@fuzdev/fuz_app 0.61.0 → 0.63.0

package/dist/auth/account_routes.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"account_routes.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/account_routes.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAEtB,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,qBAAqB,CAAC;AA2BxD,OAAO,EAAkB,KAAK,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAEtE,OAAO,EAA+B,KAAK,WAAW,EAAC,MAAM,oBAAoB,CAAC;AAElF,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,WAAW,CAAC;AAQhD,kFAAkF;AAClF,eAAO,MAAM,kBAAkB,WAAW,CAAC;AAC3C,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAEpE;;;;;;;;GAQG;AACH,eAAO,MAAM,mBAAmB;;;;;;;;;;;;;;;;;;;;;kBAI9B,CAAC;AACH,MAAM,MAAM,mBAAmB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAC;AAEtE,4EAA4E;AAC5E,eAAO,MAAM,iCAAiC;;;iBAG5C,CAAC;AACH,MAAM,MAAM,iCAAiC,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iCAAiC,CAAC,CAAC;AAElG;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,gCAAgC,GAAI,UAAU,oBAAoB,KAAG,SAmFhF,CAAC;AAEH,iDAAiD;AACjD,MAAM,WAAW,oBAAoB;IACpC,yDAAyD;IACzD,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,8FAA8F;IAC9F,gBAAgB,CAAC,EAAE;QAAC,SAAS,EAAE,OAAO,CAAA;KAAC,CAAC;CACxC;AAED,4CAA4C;AAC5C,eAAO,MAAM,oBAAoB,IAAI,CAAC;AAEtC,8CAA8C;AAC9C,eAAO,MAAM,kBAAkB,KAAK,CAAC;AAErC;;;;;;;;;GASG;AACH,eAAO,MAAM,2BAA2B,MAAM,CAAC;AAE/C;;;;;;GAMG;AACH,eAAO,MAAM,4BAA4B,KAAK,CAAC;AAQ/C;;;;;GAKG;AACH,MAAM,WAAW,uBAAuB;IACvC,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,kFAAkF;IAClF,eAAe,EAAE,WAAW,GAAG,IAAI,CAAC;CACpC;AAED;;GAEG;AACH,MAAM,WAAW,mBAAoB,SAAQ,uBAAuB;IACnE,4FAA4F;IAC5F,0BAA0B,EAAE,WAAW,GAAG,IAAI,CAAC;IAC/C,2FAA2F;IAC3F,YAAY,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7B;;;;OAIG;IACH,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B;;;OAGG;IACH,oBAAoB,CAAC,EAAE,MAAM,CAAC;CAC9B;AAID,oFAAoF;AACpF,eAAO,MAAM,UAAU;;;kBAGrB,CAAC;AACH,MAAM,MAAM,UAAU,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,UAAU,CAAC,CAAC;AAEpD,wFAAwF;AACxF,eAAO,MAAM,WAAW;;kBAEtB,CAAC;AACH,MAAM,MAAM,WAAW,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,WAAW,CAAC,CAAC;AAEtD,2EAA2E;AAC3E,eAAO,MAAM,WAAW,WAAW,CAAC;AACpC,MAAM,MAAM,WAAW,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,WAAW,CAAC,CAAC;AAEtD,wFAAwF;AACxF,eAAO,MAAM,YAAY;;;kBAGvB,CAAC;AACH,MAAM,MAAM,YAAY,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,YAAY,CAAC,CAAC;AAExD,sHAAsH;AACtH,eAAO,MAAM,mBAAmB;;;kBAG9B,CAAC;AACH,MAAM,MAAM,mBAAmB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAC;AAEtE,uGAAuG;AACvG,eAAO,MAAM,oBAAoB;;;;kBAI/B,CAAC;AACH,MAAM,MAAM,oBAAoB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAC;AAExE;;;;;;;;;;GAUG;AACH,eAAO,MAAM,0BAA0B,GACtC,MAAM,gBAAgB,EACtB,SAAS,mBAAmB,KAC1B,KAAK,CAAC,SAAS,CA0PjB,CAAC"}
+{"version":3,"file":"account_routes.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/account_routes.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAEtB,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,qBAAqB,CAAC;AA2BxD,OAAO,EAAkB,KAAK,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAEtE,OAAO,EAA+B,KAAK,WAAW,EAAC,MAAM,oBAAoB,CAAC;AAElF,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,WAAW,CAAC;AAQhD,kFAAkF;AAClF,eAAO,MAAM,kBAAkB,WAAW,CAAC;AAC3C,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAEpE;;;;;;;;GAQG;AACH,eAAO,MAAM,mBAAmB;;;;;;;;;;;;;;;;;;;;;kBAI9B,CAAC;AACH,MAAM,MAAM,mBAAmB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAC;AAEtE,4EAA4E;AAC5E,eAAO,MAAM,iCAAiC;;;iBAG5C,CAAC;AACH,MAAM,MAAM,iCAAiC,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iCAAiC,CAAC,CAAC;AAElG;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,gCAAgC,GAAI,UAAU,oBAAoB,KAAG,SAmFhF,CAAC;AAEH,iDAAiD;AACjD,MAAM,WAAW,oBAAoB;IACpC,yDAAyD;IACzD,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,8FAA8F;IAC9F,gBAAgB,CAAC,EAAE;QAAC,SAAS,EAAE,OAAO,CAAA;KAAC,CAAC;CACxC;AAED,4CAA4C;AAC5C,eAAO,MAAM,oBAAoB,IAAI,CAAC;AAEtC,8CAA8C;AAC9C,eAAO,MAAM,kBAAkB,KAAK,CAAC;AAErC;;;;;;;;;GASG;AACH,eAAO,MAAM,2BAA2B,MAAM,CAAC;AAE/C;;;;;;GAMG;AACH,eAAO,MAAM,4BAA4B,KAAK,CAAC;AAQ/C;;;;;GAKG;AACH,MAAM,WAAW,uBAAuB;IACvC,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,kFAAkF;IAClF,eAAe,EAAE,WAAW,GAAG,IAAI,CAAC;CACpC;AAED;;GAEG;AACH,MAAM,WAAW,mBAAoB,SAAQ,uBAAuB;IACnE,4FAA4F;IAC5F,0BAA0B,EAAE,WAAW,GAAG,IAAI,CAAC;IAC/C,2FAA2F;IAC3F,YAAY,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7B;;;;OAIG;IACH,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B;;;OAGG;IACH,oBAAoB,CAAC,EAAE,MAAM,CAAC;CAC9B;AAID,oFAAoF;AACpF,eAAO,MAAM,UAAU;;;kBAGrB,CAAC;AACH,MAAM,MAAM,UAAU,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,UAAU,CAAC,CAAC;AAEpD,wFAAwF;AACxF,eAAO,MAAM,WAAW;;kBAEtB,CAAC;AACH,MAAM,MAAM,WAAW,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,WAAW,CAAC,CAAC;AAEtD,2EAA2E;AAC3E,eAAO,MAAM,WAAW,WAAW,CAAC;AACpC,MAAM,MAAM,WAAW,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,WAAW,CAAC,CAAC;AAEtD,wFAAwF;AACxF,eAAO,MAAM,YAAY;;;kBAGvB,CAAC;AACH,MAAM,MAAM,YAAY,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,YAAY,CAAC,CAAC;AAExD,sHAAsH;AACtH,eAAO,MAAM,mBAAmB;;;kBAG9B,CAAC;AACH,MAAM,MAAM,mBAAmB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAC;AAEtE,uGAAuG;AACvG,eAAO,MAAM,oBAAoB;;;;kBAI/B,CAAC;AACH,MAAM,MAAM,oBAAoB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAC;AAExE;;;;;;;;;;GAUG;AACH,eAAO,MAAM,0BAA0B,GACtC,MAAM,gBAAgB,EACtB,SAAS,mBAAmB,KAC1B,KAAK,CAAC,SAAS,CA8PjB,CAAC"}

package/dist/auth/account_routes.js

@@ -29,7 +29,7 @@ import { hash_session_token, query_session_revoke_all_for_account, query_session
 import { query_account_by_username_or_email, query_update_account_password, } from './account_queries.js';
 import { query_revoke_all_api_tokens_for_account } from './api_token_queries.js';
 import { build_account_context, build_request_context, get_request_context, require_request_context, resolve_acting_actor, } from './request_context.js';
-import { ACCOUNT_ID_KEY } from '../hono_context.js';
+import { ACCOUNT_ID_KEY, CREDENTIAL_TYPE_KEY } from '../hono_context.js';
 import { get_route_input } from '../http/route_spec.js';
 import { get_client_ip } from '../http/proxy.js';
 import { rate_limit_exceeded_response } from '../rate_limiter.js';
@@ -355,7 +355,8 @@ export const create_account_route_specs = (deps, options) => {
         {
             method: 'POST',
             path: '/password',
-            auth: { account: 'required', actor: 'none' },
+            // `credential_types: ['session']` — see `docs/security.md` §Credential-channel gating.
+            auth: { account: 'required', actor: 'none', credential_types: ['session'] },
             description: 'Change password (revokes all sessions and API tokens)',
             input: PasswordChangeInput,
             output: PasswordChangeOutput,
@@ -376,6 +377,8 @@ export const create_account_route_specs = (deps, options) => {
                 }
                 const ctx = require_request_context(c);
                 const { current_password, new_password } = get_route_input(c);
+                // Defense in depth — see `docs/security.md` §Credential-channel gating.
+                const credential_type = c.get(CREDENTIAL_TYPE_KEY) ?? undefined;
                 // per-account rate limit check (after context resolution, before argon2 work)
                 if (login_account_rate_limiter) {
                     const check = login_account_rate_limiter.check(ctx.account.id);
@@ -394,6 +397,7 @@ export const create_account_route_specs = (deps, options) => {
                         outcome: 'failure',
                         account_id: ctx.account.id,
                         ip: get_client_ip(c),
+                        metadata: { credential_type },
                     });
                     return c.json({ error: ERROR_INVALID_CREDENTIALS }, 401);
                 }
@@ -426,7 +430,7 @@ export const create_account_route_specs = (deps, options) => {
                         outcome: 'failure',
                         account_id: ctx.account.id,
                         ip: get_client_ip(c),
-                        metadata: { reason: 'concurrent_change' },
+                        metadata: { reason: 'concurrent_change', credential_type },
                     });
                     return c.json({ error: ERROR_INVALID_CREDENTIALS }, 401);
                 }
@@ -442,7 +446,7 @@ export const create_account_route_specs = (deps, options) => {
                     event_type: 'password_change',
                     account_id: ctx.account.id,
                     ip: get_client_ip(c),
-                    metadata: { sessions_revoked, tokens_revoked },
+                    metadata: { sessions_revoked, tokens_revoked, credential_type },
                 });
                 return c.json({ ok: true, sessions_revoked, tokens_revoked });
             },

package/dist/auth/account_schema.d.ts

@@ -5,9 +5,9 @@
  * `Account`, `Actor`, `RoleGrant`, `AuthSession`, and `ApiToken`.
  *
  * Identifier primitives (`Username`, `UsernameProvided`, `Email`) live
- * in `../primitive_schemas.ts` — they're general validator shapes that
+ * in `primitive_schemas.ts` — they're general validator shapes that
  * don't depend on the auth domain. The auth-shape request-contract
- * primitive `ActingActor` lives in `../http/auth_shape.ts` next to
+ * primitive `ActingActor` lives in `http/auth_shape.ts` next to
  * `RouteAuth` (the two pair: `auth.actor !== 'none'` ⟺ input declares
  * `acting?: ActingActor`).
  *

package/dist/auth/account_schema.js

@@ -5,9 +5,9 @@
  * `Account`, `Actor`, `RoleGrant`, `AuthSession`, and `ApiToken`.
  *
  * Identifier primitives (`Username`, `UsernameProvided`, `Email`) live
- * in `../primitive_schemas.ts` — they're general validator shapes that
+ * in `primitive_schemas.ts` — they're general validator shapes that
  * don't depend on the auth domain. The auth-shape request-contract
- * primitive `ActingActor` lives in `../http/auth_shape.ts` next to
+ * primitive `ActingActor` lives in `http/auth_shape.ts` next to
  * `RouteAuth` (the two pair: `auth.actor !== 'none'` ⟺ input declares
  * `acting?: ActingActor`).
  *

package/dist/auth/actor_lookup_actions.d.ts

@@ -3,7 +3,7 @@
  *
  * Pure read — no audit, no side effects. Auth (`account: 'required'`) +
  * rate-limit (`account`-grain) enforced at the spec layer; see
- * `./actor_lookup_action_specs.ts` for the info-leak audit.
+ * `auth/actor_lookup_action_specs.ts` for the info-leak audit.
  *
  * `display_name` is omitted (not `null`) when `actor.name` is blank,
  * matching the wire shape `display_name?` so the typed client sees an

package/dist/auth/actor_lookup_actions.js

@@ -3,7 +3,7 @@
  *
  * Pure read — no audit, no side effects. Auth (`account: 'required'`) +
  * rate-limit (`account`-grain) enforced at the spec layer; see
- * `./actor_lookup_action_specs.ts` for the info-leak audit.
+ * `auth/actor_lookup_action_specs.ts` for the info-leak audit.
  *
  * `display_name` is omitted (not `null`) when `actor.name` is blank,
  * matching the wire shape `display_name?` so the typed client sees an

package/dist/auth/actor_lookup_queries.d.ts

@@ -10,7 +10,7 @@
  * The inner join still resolves one row per actor — `actor.account_id`
  * is `NOT NULL` so every actor has exactly one account.
  *
- * Info-leak posture (see `actor_lookup_action_specs.ts` § audit):
+ * Info-leak posture (see `actor_lookup_action_specs.ts` §audit):
  *
  * - Row shape **omits** `account_id` — the join is control-plane,
  *   not wire-visible.

package/dist/auth/actor_lookup_queries.js

@@ -10,7 +10,7 @@
  * The inner join still resolves one row per actor — `actor.account_id`
  * is `NOT NULL` so every actor has exactly one account.
  *
- * Info-leak posture (see `actor_lookup_action_specs.ts` § audit):
+ * Info-leak posture (see `actor_lookup_action_specs.ts` §audit):
  *
  * - Row shape **omits** `account_id` — the join is control-plane,
  *   not wire-visible.

package/dist/auth/actor_search_action_specs.d.ts

@@ -45,7 +45,7 @@
  * ## Wire shape — info-leak audit
  *
  * Output `{actors: [{id, username, display_name?}]}` is identical to
- * `actor_lookup`'s — see `./actor_lookup_action_specs.ts` for the full
+ * `actor_lookup`'s — see `auth/actor_lookup_action_specs.ts` for the full
  * field-by-field audit. Same omissions (`account_id`, email,
  * timestamps, role / role_grants / session state), same `display_name`
  * omitted-not-null contract, same response-order-unspecified rule.

package/dist/auth/actor_search_action_specs.js

@@ -45,7 +45,7 @@
  * ## Wire shape — info-leak audit
  *
  * Output `{actors: [{id, username, display_name?}]}` is identical to
- * `actor_lookup`'s — see `./actor_lookup_action_specs.ts` for the full
+ * `actor_lookup`'s — see `auth/actor_lookup_action_specs.ts` for the full
  * field-by-field audit. Same omissions (`account_id`, email,
  * timestamps, role / role_grants / session state), same `display_name`
  * omitted-not-null contract, same response-order-unspecified rule.

package/dist/auth/actor_search_actions.d.ts

@@ -3,7 +3,7 @@
  *
  * Pure read — no audit, no side effects. Auth (`account: 'required'`,
  * `actor: 'none'`) + rate-limit (`account`-grain) enforced at the spec
- * layer; see `./actor_search_action_specs.ts` for the info-leak audit
+ * layer; see `auth/actor_search_action_specs.ts` for the info-leak audit
  * and threat model.
  *
  * The handler adds two checks the spec layer can't express:

package/dist/auth/actor_search_actions.js

@@ -3,7 +3,7 @@
  *
  * Pure read — no audit, no side effects. Auth (`account: 'required'`,
  * `actor: 'none'`) + rate-limit (`account`-grain) enforced at the spec
- * layer; see `./actor_search_action_specs.ts` for the info-leak audit
+ * layer; see `auth/actor_search_action_specs.ts` for the info-leak audit
  * and threat model.
  *
  * The handler adds two checks the spec layer can't express:

package/dist/auth/actor_search_queries.d.ts

@@ -29,7 +29,7 @@
  * gates), no role_grant join — every actor with a matching prefix is
  * returned.
  *
- * ## Info-leak posture (see `actor_search_action_specs.ts` § audit)
+ * ## Info-leak posture (see `actor_search_action_specs.ts` §audit)
  *
  * - Row shape **omits** `account_id` — the join is control-plane, not
  *   wire-visible. Identical to `actor_lookup_queries.ts`.

package/dist/auth/actor_search_queries.js

@@ -29,7 +29,7 @@
  * gates), no role_grant join — every actor with a matching prefix is
  * returned.
  *
- * ## Info-leak posture (see `actor_search_action_specs.ts` § audit)
+ * ## Info-leak posture (see `actor_search_action_specs.ts` §audit)
  *
  * - Row shape **omits** `account_id` — the join is control-plane, not
  *   wire-visible. Identical to `actor_lookup_queries.ts`.

package/dist/auth/all_action_spec_registries.d.ts

@@ -22,14 +22,14 @@
  * - Codegen that needs to see every fuz_auth surface at once
  *   (typed-client filters, attack-surface reports). For typed-client
  *   wiring of the standard surface, prefer `all_standard_action_specs`
- *   in `./standard_action_specs.ts` — it mirrors the
+ *   in `auth/standard_action_specs.ts` — it mirrors the
  *   `create_standard_rpc_actions` mount and stays narrower than this
  *   registry-of-registries (no opt-in bundles).
  *
  * `protocol_action_specs` (heartbeat / cancel) is **not** included —
  * those are transport-level wire-protocol concerns shipped by fuz_app
  * and spread by every consumer at registration via `protocol_actions`
- * from `../actions/protocol.ts`. Walker tests that need protocol
+ * from `actions/protocol.ts`. Walker tests that need protocol
  * coverage spread `protocol_action_specs` separately.
  *
  * @module

package/dist/auth/all_action_spec_registries.js

@@ -22,14 +22,14 @@
  * - Codegen that needs to see every fuz_auth surface at once
  *   (typed-client filters, attack-surface reports). For typed-client
  *   wiring of the standard surface, prefer `all_standard_action_specs`
- *   in `./standard_action_specs.ts` — it mirrors the
+ *   in `auth/standard_action_specs.ts` — it mirrors the
  *   `create_standard_rpc_actions` mount and stays narrower than this
  *   registry-of-registries (no opt-in bundles).
  *
  * `protocol_action_specs` (heartbeat / cancel) is **not** included —
  * those are transport-level wire-protocol concerns shipped by fuz_app
  * and spread by every consumer at registration via `protocol_actions`
- * from `../actions/protocol.ts`. Walker tests that need protocol
+ * from `actions/protocol.ts`. Walker tests that need protocol
  * coverage spread `protocol_action_specs` separately.
  *
  * @module

package/dist/auth/audit_log_routes.d.ts

@@ -7,7 +7,7 @@
  * `GET /audit/stream` SSE route — streams aren't an action-kind, so they
  * stay on REST. The event payload broadcast on the stream surfaces via
  * `audit_log_event_specs` (one `EventSpec` per audit event type) declared
- * alongside the broadcaster in `../realtime/sse_auth_guard.ts`.
+ * alongside the broadcaster in `realtime/sse_auth_guard.ts`.
  *
  * @module
  */

package/dist/auth/audit_log_routes.js

@@ -7,7 +7,7 @@
  * `GET /audit/stream` SSE route — streams aren't an action-kind, so they
  * stay on REST. The event payload broadcast on the stream surfaces via
  * `audit_log_event_specs` (one `EventSpec` per audit event type) declared
- * alongside the broadcaster in `../realtime/sse_auth_guard.ts`.
+ * alongside the broadcaster in `realtime/sse_auth_guard.ts`.
  *
  * @module
  */

package/dist/auth/audit_log_schema.d.ts

@@ -85,21 +85,46 @@ export declare const audit_metadata_schemas: Readonly<{
         reason: z.ZodOptional<z.ZodEnum<{
             concurrent_change: "concurrent_change";
         }>>;
+        credential_type: z.ZodOptional<z.ZodEnum<{
+            daemon_token: "daemon_token";
+            session: "session";
+            api_token: "api_token";
+        }>>;
     }, z.core.$loose>>;
     session_revoke: z.ZodObject<{
         session_id: z.ZodString;
+        credential_type: z.ZodOptional<z.ZodEnum<{
+            daemon_token: "daemon_token";
+            session: "session";
+            api_token: "api_token";
+        }>>;
     }, z.core.$loose>;
     session_revoke_all: z.ZodObject<{
         count: z.ZodOptional<z.ZodNumber>;
         reason: z.ZodOptional<z.ZodString>;
         attempted_account_id: z.ZodOptional<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+        credential_type: z.ZodOptional<z.ZodEnum<{
+            daemon_token: "daemon_token";
+            session: "session";
+            api_token: "api_token";
+        }>>;
     }, z.core.$loose>;
     token_create: z.ZodObject<{
         token_id: z.ZodString;
         name: z.ZodString;
+        credential_type: z.ZodOptional<z.ZodEnum<{
+            daemon_token: "daemon_token";
+            session: "session";
+            api_token: "api_token";
+        }>>;
     }, z.core.$loose>;
     token_revoke: z.ZodObject<{
         token_id: z.ZodString;
+        credential_type: z.ZodOptional<z.ZodEnum<{
+            daemon_token: "daemon_token";
+            session: "session";
+            api_token: "api_token";
+        }>>;
     }, z.core.$loose>;
     token_revoke_all: z.ZodObject<{
         count: z.ZodOptional<z.ZodNumber>;

package/dist/auth/audit_log_schema.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"audit_log_schema.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/audit_log_schema.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AACtB,OAAO,EAAC,IAAI,EAAC,MAAM,wBAAwB,CAAC;AAO5C;;;;;GAKG;AACH,eAAO,MAAM,iBAAiB,8aAsBnB,CAAC;AAEZ,wCAAwC;AACxC,eAAO,MAAM,cAAc;;;;;;;;;;;;;;;;;;;;;;EAA4B,CAAC;AACxD,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,cAAc,CAAC,CAAC;AAE5D;;;;GAIG;AACH,eAAO,MAAM,2BAA2B,QAA+B,CAAC;AAExE,0DAA0D;AAC1D,eAAO,MAAM,kBAAkB,aAE7B,CAAC;AACH,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAEpE,2CAA2C;AAC3C,eAAO,MAAM,YAAY;;;EAAiC,CAAC;AAC3D,MAAM,MAAM,YAAY,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,YAAY,CAAC,CAAC;AAExD;;;;;;GAMG;AACH,eAAO,MAAM,sBAAsB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EA6MW,CAAC;AAE/C,+EAA+E;AAC/E,MAAM,MAAM,gBAAgB,GAAG;KAC7B,CAAC,IAAI,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,OAAO,sBAAsB,CAAC,CAAC,CAAC,CAAC,CAAC;CAClE,CAAC;AAEF,oGAAoG;AACpG,MAAM,WAAW,aAAa;IAC7B,EAAE,EAAE,IAAI,CAAC;IACT,GAAG,EAAE,MAAM,CAAC;IACZ,UAAU,EAAE,kBAAkB,CAAC;IAC/B,OAAO,EAAE,YAAY,CAAC;IACtB;;;;;;;;;;;;;OAaG;IACH,QAAQ,EAAE,IAAI,GAAG,IAAI,CAAC;IACtB,UAAU,EAAE,IAAI,GAAG,IAAI,CAAC;IACxB,iBAAiB,EAAE,IAAI,GAAG,IAAI,CAAC;IAC/B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OAkCG;IACH,eAAe,EAAE,IAAI,GAAG,IAAI,CAAC;IAC7B,EAAE,EAAE,MAAM,GAAG,IAAI,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC;CACzC;AAED;;;;GAIG;AACH,eAAO,MAAM,kBAAkB,GAAI,CAAC,SAAS,cAAc,EAC1D,OAAO,aAAa,GAAG;IAAC,UAAU,EAAE,CAAC,CAAA;CAAC,KACpC,gBAAgB,CAAC,CAAC,CAAC,GAAG,IAExB,CAAC;AAEF,6CAA6C;AAC7C,MAAM,WAAW,aAAa,CAAC,CAAC,SAAS,MAAM,GAAG,cAAc;IAC/D,UAAU,EAAE,CAAC,CAAC;IACd,OAAO,CAAC,EAAE,YAAY,CAAC;IACvB,QAAQ,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;IACvB,UAAU,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;IACzB,iBAAiB,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;IAChC,eAAe,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;IAC9B,EAAE,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACnB;;;;OAIG;IACH,QAAQ,CAAC,EAAE,CAAC,SAAS,cAAc,GAChC,CAAC,gBAAgB,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,GAAG,IAAI,GACtD,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC;CAClC;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,WAAW,cAAc;IAC9B,iFAAiF;IACjF,QAAQ,CAAC,WAAW,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IAC5C;;;OAGG;IACH,QAAQ,CAAC,gBAAgB,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC;CAC/D;AAED,4FAA4F;AAC5F,eAAO,MAAM,wBAAwB,EAAE,cAGrC,CAAC;AAEH,6CAA6C;AAC7C,MAAM,WAAW,2BAA2B;IAC3C;;;;;;;;OAQG;IACH,YAAY,CAAC,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,GAAG,IAAI,CAAC,CAAC,CAAC;CAC1D;AAED;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,uBAAuB,GAAI,UAAU,2BAA2B,KAAG,cA2B/E,CAAC;AAEF,gDAAgD;AAChD,eAAO,MAAM,uBAAuB,KAAK,CAAC;AAE1C,6CAA6C;AAC7C,MAAM,WAAW,mBAAmB;IACnC,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB;;;;OAIG;IACH,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,aAAa,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IAC9B,UAAU,CAAC,EAAE,IAAI,CAAC;IAClB,OAAO,CAAC,EAAE,YAAY,CAAC;IACvB,0GAA0G;IAC1G,SAAS,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;;;;;;;;GASG;AACH,eAAO,MAAM,iBAAiB;;;;;;;;;;;;;;;kBAY5B,CAAC;AACH,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAC;AAElE,+DAA+D;AAC/D,eAAO,MAAM,8BAA8B;;;;;;;;;;;;;;;;;kBAGzC,CAAC;AACH,MAAM,MAAM,8BAA8B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,8BAA8B,CAAC,CAAC;AAE5F,wEAAwE;AACxE,eAAO,MAAM,yBAAyB;;;;;;;;;;;;;;;;;kBAGpC,CAAC;AACH,MAAM,MAAM,yBAAyB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,yBAAyB,CAAC,CAAC;AAElF,iEAAiE;AACjE,eAAO,MAAM,gBAAgB;;;;;;;kBAE3B,CAAC;AACH,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC"}
+{"version":3,"file":"audit_log_schema.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/audit_log_schema.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AACtB,OAAO,EAAC,IAAI,EAAC,MAAM,wBAAwB,CAAC;AAoB5C;;;;;GAKG;AACH,eAAO,MAAM,iBAAiB,8aAsBnB,CAAC;AAEZ,wCAAwC;AACxC,eAAO,MAAM,cAAc;;;;;;;;;;;;;;;;;;;;;;EAA4B,CAAC;AACxD,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,cAAc,CAAC,CAAC;AAE5D;;;;GAIG;AACH,eAAO,MAAM,2BAA2B,QAA+B,CAAC;AAExE,0DAA0D;AAC1D,eAAO,MAAM,kBAAkB,aAE7B,CAAC;AACH,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAEpE,2CAA2C;AAC3C,eAAO,MAAM,YAAY;;;EAAiC,CAAC;AAC3D,MAAM,MAAM,YAAY,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,YAAY,CAAC,CAAC;AAExD;;;;;;GAMG;AACH,eAAO,MAAM,sBAAsB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAkNW,CAAC;AAE/C,+EAA+E;AAC/E,MAAM,MAAM,gBAAgB,GAAG;KAC7B,CAAC,IAAI,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,OAAO,sBAAsB,CAAC,CAAC,CAAC,CAAC,CAAC;CAClE,CAAC;AAEF,oGAAoG;AACpG,MAAM,WAAW,aAAa;IAC7B,EAAE,EAAE,IAAI,CAAC;IACT,GAAG,EAAE,MAAM,CAAC;IACZ,UAAU,EAAE,kBAAkB,CAAC;IAC/B,OAAO,EAAE,YAAY,CAAC;IACtB;;;;;;;;;;;;;OAaG;IACH,QAAQ,EAAE,IAAI,GAAG,IAAI,CAAC;IACtB,UAAU,EAAE,IAAI,GAAG,IAAI,CAAC;IACxB,iBAAiB,EAAE,IAAI,GAAG,IAAI,CAAC;IAC/B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OAkCG;IACH,eAAe,EAAE,IAAI,GAAG,IAAI,CAAC;IAC7B,EAAE,EAAE,MAAM,GAAG,IAAI,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC;CACzC;AAED;;;;GAIG;AACH,eAAO,MAAM,kBAAkB,GAAI,CAAC,SAAS,cAAc,EAC1D,OAAO,aAAa,GAAG;IAAC,UAAU,EAAE,CAAC,CAAA;CAAC,KACpC,gBAAgB,CAAC,CAAC,CAAC,GAAG,IAExB,CAAC;AAEF,6CAA6C;AAC7C,MAAM,WAAW,aAAa,CAAC,CAAC,SAAS,MAAM,GAAG,cAAc;IAC/D,UAAU,EAAE,CAAC,CAAC;IACd,OAAO,CAAC,EAAE,YAAY,CAAC;IACvB,QAAQ,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;IACvB,UAAU,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;IACzB,iBAAiB,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;IAChC,eAAe,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;IAC9B,EAAE,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACnB;;;;OAIG;IACH,QAAQ,CAAC,EAAE,CAAC,SAAS,cAAc,GAChC,CAAC,gBAAgB,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,GAAG,IAAI,GACtD,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC;CAClC;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,WAAW,cAAc;IAC9B,iFAAiF;IACjF,QAAQ,CAAC,WAAW,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IAC5C;;;OAGG;IACH,QAAQ,CAAC,gBAAgB,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC;CAC/D;AAED,4FAA4F;AAC5F,eAAO,MAAM,wBAAwB,EAAE,cAGrC,CAAC;AAEH,6CAA6C;AAC7C,MAAM,WAAW,2BAA2B;IAC3C;;;;;;;;OAQG;IACH,YAAY,CAAC,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,GAAG,IAAI,CAAC,CAAC,CAAC;CAC1D;AAED;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,uBAAuB,GAAI,UAAU,2BAA2B,KAAG,cA2B/E,CAAC;AAEF,gDAAgD;AAChD,eAAO,MAAM,uBAAuB,KAAK,CAAC;AAE1C,6CAA6C;AAC7C,MAAM,WAAW,mBAAmB;IACnC,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB;;;;OAIG;IACH,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,aAAa,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IAC9B,UAAU,CAAC,EAAE,IAAI,CAAC;IAClB,OAAO,CAAC,EAAE,YAAY,CAAC;IACvB,0GAA0G;IAC1G,SAAS,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;;;;;;;;GASG;AACH,eAAO,MAAM,iBAAiB;;;;;;;;;;;;;;;kBAY5B,CAAC;AACH,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAC;AAElE,+DAA+D;AAC/D,eAAO,MAAM,8BAA8B;;;;;;;;;;;;;;;;;kBAGzC,CAAC;AACH,MAAM,MAAM,8BAA8B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,8BAA8B,CAAC,CAAC;AAE5F,wEAAwE;AACxE,eAAO,MAAM,yBAAyB;;;;;;;;;;;;;;;;;kBAGpC,CAAC;AACH,MAAM,MAAM,yBAAyB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,yBAAyB,CAAC,CAAC;AAElF,iEAAiE;AACjE,eAAO,MAAM,gBAAgB;;;;;;;kBAE3B,CAAC;AACH,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC"}

package/dist/auth/audit_log_schema.js

@@ -14,6 +14,17 @@ import { Blake3Hash } from '@fuzdev/fuz_util/hash_blake3.js';
 import { AuthSessionJson } from './account_schema.js';
 import { Email } from '../primitive_schemas.js';
 import { ApiTokenId } from './api_token.js';
+import { BuiltinCredentialType } from './credential_type_schema.js';
+/**
+ * Defense-in-depth audit field — records the credential channel
+ * (`session` / `api_token` / `daemon_token`) the request arrived on.
+ * Present on events whose specs declare `credential_types: ['session']`
+ * so forensics survive a future loosening or bypass of the spec gate.
+ * See `docs/security.md` §Credential-channel gating.
+ */
+const credential_type_meta = BuiltinCredentialType.optional().meta({
+    description: 'Credential channel the request arrived on. Defense in depth — the spec gate restricts to `session`, but the row preserves what actually authenticated the request in case the gate is loosened or bypassed in a future refactor.',
+});
 /**
  * All tracked auth event types. Frozen to convert accidental in-process
  * mutation (test cross-contamination, cast escapes) into loud TypeErrors.
@@ -102,10 +113,12 @@ export const audit_metadata_schemas = Object.freeze({
         reason: z.enum(['concurrent_change']).optional().meta({
             description: 'Failure category. `concurrent_change` indicates another password change committed first against the same starting hash (verify-write race loser). Absent for typed-wrong-password failures.',
         }),
+        credential_type: credential_type_meta,
     })
         .nullable(),
     session_revoke: z.looseObject({
         session_id: Blake3Hash.meta({ description: 'Blake3 hash identifying the revoked session row.' }),
+        credential_type: credential_type_meta,
     }),
     session_revoke_all: z.looseObject({
         // Omitted on `outcome='failure'` (no revocation attempted — e.g. target
@@ -122,13 +135,16 @@ export const audit_metadata_schemas = Object.freeze({
         attempted_account_id: Uuid.optional().meta({
             description: 'Probed account id when the target lookup missed (FK constraint forces `target_account_id` to null).',
         }),
+        credential_type: credential_type_meta,
     }),
     token_create: z.looseObject({
         token_id: ApiTokenId.meta({ description: 'Public id of the created API token (`tok_…`).' }),
         name: z.string().meta({ description: 'Operator-supplied label for the token.' }),
+        credential_type: credential_type_meta,
     }),
     token_revoke: z.looseObject({
         token_id: ApiTokenId.meta({ description: 'Public id of the revoked API token (`tok_…`).' }),
+        credential_type: credential_type_meta,
     }),
     token_revoke_all: z.looseObject({
         // Same shape as `session_revoke_all` for failures.

package/dist/auth/request_context.d.ts

@@ -340,7 +340,7 @@ export declare const build_account_context: (deps: QueryDeps, account_id: string
  *
  * The auth phase deliberately stops short of constructing a `Response` so
  * the same failure flows through every transport without the auth-domain
- * code knowing about JSON-RPC. See `fuz_app/CLAUDE.md` § Cleanest
+ * code knowing about JSON-RPC. See `../../../CLAUDE.md` §Cleanest
  * architecture takes priority for the rationale.
  */
 export type AuthorizationFailureBody = {

package/dist/env/update_env_variable.js

@@ -70,7 +70,7 @@ export const update_env_variable = async (key, value, options) => {
     const updated_content = updated_lines.join('\n') + (has_trailing_newline ? '\n' : '');
     await write_file(file_path, updated_content, 'utf-8');
 };
-// Keep this tokenization aligned with `parse_dotenv` in `./dotenv.ts`:
+// Keep this tokenization aligned with `parse_dotenv` in `env/dotenv.ts`:
 // trim, skip empties/comments, split on the first `=`.
 const find_last_key_line_index = (lines, key) => {
     if (!key)

package/dist/http/CLAUDE.md

@@ -5,12 +5,12 @@ surface introspection, JSON-RPC envelope + error taxonomy, proxy/origin
 middleware primitives, post-commit effect helper, generic admin route specs.
 
 **Nothing in this directory is auth-specific.** Auth middleware, routes, and
-guards live in `../auth/` and consume these primitives. Routes and actions in
+guards live in `auth/` and consume these primitives. Routes and actions in
 other domains should do the same — extend, don't special-case.
 
 For the design rationale behind declarative routes, DEV-only output
 validation, the three-layer error-schema merge, and fire-and-forget effects,
-see `../../docs/architecture.md`.
+see ../../docs/architecture.md.
 
 ## Module Map
 
@@ -42,7 +42,7 @@ by `generate_app_surface`. Same-shaped data, different consumers.
 
 - `method` — `'GET' | 'POST' | 'PUT' | 'DELETE' | 'PATCH'`
 - `path` — Hono path (supports `:param` segments)
-- `auth: RouteAuth` — flat record `{account, actor, roles?, credential_types?}` from `auth_shape.ts`. Each axis is `'none' | 'optional' | 'required'`. Same shape governs `ActionSpec.auth` (see `../actions/CLAUDE.md`).
+- `auth: RouteAuth` — flat record `{account, actor, roles?, credential_types?}` from `auth_shape.ts`. Each axis is `'none' | 'optional' | 'required'`. Same shape governs `ActionSpec.auth` (see `actions/CLAUDE.md`).
 - `handler: RouteHandler` — `(c: Context, route: RouteContext) => Response | Promise<Response>`
 - `description` — free-text, surfaced in `AppSurface`
 - `params?: z.ZodObject` — strict-object schema for URL path params
@@ -84,7 +84,7 @@ interface RouteContext {
   `db.transaction`.
 
 Pool-level fire-and-forget writes (audit logs, etc.) run through the bound
-`AppDeps.audit` capability — see `../auth/CLAUDE.md` §Deps. Handlers that
+`AppDeps.audit` capability — see `auth/CLAUDE.md` §Deps. Handlers that
 need rollback-resilient writes call `deps.audit.emit(route, input)`, which
 captures the pool inside the bound emitter so the row lands even when
 the handler's transaction rolls back.
@@ -98,7 +98,7 @@ the handler's transaction rolls back.
 
 Override explicitly when a mutation route must manage its own transactions
 (e.g. signup, which does a multi-step flow that can't live inside a single
-wrapper). See `../auth/signup_routes.ts`.
+wrapper). See `auth/signup_routes.ts`.
 
 ### Validation pipeline (per-route middleware order)
 
@@ -114,7 +114,7 @@ wrapper). See `../auth/signup_routes.ts`.
    or `auth.actor === 'required'`. Fires before any body parsing so
    unauthenticated callers never see route-shape information from
    input parse failures. The `AuthGuardResolver` (e.g.
-   `fuz_auth_guard_resolver` from `../auth/auth_guard_resolver.ts`) returns
+   `fuz_auth_guard_resolver` from `auth/auth_guard_resolver.ts`) returns
    this set as `pre_validation: Array<MiddlewareHandler>`.
 4. **Input validation** — JSON body parsed + validated; mismatch returns
    400 `ERROR_INVALID_JSON_BODY` (not JSON) or `ERROR_INVALID_REQUEST_BODY`
@@ -191,7 +191,7 @@ are the contract with external callers.
 
 The production behavior short-circuits to the unwrapped handler — no
 parse work on the hot path. Uniform across all three action-handler
-surfaces (REST, RPC, WS); see `../../docs/architecture.md` §DEV-only
+surfaces (REST, RPC, WS); see ../../docs/architecture.md §DEV-only
 Output Validation.
 
 ### Helpers
@@ -205,8 +205,8 @@ Output Validation.
 
 `error_schemas.ts` is the **declarative** error surface:
 
-- `ERROR_*` snake*case string constants — single source of truth; use
-  `.literal(ERROR*\*)` in Zod schemas and inline checks in handlers
+- `ERROR_*` `snake_case` string constants — single source of truth; use
+  `.literal(ERROR_*)` in Zod schemas and inline checks in handlers
 - `ApiError`, `ValidationError`, `PermissionError`,
   `CredentialTypeRequiredError`, `RateLimitError`, `PayloadTooLargeError`,
   `ForeignKeyError` — standard shapes
@@ -413,7 +413,7 @@ connection is from a configured trusted proxy. Without this middleware,
 `get_client_ip(c)` returns `'unknown'`.
 
 Must run **before** auth and rate-limiting middleware. See the root
-`../../CLAUDE.md` §Middleware Ordering.
+../../CLAUDE.md §Middleware Ordering.
 
 - `normalize_ip(ip)` — idempotent: lowercase + strip `::ffff:` prefix on
   IPv4-mapped IPv6 addresses; safe on non-IP strings (`'unknown'` → `'unknown'`).
@@ -465,7 +465,7 @@ don't include ports — bounded by operator configuration in practice.
 
 Origin allowlisting for locally-running services — **not** the CSRF
 layer. CSRF is handled by `SameSite: strict` on session cookies (see
-`../auth/session_middleware.ts`).
+`auth/session_middleware.ts`).
 
 - `parse_allowed_origins(env_value)` — comma-separated patterns → `Array<RegExp>`
 - `should_allow_origin(origin, patterns)` — case-insensitive match
@@ -664,7 +664,7 @@ emit_after_commit(ctx, () => notification_sender.send_to_account(account_id, msg
 ```
 
 Used for WS sends (`NotificationSender.send_to_account` for
-role-grant-offer notifications — see `../auth/CLAUDE.md` §WS notifications)
+role-grant-offer notifications — see `auth/CLAUDE.md` §WS notifications)
 and any side effect that must run only after the transaction commits.
 
 ### Key properties
@@ -712,7 +712,7 @@ auth-domain dependencies:
   surface data reveals API structure (schemas, auth, routes)
 
 Auth-aware variants (account status, bootstrap status) live in
-`../auth/` — `common_routes.ts` stays generic.
+`auth/` — `common_routes.ts` stays generic.
 
 ## DB Routes (Generic Browser)
 
@@ -743,7 +743,7 @@ Interfaces exported for consumer use: `TableInfo`, `TableWithCount`,
 ## Cross-Module Notes
 
 - **Middleware ordering** is assembled by `create_app_server` — see the
-  root `../../CLAUDE.md` §Middleware Ordering. The invariants `http/`
+  root ../../CLAUDE.md §Middleware Ordering. The invariants `http/`
   needs consumers to uphold: trusted-proxy runs before auth/rate-limit;
   origin verification runs before session parsing; `client_ip` must be
   set before any handler or rate limiter reads it
@@ -753,7 +753,7 @@ Interfaces exported for consumer use: `TableInfo`, `TableWithCount`,
 - **Input/output schemas align with SAES.** When wiring RPC via
   `actions/action_rpc.ts` or bridging to `RouteSpec` via
   `actions/action_bridge.ts`, the same Zod types flow through unchanged
-  (see `../actions/CLAUDE.md` §Single JSON-RPC 2.0 endpoint and §HTTP bridge)
+  (see `actions/CLAUDE.md` §Single JSON-RPC 2.0 endpoint and §HTTP bridge)
 - **Error modules are complementary, not redundant.** `error_schemas.ts`
   is Zod-first (for routes and surface); `jsonrpc_errors.ts` is
   throw-first (for handlers and the catch layer). A single `ERROR_*`

package/dist/server/app_server.d.ts

@@ -137,7 +137,10 @@ export interface AppServerOptions {
      * listener to `backend.deps.audit.on_event_chain` (composing with the
      * consumer's `on_audit_event` callback rather than rebuilding `AppDeps`), and
      * auto-includes `audit_log_event_specs` in the surface. The result is exposed
-     * on `AppServerContext` (for route factories) and `AppServer` (for the caller).
+     * on `AppServerContext` (for route factories) and `AppServer` (for the caller),
+     * always typed as `AuditLogSse | null` — when this option is set, the field
+     * is non-null. Use `require_audit_sse(ctx)` to assert the invariant in
+     * route factories that depend on it.
      *
      * Pass `true` for defaults (admin role), or `{role: 'custom'}` for a custom role.
      * Omit to wire audit SSE manually.
@@ -160,14 +163,27 @@ export interface AppServerOptions {
      * `create_standard_rpc_actions(ctx.deps, {app_settings: ctx.app_settings})`.
      */
     rpc_endpoints?: Array<RpcEndpointSpec> | ((context: AppServerContext) => Array<RpcEndpointSpec>);
-    /** Env schema for surface generation. Pass `z.object({})` when there are no env vars beyond `BaseServerEnv`. */
-    env_schema: z.ZodObject;
+    /**
+     * Env schema for surface generation. Defaults to `BaseServerEnv` —
+     * pass an extended schema (typically `BaseServerEnv.extend({...})`)
+     * when the consumer adds app-specific env vars.
+     */
+    env_schema?: z.ZodObject;
     /** Middleware applied after routes, before static serving. Included in surface. */
     post_route_middleware?: Array<MiddlewareSpec>;
     /** Static file serving. Omit if not serving static files. */
     static_serving?: {
         serve_static: ServeStaticFactory;
+        /** Root directory for static files. Default `'./build'`. */
+        root?: string;
+        /** Optional SPA fallback path served for client-side routes. */
         spa_fallback?: string;
+        /**
+         * Predicate deciding which paths receive the SPA fallback.
+         * Default: every path that is not under `/api/`. Only consulted
+         * when `spa_fallback` is set.
+         */
+        is_spa_route?: (path: string) => boolean;
     };
     /**
      * Await all pending fire-and-forget effects before returning the response.
@@ -202,7 +218,11 @@ export interface AppServerContext {
     action_account_rate_limiter: RateLimiter | null;
     /** Global app settings (mutable ref — mutated by settings admin route). */
     app_settings: AppSettings;
-    /** Factory-managed audit log SSE. `null` when `audit_log_sse` option is not set. */
+    /**
+     * Factory-managed audit log SSE. Non-null when the `audit_log_sse`
+     * option was passed to `create_app_server`, `null` when omitted.
+     * Use `require_audit_sse(ctx)` to assert the invariant.
+     */
     audit_sse: AuditLogSse | null;
 }
 /** Result of `create_app_server()`. */
@@ -215,11 +235,35 @@ export interface AppServer {
     app_settings: AppSettings;
     /** Migration results from `create_app_backend` (auth + any `migration_namespaces` passed there). */
     migration_results: ReadonlyArray<MigrationResult>;
-    /** Factory-managed audit log SSE. `null` when `audit_log_sse` option is not set. */
+    /**
+     * Factory-managed audit log SSE. Non-null when the `audit_log_sse`
+     * option was passed to `create_app_server`, `null` when omitted.
+     * Use `require_audit_sse(server)` to assert the invariant.
+     */
     audit_sse: AuditLogSse | null;
     /** Close the database connection. Propagated from `AppBackend`. */
     close: () => Promise<void>;
 }
+/**
+ * Assert that `audit_sse` was wired by `create_app_server` and return it
+ * as a non-null `AuditLogSse`. Throws a labelled error when the
+ * `audit_log_sse` option was not passed to `create_app_server`.
+ *
+ * Use in route factories that depend on factory-managed audit SSE:
+ *
+ * ```ts
+ * create_route_specs: (ctx) => create_audit_log_route_specs({
+ *   stream: require_audit_sse(ctx),
+ * }),
+ * ```
+ *
+ * Preferred over `ctx.audit_sse!` — `!` lies to the type system and
+ * produces a downstream cannot-read-property crash if a consumer wires
+ * the route without enabling the option.
+ */
+export declare const require_audit_sse: (source: {
+    audit_sse: AuditLogSse | null;
+}) => AuditLogSse;
 /** Default maximum request body size: 1 MiB. */
 export declare const DEFAULT_MAX_BODY_SIZE: number;
 /**
@@ -231,7 +275,11 @@ export declare const DEFAULT_MAX_BODY_SIZE: number;
  * pass `migration_namespaces` to `create_app_backend`.
  *
  * When `audit_log_sse` is set, the SSE registry's listener is appended to
- * `backend.deps.audit.on_event_chain` — no shallow-copy of `AppDeps`.
+ * `backend.deps.audit.on_event_chain` — no shallow-copy of `AppDeps`. The
+ * `audit_sse` field on the returned `AppServer` (and the
+ * `AppServerContext` passed to `create_route_specs`) is non-null in that
+ * case; consumers can call `require_audit_sse(ctx)` / `require_audit_sse(server)`
+ * to assert the invariant.
  *
  * @returns assembled Hono app, backend, surface build, and bootstrap status
  */