@fuzdev/fuz_app 0.62.0 → 0.64.0

package/dist/actions/CLAUDE.md

@@ -12,12 +12,13 @@ server-authoritative dispatch, role-grant-offer UI integration) see
 ../../docs/usage.md §Deriving Route/Event Specs, §Single JSON-RPC 2.0 Endpoint,
 §WebSocket Endpoint. For DEV-only output validation semantics see
 ../../docs/architecture.md §DEV-only Output Validation. For the SAES
-binding matrix and middleware ordering see the root `../../CLAUDE.md`
+binding matrix and middleware ordering see the root ../../CLAUDE.md
 §Action Spec System (SAES) and §Middleware Ordering.
 
 IMPORTANT: Every exported Zod schema is paired with a same-named `z.infer`
-type export. When adding new schemas, keep the pair invariant — it is the
-convention callers rely on for type imports.
+type export — the convention callers rely on for type imports. When adding
+new schemas, keep the pair invariant (ecosystem-wide rule; see
+Skill(fuz-stack) zod-schemas).
 
 NOTE: `ActionRegistry` keeps a few pre-built getters (auth filters,
 initiator-direction filters) that codegen doesn't consume today — kept
@@ -53,10 +54,10 @@ declarative metadata for consumers (codegen, UI form-state matching, docs)
 to read off the spec instead of scanning handler code. No runtime
 enforcement — drift between declared reasons and what handlers actually
 throw is caught per-module by source-scanning unit tests (see
-`../../test/auth/role_grant_offer_actions.error_reasons.test.ts`). Reuses
+../../test/auth/role*grant_offer_actions.error_reasons.test.ts). Reuses
 the same `as const` string constants the handler throws (e.g.
-`ERROR_ROLE_GRANT_OFFER_*` from `../auth/role_grant_offer_action_specs.ts`,
-`ERROR_ROLE_GRANT_NOT_FOUND` from `../http/error_schemas.ts`) so call
+`ERROR_ROLE_GRANT_OFFER*\*`from`auth/role_grant_offer_action_specs.ts`,
+`ERROR_ROLE_GRANT_NOT_FOUND`from`http/error_schemas.ts`) so call
 sites can import either side. Standard transport errors (validation,
 auth, rate-limit) stay implicit.
 
@@ -119,7 +120,7 @@ The remaining asymmetry today is runtime: there is no
 `Promise<Result<{value}, {error}>>` shape `FrontendActionsApi` methods
 return. Closing those gaps is on the deferred follow-up set in the
 [SAES RPC closeout](https://github.com/ryanatkn/grimoire/blob/main/quests/HISTORY.md#saes-rpc-direction-2026-04)
-(grimoire `lore/fuz_app/TODO.md` § Future Directions tracks the symmetric
+(grimoire `lore/fuz_app/TODO.md` §Future Directions tracks the symmetric
 backend signature, backend RPC client, and local-call symmetry items) —
 wait for a second backend runtime case.
 
@@ -217,7 +218,7 @@ and `FrontendActionHandlers`.
 - `generate_action_event_datas(specs, imports, {same_file?, collections_path?, include_protocol_actions?})` — `ActionEventDatas` interface; per-spec variant by kind (`ActionEventRequestResponseData` / `ActionEventRemoteNotificationData` / `ActionEventLocalCallData`). `same_file` (default `true`) is the file-layout switch: when `true`, assumes `ActionInputs` / `ActionOutputs` are in the same module and adds no import (the zzz pattern); when `false`, adds the type imports from `collections_path` (default `'./action_collections.js'`). `collections_path` alone is a no-op — the surprising omit-vs-default behavior of earlier versions has been replaced.
 - `generate_frontend_actions_api(specs, imports, {interface_name?, method_filter?, collections_path?, sync_returns_value?, include_protocol_actions?})` — emits the typed `FrontendActionsApi` interface (configurable via `interface_name`, default `'FrontendActionsApi'`). One method signature per spec via `generate_actions_api_method_signature`. Protocol actions filtered by default; `method_filter: (spec) => boolean` runs after the protocol-action filter. Renamed from `generate_actions_api` in API review III to make the side-of-the-wire intent visible at every consumer site.
 - `generate_frontend_action_handlers(specs, imports, {collections_path?, include_protocol_actions?})` — `FrontendActionHandlers` interface (Tier 2 only — wraps `generate_phase_handlers` with `action_event_type: 'TypedActionEvent'`). Pair with `generate_typed_action_event_alias`.
-- `generate_backend_actions_api(specs, imports, {interface_name?, spec_array_name?, specs_module?, collections_path?, qualify_spec?, include_protocol_actions?})` — `BackendActionsApi` interface AND `broadcast_action_specs: ReadonlyArray<ActionSpecUnion>` array (both names configurable). Filter: `kind === 'remote_notification' && initiator !== 'frontend'`, with `streams`-target methods (request-scoped progress notifications invoked via `ctx.notify`) excluded — the discriminator is `ActionSpec.streams`, not a manual list. Adds `ActionInputs` (from `collections_path`) + `ActionSpecUnion`, plus `* as specs` from `specs_module` unless `qualify_spec` is set. Method shape today is `(input) => Promise<void>` (matches `create_broadcast_api`'s fire-and-forget runtime); generalizing to per-kind shapes via `generate_actions_api_method_signature` is deferred until a second backend runtime constructor lands (tracked in grimoire `lore/fuz_app/TODO.md` § Future Directions, _Symmetric backend signature shape_).
+- `generate_backend_actions_api(specs, imports, {interface_name?, spec_array_name?, specs_module?, collections_path?, qualify_spec?, include_protocol_actions?})` — `BackendActionsApi` interface AND `broadcast_action_specs: ReadonlyArray<ActionSpecUnion>` array (both names configurable). Filter: `kind === 'remote_notification' && initiator !== 'frontend'`, with `streams`-target methods (request-scoped progress notifications invoked via `ctx.notify`) excluded — the discriminator is `ActionSpec.streams`, not a manual list. Adds `ActionInputs` (from `collections_path`) + `ActionSpecUnion`, plus `* as specs` from `specs_module` unless `qualify_spec` is set. Method shape today is `(input) => Promise<void>` (matches `create_broadcast_api`'s fire-and-forget runtime); generalizing to per-kind shapes via `generate_actions_api_method_signature` is deferred until a second backend runtime constructor lands (tracked in grimoire `lore/fuz_app/TODO.md` §Future Directions, _Symmetric backend signature shape_).
 - `generate_backend_action_handlers_map(imports, options?)` — emits the `BackendActionHandlers` mapped type (`{[K in BackendRequestResponseMethod]: (input: ActionInputs[K], ctx: BackendHandlerContext) => ActionOutputs[K] | Promise<ActionOutputs[K]>}`). Replaces the hand-maintained `Exclude<>` + parallel mapped-type pattern (zzz had this at `zzz/src/lib/server/zzz_action_handlers.ts:42-66`). Configurable type name, method enum name, and context type name; configurable `collections_path` / `metatypes_path` for the type imports.
 
 ### Wrapper + multi-source helper
@@ -319,6 +320,7 @@ interface ActionContext {
 	pending_effects: Array<Promise<void>>; // eager pool writes already in flight — see http/CLAUDE.md §Pending Effects
 	post_commit_effects: Array<() => void | Promise<void>>; // deferred — push via `emit_after_commit`
 	client_ip: string;
+	credential_type: CredentialType | null; // session | api_token | daemon_token (or null for anonymous) — same value the credential_types gate consumed
 	log: Logger;
 	notify: (method, params) => void; // HTTP: DEV-mode warn + drop (no streaming channel); WS: socket-scoped
 	signal: AbortSignal; // HTTP: client-disconnect; WS: AbortSignal.any([socket_close, request_cancel])
@@ -458,7 +460,7 @@ Fan-out:
 
 - `send(notification)` — broadcasts to every connection (current `send(request)` returns an internal_error "not yet implemented" — backend cannot initiate request-response).
 - `broadcast_filtered(message, predicate)` — per-connection predicate over `ConnectionIdentity`; skips non-matching. Returns count.
-- `send_to_account(account_id, message)` — targeted wrapper over `broadcast_filtered`. Mirrors `close_sockets_for_account` on the send side (every connection for the account). Structurally satisfies the `NotificationSender` interface from `auth/role_grant_offer_notifications.ts` (see `../auth/CLAUDE.md` §WS notifications).
+- `send_to_account(account_id, message)` — targeted wrapper over `broadcast_filtered`. Mirrors `close_sockets_for_account` on the send side (every connection for the account). Structurally satisfies the `NotificationSender` interface from `auth/role_grant_offer_notifications.ts` (see `auth/CLAUDE.md` §WS notifications).
 - `get_connection_count()` — telemetry counter over the connection map.
 
 Return values are bookkeeping, not delivery receipts — `0` means no live
@@ -467,9 +469,18 @@ persistence + rehydration by the consumer.
 
 ## WS auth guard (`transports_ws_auth_guard.ts`)
 
-`create_ws_auth_guard(transport, log)` returns an `on_audit_event` callback
-wireable via `CreateAppBackendOptions.on_audit_event`. Mirrors the SSE
-guard in `realtime/sse_auth_guard.ts` but targets the WS transport.
+Closes WS sockets on audit revoke events — per-message dispatch doesn't
+re-check session/token validity, so this guard is the revocation seam
+for open connections. Module TSDoc carries the full rationale.
+
+`create_ws_auth_guard(transport, log)` returns an `on_audit_event` callback.
+For standard WS endpoints mounted via `AppServerOptions.ws_endpoints`,
+`create_app_server` composes this guard onto
+`backend.deps.audit.on_event_chain` automatically (per
+`WsEndpointSpec.auth_guard`). For custom wiring, append it inside the
+consumer's `audit_factory` body (or via `audit.on_event_chain.push(...)`
+post-assembly). Mirrors the SSE guard in `realtime/sse_auth_guard.ts`
+but targets the WS transport.
 
 `ws_disconnect_event_types` (ReadonlySet): `session_revoke`,
 `token_revoke`, `session_revoke_all`, `token_revoke_all`, `password_change`.
@@ -508,26 +519,123 @@ Same `outcome === 'failure'` guard as `create_ws_auth_guard`. Closes via
 `close_sockets_for_account(event.account_id)` — `logout` is always
 self-service, so there is no `target_account_id` to fall back on.
 
-## WebSocket dispatch
+## Connection closer (`connection_closer.ts`)
+
+Narrow structural capability for handler-side eager WS socket closure
+on revocation — the belt+suspenders layer that complements the audit-
+listener guards above.
 
-Two layered entry points:
+```ts
+interface ConnectionCloser {
+	close_sockets_for_session: (session_token_hash: string) => number;
+	close_sockets_for_token: (api_token_id: string) => number;
+	close_sockets_for_account: (account_id: string) => number;
+}
+```
 
-### `register_ws_endpoint` (`register_ws_endpoint.ts`) — idiomatic
+`BackendWebsocketTransport` satisfies this structurally — consumers
+pass the transport instance directly (same shape as
+`NotificationSender`). Wired into `AccountRouteOptions.connection_closer`
+(logout / password), `AccountActionOptions.connection_closer`
+(`account_session_revoke` / `_revoke_all` / `account_token_revoke`),
+and `AdminActionOptions.connection_closer`
+(`admin_session_revoke_all` / `admin_token_revoke_all`). Each handler
+calls the appropriate `close_sockets_for_*` method synchronously
+BEFORE the audit emit so revocation lands even on audit INSERT
+failure. Listener-based close
+(`create_ws_auth_guard` / `create_ws_logout_closer`) stays as a
+fail-safe for out-of-band emit sites; `close_sockets_for_*` is
+idempotent. Failure outcomes (`revoked: false`, 404 not-found) skip
+the eager close — matches the listener's `outcome === 'failure'`
+guard so attacker-guessable ids cannot be used to target arbitrary
+sockets. Mirrors `zzz_server`'s handler-side `close_sockets_for_*`
+calls (landed 2026-05-16; see
+`~/dev/grimoire/lore/fuz_app/TODO_AUTH.md` § Audit-driven WS
+revocation: handler-side belt+suspenders).
+
+## WebSocket dispatch
+
+Three layered entry points, in decreasing abstraction:
+
+### `create_app_server.ws_endpoints` (`server/app_server.ts`) — canonical
+
+The top-level mount surface — mirror of `rpc_endpoints` for WebSocket
+endpoints. Accepts either an array of `WsEndpointSpec` or a factory
+`(ctx: AppServerContext) => ReadonlyArray<WsEndpointSpec>`; the factory
+form runs after the server context is assembled so action lists can
+depend on `ctx.deps` / `ctx.action_*_rate_limiter`. Each entry is
+auto-mounted via `register_ws_endpoint` against the assembled Hono app,
+so consumers no longer call `register_ws_endpoint` themselves in their
+server-assembly module.
+
+`upgradeWebSocket` (the Hono adapter helper) is supplied once at the
+top level — `create_app_server` throws when `ws_endpoints` resolves
+non-empty but `upgradeWebSocket` is missing. A factory returning `[]`
+does NOT trip the check, so feature-flag gated WS surfaces stay safe.
+
+Per-endpoint `WsEndpointSpec` fields:
+
+- `path` — Hono mount path
+- `allowed_origins` — origin allowlist regexes (parsed via `parse_allowed_origins`)
+- `actions` — the `ReadonlyArray<Action>` to dispatch (spread `protocol_actions` first)
+- `required_roles?: ReadonlyArray<RoleName>` — any-of upgrade-time role gate; omit or `[]` to skip
+- `transport?: BackendWebsocketTransport` — supplied or auto-created; returned on `AppServer.ws_endpoints[path]` either way
+- `heartbeat?`, `artificial_delay?`, `on_socket_open?`, `on_socket_close?` — passed through to `register_ws_endpoint`
+- `auth_guard?: boolean` — default `true`; auto-composes `create_ws_auth_guard` + `create_ws_logout_closer` against the endpoint's transport and appends them to `deps.audit.on_event_chain`. The wiring is deduped by **reference identity** (`WeakSet<BackendWebsocketTransport>`), so two `WsEndpointSpec`s sharing one `BackendWebsocketTransport` instance still get a single pair of listeners. Wrapped / DI-proxied transports dedupe as separate entries — set `auth_guard: false` on duplicates and compose `create_ws_auth_guard` / `create_ws_logout_closer` against the underlying transport once
+- `extra_audit_handlers?: ReadonlyArray<AuditEventHandler>` — appended after the standard guards; consumer-owned, never deduped
+
+`auth_guard: true` does NOT close sockets on `role_grant_revoke`
+(deliberate — per-connection role tracking is out of scope). Consumers
+that need role-revoke disconnection wire it via `extra_audit_handlers`.
+
+The mounted transport is reachable at `app_server.ws_endpoints[path]` —
+a `Readonly<Record<string, BackendWebsocketTransport>>` keyed by mount
+path. Use this handle for fan-out (`send_to_account`) and broadcast.
+
+Duplicate paths across `WsEndpointSpec`s throw at mount time
+(`'create_app_server: duplicate ws_endpoints path: <path>'`), closing
+the route-shadow hole Hono's silent `app.get` overwriting would leave.
+Cross-surface collisions are also detected — registering `GET <path>`
+as both a `RouteSpec` and a `WsEndpointSpec` throws
+`'create_app_server: ws_endpoints path collides with a GET RouteSpec: <path>'`
+at mount time. Exact-string match only; pattern overlap (e.g. a
+`RouteSpec` at `GET /api/:resource` vs `WsEndpointSpec` at `/api/ws`)
+is not detected — Hono's specific-before-wildcard routing keeps those
+working, but if you need certainty avoid the overlap.
+
+`auth_guard` semantics when multiple specs share a transport: **any**
+spec with `auth_guard !== false` wires the guard for that transport
+(OR-semantics, order-independent). To opt out for a shared transport,
+every sibling spec must pass `auth_guard: false`. Documented on the
+`WsEndpointSpec.auth_guard` TSDoc.
+
+`AppSurfaceWsEndpoint.methods` surfaces `request_response` + `remote_notification`
+specs only — `local_call` specs are filtered out because they don't
+dispatch over WS (`compile_action_registry` routes only
+`request_response` with a handler into `action_map`; `local_call` is
+frontend-side registry metadata).
+
+### `register_ws_endpoint` (`register_ws_endpoint.ts`) — middle tier
 
 Composes the standard upgrade stack:
 
 1. `verify_request_source(allowed_origins)`
 2. `require_auth`
 3. upgrade-time authorization phase — resolves the acting actor and seeds `REQUEST_CONTEXT_KEY` for the inner `register_action_ws`'s upgrade-time identity capture
-4. optional `require_role([required_role])` (single-element array form)
+4. optional `require_role(required_roles)` — any-of disjunction
 5. delegates to `register_action_ws`
 
-Extends `RegisterActionWsOptions` with `allowed_origins: Array<RegExp>`
-and optional `required_role: RoleName`. Returns `{transport}`. Note:
-`required_role` is a **coarse upgrade-time gate** — per-action `auth` in
-each spec still applies at dispatch time via `perform_action`.
+Extends `RegisterActionWsOptions` with `allowed_origins: ReadonlyArray<RegExp>`
+and optional `required_roles: ReadonlyArray<RoleName>`. Returns
+`{transport}`. Note: `required_roles` is a **coarse upgrade-time gate**
+— per-action `auth` in each spec still applies at dispatch time via
+`perform_action`. Pass `[]` (or omit) to skip the role gate.
 (`verify_request_source` and `require_auth` / `require_role` are from
-`../auth/`; see `../auth/CLAUDE.md` §Middleware for their semantics.)
+`auth/`; see `auth/CLAUDE.md` §Middleware for their semantics.)
+
+Most consumers reach for the higher-level `ws_endpoints` option above —
+this is the entry test harnesses use when they need the upgrade stack
+without `create_app_server`'s full assembly.
 
 ### `register_action_ws` (`register_action_ws.ts`) — lower-level
 
@@ -584,7 +692,7 @@ Per-message side-effect queues: `pending_effects: Array<Promise<void>>`
 `flush_post_commit_effects`. Both flush in the same `try/finally` that
 releases the request controller, so fire-and-forget audit / notification
 effects pushed by the handler complete (or reject visibly) before the
-next message dispatches. See `../http/CLAUDE.md` §Pending Effects.
+next message dispatches. See `http/CLAUDE.md` §Pending Effects.
 
 Lifecycle hooks on `RegisterActionWsOptions`:
 
@@ -943,6 +1051,13 @@ HTTP transport is **not** registered. `local_call` specs in `specs`
 silently no-op because `lookup_action_handler` always returns
 `undefined`; this factory targets wire-dispatched actions.
 
+`all_standard_action_specs` is transport-agnostic — when a consumer
+spreads `create_standard_rpc_actions(ctx.deps, opts)` into both
+`rpc_endpoints` AND `ws_endpoints` on `create_app_server`, every method
+is reachable on both transports and `transport_for_method` can route
+per-call (e.g. return `'frontend_websocket_rpc'` for `account_*` /
+`admin_*` methods to bind them to the live WS connection).
+
 `transport_for_method` and `on_action_event` are pure pass-throughs to
 `create_rpc_client` — exposed so consumers needing per-method routing
 (zap-style WS-for-actions / HTTP-for-rest split) or per-dispatch event
@@ -950,9 +1065,9 @@ wiring (zzz-style reactive Cells observing `ActionEvent` lifecycle)
 don't have to drop down to manual `create_rpc_client` construction
 (which forfeits the bundled `api` / `api_result` pair).
 
-`all_standard_action_specs` (in `../auth/standard_action_specs.ts`) is
+`all_standard_action_specs` (in `auth/standard_action_specs.ts`) is
 the matching aggregate spec list mirroring `create_standard_rpc_actions`
-on the backend — see `../auth/CLAUDE.md` §`standard_rpc_actions.ts`.
+on the backend — see `auth/CLAUDE.md` §`standard_rpc_actions.ts`.
 
 ## Broadcast API (`broadcast_api.ts`)
 

package/dist/actions/action_rpc.d.ts

@@ -17,6 +17,7 @@ import type { Uuid } from '@fuzdev/fuz_util/id.js';
 import type { RequestResponseActionSpec } from './action_spec.js';
 import { type RouteSpec } from '../http/route_spec.js';
 import { type RequestActorContext, type RequestContext } from '../auth/request_context.js';
+import { type CredentialType } from '../hono_context.js';
 import type { Db } from '../db/db.js';
 import { type JsonrpcRequestId } from '../http/jsonrpc.js';
 import type { RateLimiter } from '../rate_limiter.js';
@@ -72,6 +73,15 @@ export interface ActionContext {
      * `role_grant_offer_expire` cleanup sweep in `auth/cleanup.ts`).
      */
     client_ip: string;
+    /**
+     * Credential channel the request arrived on (`'session'` | `'api_token'` |
+     * `'daemon_token'`), or `null` for anonymous requests. Same value the
+     * dispatcher's `credential_types` gate consumed at step 4 — exposed here
+     * so handlers can record it in audit metadata (defense in depth: the
+     * gate may be loosened or bypassed in a future refactor, but the audit
+     * row preserves what actually authenticated the request).
+     */
+    credential_type: CredentialType | null;
     /** Logger instance. */
     log: Logger;
     /**

package/dist/actions/action_rpc.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"action_rpc.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/actions/action_rpc.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAGH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAEtB,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AACpD,OAAO,KAAK,EAAC,IAAI,EAAC,MAAM,wBAAwB,CAAC;AAEjD,OAAO,KAAK,EAAC,yBAAyB,EAAC,MAAM,kBAAkB,CAAC;AAChE,OAAO,EAAoB,KAAK,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAExE,OAAO,EAEN,KAAK,mBAAmB,EACxB,KAAK,cAAc,EACnB,MAAM,4BAA4B,CAAC;AAEpC,OAAO,KAAK,EAAC,EAAE,EAAC,MAAM,aAAa,CAAC;AAEpC,OAAO,EAGN,KAAK,gBAAgB,EAErB,MAAM,oBAAoB,CAAC;AAM5B,OAAO,KAAK,EAAC,WAAW,EAAC,MAAM,oBAAoB,CAAC;AAGpD;;;;;;;;;;GAUG;AACH,MAAM,WAAW,aAAa;IAC7B,+DAA+D;IAC/D,IAAI,EAAE,cAAc,GAAG,IAAI,CAAC;IAC5B,iDAAiD;IACjD,UAAU,EAAE,gBAAgB,CAAC;IAC7B;;;;OAIG;IACH,aAAa,CAAC,EAAE,IAAI,CAAC;IACrB;;;;;OAKG;IACH,EAAE,EAAE,EAAE,CAAC;IACP;;;;;OAKG;IACH,eAAe,EAAE,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;IACtC;;;;;OAKG;IACH,mBAAmB,EAAE,KAAK,CAAC,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;IACvD;;;;;;;OAOG;IACH,SAAS,EAAE,MAAM,CAAC;IAClB,uBAAuB;IACvB,GAAG,EAAE,MAAM,CAAC;IACZ;;;;;;;;OAQG;IACH,MAAM,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,KAAK,IAAI,CAAC;IAClD;;;;;OAKG;IACH,MAAM,EAAE,WAAW,CAAC;CACpB;AAED;;;;;GAKG;AACH,MAAM,MAAM,aAAa,CAAC,MAAM,GAAG,GAAG,EAAE,OAAO,GAAG,GAAG,IAAI,CACxD,KAAK,EAAE,MAAM,EACb,GAAG,EAAE,aAAa,KACd,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;AAEhC;;;;;;;;;GASG;AACH,MAAM,WAAW,iBAAkB,SAAQ,IAAI,CAAC,aAAa,EAAE,MAAM,CAAC;IACrE,IAAI,EAAE,cAAc,CAAC;CACrB;AAED;;;;GAIG;AACH,MAAM,MAAM,iBAAiB,CAAC,MAAM,GAAG,GAAG,EAAE,OAAO,GAAG,GAAG,IAAI,CAC5D,KAAK,EAAE,MAAM,EACb,GAAG,EAAE,iBAAiB,KAClB,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;AAEhC;;;;;;;;GAQG;AACH,MAAM,WAAW,kBAAmB,SAAQ,IAAI,CAAC,aAAa,EAAE,MAAM,CAAC;IACtE,IAAI,EAAE,mBAAmB,CAAC;CAC1B;AAED;;;;GAIG;AACH,MAAM,MAAM,kBAAkB,CAAC,MAAM,GAAG,GAAG,EAAE,OAAO,GAAG,GAAG,IAAI,CAC7D,KAAK,EAAE,MAAM,EACb,GAAG,EAAE,kBAAkB,KACnB,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;AAEhC;;;;;GAKG;AACH,MAAM,WAAW,SAAS;IACzB,IAAI,EAAE,yBAAyB,CAAC;IAChC,OAAO,EAAE,aAAa,CAAC;CACvB;AAED;;;;;;;;;;;;GAYG;AACH,MAAM,MAAM,cAAc,CAAC,KAAK,SAAS,yBAAyB,IAAI;IACrE,KAAK,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC;CACtB,SAAS,CAAC,UAAU,CAAC,GACnB,kBAAkB,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC,GACrE,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,SAAS,CAAC,CAAC,SAAS,CAAC,UAAU,CAAC,GAC9C,iBAAiB,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC,GACpE,aAAa,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC;AAErE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6CG;AACH,eAAO,MAAM,UAAU,GAAI,KAAK,SAAS,yBAAyB,EACjE,MAAM,KAAK,EACX,SAAS,cAAc,CAAC,KAAK,CAAC,KAC5B,SAGD,CAAC;AAEH,yCAAyC;AACzC,MAAM,WAAW,wBAAwB;IACxC,sDAAsD;IACtD,IAAI,EAAE,MAAM,CAAC;IACb,4BAA4B;IAC5B,OAAO,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;IAC1B,2CAA2C;IAC3C,GAAG,EAAE,MAAM,CAAC;IACZ;;;;;;OAMG;IACH,sBAAsB,CAAC,EAAE,WAAW,GAAG,IAAI,CAAC;IAC5C;;;;;;;OAOG;IACH,2BAA2B,CAAC,EAAE,WAAW,GAAG,IAAI,CAAC;CACjD;AAkBD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAoCG;AACH,eAAO,MAAM,mBAAmB,GAAI,SAAS,wBAAwB,KAAG,KAAK,CAAC,SAAS,CAoMtF,CAAC"}
+{"version":3,"file":"action_rpc.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/actions/action_rpc.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAGH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAEtB,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AACpD,OAAO,KAAK,EAAC,IAAI,EAAC,MAAM,wBAAwB,CAAC;AAEjD,OAAO,KAAK,EAAC,yBAAyB,EAAC,MAAM,kBAAkB,CAAC;AAChE,OAAO,EAAoB,KAAK,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAExE,OAAO,EAEN,KAAK,mBAAmB,EACxB,KAAK,cAAc,EACnB,MAAM,4BAA4B,CAAC;AACpC,OAAO,EAIN,KAAK,cAAc,EACnB,MAAM,oBAAoB,CAAC;AAC5B,OAAO,KAAK,EAAC,EAAE,EAAC,MAAM,aAAa,CAAC;AAEpC,OAAO,EAGN,KAAK,gBAAgB,EAErB,MAAM,oBAAoB,CAAC;AAM5B,OAAO,KAAK,EAAC,WAAW,EAAC,MAAM,oBAAoB,CAAC;AAGpD;;;;;;;;;;GAUG;AACH,MAAM,WAAW,aAAa;IAC7B,+DAA+D;IAC/D,IAAI,EAAE,cAAc,GAAG,IAAI,CAAC;IAC5B,iDAAiD;IACjD,UAAU,EAAE,gBAAgB,CAAC;IAC7B;;;;OAIG;IACH,aAAa,CAAC,EAAE,IAAI,CAAC;IACrB;;;;;OAKG;IACH,EAAE,EAAE,EAAE,CAAC;IACP;;;;;OAKG;IACH,eAAe,EAAE,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;IACtC;;;;;OAKG;IACH,mBAAmB,EAAE,KAAK,CAAC,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;IACvD;;;;;;;OAOG;IACH,SAAS,EAAE,MAAM,CAAC;IAClB;;;;;;;OAOG;IACH,eAAe,EAAE,cAAc,GAAG,IAAI,CAAC;IACvC,uBAAuB;IACvB,GAAG,EAAE,MAAM,CAAC;IACZ;;;;;;;;OAQG;IACH,MAAM,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,KAAK,IAAI,CAAC;IAClD;;;;;OAKG;IACH,MAAM,EAAE,WAAW,CAAC;CACpB;AAED;;;;;GAKG;AACH,MAAM,MAAM,aAAa,CAAC,MAAM,GAAG,GAAG,EAAE,OAAO,GAAG,GAAG,IAAI,CACxD,KAAK,EAAE,MAAM,EACb,GAAG,EAAE,aAAa,KACd,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;AAEhC;;;;;;;;;GASG;AACH,MAAM,WAAW,iBAAkB,SAAQ,IAAI,CAAC,aAAa,EAAE,MAAM,CAAC;IACrE,IAAI,EAAE,cAAc,CAAC;CACrB;AAED;;;;GAIG;AACH,MAAM,MAAM,iBAAiB,CAAC,MAAM,GAAG,GAAG,EAAE,OAAO,GAAG,GAAG,IAAI,CAC5D,KAAK,EAAE,MAAM,EACb,GAAG,EAAE,iBAAiB,KAClB,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;AAEhC;;;;;;;;GAQG;AACH,MAAM,WAAW,kBAAmB,SAAQ,IAAI,CAAC,aAAa,EAAE,MAAM,CAAC;IACtE,IAAI,EAAE,mBAAmB,CAAC;CAC1B;AAED;;;;GAIG;AACH,MAAM,MAAM,kBAAkB,CAAC,MAAM,GAAG,GAAG,EAAE,OAAO,GAAG,GAAG,IAAI,CAC7D,KAAK,EAAE,MAAM,EACb,GAAG,EAAE,kBAAkB,KACnB,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;AAEhC;;;;;GAKG;AACH,MAAM,WAAW,SAAS;IACzB,IAAI,EAAE,yBAAyB,CAAC;IAChC,OAAO,EAAE,aAAa,CAAC;CACvB;AAED;;;;;;;;;;;;GAYG;AACH,MAAM,MAAM,cAAc,CAAC,KAAK,SAAS,yBAAyB,IAAI;IACrE,KAAK,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC;CACtB,SAAS,CAAC,UAAU,CAAC,GACnB,kBAAkB,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC,GACrE,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,SAAS,CAAC,CAAC,SAAS,CAAC,UAAU,CAAC,GAC9C,iBAAiB,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC,GACpE,aAAa,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC;AAErE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6CG;AACH,eAAO,MAAM,UAAU,GAAI,KAAK,SAAS,yBAAyB,EACjE,MAAM,KAAK,EACX,SAAS,cAAc,CAAC,KAAK,CAAC,KAC5B,SAGD,CAAC;AAEH,yCAAyC;AACzC,MAAM,WAAW,wBAAwB;IACxC,sDAAsD;IACtD,IAAI,EAAE,MAAM,CAAC;IACb,4BAA4B;IAC5B,OAAO,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;IAC1B,2CAA2C;IAC3C,GAAG,EAAE,MAAM,CAAC;IACZ;;;;;;OAMG;IACH,sBAAsB,CAAC,EAAE,WAAW,GAAG,IAAI,CAAC;IAC5C;;;;;;;OAOG;IACH,2BAA2B,CAAC,EAAE,WAAW,GAAG,IAAI,CAAC;CACjD;AAkBD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAoCG;AACH,eAAO,MAAM,mBAAmB,GAAI,SAAS,wBAAwB,KAAG,KAAK,CAAC,SAAS,CAoMtF,CAAC"}

package/dist/actions/action_rpc.js

@@ -16,7 +16,7 @@ import { DEV } from 'esm-env';
 import {} from '../http/route_spec.js';
 import { get_client_ip } from '../http/proxy.js';
 import { get_request_context, } from '../auth/request_context.js';
-import { ACCOUNT_ID_KEY, CREDENTIAL_TYPE_KEY, TEST_CONTEXT_PRESET_KEY } from '../hono_context.js';
+import { ACCOUNT_ID_KEY, CREDENTIAL_TYPE_KEY, TEST_CONTEXT_PRESET_KEY, } from '../hono_context.js';
 import { compile_action_registry } from './compile_action_registry.js';
 import { JSONRPC_VERSION, JsonrpcRequest, } from '../http/jsonrpc.js';
 import { jsonrpc_error_messages, jsonrpc_error_code_to_http_status, JSONRPC_ERROR_CODES, } from '../http/jsonrpc_errors.js';

package/dist/actions/action_spec.d.ts

@@ -42,7 +42,7 @@ export declare const ActionSpec: z.ZodObject<{
      * `null` for `remote_notification` and `local_call` — those don't
      * dispatch through the request/response auth gate.
      *
-     * See `../http/auth_shape.ts` for the design rationale (orthogonal
+     * See `http/auth_shape.ts` for the design rationale (orthogonal
      * authentication / account-resolution / actor-resolution / role-and-
      * credential authorization axes).
      */

package/dist/actions/action_spec.js

@@ -25,7 +25,7 @@ export const ActionSpec = z.strictObject({
      * `null` for `remote_notification` and `local_call` — those don't
      * dispatch through the request/response auth gate.
      *
-     * See `../http/auth_shape.ts` for the design rationale (orthogonal
+     * See `http/auth_shape.ts` for the design rationale (orthogonal
      * authentication / account-resolution / actor-resolution / role-and-
      * credential authorization axes).
      */

package/dist/actions/connection_closer.d.ts

@@ -0,0 +1,68 @@
+/**
+ * Narrow structural capability for closing live WebSocket connections
+ * tied to a session token hash, API token id, or account id.
+ *
+ * **Why this exists.** Per-message authorization phase on WebSocket
+ * (`actions/perform_action.ts`) reloads role_grants from the DB on every
+ * message but does NOT re-query session / token validity — that
+ * trade-off keeps chatty connections fast. The cost: revocation
+ * doesn't actually disconnect open sockets unless something closes
+ * them. `transports_ws_auth_guard.ts` is the listener-based seam
+ * (audit-event → close), but it only fires after the audit INSERT
+ * succeeds — if the INSERT fails (DB error, pool exhausted, handler
+ * dies mid-flight) the listener never runs and the live socket keeps
+ * working with a stale `RequestContext` until disconnect.
+ *
+ * Used by self-service revocation handlers (`account_session_revoke` /
+ * `_revoke_all`, `account_token_revoke`, `logout`, `password`) and the
+ * admin revoke-all handlers (`admin_session_revoke_all`,
+ * `admin_token_revoke_all`) to eagerly drop affected sockets BEFORE
+ * emitting the corresponding audit event. The audit listener stays as
+ * a fail-safe for out-of-band emit sites (admin tools, scheduled
+ * jobs, SSE-driven flows). `close_sockets_for_*` is idempotent so the
+ * second pass is a no-op.
+ *
+ * Mirrors `zzz_server`'s `close_sockets_for_*` calls in
+ * `account.rs::logout_inner` / `_password_inner` /
+ * `handlers/account.rs::handle_account_session_revoke[_all]` /
+ * `_token_revoke` (landed 2026-05-16); see
+ * `~/dev/grimoire/lore/fuz_app/TODO_AUTH.md` §Audit-driven WS
+ * revocation: handler-side belt+suspenders for the cross-backend
+ * parity record.
+ *
+ * `BackendWebsocketTransport` satisfies this interface structurally,
+ * so consumers pass their transport instance directly (same shape as
+ * `NotificationSender`). The interface stays local so handlers don't
+ * couple to the concrete transport, and tests can inject a capturing
+ * stub with no WS machinery.
+ *
+ * @module
+ */
+/**
+ * Narrow capability — three idempotent socket-close methods, each
+ * returning the number of sockets actually closed (zero when none
+ * matched). Callers typically ignore the return value (used by
+ * telemetry / tests).
+ */
+export interface ConnectionCloser {
+    /**
+     * Close every connection authenticated with a session whose blake3
+     * hash matches `session_token_hash`. Idempotent — calling on an
+     * already-closed session is a no-op.
+     */
+    close_sockets_for_session: (session_token_hash: string) => number;
+    /**
+     * Close every connection authenticated with the given API token id.
+     * Idempotent — calling on an already-revoked token is a no-op.
+     */
+    close_sockets_for_token: (api_token_id: string) => number;
+    /**
+     * Close every connection bound to `account_id`, regardless of
+     * credential type (session / api_token / daemon_token). Coarse
+     * closure used when every credential on an account is invalidated
+     * — password change, session-revoke-all, token-revoke-all, logout.
+     * Idempotent.
+     */
+    close_sockets_for_account: (account_id: string) => number;
+}
+//# sourceMappingURL=connection_closer.d.ts.map

package/dist/actions/connection_closer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"connection_closer.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/actions/connection_closer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAuCG;AAEH;;;;;GAKG;AACH,MAAM,WAAW,gBAAgB;IAChC;;;;OAIG;IACH,yBAAyB,EAAE,CAAC,kBAAkB,EAAE,MAAM,KAAK,MAAM,CAAC;IAClE;;;OAGG;IACH,uBAAuB,EAAE,CAAC,YAAY,EAAE,MAAM,KAAK,MAAM,CAAC;IAC1D;;;;;;OAMG;IACH,yBAAyB,EAAE,CAAC,UAAU,EAAE,MAAM,KAAK,MAAM,CAAC;CAC1D"}

package/dist/actions/connection_closer.js

@@ -0,0 +1,41 @@
+/**
+ * Narrow structural capability for closing live WebSocket connections
+ * tied to a session token hash, API token id, or account id.
+ *
+ * **Why this exists.** Per-message authorization phase on WebSocket
+ * (`actions/perform_action.ts`) reloads role_grants from the DB on every
+ * message but does NOT re-query session / token validity — that
+ * trade-off keeps chatty connections fast. The cost: revocation
+ * doesn't actually disconnect open sockets unless something closes
+ * them. `transports_ws_auth_guard.ts` is the listener-based seam
+ * (audit-event → close), but it only fires after the audit INSERT
+ * succeeds — if the INSERT fails (DB error, pool exhausted, handler
+ * dies mid-flight) the listener never runs and the live socket keeps
+ * working with a stale `RequestContext` until disconnect.
+ *
+ * Used by self-service revocation handlers (`account_session_revoke` /
+ * `_revoke_all`, `account_token_revoke`, `logout`, `password`) and the
+ * admin revoke-all handlers (`admin_session_revoke_all`,
+ * `admin_token_revoke_all`) to eagerly drop affected sockets BEFORE
+ * emitting the corresponding audit event. The audit listener stays as
+ * a fail-safe for out-of-band emit sites (admin tools, scheduled
+ * jobs, SSE-driven flows). `close_sockets_for_*` is idempotent so the
+ * second pass is a no-op.
+ *
+ * Mirrors `zzz_server`'s `close_sockets_for_*` calls in
+ * `account.rs::logout_inner` / `_password_inner` /
+ * `handlers/account.rs::handle_account_session_revoke[_all]` /
+ * `_token_revoke` (landed 2026-05-16); see
+ * `~/dev/grimoire/lore/fuz_app/TODO_AUTH.md` §Audit-driven WS
+ * revocation: handler-side belt+suspenders for the cross-backend
+ * parity record.
+ *
+ * `BackendWebsocketTransport` satisfies this interface structurally,
+ * so consumers pass their transport instance directly (same shape as
+ * `NotificationSender`). The interface stays local so handlers don't
+ * couple to the concrete transport, and tests can inject a capturing
+ * stub with no WS machinery.
+ *
+ * @module
+ */
+export {};

package/dist/actions/perform_action.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"perform_action.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/actions/perform_action.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAsCG;AAGH,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AACpD,OAAO,KAAK,EAAC,IAAI,EAAC,MAAM,wBAAwB,CAAC;AAEjD,OAAO,EAGN,KAAK,cAAc,EACnB,MAAM,4BAA4B,CAAC;AACpC,OAAO,EAAC,KAAK,cAAc,EAAC,MAAM,oBAAoB,CAAC;AACvD,OAAO,KAAK,EAAC,EAAE,EAAC,MAAM,aAAa,CAAC;AAEpC,OAAO,EAEN,KAAK,gBAAgB,EAErB,KAAK,kBAAkB,EACvB,MAAM,oBAAoB,CAAC;AAW5B,OAAO,KAAK,EAAC,WAAW,EAAC,MAAM,oBAAoB,CAAC;AAEpD,OAAO,KAAK,EAA+B,SAAS,EAAC,MAAM,iBAAiB,CAAC;AAE7E;;;GAGG;AACH,MAAM,WAAW,kBAAkB;IAClC,kEAAkE;IAClE,MAAM,EAAE,SAAS,CAAC;IAClB,mGAAmG;IACnG,UAAU,EAAE,OAAO,CAAC;IACpB,sDAAsD;IACtD,UAAU,EAAE,gBAAgB,CAAC;IAC7B,yDAAyD;IACzD,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,uEAAuE;IACvE,eAAe,EAAE,cAAc,GAAG,IAAI,CAAC;IACvC,qEAAqE;IACrE,SAAS,EAAE,MAAM,CAAC;IAClB,oGAAoG;IACpG,MAAM,EAAE,WAAW,CAAC;IACpB,sFAAsF;IACtF,MAAM,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,KAAK,IAAI,CAAC;IAClD,uDAAuD;IACvD,aAAa,CAAC,EAAE,IAAI,CAAC;IACrB;;;;OAIG;IACH,MAAM,CAAC,EAAE;QAAC,eAAe,EAAE,cAAc,GAAG,IAAI,CAAA;KAAC,CAAC;CAClD;AAED;;;;;;;;GAQG;AACH,MAAM,WAAW,iBAAiB;IACjC,gGAAgG;IAChG,EAAE,EAAE,EAAE,CAAC;IACP;;;OAGG;IACH,eAAe,EAAE,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;IACtC;;;OAGG;IACH,mBAAmB,EAAE,KAAK,CAAC,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;IACvD,gDAAgD;IAChD,GAAG,EAAE,MAAM,CAAC;IACZ,kEAAkE;IAClE,sBAAsB,EAAE,WAAW,GAAG,IAAI,CAAC;IAC3C,uEAAuE;IACvE,2BAA2B,EAAE,WAAW,GAAG,IAAI,CAAC;CAChD;AAED;;;;GAIG;AACH,MAAM,MAAM,mBAAmB,GAC5B;IAAC,IAAI,EAAE,IAAI,CAAC;IAAC,MAAM,EAAE,OAAO,CAAA;CAAC,GAC7B;IAAC,IAAI,EAAE,OAAO,CAAC;IAAC,KAAK,EAAE,kBAAkB,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAC,CAAC;AAE9D;;;;;;;;;GASG;AACH,eAAO,MAAM,cAAc,GAC1B,OAAO,kBAAkB,EACzB,MAAM,iBAAiB,KACrB,OAAO,CAAC,mBAAmB,CAuJ7B,CAAC;AA4EF;;;GAGG;AACH,eAAO,MAAM,iCAAiC,GAC7C,IAAI,gBAAgB,EACpB,QAAQ,mBAAmB,KACzB;IAAC,OAAO,EAAE,MAAM,CAAC;IAAC,EAAE,EAAE,gBAAgB,CAAA;CAAC,GAAG,CAAC;IAAC,MAAM,EAAE,OAAO,CAAA;CAAC,GAAG;IAAC,KAAK,EAAE,kBAAkB,CAAA;CAAC,CAK5F,CAAC"}
+{"version":3,"file":"perform_action.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/actions/perform_action.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAsCG;AAGH,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AACpD,OAAO,KAAK,EAAC,IAAI,EAAC,MAAM,wBAAwB,CAAC;AAEjD,OAAO,EAGN,KAAK,cAAc,EACnB,MAAM,4BAA4B,CAAC;AACpC,OAAO,EAAC,KAAK,cAAc,EAAC,MAAM,oBAAoB,CAAC;AACvD,OAAO,KAAK,EAAC,EAAE,EAAC,MAAM,aAAa,CAAC;AAEpC,OAAO,EAEN,KAAK,gBAAgB,EAErB,KAAK,kBAAkB,EACvB,MAAM,oBAAoB,CAAC;AAW5B,OAAO,KAAK,EAAC,WAAW,EAAC,MAAM,oBAAoB,CAAC;AAEpD,OAAO,KAAK,EAA+B,SAAS,EAAC,MAAM,iBAAiB,CAAC;AAE7E;;;GAGG;AACH,MAAM,WAAW,kBAAkB;IAClC,kEAAkE;IAClE,MAAM,EAAE,SAAS,CAAC;IAClB,mGAAmG;IACnG,UAAU,EAAE,OAAO,CAAC;IACpB,sDAAsD;IACtD,UAAU,EAAE,gBAAgB,CAAC;IAC7B,yDAAyD;IACzD,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,uEAAuE;IACvE,eAAe,EAAE,cAAc,GAAG,IAAI,CAAC;IACvC,qEAAqE;IACrE,SAAS,EAAE,MAAM,CAAC;IAClB,oGAAoG;IACpG,MAAM,EAAE,WAAW,CAAC;IACpB,sFAAsF;IACtF,MAAM,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,KAAK,IAAI,CAAC;IAClD,uDAAuD;IACvD,aAAa,CAAC,EAAE,IAAI,CAAC;IACrB;;;;OAIG;IACH,MAAM,CAAC,EAAE;QAAC,eAAe,EAAE,cAAc,GAAG,IAAI,CAAA;KAAC,CAAC;CAClD;AAED;;;;;;;;GAQG;AACH,MAAM,WAAW,iBAAiB;IACjC,gGAAgG;IAChG,EAAE,EAAE,EAAE,CAAC;IACP;;;OAGG;IACH,eAAe,EAAE,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;IACtC;;;OAGG;IACH,mBAAmB,EAAE,KAAK,CAAC,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;IACvD,gDAAgD;IAChD,GAAG,EAAE,MAAM,CAAC;IACZ,kEAAkE;IAClE,sBAAsB,EAAE,WAAW,GAAG,IAAI,CAAC;IAC3C,uEAAuE;IACvE,2BAA2B,EAAE,WAAW,GAAG,IAAI,CAAC;CAChD;AAED;;;;GAIG;AACH,MAAM,MAAM,mBAAmB,GAC5B;IAAC,IAAI,EAAE,IAAI,CAAC;IAAC,MAAM,EAAE,OAAO,CAAA;CAAC,GAC7B;IAAC,IAAI,EAAE,OAAO,CAAC;IAAC,KAAK,EAAE,kBAAkB,CAAC;IAAC,MAAM,EAAE,MAAM,CAAA;CAAC,CAAC;AAE9D;;;;;;;;;GASG;AACH,eAAO,MAAM,cAAc,GAC1B,OAAO,kBAAkB,EACzB,MAAM,iBAAiB,KACrB,OAAO,CAAC,mBAAmB,CAwJ7B,CAAC;AA4EF;;;GAGG;AACH,eAAO,MAAM,iCAAiC,GAC7C,IAAI,gBAAgB,EACpB,QAAQ,mBAAmB,KACzB;IAAC,OAAO,EAAE,MAAM,CAAC;IAAC,EAAE,EAAE,gBAAgB,CAAA;CAAC,GAAG,CAAC;IAAC,MAAM,EAAE,OAAO,CAAA;CAAC,GAAG;IAAC,KAAK,EAAE,kBAAkB,CAAA;CAAC,CAK5F,CAAC"}

package/dist/actions/perform_action.js

@@ -144,6 +144,7 @@ export const perform_action = async (input, deps) => {
             pending_effects,
             post_commit_effects,
             client_ip,
+            credential_type,
             log,
             notify,
             signal,

package/dist/actions/register_action_ws.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"register_action_ws.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/actions/register_action_ws.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AAEH,OAAO,KAAK,EAAC,IAAI,EAAC,MAAM,MAAM,CAAC;AAC/B,OAAO,KAAK,EAAC,gBAAgB,EAAE,SAAS,EAAC,MAAM,SAAS,CAAC;AAEzD,OAAO,EAAS,KAAK,MAAM,IAAI,UAAU,EAAC,MAAM,yBAAyB,CAAC;AAC1E,OAAO,KAAK,EAAC,IAAI,EAAC,MAAM,wBAAwB,CAAC;AAUjD,OAAO,KAAK,EAAC,WAAW,EAAC,MAAM,oBAAoB,CAAC;AAgBpD,OAAO,KAAK,EAAC,EAAE,EAAC,MAAM,aAAa,CAAC;AACpC,OAAO,EAAC,KAAK,MAAM,EAAC,MAAM,mBAAmB,CAAC;AAI9C,OAAO,EAAC,yBAAyB,EAAE,KAAK,kBAAkB,EAAC,MAAM,4BAA4B,CAAC;AAG9F,YAAY,EAAC,MAAM,EAAC,CAAC;AAErB,0EAA0E;AAC1E,eAAO,MAAM,gCAAgC,QAAS,CAAC;AAEvD;;;;;;;GAOG;AACH,MAAM,WAAW,iBAAiB;IACjC,qFAAqF;IACrF,EAAE,EAAE,SAAS,CAAC;IACd,4EAA4E;IAC5E,aAAa,EAAE,IAAI,CAAC;IACpB,oDAAoD;IACpD,QAAQ,EAAE,kBAAkB,CAAC;IAC7B;;;OAGG;IACH,MAAM,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,KAAK,IAAI,CAAC;IAClD,wFAAwF;IACxF,MAAM,EAAE,WAAW,CAAC;CACpB;AAED;;;;;;;GAOG;AACH,MAAM,WAAW,kBAAkB;IAClC,+CAA+C;IAC/C,EAAE,EAAE,SAAS,CAAC;IACd,2CAA2C;IAC3C,aAAa,EAAE,IAAI,CAAC;IACpB,kGAAkG;IAClG,QAAQ,EAAE,kBAAkB,CAAC;CAC7B;AAED,MAAM,WAAW,sBAAsB;IACtC;;;;;OAKG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,wCAAwC;AACxC,MAAM,WAAW,uBAAuB;IACvC,oCAAoC;IACpC,IAAI,EAAE,MAAM,CAAC;IACb,gCAAgC;IAChC,GAAG,EAAE,IAAI,CAAC;IACV,iEAAiE;IACjE,gBAAgB,EAAE,gBAAgB,CAAC;IACnC;;;;;;;OAOG;IACH,OAAO,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IAC/B;;;;;;;;;OASG;IACH,EAAE,EAAE,EAAE,CAAC;IACP;;;;OAIG;IACH,SAAS,CAAC,EAAE,yBAAyB,CAAC;IACtC;;;;;OAKG;IACH,SAAS,CAAC,EAAE,OAAO,GAAG,sBAAsB,CAAC;IAC7C,+EAA+E;IAC/E,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,qDAAqD;IACrD,GAAG,CAAC,EAAE,UAAU,CAAC;IACjB;;;;;OAKG;IACH,cAAc,CAAC,EAAE,CAAC,GAAG,EAAE,iBAAiB,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAClE;;;;;OAKG;IACH,eAAe,CAAC,EAAE,CAAC,GAAG,EAAE,kBAAkB,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACpE;;;;;;OAMG;IACH,sBAAsB,CAAC,EAAE,WAAW,GAAG,IAAI,CAAC;IAC5C;;;;;OAKG;IACH,2BAA2B,CAAC,EAAE,WAAW,GAAG,IAAI,CAAC;CACjD;AAED,sCAAsC;AACtC,MAAM,WAAW,sBAAsB;IACtC,yEAAyE;IACzE,SAAS,EAAE,yBAAyB,CAAC;CACrC;AAED;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,eAAO,MAAM,kBAAkB,GAAI,SAAS,uBAAuB,KAAG,sBAuUrE,CAAC"}
+{"version":3,"file":"register_action_ws.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/actions/register_action_ws.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AAEH,OAAO,KAAK,EAAC,IAAI,EAAC,MAAM,MAAM,CAAC;AAC/B,OAAO,KAAK,EAAC,gBAAgB,EAAE,SAAS,EAAC,MAAM,SAAS,CAAC;AAEzD,OAAO,EAAS,KAAK,MAAM,IAAI,UAAU,EAAC,MAAM,yBAAyB,CAAC;AAC1E,OAAO,KAAK,EAAC,IAAI,EAAC,MAAM,wBAAwB,CAAC;AAUjD,OAAO,KAAK,EAAC,WAAW,EAAC,MAAM,oBAAoB,CAAC;AAgBpD,OAAO,KAAK,EAAC,EAAE,EAAC,MAAM,aAAa,CAAC;AACpC,OAAO,EAAC,KAAK,MAAM,EAAC,MAAM,mBAAmB,CAAC;AAI9C,OAAO,EAAC,yBAAyB,EAAE,KAAK,kBAAkB,EAAC,MAAM,4BAA4B,CAAC;AAG9F,YAAY,EAAC,MAAM,EAAC,CAAC;AAErB,0EAA0E;AAC1E,eAAO,MAAM,gCAAgC,QAAS,CAAC;AAEvD;;;;;;;GAOG;AACH,MAAM,WAAW,iBAAiB;IACjC,qFAAqF;IACrF,EAAE,EAAE,SAAS,CAAC;IACd,4EAA4E;IAC5E,aAAa,EAAE,IAAI,CAAC;IACpB,oDAAoD;IACpD,QAAQ,EAAE,kBAAkB,CAAC;IAC7B;;;OAGG;IACH,MAAM,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,KAAK,IAAI,CAAC;IAClD,wFAAwF;IACxF,MAAM,EAAE,WAAW,CAAC;CACpB;AAED;;;;;;;GAOG;AACH,MAAM,WAAW,kBAAkB;IAClC,+CAA+C;IAC/C,EAAE,EAAE,SAAS,CAAC;IACd,2CAA2C;IAC3C,aAAa,EAAE,IAAI,CAAC;IACpB,kGAAkG;IAClG,QAAQ,EAAE,kBAAkB,CAAC;CAC7B;AAED,MAAM,WAAW,sBAAsB;IACtC;;;;;OAKG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,wCAAwC;AACxC,MAAM,WAAW,uBAAuB;IACvC,oCAAoC;IACpC,IAAI,EAAE,MAAM,CAAC;IACb,gCAAgC;IAChC,GAAG,EAAE,IAAI,CAAC;IACV,iEAAiE;IACjE,gBAAgB,EAAE,gBAAgB,CAAC;IACnC;;;;;;;OAOG;IACH,OAAO,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IAC/B;;;;;;;;;OASG;IACH,EAAE,EAAE,EAAE,CAAC;IACP;;;;OAIG;IACH,SAAS,CAAC,EAAE,yBAAyB,CAAC;IACtC;;;;;OAKG;IACH,SAAS,CAAC,EAAE,OAAO,GAAG,sBAAsB,CAAC;IAC7C,+EAA+E;IAC/E,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,qDAAqD;IACrD,GAAG,CAAC,EAAE,UAAU,CAAC;IACjB;;;;;OAKG;IACH,cAAc,CAAC,EAAE,CAAC,GAAG,EAAE,iBAAiB,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAClE;;;;;OAKG;IACH,eAAe,CAAC,EAAE,CAAC,GAAG,EAAE,kBAAkB,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACpE;;;;;;OAMG;IACH,sBAAsB,CAAC,EAAE,WAAW,GAAG,IAAI,CAAC;IAC5C;;;;;OAKG;IACH,2BAA2B,CAAC,EAAE,WAAW,GAAG,IAAI,CAAC;CACjD;AAED,sCAAsC;AACtC,MAAM,WAAW,sBAAsB;IACtC,yEAAyE;IACzE,SAAS,EAAE,yBAAyB,CAAC;CACrC;AAED;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,eAAO,MAAM,kBAAkB,GAAI,SAAS,uBAAuB,KAAG,sBA4VrE,CAAC"}

package/dist/actions/register_action_ws.js

@@ -90,6 +90,14 @@ export const register_action_ws = (options) => {
         // `credential_type` from this closure; the live request_context is
         // only used by the test-preset escape hatch (perform_action runs
         // the authorization phase fresh on every message in production).
+        //
+        // Per-message dispatch reloads role_grants via the authorization
+        // phase but does NOT re-query session / token validity — those
+        // are checked once at upgrade. Revocation enforcement therefore
+        // lives outside this dispatcher, in the audit-driven WS auth
+        // guard (`transports_ws_auth_guard.ts`). Without that guard wired
+        // into the audit chain, `session_revoke` / `token_revoke` are
+        // no-ops for existing WS connections.
         const upgrade_context = require_request_context(c);
         const account_id = upgrade_context.account.id;
         const client_ip = get_client_ip(c);
@@ -263,8 +271,21 @@ export const register_action_ws = (options) => {
                 // eager fire-and-forget pool writes (audit emits, etc.);
                 // `post_commit_effects` collects deferred thunks pushed
                 // via `emit_after_commit` (WS notifications). Both flush
-                // in the same try/finally so the next message sees a clean
-                // slate.
+                // in the `finally` so the next message sees a clean slate.
+                //
+                // Ordering invariant — reply-before-flush is load-bearing.
+                // Handlers that revoke their own credential
+                // (`session_revoke_all`, `token_revoke` of the calling
+                // bearer) audit-emit events whose listener chain — wired
+                // by the WS auth guard in `transports_ws_auth_guard.ts` —
+                // closes this socket when the audit row writes. The
+                // synchronous `ws.send` on the success path returns
+                // before any close can fire (the DB write that triggers
+                // the chain is async — even in production with
+                // `await_pending_effects: false`, the listener chain only
+                // runs after the row lands). Inverting the order —
+                // flushing the queues before the send — would silently
+                // strand the caller without a reply.
                 const pending_effects = [];
                 const post_commit_effects = [];
                 const notify = notify_socket(ws);

package/dist/actions/register_ws_endpoint.d.ts

@@ -12,8 +12,8 @@
  *    and build the `RequestContext` that per-message dispatch reads.
  *    Multi-actor accounts must supply `?acting` to pick a persona;
  *    single-actor accounts work without it.
- * 4. Optional `require_role(required_role)` — for endpoints gated to a
- *    specific role.
+ * 4. Optional `require_role(required_roles)` — for endpoints gated to a
+ *    non-empty any-of set of roles.
  *
  * Then delegates to `register_action_ws` for per-message JSON-RPC
  * dispatch.
@@ -29,15 +29,17 @@ export interface RegisterWsEndpointOptions extends RegisterActionWsOptions {
      * env var via `parse_allowed_origins`. Passed straight to
      * `verify_request_source`.
      */
-    allowed_origins: Array<RegExp>;
+    allowed_origins: ReadonlyArray<RegExp>;
     /**
-     * Role required to upgrade. Omit for any authenticated account
-     * (`require_auth` + actor resolution alone); set to e.g. `ROLE_ADMIN`
-     * to gate the endpoint behind a role. The per-action `auth` in each
-     * spec still applies at dispatch time — this is a coarse upgrade-time
-     * gate.
+     * Roles permitted to upgrade — any-of disjunction (matches the
+     * underlying `require_role` semantics). Omit (or pass `[]`) for any
+     * authenticated account (`require_auth` + actor resolution alone);
+     * set to e.g. `[ROLE_ADMIN]` to gate the endpoint behind a single role
+     * or `[ROLE_ADMIN, ROLE_KEEPER]` to permit either. The per-action
+     * `auth` in each spec still applies at dispatch time — this is a coarse
+     * upgrade-time gate.
      */
-    required_role?: RoleName;
+    required_roles?: ReadonlyArray<RoleName>;
 }
 /**
  * Mount a WebSocket endpoint with the standard upgrade stack (origin check

package/dist/actions/register_ws_endpoint.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"register_ws_endpoint.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/actions/register_ws_endpoint.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;GAqBG;AAYH,OAAO,KAAK,EAAC,QAAQ,EAAC,MAAM,wBAAwB,CAAC;AAGrD,OAAO,EAEN,KAAK,uBAAuB,EAC5B,KAAK,sBAAsB,EAC3B,MAAM,yBAAyB,CAAC;AAEjC,0CAA0C;AAC1C,MAAM,WAAW,yBAA0B,SAAQ,uBAAuB;IACzE;;;;OAIG;IACH,eAAe,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IAC/B;;;;;;OAMG;IACH,aAAa,CAAC,EAAE,QAAQ,CAAC;CACzB;AAgDD;;;;;;;;;;GAUG;AACH,eAAO,MAAM,oBAAoB,GAChC,SAAS,yBAAyB,KAChC,sBAmBF,CAAC"}
+{"version":3,"file":"register_ws_endpoint.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/actions/register_ws_endpoint.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;GAqBG;AAYH,OAAO,KAAK,EAAC,QAAQ,EAAC,MAAM,wBAAwB,CAAC;AAGrD,OAAO,EAEN,KAAK,uBAAuB,EAC5B,KAAK,sBAAsB,EAC3B,MAAM,yBAAyB,CAAC;AAEjC,0CAA0C;AAC1C,MAAM,WAAW,yBAA0B,SAAQ,uBAAuB;IACzE;;;;OAIG;IACH,eAAe,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IACvC;;;;;;;;OAQG;IACH,cAAc,CAAC,EAAE,aAAa,CAAC,QAAQ,CAAC,CAAC;CACzC;AAgDD;;;;;;;;;;GAUG;AACH,eAAO,MAAM,oBAAoB,GAChC,SAAS,yBAAyB,KAChC,sBAmBF,CAAC"}

package/dist/actions/register_ws_endpoint.js

@@ -12,8 +12,8 @@
  *    and build the `RequestContext` that per-message dispatch reads.
  *    Multi-actor accounts must supply `?acting` to pick a persona;
  *    single-actor accounts work without it.
- * 4. Optional `require_role(required_role)` — for endpoints gated to a
- *    specific role.
+ * 4. Optional `require_role(required_roles)` — for endpoints gated to a
+ *    non-empty any-of set of roles.
  *
  * Then delegates to `register_action_ws` for per-message JSON-RPC
  * dispatch.
@@ -77,12 +77,12 @@ const create_ws_authorization_middleware = (db) => {
  *   then registers the `GET path` route via the inner `register_action_ws`
  */
 export const register_ws_endpoint = (options) => {
-    const { app, path, allowed_origins, db, required_role, log = new Logger('[ws]'), ...rest } = options;
+    const { app, path, allowed_origins, db, required_roles, log = new Logger('[ws]'), ...rest } = options;
     app.use(path, verify_request_source(allowed_origins));
     app.use(path, require_auth);
     app.use(path, create_ws_authorization_middleware(db));
-    if (required_role !== undefined) {
-        app.use(path, require_role([required_role]));
+    if (required_roles?.length) {
+        app.use(path, require_role(required_roles));
     }
     return register_action_ws({ app, path, db, log, ...rest });
 };