@fuzdev/fuz_app 0.62.0 → 0.63.0

package/dist/testing/audit_completeness.js

@@ -27,12 +27,23 @@ import { admin_session_revoke_all_action_spec, admin_token_revoke_all_action_spe
 import { account_session_list_action_spec, account_session_revoke_action_spec, account_session_revoke_all_action_spec, account_token_create_action_spec, account_token_list_action_spec, account_token_revoke_action_spec, } from '../auth/account_action_specs.js';
 /** Query audit log events from the database. */
 const query_audit_events = async (db) => {
-    return db.query('SELECT event_type, seq FROM audit_log ORDER BY seq');
+    return db.query('SELECT event_type, seq, metadata FROM audit_log ORDER BY seq');
 };
 /** Assert that audit events contain the expected event type. */
 const assert_has_event = (events, expected, context) => {
     assert.ok(events.some((e) => e.event_type === expected), `Expected '${expected}' audit event after ${context}`);
 };
+/**
+ * Assert that an event type was emitted with the expected `credential_type`
+ * recorded in metadata — defense-in-depth coverage for the spec gate
+ * documented in `docs/security.md` §Credential-channel gating.
+ */
+const assert_event_credential_type = (events, expected, credential_type, context) => {
+    const match = events.find((e) => e.event_type === expected);
+    assert.ok(match, `Expected '${expected}' audit event after ${context}`);
+    const recorded = (match.metadata ?? {}).credential_type;
+    assert.strictEqual(recorded, credential_type, `Expected '${expected}' audit metadata.credential_type === '${credential_type}' after ${context} (got ${JSON.stringify(recorded)})`);
+};
 /** Build CreateTestAppOptions with admin+keeper roles. */
 const build_options = (options, db) => ({
     session_options: options.session_options,
@@ -138,6 +149,7 @@ export const describe_audit_completeness_tests = (options) => {
                 assert.ok(res.ok, `account_token_create failed: ${res.ok ? '' : JSON.stringify(res.error)}`);
                 const events = await query_audit_events(test_app.backend.deps.db);
                 assert_has_event(events, 'token_create', 'account_token_create RPC');
+                assert_event_credential_type(events, 'token_create', 'session', 'account_token_create RPC');
             });
             test('token revoke produces token_revoke event', async () => {
                 const test_app = await create_test_app(build_options(options, get_db()));
@@ -162,6 +174,7 @@ export const describe_audit_completeness_tests = (options) => {
                 assert.ok(res.ok, `account_token_revoke failed: ${res.ok ? '' : JSON.stringify(res.error)}`);
                 const events = await query_audit_events(test_app.backend.deps.db);
                 assert_has_event(events, 'token_revoke', 'account_token_revoke RPC');
+                assert_event_credential_type(events, 'token_revoke', 'session', 'account_token_revoke RPC');
             });
             test('session revoke produces session_revoke event', async () => {
                 const test_app = await create_test_app(build_options(options, get_db()));
@@ -198,6 +211,7 @@ export const describe_audit_completeness_tests = (options) => {
                 assert.ok(res.ok, `account_session_revoke failed: ${res.ok ? '' : JSON.stringify(res.error)}`);
                 const events = await query_audit_events(test_app.backend.deps.db);
                 assert_has_event(events, 'session_revoke', 'account_session_revoke RPC');
+                assert_event_credential_type(events, 'session_revoke', 'session', 'account_session_revoke RPC');
             });
             test('session revoke-all produces session_revoke_all event', async () => {
                 const test_app = await create_test_app(build_options(options, get_db()));
@@ -211,6 +225,7 @@ export const describe_audit_completeness_tests = (options) => {
                 assert.ok(res.ok, `account_session_revoke_all failed: ${res.ok ? '' : JSON.stringify(res.error)}`);
                 const events = await query_audit_events(test_app.backend.deps.db);
                 assert_has_event(events, 'session_revoke_all', 'account_session_revoke_all RPC');
+                assert_event_credential_type(events, 'session_revoke_all', 'session', 'account_session_revoke_all RPC');
             });
             test('password change produces password_change event', async () => {
                 const test_app = await create_test_app(build_options(options, get_db()));
@@ -227,6 +242,7 @@ export const describe_audit_completeness_tests = (options) => {
                 assert.strictEqual(res.status, 200);
                 const events = await query_audit_events(test_app.backend.deps.db);
                 assert_has_event(events, 'password_change', 'POST /password');
+                assert_event_credential_type(events, 'password_change', 'session', 'POST /password');
             });
         });
         // --- Admin routes ---

package/dist/ui/CLAUDE.md

@@ -5,14 +5,16 @@ utilities. Cookie-based SPA auth; prerendered static HTML served by Hono
 (no SvelteKit SSR for sessions). State classes hold one or more `AsyncSlot`s
 via composition (one per distinct async operation — e.g. `list` + `create` +
 `revoke`); per-row write ops use `KeyedAsyncSlot<K, T = void, E = string>`
-(supersedes the old `AsyncSlot` + `SvelteSet<id>` pair) so concurrent rows
-don't abort each other and failures surface per-row via `slot.error(key)`.
-Payload lives as `$state.raw` fields on the class. Shared dependencies flow
-through Svelte context, never through props — RPC adapters in particular
-are provisioned once at the admin shell and read by every `Admin*.svelte`.
+so concurrent rows don't abort each other and failures surface per-row via
+`slot.error(key)`. Payload lives as `$state.raw` fields on the class.
+Shared dependencies flow through Svelte context, never through props —
+RPC adapters are provisioned once at the admin shell and read by every
+`Admin*.svelte`.
 
-See ../../docs/usage.md for end-to-end wiring examples (sections "Role grant
-offer UI" and "Admin UI"). This file is a reference, not a tutorial.
+For Svelte 5 patterns (runes, inline `$props`, contexts, snippets,
+attachments), see Skill(fuz-stack) svelte-patterns. See ../../docs/usage.md
+for end-to-end wiring examples ("Role grant offer UI", "Admin UI"). This
+file is a reference, not a tutorial.
 
 ## Key patterns
 
@@ -67,15 +69,8 @@ it. Six methods land on the reducer: `role_grant_offer_received` /
 `_retracted` / `_accepted` / `_declined` / `_supersede` all merge a
 `{offer}` payload; `role_grant_revoke` is ignored at this layer (role_grant
 lifecycle lives in auth/role_grants state). The six notification specs and
-their payload shapes are defined in `../auth/role_grant_offer_notifications.ts`
-(see `../auth/CLAUDE.md` §WS notifications).
-
-### Svelte 5 inline `$props` shape
-
-Always `const {...}: {...} = $props()` — never `interface Props`.
-Destructure defaults in the binding list; put the type literal inline.
-This matches the user-memory Svelte props rule and the existing file
-conventions.
+their payload shapes are defined in `auth/role_grant_offer_notifications.ts`
+(see `auth/CLAUDE.md` §WS notifications).
 
 ### Context over props for shared deps
 
@@ -184,8 +179,8 @@ destructive actions.
   reason codes with friendly copy: `ERROR_ROLE_GRANT_OFFER_SELF_TARGET`,
   `ERROR_ROLE_GRANT_OFFER_ROLE_NOT_GRANTABLE`, `ERROR_ROLE_GRANT_OFFER_NOT_AUTHORIZED`,
   `ERROR_ROLE_GRANT_OFFER_ACTOR_ACCOUNT_MISMATCH`, `ERROR_ROLE_GRANT_OFFER_ACTOR_MISMATCH`
-  — imported from `../auth/role_grant_offer_action_specs.js` (see
-  `../auth/CLAUDE.md` for `role_grant_offer_action_specs.ts` +
+  — imported from `auth/role_grant_offer_action_specs.js` (see
+  `auth/CLAUDE.md` for `role_grant_offer_action_specs.ts` +
   `role_grant_offer_actions.ts`).
 - `RoleGrantOfferHistory.svelte` — both-directions history (recipient +
   grantor, including terminal). Props: `current_actor_id: string | null`

package/dist/ui/keyed_async_slot.svelte.d.ts

@@ -56,7 +56,7 @@ export type KeyedAsyncSlotOptions<T, E = string> = Omit<AsyncSlotOptions<T, E>,
  *
  * @typeParam K - The key type. Map identity is SameValueZero — branded
  *   strings (`Uuid`) work directly. For composite keys, stringify at
- *   the call site (e.g. `` `${account_id}:${role}` ``).
+ *   the call site (e.g. "`${account_id}:${role}`").
  * @typeParam T - The success payload type. Use `void` for write-only
  *   actions whose response isn't worth retaining.
  * @typeParam E - The shape of per-key `error(key)`. Defaults to

package/dist/ui/keyed_async_slot.svelte.js

@@ -48,7 +48,7 @@ import { AsyncSlot } from './async_slot.svelte.js';
  *
  * @typeParam K - The key type. Map identity is SameValueZero — branded
  *   strings (`Uuid`) work directly. For composite keys, stringify at
- *   the call site (e.g. `` `${account_id}:${role}` ``).
+ *   the call site (e.g. "`${account_id}:${role}`").
  * @typeParam T - The success payload type. Use `void` for write-only
  *   actions whose response isn't worth retaining.
  * @typeParam E - The shape of per-key `error(key)`. Defaults to

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@fuzdev/fuz_app",
-  "version": "0.62.0",
+  "version": "0.63.0",
   "description": "fullstack app library",
   "glyph": "🗝",
   "logo": "logo.svg",