@fuzdev/fuz_app 0.63.0 → 0.64.0

package/dist/actions/ws_endpoint_spec.js

@@ -0,0 +1,13 @@
+/**
+ * `WsEndpointSpec` — the canonical WebSocket endpoint declaration consumed
+ * by `create_app_server`'s `ws_endpoints` option (mirror of `RpcEndpointSpec`
+ * for HTTP RPC).
+ *
+ * Lives in its own module so both `server/app_server.ts` (which mounts
+ * endpoints from these specs) and `http/surface.ts` (which threads the
+ * resolved spec list into surface generation) can import it without a
+ * cycle between the two.
+ *
+ * @module
+ */
+export {};

package/dist/auth/CLAUDE.md

@@ -375,10 +375,11 @@ Zod enum; `AuditOutcome` is `'success' | 'failure'`.
 - **Consumer extensibility**: `create_audit_log_config({extra_events})`
   builds an `AuditLogConfig` merging builtins with consumer event-type
   strings keyed to a Zod schema (validates metadata) or `null` (registers
-  without validation). Pass the result to `create_app_backend({audit_log_config})`
-  — it gets captured inside the bound `AppDeps.audit` emitter, and every
-  call to `audit.emit` validates against it (defaults to
-  `builtin_audit_log_config` when absent). `query_audit_log` still accepts
+  without validation). Pass the result into the consumer's `audit_factory`
+  body — typically `({db, log}) => create_audit_emitter({db, log,
+audit_log_config, on_audit_event})` — so it gets captured inside the
+  bound `AppDeps.audit` emitter; every call to `audit.emit` validates
+  against it (defaults to `builtin_audit_log_config` when absent). `query_audit_log` still accepts
   the trailing `config` positional arg for in-transaction emit sites that
   hold a transaction-scoped DB only. Builtin collisions and
   `AuditEventTypeName` format failures throw at construction. The DB
@@ -756,7 +757,9 @@ run'` if the seed somehow missed (defensive — migrations always seed).
 - `query_audit_log_list_role_grant_history` (filters to `role_grant_create` / `role_grant_revoke`).
 - `query_audit_log_cleanup_before`.
 - **Audit fan-out runs through `AppDeps.audit`** (the bound emitter built
-  by `create_audit_emitter` at backend assembly — see §`audit_emitter.ts`).
+  by the consumer's `audit_factory` callback on `CreateAppBackendOptions`,
+  typically a one-liner over `create_audit_emitter` — see
+  §`audit_emitter.ts`).
   `audit.emit(ctx, input)` writes via the captured pool, so audit entries
   persist even when the request transaction rolls back. The emitter
   closes over `on_audit_event` + `audit_log_config` so handlers can never
@@ -767,7 +770,11 @@ run'` if the seed somehow missed (defensive — migrations always seed).
 ### `audit_emitter.ts`
 
 `AuditEmitter` is the bound capability that lives on `AppDeps.audit`,
-built once at `create_app_backend` time.
+built once by the consumer's `audit_factory` callback on
+`CreateAppBackendOptions`. `create_app_backend` invokes the callback
+with its constructed `{db, log}` after migrations run; the canonical
+body is `({db, log}) => create_audit_emitter({db, log, on_audit_event,
+audit_log_config})`.
 
 Four methods:
 
@@ -1331,6 +1338,19 @@ Closure state:
   When absent, those two specs are still present in `all_admin_action_specs`
   (surface-wise) but the handlers are not wired — RPC dispatch returns
   `method_not_found`.
+- `options.connection_closer?: ConnectionCloser | null` — when set,
+  `admin_session_revoke_all` and `admin_token_revoke_all` handlers
+  eagerly close the target account's live WS sockets via
+  `close_sockets_for_account(input.account_id)` BEFORE emitting the
+  audit event. Failure outcomes (404 account-not-found) skip the
+  eager close. Listener-based close
+  (`transports_ws_auth_guard` on `audit.on_event_chain`) stays as a
+  fail-safe; primitives are idempotent. Symmetric with the
+  self-service surface (see `AccountActionOptions.connection_closer`
+  below). `BackendWebsocketTransport` satisfies the interface
+  structurally. Mirrors `zzz_server`'s parity pass — fuz_app widens
+  to admin-side too (Rust port's catch-up tracked in
+  `~/dev/zzz/TODO_RUST_SERVER_DETAILS.md`).
 
 `all_admin_action_specs: Array<RequestResponseActionSpec>` — codegen-ready
 registry of all eleven specs (always includes the two app-settings specs).
@@ -1494,6 +1514,8 @@ surface drop down to the per-domain factories directly.
 Option routing: `roles` is shared between admin and role-grant-offer;
 `app_settings` flows to admin only; `default_ttl_ms` and `authorize`
 flow to role-grant-offer only; `max_tokens` flows to account only;
+`connection_closer` is shared between admin and account (handler-side
+eager WS close on revoke; role-grant-offer ignores);
 `notification_sender` is wired through to role-grant-offer (admin +
 account ignore it).
 
@@ -1530,6 +1552,29 @@ and `create_frontend_rpc_client({specs})` wiring. Self-service role
 specs are not included (opt-in, app-specific `eligible_roles`) —
 spread `all_self_service_role_action_specs` separately when needed.
 
+To expose the standard surface over WebSocket as well as HTTP RPC,
+spread `protocol_actions` and `create_standard_rpc_actions(ctx.deps,
+opts)` into `create_app_server`'s `ws_endpoints` factory alongside the
+matching `rpc_endpoints` entry:
+
+```ts
+ws_endpoints: (ctx) => [{
+  path: '/api/ws',
+  allowed_origins,
+  actions: [
+    ...protocol_actions,
+    ...create_standard_rpc_actions(ctx.deps, opts),
+    ...consumer_local_actions,
+  ],
+}],
+```
+
+The same action factory powers both surfaces; per-message authorization
+and rate limiting fire identically across HTTP RPC and WS. With both
+endpoints mounted, a typed frontend client can route per-method via
+`transport_for_method` (e.g. `account_*` over WS for live revocation
+detection, admin reads over HTTP).
+
 ### `all_action_spec_registries.ts` — walker-only registry-of-registries
 
 `all_fuz_auth_action_spec_registries` — walker/codegen entry for every
@@ -1601,8 +1646,23 @@ The REST `password_change` audit row mirrors the same field on all
 three outcomes (success, wrong-password, concurrent-change).
 
 Deps: `Pick<RouteFactoryDeps, 'log' | 'audit'>`.
-Options: `{max_tokens?: number | null}` — defaults to `DEFAULT_MAX_TOKENS`
-from `account_routes.ts`; `null` disables the cap.
+Options: `{max_tokens?: number | null, connection_closer?: ConnectionCloser | null}`.
+`max_tokens` defaults to `DEFAULT_MAX_TOKENS` from `account_routes.ts`;
+`null` disables the cap. `connection_closer` (from
+`actions/connection_closer.ts`) wires handler-side eager WS socket
+closure: `account_session_revoke` calls `close_sockets_for_session(input.session_id)`,
+`_session_revoke_all` calls `close_sockets_for_account(account.id)`,
+`account_token_revoke` calls `close_sockets_for_token(input.token_id)` —
+each fires synchronously BEFORE the audit emit so revocation lands even
+when the audit INSERT fails. Listener-based close
+(`transports_ws_auth_guard` on `audit.on_event_chain`) stays as a
+fail-safe; close primitives are idempotent. Failure outcomes
+(`revoked: false`) skip the eager close — mirrors the listener's
+`outcome === 'failure'` guard so attacker-guessable ids can't be used to
+target arbitrary sockets. `BackendWebsocketTransport` satisfies
+`ConnectionCloser` structurally — consumers pass the WS transport
+instance directly. Mirrors `zzz_server::handlers/account.rs` (landed
+2026-05-16).
 
 `all_account_action_specs: Array<RequestResponseActionSpec>` — codegen-ready
 registry of all seven specs.
@@ -1810,15 +1870,19 @@ resulting role_grant.
   - `db: Db` — pool-level instance (middleware uses this; route handlers
     get a transaction-scoped `Db` via `RouteContext`).
   - `log: Logger`.
-  - `audit: AuditEmitter` — bound emitter built once at `create_app_backend`
-    via `create_audit_emitter`. Closes over the pool, the
+  - `audit: AuditEmitter` — bound emitter built once by the consumer's
+    `audit_factory` callback on `CreateAppBackendOptions`. The factory
+    runs after `create_db` resolves and migrations apply;
+    `create_app_backend` invokes it with `{db, log}` and lands the
+    returned emitter on `deps.audit`. The canonical body is one line
+    over `create_audit_emitter` (closes over the pool, the
     `on_audit_event` subscriber chain, and the optional
-    `AuditLogConfig` so handlers reach `audit.emit(ctx, input)` /
+    `AuditLogConfig`); consumers wrap or replace it for tests. Handlers
+    reach `audit.emit(ctx, input)` /
     `audit.emit_role_grant_target(ctx, auth, input)` and never see the
-    pool. Pass `on_audit_event` and `audit_log_config` to
-    `create_app_backend` — both fold into `audit`'s closure and the slot
-    is the single seam for SSE/WS fan-out (additional listeners append
-    via `audit.on_event_chain.push(...)` at server assembly).
+    pool. The slot is the single seam for SSE/WS fan-out — additional
+    listeners append via `audit.on_event_chain.push(...)` at server
+    assembly.
 - **`RouteFactoryDeps = Omit<AppDeps, 'db'>`** — for route factories. Route
   handlers receive DB access via `RouteContext`, so factories don't capture
   a pool-level `Db`.

package/dist/auth/account_action_specs.d.ts

@@ -98,7 +98,7 @@ export declare const account_verify_action_spec: {
     input: z.ZodVoid;
     output: z.ZodObject<{
         id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
-        username: z.ZodString;
+        username: z.ZodPipe<z.ZodString, z.ZodTransform<string, string>>;
         email: z.ZodNullable<z.ZodEmail>;
         email_verified: z.ZodBoolean;
         created_at: z.ZodString;

package/dist/auth/account_actions.d.ts

@@ -23,6 +23,7 @@
  * @module
  */
 import { type RpcAction } from '../actions/action_rpc.js';
+import type { ConnectionCloser } from '../actions/connection_closer.js';
 import type { RouteFactoryDeps } from './deps.js';
 /** Options for `create_account_actions`. */
 export interface AccountActionOptions {
@@ -33,6 +34,18 @@ export interface AccountActionOptions {
      * `DEFAULT_MAX_TOKENS`; pass `null` to disable the cap.
      */
     max_tokens?: number | null;
+    /**
+     * Live-connection closer — when set, `account_session_revoke` /
+     * `_session_revoke_all` / `account_token_revoke` handlers eagerly close
+     * affected WebSocket sockets BEFORE emitting the corresponding audit
+     * event. Closes the audit-failure-leaks-WS surface: the listener-based
+     * close (`transports_ws_auth_guard`) only fires after the audit INSERT
+     * succeeds, so a DB error would leave live sockets stale. `BackendWebsocketTransport`
+     * satisfies this interface structurally; consumers pass their transport
+     * instance directly. When absent, only the listener-based close runs.
+     * Mirrors `zzz_server`'s handler-side `close_sockets_for_*` calls.
+     */
+    connection_closer?: ConnectionCloser | null;
 }
 /**
  * Create the self-service account RPC actions.

package/dist/auth/account_actions.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"account_actions.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/account_actions.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AAEH,OAAO,EAAqC,KAAK,SAAS,EAAC,MAAM,0BAA0B,CAAC;AAe5F,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,WAAW,CAAC;AAwBhD,4CAA4C;AAC5C,MAAM,WAAW,oBAAoB;IACpC;;;;;OAKG;IACH,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CAC3B;AAED;;;;;;;;GAQG;AACH,eAAO,MAAM,sBAAsB,GAClC,MAAM,IAAI,CAAC,gBAAgB,EAAE,KAAK,GAAG,OAAO,CAAC,EAC7C,UAAS,oBAAyB,KAChC,KAAK,CAAC,SAAS,CA2GjB,CAAC"}
+{"version":3,"file":"account_actions.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/account_actions.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AAEH,OAAO,EAAqC,KAAK,SAAS,EAAC,MAAM,0BAA0B,CAAC;AAC5F,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,iCAAiC,CAAC;AAetE,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,WAAW,CAAC;AAwBhD,4CAA4C;AAC5C,MAAM,WAAW,oBAAoB;IACpC;;;;;OAKG;IACH,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B;;;;;;;;;;OAUG;IACH,iBAAiB,CAAC,EAAE,gBAAgB,GAAG,IAAI,CAAC;CAC5C;AAED;;;;;;;;GAQG;AACH,eAAO,MAAM,sBAAsB,GAClC,MAAM,IAAI,CAAC,gBAAgB,EAAE,KAAK,GAAG,OAAO,CAAC,EAC7C,UAAS,oBAAyB,KAChC,KAAK,CAAC,SAAS,CAyIjB,CAAC"}

package/dist/auth/account_actions.js

@@ -39,7 +39,7 @@ import { account_verify_action_spec, account_session_list_action_spec, account_s
  * @returns the `RpcAction` array to spread into a `create_rpc_endpoint` call
  */
 export const create_account_actions = (deps, options = {}) => {
-    const { max_tokens = DEFAULT_MAX_TOKENS } = options;
+    const { max_tokens = DEFAULT_MAX_TOKENS, connection_closer = null } = options;
     const verify_handler = (_input, ctx) => {
         return to_session_account(ctx.auth.account);
     };
@@ -49,6 +49,21 @@ export const create_account_actions = (deps, options = {}) => {
     };
     const session_revoke_handler = async (input, ctx) => {
         const revoked = await query_session_revoke_for_account(ctx, input.session_id, ctx.auth.account.id);
+        // Handler-side belt+suspenders: close the live WS socket bound to this
+        // session BEFORE the audit emit, so revocation lands even if the audit
+        // INSERT fails. The real ordering invariant is "before the transaction
+        // commits": this handler runs inside the dispatcher's transaction
+        // (side_effects: true), so any throw between this close and the return
+        // would roll back the DB revoke while leaving the socket severed. That
+        // is benign — the session is still valid, the client reconnects — but
+        // don't introduce a throw here without acknowledging the trade.
+        // Only fire on success — failure carries an attacker-guessable
+        // session_id and the listener-based close already ignores failure
+        // outcomes for the same reason. Idempotent — the audit listener runs a
+        // second close on success but matches no sockets the second time.
+        if (revoked && connection_closer) {
+            connection_closer.close_sockets_for_session(input.session_id);
+        }
         deps.audit.emit(ctx, {
             event_type: 'session_revoke',
             outcome: revoked ? 'success' : 'failure',
@@ -61,6 +76,17 @@ export const create_account_actions = (deps, options = {}) => {
     };
     const session_revoke_all_handler = async (_input, ctx) => {
         const count = await query_session_revoke_all_for_account(ctx, ctx.auth.account.id);
+        // Handler-side belt+suspenders — see session_revoke_handler comment.
+        // Close fires regardless of `count` (today `count >= 1` always — the
+        // caller is using the session they're revoking; future bearer / daemon-
+        // token-credentialed callers may hit `count: 0`). Symmetric with the
+        // admin revoke-all handlers in `admin_actions.ts`, where `count: 0` is
+        // a real outcome (target account had no live sessions/tokens) and the
+        // eager close still fires to scrub sockets that the audit listener
+        // would otherwise miss when the INSERT fails. Idempotent at all counts.
+        if (connection_closer) {
+            connection_closer.close_sockets_for_account(ctx.auth.account.id);
+        }
         deps.audit.emit(ctx, {
             event_type: 'session_revoke_all',
             account_id: ctx.auth.account.id,
@@ -93,6 +119,10 @@ export const create_account_actions = (deps, options = {}) => {
     };
     const token_revoke_handler = async (input, ctx) => {
         const revoked = await query_revoke_api_token_for_account(ctx, input.token_id, ctx.auth.account.id);
+        // Handler-side belt+suspenders — see session_revoke_handler comment.
+        if (revoked && connection_closer) {
+            connection_closer.close_sockets_for_token(input.token_id);
+        }
         deps.audit.emit(ctx, {
             event_type: 'token_revoke',
             outcome: revoked ? 'success' : 'failure',

package/dist/auth/account_routes.d.ts

@@ -26,6 +26,7 @@ import type { SessionOptions } from './session_cookie.js';
 import { type RouteSpec } from '../http/route_spec.js';
 import { type RateLimiter } from '../rate_limiter.js';
 import type { RouteFactoryDeps } from './deps.js';
+import type { ConnectionCloser } from '../actions/connection_closer.js';
 /** Input for `GET /api/account/status`. No parameters — caller is the subject. */
 export declare const AccountStatusInput: z.ZodNull;
 export type AccountStatusInput = z.infer<typeof AccountStatusInput>;
@@ -41,7 +42,7 @@ export type AccountStatusInput = z.infer<typeof AccountStatusInput>;
 export declare const AccountStatusOutput: z.ZodObject<{
     account: z.ZodObject<{
         id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
-        username: z.ZodString;
+        username: z.ZodPipe<z.ZodString, z.ZodTransform<string, string>>;
         email: z.ZodNullable<z.ZodEmail>;
         email_verified: z.ZodBoolean;
         created_at: z.ZodString;
@@ -143,10 +144,19 @@ export interface AccountRouteOptions extends AuthSessionRouteOptions {
      * jitter while keeping the floor. Default `DEFAULT_LOGIN_FAIL_JITTER_MS`.
      */
     login_fail_jitter_ms?: number;
+    /**
+     * Live-connection closer — when set, the `logout` and `password` handlers
+     * eagerly close affected WebSocket sockets for the account BEFORE
+     * emitting the corresponding audit event. Mirrors the self-service
+     * action surface (see `AccountActionOptions.connection_closer`). When
+     * absent, only the listener-based close (`transports_ws_auth_guard` on
+     * `audit.on_event_chain`) runs.
+     */
+    connection_closer?: ConnectionCloser | null;
 }
 /** Input for `POST /login`. Accepts a username or email in the `username` field. */
 export declare const LoginInput: z.ZodObject<{
-    username: z.ZodString;
+    username: z.ZodPipe<z.ZodString, z.ZodTransform<string, string>>;
     password: z.ZodString;
 }, z.core.$strict>;
 export type LoginInput = z.infer<typeof LoginInput>;

package/dist/auth/account_routes.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"account_routes.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/account_routes.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAEtB,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,qBAAqB,CAAC;AA2BxD,OAAO,EAAkB,KAAK,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAEtE,OAAO,EAA+B,KAAK,WAAW,EAAC,MAAM,oBAAoB,CAAC;AAElF,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,WAAW,CAAC;AAQhD,kFAAkF;AAClF,eAAO,MAAM,kBAAkB,WAAW,CAAC;AAC3C,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAEpE;;;;;;;;GAQG;AACH,eAAO,MAAM,mBAAmB;;;;;;;;;;;;;;;;;;;;;kBAI9B,CAAC;AACH,MAAM,MAAM,mBAAmB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAC;AAEtE,4EAA4E;AAC5E,eAAO,MAAM,iCAAiC;;;iBAG5C,CAAC;AACH,MAAM,MAAM,iCAAiC,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iCAAiC,CAAC,CAAC;AAElG;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,gCAAgC,GAAI,UAAU,oBAAoB,KAAG,SAmFhF,CAAC;AAEH,iDAAiD;AACjD,MAAM,WAAW,oBAAoB;IACpC,yDAAyD;IACzD,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,8FAA8F;IAC9F,gBAAgB,CAAC,EAAE;QAAC,SAAS,EAAE,OAAO,CAAA;KAAC,CAAC;CACxC;AAED,4CAA4C;AAC5C,eAAO,MAAM,oBAAoB,IAAI,CAAC;AAEtC,8CAA8C;AAC9C,eAAO,MAAM,kBAAkB,KAAK,CAAC;AAErC;;;;;;;;;GASG;AACH,eAAO,MAAM,2BAA2B,MAAM,CAAC;AAE/C;;;;;;GAMG;AACH,eAAO,MAAM,4BAA4B,KAAK,CAAC;AAQ/C;;;;;GAKG;AACH,MAAM,WAAW,uBAAuB;IACvC,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,kFAAkF;IAClF,eAAe,EAAE,WAAW,GAAG,IAAI,CAAC;CACpC;AAED;;GAEG;AACH,MAAM,WAAW,mBAAoB,SAAQ,uBAAuB;IACnE,4FAA4F;IAC5F,0BAA0B,EAAE,WAAW,GAAG,IAAI,CAAC;IAC/C,2FAA2F;IAC3F,YAAY,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7B;;;;OAIG;IACH,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B;;;OAGG;IACH,oBAAoB,CAAC,EAAE,MAAM,CAAC;CAC9B;AAID,oFAAoF;AACpF,eAAO,MAAM,UAAU;;;kBAGrB,CAAC;AACH,MAAM,MAAM,UAAU,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,UAAU,CAAC,CAAC;AAEpD,wFAAwF;AACxF,eAAO,MAAM,WAAW;;kBAEtB,CAAC;AACH,MAAM,MAAM,WAAW,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,WAAW,CAAC,CAAC;AAEtD,2EAA2E;AAC3E,eAAO,MAAM,WAAW,WAAW,CAAC;AACpC,MAAM,MAAM,WAAW,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,WAAW,CAAC,CAAC;AAEtD,wFAAwF;AACxF,eAAO,MAAM,YAAY;;;kBAGvB,CAAC;AACH,MAAM,MAAM,YAAY,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,YAAY,CAAC,CAAC;AAExD,sHAAsH;AACtH,eAAO,MAAM,mBAAmB;;;kBAG9B,CAAC;AACH,MAAM,MAAM,mBAAmB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAC;AAEtE,uGAAuG;AACvG,eAAO,MAAM,oBAAoB;;;;kBAI/B,CAAC;AACH,MAAM,MAAM,oBAAoB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAC;AAExE;;;;;;;;;;GAUG;AACH,eAAO,MAAM,0BAA0B,GACtC,MAAM,gBAAgB,EACtB,SAAS,mBAAmB,KAC1B,KAAK,CAAC,SAAS,CA8PjB,CAAC"}
+{"version":3,"file":"account_routes.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/account_routes.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAEtB,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,qBAAqB,CAAC;AA2BxD,OAAO,EAAkB,KAAK,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAEtE,OAAO,EAA+B,KAAK,WAAW,EAAC,MAAM,oBAAoB,CAAC;AAElF,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,WAAW,CAAC;AAChD,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,iCAAiC,CAAC;AAQtE,kFAAkF;AAClF,eAAO,MAAM,kBAAkB,WAAW,CAAC;AAC3C,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAEpE;;;;;;;;GAQG;AACH,eAAO,MAAM,mBAAmB;;;;;;;;;;;;;;;;;;;;;kBAI9B,CAAC;AACH,MAAM,MAAM,mBAAmB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAC;AAEtE,4EAA4E;AAC5E,eAAO,MAAM,iCAAiC;;;iBAG5C,CAAC;AACH,MAAM,MAAM,iCAAiC,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iCAAiC,CAAC,CAAC;AAElG;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,gCAAgC,GAAI,UAAU,oBAAoB,KAAG,SAmFhF,CAAC;AAEH,iDAAiD;AACjD,MAAM,WAAW,oBAAoB;IACpC,yDAAyD;IACzD,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,8FAA8F;IAC9F,gBAAgB,CAAC,EAAE;QAAC,SAAS,EAAE,OAAO,CAAA;KAAC,CAAC;CACxC;AAED,4CAA4C;AAC5C,eAAO,MAAM,oBAAoB,IAAI,CAAC;AAEtC,8CAA8C;AAC9C,eAAO,MAAM,kBAAkB,KAAK,CAAC;AAErC;;;;;;;;;GASG;AACH,eAAO,MAAM,2BAA2B,MAAM,CAAC;AAE/C;;;;;;GAMG;AACH,eAAO,MAAM,4BAA4B,KAAK,CAAC;AAQ/C;;;;;GAKG;AACH,MAAM,WAAW,uBAAuB;IACvC,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,kFAAkF;IAClF,eAAe,EAAE,WAAW,GAAG,IAAI,CAAC;CACpC;AAED;;GAEG;AACH,MAAM,WAAW,mBAAoB,SAAQ,uBAAuB;IACnE,4FAA4F;IAC5F,0BAA0B,EAAE,WAAW,GAAG,IAAI,CAAC;IAC/C,2FAA2F;IAC3F,YAAY,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7B;;;;OAIG;IACH,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B;;;OAGG;IACH,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAC9B;;;;;;;OAOG;IACH,iBAAiB,CAAC,EAAE,gBAAgB,GAAG,IAAI,CAAC;CAC5C;AAID,oFAAoF;AACpF,eAAO,MAAM,UAAU;;;kBAGrB,CAAC;AACH,MAAM,MAAM,UAAU,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,UAAU,CAAC,CAAC;AAEpD,wFAAwF;AACxF,eAAO,MAAM,WAAW;;kBAEtB,CAAC;AACH,MAAM,MAAM,WAAW,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,WAAW,CAAC,CAAC;AAEtD,2EAA2E;AAC3E,eAAO,MAAM,WAAW,WAAW,CAAC;AACpC,MAAM,MAAM,WAAW,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,WAAW,CAAC,CAAC;AAEtD,wFAAwF;AACxF,eAAO,MAAM,YAAY;;;kBAGvB,CAAC;AACH,MAAM,MAAM,YAAY,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,YAAY,CAAC,CAAC;AAExD,sHAAsH;AACtH,eAAO,MAAM,mBAAmB;;;kBAG9B,CAAC;AACH,MAAM,MAAM,mBAAmB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAC;AAEtE,uGAAuG;AACvG,eAAO,MAAM,oBAAoB;;;;kBAI/B,CAAC;AACH,MAAM,MAAM,oBAAoB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAC;AAExE;;;;;;;;;;GAUG;AACH,eAAO,MAAM,0BAA0B,GACtC,MAAM,gBAAgB,EACtB,SAAS,mBAAmB,KAC1B,KAAK,CAAC,SAAS,CA+SjB,CAAC"}

package/dist/auth/account_routes.js

@@ -217,7 +217,7 @@ export const PasswordChangeOutput = z.strictObject({
  */
 export const create_account_route_specs = (deps, options) => {
     const { keyring, password } = deps;
-    const { session_options, ip_rate_limiter, login_account_rate_limiter, max_sessions = DEFAULT_MAX_SESSIONS, login_fail_floor_ms = DEFAULT_LOGIN_FAIL_FLOOR_MS, login_fail_jitter_ms = DEFAULT_LOGIN_FAIL_JITTER_MS, } = options;
+    const { session_options, ip_rate_limiter, login_account_rate_limiter, max_sessions = DEFAULT_MAX_SESSIONS, login_fail_floor_ms = DEFAULT_LOGIN_FAIL_FLOOR_MS, login_fail_jitter_ms = DEFAULT_LOGIN_FAIL_JITTER_MS, connection_closer = null, } = options;
     return [
         {
             method: 'GET',
@@ -254,8 +254,12 @@ export const create_account_route_specs = (deps, options) => {
                         return rate_limit_exceeded_response(c, check.retry_after);
                     }
                 }
-                const { username: raw_username, password: pw } = get_route_input(c);
-                const username = raw_username.trim().toLowerCase();
+                // `UsernameProvided` canonicalizes via `.trim().toLowerCase()` at
+                // parse time — the validated value lands canonical in
+                // `c.var.validated_input`, so the per-account rate-limit key,
+                // DB lookup, and audit metadata see one form. See
+                // `primitive_schemas.ts` for the schema-layer canonicalization.
+                const { username, password: pw } = get_route_input(c);
                 // DB lookup first so we can key the per-account rate limit by a canonical value
                 // (account.id) rather than the submitted identifier. Otherwise an attacker could
                 // alternate between username and email to double the per-account bucket.
@@ -339,6 +343,21 @@ export const create_account_route_specs = (deps, options) => {
                 if (session_token) {
                     const token_hash = hash_session_token(session_token);
                     await query_session_revoke_by_hash_unscoped(route, token_hash);
+                    // Handler-side belt+suspenders: close the live WS bound to
+                    // this session BEFORE the audit emit so revocation lands
+                    // even if the audit INSERT fails. Same transaction-commit
+                    // trade as `password` / RPC `session_revoke` below — a
+                    // throw between this close and the response rolls back the
+                    // DB revoke while leaving the socket severed; benign
+                    // (client reconnects, session still valid) but don't
+                    // introduce a throw here without acknowledging the trade.
+                    // The audit listener (`create_ws_logout_closer`) runs an
+                    // account-wide close on the logout event afterward —
+                    // broader than this targeted close, but both layers are
+                    // idempotent. Mirrors `zzz_server::account::logout_inner`.
+                    if (connection_closer) {
+                        connection_closer.close_sockets_for_session(token_hash);
+                    }
                 }
                 clear_session_cookie(c, session_options);
                 // Account-grain operation — no `actor_id` (which actor was
@@ -401,11 +420,10 @@ export const create_account_route_specs = (deps, options) => {
                     });
                     return c.json({ error: ERROR_INVALID_CREDENTIALS }, 401);
                 }
-                // successful verification — reset rate limiters
-                if (ip_rate_limiter && ip)
-                    ip_rate_limiter.reset(ip);
-                if (login_account_rate_limiter)
-                    login_account_rate_limiter.reset(ctx.account.id);
+                // Verify succeeded — do the throw-y operations FIRST so a fault
+                // (Argon2 OOM, native binding error, DB outage on the UPDATE)
+                // can't wipe the rate-limit history of a caller observing 500s.
+                // Resets happen below, after both calls have settled.
                 const new_hash = await password.hash_password(new_password);
                 // Conditional UPDATE keyed on the verified hash: closes the
                 // verify-write race with a concurrent password change that
@@ -413,6 +431,19 @@ export const create_account_route_specs = (deps, options) => {
                 // operation — `updated_by` stays null (the per-request actor is
                 // incidental; password is account-level state).
                 const updated = await query_update_account_password(route, ctx.account.id, new_hash, null, ctx.account.password_hash);
+                // Verify-success contract — the caller proved knowledge, so wipe
+                // their failure history. The race-loser branch below re-records
+                // one on top of the wiped slate so net cost stays 1 (mirrors the
+                // verify-fail branch above's `record`-from-prior+1 outcome when
+                // prior was 0; for prior > 0 the race-loser pays exactly 1,
+                // matching the OLD pre-S1 behavior). Deferring from "after
+                // verify" to "after UPDATE settled" is what closes the S1
+                // bypass — a throw between reset and the UPDATE could have
+                // wiped an attacker's budget.
+                if (ip_rate_limiter && ip)
+                    ip_rate_limiter.reset(ip);
+                if (login_account_rate_limiter)
+                    login_account_rate_limiter.reset(ctx.account.id);
                 if (!updated) {
                     // A concurrent password change committed first — our
                     // `current_password` was correct at read-time but the row's
@@ -437,6 +468,22 @@ export const create_account_route_specs = (deps, options) => {
                 // revoke all sessions and API tokens (force re-auth everywhere)
                 const sessions_revoked = await query_session_revoke_all_for_account(route, ctx.account.id);
                 const tokens_revoked = await query_revoke_all_api_tokens_for_account(route, ctx.account.id);
+                // Handler-side belt+suspenders — close every live WS socket on
+                // this account BEFORE the audit emit so the revoke-all cascade
+                // lands even if the audit INSERT fails. The real ordering
+                // invariant is "before the transaction commits": this route
+                // runs with the default `transaction: true`, so a throw between
+                // this close and the response would roll back the password
+                // update + session/token revokes while leaving sockets severed.
+                // Benign — affected clients reconnect with their still-valid
+                // session — but don't introduce a throw here without
+                // acknowledging the trade. Listener-based close
+                // (`transports_ws_auth_guard` on the `password_change` event)
+                // runs the same close afterward; idempotent on the second pass.
+                // Mirrors `zzz_server::account::password_inner`.
+                if (connection_closer) {
+                    connection_closer.close_sockets_for_account(ctx.account.id);
+                }
                 clear_session_cookie(c, session_options);
                 // Account-grain operation — no `actor_id`. The password is
                 // account-level state; which per-request actor was resolved

package/dist/auth/account_schema.d.ts

@@ -106,7 +106,7 @@ export interface ApiToken {
 /** Zod schema for `SessionAccount` — account without sensitive fields. */
 export declare const SessionAccountJson: z.ZodObject<{
     id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
-    username: z.ZodString;
+    username: z.ZodPipe<z.ZodString, z.ZodTransform<string, string>>;
     email: z.ZodNullable<z.ZodEmail>;
     email_verified: z.ZodBoolean;
     created_at: z.ZodString;
@@ -152,7 +152,7 @@ export type ActorSummaryJson = z.infer<typeof ActorSummaryJson>;
 /** Zod schema for admin-facing account data — extends `SessionAccountJson` with audit fields. */
 export declare const AdminAccountJson: z.ZodObject<{
     id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
-    username: z.ZodString;
+    username: z.ZodPipe<z.ZodString, z.ZodTransform<string, string>>;
     email: z.ZodNullable<z.ZodEmail>;
     email_verified: z.ZodBoolean;
     created_at: z.ZodString;
@@ -188,7 +188,7 @@ export type PendingOfferSummaryJson = z.infer<typeof PendingOfferSummaryJson>;
 export declare const AdminAccountEntryJson: z.ZodObject<{
     account: z.ZodObject<{
         id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
-        username: z.ZodString;
+        username: z.ZodPipe<z.ZodString, z.ZodTransform<string, string>>;
         email: z.ZodNullable<z.ZodEmail>;
         email_verified: z.ZodBoolean;
         created_at: z.ZodString;

package/dist/auth/admin_action_specs.d.ts

@@ -35,7 +35,7 @@ export declare const AdminAccountListOutput: z.ZodObject<{
     accounts: z.ZodArray<z.ZodObject<{
         account: z.ZodObject<{
             id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
-            username: z.ZodString;
+            username: z.ZodPipe<z.ZodString, z.ZodTransform<string, string>>;
             email: z.ZodNullable<z.ZodEmail>;
             email_verified: z.ZodBoolean;
             created_at: z.ZodString;
@@ -183,7 +183,7 @@ export type AuditLogRoleGrantHistoryOutput = z.infer<typeof AuditLogRoleGrantHis
 /** Input for `invite_create`. At least one of `email` / `username` must be provided. */
 export declare const InviteCreateInput: z.ZodObject<{
     email: z.ZodOptional<z.ZodNullable<z.ZodEmail>>;
-    username: z.ZodOptional<z.ZodNullable<z.ZodString>>;
+    username: z.ZodOptional<z.ZodNullable<z.ZodPipe<z.ZodString, z.ZodTransform<string, string>>>>;
     acting: z.ZodOptional<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
 }, z.core.$strict>;
 export type InviteCreateInput = z.infer<typeof InviteCreateInput>;
@@ -193,7 +193,7 @@ export declare const InviteCreateOutput: z.ZodObject<{
     invite: z.ZodObject<{
         id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
         email: z.ZodNullable<z.ZodEmail>;
-        username: z.ZodNullable<z.ZodString>;
+        username: z.ZodNullable<z.ZodPipe<z.ZodString, z.ZodTransform<string, string>>>;
         claimed_by: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
         claimed_at: z.ZodNullable<z.ZodString>;
         created_at: z.ZodString;
@@ -211,7 +211,7 @@ export declare const InviteListOutput: z.ZodObject<{
     invites: z.ZodArray<z.ZodObject<{
         id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
         email: z.ZodNullable<z.ZodEmail>;
-        username: z.ZodNullable<z.ZodString>;
+        username: z.ZodNullable<z.ZodPipe<z.ZodString, z.ZodTransform<string, string>>>;
         claimed_by: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
         claimed_at: z.ZodNullable<z.ZodString>;
         created_at: z.ZodString;
@@ -289,7 +289,7 @@ export declare const admin_account_list_action_spec: {
         accounts: z.ZodArray<z.ZodObject<{
             account: z.ZodObject<{
                 id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
-                username: z.ZodString;
+                username: z.ZodPipe<z.ZodString, z.ZodTransform<string, string>>;
                 email: z.ZodNullable<z.ZodEmail>;
                 email_verified: z.ZodBoolean;
                 created_at: z.ZodString;
@@ -512,7 +512,7 @@ export declare const invite_create_action_spec: {
     side_effects: true;
     input: z.ZodObject<{
         email: z.ZodOptional<z.ZodNullable<z.ZodEmail>>;
-        username: z.ZodOptional<z.ZodNullable<z.ZodString>>;
+        username: z.ZodOptional<z.ZodNullable<z.ZodPipe<z.ZodString, z.ZodTransform<string, string>>>>;
         acting: z.ZodOptional<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
     }, z.core.$strict>;
     output: z.ZodObject<{
@@ -520,7 +520,7 @@ export declare const invite_create_action_spec: {
         invite: z.ZodObject<{
             id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
             email: z.ZodNullable<z.ZodEmail>;
-            username: z.ZodNullable<z.ZodString>;
+            username: z.ZodNullable<z.ZodPipe<z.ZodString, z.ZodTransform<string, string>>>;
             claimed_by: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
             claimed_at: z.ZodNullable<z.ZodString>;
             created_at: z.ZodString;
@@ -554,7 +554,7 @@ export declare const invite_list_action_spec: {
         invites: z.ZodArray<z.ZodObject<{
             id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
             email: z.ZodNullable<z.ZodEmail>;
-            username: z.ZodNullable<z.ZodString>;
+            username: z.ZodNullable<z.ZodPipe<z.ZodString, z.ZodTransform<string, string>>>;
             claimed_by: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
             claimed_at: z.ZodNullable<z.ZodString>;
             created_at: z.ZodString;

package/dist/auth/admin_actions.d.ts

@@ -28,6 +28,7 @@
  * @module
  */
 import { type RpcAction } from '../actions/action_rpc.js';
+import type { ConnectionCloser } from '../actions/connection_closer.js';
 import { type RoleSchemaResult } from './role_schema.js';
 import { type AppSettings } from './app_settings_schema.js';
 import type { RouteFactoryDeps } from './deps.js';
@@ -49,6 +50,16 @@ export interface AdminActionOptions {
      * handler and RPC dispatch returns `method_not_found`.
      */
     app_settings?: AppSettings;
+    /**
+     * Live-connection closer — when set, `admin_session_revoke_all` and
+     * `admin_token_revoke_all` handlers eagerly close affected WebSocket
+     * sockets for the target account BEFORE emitting the corresponding
+     * audit event. Mirrors the self-service surface (see
+     * `AccountActionOptions.connection_closer`). `BackendWebsocketTransport`
+     * satisfies this interface structurally. When absent, only the
+     * listener-based close (`transports_ws_auth_guard`) runs.
+     */
+    connection_closer?: ConnectionCloser | null;
 }
 /**
  * Create the admin-only RPC actions.

package/dist/auth/admin_actions.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"admin_actions.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/admin_actions.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4BG;AAEH,OAAO,EAAsC,KAAK,SAAS,EAAC,MAAM,0BAA0B,CAAC;AAE7F,OAAO,EAGN,KAAK,gBAAgB,EACrB,MAAM,kBAAkB,CAAC;AAuB1B,OAAO,EAAC,KAAK,WAAW,EAAC,MAAM,0BAA0B,CAAC;AAK1D,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,WAAW,CAAC;AA6ChD,0CAA0C;AAC1C,MAAM,WAAW,kBAAkB;IAClC;;;;;OAKG;IACH,KAAK,CAAC,EAAE,gBAAgB,CAAC;IACzB;;;;;;;OAOG;IACH,YAAY,CAAC,EAAE,WAAW,CAAC;CAC3B;AAED;;;;;;;;;;GAUG;AACH,eAAO,MAAM,oBAAoB,GAChC,MAAM,IAAI,CAAC,gBAAgB,EAAE,KAAK,GAAG,OAAO,CAAC,EAC7C,UAAS,kBAAuB,KAC9B,KAAK,CAAC,SAAS,CA0PjB,CAAC"}
+{"version":3,"file":"admin_actions.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/admin_actions.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4BG;AAEH,OAAO,EAAsC,KAAK,SAAS,EAAC,MAAM,0BAA0B,CAAC;AAC7F,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,iCAAiC,CAAC;AAEtE,OAAO,EAGN,KAAK,gBAAgB,EACrB,MAAM,kBAAkB,CAAC;AAuB1B,OAAO,EAAC,KAAK,WAAW,EAAC,MAAM,0BAA0B,CAAC;AAK1D,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,WAAW,CAAC;AA6ChD,0CAA0C;AAC1C,MAAM,WAAW,kBAAkB;IAClC;;;;;OAKG;IACH,KAAK,CAAC,EAAE,gBAAgB,CAAC;IACzB;;;;;;;OAOG;IACH,YAAY,CAAC,EAAE,WAAW,CAAC;IAC3B;;;;;;;;OAQG;IACH,iBAAiB,CAAC,EAAE,gBAAgB,GAAG,IAAI,CAAC;CAC5C;AAED;;;;;;;;;;GAUG;AACH,eAAO,MAAM,oBAAoB,GAChC,MAAM,IAAI,CAAC,gBAAgB,EAAE,KAAK,GAAG,OAAO,CAAC,EAC7C,UAAS,kBAAuB,KAC9B,KAAK,CAAC,SAAS,CAmRjB,CAAC"}

package/dist/auth/admin_actions.js

@@ -56,6 +56,7 @@ import { admin_account_list_action_spec, admin_session_list_action_spec, admin_s
 export const create_admin_actions = (deps, options = {}) => {
     const role_specs = options.roles?.role_specs ?? builtin_role_specs_by_name;
     const grantable_roles = list_roles_with_grant_path(role_specs, GRANT_PATH_ADMIN);
+    const connection_closer = options.connection_closer ?? null;
     const account_list_handler = async (input, ctx) => {
         const accounts = await query_admin_account_list(ctx, {
             limit: input.limit,
@@ -88,6 +89,23 @@ export const create_admin_actions = (deps, options = {}) => {
             throw jsonrpc_errors.not_found('account', { reason: ERROR_ACCOUNT_NOT_FOUND });
         }
         const count = await query_session_revoke_all_for_account(ctx, input.account_id);
+        // Handler-side belt+suspenders — close the target account's live WS
+        // sockets BEFORE the audit emit so revocation lands even if the audit
+        // INSERT fails. Listener-based close (`transports_ws_auth_guard` on
+        // `audit.on_event_chain`) stays as a fail-safe for out-of-band emit
+        // sites. Idempotent — see `account_actions.ts::session_revoke_handler`.
+        if (connection_closer) {
+            connection_closer.close_sockets_for_account(input.account_id);
+        }
+        // TOCTOU window — admin B hard-deletes `input.account_id` between the
+        // pre-check above and this emit; the FK rejects the row, the audit
+        // emitter logs + swallows, and the operation goes unaudited. Bounded
+        // by the audit emitter's failure logging (operator-visible) and by
+        // the rarity of concurrent admin hard-deletes. Not switching to the
+        // failure-shape (`target_account_id: null + metadata.attempted_account_id`)
+        // because the FK linkage powers the username-join in
+        // `audit_log_list_with_usernames`; losing it on every success row
+        // to harden a corner case isn't worth the query-shape change.
         deps.audit.emit(ctx, {
             event_type: 'session_revoke_all',
             account_id: auth.account.id,
@@ -117,6 +135,13 @@ export const create_admin_actions = (deps, options = {}) => {
             throw jsonrpc_errors.not_found('account', { reason: ERROR_ACCOUNT_NOT_FOUND });
         }
         const count = await query_revoke_all_api_tokens_for_account(ctx, input.account_id);
+        // Handler-side belt+suspenders — see `session_revoke_all_handler`.
+        if (connection_closer) {
+            connection_closer.close_sockets_for_account(input.account_id);
+        }
+        // TOCTOU window — see `session_revoke_all_handler` for the rationale on
+        // keeping `target_account_id` populated rather than switching to the
+        // failure-shape.
         deps.audit.emit(ctx, {
             event_type: 'token_revoke_all',
             account_id: auth.account.id,