@fuzdev/fuz_app 0.62.0 → 0.64.0

package/dist/auth/admin_actions.d.ts

@@ -28,6 +28,7 @@
  * @module
  */
 import { type RpcAction } from '../actions/action_rpc.js';
+import type { ConnectionCloser } from '../actions/connection_closer.js';
 import { type RoleSchemaResult } from './role_schema.js';
 import { type AppSettings } from './app_settings_schema.js';
 import type { RouteFactoryDeps } from './deps.js';
@@ -49,6 +50,16 @@ export interface AdminActionOptions {
      * handler and RPC dispatch returns `method_not_found`.
      */
     app_settings?: AppSettings;
+    /**
+     * Live-connection closer — when set, `admin_session_revoke_all` and
+     * `admin_token_revoke_all` handlers eagerly close affected WebSocket
+     * sockets for the target account BEFORE emitting the corresponding
+     * audit event. Mirrors the self-service surface (see
+     * `AccountActionOptions.connection_closer`). `BackendWebsocketTransport`
+     * satisfies this interface structurally. When absent, only the
+     * listener-based close (`transports_ws_auth_guard`) runs.
+     */
+    connection_closer?: ConnectionCloser | null;
 }
 /**
  * Create the admin-only RPC actions.

package/dist/auth/admin_actions.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"admin_actions.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/admin_actions.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4BG;AAEH,OAAO,EAAsC,KAAK,SAAS,EAAC,MAAM,0BAA0B,CAAC;AAE7F,OAAO,EAGN,KAAK,gBAAgB,EACrB,MAAM,kBAAkB,CAAC;AAuB1B,OAAO,EAAC,KAAK,WAAW,EAAC,MAAM,0BAA0B,CAAC;AAK1D,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,WAAW,CAAC;AA6ChD,0CAA0C;AAC1C,MAAM,WAAW,kBAAkB;IAClC;;;;;OAKG;IACH,KAAK,CAAC,EAAE,gBAAgB,CAAC;IACzB;;;;;;;OAOG;IACH,YAAY,CAAC,EAAE,WAAW,CAAC;CAC3B;AAED;;;;;;;;;;GAUG;AACH,eAAO,MAAM,oBAAoB,GAChC,MAAM,IAAI,CAAC,gBAAgB,EAAE,KAAK,GAAG,OAAO,CAAC,EAC7C,UAAS,kBAAuB,KAC9B,KAAK,CAAC,SAAS,CA0PjB,CAAC"}
+{"version":3,"file":"admin_actions.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/admin_actions.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4BG;AAEH,OAAO,EAAsC,KAAK,SAAS,EAAC,MAAM,0BAA0B,CAAC;AAC7F,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,iCAAiC,CAAC;AAEtE,OAAO,EAGN,KAAK,gBAAgB,EACrB,MAAM,kBAAkB,CAAC;AAuB1B,OAAO,EAAC,KAAK,WAAW,EAAC,MAAM,0BAA0B,CAAC;AAK1D,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,WAAW,CAAC;AA6ChD,0CAA0C;AAC1C,MAAM,WAAW,kBAAkB;IAClC;;;;;OAKG;IACH,KAAK,CAAC,EAAE,gBAAgB,CAAC;IACzB;;;;;;;OAOG;IACH,YAAY,CAAC,EAAE,WAAW,CAAC;IAC3B;;;;;;;;OAQG;IACH,iBAAiB,CAAC,EAAE,gBAAgB,GAAG,IAAI,CAAC;CAC5C;AAED;;;;;;;;;;GAUG;AACH,eAAO,MAAM,oBAAoB,GAChC,MAAM,IAAI,CAAC,gBAAgB,EAAE,KAAK,GAAG,OAAO,CAAC,EAC7C,UAAS,kBAAuB,KAC9B,KAAK,CAAC,SAAS,CAmRjB,CAAC"}

package/dist/auth/admin_actions.js

@@ -56,6 +56,7 @@ import { admin_account_list_action_spec, admin_session_list_action_spec, admin_s
 export const create_admin_actions = (deps, options = {}) => {
     const role_specs = options.roles?.role_specs ?? builtin_role_specs_by_name;
     const grantable_roles = list_roles_with_grant_path(role_specs, GRANT_PATH_ADMIN);
+    const connection_closer = options.connection_closer ?? null;
     const account_list_handler = async (input, ctx) => {
         const accounts = await query_admin_account_list(ctx, {
             limit: input.limit,
@@ -88,6 +89,23 @@ export const create_admin_actions = (deps, options = {}) => {
             throw jsonrpc_errors.not_found('account', { reason: ERROR_ACCOUNT_NOT_FOUND });
         }
         const count = await query_session_revoke_all_for_account(ctx, input.account_id);
+        // Handler-side belt+suspenders — close the target account's live WS
+        // sockets BEFORE the audit emit so revocation lands even if the audit
+        // INSERT fails. Listener-based close (`transports_ws_auth_guard` on
+        // `audit.on_event_chain`) stays as a fail-safe for out-of-band emit
+        // sites. Idempotent — see `account_actions.ts::session_revoke_handler`.
+        if (connection_closer) {
+            connection_closer.close_sockets_for_account(input.account_id);
+        }
+        // TOCTOU window — admin B hard-deletes `input.account_id` between the
+        // pre-check above and this emit; the FK rejects the row, the audit
+        // emitter logs + swallows, and the operation goes unaudited. Bounded
+        // by the audit emitter's failure logging (operator-visible) and by
+        // the rarity of concurrent admin hard-deletes. Not switching to the
+        // failure-shape (`target_account_id: null + metadata.attempted_account_id`)
+        // because the FK linkage powers the username-join in
+        // `audit_log_list_with_usernames`; losing it on every success row
+        // to harden a corner case isn't worth the query-shape change.
         deps.audit.emit(ctx, {
             event_type: 'session_revoke_all',
             account_id: auth.account.id,
@@ -117,6 +135,13 @@ export const create_admin_actions = (deps, options = {}) => {
             throw jsonrpc_errors.not_found('account', { reason: ERROR_ACCOUNT_NOT_FOUND });
         }
         const count = await query_revoke_all_api_tokens_for_account(ctx, input.account_id);
+        // Handler-side belt+suspenders — see `session_revoke_all_handler`.
+        if (connection_closer) {
+            connection_closer.close_sockets_for_account(input.account_id);
+        }
+        // TOCTOU window — see `session_revoke_all_handler` for the rationale on
+        // keeping `target_account_id` populated rather than switching to the
+        // failure-shape.
         deps.audit.emit(ctx, {
             event_type: 'token_revoke_all',
             account_id: auth.account.id,

package/dist/auth/all_action_spec_registries.d.ts

@@ -22,14 +22,14 @@
  * - Codegen that needs to see every fuz_auth surface at once
  *   (typed-client filters, attack-surface reports). For typed-client
  *   wiring of the standard surface, prefer `all_standard_action_specs`
- *   in `./standard_action_specs.ts` — it mirrors the
+ *   in `auth/standard_action_specs.ts` — it mirrors the
  *   `create_standard_rpc_actions` mount and stays narrower than this
  *   registry-of-registries (no opt-in bundles).
  *
  * `protocol_action_specs` (heartbeat / cancel) is **not** included —
  * those are transport-level wire-protocol concerns shipped by fuz_app
  * and spread by every consumer at registration via `protocol_actions`
- * from `../actions/protocol.ts`. Walker tests that need protocol
+ * from `actions/protocol.ts`. Walker tests that need protocol
  * coverage spread `protocol_action_specs` separately.
  *
  * @module

package/dist/auth/all_action_spec_registries.js

@@ -22,14 +22,14 @@
  * - Codegen that needs to see every fuz_auth surface at once
  *   (typed-client filters, attack-surface reports). For typed-client
  *   wiring of the standard surface, prefer `all_standard_action_specs`
- *   in `./standard_action_specs.ts` — it mirrors the
+ *   in `auth/standard_action_specs.ts` — it mirrors the
  *   `create_standard_rpc_actions` mount and stays narrower than this
  *   registry-of-registries (no opt-in bundles).
  *
  * `protocol_action_specs` (heartbeat / cancel) is **not** included —
  * those are transport-level wire-protocol concerns shipped by fuz_app
  * and spread by every consumer at registration via `protocol_actions`
- * from `../actions/protocol.ts`. Walker tests that need protocol
+ * from `actions/protocol.ts`. Walker tests that need protocol
  * coverage spread `protocol_action_specs` separately.
  *
  * @module

package/dist/auth/audit_emitter.d.ts

@@ -2,11 +2,14 @@
  * Bound audit-emit capability.
  *
  * `AuditEmitter` closes over the pool-level `Db`, the `on_audit_event`
- * subscriber chain, and the optional `AuditLogConfig` at backend-assembly
- * time. Consumers reach for `deps.audit.emit(ctx, input)` and never see the
- * pool — handlers cannot accidentally emit an audit event against the
- * request's transactional `db` (which would be rolled back with the parent
- * on a handler throw).
+ * subscriber chain, and the optional `AuditLogConfig`. Built by the
+ * consumer's `audit_factory` callback on `CreateAppBackendOptions` —
+ * `create_app_backend` invokes the factory once with its constructed
+ * `{db, log}` and lands the result on `AppDeps.audit`. Consumers reach
+ * for `deps.audit.emit(ctx, input)` and never see the pool — handlers
+ * cannot accidentally emit an audit event against the request's
+ * transactional `db` (which would be rolled back with the parent on a
+ * handler throw).
  *
  * Four methods cover every fan-out shape the auth domain needs:
  *
@@ -26,9 +29,13 @@
  *   the query layer). Runs every listener on the chain; per-listener throws
  *   are isolated.
  *
- * The chain is mutable so server assembly can append additional listeners
- * (e.g. the audit-log SSE registry composed by `create_app_server`) after
- * the backend is built but before the first request runs.
+ * The chain is a documented mutable seam — `create_app_server` appends
+ * additional listeners after the backend is built (the factory-managed
+ * audit-log SSE, per-endpoint WS auth guards and logout closers, any
+ * `extra_audit_handlers` on a `WsEndpointSpec`) before the first request
+ * runs. Consumers can also append listeners directly on the emitter
+ * they return from `audit_factory` for setups that don't pass through
+ * `create_app_server`.
  *
  * @module
  */
@@ -126,12 +133,36 @@ export interface AuditEmitter {
      */
     notify(event: AuditLogEvent): void;
     /**
-     * Mutable subscriber chain. Append at server assembly to compose the
-     * factory-managed audit-log SSE on top of the consumer's
-     * `on_audit_event` callback without shallow-copying `AppDeps`.
+     * Mutable subscriber chain. `create_app_server` appends the
+     * factory-managed audit-log SSE listener and per-endpoint WS auth
+     * guards / logout closers here so SSE + WS fan-out compose on top of
+     * the consumer's `on_audit_event` callback without shallow-copying
+     * `AppDeps`. Consumers can also append listeners directly for setups
+     * that don't run through `create_app_server`.
      */
     readonly on_event_chain: Array<(event: AuditLogEvent) => void>;
 }
+/**
+ * Signature of `AuditEmitter.emit` — captured by the inner closure so
+ * `emit_role_grant_target` reaches the decorated function rather than
+ * a `this.emit` lookup. Exposed as a type so `EmitDecorator` can name
+ * the inner / outer slot.
+ */
+export type AuditEmitFn = <T extends string>(ctx: AuditEmitterContext, input: AuditLogInput<T>) => void;
+/**
+ * Wrap the bound `emit` before it gets captured by `emit_role_grant_target`'s
+ * closure and exposed on the returned `AuditEmitter`. Test instrumentation
+ * uses this to record `emit` invocation ordering against external markers
+ * (e.g. eager `ConnectionCloser` calls in `connection_closer.db.test.ts`)
+ * without paying the freeze-breaking footgun the pre-decorator
+ * `patch_audit_emit_capture` hot-patcher had.
+ *
+ * Because the inner closure captures the decorated function (not the
+ * outer slot reference), `emit_role_grant_target` also routes through
+ * the wrap — the close-vs-emit ordering helper sees role-grant-shape
+ * emissions, not just bare `emit` calls. Production never sets this.
+ */
+export type EmitDecorator = (inner: AuditEmitFn) => AuditEmitFn;
 /** Options for `create_audit_emitter`. */
 export interface CreateAuditEmitterOptions {
     /** Pool-level `Db`. Captured by every emit call. */
@@ -149,9 +180,22 @@ export interface CreateAuditEmitterOptions {
      * registered here once at backend assembly.
      */
     audit_log_config?: AuditLogConfig;
+    /**
+     * Test-only hook to wrap `emit` at construction time. The decorated
+     * function is captured by `emit_role_grant_target`'s closure and is
+     * the function exposed on the returned `AuditEmitter`, so both call
+     * shapes route through it — see `EmitDecorator` for the rationale.
+     *
+     * Leave unset in production. The intended caller is
+     * `create_emit_ordering_audit_factory` in `testing/audit_drift_guard.ts`.
+     */
+    emit_decorator?: EmitDecorator;
 }
 /**
- * Build a bound `AuditEmitter`. Called once at `create_app_backend` time.
+ * Build a bound `AuditEmitter`. Typical caller is the consumer's
+ * `audit_factory` callback on `CreateAppBackendOptions` —
+ * `create_app_backend` invokes that callback with its constructed
+ * `{db, log}` and lands the result on `AppDeps.audit`.
  *
  * @param options - pool, logger, optional initial subscriber, optional config
  * @returns the bound emitter; closes over the pool + config + listener chain

package/dist/auth/audit_emitter.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"audit_emitter.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/audit_emitter.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAiCG;AAEH,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AACpD,OAAO,KAAK,EAAC,IAAI,EAAC,MAAM,wBAAwB,CAAC;AAEjD,OAAO,KAAK,EAAC,EAAE,EAAC,MAAM,aAAa,CAAC;AACpC,OAAO,KAAK,EAAC,mBAAmB,EAAC,MAAM,sBAAsB,CAAC;AAE9D,OAAO,EAEN,KAAK,cAAc,EACnB,KAAK,aAAa,EAClB,KAAK,aAAa,EAClB,MAAM,uBAAuB,CAAC;AAE/B;;;;;;;;;;;;;;;GAeG;AACH,MAAM,WAAW,mBAAmB;IACnC,eAAe,EAAE,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;CACtC;AAED;;;;GAIG;AACH,MAAM,WAAW,yBAA0B,SAAQ,mBAAmB;IACrE,0FAA0F;IAC1F,SAAS,EAAE,MAAM,CAAC;CAClB;AAED;;;;GAIG;AACH,MAAM,WAAW,YAAY;IAC5B;;;;;;;;;;;;;;;;OAgBG;IACH,IAAI,CAAC,CAAC,SAAS,MAAM,EAAE,GAAG,EAAE,mBAAmB,EAAE,KAAK,EAAE,aAAa,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC;IAChF;;;;;;;OAOG;IACH,sBAAsB,CAAC,CAAC,SAAS,MAAM,EACtC,GAAG,EAAE,yBAAyB,EAC9B,IAAI,EAAE,mBAAmB,EACzB,KAAK,EAAE;QACN,UAAU,EAAE,CAAC,CAAC;QACd,iBAAiB,EAAE,IAAI,GAAG,IAAI,CAAC;QAC/B,eAAe,EAAE,IAAI,GAAG,IAAI,CAAC;QAC7B,QAAQ,EAAE,aAAa,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC;QACvC,OAAO,CAAC,EAAE,SAAS,GAAG,SAAS,CAAC;KAChC,GACC,IAAI,CAAC;IACR;;;;;;;;;;OAUG;IACH,SAAS,CAAC,CAAC,SAAS,MAAM,EAAE,KAAK,EAAE,aAAa,CAAC,CAAC,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACpE;;;;;;;OAOG;IACH,MAAM,CAAC,KAAK,EAAE,aAAa,GAAG,IAAI,CAAC;IACnC;;;;OAIG;IACH,QAAQ,CAAC,cAAc,EAAE,KAAK,CAAC,CAAC,KAAK,EAAE,aAAa,KAAK,IAAI,CAAC,CAAC;CAC/D;AAED,0CAA0C;AAC1C,MAAM,WAAW,yBAAyB;IACzC,oDAAoD;IACpD,EAAE,EAAE,EAAE,CAAC;IACP,qDAAqD;IACrD,GAAG,EAAE,MAAM,CAAC;IACZ;;;OAGG;IACH,cAAc,CAAC,EAAE,CAAC,CAAC,KAAK,EAAE,aAAa,KAAK,IAAI,CAAC,GAAG,IAAI,CAAC;IACzD;;;;OAIG;IACH,gBAAgB,CAAC,EAAE,cAAc,CAAC;CAClC;AAED;;;;;GAKG;AACH,eAAO,MAAM,oBAAoB,GAAI,SAAS,yBAAyB,KAAG,YAoDzE,CAAC"}
+{"version":3,"file":"audit_emitter.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/audit_emitter.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAwCG;AAEH,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AACpD,OAAO,KAAK,EAAC,IAAI,EAAC,MAAM,wBAAwB,CAAC;AAEjD,OAAO,KAAK,EAAC,EAAE,EAAC,MAAM,aAAa,CAAC;AACpC,OAAO,KAAK,EAAC,mBAAmB,EAAC,MAAM,sBAAsB,CAAC;AAE9D,OAAO,EAEN,KAAK,cAAc,EACnB,KAAK,aAAa,EAClB,KAAK,aAAa,EAClB,MAAM,uBAAuB,CAAC;AAE/B;;;;;;;;;;;;;;;GAeG;AACH,MAAM,WAAW,mBAAmB;IACnC,eAAe,EAAE,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC;CACtC;AAED;;;;GAIG;AACH,MAAM,WAAW,yBAA0B,SAAQ,mBAAmB;IACrE,0FAA0F;IAC1F,SAAS,EAAE,MAAM,CAAC;CAClB;AAED;;;;GAIG;AACH,MAAM,WAAW,YAAY;IAC5B;;;;;;;;;;;;;;;;OAgBG;IACH,IAAI,CAAC,CAAC,SAAS,MAAM,EAAE,GAAG,EAAE,mBAAmB,EAAE,KAAK,EAAE,aAAa,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC;IAChF;;;;;;;OAOG;IACH,sBAAsB,CAAC,CAAC,SAAS,MAAM,EACtC,GAAG,EAAE,yBAAyB,EAC9B,IAAI,EAAE,mBAAmB,EACzB,KAAK,EAAE;QACN,UAAU,EAAE,CAAC,CAAC;QACd,iBAAiB,EAAE,IAAI,GAAG,IAAI,CAAC;QAC/B,eAAe,EAAE,IAAI,GAAG,IAAI,CAAC;QAC7B,QAAQ,EAAE,aAAa,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC;QACvC,OAAO,CAAC,EAAE,SAAS,GAAG,SAAS,CAAC;KAChC,GACC,IAAI,CAAC;IACR;;;;;;;;;;OAUG;IACH,SAAS,CAAC,CAAC,SAAS,MAAM,EAAE,KAAK,EAAE,aAAa,CAAC,CAAC,CAAC,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACpE;;;;;;;OAOG;IACH,MAAM,CAAC,KAAK,EAAE,aAAa,GAAG,IAAI,CAAC;IACnC;;;;;;;OAOG;IACH,QAAQ,CAAC,cAAc,EAAE,KAAK,CAAC,CAAC,KAAK,EAAE,aAAa,KAAK,IAAI,CAAC,CAAC;CAC/D;AAED;;;;;GAKG;AACH,MAAM,MAAM,WAAW,GAAG,CAAC,CAAC,SAAS,MAAM,EAC1C,GAAG,EAAE,mBAAmB,EACxB,KAAK,EAAE,aAAa,CAAC,CAAC,CAAC,KACnB,IAAI,CAAC;AAEV;;;;;;;;;;;;GAYG;AACH,MAAM,MAAM,aAAa,GAAG,CAAC,KAAK,EAAE,WAAW,KAAK,WAAW,CAAC;AAEhE,0CAA0C;AAC1C,MAAM,WAAW,yBAAyB;IACzC,oDAAoD;IACpD,EAAE,EAAE,EAAE,CAAC;IACP,qDAAqD;IACrD,GAAG,EAAE,MAAM,CAAC;IACZ;;;OAGG;IACH,cAAc,CAAC,EAAE,CAAC,CAAC,KAAK,EAAE,aAAa,KAAK,IAAI,CAAC,GAAG,IAAI,CAAC;IACzD;;;;OAIG;IACH,gBAAgB,CAAC,EAAE,cAAc,CAAC;IAClC;;;;;;;;OAQG;IACH,cAAc,CAAC,EAAE,aAAa,CAAC;CAC/B;AAED;;;;;;;;GAQG;AACH,eAAO,MAAM,oBAAoB,GAAI,SAAS,yBAAyB,KAAG,YAoEzE,CAAC"}

package/dist/auth/audit_emitter.js

@@ -2,11 +2,14 @@
  * Bound audit-emit capability.
  *
  * `AuditEmitter` closes over the pool-level `Db`, the `on_audit_event`
- * subscriber chain, and the optional `AuditLogConfig` at backend-assembly
- * time. Consumers reach for `deps.audit.emit(ctx, input)` and never see the
- * pool — handlers cannot accidentally emit an audit event against the
- * request's transactional `db` (which would be rolled back with the parent
- * on a handler throw).
+ * subscriber chain, and the optional `AuditLogConfig`. Built by the
+ * consumer's `audit_factory` callback on `CreateAppBackendOptions` —
+ * `create_app_backend` invokes the factory once with its constructed
+ * `{db, log}` and lands the result on `AppDeps.audit`. Consumers reach
+ * for `deps.audit.emit(ctx, input)` and never see the pool — handlers
+ * cannot accidentally emit an audit event against the request's
+ * transactional `db` (which would be rolled back with the parent on a
+ * handler throw).
  *
  * Four methods cover every fan-out shape the auth domain needs:
  *
@@ -26,22 +29,29 @@
  *   the query layer). Runs every listener on the chain; per-listener throws
  *   are isolated.
  *
- * The chain is mutable so server assembly can append additional listeners
- * (e.g. the audit-log SSE registry composed by `create_app_server`) after
- * the backend is built but before the first request runs.
+ * The chain is a documented mutable seam — `create_app_server` appends
+ * additional listeners after the backend is built (the factory-managed
+ * audit-log SSE, per-endpoint WS auth guards and logout closers, any
+ * `extra_audit_handlers` on a `WsEndpointSpec`) before the first request
+ * runs. Consumers can also append listeners directly on the emitter
+ * they return from `audit_factory` for setups that don't pass through
+ * `create_app_server`.
  *
  * @module
  */
 import { query_audit_log } from './audit_log_queries.js';
 import { builtin_audit_log_config, } from './audit_log_schema.js';
 /**
- * Build a bound `AuditEmitter`. Called once at `create_app_backend` time.
+ * Build a bound `AuditEmitter`. Typical caller is the consumer's
+ * `audit_factory` callback on `CreateAppBackendOptions` —
+ * `create_app_backend` invokes that callback with its constructed
+ * `{db, log}` and lands the result on `AppDeps.audit`.
  *
  * @param options - pool, logger, optional initial subscriber, optional config
  * @returns the bound emitter; closes over the pool + config + listener chain
  */
 export const create_audit_emitter = (options) => {
-    const { db, log, audit_log_config = builtin_audit_log_config } = options;
+    const { db, log, audit_log_config = builtin_audit_log_config, emit_decorator } = options;
     const on_event_chain = [];
     if (options.on_audit_event)
         on_event_chain.push(options.on_audit_event);
@@ -64,9 +74,14 @@ export const create_audit_emitter = (options) => {
             log.error('Audit log write failed:', err);
         }
     };
-    const emit = (ctx, input) => {
+    const base_emit = (ctx, input) => {
         ctx.pending_effects.push(emit_pool(input));
     };
+    // The decorated `emit` is what `emit_role_grant_target` captures below
+    // and what gets exposed on the returned object — both call shapes
+    // route through any `emit_decorator` the caller supplied. Production
+    // passes no decorator, so this collapses to `base_emit`.
+    const emit = emit_decorator ? emit_decorator(base_emit) : base_emit;
     const emit_role_grant_target = (ctx, auth, input) => {
         emit(ctx, {
             event_type: input.event_type,
@@ -79,5 +94,16 @@ export const create_audit_emitter = (options) => {
             metadata: input.metadata,
         });
     };
-    return { emit, emit_role_grant_target, emit_pool, notify, on_event_chain };
+    // Freeze the slot layout so consumers cannot hot-patch `emit` /
+    // `emit_role_grant_target` / `emit_pool` / `notify` after construction.
+    // The previous test helper `patch_audit_emit_capture` did exactly this
+    // and only happened to work because the four slots were writable —
+    // `emit_role_grant_target` calls the closed-over inner `emit`, not
+    // `this.emit`, so the patch silently bypassed role-grant-shape emits.
+    // Tests that need instrumentation pass `emit_decorator` so the wrap
+    // is captured by the closure before the freeze (see
+    // `create_emit_ordering_audit_factory`). `on_event_chain` is a
+    // frozen reference but its array contents stay mutable —
+    // `create_app_server` appends to it post-assembly, by design.
+    return Object.freeze({ emit, emit_role_grant_target, emit_pool, notify, on_event_chain });
 };

package/dist/auth/audit_log_routes.d.ts

@@ -7,7 +7,7 @@
  * `GET /audit/stream` SSE route — streams aren't an action-kind, so they
  * stay on REST. The event payload broadcast on the stream surfaces via
  * `audit_log_event_specs` (one `EventSpec` per audit event type) declared
- * alongside the broadcaster in `../realtime/sse_auth_guard.ts`.
+ * alongside the broadcaster in `realtime/sse_auth_guard.ts`.
  *
  * @module
  */

package/dist/auth/audit_log_routes.js

@@ -7,7 +7,7 @@
  * `GET /audit/stream` SSE route — streams aren't an action-kind, so they
  * stay on REST. The event payload broadcast on the stream surfaces via
  * `audit_log_event_specs` (one `EventSpec` per audit event type) declared
- * alongside the broadcaster in `../realtime/sse_auth_guard.ts`.
+ * alongside the broadcaster in `realtime/sse_auth_guard.ts`.
  *
  * @module
  */

package/dist/auth/audit_log_schema.d.ts

@@ -85,21 +85,46 @@ export declare const audit_metadata_schemas: Readonly<{
         reason: z.ZodOptional<z.ZodEnum<{
             concurrent_change: "concurrent_change";
         }>>;
+        credential_type: z.ZodOptional<z.ZodEnum<{
+            daemon_token: "daemon_token";
+            session: "session";
+            api_token: "api_token";
+        }>>;
     }, z.core.$loose>>;
     session_revoke: z.ZodObject<{
         session_id: z.ZodString;
+        credential_type: z.ZodOptional<z.ZodEnum<{
+            daemon_token: "daemon_token";
+            session: "session";
+            api_token: "api_token";
+        }>>;
     }, z.core.$loose>;
     session_revoke_all: z.ZodObject<{
         count: z.ZodOptional<z.ZodNumber>;
         reason: z.ZodOptional<z.ZodString>;
         attempted_account_id: z.ZodOptional<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+        credential_type: z.ZodOptional<z.ZodEnum<{
+            daemon_token: "daemon_token";
+            session: "session";
+            api_token: "api_token";
+        }>>;
     }, z.core.$loose>;
     token_create: z.ZodObject<{
         token_id: z.ZodString;
         name: z.ZodString;
+        credential_type: z.ZodOptional<z.ZodEnum<{
+            daemon_token: "daemon_token";
+            session: "session";
+            api_token: "api_token";
+        }>>;
     }, z.core.$loose>;
     token_revoke: z.ZodObject<{
         token_id: z.ZodString;
+        credential_type: z.ZodOptional<z.ZodEnum<{
+            daemon_token: "daemon_token";
+            session: "session";
+            api_token: "api_token";
+        }>>;
     }, z.core.$loose>;
     token_revoke_all: z.ZodObject<{
         count: z.ZodOptional<z.ZodNumber>;
@@ -311,9 +336,11 @@ export interface CreateAuditLogConfigOptions {
  * Throws when an `extra_events` key collides with a builtin event type, or
  * fails `AuditEventTypeName` format validation.
  *
- * Call once at startup; pass the result to `create_app_backend` (which
- * threads it into `AppDeps.audit`). Builtin handlers omit the
- * `audit_log_config` slot and pick up `builtin_audit_log_config`.
+ * Call once at startup; pass the result into the consumer's `audit_factory`
+ * body — typically `({db, log}) => create_audit_emitter({db, log,
+ * audit_log_config, ...})` — so it gets captured inside the bound
+ * `AppDeps.audit` emitter. Builtin handlers omit the `audit_log_config`
+ * slot and pick up `builtin_audit_log_config`.
  *
  * @throws Error when an `extra_events` key collides with a builtin event type or fails `AuditEventTypeName` format validation
  */

package/dist/auth/audit_log_schema.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"audit_log_schema.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/audit_log_schema.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AACtB,OAAO,EAAC,IAAI,EAAC,MAAM,wBAAwB,CAAC;AAO5C;;;;;GAKG;AACH,eAAO,MAAM,iBAAiB,8aAsBnB,CAAC;AAEZ,wCAAwC;AACxC,eAAO,MAAM,cAAc;;;;;;;;;;;;;;;;;;;;;;EAA4B,CAAC;AACxD,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,cAAc,CAAC,CAAC;AAE5D;;;;GAIG;AACH,eAAO,MAAM,2BAA2B,QAA+B,CAAC;AAExE,0DAA0D;AAC1D,eAAO,MAAM,kBAAkB,aAE7B,CAAC;AACH,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAEpE,2CAA2C;AAC3C,eAAO,MAAM,YAAY;;;EAAiC,CAAC;AAC3D,MAAM,MAAM,YAAY,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,YAAY,CAAC,CAAC;AAExD;;;;;;GAMG;AACH,eAAO,MAAM,sBAAsB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EA6MW,CAAC;AAE/C,+EAA+E;AAC/E,MAAM,MAAM,gBAAgB,GAAG;KAC7B,CAAC,IAAI,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,OAAO,sBAAsB,CAAC,CAAC,CAAC,CAAC,CAAC;CAClE,CAAC;AAEF,oGAAoG;AACpG,MAAM,WAAW,aAAa;IAC7B,EAAE,EAAE,IAAI,CAAC;IACT,GAAG,EAAE,MAAM,CAAC;IACZ,UAAU,EAAE,kBAAkB,CAAC;IAC/B,OAAO,EAAE,YAAY,CAAC;IACtB;;;;;;;;;;;;;OAaG;IACH,QAAQ,EAAE,IAAI,GAAG,IAAI,CAAC;IACtB,UAAU,EAAE,IAAI,GAAG,IAAI,CAAC;IACxB,iBAAiB,EAAE,IAAI,GAAG,IAAI,CAAC;IAC/B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OAkCG;IACH,eAAe,EAAE,IAAI,GAAG,IAAI,CAAC;IAC7B,EAAE,EAAE,MAAM,GAAG,IAAI,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC;CACzC;AAED;;;;GAIG;AACH,eAAO,MAAM,kBAAkB,GAAI,CAAC,SAAS,cAAc,EAC1D,OAAO,aAAa,GAAG;IAAC,UAAU,EAAE,CAAC,CAAA;CAAC,KACpC,gBAAgB,CAAC,CAAC,CAAC,GAAG,IAExB,CAAC;AAEF,6CAA6C;AAC7C,MAAM,WAAW,aAAa,CAAC,CAAC,SAAS,MAAM,GAAG,cAAc;IAC/D,UAAU,EAAE,CAAC,CAAC;IACd,OAAO,CAAC,EAAE,YAAY,CAAC;IACvB,QAAQ,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;IACvB,UAAU,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;IACzB,iBAAiB,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;IAChC,eAAe,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;IAC9B,EAAE,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACnB;;;;OAIG;IACH,QAAQ,CAAC,EAAE,CAAC,SAAS,cAAc,GAChC,CAAC,gBAAgB,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,GAAG,IAAI,GACtD,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC;CAClC;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,WAAW,cAAc;IAC9B,iFAAiF;IACjF,QAAQ,CAAC,WAAW,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IAC5C;;;OAGG;IACH,QAAQ,CAAC,gBAAgB,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC;CAC/D;AAED,4FAA4F;AAC5F,eAAO,MAAM,wBAAwB,EAAE,cAGrC,CAAC;AAEH,6CAA6C;AAC7C,MAAM,WAAW,2BAA2B;IAC3C;;;;;;;;OAQG;IACH,YAAY,CAAC,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,GAAG,IAAI,CAAC,CAAC,CAAC;CAC1D;AAED;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,uBAAuB,GAAI,UAAU,2BAA2B,KAAG,cA2B/E,CAAC;AAEF,gDAAgD;AAChD,eAAO,MAAM,uBAAuB,KAAK,CAAC;AAE1C,6CAA6C;AAC7C,MAAM,WAAW,mBAAmB;IACnC,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB;;;;OAIG;IACH,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,aAAa,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IAC9B,UAAU,CAAC,EAAE,IAAI,CAAC;IAClB,OAAO,CAAC,EAAE,YAAY,CAAC;IACvB,0GAA0G;IAC1G,SAAS,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;;;;;;;;GASG;AACH,eAAO,MAAM,iBAAiB;;;;;;;;;;;;;;;kBAY5B,CAAC;AACH,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAC;AAElE,+DAA+D;AAC/D,eAAO,MAAM,8BAA8B;;;;;;;;;;;;;;;;;kBAGzC,CAAC;AACH,MAAM,MAAM,8BAA8B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,8BAA8B,CAAC,CAAC;AAE5F,wEAAwE;AACxE,eAAO,MAAM,yBAAyB;;;;;;;;;;;;;;;;;kBAGpC,CAAC;AACH,MAAM,MAAM,yBAAyB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,yBAAyB,CAAC,CAAC;AAElF,iEAAiE;AACjE,eAAO,MAAM,gBAAgB;;;;;;;kBAE3B,CAAC;AACH,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC"}
+{"version":3,"file":"audit_log_schema.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/audit_log_schema.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AACtB,OAAO,EAAC,IAAI,EAAC,MAAM,wBAAwB,CAAC;AAoB5C;;;;;GAKG;AACH,eAAO,MAAM,iBAAiB,8aAsBnB,CAAC;AAEZ,wCAAwC;AACxC,eAAO,MAAM,cAAc;;;;;;;;;;;;;;;;;;;;;;EAA4B,CAAC;AACxD,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,cAAc,CAAC,CAAC;AAE5D;;;;GAIG;AACH,eAAO,MAAM,2BAA2B,QAA+B,CAAC;AAExE,0DAA0D;AAC1D,eAAO,MAAM,kBAAkB,aAE7B,CAAC;AACH,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAEpE,2CAA2C;AAC3C,eAAO,MAAM,YAAY;;;EAAiC,CAAC;AAC3D,MAAM,MAAM,YAAY,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,YAAY,CAAC,CAAC;AAExD;;;;;;GAMG;AACH,eAAO,MAAM,sBAAsB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAkNW,CAAC;AAE/C,+EAA+E;AAC/E,MAAM,MAAM,gBAAgB,GAAG;KAC7B,CAAC,IAAI,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,OAAO,sBAAsB,CAAC,CAAC,CAAC,CAAC,CAAC;CAClE,CAAC;AAEF,oGAAoG;AACpG,MAAM,WAAW,aAAa;IAC7B,EAAE,EAAE,IAAI,CAAC;IACT,GAAG,EAAE,MAAM,CAAC;IACZ,UAAU,EAAE,kBAAkB,CAAC;IAC/B,OAAO,EAAE,YAAY,CAAC;IACtB;;;;;;;;;;;;;OAaG;IACH,QAAQ,EAAE,IAAI,GAAG,IAAI,CAAC;IACtB,UAAU,EAAE,IAAI,GAAG,IAAI,CAAC;IACxB,iBAAiB,EAAE,IAAI,GAAG,IAAI,CAAC;IAC/B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OAkCG;IACH,eAAe,EAAE,IAAI,GAAG,IAAI,CAAC;IAC7B,EAAE,EAAE,MAAM,GAAG,IAAI,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC;CACzC;AAED;;;;GAIG;AACH,eAAO,MAAM,kBAAkB,GAAI,CAAC,SAAS,cAAc,EAC1D,OAAO,aAAa,GAAG;IAAC,UAAU,EAAE,CAAC,CAAA;CAAC,KACpC,gBAAgB,CAAC,CAAC,CAAC,GAAG,IAExB,CAAC;AAEF,6CAA6C;AAC7C,MAAM,WAAW,aAAa,CAAC,CAAC,SAAS,MAAM,GAAG,cAAc;IAC/D,UAAU,EAAE,CAAC,CAAC;IACd,OAAO,CAAC,EAAE,YAAY,CAAC;IACvB,QAAQ,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;IACvB,UAAU,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;IACzB,iBAAiB,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;IAChC,eAAe,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;IAC9B,EAAE,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACnB;;;;OAIG;IACH,QAAQ,CAAC,EAAE,CAAC,SAAS,cAAc,GAChC,CAAC,gBAAgB,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,GAAG,IAAI,GACtD,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC;CAClC;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,WAAW,cAAc;IAC9B,iFAAiF;IACjF,QAAQ,CAAC,WAAW,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IAC5C;;;OAGG;IACH,QAAQ,CAAC,gBAAgB,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC;CAC/D;AAED,4FAA4F;AAC5F,eAAO,MAAM,wBAAwB,EAAE,cAGrC,CAAC;AAEH,6CAA6C;AAC7C,MAAM,WAAW,2BAA2B;IAC3C;;;;;;;;OAQG;IACH,YAAY,CAAC,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,GAAG,IAAI,CAAC,CAAC,CAAC;CAC1D;AAED;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,uBAAuB,GAAI,UAAU,2BAA2B,KAAG,cA2B/E,CAAC;AAEF,gDAAgD;AAChD,eAAO,MAAM,uBAAuB,KAAK,CAAC;AAE1C,6CAA6C;AAC7C,MAAM,WAAW,mBAAmB;IACnC,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB;;;;OAIG;IACH,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,aAAa,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IAC9B,UAAU,CAAC,EAAE,IAAI,CAAC;IAClB,OAAO,CAAC,EAAE,YAAY,CAAC;IACvB,0GAA0G;IAC1G,SAAS,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;;;;;;;;GASG;AACH,eAAO,MAAM,iBAAiB;;;;;;;;;;;;;;;kBAY5B,CAAC;AACH,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAC;AAElE,+DAA+D;AAC/D,eAAO,MAAM,8BAA8B;;;;;;;;;;;;;;;;;kBAGzC,CAAC;AACH,MAAM,MAAM,8BAA8B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,8BAA8B,CAAC,CAAC;AAE5F,wEAAwE;AACxE,eAAO,MAAM,yBAAyB;;;;;;;;;;;;;;;;;kBAGpC,CAAC;AACH,MAAM,MAAM,yBAAyB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,yBAAyB,CAAC,CAAC;AAElF,iEAAiE;AACjE,eAAO,MAAM,gBAAgB;;;;;;;kBAE3B,CAAC;AACH,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC"}

package/dist/auth/audit_log_schema.js

@@ -14,6 +14,17 @@ import { Blake3Hash } from '@fuzdev/fuz_util/hash_blake3.js';
 import { AuthSessionJson } from './account_schema.js';
 import { Email } from '../primitive_schemas.js';
 import { ApiTokenId } from './api_token.js';
+import { BuiltinCredentialType } from './credential_type_schema.js';
+/**
+ * Defense-in-depth audit field — records the credential channel
+ * (`session` / `api_token` / `daemon_token`) the request arrived on.
+ * Present on events whose specs declare `credential_types: ['session']`
+ * so forensics survive a future loosening or bypass of the spec gate.
+ * See `docs/security.md` §Credential-channel gating.
+ */
+const credential_type_meta = BuiltinCredentialType.optional().meta({
+    description: 'Credential channel the request arrived on. Defense in depth — the spec gate restricts to `session`, but the row preserves what actually authenticated the request in case the gate is loosened or bypassed in a future refactor.',
+});
 /**
  * All tracked auth event types. Frozen to convert accidental in-process
  * mutation (test cross-contamination, cast escapes) into loud TypeErrors.
@@ -102,10 +113,12 @@ export const audit_metadata_schemas = Object.freeze({
         reason: z.enum(['concurrent_change']).optional().meta({
             description: 'Failure category. `concurrent_change` indicates another password change committed first against the same starting hash (verify-write race loser). Absent for typed-wrong-password failures.',
         }),
+        credential_type: credential_type_meta,
     })
         .nullable(),
     session_revoke: z.looseObject({
         session_id: Blake3Hash.meta({ description: 'Blake3 hash identifying the revoked session row.' }),
+        credential_type: credential_type_meta,
     }),
     session_revoke_all: z.looseObject({
         // Omitted on `outcome='failure'` (no revocation attempted — e.g. target
@@ -122,13 +135,16 @@ export const audit_metadata_schemas = Object.freeze({
         attempted_account_id: Uuid.optional().meta({
             description: 'Probed account id when the target lookup missed (FK constraint forces `target_account_id` to null).',
         }),
+        credential_type: credential_type_meta,
     }),
     token_create: z.looseObject({
         token_id: ApiTokenId.meta({ description: 'Public id of the created API token (`tok_…`).' }),
         name: z.string().meta({ description: 'Operator-supplied label for the token.' }),
+        credential_type: credential_type_meta,
     }),
     token_revoke: z.looseObject({
         token_id: ApiTokenId.meta({ description: 'Public id of the revoked API token (`tok_…`).' }),
+        credential_type: credential_type_meta,
     }),
     token_revoke_all: z.looseObject({
         // Same shape as `session_revoke_all` for failures.
@@ -275,9 +291,11 @@ export const builtin_audit_log_config = Object.freeze({
  * Throws when an `extra_events` key collides with a builtin event type, or
  * fails `AuditEventTypeName` format validation.
  *
- * Call once at startup; pass the result to `create_app_backend` (which
- * threads it into `AppDeps.audit`). Builtin handlers omit the
- * `audit_log_config` slot and pick up `builtin_audit_log_config`.
+ * Call once at startup; pass the result into the consumer's `audit_factory`
+ * body — typically `({db, log}) => create_audit_emitter({db, log,
+ * audit_log_config, ...})` — so it gets captured inside the bound
+ * `AppDeps.audit` emitter. Builtin handlers omit the `audit_log_config`
+ * slot and pick up `builtin_audit_log_config`.
  *
  * @throws Error when an `extra_events` key collides with a builtin event type or fails `AuditEventTypeName` format validation
  */

package/dist/auth/bootstrap_routes.d.ts

@@ -19,7 +19,7 @@ import type { StatResult } from '../runtime/deps.js';
 /** Input for `POST /bootstrap`. `token` is the one-shot token file contents. */
 export declare const BootstrapInput: z.ZodObject<{
     token: z.ZodString;
-    username: z.ZodString;
+    username: z.ZodPipe<z.ZodString, z.ZodTransform<string, string>>;
     password: z.ZodString;
 }, z.core.$strict>;
 export type BootstrapInput = z.infer<typeof BootstrapInput>;

package/dist/auth/invite_schema.d.ts

@@ -23,7 +23,7 @@ export interface Invite {
 export declare const InviteJson: z.ZodObject<{
     id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
     email: z.ZodNullable<z.ZodEmail>;
-    username: z.ZodNullable<z.ZodString>;
+    username: z.ZodNullable<z.ZodPipe<z.ZodString, z.ZodTransform<string, string>>>;
     claimed_by: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
     claimed_at: z.ZodNullable<z.ZodString>;
     created_at: z.ZodString;
@@ -34,7 +34,7 @@ export type InviteJson = z.infer<typeof InviteJson>;
 export declare const InviteWithUsernamesJson: z.ZodObject<{
     id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
     email: z.ZodNullable<z.ZodEmail>;
-    username: z.ZodNullable<z.ZodString>;
+    username: z.ZodNullable<z.ZodPipe<z.ZodString, z.ZodTransform<string, string>>>;
     claimed_by: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
     claimed_at: z.ZodNullable<z.ZodString>;
     created_at: z.ZodString;

package/dist/auth/request_context.d.ts

@@ -340,7 +340,7 @@ export declare const build_account_context: (deps: QueryDeps, account_id: string
  *
  * The auth phase deliberately stops short of constructing a `Response` so
  * the same failure flows through every transport without the auth-domain
- * code knowing about JSON-RPC. See `fuz_app/CLAUDE.md` § Cleanest
+ * code knowing about JSON-RPC. See `../../../CLAUDE.md` §Cleanest
  * architecture takes priority for the rationale.
  */
 export type AuthorizationFailureBody = {

package/dist/auth/signup_routes.d.ts

@@ -24,7 +24,7 @@ export interface SignupRouteOptions extends AuthSessionRouteOptions {
 }
 /** Input for `POST /signup`. `email` is optional and must match any referenced invite. */
 export declare const SignupInput: z.ZodObject<{
-    username: z.ZodString;
+    username: z.ZodPipe<z.ZodString, z.ZodTransform<string, string>>;
     password: z.ZodString;
     email: z.ZodOptional<z.ZodEmail>;
 }, z.core.$strict>;

package/dist/auth/standard_rpc_actions.d.ts

@@ -10,6 +10,7 @@
  * Option routing: shared `roles` flows to both admin and role-grant-offer;
  * `app_settings` goes to admin only; `default_ttl_ms` and `authorize` go
  * to role-grant-offer only; `max_tokens` goes to account only;
+ * shared `connection_closer` flows to admin + account (role-grant-offer ignores);
  * `notification_sender` reaches role-grant-offer transparently (admin + account
  * ignore it).
  *

package/dist/auth/standard_rpc_actions.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"standard_rpc_actions.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/standard_rpc_actions.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAEH,OAAO,EAAuB,KAAK,kBAAkB,EAAC,MAAM,oBAAoB,CAAC;AACjF,OAAO,EAEN,KAAK,2BAA2B,EAChC,MAAM,+BAA+B,CAAC;AACvC,OAAO,EAAyB,KAAK,oBAAoB,EAAC,MAAM,sBAAsB,CAAC;AACvF,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,WAAW,CAAC;AAChD,OAAO,KAAK,EAAC,kBAAkB,EAAC,MAAM,qCAAqC,CAAC;AAC5E,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,0BAA0B,CAAC;AAExD;;;;;;;;GAQG;AACH,MAAM,WAAW,yBAChB,SAAQ,kBAAkB,EAAE,2BAA2B,EAAE,oBAAoB;CAAG;AAEjF;;;;;;;GAOG;AACH,MAAM,WAAW,sBAAuB,SAAQ,IAAI,CAAC,gBAAgB,EAAE,KAAK,GAAG,OAAO,CAAC;IACtF,mBAAmB,CAAC,EAAE,kBAAkB,GAAG,IAAI,CAAC;CAChD;AAED;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,2BAA2B,GACvC,MAAM,sBAAsB,EAC5B,UAAS,yBAA8B,KACrC,KAAK,CAAC,SAAS,CAIjB,CAAC"}
+{"version":3,"file":"standard_rpc_actions.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/standard_rpc_actions.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAEH,OAAO,EAAuB,KAAK,kBAAkB,EAAC,MAAM,oBAAoB,CAAC;AACjF,OAAO,EAEN,KAAK,2BAA2B,EAChC,MAAM,+BAA+B,CAAC;AACvC,OAAO,EAAyB,KAAK,oBAAoB,EAAC,MAAM,sBAAsB,CAAC;AACvF,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,WAAW,CAAC;AAChD,OAAO,KAAK,EAAC,kBAAkB,EAAC,MAAM,qCAAqC,CAAC;AAC5E,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,0BAA0B,CAAC;AAExD;;;;;;;;GAQG;AACH,MAAM,WAAW,yBAChB,SAAQ,kBAAkB,EAAE,2BAA2B,EAAE,oBAAoB;CAAG;AAEjF;;;;;;;GAOG;AACH,MAAM,WAAW,sBAAuB,SAAQ,IAAI,CAAC,gBAAgB,EAAE,KAAK,GAAG,OAAO,CAAC;IACtF,mBAAmB,CAAC,EAAE,kBAAkB,GAAG,IAAI,CAAC;CAChD;AAED;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,2BAA2B,GACvC,MAAM,sBAAsB,EAC5B,UAAS,yBAA8B,KACrC,KAAK,CAAC,SAAS,CAIjB,CAAC"}

package/dist/auth/standard_rpc_actions.js

@@ -10,6 +10,7 @@
  * Option routing: shared `roles` flows to both admin and role-grant-offer;
  * `app_settings` goes to admin only; `default_ttl_ms` and `authorize` go
  * to role-grant-offer only; `max_tokens` goes to account only;
+ * shared `connection_closer` flows to admin + account (role-grant-offer ignores);
  * `notification_sender` reaches role-grant-offer transparently (admin + account
  * ignore it).
  *

package/dist/env/update_env_variable.js

@@ -70,7 +70,7 @@ export const update_env_variable = async (key, value, options) => {
     const updated_content = updated_lines.join('\n') + (has_trailing_newline ? '\n' : '');
     await write_file(file_path, updated_content, 'utf-8');
 };
-// Keep this tokenization aligned with `parse_dotenv` in `./dotenv.ts`:
+// Keep this tokenization aligned with `parse_dotenv` in `env/dotenv.ts`:
 // trim, skip empties/comments, split on the first `=`.
 const find_last_key_line_index = (lines, key) => {
     if (!key)