@fuzdev/fuz_app 0.63.0 → 0.65.0

package/dist/auth/audit_emitter.js

@@ -2,11 +2,14 @@
  * Bound audit-emit capability.
  *
  * `AuditEmitter` closes over the pool-level `Db`, the `on_audit_event`
- * subscriber chain, and the optional `AuditLogConfig` at backend-assembly
- * time. Consumers reach for `deps.audit.emit(ctx, input)` and never see the
- * pool — handlers cannot accidentally emit an audit event against the
- * request's transactional `db` (which would be rolled back with the parent
- * on a handler throw).
+ * subscriber chain, and the optional `AuditLogConfig`. Built by the
+ * consumer's `audit_factory` callback on `CreateAppBackendOptions` —
+ * `create_app_backend` invokes the factory once with its constructed
+ * `{db, log}` and lands the result on `AppDeps.audit`. Consumers reach
+ * for `deps.audit.emit(ctx, input)` and never see the pool — handlers
+ * cannot accidentally emit an audit event against the request's
+ * transactional `db` (which would be rolled back with the parent on a
+ * handler throw).
  *
  * Four methods cover every fan-out shape the auth domain needs:
  *
@@ -26,22 +29,29 @@
  *   the query layer). Runs every listener on the chain; per-listener throws
  *   are isolated.
  *
- * The chain is mutable so server assembly can append additional listeners
- * (e.g. the audit-log SSE registry composed by `create_app_server`) after
- * the backend is built but before the first request runs.
+ * The chain is a documented mutable seam — `create_app_server` appends
+ * additional listeners after the backend is built (the factory-managed
+ * audit-log SSE, per-endpoint WS auth guards and logout closers, any
+ * `extra_audit_handlers` on a `WsEndpointSpec`) before the first request
+ * runs. Consumers can also append listeners directly on the emitter
+ * they return from `audit_factory` for setups that don't pass through
+ * `create_app_server`.
  *
  * @module
  */
 import { query_audit_log } from './audit_log_queries.js';
 import { builtin_audit_log_config, } from './audit_log_schema.js';
 /**
- * Build a bound `AuditEmitter`. Called once at `create_app_backend` time.
+ * Build a bound `AuditEmitter`. Typical caller is the consumer's
+ * `audit_factory` callback on `CreateAppBackendOptions` —
+ * `create_app_backend` invokes that callback with its constructed
+ * `{db, log}` and lands the result on `AppDeps.audit`.
  *
  * @param options - pool, logger, optional initial subscriber, optional config
  * @returns the bound emitter; closes over the pool + config + listener chain
  */
 export const create_audit_emitter = (options) => {
-    const { db, log, audit_log_config = builtin_audit_log_config } = options;
+    const { db, log, audit_log_config = builtin_audit_log_config, emit_decorator } = options;
     const on_event_chain = [];
     if (options.on_audit_event)
         on_event_chain.push(options.on_audit_event);
@@ -64,9 +74,14 @@ export const create_audit_emitter = (options) => {
             log.error('Audit log write failed:', err);
         }
     };
-    const emit = (ctx, input) => {
+    const base_emit = (ctx, input) => {
         ctx.pending_effects.push(emit_pool(input));
     };
+    // The decorated `emit` is what `emit_role_grant_target` captures below
+    // and what gets exposed on the returned object — both call shapes
+    // route through any `emit_decorator` the caller supplied. Production
+    // passes no decorator, so this collapses to `base_emit`.
+    const emit = emit_decorator ? emit_decorator(base_emit) : base_emit;
     const emit_role_grant_target = (ctx, auth, input) => {
         emit(ctx, {
             event_type: input.event_type,
@@ -79,5 +94,16 @@ export const create_audit_emitter = (options) => {
             metadata: input.metadata,
         });
     };
-    return { emit, emit_role_grant_target, emit_pool, notify, on_event_chain };
+    // Freeze the slot layout so consumers cannot hot-patch `emit` /
+    // `emit_role_grant_target` / `emit_pool` / `notify` after construction.
+    // The previous test helper `patch_audit_emit_capture` did exactly this
+    // and only happened to work because the four slots were writable —
+    // `emit_role_grant_target` calls the closed-over inner `emit`, not
+    // `this.emit`, so the patch silently bypassed role-grant-shape emits.
+    // Tests that need instrumentation pass `emit_decorator` so the wrap
+    // is captured by the closure before the freeze (see
+    // `create_emit_ordering_audit_factory`). `on_event_chain` is a
+    // frozen reference but its array contents stay mutable —
+    // `create_app_server` appends to it post-assembly, by design.
+    return Object.freeze({ emit, emit_role_grant_target, emit_pool, notify, on_event_chain });
 };

package/dist/auth/audit_log_ddl.d.ts

@@ -19,6 +19,6 @@
  *
  * @module
  */
-export declare const AUDIT_LOG_SCHEMA = "\nCREATE TABLE IF NOT EXISTS audit_log (\n  id UUID PRIMARY KEY DEFAULT gen_random_uuid(),\n  seq SERIAL NOT NULL,\n  event_type TEXT NOT NULL,\n  outcome TEXT NOT NULL DEFAULT 'success',\n  actor_id UUID REFERENCES actor(id) ON DELETE SET NULL,\n  account_id UUID REFERENCES account(id) ON DELETE SET NULL,\n  target_account_id UUID REFERENCES account(id) ON DELETE SET NULL,\n  target_actor_id UUID REFERENCES actor(id) ON DELETE SET NULL,\n  ip TEXT,\n  created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),\n  metadata JSONB\n)";
+export declare const AUDIT_LOG_SCHEMA = "\nCREATE TABLE IF NOT EXISTS audit_log (\n  id UUID PRIMARY KEY DEFAULT gen_random_uuid(),\n  seq BIGSERIAL NOT NULL,\n  event_type TEXT NOT NULL,\n  outcome TEXT NOT NULL DEFAULT 'success',\n  actor_id UUID REFERENCES actor(id) ON DELETE SET NULL,\n  account_id UUID REFERENCES account(id) ON DELETE SET NULL,\n  target_account_id UUID REFERENCES account(id) ON DELETE SET NULL,\n  target_actor_id UUID REFERENCES actor(id) ON DELETE SET NULL,\n  ip TEXT,\n  created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),\n  metadata JSONB\n)";
 export declare const AUDIT_LOG_INDEXES: string[];
 //# sourceMappingURL=audit_log_ddl.d.ts.map

package/dist/auth/audit_log_ddl.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"audit_log_ddl.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/audit_log_ddl.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AAEH,eAAO,MAAM,gBAAgB,ihBAa3B,CAAC;AAEH,eAAO,MAAM,iBAAiB,UAM7B,CAAC"}
+{"version":3,"file":"audit_log_ddl.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/audit_log_ddl.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AAEH,eAAO,MAAM,gBAAgB,ohBAa3B,CAAC;AAEH,eAAO,MAAM,iBAAiB,UAM7B,CAAC"}

package/dist/auth/audit_log_ddl.js

@@ -22,7 +22,7 @@
 export const AUDIT_LOG_SCHEMA = `
 CREATE TABLE IF NOT EXISTS audit_log (
   id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
-  seq SERIAL NOT NULL,
+  seq BIGSERIAL NOT NULL,
   event_type TEXT NOT NULL,
   outcome TEXT NOT NULL DEFAULT 'success',
   actor_id UUID REFERENCES actor(id) ON DELETE SET NULL,

package/dist/auth/audit_log_schema.d.ts

@@ -336,9 +336,11 @@ export interface CreateAuditLogConfigOptions {
  * Throws when an `extra_events` key collides with a builtin event type, or
  * fails `AuditEventTypeName` format validation.
  *
- * Call once at startup; pass the result to `create_app_backend` (which
- * threads it into `AppDeps.audit`). Builtin handlers omit the
- * `audit_log_config` slot and pick up `builtin_audit_log_config`.
+ * Call once at startup; pass the result into the consumer's `audit_factory`
+ * body — typically `({db, log}) => create_audit_emitter({db, log,
+ * audit_log_config, ...})` — so it gets captured inside the bound
+ * `AppDeps.audit` emitter. Builtin handlers omit the `audit_log_config`
+ * slot and pick up `builtin_audit_log_config`.
  *
  * @throws Error when an `extra_events` key collides with a builtin event type or fails `AuditEventTypeName` format validation
  */

package/dist/auth/audit_log_schema.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"audit_log_schema.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/audit_log_schema.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AACtB,OAAO,EAAC,IAAI,EAAC,MAAM,wBAAwB,CAAC;AAoB5C;;;;;GAKG;AACH,eAAO,MAAM,iBAAiB,8aAsBnB,CAAC;AAEZ,wCAAwC;AACxC,eAAO,MAAM,cAAc;;;;;;;;;;;;;;;;;;;;;;EAA4B,CAAC;AACxD,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,cAAc,CAAC,CAAC;AAE5D;;;;GAIG;AACH,eAAO,MAAM,2BAA2B,QAA+B,CAAC;AAExE,0DAA0D;AAC1D,eAAO,MAAM,kBAAkB,aAE7B,CAAC;AACH,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAEpE,2CAA2C;AAC3C,eAAO,MAAM,YAAY;;;EAAiC,CAAC;AAC3D,MAAM,MAAM,YAAY,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,YAAY,CAAC,CAAC;AAExD;;;;;;GAMG;AACH,eAAO,MAAM,sBAAsB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAkNW,CAAC;AAE/C,+EAA+E;AAC/E,MAAM,MAAM,gBAAgB,GAAG;KAC7B,CAAC,IAAI,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,OAAO,sBAAsB,CAAC,CAAC,CAAC,CAAC,CAAC;CAClE,CAAC;AAEF,oGAAoG;AACpG,MAAM,WAAW,aAAa;IAC7B,EAAE,EAAE,IAAI,CAAC;IACT,GAAG,EAAE,MAAM,CAAC;IACZ,UAAU,EAAE,kBAAkB,CAAC;IAC/B,OAAO,EAAE,YAAY,CAAC;IACtB;;;;;;;;;;;;;OAaG;IACH,QAAQ,EAAE,IAAI,GAAG,IAAI,CAAC;IACtB,UAAU,EAAE,IAAI,GAAG,IAAI,CAAC;IACxB,iBAAiB,EAAE,IAAI,GAAG,IAAI,CAAC;IAC/B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OAkCG;IACH,eAAe,EAAE,IAAI,GAAG,IAAI,CAAC;IAC7B,EAAE,EAAE,MAAM,GAAG,IAAI,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC;CACzC;AAED;;;;GAIG;AACH,eAAO,MAAM,kBAAkB,GAAI,CAAC,SAAS,cAAc,EAC1D,OAAO,aAAa,GAAG;IAAC,UAAU,EAAE,CAAC,CAAA;CAAC,KACpC,gBAAgB,CAAC,CAAC,CAAC,GAAG,IAExB,CAAC;AAEF,6CAA6C;AAC7C,MAAM,WAAW,aAAa,CAAC,CAAC,SAAS,MAAM,GAAG,cAAc;IAC/D,UAAU,EAAE,CAAC,CAAC;IACd,OAAO,CAAC,EAAE,YAAY,CAAC;IACvB,QAAQ,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;IACvB,UAAU,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;IACzB,iBAAiB,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;IAChC,eAAe,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;IAC9B,EAAE,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACnB;;;;OAIG;IACH,QAAQ,CAAC,EAAE,CAAC,SAAS,cAAc,GAChC,CAAC,gBAAgB,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,GAAG,IAAI,GACtD,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC;CAClC;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,WAAW,cAAc;IAC9B,iFAAiF;IACjF,QAAQ,CAAC,WAAW,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IAC5C;;;OAGG;IACH,QAAQ,CAAC,gBAAgB,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC;CAC/D;AAED,4FAA4F;AAC5F,eAAO,MAAM,wBAAwB,EAAE,cAGrC,CAAC;AAEH,6CAA6C;AAC7C,MAAM,WAAW,2BAA2B;IAC3C;;;;;;;;OAQG;IACH,YAAY,CAAC,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,GAAG,IAAI,CAAC,CAAC,CAAC;CAC1D;AAED;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,uBAAuB,GAAI,UAAU,2BAA2B,KAAG,cA2B/E,CAAC;AAEF,gDAAgD;AAChD,eAAO,MAAM,uBAAuB,KAAK,CAAC;AAE1C,6CAA6C;AAC7C,MAAM,WAAW,mBAAmB;IACnC,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB;;;;OAIG;IACH,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,aAAa,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IAC9B,UAAU,CAAC,EAAE,IAAI,CAAC;IAClB,OAAO,CAAC,EAAE,YAAY,CAAC;IACvB,0GAA0G;IAC1G,SAAS,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;;;;;;;;GASG;AACH,eAAO,MAAM,iBAAiB;;;;;;;;;;;;;;;kBAY5B,CAAC;AACH,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAC;AAElE,+DAA+D;AAC/D,eAAO,MAAM,8BAA8B;;;;;;;;;;;;;;;;;kBAGzC,CAAC;AACH,MAAM,MAAM,8BAA8B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,8BAA8B,CAAC,CAAC;AAE5F,wEAAwE;AACxE,eAAO,MAAM,yBAAyB;;;;;;;;;;;;;;;;;kBAGpC,CAAC;AACH,MAAM,MAAM,yBAAyB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,yBAAyB,CAAC,CAAC;AAElF,iEAAiE;AACjE,eAAO,MAAM,gBAAgB;;;;;;;kBAE3B,CAAC;AACH,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC"}
+{"version":3,"file":"audit_log_schema.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/audit_log_schema.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AACtB,OAAO,EAAC,IAAI,EAAC,MAAM,wBAAwB,CAAC;AAoB5C;;;;;GAKG;AACH,eAAO,MAAM,iBAAiB,8aAsBnB,CAAC;AAEZ,wCAAwC;AACxC,eAAO,MAAM,cAAc;;;;;;;;;;;;;;;;;;;;;;EAA4B,CAAC;AACxD,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,cAAc,CAAC,CAAC;AAE5D;;;;GAIG;AACH,eAAO,MAAM,2BAA2B,QAA+B,CAAC;AAExE,0DAA0D;AAC1D,eAAO,MAAM,kBAAkB,aAE7B,CAAC;AACH,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAEpE,2CAA2C;AAC3C,eAAO,MAAM,YAAY;;;EAAiC,CAAC;AAC3D,MAAM,MAAM,YAAY,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,YAAY,CAAC,CAAC;AAExD;;;;;;GAMG;AACH,eAAO,MAAM,sBAAsB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAkNW,CAAC;AAE/C,+EAA+E;AAC/E,MAAM,MAAM,gBAAgB,GAAG;KAC7B,CAAC,IAAI,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,OAAO,sBAAsB,CAAC,CAAC,CAAC,CAAC,CAAC;CAClE,CAAC;AAEF,oGAAoG;AACpG,MAAM,WAAW,aAAa;IAC7B,EAAE,EAAE,IAAI,CAAC;IACT,GAAG,EAAE,MAAM,CAAC;IACZ,UAAU,EAAE,kBAAkB,CAAC;IAC/B,OAAO,EAAE,YAAY,CAAC;IACtB;;;;;;;;;;;;;OAaG;IACH,QAAQ,EAAE,IAAI,GAAG,IAAI,CAAC;IACtB,UAAU,EAAE,IAAI,GAAG,IAAI,CAAC;IACxB,iBAAiB,EAAE,IAAI,GAAG,IAAI,CAAC;IAC/B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OAkCG;IACH,eAAe,EAAE,IAAI,GAAG,IAAI,CAAC;IAC7B,EAAE,EAAE,MAAM,GAAG,IAAI,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC;CACzC;AAED;;;;GAIG;AACH,eAAO,MAAM,kBAAkB,GAAI,CAAC,SAAS,cAAc,EAC1D,OAAO,aAAa,GAAG;IAAC,UAAU,EAAE,CAAC,CAAA;CAAC,KACpC,gBAAgB,CAAC,CAAC,CAAC,GAAG,IAExB,CAAC;AAEF,6CAA6C;AAC7C,MAAM,WAAW,aAAa,CAAC,CAAC,SAAS,MAAM,GAAG,cAAc;IAC/D,UAAU,EAAE,CAAC,CAAC;IACd,OAAO,CAAC,EAAE,YAAY,CAAC;IACvB,QAAQ,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;IACvB,UAAU,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;IACzB,iBAAiB,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;IAChC,eAAe,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;IAC9B,EAAE,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACnB;;;;OAIG;IACH,QAAQ,CAAC,EAAE,CAAC,SAAS,cAAc,GAChC,CAAC,gBAAgB,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,GAAG,IAAI,GACtD,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC;CAClC;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,WAAW,cAAc;IAC9B,iFAAiF;IACjF,QAAQ,CAAC,WAAW,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IAC5C;;;OAGG;IACH,QAAQ,CAAC,gBAAgB,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC;CAC/D;AAED,4FAA4F;AAC5F,eAAO,MAAM,wBAAwB,EAAE,cAGrC,CAAC;AAEH,6CAA6C;AAC7C,MAAM,WAAW,2BAA2B;IAC3C;;;;;;;;OAQG;IACH,YAAY,CAAC,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,GAAG,IAAI,CAAC,CAAC,CAAC;CAC1D;AAED;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,uBAAuB,GAAI,UAAU,2BAA2B,KAAG,cA2B/E,CAAC;AAEF,gDAAgD;AAChD,eAAO,MAAM,uBAAuB,KAAK,CAAC;AAE1C,6CAA6C;AAC7C,MAAM,WAAW,mBAAmB;IACnC,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB;;;;OAIG;IACH,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,aAAa,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IAC9B,UAAU,CAAC,EAAE,IAAI,CAAC;IAClB,OAAO,CAAC,EAAE,YAAY,CAAC;IACvB,0GAA0G;IAC1G,SAAS,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;;;;;;;;GASG;AACH,eAAO,MAAM,iBAAiB;;;;;;;;;;;;;;;kBAY5B,CAAC;AACH,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAC;AAElE,+DAA+D;AAC/D,eAAO,MAAM,8BAA8B;;;;;;;;;;;;;;;;;kBAGzC,CAAC;AACH,MAAM,MAAM,8BAA8B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,8BAA8B,CAAC,CAAC;AAE5F,wEAAwE;AACxE,eAAO,MAAM,yBAAyB;;;;;;;;;;;;;;;;;kBAGpC,CAAC;AACH,MAAM,MAAM,yBAAyB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,yBAAyB,CAAC,CAAC;AAElF,iEAAiE;AACjE,eAAO,MAAM,gBAAgB;;;;;;;kBAE3B,CAAC;AACH,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC"}

package/dist/auth/audit_log_schema.js

@@ -291,9 +291,11 @@ export const builtin_audit_log_config = Object.freeze({
  * Throws when an `extra_events` key collides with a builtin event type, or
  * fails `AuditEventTypeName` format validation.
  *
- * Call once at startup; pass the result to `create_app_backend` (which
- * threads it into `AppDeps.audit`). Builtin handlers omit the
- * `audit_log_config` slot and pick up `builtin_audit_log_config`.
+ * Call once at startup; pass the result into the consumer's `audit_factory`
+ * body — typically `({db, log}) => create_audit_emitter({db, log,
+ * audit_log_config, ...})` — so it gets captured inside the bound
+ * `AppDeps.audit` emitter. Builtin handlers omit the `audit_log_config`
+ * slot and pick up `builtin_audit_log_config`.
  *
  * @throws Error when an `extra_events` key collides with a builtin event type or fails `AuditEventTypeName` format validation
  */

package/dist/auth/bootstrap_account.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"bootstrap_account.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/bootstrap_account.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAGH,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAEpD,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,eAAe,CAAC;AACpD,OAAO,EACN,mBAAmB,EACnB,0BAA0B,EAC1B,wBAAwB,EACxB,MAAM,0BAA0B,CAAC;AAElC,OAAO,KAAK,EAAC,OAAO,EAAE,KAAK,EAAE,SAAS,EAAC,MAAM,qBAAqB,CAAC;AAGnE,OAAO,KAAK,EAAC,EAAE,EAAC,MAAM,aAAa,CAAC;AAEpC,gDAAgD;AAChD,MAAM,WAAW,qBAAqB;IACrC,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;CACjB;AAED,6DAA6D;AAC7D,MAAM,WAAW,uBAAuB;IACvC,EAAE,EAAE,IAAI,CAAC;IACT,OAAO,EAAE,OAAO,CAAC;IACjB,KAAK,EAAE,KAAK,CAAC;IACb,WAAW,EAAE;QAAC,MAAM,EAAE,SAAS,CAAC;QAAC,KAAK,EAAE,SAAS,CAAA;KAAC,CAAC;IACnD,wFAAwF;IACxF,kBAAkB,EAAE,OAAO,CAAC;CAC5B;AAED,gCAAgC;AAChC,MAAM,MAAM,uBAAuB,GAChC;IAAC,EAAE,EAAE,KAAK,CAAC;IAAC,KAAK,EAAE,OAAO,0BAA0B,CAAC;IAAC,MAAM,EAAE,GAAG,CAAA;CAAC,GAClE;IAAC,EAAE,EAAE,KAAK,CAAC;IAAC,KAAK,EAAE,OAAO,wBAAwB,CAAC;IAAC,MAAM,EAAE,GAAG,CAAA;CAAC,GAChE;IAAC,EAAE,EAAE,KAAK,CAAC;IAAC,KAAK,EAAE,OAAO,mBAAmB,CAAC;IAAC,MAAM,EAAE,GAAG,CAAA;CAAC,CAAC;AAE/D,qFAAqF;AACrF,MAAM,MAAM,sBAAsB,GAAG,uBAAuB,GAAG,uBAAuB,CAAC;AAEvF;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACpC,EAAE,EAAE,EAAE,CAAC;IACP,gDAAgD;IAChD,UAAU,EAAE,MAAM,CAAC;IACnB,0CAA0C;IAC1C,cAAc,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;IAClD,qBAAqB;IACrB,WAAW,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IAC7C,6EAA6E;IAC7E,QAAQ,EAAE,IAAI,CAAC,gBAAgB,EAAE,eAAe,CAAC,CAAC;IAClD,kCAAkC;IAClC,GAAG,EAAE,MAAM,CAAC;CACZ;AAED;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,eAAO,MAAM,iBAAiB,GAC7B,MAAM,oBAAoB,EAC1B,gBAAgB,MAAM,EACtB,OAAO,qBAAqB,KAC1B,OAAO,CAAC,sBAAsB,CA4EhC,CAAC"}
+{"version":3,"file":"bootstrap_account.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/bootstrap_account.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAGH,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAEpD,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,eAAe,CAAC;AACpD,OAAO,EACN,mBAAmB,EACnB,0BAA0B,EAC1B,wBAAwB,EACxB,MAAM,0BAA0B,CAAC;AAElC,OAAO,KAAK,EAAC,OAAO,EAAE,KAAK,EAAE,SAAS,EAAC,MAAM,qBAAqB,CAAC;AAGnE,OAAO,KAAK,EAAC,EAAE,EAAC,MAAM,aAAa,CAAC;AAEpC,gDAAgD;AAChD,MAAM,WAAW,qBAAqB;IACrC,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;CACjB;AAED,6DAA6D;AAC7D,MAAM,WAAW,uBAAuB;IACvC,EAAE,EAAE,IAAI,CAAC;IACT,OAAO,EAAE,OAAO,CAAC;IACjB,KAAK,EAAE,KAAK,CAAC;IACb,WAAW,EAAE;QAAC,MAAM,EAAE,SAAS,CAAC;QAAC,KAAK,EAAE,SAAS,CAAA;KAAC,CAAC;IACnD,wFAAwF;IACxF,kBAAkB,EAAE,OAAO,CAAC;CAC5B;AAED,gCAAgC;AAChC,MAAM,MAAM,uBAAuB,GAChC;IAAC,EAAE,EAAE,KAAK,CAAC;IAAC,KAAK,EAAE,OAAO,0BAA0B,CAAC;IAAC,MAAM,EAAE,GAAG,CAAA;CAAC,GAClE;IAAC,EAAE,EAAE,KAAK,CAAC;IAAC,KAAK,EAAE,OAAO,wBAAwB,CAAC;IAAC,MAAM,EAAE,GAAG,CAAA;CAAC,GAChE;IAAC,EAAE,EAAE,KAAK,CAAC;IAAC,KAAK,EAAE,OAAO,mBAAmB,CAAC;IAAC,MAAM,EAAE,GAAG,CAAA;CAAC,CAAC;AAE/D,qFAAqF;AACrF,MAAM,MAAM,sBAAsB,GAAG,uBAAuB,GAAG,uBAAuB,CAAC;AAEvF;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACpC,EAAE,EAAE,EAAE,CAAC;IACP,gDAAgD;IAChD,UAAU,EAAE,MAAM,CAAC;IACnB,0CAA0C;IAC1C,cAAc,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;IAClD,qBAAqB;IACrB,WAAW,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IAC7C,6EAA6E;IAC7E,QAAQ,EAAE,IAAI,CAAC,gBAAgB,EAAE,eAAe,CAAC,CAAC;IAClD,kCAAkC;IAClC,GAAG,EAAE,MAAM,CAAC;CACZ;AAED;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,eAAO,MAAM,iBAAiB,GAC7B,MAAM,oBAAoB,EAC1B,gBAAgB,MAAM,EACtB,OAAO,qBAAqB,KAC1B,OAAO,CAAC,sBAAsB,CAuEhC,CAAC"}

package/dist/auth/bootstrap_account.js

@@ -9,7 +9,7 @@
 import { timingSafeEqual } from 'node:crypto';
 import { ERROR_INVALID_TOKEN, ERROR_ALREADY_BOOTSTRAPPED, ERROR_TOKEN_FILE_MISSING, } from '../http/error_schemas.js';
 import { ROLE_ADMIN, ROLE_KEEPER } from './role_schema.js';
-import { query_create_account_with_actor, query_account_has_any } from './account_queries.js';
+import { query_create_account_with_actor } from './account_queries.js';
 import { query_create_role_grant } from './role_grant_queries.js';
 /**
  * Bootstrap the first account with keeper and admin privileges.
@@ -57,10 +57,6 @@ export const bootstrap_account = async (deps, provided_token, input) => {
         if (lock_rows.length === 0) {
             return { ok: false, error: ERROR_ALREADY_BOOTSTRAPPED, status: 403 };
         }
-        // Belt-and-suspenders: verify no accounts exist even if lock was available
-        if (await query_account_has_any({ db: tx })) {
-            return { ok: false, error: ERROR_ALREADY_BOOTSTRAPPED, status: 403 };
-        }
         const tx_deps = { db: tx };
         const { account, actor } = await query_create_account_with_actor(tx_deps, {
             username: input.username,

package/dist/auth/bootstrap_routes.d.ts

@@ -19,14 +19,20 @@ import type { StatResult } from '../runtime/deps.js';
 /** Input for `POST /bootstrap`. `token` is the one-shot token file contents. */
 export declare const BootstrapInput: z.ZodObject<{
     token: z.ZodString;
-    username: z.ZodString;
+    username: z.ZodPipe<z.ZodString, z.ZodTransform<string, string>>;
     password: z.ZodString;
 }, z.core.$strict>;
 export type BootstrapInput = z.infer<typeof BootstrapInput>;
 /** Output for `POST /bootstrap`. Session cookie is the operative side effect. */
 export declare const BootstrapOutput: z.ZodObject<{
     ok: z.ZodLiteral<true>;
-    username: z.ZodString;
+    account: z.ZodObject<{
+        id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+        username: z.ZodPipe<z.ZodString, z.ZodTransform<string, string>>;
+    }, z.core.$strict>;
+    actor: z.ZodObject<{
+        id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+    }, z.core.$strict>;
 }, z.core.$strict>;
 export type BootstrapOutput = z.infer<typeof BootstrapOutput>;
 /**

package/dist/auth/bootstrap_routes.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"bootstrap_routes.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/bootstrap_routes.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AACtB,OAAO,KAAK,EAAC,OAAO,EAAC,MAAM,MAAM,CAAC;AAClC,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAEpD,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,qBAAqB,CAAC;AAExD,OAAO,EAAoB,KAAK,uBAAuB,EAAC,MAAM,wBAAwB,CAAC;AAGvF,OAAO,KAAK,EAAC,EAAE,EAAC,MAAM,aAAa,CAAC;AACpC,OAAO,EAAkB,KAAK,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAEtE,OAAO,EAA+B,KAAK,WAAW,EAAC,MAAM,oBAAoB,CAAC;AAClF,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,WAAW,CAAC;AAChD,OAAO,KAAK,EAAC,UAAU,EAAC,MAAM,oBAAoB,CAAC;AAYnD,gFAAgF;AAChF,eAAO,MAAM,cAAc;;;;kBAIzB,CAAC;AACH,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,cAAc,CAAC,CAAC;AAE5D,iFAAiF;AACjF,eAAO,MAAM,eAAe;;;kBAG1B,CAAC;AACH,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,eAAe,CAAC,CAAC;AAE9D;;GAEG;AACH,MAAM,WAAW,eAAe;IAC/B,SAAS,EAAE,OAAO,CAAC;IACnB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;CAC1B;AAED;;;;;GAKG;AACH,MAAM,WAAW,qBAAqB;IACrC,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,8EAA8E;IAC9E,gBAAgB,EAAE,eAAe,CAAC;IAClC;;;OAGG;IACH,YAAY,CAAC,EAAE,CAAC,MAAM,EAAE,uBAAuB,EAAE,CAAC,EAAE,OAAO,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IAC9E,4EAA4E;IAC5E,eAAe,EAAE,WAAW,GAAG,IAAI,CAAC;CACpC;AAED;;GAEG;AACH,MAAM,WAAW,wBAAwB;IACxC,IAAI,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC,CAAC;IACnD,EAAE,EAAE,EAAE,CAAC;IACP,GAAG,EAAE,MAAM,CAAC;CACZ;AAED;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,sBAAsB,GAClC,MAAM,wBAAwB,EAC9B,SAAS;IAAC,UAAU,EAAE,MAAM,GAAG,IAAI,CAAA;CAAC,KAClC,OAAO,CAAC,eAAe,CAwBzB,CAAC;AAEF;;;;;;GAMG;AACH,eAAO,MAAM,4BAA4B,GACxC,MAAM,gBAAgB,EACtB,SAAS,qBAAqB,KAC5B,KAAK,CAAC,SAAS,CAiHjB,CAAC"}
+{"version":3,"file":"bootstrap_routes.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/bootstrap_routes.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AACtB,OAAO,KAAK,EAAC,OAAO,EAAC,MAAM,MAAM,CAAC;AAClC,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAGpD,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,qBAAqB,CAAC;AAExD,OAAO,EAAoB,KAAK,uBAAuB,EAAC,MAAM,wBAAwB,CAAC;AAGvF,OAAO,KAAK,EAAC,EAAE,EAAC,MAAM,aAAa,CAAC;AACpC,OAAO,EAAkB,KAAK,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAEtE,OAAO,EAA+B,KAAK,WAAW,EAAC,MAAM,oBAAoB,CAAC;AAClF,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,WAAW,CAAC;AAChD,OAAO,KAAK,EAAC,UAAU,EAAC,MAAM,oBAAoB,CAAC;AAWnD,gFAAgF;AAChF,eAAO,MAAM,cAAc;;;;kBAIzB,CAAC;AACH,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,cAAc,CAAC,CAAC;AAE5D,iFAAiF;AACjF,eAAO,MAAM,eAAe;;;;;;;;;kBAI1B,CAAC;AACH,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,eAAe,CAAC,CAAC;AAE9D;;GAEG;AACH,MAAM,WAAW,eAAe;IAC/B,SAAS,EAAE,OAAO,CAAC;IACnB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;CAC1B;AAED;;;;;GAKG;AACH,MAAM,WAAW,qBAAqB;IACrC,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,8EAA8E;IAC9E,gBAAgB,EAAE,eAAe,CAAC;IAClC;;;OAGG;IACH,YAAY,CAAC,EAAE,CAAC,MAAM,EAAE,uBAAuB,EAAE,CAAC,EAAE,OAAO,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IAC9E,4EAA4E;IAC5E,eAAe,EAAE,WAAW,GAAG,IAAI,CAAC;CACpC;AAED;;GAEG;AACH,MAAM,WAAW,wBAAwB;IACxC,IAAI,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC,CAAC;IACnD,EAAE,EAAE,EAAE,CAAC;IACP,GAAG,EAAE,MAAM,CAAC;CACZ;AAED;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,sBAAsB,GAClC,MAAM,wBAAwB,EAC9B,SAAS;IAAC,UAAU,EAAE,MAAM,GAAG,IAAI,CAAA;CAAC,KAClC,OAAO,CAAC,eAAe,CAwBzB,CAAC;AAEF;;;;;;GAMG;AACH,eAAO,MAAM,4BAA4B,GACxC,MAAM,gBAAgB,EACtB,SAAS,qBAAqB,KAC5B,KAAK,CAAC,SAAS,CAkHjB,CAAC"}

package/dist/auth/bootstrap_routes.js

@@ -7,6 +7,7 @@
  * @module
  */
 import { z } from 'zod';
+import { Uuid } from '@fuzdev/fuz_util/id.js';
 import { create_session_and_set_cookie } from './session_middleware.js';
 import { bootstrap_account } from './bootstrap_account.js';
 import { Username } from '../primitive_schemas.js';
@@ -14,7 +15,7 @@ import { Password } from './password.js';
 import { get_route_input } from '../http/route_spec.js';
 import { get_client_ip } from '../http/proxy.js';
 import { rate_limit_exceeded_response } from '../rate_limiter.js';
-import { ERROR_BOOTSTRAP_NOT_CONFIGURED, ERROR_INVALID_TOKEN, ERROR_ALREADY_BOOTSTRAPPED, ERROR_TOKEN_FILE_MISSING, ERROR_INVALID_JSON_BODY, ERROR_INVALID_REQUEST_BODY, } from '../http/error_schemas.js';
+import { ERROR_INVALID_TOKEN, ERROR_ALREADY_BOOTSTRAPPED, ERROR_TOKEN_FILE_MISSING, ERROR_INVALID_JSON_BODY, ERROR_INVALID_REQUEST_BODY, } from '../http/error_schemas.js';
 // -- Input/output schemas ---------------------------------------------------
 /** Input for `POST /bootstrap`. `token` is the one-shot token file contents. */
 export const BootstrapInput = z.strictObject({
@@ -25,7 +26,8 @@ export const BootstrapInput = z.strictObject({
 /** Output for `POST /bootstrap`. Session cookie is the operative side effect. */
 export const BootstrapOutput = z.strictObject({
     ok: z.literal(true),
-    username: z.string(),
+    account: z.strictObject({ id: Uuid, username: Username }),
+    actor: z.strictObject({ id: Uuid }),
 });
 /**
  * Check bootstrap availability at startup.
@@ -85,13 +87,14 @@ export const create_bootstrap_route_specs = (deps, options) => {
                 }),
                 401: z.looseObject({ error: z.literal(ERROR_INVALID_TOKEN) }),
                 403: z.looseObject({ error: z.literal(ERROR_ALREADY_BOOTSTRAPPED) }),
-                404: z.looseObject({
-                    error: z.enum([ERROR_TOKEN_FILE_MISSING, ERROR_BOOTSTRAP_NOT_CONFIGURED]),
-                }),
+                404: z.looseObject({ error: z.literal(ERROR_TOKEN_FILE_MISSING) }),
             },
             handler: async (c, route) => {
-                // Short-circuit if bootstrap already completed
-                if (!bootstrap_status.available) {
+                // Short-circuit if bootstrap already completed or surface-only mounted.
+                // In 'surface_only' mode `bootstrap_status.token_path === null` and
+                // `available === false`; in 'live' mode after success `available` flips
+                // to `false`. Either way the wire shape is 403 ALREADY_BOOTSTRAPPED.
+                if (!bootstrap_status.available || token_path === null) {
                     return c.json({ error: ERROR_ALREADY_BOOTSTRAPPED }, 403);
                 }
                 // Per-IP rate limit check (before any token/DB work)
@@ -103,9 +106,6 @@ export const create_bootstrap_route_specs = (deps, options) => {
                     }
                 }
                 const input = get_route_input(c);
-                if (token_path === null) {
-                    return c.json({ error: ERROR_BOOTSTRAP_NOT_CONFIGURED }, 404);
-                }
                 // `transaction: false` makes `route.db` the pool. `bootstrap_account`
                 // manages its own transaction internally.
                 const result = await bootstrap_account({
@@ -158,7 +158,11 @@ export const create_bootstrap_route_specs = (deps, options) => {
                 if (!result.token_file_deleted) {
                     throw new Error(`Bootstrap succeeded but token file was not deleted at ${token_path}. Delete it manually and log in.`);
                 }
-                return c.json({ ok: true, username: result.account.username });
+                return c.json({
+                    ok: true,
+                    account: { id: result.account.id, username: result.account.username },
+                    actor: { id: result.actor.id },
+                });
             },
         },
     ];

package/dist/auth/invite_schema.d.ts

@@ -23,7 +23,7 @@ export interface Invite {
 export declare const InviteJson: z.ZodObject<{
     id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
     email: z.ZodNullable<z.ZodEmail>;
-    username: z.ZodNullable<z.ZodString>;
+    username: z.ZodNullable<z.ZodPipe<z.ZodString, z.ZodTransform<string, string>>>;
     claimed_by: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
     claimed_at: z.ZodNullable<z.ZodString>;
     created_at: z.ZodString;
@@ -34,7 +34,7 @@ export type InviteJson = z.infer<typeof InviteJson>;
 export declare const InviteWithUsernamesJson: z.ZodObject<{
     id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
     email: z.ZodNullable<z.ZodEmail>;
-    username: z.ZodNullable<z.ZodString>;
+    username: z.ZodNullable<z.ZodPipe<z.ZodString, z.ZodTransform<string, string>>>;
     claimed_by: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
     claimed_at: z.ZodNullable<z.ZodString>;
     created_at: z.ZodString;

package/dist/auth/keyring.d.ts

@@ -7,7 +7,7 @@
  *
  * @example
  * ```ts
- * const keyring = create_keyring(process.env.SECRET_COOKIE_KEYS);
+ * const keyring = create_keyring(process.env.SECRET_FUZ_COOKIE_KEYS);
  * if (!keyring) throw new Error('No keys configured');
  *
  * const signed = await keyring.sign('user:123:1700000000');
@@ -47,12 +47,12 @@ export interface Keyring {
  *
  * **Security: key rotation is an operational concern.** Old keys remain valid
  * for verification indefinitely — a leaked old key can forge session cookies
- * until it is removed from `SECRET_COOKIE_KEYS`. After rotating to a new
+ * until it is removed from `SECRET_FUZ_COOKIE_KEYS`. After rotating to a new
  * signing key, remove the old key within a grace period (e.g. 24–48 hours,
  * long enough for active sessions to re-sign with the new key via cookie
- * refresh). Treat `SECRET_COOKIE_KEYS` changes as security-critical deploys.
+ * refresh). Treat `SECRET_FUZ_COOKIE_KEYS` changes as security-critical deploys.
  *
- * @param env_value - the SECRET_COOKIE_KEYS environment variable
+ * @param env_value - the SECRET_FUZ_COOKIE_KEYS environment variable
  * @returns keyring or null if no keys configured
  */
 export declare const create_keyring: (env_value: string | undefined) => Keyring | null;
@@ -63,7 +63,7 @@ export declare const create_keyring: (env_value: string | undefined) => Keyring
  * or all-separator input like `'____'`), and for each key shorter than
  * `MIN_KEY_LENGTH` characters.
  *
- * @param env_value - the SECRET_COOKIE_KEYS environment variable
+ * @param env_value - the SECRET_FUZ_COOKIE_KEYS environment variable
  * @returns array of validation errors (empty if valid)
  */
 export declare const validate_keyring: (env_value: string | undefined) => Array<string>;
@@ -84,7 +84,7 @@ export type ValidatedKeyringResult = {
  * Returns a discriminated union so callers handle exit/logging their own way
  * (e.g. `Deno.exit(1)` vs `runtime.exit(1)`).
  *
- * @param env_value - the SECRET_COOKIE_KEYS environment variable
+ * @param env_value - the SECRET_FUZ_COOKIE_KEYS environment variable
  * @returns `{ok: true, keyring}` or `{ok: false, errors}`
  */
 export declare const create_validated_keyring: (env_value: string | undefined) => ValidatedKeyringResult;

package/dist/auth/keyring.js

@@ -7,7 +7,7 @@
  *
  * @example
  * ```ts
- * const keyring = create_keyring(process.env.SECRET_COOKIE_KEYS);
+ * const keyring = create_keyring(process.env.SECRET_FUZ_COOKIE_KEYS);
  * if (!keyring) throw new Error('No keys configured');
  *
  * const signed = await keyring.sign('user:123:1700000000');
@@ -30,12 +30,12 @@ const encoder = new TextEncoder();
  *
  * **Security: key rotation is an operational concern.** Old keys remain valid
  * for verification indefinitely — a leaked old key can forge session cookies
- * until it is removed from `SECRET_COOKIE_KEYS`. After rotating to a new
+ * until it is removed from `SECRET_FUZ_COOKIE_KEYS`. After rotating to a new
  * signing key, remove the old key within a grace period (e.g. 24–48 hours,
  * long enough for active sessions to re-sign with the new key via cookie
- * refresh). Treat `SECRET_COOKIE_KEYS` changes as security-critical deploys.
+ * refresh). Treat `SECRET_FUZ_COOKIE_KEYS` changes as security-critical deploys.
  *
- * @param env_value - the SECRET_COOKIE_KEYS environment variable
+ * @param env_value - the SECRET_FUZ_COOKIE_KEYS environment variable
  * @returns keyring or null if no keys configured
  */
 export const create_keyring = (env_value) => {
@@ -75,13 +75,13 @@ export const create_keyring = (env_value) => {
  * or all-separator input like `'____'`), and for each key shorter than
  * `MIN_KEY_LENGTH` characters.
  *
- * @param env_value - the SECRET_COOKIE_KEYS environment variable
+ * @param env_value - the SECRET_FUZ_COOKIE_KEYS environment variable
  * @returns array of validation errors (empty if valid)
  */
 export const validate_keyring = (env_value) => {
     const keys = parse_keys(env_value);
     if (keys.length === 0) {
-        return ['SECRET_COOKIE_KEYS is required'];
+        return ['SECRET_FUZ_COOKIE_KEYS is required'];
     }
     const errors = [];
     for (const [i, key] of keys.entries()) {
@@ -126,7 +126,7 @@ const verify_with_crypto_key = async (signed_value, key) => {
  * Returns a discriminated union so callers handle exit/logging their own way
  * (e.g. `Deno.exit(1)` vs `runtime.exit(1)`).
  *
- * @param env_value - the SECRET_COOKIE_KEYS environment variable
+ * @param env_value - the SECRET_FUZ_COOKIE_KEYS environment variable
  * @returns `{ok: true, keyring}` or `{ok: false, errors}`
  */
 export const create_validated_keyring = (env_value) => {
@@ -136,7 +136,7 @@ export const create_validated_keyring = (env_value) => {
     }
     const keyring = create_keyring(env_value);
     if (!keyring) {
-        return { ok: false, errors: ['SECRET_COOKIE_KEYS is required'] };
+        return { ok: false, errors: ['SECRET_FUZ_COOKIE_KEYS is required'] };
     }
     return { ok: true, keyring };
 };

package/dist/auth/role_grant_offer_actions.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"role_grant_offer_actions.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/role_grant_offer_actions.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAsCG;AAEH,OAAO,EAGN,KAAK,aAAa,EAClB,KAAK,SAAS,EACd,MAAM,0BAA0B,CAAC;AAGlC,OAAO,EAIN,KAAK,gBAAgB,EACrB,MAAM,kBAAkB,CAAC;AA0B1B,OAAO,EAA4C,KAAK,cAAc,EAAC,MAAM,sBAAsB,CAAC;AACpG,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,WAAW,CAAC;AAEhD,OAAO,EAON,KAAK,kBAAkB,EACvB,MAAM,qCAAqC,CAAC;AAiC7C;;;;;;;;GAQG;AACH,MAAM,MAAM,6BAA6B,GAAG,CAC3C,IAAI,EAAE,cAAc,EACpB,KAAK,EAAE;IAAC,aAAa,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAA;CAAC,EACrE,IAAI,EAAE,IAAI,CAAC,gBAAgB,EAAE,KAAK,CAAC,EACnC,GAAG,EAAE,aAAa,KACd,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;AAEhC,qDAAqD;AACrD,MAAM,WAAW,2BAA2B;IAC3C;;;;;OAKG;IACH,KAAK,CAAC,EAAE,gBAAgB,CAAC;IACzB,0FAA0F;IAC1F,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB;;;;;OAKG;IACH,SAAS,CAAC,EAAE,6BAA6B,CAAC;CAC1C;AA6BD;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,yBAAyB,EAAE,6BAavC,CAAC;AAIF;;;;;;;GAOG;AACH,eAAO,MAAM,+BAA+B,GAC3C,MAAM,IAAI,CAAC,gBAAgB,EAAE,KAAK,GAAG,OAAO,CAAC,GAAG;IAC/C,mBAAmB,CAAC,EAAE,kBAAkB,GAAG,IAAI,CAAC;CAChD,EACD,UAAS,2BAAgC,KACvC,KAAK,CAAC,SAAS,CAidjB,CAAC"}
+{"version":3,"file":"role_grant_offer_actions.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/role_grant_offer_actions.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAsCG;AAEH,OAAO,EAGN,KAAK,aAAa,EAClB,KAAK,SAAS,EACd,MAAM,0BAA0B,CAAC;AAGlC,OAAO,EAIN,KAAK,gBAAgB,EACrB,MAAM,kBAAkB,CAAC;AA0B1B,OAAO,EAA4C,KAAK,cAAc,EAAC,MAAM,sBAAsB,CAAC;AACpG,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,WAAW,CAAC;AAEhD,OAAO,EAON,KAAK,kBAAkB,EACvB,MAAM,qCAAqC,CAAC;AAiC7C;;;;;;;;GAQG;AACH,MAAM,MAAM,6BAA6B,GAAG,CAC3C,IAAI,EAAE,cAAc,EACpB,KAAK,EAAE;IAAC,aAAa,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAA;CAAC,EACrE,IAAI,EAAE,IAAI,CAAC,gBAAgB,EAAE,KAAK,CAAC,EACnC,GAAG,EAAE,aAAa,KACd,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;AAEhC,qDAAqD;AACrD,MAAM,WAAW,2BAA2B;IAC3C;;;;;OAKG;IACH,KAAK,CAAC,EAAE,gBAAgB,CAAC;IACzB,0FAA0F;IAC1F,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB;;;;;OAKG;IACH,SAAS,CAAC,EAAE,6BAA6B,CAAC;CAC1C;AA6BD;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,yBAAyB,EAAE,6BAavC,CAAC;AAIF;;;;;;;GAOG;AACH,eAAO,MAAM,+BAA+B,GAC3C,MAAM,IAAI,CAAC,gBAAgB,EAAE,KAAK,GAAG,OAAO,CAAC,GAAG;IAC/C,mBAAmB,CAAC,EAAE,kBAAkB,GAAG,IAAI,CAAC;CAChD,EACD,UAAS,2BAAgC,KACvC,KAAK,CAAC,SAAS,CAmdjB,CAAC"}

package/dist/auth/role_grant_offer_actions.js

@@ -130,8 +130,10 @@ export const create_role_grant_offer_actions = (deps, options = {}) => {
         });
     };
     // Returns {offer} only — no auto-accept. Recipient must call
-    // role_grant_offer_accept; admin tests materialize role_grants via
-    // query_accept_offer (see testing/admin_integration.ts `offer_and_accept`).
+    // role_grant_offer_accept; admin tests drive the full consent flow over
+    // RPC (see testing/admin_integration.ts `offer_and_accept`), or seed
+    // role_grants directly via create_test_role_grant_direct when the
+    // test isn't about the consent path.
     const create_handler = async (input, ctx) => {
         const auth = ctx.auth;
         // Role must include the admin grant path — same gate as admin direct-grant.

package/dist/auth/signup_routes.d.ts

@@ -24,7 +24,7 @@ export interface SignupRouteOptions extends AuthSessionRouteOptions {
 }
 /** Input for `POST /signup`. `email` is optional and must match any referenced invite. */
 export declare const SignupInput: z.ZodObject<{
-    username: z.ZodString;
+    username: z.ZodPipe<z.ZodString, z.ZodTransform<string, string>>;
     password: z.ZodString;
     email: z.ZodOptional<z.ZodEmail>;
 }, z.core.$strict>;

package/dist/auth/standard_rpc_actions.d.ts

@@ -10,6 +10,7 @@
  * Option routing: shared `roles` flows to both admin and role-grant-offer;
  * `app_settings` goes to admin only; `default_ttl_ms` and `authorize` go
  * to role-grant-offer only; `max_tokens` goes to account only;
+ * shared `connection_closer` flows to admin + account (role-grant-offer ignores);
  * `notification_sender` reaches role-grant-offer transparently (admin + account
  * ignore it).
  *

package/dist/auth/standard_rpc_actions.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"standard_rpc_actions.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/standard_rpc_actions.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAEH,OAAO,EAAuB,KAAK,kBAAkB,EAAC,MAAM,oBAAoB,CAAC;AACjF,OAAO,EAEN,KAAK,2BAA2B,EAChC,MAAM,+BAA+B,CAAC;AACvC,OAAO,EAAyB,KAAK,oBAAoB,EAAC,MAAM,sBAAsB,CAAC;AACvF,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,WAAW,CAAC;AAChD,OAAO,KAAK,EAAC,kBAAkB,EAAC,MAAM,qCAAqC,CAAC;AAC5E,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,0BAA0B,CAAC;AAExD;;;;;;;;GAQG;AACH,MAAM,WAAW,yBAChB,SAAQ,kBAAkB,EAAE,2BAA2B,EAAE,oBAAoB;CAAG;AAEjF;;;;;;;GAOG;AACH,MAAM,WAAW,sBAAuB,SAAQ,IAAI,CAAC,gBAAgB,EAAE,KAAK,GAAG,OAAO,CAAC;IACtF,mBAAmB,CAAC,EAAE,kBAAkB,GAAG,IAAI,CAAC;CAChD;AAED;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,2BAA2B,GACvC,MAAM,sBAAsB,EAC5B,UAAS,yBAA8B,KACrC,KAAK,CAAC,SAAS,CAIjB,CAAC"}
+{"version":3,"file":"standard_rpc_actions.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/standard_rpc_actions.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAEH,OAAO,EAAuB,KAAK,kBAAkB,EAAC,MAAM,oBAAoB,CAAC;AACjF,OAAO,EAEN,KAAK,2BAA2B,EAChC,MAAM,+BAA+B,CAAC;AACvC,OAAO,EAAyB,KAAK,oBAAoB,EAAC,MAAM,sBAAsB,CAAC;AACvF,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,WAAW,CAAC;AAChD,OAAO,KAAK,EAAC,kBAAkB,EAAC,MAAM,qCAAqC,CAAC;AAC5E,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,0BAA0B,CAAC;AAExD;;;;;;;;GAQG;AACH,MAAM,WAAW,yBAChB,SAAQ,kBAAkB,EAAE,2BAA2B,EAAE,oBAAoB;CAAG;AAEjF;;;;;;;GAOG;AACH,MAAM,WAAW,sBAAuB,SAAQ,IAAI,CAAC,gBAAgB,EAAE,KAAK,GAAG,OAAO,CAAC;IACtF,mBAAmB,CAAC,EAAE,kBAAkB,GAAG,IAAI,CAAC;CAChD;AAED;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,2BAA2B,GACvC,MAAM,sBAAsB,EAC5B,UAAS,yBAA8B,KACrC,KAAK,CAAC,SAAS,CAIjB,CAAC"}

package/dist/auth/standard_rpc_actions.js

@@ -10,6 +10,7 @@
  * Option routing: shared `roles` flows to both admin and role-grant-offer;
  * `app_settings` goes to admin only; `default_ttl_ms` and `authorize` go
  * to role-grant-offer only; `max_tokens` goes to account only;
+ * shared `connection_closer` flows to admin + account (role-grant-offer ignores);
  * `notification_sender` reaches role-grant-offer transparently (admin + account
  * ignore it).
  *

package/dist/db/create_db.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"create_db.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/db/create_db.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,KAAK,EAAC,EAAE,EAAE,MAAM,EAAC,MAAM,SAAS,CAAC;AAIxC,yCAAyC;AACzC,MAAM,WAAW,cAAc;IAC9B,EAAE,EAAE,EAAE,CAAC;IACP,iFAAiF;IACjF,KAAK,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;IAC3B,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;CAChB;AAED;;;;;;;;;;;;;;GAcG;AACH,eAAO,MAAM,SAAS,GAAU,cAAc,MAAM,KAAG,OAAO,CAAC,cAAc,CAgC5E,CAAC"}
+{"version":3,"file":"create_db.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/db/create_db.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,KAAK,EAAC,EAAE,EAAE,MAAM,EAAC,MAAM,SAAS,CAAC;AAIxC,yCAAyC;AACzC,MAAM,WAAW,cAAc;IAC9B,EAAE,EAAE,EAAE,CAAC;IACP,iFAAiF;IACjF,KAAK,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;IAC3B,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;CAChB;AAED;;;;;;;;;;;;;;GAcG;AACH,eAAO,MAAM,SAAS,GAAU,cAAc,MAAM,KAAG,OAAO,CAAC,cAAc,CA6C5E,CAAC"}

package/dist/db/create_db.js

@@ -32,6 +32,19 @@ import { create_pglite_db } from './db_pglite.js';
 export const create_db = async (database_url) => {
     if (database_url.startsWith('postgres://') || database_url.startsWith('postgresql://')) {
         const { default: pg } = await import('pg');
+        // Parse int8 (BIGINT) as a JS number. pg defaults to returning int8
+        // as a string to avoid 2^53 precision loss; our only int8 column
+        // today (`audit_log.seq`) stays well under that bound, and reading
+        // as number keeps the wire shape uniform across the SERIAL→BIGSERIAL
+        // widening.
+        //
+        // CAVEAT: pg.types.setTypeParser mutates pg.types globally — every
+        // pg.Pool in the process inherits the coercion, including pools the
+        // consumer constructs against unrelated databases. Any future int8
+        // column that could legitimately exceed 2^53 (file sizes, byte
+        // offsets) will silently round; if one lands, localize via a
+        // per-pool `types` override instead of widening this global parser.
+        pg.types.setTypeParser(20, (val) => Number(val));
         const pool = new pg.Pool({ connectionString: database_url });
         const { db, close } = create_pg_db(pool);
         return {

package/dist/dev/setup.d.ts

@@ -51,7 +51,7 @@ export interface ResetDbResult {
 /** Options for `setup_env_file`. */
 export interface SetupEnvOptions {
     /**
-     * Extra env var replacements beyond the default `SECRET_COOKIE_KEYS`.
+     * Extra env var replacements beyond the default `SECRET_FUZ_COOKIE_KEYS`.
      *
      * Keys are env var names, values are async generators.
      * Replaces `^KEY=$` (empty value) patterns in the env file.
@@ -103,7 +103,7 @@ export declare const generate_random_key: (deps: CommandDeps) => Promise<string>
  */
 export declare const read_env_var: (deps: Pick<FsReadDeps, "stat" | "read_text_file">, env_path: string, name: string) => Promise<string | undefined>;
 /**
- * Create an env file from its example template, auto-generating `SECRET_COOKIE_KEYS`.
+ * Create an env file from its example template, auto-generating `SECRET_FUZ_COOKIE_KEYS`.
  *
  * If the file already exists, backfills any empty values that have generators.
  * Idempotent — safe to re-run.

package/dist/dev/setup.js

@@ -69,7 +69,7 @@ export const read_env_var = async (deps, env_path, name) => {
 };
 // === Setup helpers ===
 /**
- * Create an env file from its example template, auto-generating `SECRET_COOKIE_KEYS`.
+ * Create an env file from its example template, auto-generating `SECRET_FUZ_COOKIE_KEYS`.
  *
  * If the file already exists, backfills any empty values that have generators.
  * Idempotent — safe to re-run.
@@ -84,9 +84,9 @@ export const read_env_var = async (deps, env_path, name) => {
 export const setup_env_file = async (deps, env_path, example_path, options) => {
     const log = options?.log ?? default_setup_logger;
     const set_permissions = options?.set_permissions;
-    // build the full replacement map (SECRET_COOKIE_KEYS + extras)
+    // build the full replacement map (SECRET_FUZ_COOKIE_KEYS + extras)
     const replacements = {
-        SECRET_COOKIE_KEYS: () => generate_random_key(deps),
+        SECRET_FUZ_COOKIE_KEYS: () => generate_random_key(deps),
         ...options?.replacements,
     };
     const stat = await deps.stat(env_path);