@fuzdev/fuz_app 0.64.0 → 0.65.0

package/dist/auth/account_schema.d.ts

@@ -74,7 +74,7 @@ export interface RoleGrant {
     expires_at: string | null;
     revoked_at: string | null;
     revoked_by: Uuid | null;
-    /** Optional free-form reason attached on revoke (surfaced in the revokee WS notification once it lands). */
+    /** Optional free-form reason attached on revoke (rides on the `role_grant_revoke` WS notification to the revokee). */
     revoked_reason: string | null;
     granted_by: Uuid | null;
     /** Offer that produced this role_grant (set by `query_accept_offer`). `null` for direct grants. */

package/dist/auth/account_schema.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"account_schema.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/account_schema.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AACtB,OAAO,EAAC,IAAI,EAAC,MAAM,wBAAwB,CAAC;AAE5C,OAAO,EAAC,QAAQ,EAAE,KAAK,EAAC,MAAM,yBAAyB,CAAC;AAIxD,mEAAmE;AACnE,MAAM,WAAW,OAAO;IACvB,EAAE,EAAE,IAAI,CAAC;IACT,QAAQ,EAAE,QAAQ,CAAC;IACnB,KAAK,EAAE,KAAK,GAAG,IAAI,CAAC;IACpB,cAAc,EAAE,OAAO,CAAC;IACxB,aAAa,EAAE,MAAM,CAAC;IACtB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,IAAI,GAAG,IAAI,CAAC;IACxB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,IAAI,GAAG,IAAI,CAAC;CACxB;AAED,wFAAwF;AACxF,MAAM,WAAW,cAAc;IAC9B,EAAE,EAAE,IAAI,CAAC;IACT,QAAQ,EAAE,QAAQ,CAAC;IACnB,KAAK,EAAE,KAAK,GAAG,IAAI,CAAC;IACpB,cAAc,EAAE,OAAO,CAAC;IACxB,UAAU,EAAE,MAAM,CAAC;CACnB;AAED,4FAA4F;AAC5F,MAAM,WAAW,KAAK;IACrB,EAAE,EAAE,IAAI,CAAC;IACT,UAAU,EAAE,IAAI,CAAC;IACjB,IAAI,EAAE,MAAM,CAAC;IACb,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,UAAU,EAAE,IAAI,GAAG,IAAI,CAAC;CACxB;AAED;;;;;GAKG;AACH,eAAO,MAAM,oCAAoC,MAAM,CAAC;AAExD,wEAAwE;AACxE,MAAM,WAAW,SAAS;IACzB,EAAE,EAAE,IAAI,CAAC;IACT,QAAQ,EAAE,IAAI,CAAC;IACf,IAAI,EAAE,MAAM,CAAC;IACb;;;;;;OAMG;IACH,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,iGAAiG;IACjG,QAAQ,EAAE,IAAI,GAAG,IAAI,CAAC;IACtB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,UAAU,EAAE,IAAI,GAAG,IAAI,CAAC;IACxB,4GAA4G;IAC5G,cAAc,EAAE,MAAM,GAAG,IAAI,CAAC;IAC9B,UAAU,EAAE,IAAI,GAAG,IAAI,CAAC;IACxB,mGAAmG;IACnG,eAAe,EAAE,IAAI,GAAG,IAAI,CAAC;CAC7B;AAED,eAAO,MAAM,oBAAoB,GAChC,GAAG;IAAC,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAAC,UAAU,EAAE,MAAM,GAAG,IAAI,CAAA;CAAC,EAC1D,MAAK,IAAiB,KACpB,OAA2E,CAAC;AAE/E,uEAAuE;AACvE,MAAM,WAAW,WAAW;IAC3B,EAAE,EAAE,MAAM,CAAC;IACX,UAAU,EAAE,IAAI,CAAC;IACjB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IACnB,YAAY,EAAE,MAAM,CAAC;CACrB;AAED,6CAA6C;AAC7C,MAAM,WAAW,QAAQ;IACxB,EAAE,EAAE,MAAM,CAAC;IACX,UAAU,EAAE,IAAI,CAAC;IACjB,IAAI,EAAE,MAAM,CAAC;IACb,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5B,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5B,UAAU,EAAE,MAAM,CAAC;CACnB;AAID,0EAA0E;AAC1E,eAAO,MAAM,kBAAkB;;;;;;kBAM7B,CAAC;AACH,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAEpE,6EAA6E;AAC7E,eAAO,MAAM,eAAe;;;;;;kBAM1B,CAAC;AACH,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,eAAe,CAAC,CAAC;AAE9D,4EAA4E;AAC5E,eAAO,MAAM,kBAAkB;;;;;;;;kBAQ7B,CAAC;AACH,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAEpE,gFAAgF;AAChF,eAAO,MAAM,oBAAoB;;;;;;;;kBAQ/B,CAAC;AACH,MAAM,MAAM,oBAAoB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAC;AAExE,2EAA2E;AAC3E,eAAO,MAAM,gBAAgB;;;kBAG3B,CAAC;AACH,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC;AAEhE,iGAAiG;AACjG,eAAO,MAAM,gBAAgB;;;;;;;;kBAG3B,CAAC;AACH,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC;AAEhE;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,uBAAuB;;;;;;;;;kBASlC,CAAC;AACH,MAAM,MAAM,uBAAuB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,uBAAuB,CAAC,CAAC;AAE9E,sGAAsG;AACtG,eAAO,MAAM,qBAAqB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;kBAKhC,CAAC;AACH,MAAM,MAAM,qBAAqB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,qBAAqB,CAAC,CAAC;AAI1E,MAAM,WAAW,kBAAkB;IAClC,QAAQ,EAAE,QAAQ,CAAC;IACnB,aAAa,EAAE,MAAM,CAAC;IACtB,KAAK,CAAC,EAAE,KAAK,GAAG,IAAI,CAAC;CACrB;AAED,MAAM,WAAW,oBAAoB;IACpC,QAAQ,EAAE,IAAI,CAAC;IACf,IAAI,EAAE,MAAM,CAAC;IACb;;;;OAIG;IACH,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,+EAA+E;IAC/E,QAAQ,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;IACvB,UAAU,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;IACzB,UAAU,EAAE,IAAI,GAAG,IAAI,CAAC;IACxB,0GAA0G;IAC1G,eAAe,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;CAC9B;AAED;;;;;GAKG;AACH,eAAO,MAAM,kBAAkB,GAAI,SAAS,OAAO,KAAG,cAMpD,CAAC;AAEH;;;;;GAKG;AACH,eAAO,MAAM,gBAAgB,GAAI,SAAS,OAAO,KAAG,gBAIlD,CAAC"}
+{"version":3,"file":"account_schema.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/account_schema.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AACtB,OAAO,EAAC,IAAI,EAAC,MAAM,wBAAwB,CAAC;AAE5C,OAAO,EAAC,QAAQ,EAAE,KAAK,EAAC,MAAM,yBAAyB,CAAC;AAIxD,mEAAmE;AACnE,MAAM,WAAW,OAAO;IACvB,EAAE,EAAE,IAAI,CAAC;IACT,QAAQ,EAAE,QAAQ,CAAC;IACnB,KAAK,EAAE,KAAK,GAAG,IAAI,CAAC;IACpB,cAAc,EAAE,OAAO,CAAC;IACxB,aAAa,EAAE,MAAM,CAAC;IACtB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,IAAI,GAAG,IAAI,CAAC;IACxB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,IAAI,GAAG,IAAI,CAAC;CACxB;AAED,wFAAwF;AACxF,MAAM,WAAW,cAAc;IAC9B,EAAE,EAAE,IAAI,CAAC;IACT,QAAQ,EAAE,QAAQ,CAAC;IACnB,KAAK,EAAE,KAAK,GAAG,IAAI,CAAC;IACpB,cAAc,EAAE,OAAO,CAAC;IACxB,UAAU,EAAE,MAAM,CAAC;CACnB;AAED,4FAA4F;AAC5F,MAAM,WAAW,KAAK;IACrB,EAAE,EAAE,IAAI,CAAC;IACT,UAAU,EAAE,IAAI,CAAC;IACjB,IAAI,EAAE,MAAM,CAAC;IACb,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,UAAU,EAAE,IAAI,GAAG,IAAI,CAAC;CACxB;AAED;;;;;GAKG;AACH,eAAO,MAAM,oCAAoC,MAAM,CAAC;AAExD,wEAAwE;AACxE,MAAM,WAAW,SAAS;IACzB,EAAE,EAAE,IAAI,CAAC;IACT,QAAQ,EAAE,IAAI,CAAC;IACf,IAAI,EAAE,MAAM,CAAC;IACb;;;;;;OAMG;IACH,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,iGAAiG;IACjG,QAAQ,EAAE,IAAI,GAAG,IAAI,CAAC;IACtB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,UAAU,EAAE,IAAI,GAAG,IAAI,CAAC;IACxB,sHAAsH;IACtH,cAAc,EAAE,MAAM,GAAG,IAAI,CAAC;IAC9B,UAAU,EAAE,IAAI,GAAG,IAAI,CAAC;IACxB,mGAAmG;IACnG,eAAe,EAAE,IAAI,GAAG,IAAI,CAAC;CAC7B;AAED,eAAO,MAAM,oBAAoB,GAChC,GAAG;IAAC,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAAC,UAAU,EAAE,MAAM,GAAG,IAAI,CAAA;CAAC,EAC1D,MAAK,IAAiB,KACpB,OAA2E,CAAC;AAE/E,uEAAuE;AACvE,MAAM,WAAW,WAAW;IAC3B,EAAE,EAAE,MAAM,CAAC;IACX,UAAU,EAAE,IAAI,CAAC;IACjB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IACnB,YAAY,EAAE,MAAM,CAAC;CACrB;AAED,6CAA6C;AAC7C,MAAM,WAAW,QAAQ;IACxB,EAAE,EAAE,MAAM,CAAC;IACX,UAAU,EAAE,IAAI,CAAC;IACjB,IAAI,EAAE,MAAM,CAAC;IACb,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5B,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5B,UAAU,EAAE,MAAM,CAAC;CACnB;AAID,0EAA0E;AAC1E,eAAO,MAAM,kBAAkB;;;;;;kBAM7B,CAAC;AACH,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAEpE,6EAA6E;AAC7E,eAAO,MAAM,eAAe;;;;;;kBAM1B,CAAC;AACH,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,eAAe,CAAC,CAAC;AAE9D,4EAA4E;AAC5E,eAAO,MAAM,kBAAkB;;;;;;;;kBAQ7B,CAAC;AACH,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAEpE,gFAAgF;AAChF,eAAO,MAAM,oBAAoB;;;;;;;;kBAQ/B,CAAC;AACH,MAAM,MAAM,oBAAoB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAC;AAExE,2EAA2E;AAC3E,eAAO,MAAM,gBAAgB;;;kBAG3B,CAAC;AACH,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC;AAEhE,iGAAiG;AACjG,eAAO,MAAM,gBAAgB;;;;;;;;kBAG3B,CAAC;AACH,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC;AAEhE;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,uBAAuB;;;;;;;;;kBASlC,CAAC;AACH,MAAM,MAAM,uBAAuB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,uBAAuB,CAAC,CAAC;AAE9E,sGAAsG;AACtG,eAAO,MAAM,qBAAqB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;kBAKhC,CAAC;AACH,MAAM,MAAM,qBAAqB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,qBAAqB,CAAC,CAAC;AAI1E,MAAM,WAAW,kBAAkB;IAClC,QAAQ,EAAE,QAAQ,CAAC;IACnB,aAAa,EAAE,MAAM,CAAC;IACtB,KAAK,CAAC,EAAE,KAAK,GAAG,IAAI,CAAC;CACrB;AAED,MAAM,WAAW,oBAAoB;IACpC,QAAQ,EAAE,IAAI,CAAC;IACf,IAAI,EAAE,MAAM,CAAC;IACb;;;;OAIG;IACH,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,+EAA+E;IAC/E,QAAQ,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;IACvB,UAAU,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;IACzB,UAAU,EAAE,IAAI,GAAG,IAAI,CAAC;IACxB,0GAA0G;IAC1G,eAAe,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;CAC9B;AAED;;;;;GAKG;AACH,eAAO,MAAM,kBAAkB,GAAI,SAAS,OAAO,KAAG,cAMpD,CAAC;AAEH;;;;;GAKG;AACH,eAAO,MAAM,gBAAgB,GAAI,SAAS,OAAO,KAAG,gBAIlD,CAAC"}

package/dist/auth/api_token_queries.js

@@ -51,7 +51,7 @@ export const query_validate_api_token = async (deps, raw_token, ip, pending_effe
         ip ?? null,
         row.id,
     ])
-        .then(() => { }) // eslint-disable-line @typescript-eslint/no-empty-function
+        .then(() => { })
         .catch((err) => {
         deps.log.error('Failed to update last_used_at:', err);
     });

package/dist/auth/audit_log_ddl.d.ts

@@ -19,6 +19,6 @@
  *
  * @module
  */
-export declare const AUDIT_LOG_SCHEMA = "\nCREATE TABLE IF NOT EXISTS audit_log (\n  id UUID PRIMARY KEY DEFAULT gen_random_uuid(),\n  seq SERIAL NOT NULL,\n  event_type TEXT NOT NULL,\n  outcome TEXT NOT NULL DEFAULT 'success',\n  actor_id UUID REFERENCES actor(id) ON DELETE SET NULL,\n  account_id UUID REFERENCES account(id) ON DELETE SET NULL,\n  target_account_id UUID REFERENCES account(id) ON DELETE SET NULL,\n  target_actor_id UUID REFERENCES actor(id) ON DELETE SET NULL,\n  ip TEXT,\n  created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),\n  metadata JSONB\n)";
+export declare const AUDIT_LOG_SCHEMA = "\nCREATE TABLE IF NOT EXISTS audit_log (\n  id UUID PRIMARY KEY DEFAULT gen_random_uuid(),\n  seq BIGSERIAL NOT NULL,\n  event_type TEXT NOT NULL,\n  outcome TEXT NOT NULL DEFAULT 'success',\n  actor_id UUID REFERENCES actor(id) ON DELETE SET NULL,\n  account_id UUID REFERENCES account(id) ON DELETE SET NULL,\n  target_account_id UUID REFERENCES account(id) ON DELETE SET NULL,\n  target_actor_id UUID REFERENCES actor(id) ON DELETE SET NULL,\n  ip TEXT,\n  created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),\n  metadata JSONB\n)";
 export declare const AUDIT_LOG_INDEXES: string[];
 //# sourceMappingURL=audit_log_ddl.d.ts.map

package/dist/auth/audit_log_ddl.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"audit_log_ddl.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/audit_log_ddl.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AAEH,eAAO,MAAM,gBAAgB,ihBAa3B,CAAC;AAEH,eAAO,MAAM,iBAAiB,UAM7B,CAAC"}
+{"version":3,"file":"audit_log_ddl.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/audit_log_ddl.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AAEH,eAAO,MAAM,gBAAgB,ohBAa3B,CAAC;AAEH,eAAO,MAAM,iBAAiB,UAM7B,CAAC"}

package/dist/auth/audit_log_ddl.js

@@ -22,7 +22,7 @@
 export const AUDIT_LOG_SCHEMA = `
 CREATE TABLE IF NOT EXISTS audit_log (
   id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
-  seq SERIAL NOT NULL,
+  seq BIGSERIAL NOT NULL,
   event_type TEXT NOT NULL,
   outcome TEXT NOT NULL DEFAULT 'success',
   actor_id UUID REFERENCES actor(id) ON DELETE SET NULL,

package/dist/auth/bootstrap_account.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"bootstrap_account.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/bootstrap_account.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAGH,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAEpD,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,eAAe,CAAC;AACpD,OAAO,EACN,mBAAmB,EACnB,0BAA0B,EAC1B,wBAAwB,EACxB,MAAM,0BAA0B,CAAC;AAElC,OAAO,KAAK,EAAC,OAAO,EAAE,KAAK,EAAE,SAAS,EAAC,MAAM,qBAAqB,CAAC;AAGnE,OAAO,KAAK,EAAC,EAAE,EAAC,MAAM,aAAa,CAAC;AAEpC,gDAAgD;AAChD,MAAM,WAAW,qBAAqB;IACrC,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;CACjB;AAED,6DAA6D;AAC7D,MAAM,WAAW,uBAAuB;IACvC,EAAE,EAAE,IAAI,CAAC;IACT,OAAO,EAAE,OAAO,CAAC;IACjB,KAAK,EAAE,KAAK,CAAC;IACb,WAAW,EAAE;QAAC,MAAM,EAAE,SAAS,CAAC;QAAC,KAAK,EAAE,SAAS,CAAA;KAAC,CAAC;IACnD,wFAAwF;IACxF,kBAAkB,EAAE,OAAO,CAAC;CAC5B;AAED,gCAAgC;AAChC,MAAM,MAAM,uBAAuB,GAChC;IAAC,EAAE,EAAE,KAAK,CAAC;IAAC,KAAK,EAAE,OAAO,0BAA0B,CAAC;IAAC,MAAM,EAAE,GAAG,CAAA;CAAC,GAClE;IAAC,EAAE,EAAE,KAAK,CAAC;IAAC,KAAK,EAAE,OAAO,wBAAwB,CAAC;IAAC,MAAM,EAAE,GAAG,CAAA;CAAC,GAChE;IAAC,EAAE,EAAE,KAAK,CAAC;IAAC,KAAK,EAAE,OAAO,mBAAmB,CAAC;IAAC,MAAM,EAAE,GAAG,CAAA;CAAC,CAAC;AAE/D,qFAAqF;AACrF,MAAM,MAAM,sBAAsB,GAAG,uBAAuB,GAAG,uBAAuB,CAAC;AAEvF;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACpC,EAAE,EAAE,EAAE,CAAC;IACP,gDAAgD;IAChD,UAAU,EAAE,MAAM,CAAC;IACnB,0CAA0C;IAC1C,cAAc,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;IAClD,qBAAqB;IACrB,WAAW,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IAC7C,6EAA6E;IAC7E,QAAQ,EAAE,IAAI,CAAC,gBAAgB,EAAE,eAAe,CAAC,CAAC;IAClD,kCAAkC;IAClC,GAAG,EAAE,MAAM,CAAC;CACZ;AAED;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,eAAO,MAAM,iBAAiB,GAC7B,MAAM,oBAAoB,EAC1B,gBAAgB,MAAM,EACtB,OAAO,qBAAqB,KAC1B,OAAO,CAAC,sBAAsB,CA4EhC,CAAC"}
+{"version":3,"file":"bootstrap_account.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/bootstrap_account.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAGH,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAEpD,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,eAAe,CAAC;AACpD,OAAO,EACN,mBAAmB,EACnB,0BAA0B,EAC1B,wBAAwB,EACxB,MAAM,0BAA0B,CAAC;AAElC,OAAO,KAAK,EAAC,OAAO,EAAE,KAAK,EAAE,SAAS,EAAC,MAAM,qBAAqB,CAAC;AAGnE,OAAO,KAAK,EAAC,EAAE,EAAC,MAAM,aAAa,CAAC;AAEpC,gDAAgD;AAChD,MAAM,WAAW,qBAAqB;IACrC,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;CACjB;AAED,6DAA6D;AAC7D,MAAM,WAAW,uBAAuB;IACvC,EAAE,EAAE,IAAI,CAAC;IACT,OAAO,EAAE,OAAO,CAAC;IACjB,KAAK,EAAE,KAAK,CAAC;IACb,WAAW,EAAE;QAAC,MAAM,EAAE,SAAS,CAAC;QAAC,KAAK,EAAE,SAAS,CAAA;KAAC,CAAC;IACnD,wFAAwF;IACxF,kBAAkB,EAAE,OAAO,CAAC;CAC5B;AAED,gCAAgC;AAChC,MAAM,MAAM,uBAAuB,GAChC;IAAC,EAAE,EAAE,KAAK,CAAC;IAAC,KAAK,EAAE,OAAO,0BAA0B,CAAC;IAAC,MAAM,EAAE,GAAG,CAAA;CAAC,GAClE;IAAC,EAAE,EAAE,KAAK,CAAC;IAAC,KAAK,EAAE,OAAO,wBAAwB,CAAC;IAAC,MAAM,EAAE,GAAG,CAAA;CAAC,GAChE;IAAC,EAAE,EAAE,KAAK,CAAC;IAAC,KAAK,EAAE,OAAO,mBAAmB,CAAC;IAAC,MAAM,EAAE,GAAG,CAAA;CAAC,CAAC;AAE/D,qFAAqF;AACrF,MAAM,MAAM,sBAAsB,GAAG,uBAAuB,GAAG,uBAAuB,CAAC;AAEvF;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACpC,EAAE,EAAE,EAAE,CAAC;IACP,gDAAgD;IAChD,UAAU,EAAE,MAAM,CAAC;IACnB,0CAA0C;IAC1C,cAAc,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;IAClD,qBAAqB;IACrB,WAAW,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IAC7C,6EAA6E;IAC7E,QAAQ,EAAE,IAAI,CAAC,gBAAgB,EAAE,eAAe,CAAC,CAAC;IAClD,kCAAkC;IAClC,GAAG,EAAE,MAAM,CAAC;CACZ;AAED;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,eAAO,MAAM,iBAAiB,GAC7B,MAAM,oBAAoB,EAC1B,gBAAgB,MAAM,EACtB,OAAO,qBAAqB,KAC1B,OAAO,CAAC,sBAAsB,CAuEhC,CAAC"}

package/dist/auth/bootstrap_account.js

@@ -9,7 +9,7 @@
 import { timingSafeEqual } from 'node:crypto';
 import { ERROR_INVALID_TOKEN, ERROR_ALREADY_BOOTSTRAPPED, ERROR_TOKEN_FILE_MISSING, } from '../http/error_schemas.js';
 import { ROLE_ADMIN, ROLE_KEEPER } from './role_schema.js';
-import { query_create_account_with_actor, query_account_has_any } from './account_queries.js';
+import { query_create_account_with_actor } from './account_queries.js';
 import { query_create_role_grant } from './role_grant_queries.js';
 /**
  * Bootstrap the first account with keeper and admin privileges.
@@ -57,10 +57,6 @@ export const bootstrap_account = async (deps, provided_token, input) => {
         if (lock_rows.length === 0) {
             return { ok: false, error: ERROR_ALREADY_BOOTSTRAPPED, status: 403 };
         }
-        // Belt-and-suspenders: verify no accounts exist even if lock was available
-        if (await query_account_has_any({ db: tx })) {
-            return { ok: false, error: ERROR_ALREADY_BOOTSTRAPPED, status: 403 };
-        }
         const tx_deps = { db: tx };
         const { account, actor } = await query_create_account_with_actor(tx_deps, {
             username: input.username,

package/dist/auth/bootstrap_routes.d.ts

@@ -26,7 +26,13 @@ export type BootstrapInput = z.infer<typeof BootstrapInput>;
 /** Output for `POST /bootstrap`. Session cookie is the operative side effect. */
 export declare const BootstrapOutput: z.ZodObject<{
     ok: z.ZodLiteral<true>;
-    username: z.ZodString;
+    account: z.ZodObject<{
+        id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+        username: z.ZodPipe<z.ZodString, z.ZodTransform<string, string>>;
+    }, z.core.$strict>;
+    actor: z.ZodObject<{
+        id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+    }, z.core.$strict>;
 }, z.core.$strict>;
 export type BootstrapOutput = z.infer<typeof BootstrapOutput>;
 /**

package/dist/auth/bootstrap_routes.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"bootstrap_routes.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/bootstrap_routes.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AACtB,OAAO,KAAK,EAAC,OAAO,EAAC,MAAM,MAAM,CAAC;AAClC,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAEpD,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,qBAAqB,CAAC;AAExD,OAAO,EAAoB,KAAK,uBAAuB,EAAC,MAAM,wBAAwB,CAAC;AAGvF,OAAO,KAAK,EAAC,EAAE,EAAC,MAAM,aAAa,CAAC;AACpC,OAAO,EAAkB,KAAK,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAEtE,OAAO,EAA+B,KAAK,WAAW,EAAC,MAAM,oBAAoB,CAAC;AAClF,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,WAAW,CAAC;AAChD,OAAO,KAAK,EAAC,UAAU,EAAC,MAAM,oBAAoB,CAAC;AAYnD,gFAAgF;AAChF,eAAO,MAAM,cAAc;;;;kBAIzB,CAAC;AACH,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,cAAc,CAAC,CAAC;AAE5D,iFAAiF;AACjF,eAAO,MAAM,eAAe;;;kBAG1B,CAAC;AACH,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,eAAe,CAAC,CAAC;AAE9D;;GAEG;AACH,MAAM,WAAW,eAAe;IAC/B,SAAS,EAAE,OAAO,CAAC;IACnB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;CAC1B;AAED;;;;;GAKG;AACH,MAAM,WAAW,qBAAqB;IACrC,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,8EAA8E;IAC9E,gBAAgB,EAAE,eAAe,CAAC;IAClC;;;OAGG;IACH,YAAY,CAAC,EAAE,CAAC,MAAM,EAAE,uBAAuB,EAAE,CAAC,EAAE,OAAO,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IAC9E,4EAA4E;IAC5E,eAAe,EAAE,WAAW,GAAG,IAAI,CAAC;CACpC;AAED;;GAEG;AACH,MAAM,WAAW,wBAAwB;IACxC,IAAI,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC,CAAC;IACnD,EAAE,EAAE,EAAE,CAAC;IACP,GAAG,EAAE,MAAM,CAAC;CACZ;AAED;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,sBAAsB,GAClC,MAAM,wBAAwB,EAC9B,SAAS;IAAC,UAAU,EAAE,MAAM,GAAG,IAAI,CAAA;CAAC,KAClC,OAAO,CAAC,eAAe,CAwBzB,CAAC;AAEF;;;;;;GAMG;AACH,eAAO,MAAM,4BAA4B,GACxC,MAAM,gBAAgB,EACtB,SAAS,qBAAqB,KAC5B,KAAK,CAAC,SAAS,CAiHjB,CAAC"}
+{"version":3,"file":"bootstrap_routes.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/bootstrap_routes.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AACtB,OAAO,KAAK,EAAC,OAAO,EAAC,MAAM,MAAM,CAAC;AAClC,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAGpD,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,qBAAqB,CAAC;AAExD,OAAO,EAAoB,KAAK,uBAAuB,EAAC,MAAM,wBAAwB,CAAC;AAGvF,OAAO,KAAK,EAAC,EAAE,EAAC,MAAM,aAAa,CAAC;AACpC,OAAO,EAAkB,KAAK,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAEtE,OAAO,EAA+B,KAAK,WAAW,EAAC,MAAM,oBAAoB,CAAC;AAClF,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,WAAW,CAAC;AAChD,OAAO,KAAK,EAAC,UAAU,EAAC,MAAM,oBAAoB,CAAC;AAWnD,gFAAgF;AAChF,eAAO,MAAM,cAAc;;;;kBAIzB,CAAC;AACH,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,cAAc,CAAC,CAAC;AAE5D,iFAAiF;AACjF,eAAO,MAAM,eAAe;;;;;;;;;kBAI1B,CAAC;AACH,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,eAAe,CAAC,CAAC;AAE9D;;GAEG;AACH,MAAM,WAAW,eAAe;IAC/B,SAAS,EAAE,OAAO,CAAC;IACnB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;CAC1B;AAED;;;;;GAKG;AACH,MAAM,WAAW,qBAAqB;IACrC,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,8EAA8E;IAC9E,gBAAgB,EAAE,eAAe,CAAC;IAClC;;;OAGG;IACH,YAAY,CAAC,EAAE,CAAC,MAAM,EAAE,uBAAuB,EAAE,CAAC,EAAE,OAAO,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IAC9E,4EAA4E;IAC5E,eAAe,EAAE,WAAW,GAAG,IAAI,CAAC;CACpC;AAED;;GAEG;AACH,MAAM,WAAW,wBAAwB;IACxC,IAAI,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC,CAAC;IACnD,EAAE,EAAE,EAAE,CAAC;IACP,GAAG,EAAE,MAAM,CAAC;CACZ;AAED;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,sBAAsB,GAClC,MAAM,wBAAwB,EAC9B,SAAS;IAAC,UAAU,EAAE,MAAM,GAAG,IAAI,CAAA;CAAC,KAClC,OAAO,CAAC,eAAe,CAwBzB,CAAC;AAEF;;;;;;GAMG;AACH,eAAO,MAAM,4BAA4B,GACxC,MAAM,gBAAgB,EACtB,SAAS,qBAAqB,KAC5B,KAAK,CAAC,SAAS,CAkHjB,CAAC"}

package/dist/auth/bootstrap_routes.js

@@ -7,6 +7,7 @@
  * @module
  */
 import { z } from 'zod';
+import { Uuid } from '@fuzdev/fuz_util/id.js';
 import { create_session_and_set_cookie } from './session_middleware.js';
 import { bootstrap_account } from './bootstrap_account.js';
 import { Username } from '../primitive_schemas.js';
@@ -14,7 +15,7 @@ import { Password } from './password.js';
 import { get_route_input } from '../http/route_spec.js';
 import { get_client_ip } from '../http/proxy.js';
 import { rate_limit_exceeded_response } from '../rate_limiter.js';
-import { ERROR_BOOTSTRAP_NOT_CONFIGURED, ERROR_INVALID_TOKEN, ERROR_ALREADY_BOOTSTRAPPED, ERROR_TOKEN_FILE_MISSING, ERROR_INVALID_JSON_BODY, ERROR_INVALID_REQUEST_BODY, } from '../http/error_schemas.js';
+import { ERROR_INVALID_TOKEN, ERROR_ALREADY_BOOTSTRAPPED, ERROR_TOKEN_FILE_MISSING, ERROR_INVALID_JSON_BODY, ERROR_INVALID_REQUEST_BODY, } from '../http/error_schemas.js';
 // -- Input/output schemas ---------------------------------------------------
 /** Input for `POST /bootstrap`. `token` is the one-shot token file contents. */
 export const BootstrapInput = z.strictObject({
@@ -25,7 +26,8 @@ export const BootstrapInput = z.strictObject({
 /** Output for `POST /bootstrap`. Session cookie is the operative side effect. */
 export const BootstrapOutput = z.strictObject({
     ok: z.literal(true),
-    username: z.string(),
+    account: z.strictObject({ id: Uuid, username: Username }),
+    actor: z.strictObject({ id: Uuid }),
 });
 /**
  * Check bootstrap availability at startup.
@@ -85,13 +87,14 @@ export const create_bootstrap_route_specs = (deps, options) => {
                 }),
                 401: z.looseObject({ error: z.literal(ERROR_INVALID_TOKEN) }),
                 403: z.looseObject({ error: z.literal(ERROR_ALREADY_BOOTSTRAPPED) }),
-                404: z.looseObject({
-                    error: z.enum([ERROR_TOKEN_FILE_MISSING, ERROR_BOOTSTRAP_NOT_CONFIGURED]),
-                }),
+                404: z.looseObject({ error: z.literal(ERROR_TOKEN_FILE_MISSING) }),
             },
             handler: async (c, route) => {
-                // Short-circuit if bootstrap already completed
-                if (!bootstrap_status.available) {
+                // Short-circuit if bootstrap already completed or surface-only mounted.
+                // In 'surface_only' mode `bootstrap_status.token_path === null` and
+                // `available === false`; in 'live' mode after success `available` flips
+                // to `false`. Either way the wire shape is 403 ALREADY_BOOTSTRAPPED.
+                if (!bootstrap_status.available || token_path === null) {
                     return c.json({ error: ERROR_ALREADY_BOOTSTRAPPED }, 403);
                 }
                 // Per-IP rate limit check (before any token/DB work)
@@ -103,9 +106,6 @@ export const create_bootstrap_route_specs = (deps, options) => {
                     }
                 }
                 const input = get_route_input(c);
-                if (token_path === null) {
-                    return c.json({ error: ERROR_BOOTSTRAP_NOT_CONFIGURED }, 404);
-                }
                 // `transaction: false` makes `route.db` the pool. `bootstrap_account`
                 // manages its own transaction internally.
                 const result = await bootstrap_account({
@@ -158,7 +158,11 @@ export const create_bootstrap_route_specs = (deps, options) => {
                 if (!result.token_file_deleted) {
                     throw new Error(`Bootstrap succeeded but token file was not deleted at ${token_path}. Delete it manually and log in.`);
                 }
-                return c.json({ ok: true, username: result.account.username });
+                return c.json({
+                    ok: true,
+                    account: { id: result.account.id, username: result.account.username },
+                    actor: { id: result.actor.id },
+                });
             },
         },
     ];

package/dist/auth/keyring.d.ts

@@ -7,7 +7,7 @@
  *
  * @example
  * ```ts
- * const keyring = create_keyring(process.env.SECRET_COOKIE_KEYS);
+ * const keyring = create_keyring(process.env.SECRET_FUZ_COOKIE_KEYS);
  * if (!keyring) throw new Error('No keys configured');
  *
  * const signed = await keyring.sign('user:123:1700000000');
@@ -47,12 +47,12 @@ export interface Keyring {
  *
  * **Security: key rotation is an operational concern.** Old keys remain valid
  * for verification indefinitely — a leaked old key can forge session cookies
- * until it is removed from `SECRET_COOKIE_KEYS`. After rotating to a new
+ * until it is removed from `SECRET_FUZ_COOKIE_KEYS`. After rotating to a new
  * signing key, remove the old key within a grace period (e.g. 24–48 hours,
  * long enough for active sessions to re-sign with the new key via cookie
- * refresh). Treat `SECRET_COOKIE_KEYS` changes as security-critical deploys.
+ * refresh). Treat `SECRET_FUZ_COOKIE_KEYS` changes as security-critical deploys.
  *
- * @param env_value - the SECRET_COOKIE_KEYS environment variable
+ * @param env_value - the SECRET_FUZ_COOKIE_KEYS environment variable
  * @returns keyring or null if no keys configured
  */
 export declare const create_keyring: (env_value: string | undefined) => Keyring | null;
@@ -63,7 +63,7 @@ export declare const create_keyring: (env_value: string | undefined) => Keyring
  * or all-separator input like `'____'`), and for each key shorter than
  * `MIN_KEY_LENGTH` characters.
  *
- * @param env_value - the SECRET_COOKIE_KEYS environment variable
+ * @param env_value - the SECRET_FUZ_COOKIE_KEYS environment variable
  * @returns array of validation errors (empty if valid)
  */
 export declare const validate_keyring: (env_value: string | undefined) => Array<string>;
@@ -84,7 +84,7 @@ export type ValidatedKeyringResult = {
  * Returns a discriminated union so callers handle exit/logging their own way
  * (e.g. `Deno.exit(1)` vs `runtime.exit(1)`).
  *
- * @param env_value - the SECRET_COOKIE_KEYS environment variable
+ * @param env_value - the SECRET_FUZ_COOKIE_KEYS environment variable
  * @returns `{ok: true, keyring}` or `{ok: false, errors}`
  */
 export declare const create_validated_keyring: (env_value: string | undefined) => ValidatedKeyringResult;

package/dist/auth/keyring.js

@@ -7,7 +7,7 @@
  *
  * @example
  * ```ts
- * const keyring = create_keyring(process.env.SECRET_COOKIE_KEYS);
+ * const keyring = create_keyring(process.env.SECRET_FUZ_COOKIE_KEYS);
  * if (!keyring) throw new Error('No keys configured');
  *
  * const signed = await keyring.sign('user:123:1700000000');
@@ -30,12 +30,12 @@ const encoder = new TextEncoder();
  *
  * **Security: key rotation is an operational concern.** Old keys remain valid
  * for verification indefinitely — a leaked old key can forge session cookies
- * until it is removed from `SECRET_COOKIE_KEYS`. After rotating to a new
+ * until it is removed from `SECRET_FUZ_COOKIE_KEYS`. After rotating to a new
  * signing key, remove the old key within a grace period (e.g. 24–48 hours,
  * long enough for active sessions to re-sign with the new key via cookie
- * refresh). Treat `SECRET_COOKIE_KEYS` changes as security-critical deploys.
+ * refresh). Treat `SECRET_FUZ_COOKIE_KEYS` changes as security-critical deploys.
  *
- * @param env_value - the SECRET_COOKIE_KEYS environment variable
+ * @param env_value - the SECRET_FUZ_COOKIE_KEYS environment variable
  * @returns keyring or null if no keys configured
  */
 export const create_keyring = (env_value) => {
@@ -75,13 +75,13 @@ export const create_keyring = (env_value) => {
  * or all-separator input like `'____'`), and for each key shorter than
  * `MIN_KEY_LENGTH` characters.
  *
- * @param env_value - the SECRET_COOKIE_KEYS environment variable
+ * @param env_value - the SECRET_FUZ_COOKIE_KEYS environment variable
  * @returns array of validation errors (empty if valid)
  */
 export const validate_keyring = (env_value) => {
     const keys = parse_keys(env_value);
     if (keys.length === 0) {
-        return ['SECRET_COOKIE_KEYS is required'];
+        return ['SECRET_FUZ_COOKIE_KEYS is required'];
     }
     const errors = [];
     for (const [i, key] of keys.entries()) {
@@ -126,7 +126,7 @@ const verify_with_crypto_key = async (signed_value, key) => {
  * Returns a discriminated union so callers handle exit/logging their own way
  * (e.g. `Deno.exit(1)` vs `runtime.exit(1)`).
  *
- * @param env_value - the SECRET_COOKIE_KEYS environment variable
+ * @param env_value - the SECRET_FUZ_COOKIE_KEYS environment variable
  * @returns `{ok: true, keyring}` or `{ok: false, errors}`
  */
 export const create_validated_keyring = (env_value) => {
@@ -136,7 +136,7 @@ export const create_validated_keyring = (env_value) => {
     }
     const keyring = create_keyring(env_value);
     if (!keyring) {
-        return { ok: false, errors: ['SECRET_COOKIE_KEYS is required'] };
+        return { ok: false, errors: ['SECRET_FUZ_COOKIE_KEYS is required'] };
     }
     return { ok: true, keyring };
 };

package/dist/auth/role_grant_offer_actions.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"role_grant_offer_actions.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/role_grant_offer_actions.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAsCG;AAEH,OAAO,EAGN,KAAK,aAAa,EAClB,KAAK,SAAS,EACd,MAAM,0BAA0B,CAAC;AAGlC,OAAO,EAIN,KAAK,gBAAgB,EACrB,MAAM,kBAAkB,CAAC;AA0B1B,OAAO,EAA4C,KAAK,cAAc,EAAC,MAAM,sBAAsB,CAAC;AACpG,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,WAAW,CAAC;AAEhD,OAAO,EAON,KAAK,kBAAkB,EACvB,MAAM,qCAAqC,CAAC;AAiC7C;;;;;;;;GAQG;AACH,MAAM,MAAM,6BAA6B,GAAG,CAC3C,IAAI,EAAE,cAAc,EACpB,KAAK,EAAE;IAAC,aAAa,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAA;CAAC,EACrE,IAAI,EAAE,IAAI,CAAC,gBAAgB,EAAE,KAAK,CAAC,EACnC,GAAG,EAAE,aAAa,KACd,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;AAEhC,qDAAqD;AACrD,MAAM,WAAW,2BAA2B;IAC3C;;;;;OAKG;IACH,KAAK,CAAC,EAAE,gBAAgB,CAAC;IACzB,0FAA0F;IAC1F,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB;;;;;OAKG;IACH,SAAS,CAAC,EAAE,6BAA6B,CAAC;CAC1C;AA6BD;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,yBAAyB,EAAE,6BAavC,CAAC;AAIF;;;;;;;GAOG;AACH,eAAO,MAAM,+BAA+B,GAC3C,MAAM,IAAI,CAAC,gBAAgB,EAAE,KAAK,GAAG,OAAO,CAAC,GAAG;IAC/C,mBAAmB,CAAC,EAAE,kBAAkB,GAAG,IAAI,CAAC;CAChD,EACD,UAAS,2BAAgC,KACvC,KAAK,CAAC,SAAS,CAidjB,CAAC"}
+{"version":3,"file":"role_grant_offer_actions.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/role_grant_offer_actions.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAsCG;AAEH,OAAO,EAGN,KAAK,aAAa,EAClB,KAAK,SAAS,EACd,MAAM,0BAA0B,CAAC;AAGlC,OAAO,EAIN,KAAK,gBAAgB,EACrB,MAAM,kBAAkB,CAAC;AA0B1B,OAAO,EAA4C,KAAK,cAAc,EAAC,MAAM,sBAAsB,CAAC;AACpG,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,WAAW,CAAC;AAEhD,OAAO,EAON,KAAK,kBAAkB,EACvB,MAAM,qCAAqC,CAAC;AAiC7C;;;;;;;;GAQG;AACH,MAAM,MAAM,6BAA6B,GAAG,CAC3C,IAAI,EAAE,cAAc,EACpB,KAAK,EAAE;IAAC,aAAa,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAA;CAAC,EACrE,IAAI,EAAE,IAAI,CAAC,gBAAgB,EAAE,KAAK,CAAC,EACnC,GAAG,EAAE,aAAa,KACd,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;AAEhC,qDAAqD;AACrD,MAAM,WAAW,2BAA2B;IAC3C;;;;;OAKG;IACH,KAAK,CAAC,EAAE,gBAAgB,CAAC;IACzB,0FAA0F;IAC1F,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB;;;;;OAKG;IACH,SAAS,CAAC,EAAE,6BAA6B,CAAC;CAC1C;AA6BD;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,yBAAyB,EAAE,6BAavC,CAAC;AAIF;;;;;;;GAOG;AACH,eAAO,MAAM,+BAA+B,GAC3C,MAAM,IAAI,CAAC,gBAAgB,EAAE,KAAK,GAAG,OAAO,CAAC,GAAG;IAC/C,mBAAmB,CAAC,EAAE,kBAAkB,GAAG,IAAI,CAAC;CAChD,EACD,UAAS,2BAAgC,KACvC,KAAK,CAAC,SAAS,CAmdjB,CAAC"}

package/dist/auth/role_grant_offer_actions.js

@@ -130,8 +130,10 @@ export const create_role_grant_offer_actions = (deps, options = {}) => {
         });
     };
     // Returns {offer} only — no auto-accept. Recipient must call
-    // role_grant_offer_accept; admin tests materialize role_grants via
-    // query_accept_offer (see testing/admin_integration.ts `offer_and_accept`).
+    // role_grant_offer_accept; admin tests drive the full consent flow over
+    // RPC (see testing/admin_integration.ts `offer_and_accept`), or seed
+    // role_grants directly via create_test_role_grant_direct when the
+    // test isn't about the consent path.
     const create_handler = async (input, ctx) => {
         const auth = ctx.auth;
         // Role must include the admin grant path — same gate as admin direct-grant.

package/dist/db/create_db.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"create_db.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/db/create_db.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,KAAK,EAAC,EAAE,EAAE,MAAM,EAAC,MAAM,SAAS,CAAC;AAIxC,yCAAyC;AACzC,MAAM,WAAW,cAAc;IAC9B,EAAE,EAAE,EAAE,CAAC;IACP,iFAAiF;IACjF,KAAK,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;IAC3B,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;CAChB;AAED;;;;;;;;;;;;;;GAcG;AACH,eAAO,MAAM,SAAS,GAAU,cAAc,MAAM,KAAG,OAAO,CAAC,cAAc,CAgC5E,CAAC"}
+{"version":3,"file":"create_db.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/db/create_db.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,KAAK,EAAC,EAAE,EAAE,MAAM,EAAC,MAAM,SAAS,CAAC;AAIxC,yCAAyC;AACzC,MAAM,WAAW,cAAc;IAC9B,EAAE,EAAE,EAAE,CAAC;IACP,iFAAiF;IACjF,KAAK,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;IAC3B,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;CAChB;AAED;;;;;;;;;;;;;;GAcG;AACH,eAAO,MAAM,SAAS,GAAU,cAAc,MAAM,KAAG,OAAO,CAAC,cAAc,CA6C5E,CAAC"}

package/dist/db/create_db.js

@@ -32,6 +32,19 @@ import { create_pglite_db } from './db_pglite.js';
 export const create_db = async (database_url) => {
     if (database_url.startsWith('postgres://') || database_url.startsWith('postgresql://')) {
         const { default: pg } = await import('pg');
+        // Parse int8 (BIGINT) as a JS number. pg defaults to returning int8
+        // as a string to avoid 2^53 precision loss; our only int8 column
+        // today (`audit_log.seq`) stays well under that bound, and reading
+        // as number keeps the wire shape uniform across the SERIAL→BIGSERIAL
+        // widening.
+        //
+        // CAVEAT: pg.types.setTypeParser mutates pg.types globally — every
+        // pg.Pool in the process inherits the coercion, including pools the
+        // consumer constructs against unrelated databases. Any future int8
+        // column that could legitimately exceed 2^53 (file sizes, byte
+        // offsets) will silently round; if one lands, localize via a
+        // per-pool `types` override instead of widening this global parser.
+        pg.types.setTypeParser(20, (val) => Number(val));
         const pool = new pg.Pool({ connectionString: database_url });
         const { db, close } = create_pg_db(pool);
         return {

package/dist/dev/setup.d.ts

@@ -51,7 +51,7 @@ export interface ResetDbResult {
 /** Options for `setup_env_file`. */
 export interface SetupEnvOptions {
     /**
-     * Extra env var replacements beyond the default `SECRET_COOKIE_KEYS`.
+     * Extra env var replacements beyond the default `SECRET_FUZ_COOKIE_KEYS`.
      *
      * Keys are env var names, values are async generators.
      * Replaces `^KEY=$` (empty value) patterns in the env file.
@@ -103,7 +103,7 @@ export declare const generate_random_key: (deps: CommandDeps) => Promise<string>
  */
 export declare const read_env_var: (deps: Pick<FsReadDeps, "stat" | "read_text_file">, env_path: string, name: string) => Promise<string | undefined>;
 /**
- * Create an env file from its example template, auto-generating `SECRET_COOKIE_KEYS`.
+ * Create an env file from its example template, auto-generating `SECRET_FUZ_COOKIE_KEYS`.
  *
  * If the file already exists, backfills any empty values that have generators.
  * Idempotent — safe to re-run.

package/dist/dev/setup.js

@@ -69,7 +69,7 @@ export const read_env_var = async (deps, env_path, name) => {
 };
 // === Setup helpers ===
 /**
- * Create an env file from its example template, auto-generating `SECRET_COOKIE_KEYS`.
+ * Create an env file from its example template, auto-generating `SECRET_FUZ_COOKIE_KEYS`.
  *
  * If the file already exists, backfills any empty values that have generators.
  * Idempotent — safe to re-run.
@@ -84,9 +84,9 @@ export const read_env_var = async (deps, env_path, name) => {
 export const setup_env_file = async (deps, env_path, example_path, options) => {
     const log = options?.log ?? default_setup_logger;
     const set_permissions = options?.set_permissions;
-    // build the full replacement map (SECRET_COOKIE_KEYS + extras)
+    // build the full replacement map (SECRET_FUZ_COOKIE_KEYS + extras)
     const replacements = {
-        SECRET_COOKIE_KEYS: () => generate_random_key(deps),
+        SECRET_FUZ_COOKIE_KEYS: () => generate_random_key(deps),
         ...options?.replacements,
     };
     const stat = await deps.stat(env_path);