@fuzdev/fuz_app 0.63.0 → 0.64.0

package/dist/actions/CLAUDE.md

@@ -469,9 +469,18 @@ persistence + rehydration by the consumer.
 
 ## WS auth guard (`transports_ws_auth_guard.ts`)
 
-`create_ws_auth_guard(transport, log)` returns an `on_audit_event` callback
-wireable via `CreateAppBackendOptions.on_audit_event`. Mirrors the SSE
-guard in `realtime/sse_auth_guard.ts` but targets the WS transport.
+Closes WS sockets on audit revoke events — per-message dispatch doesn't
+re-check session/token validity, so this guard is the revocation seam
+for open connections. Module TSDoc carries the full rationale.
+
+`create_ws_auth_guard(transport, log)` returns an `on_audit_event` callback.
+For standard WS endpoints mounted via `AppServerOptions.ws_endpoints`,
+`create_app_server` composes this guard onto
+`backend.deps.audit.on_event_chain` automatically (per
+`WsEndpointSpec.auth_guard`). For custom wiring, append it inside the
+consumer's `audit_factory` body (or via `audit.on_event_chain.push(...)`
+post-assembly). Mirrors the SSE guard in `realtime/sse_auth_guard.ts`
+but targets the WS transport.
 
 `ws_disconnect_event_types` (ReadonlySet): `session_revoke`,
 `token_revoke`, `session_revoke_all`, `token_revoke_all`, `password_change`.
@@ -510,27 +519,124 @@ Same `outcome === 'failure'` guard as `create_ws_auth_guard`. Closes via
 `close_sockets_for_account(event.account_id)` — `logout` is always
 self-service, so there is no `target_account_id` to fall back on.
 
-## WebSocket dispatch
+## Connection closer (`connection_closer.ts`)
+
+Narrow structural capability for handler-side eager WS socket closure
+on revocation — the belt+suspenders layer that complements the audit-
+listener guards above.
+
+```ts
+interface ConnectionCloser {
+	close_sockets_for_session: (session_token_hash: string) => number;
+	close_sockets_for_token: (api_token_id: string) => number;
+	close_sockets_for_account: (account_id: string) => number;
+}
+```
+
+`BackendWebsocketTransport` satisfies this structurally — consumers
+pass the transport instance directly (same shape as
+`NotificationSender`). Wired into `AccountRouteOptions.connection_closer`
+(logout / password), `AccountActionOptions.connection_closer`
+(`account_session_revoke` / `_revoke_all` / `account_token_revoke`),
+and `AdminActionOptions.connection_closer`
+(`admin_session_revoke_all` / `admin_token_revoke_all`). Each handler
+calls the appropriate `close_sockets_for_*` method synchronously
+BEFORE the audit emit so revocation lands even on audit INSERT
+failure. Listener-based close
+(`create_ws_auth_guard` / `create_ws_logout_closer`) stays as a
+fail-safe for out-of-band emit sites; `close_sockets_for_*` is
+idempotent. Failure outcomes (`revoked: false`, 404 not-found) skip
+the eager close — matches the listener's `outcome === 'failure'`
+guard so attacker-guessable ids cannot be used to target arbitrary
+sockets. Mirrors `zzz_server`'s handler-side `close_sockets_for_*`
+calls (landed 2026-05-16; see
+`~/dev/grimoire/lore/fuz_app/TODO_AUTH.md` § Audit-driven WS
+revocation: handler-side belt+suspenders).
 
-Two layered entry points:
+## WebSocket dispatch
 
-### `register_ws_endpoint` (`register_ws_endpoint.ts`) — idiomatic
+Three layered entry points, in decreasing abstraction:
+
+### `create_app_server.ws_endpoints` (`server/app_server.ts`) — canonical
+
+The top-level mount surface — mirror of `rpc_endpoints` for WebSocket
+endpoints. Accepts either an array of `WsEndpointSpec` or a factory
+`(ctx: AppServerContext) => ReadonlyArray<WsEndpointSpec>`; the factory
+form runs after the server context is assembled so action lists can
+depend on `ctx.deps` / `ctx.action_*_rate_limiter`. Each entry is
+auto-mounted via `register_ws_endpoint` against the assembled Hono app,
+so consumers no longer call `register_ws_endpoint` themselves in their
+server-assembly module.
+
+`upgradeWebSocket` (the Hono adapter helper) is supplied once at the
+top level — `create_app_server` throws when `ws_endpoints` resolves
+non-empty but `upgradeWebSocket` is missing. A factory returning `[]`
+does NOT trip the check, so feature-flag gated WS surfaces stay safe.
+
+Per-endpoint `WsEndpointSpec` fields:
+
+- `path` — Hono mount path
+- `allowed_origins` — origin allowlist regexes (parsed via `parse_allowed_origins`)
+- `actions` — the `ReadonlyArray<Action>` to dispatch (spread `protocol_actions` first)
+- `required_roles?: ReadonlyArray<RoleName>` — any-of upgrade-time role gate; omit or `[]` to skip
+- `transport?: BackendWebsocketTransport` — supplied or auto-created; returned on `AppServer.ws_endpoints[path]` either way
+- `heartbeat?`, `artificial_delay?`, `on_socket_open?`, `on_socket_close?` — passed through to `register_ws_endpoint`
+- `auth_guard?: boolean` — default `true`; auto-composes `create_ws_auth_guard` + `create_ws_logout_closer` against the endpoint's transport and appends them to `deps.audit.on_event_chain`. The wiring is deduped by **reference identity** (`WeakSet<BackendWebsocketTransport>`), so two `WsEndpointSpec`s sharing one `BackendWebsocketTransport` instance still get a single pair of listeners. Wrapped / DI-proxied transports dedupe as separate entries — set `auth_guard: false` on duplicates and compose `create_ws_auth_guard` / `create_ws_logout_closer` against the underlying transport once
+- `extra_audit_handlers?: ReadonlyArray<AuditEventHandler>` — appended after the standard guards; consumer-owned, never deduped
+
+`auth_guard: true` does NOT close sockets on `role_grant_revoke`
+(deliberate — per-connection role tracking is out of scope). Consumers
+that need role-revoke disconnection wire it via `extra_audit_handlers`.
+
+The mounted transport is reachable at `app_server.ws_endpoints[path]` —
+a `Readonly<Record<string, BackendWebsocketTransport>>` keyed by mount
+path. Use this handle for fan-out (`send_to_account`) and broadcast.
+
+Duplicate paths across `WsEndpointSpec`s throw at mount time
+(`'create_app_server: duplicate ws_endpoints path: <path>'`), closing
+the route-shadow hole Hono's silent `app.get` overwriting would leave.
+Cross-surface collisions are also detected — registering `GET <path>`
+as both a `RouteSpec` and a `WsEndpointSpec` throws
+`'create_app_server: ws_endpoints path collides with a GET RouteSpec: <path>'`
+at mount time. Exact-string match only; pattern overlap (e.g. a
+`RouteSpec` at `GET /api/:resource` vs `WsEndpointSpec` at `/api/ws`)
+is not detected — Hono's specific-before-wildcard routing keeps those
+working, but if you need certainty avoid the overlap.
+
+`auth_guard` semantics when multiple specs share a transport: **any**
+spec with `auth_guard !== false` wires the guard for that transport
+(OR-semantics, order-independent). To opt out for a shared transport,
+every sibling spec must pass `auth_guard: false`. Documented on the
+`WsEndpointSpec.auth_guard` TSDoc.
+
+`AppSurfaceWsEndpoint.methods` surfaces `request_response` + `remote_notification`
+specs only — `local_call` specs are filtered out because they don't
+dispatch over WS (`compile_action_registry` routes only
+`request_response` with a handler into `action_map`; `local_call` is
+frontend-side registry metadata).
+
+### `register_ws_endpoint` (`register_ws_endpoint.ts`) — middle tier
 
 Composes the standard upgrade stack:
 
 1. `verify_request_source(allowed_origins)`
 2. `require_auth`
 3. upgrade-time authorization phase — resolves the acting actor and seeds `REQUEST_CONTEXT_KEY` for the inner `register_action_ws`'s upgrade-time identity capture
-4. optional `require_role([required_role])` (single-element array form)
+4. optional `require_role(required_roles)` — any-of disjunction
 5. delegates to `register_action_ws`
 
-Extends `RegisterActionWsOptions` with `allowed_origins: Array<RegExp>`
-and optional `required_role: RoleName`. Returns `{transport}`. Note:
-`required_role` is a **coarse upgrade-time gate** — per-action `auth` in
-each spec still applies at dispatch time via `perform_action`.
+Extends `RegisterActionWsOptions` with `allowed_origins: ReadonlyArray<RegExp>`
+and optional `required_roles: ReadonlyArray<RoleName>`. Returns
+`{transport}`. Note: `required_roles` is a **coarse upgrade-time gate**
+— per-action `auth` in each spec still applies at dispatch time via
+`perform_action`. Pass `[]` (or omit) to skip the role gate.
 (`verify_request_source` and `require_auth` / `require_role` are from
 `auth/`; see `auth/CLAUDE.md` §Middleware for their semantics.)
 
+Most consumers reach for the higher-level `ws_endpoints` option above —
+this is the entry test harnesses use when they need the upgrade stack
+without `create_app_server`'s full assembly.
+
 ### `register_action_ws` (`register_action_ws.ts`) — lower-level
 
 Exposed for tests (`create_ws_test_harness`) that need to drive the
@@ -945,6 +1051,13 @@ HTTP transport is **not** registered. `local_call` specs in `specs`
 silently no-op because `lookup_action_handler` always returns
 `undefined`; this factory targets wire-dispatched actions.
 
+`all_standard_action_specs` is transport-agnostic — when a consumer
+spreads `create_standard_rpc_actions(ctx.deps, opts)` into both
+`rpc_endpoints` AND `ws_endpoints` on `create_app_server`, every method
+is reachable on both transports and `transport_for_method` can route
+per-call (e.g. return `'frontend_websocket_rpc'` for `account_*` /
+`admin_*` methods to bind them to the live WS connection).
+
 `transport_for_method` and `on_action_event` are pure pass-throughs to
 `create_rpc_client` — exposed so consumers needing per-method routing
 (zap-style WS-for-actions / HTTP-for-rest split) or per-dispatch event

package/dist/actions/connection_closer.d.ts

@@ -0,0 +1,68 @@
+/**
+ * Narrow structural capability for closing live WebSocket connections
+ * tied to a session token hash, API token id, or account id.
+ *
+ * **Why this exists.** Per-message authorization phase on WebSocket
+ * (`actions/perform_action.ts`) reloads role_grants from the DB on every
+ * message but does NOT re-query session / token validity — that
+ * trade-off keeps chatty connections fast. The cost: revocation
+ * doesn't actually disconnect open sockets unless something closes
+ * them. `transports_ws_auth_guard.ts` is the listener-based seam
+ * (audit-event → close), but it only fires after the audit INSERT
+ * succeeds — if the INSERT fails (DB error, pool exhausted, handler
+ * dies mid-flight) the listener never runs and the live socket keeps
+ * working with a stale `RequestContext` until disconnect.
+ *
+ * Used by self-service revocation handlers (`account_session_revoke` /
+ * `_revoke_all`, `account_token_revoke`, `logout`, `password`) and the
+ * admin revoke-all handlers (`admin_session_revoke_all`,
+ * `admin_token_revoke_all`) to eagerly drop affected sockets BEFORE
+ * emitting the corresponding audit event. The audit listener stays as
+ * a fail-safe for out-of-band emit sites (admin tools, scheduled
+ * jobs, SSE-driven flows). `close_sockets_for_*` is idempotent so the
+ * second pass is a no-op.
+ *
+ * Mirrors `zzz_server`'s `close_sockets_for_*` calls in
+ * `account.rs::logout_inner` / `_password_inner` /
+ * `handlers/account.rs::handle_account_session_revoke[_all]` /
+ * `_token_revoke` (landed 2026-05-16); see
+ * `~/dev/grimoire/lore/fuz_app/TODO_AUTH.md` §Audit-driven WS
+ * revocation: handler-side belt+suspenders for the cross-backend
+ * parity record.
+ *
+ * `BackendWebsocketTransport` satisfies this interface structurally,
+ * so consumers pass their transport instance directly (same shape as
+ * `NotificationSender`). The interface stays local so handlers don't
+ * couple to the concrete transport, and tests can inject a capturing
+ * stub with no WS machinery.
+ *
+ * @module
+ */
+/**
+ * Narrow capability — three idempotent socket-close methods, each
+ * returning the number of sockets actually closed (zero when none
+ * matched). Callers typically ignore the return value (used by
+ * telemetry / tests).
+ */
+export interface ConnectionCloser {
+    /**
+     * Close every connection authenticated with a session whose blake3
+     * hash matches `session_token_hash`. Idempotent — calling on an
+     * already-closed session is a no-op.
+     */
+    close_sockets_for_session: (session_token_hash: string) => number;
+    /**
+     * Close every connection authenticated with the given API token id.
+     * Idempotent — calling on an already-revoked token is a no-op.
+     */
+    close_sockets_for_token: (api_token_id: string) => number;
+    /**
+     * Close every connection bound to `account_id`, regardless of
+     * credential type (session / api_token / daemon_token). Coarse
+     * closure used when every credential on an account is invalidated
+     * — password change, session-revoke-all, token-revoke-all, logout.
+     * Idempotent.
+     */
+    close_sockets_for_account: (account_id: string) => number;
+}
+//# sourceMappingURL=connection_closer.d.ts.map

package/dist/actions/connection_closer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"connection_closer.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/actions/connection_closer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAuCG;AAEH;;;;;GAKG;AACH,MAAM,WAAW,gBAAgB;IAChC;;;;OAIG;IACH,yBAAyB,EAAE,CAAC,kBAAkB,EAAE,MAAM,KAAK,MAAM,CAAC;IAClE;;;OAGG;IACH,uBAAuB,EAAE,CAAC,YAAY,EAAE,MAAM,KAAK,MAAM,CAAC;IAC1D;;;;;;OAMG;IACH,yBAAyB,EAAE,CAAC,UAAU,EAAE,MAAM,KAAK,MAAM,CAAC;CAC1D"}

package/dist/actions/connection_closer.js

@@ -0,0 +1,41 @@
+/**
+ * Narrow structural capability for closing live WebSocket connections
+ * tied to a session token hash, API token id, or account id.
+ *
+ * **Why this exists.** Per-message authorization phase on WebSocket
+ * (`actions/perform_action.ts`) reloads role_grants from the DB on every
+ * message but does NOT re-query session / token validity — that
+ * trade-off keeps chatty connections fast. The cost: revocation
+ * doesn't actually disconnect open sockets unless something closes
+ * them. `transports_ws_auth_guard.ts` is the listener-based seam
+ * (audit-event → close), but it only fires after the audit INSERT
+ * succeeds — if the INSERT fails (DB error, pool exhausted, handler
+ * dies mid-flight) the listener never runs and the live socket keeps
+ * working with a stale `RequestContext` until disconnect.
+ *
+ * Used by self-service revocation handlers (`account_session_revoke` /
+ * `_revoke_all`, `account_token_revoke`, `logout`, `password`) and the
+ * admin revoke-all handlers (`admin_session_revoke_all`,
+ * `admin_token_revoke_all`) to eagerly drop affected sockets BEFORE
+ * emitting the corresponding audit event. The audit listener stays as
+ * a fail-safe for out-of-band emit sites (admin tools, scheduled
+ * jobs, SSE-driven flows). `close_sockets_for_*` is idempotent so the
+ * second pass is a no-op.
+ *
+ * Mirrors `zzz_server`'s `close_sockets_for_*` calls in
+ * `account.rs::logout_inner` / `_password_inner` /
+ * `handlers/account.rs::handle_account_session_revoke[_all]` /
+ * `_token_revoke` (landed 2026-05-16); see
+ * `~/dev/grimoire/lore/fuz_app/TODO_AUTH.md` §Audit-driven WS
+ * revocation: handler-side belt+suspenders for the cross-backend
+ * parity record.
+ *
+ * `BackendWebsocketTransport` satisfies this interface structurally,
+ * so consumers pass their transport instance directly (same shape as
+ * `NotificationSender`). The interface stays local so handlers don't
+ * couple to the concrete transport, and tests can inject a capturing
+ * stub with no WS machinery.
+ *
+ * @module
+ */
+export {};

package/dist/actions/register_action_ws.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"register_action_ws.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/actions/register_action_ws.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AAEH,OAAO,KAAK,EAAC,IAAI,EAAC,MAAM,MAAM,CAAC;AAC/B,OAAO,KAAK,EAAC,gBAAgB,EAAE,SAAS,EAAC,MAAM,SAAS,CAAC;AAEzD,OAAO,EAAS,KAAK,MAAM,IAAI,UAAU,EAAC,MAAM,yBAAyB,CAAC;AAC1E,OAAO,KAAK,EAAC,IAAI,EAAC,MAAM,wBAAwB,CAAC;AAUjD,OAAO,KAAK,EAAC,WAAW,EAAC,MAAM,oBAAoB,CAAC;AAgBpD,OAAO,KAAK,EAAC,EAAE,EAAC,MAAM,aAAa,CAAC;AACpC,OAAO,EAAC,KAAK,MAAM,EAAC,MAAM,mBAAmB,CAAC;AAI9C,OAAO,EAAC,yBAAyB,EAAE,KAAK,kBAAkB,EAAC,MAAM,4BAA4B,CAAC;AAG9F,YAAY,EAAC,MAAM,EAAC,CAAC;AAErB,0EAA0E;AAC1E,eAAO,MAAM,gCAAgC,QAAS,CAAC;AAEvD;;;;;;;GAOG;AACH,MAAM,WAAW,iBAAiB;IACjC,qFAAqF;IACrF,EAAE,EAAE,SAAS,CAAC;IACd,4EAA4E;IAC5E,aAAa,EAAE,IAAI,CAAC;IACpB,oDAAoD;IACpD,QAAQ,EAAE,kBAAkB,CAAC;IAC7B;;;OAGG;IACH,MAAM,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,KAAK,IAAI,CAAC;IAClD,wFAAwF;IACxF,MAAM,EAAE,WAAW,CAAC;CACpB;AAED;;;;;;;GAOG;AACH,MAAM,WAAW,kBAAkB;IAClC,+CAA+C;IAC/C,EAAE,EAAE,SAAS,CAAC;IACd,2CAA2C;IAC3C,aAAa,EAAE,IAAI,CAAC;IACpB,kGAAkG;IAClG,QAAQ,EAAE,kBAAkB,CAAC;CAC7B;AAED,MAAM,WAAW,sBAAsB;IACtC;;;;;OAKG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,wCAAwC;AACxC,MAAM,WAAW,uBAAuB;IACvC,oCAAoC;IACpC,IAAI,EAAE,MAAM,CAAC;IACb,gCAAgC;IAChC,GAAG,EAAE,IAAI,CAAC;IACV,iEAAiE;IACjE,gBAAgB,EAAE,gBAAgB,CAAC;IACnC;;;;;;;OAOG;IACH,OAAO,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IAC/B;;;;;;;;;OASG;IACH,EAAE,EAAE,EAAE,CAAC;IACP;;;;OAIG;IACH,SAAS,CAAC,EAAE,yBAAyB,CAAC;IACtC;;;;;OAKG;IACH,SAAS,CAAC,EAAE,OAAO,GAAG,sBAAsB,CAAC;IAC7C,+EAA+E;IAC/E,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,qDAAqD;IACrD,GAAG,CAAC,EAAE,UAAU,CAAC;IACjB;;;;;OAKG;IACH,cAAc,CAAC,EAAE,CAAC,GAAG,EAAE,iBAAiB,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAClE;;;;;OAKG;IACH,eAAe,CAAC,EAAE,CAAC,GAAG,EAAE,kBAAkB,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACpE;;;;;;OAMG;IACH,sBAAsB,CAAC,EAAE,WAAW,GAAG,IAAI,CAAC;IAC5C;;;;;OAKG;IACH,2BAA2B,CAAC,EAAE,WAAW,GAAG,IAAI,CAAC;CACjD;AAED,sCAAsC;AACtC,MAAM,WAAW,sBAAsB;IACtC,yEAAyE;IACzE,SAAS,EAAE,yBAAyB,CAAC;CACrC;AAED;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,eAAO,MAAM,kBAAkB,GAAI,SAAS,uBAAuB,KAAG,sBAuUrE,CAAC"}
+{"version":3,"file":"register_action_ws.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/actions/register_action_ws.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AAEH,OAAO,KAAK,EAAC,IAAI,EAAC,MAAM,MAAM,CAAC;AAC/B,OAAO,KAAK,EAAC,gBAAgB,EAAE,SAAS,EAAC,MAAM,SAAS,CAAC;AAEzD,OAAO,EAAS,KAAK,MAAM,IAAI,UAAU,EAAC,MAAM,yBAAyB,CAAC;AAC1E,OAAO,KAAK,EAAC,IAAI,EAAC,MAAM,wBAAwB,CAAC;AAUjD,OAAO,KAAK,EAAC,WAAW,EAAC,MAAM,oBAAoB,CAAC;AAgBpD,OAAO,KAAK,EAAC,EAAE,EAAC,MAAM,aAAa,CAAC;AACpC,OAAO,EAAC,KAAK,MAAM,EAAC,MAAM,mBAAmB,CAAC;AAI9C,OAAO,EAAC,yBAAyB,EAAE,KAAK,kBAAkB,EAAC,MAAM,4BAA4B,CAAC;AAG9F,YAAY,EAAC,MAAM,EAAC,CAAC;AAErB,0EAA0E;AAC1E,eAAO,MAAM,gCAAgC,QAAS,CAAC;AAEvD;;;;;;;GAOG;AACH,MAAM,WAAW,iBAAiB;IACjC,qFAAqF;IACrF,EAAE,EAAE,SAAS,CAAC;IACd,4EAA4E;IAC5E,aAAa,EAAE,IAAI,CAAC;IACpB,oDAAoD;IACpD,QAAQ,EAAE,kBAAkB,CAAC;IAC7B;;;OAGG;IACH,MAAM,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,KAAK,IAAI,CAAC;IAClD,wFAAwF;IACxF,MAAM,EAAE,WAAW,CAAC;CACpB;AAED;;;;;;;GAOG;AACH,MAAM,WAAW,kBAAkB;IAClC,+CAA+C;IAC/C,EAAE,EAAE,SAAS,CAAC;IACd,2CAA2C;IAC3C,aAAa,EAAE,IAAI,CAAC;IACpB,kGAAkG;IAClG,QAAQ,EAAE,kBAAkB,CAAC;CAC7B;AAED,MAAM,WAAW,sBAAsB;IACtC;;;;;OAKG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,wCAAwC;AACxC,MAAM,WAAW,uBAAuB;IACvC,oCAAoC;IACpC,IAAI,EAAE,MAAM,CAAC;IACb,gCAAgC;IAChC,GAAG,EAAE,IAAI,CAAC;IACV,iEAAiE;IACjE,gBAAgB,EAAE,gBAAgB,CAAC;IACnC;;;;;;;OAOG;IACH,OAAO,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IAC/B;;;;;;;;;OASG;IACH,EAAE,EAAE,EAAE,CAAC;IACP;;;;OAIG;IACH,SAAS,CAAC,EAAE,yBAAyB,CAAC;IACtC;;;;;OAKG;IACH,SAAS,CAAC,EAAE,OAAO,GAAG,sBAAsB,CAAC;IAC7C,+EAA+E;IAC/E,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B,qDAAqD;IACrD,GAAG,CAAC,EAAE,UAAU,CAAC;IACjB;;;;;OAKG;IACH,cAAc,CAAC,EAAE,CAAC,GAAG,EAAE,iBAAiB,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAClE;;;;;OAKG;IACH,eAAe,CAAC,EAAE,CAAC,GAAG,EAAE,kBAAkB,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACpE;;;;;;OAMG;IACH,sBAAsB,CAAC,EAAE,WAAW,GAAG,IAAI,CAAC;IAC5C;;;;;OAKG;IACH,2BAA2B,CAAC,EAAE,WAAW,GAAG,IAAI,CAAC;CACjD;AAED,sCAAsC;AACtC,MAAM,WAAW,sBAAsB;IACtC,yEAAyE;IACzE,SAAS,EAAE,yBAAyB,CAAC;CACrC;AAED;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,eAAO,MAAM,kBAAkB,GAAI,SAAS,uBAAuB,KAAG,sBA4VrE,CAAC"}

package/dist/actions/register_action_ws.js

@@ -90,6 +90,14 @@ export const register_action_ws = (options) => {
         // `credential_type` from this closure; the live request_context is
         // only used by the test-preset escape hatch (perform_action runs
         // the authorization phase fresh on every message in production).
+        //
+        // Per-message dispatch reloads role_grants via the authorization
+        // phase but does NOT re-query session / token validity — those
+        // are checked once at upgrade. Revocation enforcement therefore
+        // lives outside this dispatcher, in the audit-driven WS auth
+        // guard (`transports_ws_auth_guard.ts`). Without that guard wired
+        // into the audit chain, `session_revoke` / `token_revoke` are
+        // no-ops for existing WS connections.
         const upgrade_context = require_request_context(c);
         const account_id = upgrade_context.account.id;
         const client_ip = get_client_ip(c);
@@ -263,8 +271,21 @@ export const register_action_ws = (options) => {
                 // eager fire-and-forget pool writes (audit emits, etc.);
                 // `post_commit_effects` collects deferred thunks pushed
                 // via `emit_after_commit` (WS notifications). Both flush
-                // in the same try/finally so the next message sees a clean
-                // slate.
+                // in the `finally` so the next message sees a clean slate.
+                //
+                // Ordering invariant — reply-before-flush is load-bearing.
+                // Handlers that revoke their own credential
+                // (`session_revoke_all`, `token_revoke` of the calling
+                // bearer) audit-emit events whose listener chain — wired
+                // by the WS auth guard in `transports_ws_auth_guard.ts` —
+                // closes this socket when the audit row writes. The
+                // synchronous `ws.send` on the success path returns
+                // before any close can fire (the DB write that triggers
+                // the chain is async — even in production with
+                // `await_pending_effects: false`, the listener chain only
+                // runs after the row lands). Inverting the order —
+                // flushing the queues before the send — would silently
+                // strand the caller without a reply.
                 const pending_effects = [];
                 const post_commit_effects = [];
                 const notify = notify_socket(ws);

package/dist/actions/register_ws_endpoint.d.ts

@@ -12,8 +12,8 @@
  *    and build the `RequestContext` that per-message dispatch reads.
  *    Multi-actor accounts must supply `?acting` to pick a persona;
  *    single-actor accounts work without it.
- * 4. Optional `require_role(required_role)` — for endpoints gated to a
- *    specific role.
+ * 4. Optional `require_role(required_roles)` — for endpoints gated to a
+ *    non-empty any-of set of roles.
  *
  * Then delegates to `register_action_ws` for per-message JSON-RPC
  * dispatch.
@@ -29,15 +29,17 @@ export interface RegisterWsEndpointOptions extends RegisterActionWsOptions {
      * env var via `parse_allowed_origins`. Passed straight to
      * `verify_request_source`.
      */
-    allowed_origins: Array<RegExp>;
+    allowed_origins: ReadonlyArray<RegExp>;
     /**
-     * Role required to upgrade. Omit for any authenticated account
-     * (`require_auth` + actor resolution alone); set to e.g. `ROLE_ADMIN`
-     * to gate the endpoint behind a role. The per-action `auth` in each
-     * spec still applies at dispatch time — this is a coarse upgrade-time
-     * gate.
+     * Roles permitted to upgrade — any-of disjunction (matches the
+     * underlying `require_role` semantics). Omit (or pass `[]`) for any
+     * authenticated account (`require_auth` + actor resolution alone);
+     * set to e.g. `[ROLE_ADMIN]` to gate the endpoint behind a single role
+     * or `[ROLE_ADMIN, ROLE_KEEPER]` to permit either. The per-action
+     * `auth` in each spec still applies at dispatch time — this is a coarse
+     * upgrade-time gate.
      */
-    required_role?: RoleName;
+    required_roles?: ReadonlyArray<RoleName>;
 }
 /**
  * Mount a WebSocket endpoint with the standard upgrade stack (origin check

package/dist/actions/register_ws_endpoint.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"register_ws_endpoint.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/actions/register_ws_endpoint.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;GAqBG;AAYH,OAAO,KAAK,EAAC,QAAQ,EAAC,MAAM,wBAAwB,CAAC;AAGrD,OAAO,EAEN,KAAK,uBAAuB,EAC5B,KAAK,sBAAsB,EAC3B,MAAM,yBAAyB,CAAC;AAEjC,0CAA0C;AAC1C,MAAM,WAAW,yBAA0B,SAAQ,uBAAuB;IACzE;;;;OAIG;IACH,eAAe,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IAC/B;;;;;;OAMG;IACH,aAAa,CAAC,EAAE,QAAQ,CAAC;CACzB;AAgDD;;;;;;;;;;GAUG;AACH,eAAO,MAAM,oBAAoB,GAChC,SAAS,yBAAyB,KAChC,sBAmBF,CAAC"}
+{"version":3,"file":"register_ws_endpoint.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/actions/register_ws_endpoint.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;GAqBG;AAYH,OAAO,KAAK,EAAC,QAAQ,EAAC,MAAM,wBAAwB,CAAC;AAGrD,OAAO,EAEN,KAAK,uBAAuB,EAC5B,KAAK,sBAAsB,EAC3B,MAAM,yBAAyB,CAAC;AAEjC,0CAA0C;AAC1C,MAAM,WAAW,yBAA0B,SAAQ,uBAAuB;IACzE;;;;OAIG;IACH,eAAe,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IACvC;;;;;;;;OAQG;IACH,cAAc,CAAC,EAAE,aAAa,CAAC,QAAQ,CAAC,CAAC;CACzC;AAgDD;;;;;;;;;;GAUG;AACH,eAAO,MAAM,oBAAoB,GAChC,SAAS,yBAAyB,KAChC,sBAmBF,CAAC"}

package/dist/actions/register_ws_endpoint.js

@@ -12,8 +12,8 @@
  *    and build the `RequestContext` that per-message dispatch reads.
  *    Multi-actor accounts must supply `?acting` to pick a persona;
  *    single-actor accounts work without it.
- * 4. Optional `require_role(required_role)` — for endpoints gated to a
- *    specific role.
+ * 4. Optional `require_role(required_roles)` — for endpoints gated to a
+ *    non-empty any-of set of roles.
  *
  * Then delegates to `register_action_ws` for per-message JSON-RPC
  * dispatch.
@@ -77,12 +77,12 @@ const create_ws_authorization_middleware = (db) => {
  *   then registers the `GET path` route via the inner `register_action_ws`
  */
 export const register_ws_endpoint = (options) => {
-    const { app, path, allowed_origins, db, required_role, log = new Logger('[ws]'), ...rest } = options;
+    const { app, path, allowed_origins, db, required_roles, log = new Logger('[ws]'), ...rest } = options;
     app.use(path, verify_request_source(allowed_origins));
     app.use(path, require_auth);
     app.use(path, create_ws_authorization_middleware(db));
-    if (required_role !== undefined) {
-        app.use(path, require_role([required_role]));
+    if (required_roles?.length) {
+        app.use(path, require_role(required_roles));
     }
     return register_action_ws({ app, path, db, log, ...rest });
 };

package/dist/actions/transports_ws_auth_guard.d.ts

@@ -1,12 +1,26 @@
 /**
  * WebSocket auth guard — bridges audit events to `BackendWebsocketTransport`.
  *
- * Mirror of `realtime/sse_auth_guard.ts` for the backend WebSocket transport.
- * Dispatches audit events to the right `close_sockets_for_*` method so
- * consumers do not re-implement the switch themselves.
+ * **Why this exists.** `register_action_ws` captures `account_id` and
+ * `credential_type` at upgrade time and reuses them for every message.
+ * `perform_action`'s per-message authorization phase reloads role_grants
+ * from the DB, but session and token VALIDITY are not re-queried — that
+ * trade-off keeps chatty WS connections fast. The cost: nothing in the
+ * dispatch path notices when a session is revoked or a token is rotated.
+ * This guard is the enforcement mechanism — it listens on the audit
+ * chain and closes affected sockets when revocation events fire, so
+ * revocation actually takes effect on existing connections. Without it,
+ * `session_revoke` / `token_revoke` are no-ops for open WS connections.
  *
- * Consumers wire it as `on_audit_event` on their `AppBackend` (or compose
- * it with other callbacks via `create_app_server`'s `audit_log_sse` path).
+ * Mirror of `realtime/sse_auth_guard.ts` for the backend WebSocket
+ * transport. Dispatches audit events to the right `close_sockets_for_*`
+ * method so consumers do not re-implement the switch themselves.
+ *
+ * For standard WS endpoints mounted via `AppServerOptions.ws_endpoints`,
+ * `create_app_server` composes the guard automatically per
+ * `WsEndpointSpec.auth_guard`. For custom wiring, append the handler
+ * inside the consumer's `audit_factory` body (or via
+ * `audit.on_event_chain.push(...)` post-assembly).
  *
  * @module
  */
@@ -14,7 +28,7 @@ import type { Logger } from '@fuzdev/fuz_util/log.js';
 import type { AuditLogEvent } from '../auth/audit_log_schema.js';
 import type { BackendWebsocketTransport } from './transports_ws_backend.js';
 /**
- * Audit-event callback shape — the function `CreateAppBackendOptions.on_audit_event`
+ * Audit-event callback shape — the function `CreateAuditEmitterOptions.on_audit_event`
  * accepts and that the helpers in this module return.
  *
  * Exported so consumers composing multiple handlers (typically
@@ -46,8 +60,10 @@ export declare const ws_disconnect_event_types: ReadonlySet<string>;
  * user close another user's socket by guessing a session hash or token id.
  *
  * @param log - logger for disconnect events (info level on non-zero closures)
- * @returns an `on_audit_event` callback suitable for `CreateAppBackendOptions`.
- *   The returned callback mutates `transport` (closing matching sockets via
+ * @returns an `on_audit_event` callback suitable for `create_audit_emitter`'s
+ *   `on_audit_event` slot, or for appending onto
+ *   `audit.on_event_chain` post-assembly. The returned callback mutates
+ *   `transport` (closing matching sockets via
  *   `close_sockets_for_session` / `_token` / `_account`) on every relevant event.
  */
 export declare const create_ws_auth_guard: (transport: BackendWebsocketTransport, log: Logger) => AuditEventHandler;

package/dist/actions/transports_ws_auth_guard.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"transports_ws_auth_guard.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/actions/transports_ws_auth_guard.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAEpD,OAAO,KAAK,EAAC,aAAa,EAAC,MAAM,6BAA6B,CAAC;AAC/D,OAAO,KAAK,EAAC,yBAAyB,EAAC,MAAM,4BAA4B,CAAC;AAE1E;;;;;;;;GAQG;AACH,MAAM,MAAM,iBAAiB,GAAG,CAAC,KAAK,EAAE,aAAa,KAAK,IAAI,CAAC;AAE/D;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,yBAAyB,EAAE,WAAW,CAAC,MAAM,CAMxD,CAAC;AAEH;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,oBAAoB,GAChC,WAAW,yBAAyB,EACpC,KAAK,MAAM,KACT,iBA6CF,CAAC;AAEF;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AACH,eAAO,MAAM,uBAAuB,GACnC,WAAW,yBAAyB,EACpC,KAAK,MAAM,KACT,iBAaF,CAAC"}
+{"version":3,"file":"transports_ws_auth_guard.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/actions/transports_ws_auth_guard.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AAEH,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAEpD,OAAO,KAAK,EAAC,aAAa,EAAC,MAAM,6BAA6B,CAAC;AAC/D,OAAO,KAAK,EAAC,yBAAyB,EAAC,MAAM,4BAA4B,CAAC;AAE1E;;;;;;;;GAQG;AACH,MAAM,MAAM,iBAAiB,GAAG,CAAC,KAAK,EAAE,aAAa,KAAK,IAAI,CAAC;AAE/D;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,yBAAyB,EAAE,WAAW,CAAC,MAAM,CAMxD,CAAC;AAEH;;;;;;;;;;;;;;GAcG;AACH,eAAO,MAAM,oBAAoB,GAChC,WAAW,yBAAyB,EACpC,KAAK,MAAM,KACT,iBA6CF,CAAC;AAEF;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AACH,eAAO,MAAM,uBAAuB,GACnC,WAAW,yBAAyB,EACpC,KAAK,MAAM,KACT,iBAaF,CAAC"}

package/dist/actions/transports_ws_auth_guard.js

@@ -1,12 +1,26 @@
 /**
  * WebSocket auth guard — bridges audit events to `BackendWebsocketTransport`.
  *
- * Mirror of `realtime/sse_auth_guard.ts` for the backend WebSocket transport.
- * Dispatches audit events to the right `close_sockets_for_*` method so
- * consumers do not re-implement the switch themselves.
+ * **Why this exists.** `register_action_ws` captures `account_id` and
+ * `credential_type` at upgrade time and reuses them for every message.
+ * `perform_action`'s per-message authorization phase reloads role_grants
+ * from the DB, but session and token VALIDITY are not re-queried — that
+ * trade-off keeps chatty WS connections fast. The cost: nothing in the
+ * dispatch path notices when a session is revoked or a token is rotated.
+ * This guard is the enforcement mechanism — it listens on the audit
+ * chain and closes affected sockets when revocation events fire, so
+ * revocation actually takes effect on existing connections. Without it,
+ * `session_revoke` / `token_revoke` are no-ops for open WS connections.
  *
- * Consumers wire it as `on_audit_event` on their `AppBackend` (or compose
- * it with other callbacks via `create_app_server`'s `audit_log_sse` path).
+ * Mirror of `realtime/sse_auth_guard.ts` for the backend WebSocket
+ * transport. Dispatches audit events to the right `close_sockets_for_*`
+ * method so consumers do not re-implement the switch themselves.
+ *
+ * For standard WS endpoints mounted via `AppServerOptions.ws_endpoints`,
+ * `create_app_server` composes the guard automatically per
+ * `WsEndpointSpec.auth_guard`. For custom wiring, append the handler
+ * inside the consumer's `audit_factory` body (or via
+ * `audit.on_event_chain.push(...)` post-assembly).
  *
  * @module
  */
@@ -39,8 +53,10 @@ export const ws_disconnect_event_types = new Set([
  * user close another user's socket by guessing a session hash or token id.
  *
  * @param log - logger for disconnect events (info level on non-zero closures)
- * @returns an `on_audit_event` callback suitable for `CreateAppBackendOptions`.
- *   The returned callback mutates `transport` (closing matching sockets via
+ * @returns an `on_audit_event` callback suitable for `create_audit_emitter`'s
+ *   `on_audit_event` slot, or for appending onto
+ *   `audit.on_event_chain` post-assembly. The returned callback mutates
+ *   `transport` (closing matching sockets via
  *   `close_sockets_for_session` / `_token` / `_account`) on every relevant event.
  */
 export const create_ws_auth_guard = (transport, log) => {

package/dist/actions/ws_endpoint_spec.d.ts

@@ -0,0 +1,119 @@
+/**
+ * `WsEndpointSpec` — the canonical WebSocket endpoint declaration consumed
+ * by `create_app_server`'s `ws_endpoints` option (mirror of `RpcEndpointSpec`
+ * for HTTP RPC).
+ *
+ * Lives in its own module so both `server/app_server.ts` (which mounts
+ * endpoints from these specs) and `http/surface.ts` (which threads the
+ * resolved spec list into surface generation) can import it without a
+ * cycle between the two.
+ *
+ * @module
+ */
+import type { Action } from './action_types.js';
+import type { RoleName } from '../auth/role_schema.js';
+import type { BackendWebsocketTransport } from './transports_ws_backend.js';
+import type { ServerHeartbeatOptions, SocketCloseContext, SocketOpenContext } from './register_action_ws.js';
+import type { AuditEventHandler } from './transports_ws_auth_guard.js';
+/**
+ * Declarative description of a WebSocket endpoint to be auto-mounted by
+ * `create_app_server`.
+ *
+ * Single source of truth for mount + surface — the same array drives
+ * `register_ws_endpoint`-style upgrade wiring AND the `surface.ws_endpoints`
+ * slot emitted into `AppSurface`, so consumers cannot drift their declared
+ * actions from what dispatch actually serves.
+ */
+export interface WsEndpointSpec {
+    /** Hono mount path (e.g. `/api/ws`). */
+    path: string;
+    /**
+     * Origin allowlist regexes — typically parsed via `parse_allowed_origins`.
+     * Passed straight to `verify_request_source` on upgrade.
+     */
+    allowed_origins: ReadonlyArray<RegExp>;
+    /**
+     * The actions registered on this endpoint. Spread `protocol_actions`
+     * from `actions/protocol.ts` first to complete the
+     * disconnect-detection + per-request cancel pairing with the frontend
+     * client.
+     */
+    actions: ReadonlyArray<Action>;
+    /**
+     * Roles permitted to upgrade — any-of disjunction. Omit (or pass `[]`)
+     * to skip the upgrade-time role gate; per-action `auth` on each spec
+     * still applies at dispatch time via `perform_action`. Pass
+     * `[ROLE_ADMIN]` for a zap-style admin-only WS endpoint.
+     */
+    required_roles?: ReadonlyArray<RoleName>;
+    /**
+     * Existing transport to register connections with. Auto-created when
+     * omitted. Either way the mounted transport is reachable on
+     * `AppServer.ws_endpoints[path]` for broadcast / fan-out.
+     */
+    transport?: BackendWebsocketTransport;
+    /**
+     * Server-side heartbeat policy. Default-on (60s receive-silence
+     * timeout). Set `false` only when an upstream stack (TCP keepalive,
+     * Cloudflare idle timeout) already owns disconnect detection.
+     */
+    heartbeat?: boolean | ServerHeartbeatOptions;
+    /** Optional per-message delay for testing loading states. */
+    artificial_delay?: number;
+    /**
+     * Called once per socket after `transport.add_connection` but before
+     * the first message dispatches. See
+     * `RegisterActionWsOptions.on_socket_open`.
+     */
+    on_socket_open?: (ctx: SocketOpenContext) => void | Promise<void>;
+    /**
+     * Called once per socket on close, before `transport.remove_connection`.
+     * See `RegisterActionWsOptions.on_socket_close`.
+     */
+    on_socket_close?: (ctx: SocketCloseContext) => void | Promise<void>;
+    /**
+     * Default `true` — auto-composes `create_ws_auth_guard` +
+     * `create_ws_logout_closer` against this endpoint's transport and
+     * appends them to `deps.audit.on_event_chain`. Wiring is deduped by
+     * transport **reference identity** (`WeakSet<BackendWebsocketTransport>`),
+     * so two `WsEndpointSpec`s sharing the exact same instance get a
+     * single pair of listeners.
+     *
+     * **Shared-transport OR-semantics.** When multiple `WsEndpointSpec`s
+     * share one transport, the guard is wired iff **any** of those specs
+     * has `auth_guard !== false`. To opt out for a shared transport,
+     * every sibling spec must pass `auth_guard: false`. The default is
+     * "fail safe" — easier to enable than disable, and predictable
+     * regardless of spec order.
+     *
+     * Reference-identity dedupe means **wrapped or proxied transports
+     * dedupe as separate entries** — a consumer threading every
+     * transport through a tracing / DI / metrics shim will get a fresh
+     * pair of listeners per shimmed reference, even when the underlying
+     * transport is the same. If you wrap or proxy, set `auth_guard:
+     * false` on the duplicate `WsEndpointSpec`s and compose
+     * `create_ws_auth_guard` / `create_ws_logout_closer` against the
+     * underlying transport once.
+     *
+     * Set `false` when a consumer needs to compose their own callback
+     * from scratch — or to opt out of the auto-wiring entirely.
+     *
+     * NOTE: does NOT close sockets on `role_grant_revoke` — that omission
+     * is deliberate (per-connection role tracking is out of scope). A user
+     * whose admin role is revoked keeps their socket open; the next message
+     * gets `forbidden` from the per-message authorization phase. Consumers
+     * wanting role-revoke disconnection use `extra_audit_handlers`.
+     */
+    auth_guard?: boolean;
+    /**
+     * Extra audit-event handlers appended to `deps.audit.on_event_chain`
+     * AFTER the standard `auth_guard` wiring (when enabled). By the time
+     * these run, the standard guards may have already closed sockets. Use
+     * for role-revoke disconnection, custom analytics, etc.
+     *
+     * Never deduped — consumer-owned; pass the same handler twice and it
+     * fires twice.
+     */
+    extra_audit_handlers?: ReadonlyArray<AuditEventHandler>;
+}
+//# sourceMappingURL=ws_endpoint_spec.d.ts.map

package/dist/actions/ws_endpoint_spec.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ws_endpoint_spec.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/actions/ws_endpoint_spec.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,mBAAmB,CAAC;AAC9C,OAAO,KAAK,EAAC,QAAQ,EAAC,MAAM,wBAAwB,CAAC;AACrD,OAAO,KAAK,EAAC,yBAAyB,EAAC,MAAM,4BAA4B,CAAC;AAC1E,OAAO,KAAK,EACX,sBAAsB,EACtB,kBAAkB,EAClB,iBAAiB,EACjB,MAAM,yBAAyB,CAAC;AACjC,OAAO,KAAK,EAAC,iBAAiB,EAAC,MAAM,+BAA+B,CAAC;AAErE;;;;;;;;GAQG;AACH,MAAM,WAAW,cAAc;IAC9B,wCAAwC;IACxC,IAAI,EAAE,MAAM,CAAC;IACb;;;OAGG;IACH,eAAe,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IACvC;;;;;OAKG;IACH,OAAO,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IAC/B;;;;;OAKG;IACH,cAAc,CAAC,EAAE,aAAa,CAAC,QAAQ,CAAC,CAAC;IACzC;;;;OAIG;IACH,SAAS,CAAC,EAAE,yBAAyB,CAAC;IACtC;;;;OAIG;IACH,SAAS,CAAC,EAAE,OAAO,GAAG,sBAAsB,CAAC;IAC7C,6DAA6D;IAC7D,gBAAgB,CAAC,EAAE,MAAM,CAAC;IAC1B;;;;OAIG;IACH,cAAc,CAAC,EAAE,CAAC,GAAG,EAAE,iBAAiB,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAClE;;;OAGG;IACH,eAAe,CAAC,EAAE,CAAC,GAAG,EAAE,kBAAkB,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACpE;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OAgCG;IACH,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB;;;;;;;;OAQG;IACH,oBAAoB,CAAC,EAAE,aAAa,CAAC,iBAAiB,CAAC,CAAC;CACxD"}