@fuzdev/fuz_app 0.61.0 → 0.63.0

package/dist/server/app_server.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"app_server.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/server/app_server.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAC,IAAI,EAAE,KAAK,OAAO,EAAC,MAAM,MAAM,CAAC;AAGxC,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAEtB,OAAO,EAEN,KAAK,cAAc,EAEnB,MAAM,2BAA2B,CAAC;AACnC,OAAO,KAAK,EAAC,uBAAuB,EAAC,MAAM,8BAA8B,CAAC;AAC1E,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,oBAAoB,CAAC;AAClD,OAAO,EAGN,KAAK,WAAW,EAChB,MAAM,+BAA+B,CAAC;AACvC,OAAO,KAAK,EAAC,WAAW,EAAC,MAAM,gCAAgC,CAAC;AAEhE,OAAO,EAKN,KAAK,WAAW,EAChB,MAAM,oBAAoB,CAAC;AAC5B,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,yBAAyB,CAAC;AAC9D,OAAO,KAAK,EAAC,eAAe,EAAC,MAAM,kBAAkB,CAAC;AACtD,OAAO,KAAK,EAAC,OAAO,EAAC,MAAM,iBAAiB,CAAC;AAC7C,OAAO,KAAK,EAAC,UAAU,EAAC,MAAM,kBAAkB,CAAC;AAGjD,OAAO,oBAAoB,CAAC;AAE5B,OAAO,EAA2B,KAAK,kBAAkB,EAAC,MAAM,aAAa,CAAC;AAE9E,OAAO,EAEN,KAAK,cAAc,EAEnB,KAAK,eAAe,EACpB,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EAIN,KAAK,SAAS,EACd,MAAM,uBAAuB,CAAC;AAC/B,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,4BAA4B,CAAC;AAC/D,OAAO,EAGN,KAAK,eAAe,EACpB,MAAM,6BAA6B,CAAC;AASrC;;GAEG;AACH,MAAM,WAAW,kBAAkB;IAClC,0DAA0D;IAC1D,MAAM,EAAE,MAAM,CAAC;IACf,uDAAuD;IACvD,IAAI,EAAE,MAAM,CAAC;CACb;AAED;;;;;GAKG;AACH,MAAM,WAAW,gBAAgB;IAChC,2DAA2D;IAC3D,OAAO,EAAE,UAAU,CAAC;IACpB,6CAA6C;IAC7C,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,sCAAsC;IACtC,eAAe,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IAE/B,6BAA6B;IAC7B,KAAK,EAAE;QACN,eAAe,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;QAC/B,iBAAiB,EAAE,CAAC,CAAC,EAAE,OAAO,KAAK,MAAM,GAAG,SAAS,CAAC;KACtD,CAAC;IAEF;;;;;OAKG;IACH,eAAe,CAAC,EAAE,WAAW,GAAG,IAAI,CAAC;IACrC;;;;;OAKG;IACH,0BAA0B,CAAC,EAAE,WAAW,GAAG,IAAI,CAAC;IAChD;;;;;OAKG;IACH,2BAA2B,CAAC,EAAE,WAAW,GAAG,IAAI,CAAC;IACjD;;;;OAIG;IACH,sBAAsB,CAAC,EAAE,WAAW,GAAG,IAAI,CAAC;IAC5C;;;;;;;;OAQG;IACH,sBAAsB,CAAC,EAAE,WAAW,GAAG,IAAI,CAAC;IAC5C;;;;;;;;OAQG;IACH,2BAA2B,CAAC,EAAE,WAAW,GAAG,IAAI,CAAC;IACjD;;;;OAIG;IACH,aAAa,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC9B,2DAA2D;IAC3D,kBAAkB,CAAC,EAAE,gBAAgB,CAAC;IAEtC,yEAAyE;IACzE,SAAS,CAAC,EAAE;QACX,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;QAC1B,mEAAmE;QACnE,YAAY,CAAC,EAAE,MAAM,CAAC;QACtB;;;WAGG;QACH,YAAY,CAAC,EAAE,CAAC,MAAM,EAAE,uBAAuB,EAAE,CAAC,EAAE,OAAO,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;KAC9E,CAAC;IAEF;;;OAGG;IACH,aAAa,CAAC,EAAE,KAAK,CAAC;IAEtB;;;OAGG;IACH,kBAAkB,EAAE,CAAC,OAAO,EAAE,gBAAgB,KAAK,KAAK,CAAC,SAAS,CAAC,CAAC;IAEpE,4DAA4D;IAC5D,oBAAoB,CAAC,EAAE,CAAC,KAAK,EAAE,KAAK,CAAC,cAAc,CAAC,KAAK,KAAK,CAAC,cAAc,CAAC,CAAC;IAE/E;;;;;;;;;;;OAWG;IACH,aAAa,CAAC,EAAE,IAAI,GAAG;QAAC,IAAI,CAAC,EAAE,MAAM,CAAA;KAAC,CAAC;IAEvC,gFAAgF;IAChF,WAAW,CAAC,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;IAE/B;;;;;;;;;;;OAWG;IACH,aAAa,CAAC,EAAE,KAAK,CAAC,eAAe,CAAC,GAAG,CAAC,CAAC,OAAO,EAAE,gBAAgB,KAAK,KAAK,CAAC,eAAe,CAAC,CAAC,CAAC;IAEjG,gHAAgH;IAChH,UAAU,EAAE,CAAC,CAAC,SAAS,CAAC;IAExB,mFAAmF;IACnF,qBAAqB,CAAC,EAAE,KAAK,CAAC,cAAc,CAAC,CAAC;IAE9C,6DAA6D;IAC7D,cAAc,CAAC,EAAE;QAChB,YAAY,EAAE,kBAAkB,CAAC;QACjC,YAAY,CAAC,EAAE,MAAM,CAAC;KACtB,CAAC;IAEF;;;;OAIG;IACH,qBAAqB,CAAC,EAAE,OAAO,CAAC;IAEhC;;;;OAIG;IACH,eAAe,CAAC,EAAE,CAAC,KAAK,EAAE,OAAO,EAAE,OAAO,EAAE,kBAAkB,KAAK,IAAI,CAAC;IAExE,8CAA8C;IAC9C,UAAU,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACrC;AAED,8CAA8C;AAC9C,MAAM,WAAW,gBAAgB;IAChC,IAAI,EAAE,OAAO,CAAC;IACd,OAAO,EAAE,UAAU,CAAC;IACpB,gBAAgB,EAAE,eAAe,CAAC;IAClC,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,yEAAyE;IACzE,eAAe,EAAE,WAAW,GAAG,IAAI,CAAC;IACpC,iFAAiF;IACjF,0BAA0B,EAAE,WAAW,GAAG,IAAI,CAAC;IAC/C,kFAAkF;IAClF,2BAA2B,EAAE,WAAW,GAAG,IAAI,CAAC;IAChD,uGAAuG;IACvG,sBAAsB,EAAE,WAAW,GAAG,IAAI,CAAC;IAC3C,0GAA0G;IAC1G,2BAA2B,EAAE,WAAW,GAAG,IAAI,CAAC;IAChD,2EAA2E;IAC3E,YAAY,EAAE,WAAW,CAAC;IAC1B,oFAAoF;IACpF,SAAS,EAAE,WAAW,GAAG,IAAI,CAAC;CAC9B;AAED,uCAAuC;AACvC,MAAM,WAAW,SAAS;IACzB,GAAG,EAAE,IAAI,CAAC;IACV,wEAAwE;IACxE,YAAY,EAAE,cAAc,CAAC;IAC7B,gBAAgB,EAAE,eAAe,CAAC;IAClC,2EAA2E;IAC3E,YAAY,EAAE,WAAW,CAAC;IAC1B,oGAAoG;IACpG,iBAAiB,EAAE,aAAa,CAAC,eAAe,CAAC,CAAC;IAClD,oFAAoF;IACpF,SAAS,EAAE,WAAW,GAAG,IAAI,CAAC;IAC9B,mEAAmE;IACnE,KAAK,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;CAC3B;AAED,gDAAgD;AAChD,eAAO,MAAM,qBAAqB,QAAc,CAAC;AAEjD;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,iBAAiB,GAAU,SAAS,gBAAgB,KAAG,OAAO,CAAC,SAAS,CAmRpF,CAAC"}
+{"version":3,"file":"app_server.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/server/app_server.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAC,IAAI,EAAE,KAAK,OAAO,EAAC,MAAM,MAAM,CAAC;AAGxC,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAEtB,OAAO,EAEN,KAAK,cAAc,EAEnB,MAAM,2BAA2B,CAAC;AACnC,OAAO,KAAK,EAAC,uBAAuB,EAAC,MAAM,8BAA8B,CAAC;AAC1E,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,oBAAoB,CAAC;AAClD,OAAO,EAGN,KAAK,WAAW,EAChB,MAAM,+BAA+B,CAAC;AAEvC,OAAO,KAAK,EAAC,WAAW,EAAC,MAAM,gCAAgC,CAAC;AAEhE,OAAO,EAKN,KAAK,WAAW,EAChB,MAAM,oBAAoB,CAAC;AAC5B,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,yBAAyB,CAAC;AAC9D,OAAO,KAAK,EAAC,eAAe,EAAC,MAAM,kBAAkB,CAAC;AACtD,OAAO,KAAK,EAAC,OAAO,EAAC,MAAM,iBAAiB,CAAC;AAC7C,OAAO,KAAK,EAAC,UAAU,EAAC,MAAM,kBAAkB,CAAC;AAGjD,OAAO,oBAAoB,CAAC;AAE5B,OAAO,EAA2B,KAAK,kBAAkB,EAAC,MAAM,aAAa,CAAC;AAE9E,OAAO,EAEN,KAAK,cAAc,EAEnB,KAAK,eAAe,EACpB,MAAM,oBAAoB,CAAC;AAC5B,OAAO,EAIN,KAAK,SAAS,EACd,MAAM,uBAAuB,CAAC;AAC/B,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,4BAA4B,CAAC;AAC/D,OAAO,EAGN,KAAK,eAAe,EACpB,MAAM,6BAA6B,CAAC;AASrC;;GAEG;AACH,MAAM,WAAW,kBAAkB;IAClC,0DAA0D;IAC1D,MAAM,EAAE,MAAM,CAAC;IACf,uDAAuD;IACvD,IAAI,EAAE,MAAM,CAAC;CACb;AAED;;;;;GAKG;AACH,MAAM,WAAW,gBAAgB;IAChC,2DAA2D;IAC3D,OAAO,EAAE,UAAU,CAAC;IACpB,6CAA6C;IAC7C,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,sCAAsC;IACtC,eAAe,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IAE/B,6BAA6B;IAC7B,KAAK,EAAE;QACN,eAAe,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;QAC/B,iBAAiB,EAAE,CAAC,CAAC,EAAE,OAAO,KAAK,MAAM,GAAG,SAAS,CAAC;KACtD,CAAC;IAEF;;;;;OAKG;IACH,eAAe,CAAC,EAAE,WAAW,GAAG,IAAI,CAAC;IACrC;;;;;OAKG;IACH,0BAA0B,CAAC,EAAE,WAAW,GAAG,IAAI,CAAC;IAChD;;;;;OAKG;IACH,2BAA2B,CAAC,EAAE,WAAW,GAAG,IAAI,CAAC;IACjD;;;;OAIG;IACH,sBAAsB,CAAC,EAAE,WAAW,GAAG,IAAI,CAAC;IAC5C;;;;;;;;OAQG;IACH,sBAAsB,CAAC,EAAE,WAAW,GAAG,IAAI,CAAC;IAC5C;;;;;;;;OAQG;IACH,2BAA2B,CAAC,EAAE,WAAW,GAAG,IAAI,CAAC;IACjD;;;;OAIG;IACH,aAAa,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC9B,2DAA2D;IAC3D,kBAAkB,CAAC,EAAE,gBAAgB,CAAC;IAEtC,yEAAyE;IACzE,SAAS,CAAC,EAAE;QACX,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;QAC1B,mEAAmE;QACnE,YAAY,CAAC,EAAE,MAAM,CAAC;QACtB;;;WAGG;QACH,YAAY,CAAC,EAAE,CAAC,MAAM,EAAE,uBAAuB,EAAE,CAAC,EAAE,OAAO,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;KAC9E,CAAC;IAEF;;;OAGG;IACH,aAAa,CAAC,EAAE,KAAK,CAAC;IAEtB;;;OAGG;IACH,kBAAkB,EAAE,CAAC,OAAO,EAAE,gBAAgB,KAAK,KAAK,CAAC,SAAS,CAAC,CAAC;IAEpE,4DAA4D;IAC5D,oBAAoB,CAAC,EAAE,CAAC,KAAK,EAAE,KAAK,CAAC,cAAc,CAAC,KAAK,KAAK,CAAC,cAAc,CAAC,CAAC;IAE/E;;;;;;;;;;;;;;OAcG;IACH,aAAa,CAAC,EAAE,IAAI,GAAG;QAAC,IAAI,CAAC,EAAE,MAAM,CAAA;KAAC,CAAC;IAEvC,gFAAgF;IAChF,WAAW,CAAC,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;IAE/B;;;;;;;;;;;OAWG;IACH,aAAa,CAAC,EAAE,KAAK,CAAC,eAAe,CAAC,GAAG,CAAC,CAAC,OAAO,EAAE,gBAAgB,KAAK,KAAK,CAAC,eAAe,CAAC,CAAC,CAAC;IAEjG;;;;OAIG;IACH,UAAU,CAAC,EAAE,CAAC,CAAC,SAAS,CAAC;IAEzB,mFAAmF;IACnF,qBAAqB,CAAC,EAAE,KAAK,CAAC,cAAc,CAAC,CAAC;IAE9C,6DAA6D;IAC7D,cAAc,CAAC,EAAE;QAChB,YAAY,EAAE,kBAAkB,CAAC;QACjC,4DAA4D;QAC5D,IAAI,CAAC,EAAE,MAAM,CAAC;QACd,gEAAgE;QAChE,YAAY,CAAC,EAAE,MAAM,CAAC;QACtB;;;;WAIG;QACH,YAAY,CAAC,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC;KACzC,CAAC;IAEF;;;;OAIG;IACH,qBAAqB,CAAC,EAAE,OAAO,CAAC;IAEhC;;;;OAIG;IACH,eAAe,CAAC,EAAE,CAAC,KAAK,EAAE,OAAO,EAAE,OAAO,EAAE,kBAAkB,KAAK,IAAI,CAAC;IAExE,8CAA8C;IAC9C,UAAU,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACrC;AAED,8CAA8C;AAC9C,MAAM,WAAW,gBAAgB;IAChC,IAAI,EAAE,OAAO,CAAC;IACd,OAAO,EAAE,UAAU,CAAC;IACpB,gBAAgB,EAAE,eAAe,CAAC;IAClC,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,yEAAyE;IACzE,eAAe,EAAE,WAAW,GAAG,IAAI,CAAC;IACpC,iFAAiF;IACjF,0BAA0B,EAAE,WAAW,GAAG,IAAI,CAAC;IAC/C,kFAAkF;IAClF,2BAA2B,EAAE,WAAW,GAAG,IAAI,CAAC;IAChD,uGAAuG;IACvG,sBAAsB,EAAE,WAAW,GAAG,IAAI,CAAC;IAC3C,0GAA0G;IAC1G,2BAA2B,EAAE,WAAW,GAAG,IAAI,CAAC;IAChD,2EAA2E;IAC3E,YAAY,EAAE,WAAW,CAAC;IAC1B;;;;OAIG;IACH,SAAS,EAAE,WAAW,GAAG,IAAI,CAAC;CAC9B;AAED,uCAAuC;AACvC,MAAM,WAAW,SAAS;IACzB,GAAG,EAAE,IAAI,CAAC;IACV,wEAAwE;IACxE,YAAY,EAAE,cAAc,CAAC;IAC7B,gBAAgB,EAAE,eAAe,CAAC;IAClC,2EAA2E;IAC3E,YAAY,EAAE,WAAW,CAAC;IAC1B,oGAAoG;IACpG,iBAAiB,EAAE,aAAa,CAAC,eAAe,CAAC,CAAC;IAClD;;;;OAIG;IACH,SAAS,EAAE,WAAW,GAAG,IAAI,CAAC;IAC9B,mEAAmE;IACnE,KAAK,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;CAC3B;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,eAAO,MAAM,iBAAiB,GAAI,QAAQ;IAAC,SAAS,EAAE,WAAW,GAAG,IAAI,CAAA;CAAC,KAAG,WAO3E,CAAC;AAEF,gDAAgD;AAChD,eAAO,MAAM,qBAAqB,QAAc,CAAC;AAEjD;;;;;;;;;;;;;;;;GAgBG;AACH,eAAO,MAAM,iBAAiB,GAAU,SAAS,gBAAgB,KAAG,OAAO,CAAC,SAAS,CAmRpF,CAAC"}

package/dist/server/app_server.js

@@ -13,6 +13,7 @@ import { bodyLimit } from 'hono/body-limit';
 import { z } from 'zod';
 import { session_cookie_options, } from '../auth/session_cookie.js';
 import { create_audit_log_sse, audit_log_event_specs, } from '../realtime/sse_auth_guard.js';
+import { BaseServerEnv } from './env.js';
 import { query_app_settings_load } from '../auth/app_settings_queries.js';
 import { create_rate_limiter, default_login_account_rate_limit, default_action_account_rate_limit, default_action_ip_rate_limit, } from '../rate_limiter.js';
 // Side-effect import: augments Hono's ContextVariableMap so consumers
@@ -31,6 +32,29 @@ import { fuz_auth_guard_resolver } from '../auth/auth_guard_resolver.js';
 import { create_fuz_authorization_handler } from '../auth/request_context.js';
 import { ERROR_PAYLOAD_TOO_LARGE } from '../http/error_schemas.js';
 import { create_rpc_endpoint } from '../actions/action_rpc.js';
+/**
+ * Assert that `audit_sse` was wired by `create_app_server` and return it
+ * as a non-null `AuditLogSse`. Throws a labelled error when the
+ * `audit_log_sse` option was not passed to `create_app_server`.
+ *
+ * Use in route factories that depend on factory-managed audit SSE:
+ *
+ * ```ts
+ * create_route_specs: (ctx) => create_audit_log_route_specs({
+ *   stream: require_audit_sse(ctx),
+ * }),
+ * ```
+ *
+ * Preferred over `ctx.audit_sse!` — `!` lies to the type system and
+ * produces a downstream cannot-read-property crash if a consumer wires
+ * the route without enabling the option.
+ */
+export const require_audit_sse = (source) => {
+    if (!source.audit_sse) {
+        throw new Error('audit_sse is null — pass `audit_log_sse: true` (or `{role}`) in `AppServerOptions`');
+    }
+    return source.audit_sse;
+};
 /** Default maximum request body size: 1 MiB. */
 export const DEFAULT_MAX_BODY_SIZE = 1024 * 1024;
 /**
@@ -42,7 +66,11 @@ export const DEFAULT_MAX_BODY_SIZE = 1024 * 1024;
  * pass `migration_namespaces` to `create_app_backend`.
  *
  * When `audit_log_sse` is set, the SSE registry's listener is appended to
- * `backend.deps.audit.on_event_chain` — no shallow-copy of `AppDeps`.
+ * `backend.deps.audit.on_event_chain` — no shallow-copy of `AppDeps`. The
+ * `audit_sse` field on the returned `AppServer` (and the
+ * `AppServerContext` passed to `create_route_specs`) is non-null in that
+ * case; consumers can call `require_audit_sse(ctx)` / `require_audit_sse(server)`
+ * to assert the invariant.
  *
  * @returns assembled Hono app, backend, surface build, and bootstrap status
  */
@@ -161,7 +189,7 @@ export const create_app_server = async (options) => {
     const surface_spec = create_app_surface_spec({
         middleware_specs: surface_middleware,
         route_specs,
-        env_schema: options.env_schema,
+        env_schema: options.env_schema ?? BaseServerEnv,
         event_specs: all_event_specs,
         rpc_endpoints: resolved_rpc_endpoints,
     });
@@ -269,8 +297,8 @@ export const create_app_server = async (options) => {
     }
     // Static file serving
     if (options.static_serving) {
-        const { serve_static, spa_fallback } = options.static_serving;
-        for (const mw of create_static_middleware(serve_static, { spa_fallback })) {
+        const { serve_static, root, spa_fallback, is_spa_route } = options.static_serving;
+        for (const mw of create_static_middleware(serve_static, { root, spa_fallback, is_spa_route })) {
             app.use('/*', mw);
         }
     }

package/dist/testing/CLAUDE.md

@@ -6,23 +6,17 @@ round-trip harnesses. Consumers import these to assemble their own test suites
 against a fuz_app-derived server.
 
 For narrative wiring examples (how to call these from a consumer's vitest
-setup), see `../../../docs/testing.md`. For fuz_app's own test suite
-conventions (`.db.test.ts` suffix, the `db` vitest project, `assert_rejects`),
-see `../../test/CLAUDE.md`. This file is a reference index for the helpers
-themselves.
+setup), see ../../../docs/testing.md. For fuz_app's own test suite
+conventions, see ../../test/CLAUDE.md. For shared testing conventions
+(`.db.test.ts`, `assert` from vitest, `assert_rejects`, `vi.mock` caveats),
+see Skill(fuz-stack) testing-patterns. This file is a reference index for
+the helpers themselves.
 
 ## Production guard — always the first import
 
-Every module in this directory starts with `import './assert_dev_env.js';`
-as its first line. The side-effect import reads `DEV` from `esm-env` and
-throws if it is false — preventing accidental inclusion in production
-bundles. SvelteKit and Vite set `DEV` correctly for dev + tests; the
-production code path explodes at the first testing-module import.
-
-When adding a new module to this directory, make this import the first
-line. The convention is enforced by grep, not by a linter — break it and
-the production bundle still builds, then crashes at runtime on first
-module load.
+Every module here starts with `import './assert_dev_env.js';` — reads `DEV`
+from `esm-env` and throws if false, preventing production-bundle inclusion.
+Enforced by grep, not a linter; make this the first line in new modules.
 
 ## Stubs, factories, mocks
 
@@ -40,7 +34,7 @@ module load.
 | `create_stub_app_deps()`                              | Factory returning fresh `AppDeps` with no-op FS/keyring/password, a `create_noop_stub` DB, silent `Logger`, no-op `audit`.                                                                                                                                                                                                                                                                                                                                                                                                          |
 | `create_test_audit_emitter()`                         | No-op `AuditEmitter` for tests that don't assert on audit fan-out. `emit` / `emit_role_grant_target` are no-ops; `emit_pool` resolves immediately; `notify` is a no-op; `on_event_chain` is empty.                                                                                                                                                                                                                                                                                                                                  |
 | `create_stub_audit_sse()`                             | No-op `AuditLogSse` for surface-test wiring without booting real SSE. `subscribe` returns a no-op cleanup; `on_audit_event` is a no-op; the `registry` is a fresh `SubscriberRegistry` (live `.size` / `.close_*` for tests touching registry state, isolated per call). For real SSE plumbing, build via `create_audit_log_sse` against `create_test_app`.                                                                                                                                                                         |
-| `create_stub_api_middleware({include_daemon_token?})` | Stub `MiddlewareSpec[]` matching `create_auth_middleware_specs`'s output (origin/session/request_context/bearer_auth, optional daemon_token) for surface generation without booting real auth. See `../auth/CLAUDE.md` §Middleware for the real stack.                                                                                                                                                                                                                                                                              |
+| `create_stub_api_middleware({include_daemon_token?})` | Stub `MiddlewareSpec[]` matching `create_auth_middleware_specs`'s output (origin/session/request_context/bearer_auth, optional daemon_token) for surface generation without booting real auth. See `auth/CLAUDE.md` §Middleware for the real stack.                                                                                                                                                                                                                                                                                 |
 | `create_stub_app_server_context(session_options)`     | Stub `AppServerContext` — rate limiters null, `bootstrap_status.available: false`, `app_settings.open_signup: false`.                                                                                                                                                                                                                                                                                                                                                                                                               |
 | `create_test_app_surface_spec(options)`               | Builds an `AppSurfaceSpec` that mirrors `create_app_server`'s route assembly: consumer routes + factory-managed bootstrap routes (prefixed via `bootstrap_route_prefix`, default `'/api/account'`) + stub middleware + surface generation. `CreateTestAppSurfaceSpecOptions` accepts `session_options`, `create_route_specs`, `env_schema?`, `event_specs?`, `rpc_endpoints?`, `transform_middleware?`, `bootstrap_route_prefix?`. Single source of truth for attack-surface tests — track `create_app_server` wiring changes here. |
 
@@ -572,7 +566,7 @@ Options: `{session_options, create_route_specs, app_options?, db_factories?}`.
 
 7 test groups covering admin surface: account listing, role_grant grant
 lifecycle (via `role_grant_offer_create` + `role_grant_revoke` RPC flows —
-**not** REST; see `../auth/CLAUDE.md` for `role_grant_offer_action_specs.ts` + `role_grant_offer_actions.ts`), session / token management, audit log reads (RPC),
+**not** REST; see `auth/CLAUDE.md` for `role_grant_offer_action_specs.ts` + `role_grant_offer_actions.ts`), session / token management, audit log reads (RPC),
 admin-to-admin isolation, error coverage, response schema validation.
 
 Required options: `{session_options, create_route_specs, roles: RoleSchemaResult, rpc_endpoints: RpcEndpointsSuiteOption, admin_prefix?, app_options?, db_factories?}`.
@@ -688,7 +682,7 @@ Registry lookups:
    - unauthenticated → `unauthenticated` (code -32001)
    - wrong role → `forbidden` (-32002)
    - authenticated without role → `forbidden`
-   - **keeper rejects non-daemon credentials** — session and api_token credentials are rejected even when the account has the keeper role (only `daemon_token` passes). The credential-type gate fires before the role gate (see `../auth/CLAUDE.md` §`request_context.ts` for `require_credential_types`).
+   - **keeper rejects non-daemon credentials** — session and api_token credentials are rejected even when the account has the keeper role (only `daemon_token` passes). The credential-type gate fires before the role gate (see `auth/CLAUDE.md` §`request_context.ts` for `require_credential_types`).
    - correct auth passes (not 401/403)
    - GET unauthenticated for `side_effects: false` reads
 2. **RPC adversarial envelopes** — fixed set exercising dispatcher steps 1–2: non-JSON body, wrong `jsonrpc` version, missing `jsonrpc` / `method` / `id`, batch array, unknown method, GET missing `method`/`id`, GET invalid JSON params, GET non-object params, GET mutation method → `invalid_request`.
@@ -700,47 +694,37 @@ deps — no DB needed.
 Options: `{build: () => AppSurfaceSpec, roles: Array<string>}`.
 
 **Opt-in bundles need their own per-bundle suite file.** Action bundles
-not folded into `create_standard_rpc_actions` (today `self_service_role_actions`
-and `actor_lookup_actions`) get zero adversarial / round-trip coverage
-from `describe_rpc_attack_surface_tests` + `describe_rpc_round_trip_tests`
-unless the consumer ships a `<module>.rpc_suites.db.test.ts` mounting the
-opt-in factory on the RPC endpoint and calling both suites. See
-`../../test/CLAUDE.md` §Composable Test Suites for the obligation note
-and `actor_lookup_actions.rpc_suites.db.test.ts` /
-`role_grant_offer_actions.rpc_suites.db.test.ts` as templates.
+not folded into `create_standard_rpc_actions` (today `self_service_role_actions`,
+`actor_lookup_actions`, and `actor_search_actions`) get zero adversarial
+/ round-trip coverage from `describe_rpc_attack_surface_tests` +
+`describe_rpc_round_trip_tests` unless the consumer ships a
+`<module>.rpc_suites.db.test.ts` mounting the opt-in factory on the RPC
+endpoint and calling both suites. See ../../test/CLAUDE.md §Composable
+Test Suites for the obligation note; existing
+../../test/auth/\*.rpc_suites.db.test.ts files are templates.
 
 ## Cross-cutting conventions
 
-- **`assert` from vitest, not `expect`.** Project-wide convention
-  (mirrored in `src/test/CLAUDE.md`). Use `assert_rejects` from
-  `@fuzdev/fuz_util/testing.js` for async rejection assertions.
-- **`.db.test.ts` suffix** for any test file that instantiates a `Db`
-  (directly or via `create_test_app`, `create_describe_db`,
-  `create_pglite_factory`). The suffix opts the file into the `db`
-  vitest project (`isolate: false`, `fileParallelism: false`) so the
-  PGlite WASM cache is shared across every DB test file.
+Shared conventions (`.db.test.ts` suffix, `isolate: false` semantics,
+`assert` from vitest, `assert_rejects`, `vi.mock` avoidance under
+`isolate: false`) live in Skill(fuz-stack) testing-patterns.
+fuz_app-specific points:
+
 - **`await_pending_effects: true`** is set by `create_test_app`.
   Fire-and-forget effects (audit logs, session touches, WS fan-out via
   `emit_after_commit`) resolve before the response returns, so tests
   can assert on side effects inline without manual flushing.
-- **Avoid `vi.mock()` inside `.db.test.ts`.** With `isolate: false`,
-  module-level mocks leak across files. When a mock is unavoidable
-  (e.g. `middleware.ts` uses them module-level for bearer auth tests),
-  always pair with `vi.restoreAllMocks()` in `afterEach` to contain
-  the blast radius.
-- **Deep-path imports only.** `testing/` follows the package
-  convention — import from the canonical module (`./db.js`,
-  `./rpc_helpers.js`, etc.), never a barrel. fuz_app's `dist/` doesn't
-  ship one.
-- **DI via small `*Deps` interfaces.** Stub factories here accept the
-  same narrow `*Deps` contracts production code uses — never
-  `Pick<GodType, ...>`. New helpers that need env/fs/logger access
-  should take `EnvDeps` / `FsReadDeps` / `Logger` from
-  `runtime/deps.ts` or `@fuzdev/fuz_util/log.js`.
+- **Deep-path imports only.** Import from the canonical module
+  (`testing/db.js`, `testing/rpc_helpers.js`, etc.); fuz_app's `dist/` ships no
+  barrel.
+- **DI via small `*Deps` interfaces.** Stub factories accept the same
+  narrow `*Deps` contracts production code uses — never
+  `Pick<GodType, ...>`. New helpers needing env/fs/logger take
+  `EnvDeps` / `FsReadDeps` / `Logger` from `runtime/deps.ts` or
+  `@fuzdev/fuz_util/log.js`.
 - **Keep the shared echo routes in sync with public surface.** When
   middleware or public API gains a new context variable, header, or
   field, update the echo in `middleware.ts`
   (`create_bearer_auth_test_app`, `create_test_middleware_stack_app`)
-  alongside the assertions in `src/test/auth/*.test.ts`. The two move
-  together — drift between them shows up as a missed assertion, not a
-  test failure.
+  alongside the assertions in `src/test/auth/*.test.ts`. Drift surfaces
+  as a missed assertion, not a test failure.

package/dist/testing/audit_completeness.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"audit_completeness.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/audit_completeness.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAkB7B,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,2BAA2B,CAAC;AAC9D,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,yBAAyB,CAAC;AAC9D,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAIrD,OAAO,EAGN,KAAK,eAAe,EAEpB,MAAM,iBAAiB,CAAC;AACzB,OAAO,EAIN,KAAK,SAAS,EACd,MAAM,SAAS,CAAC;AAKjB,OAAO,EAIN,KAAK,uBAAuB,EAC5B,MAAM,kBAAkB,CAAC;AAqB1B;;GAEG;AACH,MAAM,WAAW,4BAA4B;IAC5C,4CAA4C;IAC5C,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,wDAAwD;IACxD,kBAAkB,EAAE,CAAC,GAAG,EAAE,gBAAgB,KAAK,KAAK,CAAC,SAAS,CAAC,CAAC;IAChE;;;;;;;;;;;OAWG;IACH,aAAa,EAAE,uBAAuB,CAAC;IACvC,iDAAiD;IACjD,WAAW,CAAC,EAAE,eAAe,CAAC;IAC9B,qEAAqE;IACrE,YAAY,CAAC,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;CAChC;AAoDD;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,iCAAiC,GAAI,SAAS,4BAA4B,KAAG,IAkgBzF,CAAC"}
+{"version":3,"file":"audit_completeness.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/audit_completeness.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAkB7B,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,2BAA2B,CAAC;AAC9D,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,yBAAyB,CAAC;AAC9D,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAIrD,OAAO,EAGN,KAAK,eAAe,EAEpB,MAAM,iBAAiB,CAAC;AACzB,OAAO,EAIN,KAAK,SAAS,EACd,MAAM,SAAS,CAAC;AAKjB,OAAO,EAIN,KAAK,uBAAuB,EAC5B,MAAM,kBAAkB,CAAC;AAqB1B;;GAEG;AACH,MAAM,WAAW,4BAA4B;IAC5C,4CAA4C;IAC5C,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,wDAAwD;IACxD,kBAAkB,EAAE,CAAC,GAAG,EAAE,gBAAgB,KAAK,KAAK,CAAC,SAAS,CAAC,CAAC;IAChE;;;;;;;;;;;OAWG;IACH,aAAa,EAAE,uBAAuB,CAAC;IACvC,iDAAiD;IACjD,WAAW,CAAC,EAAE,eAAe,CAAC;IAC9B,qEAAqE;IACrE,YAAY,CAAC,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;CAChC;AA2ED;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,iCAAiC,GAAI,SAAS,4BAA4B,KAAG,IAihBzF,CAAC"}

package/dist/testing/audit_completeness.js

@@ -27,12 +27,23 @@ import { admin_session_revoke_all_action_spec, admin_token_revoke_all_action_spe
 import { account_session_list_action_spec, account_session_revoke_action_spec, account_session_revoke_all_action_spec, account_token_create_action_spec, account_token_list_action_spec, account_token_revoke_action_spec, } from '../auth/account_action_specs.js';
 /** Query audit log events from the database. */
 const query_audit_events = async (db) => {
-    return db.query('SELECT event_type, seq FROM audit_log ORDER BY seq');
+    return db.query('SELECT event_type, seq, metadata FROM audit_log ORDER BY seq');
 };
 /** Assert that audit events contain the expected event type. */
 const assert_has_event = (events, expected, context) => {
     assert.ok(events.some((e) => e.event_type === expected), `Expected '${expected}' audit event after ${context}`);
 };
+/**
+ * Assert that an event type was emitted with the expected `credential_type`
+ * recorded in metadata — defense-in-depth coverage for the spec gate
+ * documented in `docs/security.md` §Credential-channel gating.
+ */
+const assert_event_credential_type = (events, expected, credential_type, context) => {
+    const match = events.find((e) => e.event_type === expected);
+    assert.ok(match, `Expected '${expected}' audit event after ${context}`);
+    const recorded = (match.metadata ?? {}).credential_type;
+    assert.strictEqual(recorded, credential_type, `Expected '${expected}' audit metadata.credential_type === '${credential_type}' after ${context} (got ${JSON.stringify(recorded)})`);
+};
 /** Build CreateTestAppOptions with admin+keeper roles. */
 const build_options = (options, db) => ({
     session_options: options.session_options,
@@ -138,6 +149,7 @@ export const describe_audit_completeness_tests = (options) => {
                 assert.ok(res.ok, `account_token_create failed: ${res.ok ? '' : JSON.stringify(res.error)}`);
                 const events = await query_audit_events(test_app.backend.deps.db);
                 assert_has_event(events, 'token_create', 'account_token_create RPC');
+                assert_event_credential_type(events, 'token_create', 'session', 'account_token_create RPC');
             });
             test('token revoke produces token_revoke event', async () => {
                 const test_app = await create_test_app(build_options(options, get_db()));
@@ -162,6 +174,7 @@ export const describe_audit_completeness_tests = (options) => {
                 assert.ok(res.ok, `account_token_revoke failed: ${res.ok ? '' : JSON.stringify(res.error)}`);
                 const events = await query_audit_events(test_app.backend.deps.db);
                 assert_has_event(events, 'token_revoke', 'account_token_revoke RPC');
+                assert_event_credential_type(events, 'token_revoke', 'session', 'account_token_revoke RPC');
             });
             test('session revoke produces session_revoke event', async () => {
                 const test_app = await create_test_app(build_options(options, get_db()));
@@ -198,6 +211,7 @@ export const describe_audit_completeness_tests = (options) => {
                 assert.ok(res.ok, `account_session_revoke failed: ${res.ok ? '' : JSON.stringify(res.error)}`);
                 const events = await query_audit_events(test_app.backend.deps.db);
                 assert_has_event(events, 'session_revoke', 'account_session_revoke RPC');
+                assert_event_credential_type(events, 'session_revoke', 'session', 'account_session_revoke RPC');
             });
             test('session revoke-all produces session_revoke_all event', async () => {
                 const test_app = await create_test_app(build_options(options, get_db()));
@@ -211,6 +225,7 @@ export const describe_audit_completeness_tests = (options) => {
                 assert.ok(res.ok, `account_session_revoke_all failed: ${res.ok ? '' : JSON.stringify(res.error)}`);
                 const events = await query_audit_events(test_app.backend.deps.db);
                 assert_has_event(events, 'session_revoke_all', 'account_session_revoke_all RPC');
+                assert_event_credential_type(events, 'session_revoke_all', 'session', 'account_session_revoke_all RPC');
             });
             test('password change produces password_change event', async () => {
                 const test_app = await create_test_app(build_options(options, get_db()));
@@ -227,6 +242,7 @@ export const describe_audit_completeness_tests = (options) => {
                 assert.strictEqual(res.status, 200);
                 const events = await query_audit_events(test_app.backend.deps.db);
                 assert_has_event(events, 'password_change', 'POST /password');
+                assert_event_credential_type(events, 'password_change', 'session', 'POST /password');
             });
         });
         // --- Admin routes ---

package/dist/ui/CLAUDE.md

@@ -5,14 +5,16 @@ utilities. Cookie-based SPA auth; prerendered static HTML served by Hono
 (no SvelteKit SSR for sessions). State classes hold one or more `AsyncSlot`s
 via composition (one per distinct async operation — e.g. `list` + `create` +
 `revoke`); per-row write ops use `KeyedAsyncSlot<K, T = void, E = string>`
-(supersedes the old `AsyncSlot` + `SvelteSet<id>` pair) so concurrent rows
-don't abort each other and failures surface per-row via `slot.error(key)`.
-Payload lives as `$state.raw` fields on the class. Shared dependencies flow
-through Svelte context, never through props — RPC adapters in particular
-are provisioned once at the admin shell and read by every `Admin*.svelte`.
+so concurrent rows don't abort each other and failures surface per-row via
+`slot.error(key)`. Payload lives as `$state.raw` fields on the class.
+Shared dependencies flow through Svelte context, never through props —
+RPC adapters are provisioned once at the admin shell and read by every
+`Admin*.svelte`.
 
-See ../../docs/usage.md for end-to-end wiring examples (sections "Role grant
-offer UI" and "Admin UI"). This file is a reference, not a tutorial.
+For Svelte 5 patterns (runes, inline `$props`, contexts, snippets,
+attachments), see Skill(fuz-stack) svelte-patterns. See ../../docs/usage.md
+for end-to-end wiring examples ("Role grant offer UI", "Admin UI"). This
+file is a reference, not a tutorial.
 
 ## Key patterns
 
@@ -67,15 +69,8 @@ it. Six methods land on the reducer: `role_grant_offer_received` /
 `_retracted` / `_accepted` / `_declined` / `_supersede` all merge a
 `{offer}` payload; `role_grant_revoke` is ignored at this layer (role_grant
 lifecycle lives in auth/role_grants state). The six notification specs and
-their payload shapes are defined in `../auth/role_grant_offer_notifications.ts`
-(see `../auth/CLAUDE.md` §WS notifications).
-
-### Svelte 5 inline `$props` shape
-
-Always `const {...}: {...} = $props()` — never `interface Props`.
-Destructure defaults in the binding list; put the type literal inline.
-This matches the user-memory Svelte props rule and the existing file
-conventions.
+their payload shapes are defined in `auth/role_grant_offer_notifications.ts`
+(see `auth/CLAUDE.md` §WS notifications).
 
 ### Context over props for shared deps
 
@@ -184,8 +179,8 @@ destructive actions.
   reason codes with friendly copy: `ERROR_ROLE_GRANT_OFFER_SELF_TARGET`,
   `ERROR_ROLE_GRANT_OFFER_ROLE_NOT_GRANTABLE`, `ERROR_ROLE_GRANT_OFFER_NOT_AUTHORIZED`,
   `ERROR_ROLE_GRANT_OFFER_ACTOR_ACCOUNT_MISMATCH`, `ERROR_ROLE_GRANT_OFFER_ACTOR_MISMATCH`
-  — imported from `../auth/role_grant_offer_action_specs.js` (see
-  `../auth/CLAUDE.md` for `role_grant_offer_action_specs.ts` +
+  — imported from `auth/role_grant_offer_action_specs.js` (see
+  `auth/CLAUDE.md` for `role_grant_offer_action_specs.ts` +
   `role_grant_offer_actions.ts`).
 - `RoleGrantOfferHistory.svelte` — both-directions history (recipient +
   grantor, including terminal). Props: `current_actor_id: string | null`

package/dist/ui/keyed_async_slot.svelte.d.ts

@@ -56,7 +56,7 @@ export type KeyedAsyncSlotOptions<T, E = string> = Omit<AsyncSlotOptions<T, E>,
  *
  * @typeParam K - The key type. Map identity is SameValueZero — branded
  *   strings (`Uuid`) work directly. For composite keys, stringify at
- *   the call site (e.g. `` `${account_id}:${role}` ``).
+ *   the call site (e.g. "`${account_id}:${role}`").
  * @typeParam T - The success payload type. Use `void` for write-only
  *   actions whose response isn't worth retaining.
  * @typeParam E - The shape of per-key `error(key)`. Defaults to

package/dist/ui/keyed_async_slot.svelte.js

@@ -48,7 +48,7 @@ import { AsyncSlot } from './async_slot.svelte.js';
  *
  * @typeParam K - The key type. Map identity is SameValueZero — branded
  *   strings (`Uuid`) work directly. For composite keys, stringify at
- *   the call site (e.g. `` `${account_id}:${role}` ``).
+ *   the call site (e.g. "`${account_id}:${role}`").
  * @typeParam T - The success payload type. Use `void` for write-only
  *   actions whose response isn't worth retaining.
  * @typeParam E - The shape of per-key `error(key)`. Defaults to

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@fuzdev/fuz_app",
-  "version": "0.61.0",
+  "version": "0.63.0",
   "description": "fullstack app library",
   "glyph": "🗝",
   "logo": "logo.svg",