@fuzdev/fuz_app 0.67.1 → 0.68.0

package/dist/auth/cell_data_schema.js

@@ -0,0 +1,42 @@
+/**
+ * Generic cell-data base schema.
+ *
+ * The wire-side shape every cell consumer can read without per-kind
+ * knowledge: a permissive bag with three universally-relevant typed
+ * fields. Per-kind schemas extend this and narrow `kind` to a literal.
+ *
+ * Loose object: arbitrary additional fields pass through unvalidated,
+ * preserving the "unknown kinds ship without RPC churn" property. Per-kind
+ * shape enforcement is opt-in via the `validate_data` deps slot — see
+ * `cell_actions.ts`.
+ *
+ * **Discipline**: a field joins `CellData` only when at least two
+ * consumers in different domains read it generically. `kind` (editor
+ * dispatch + sub-API registry), `label` (list/index rendering), and
+ * `summary` (card subtitle + share-target description) meet this bar.
+ * Future candidates require evidence of generic usage — otherwise they
+ * stay per-kind.
+ *
+ * **Visibility is not in here.** Access control is a peer of `cell_grant`,
+ * not content metadata — `cell.visibility` lives as a top-level column on
+ * `CellJson` and `CellRow` (the `CellVisibility` enum is defined in
+ * `cell_action_specs.ts` next to the wire fields that use it), and is
+ * enforced by `can_view_cell` reading the column directly (no JSON dive).
+ *
+ * @module
+ */
+import { z } from 'zod';
+/**
+ * Base cell-data shape. All fields optional; loose mode admits arbitrary
+ * additional keys so apps can attach metadata or stage new kinds without
+ * touching the wire schema.
+ *
+ * `kind` is optional because cells without a registered kind are valid —
+ * admin-curated content, in-development types, or unknown shapes pass
+ * through. Known kinds get richer validation via the per-kind sub-API.
+ */
+export const CellData = z.looseObject({
+    kind: z.string().optional(),
+    label: z.string().optional(),
+    summary: z.string().optional(),
+});

package/dist/auth/cell_field_action_specs.d.ts

@@ -0,0 +1,244 @@
+/**
+ * Cell-field RPC specs — declarative contract for the three named-relation
+ * verbs (`set` / `delete` / `list`).
+ *
+ * `(source_id, name) → target_id` edges modeled after JSON object
+ * key/value pairs. One target per `(source_id, name)` pair: re-setting a
+ * name overwrites the prior target. `cell_field_list` is bidirectional:
+ * pass `source_id` for forward fields, `target_id` for reverse upfields
+ * (the latter has 2-layer authz — see handler).
+ *
+ * @module
+ */
+import { z } from 'zod';
+/** Error reason — `cell_field_list` got neither `source_id` nor `target_id`. */
+export declare const ERROR_CELL_FIELD_LIST_REQUIRES_SOURCE_OR_TARGET: "cell_field_list_requires_source_or_target";
+/**
+ * Field name grammar — fuz snake_case identifier convention. Anchored
+ * `^[a-z][a-z0-9_]{0,63}$`: leading letter, alphanumeric + underscore
+ * trailing, 64-char cap. No reserved names yet.
+ */
+export declare const CELL_FIELD_NAME_REGEX: RegExp;
+export declare const CellFieldName: z.core.$ZodBranded<z.ZodString, "CellFieldName", "out">;
+export type CellFieldName = z.infer<typeof CellFieldName>;
+/** Wire-format for a `cell_field` row. ISO `created_at`, branded UUIDs. */
+export declare const FieldJson: z.ZodObject<{
+    source_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+    name: z.ZodString;
+    target_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+    created_at: z.ZodString;
+}, z.core.$strict>;
+export type FieldJson = z.infer<typeof FieldJson>;
+/**
+ * Input for `cell_field_set`. UPSERT on `(source_id, name)` — re-issuing
+ * the same input updates `target_id` and bumps `created_at`.
+ */
+export declare const CellFieldSetInput: z.ZodObject<{
+    source_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+    name: z.core.$ZodBranded<z.ZodString, "CellFieldName", "out">;
+    target_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+    acting: z.ZodOptional<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+}, z.core.$strict>;
+export type CellFieldSetInput = z.infer<typeof CellFieldSetInput>;
+export declare const CellFieldSetOutput: z.ZodObject<{
+    field: z.ZodObject<{
+        source_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+        name: z.ZodString;
+        target_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+        created_at: z.ZodString;
+    }, z.core.$strict>;
+}, z.core.$strict>;
+export type CellFieldSetOutput = z.infer<typeof CellFieldSetOutput>;
+/**
+ * Input for `cell_field_delete`. Idempotent: a successful response is
+ * returned even when no row matched.
+ */
+export declare const CellFieldDeleteInput: z.ZodObject<{
+    source_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+    name: z.core.$ZodBranded<z.ZodString, "CellFieldName", "out">;
+    acting: z.ZodOptional<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+}, z.core.$strict>;
+export type CellFieldDeleteInput = z.infer<typeof CellFieldDeleteInput>;
+export declare const CellFieldDeleteOutput: z.ZodObject<{
+    ok: z.ZodLiteral<true>;
+    deleted: z.ZodBoolean;
+}, z.core.$strict>;
+export type CellFieldDeleteOutput = z.infer<typeof CellFieldDeleteOutput>;
+/**
+ * Input for `cell_field_list`. Pass `source_id` for forward fields or
+ * `target_id` for reverse upfields — exactly one (the schema rejects
+ * both / neither). Reverse listing has 2-layer authz (target view-check
+ * gates the call; per-source view-check filters the rows).
+ *
+ * Forward listing supports cursor pagination via `name_after` (return
+ * rows whose `name > name_after` lex). The reverse listing doesn't
+ * paginate (the result set is small in practice — number of sources
+ * pointing at a given target).
+ */
+export declare const CellFieldListInput: z.ZodObject<{
+    source_id: z.ZodOptional<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+    target_id: z.ZodOptional<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+    name_after: z.ZodOptional<z.core.$ZodBranded<z.ZodString, "CellFieldName", "out">>;
+    limit: z.ZodOptional<z.ZodNumber>;
+    acting: z.ZodOptional<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+}, z.core.$strict>;
+export type CellFieldListInput = z.infer<typeof CellFieldListInput>;
+export declare const CellFieldListOutput: z.ZodObject<{
+    fields: z.ZodArray<z.ZodObject<{
+        source_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+        name: z.ZodString;
+        target_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+        created_at: z.ZodString;
+    }, z.core.$strict>>;
+}, z.core.$strict>;
+export type CellFieldListOutput = z.infer<typeof CellFieldListOutput>;
+export declare const cell_field_set_action_spec: {
+    method: string;
+    kind: "request_response";
+    initiator: "frontend";
+    auth: {
+        account: "required";
+        actor: "required";
+    };
+    side_effects: true;
+    input: z.ZodObject<{
+        source_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+        name: z.core.$ZodBranded<z.ZodString, "CellFieldName", "out">;
+        target_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+        acting: z.ZodOptional<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+    }, z.core.$strict>;
+    output: z.ZodObject<{
+        field: z.ZodObject<{
+            source_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+            name: z.ZodString;
+            target_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+            created_at: z.ZodString;
+        }, z.core.$strict>;
+    }, z.core.$strict>;
+    async: true;
+    description: string;
+};
+export declare const cell_field_delete_action_spec: {
+    method: string;
+    kind: "request_response";
+    initiator: "frontend";
+    auth: {
+        account: "required";
+        actor: "required";
+    };
+    side_effects: true;
+    input: z.ZodObject<{
+        source_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+        name: z.core.$ZodBranded<z.ZodString, "CellFieldName", "out">;
+        acting: z.ZodOptional<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+    }, z.core.$strict>;
+    output: z.ZodObject<{
+        ok: z.ZodLiteral<true>;
+        deleted: z.ZodBoolean;
+    }, z.core.$strict>;
+    async: true;
+    description: string;
+};
+export declare const cell_field_list_action_spec: {
+    method: string;
+    kind: "request_response";
+    initiator: "frontend";
+    auth: {
+        account: "optional";
+        actor: "optional";
+    };
+    side_effects: false;
+    input: z.ZodObject<{
+        source_id: z.ZodOptional<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+        target_id: z.ZodOptional<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+        name_after: z.ZodOptional<z.core.$ZodBranded<z.ZodString, "CellFieldName", "out">>;
+        limit: z.ZodOptional<z.ZodNumber>;
+        acting: z.ZodOptional<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+    }, z.core.$strict>;
+    output: z.ZodObject<{
+        fields: z.ZodArray<z.ZodObject<{
+            source_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+            name: z.ZodString;
+            target_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+            created_at: z.ZodString;
+        }, z.core.$strict>>;
+    }, z.core.$strict>;
+    async: true;
+    rate_limit: "ip";
+    description: string;
+};
+/** All cell_field action specs — composed into `all_cell_action_specs`. */
+export declare const all_cell_field_action_specs: readonly [{
+    method: string;
+    kind: "request_response";
+    initiator: "frontend";
+    auth: {
+        account: "required";
+        actor: "required";
+    };
+    side_effects: true;
+    input: z.ZodObject<{
+        source_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+        name: z.core.$ZodBranded<z.ZodString, "CellFieldName", "out">;
+        target_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+        acting: z.ZodOptional<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+    }, z.core.$strict>;
+    output: z.ZodObject<{
+        field: z.ZodObject<{
+            source_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+            name: z.ZodString;
+            target_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+            created_at: z.ZodString;
+        }, z.core.$strict>;
+    }, z.core.$strict>;
+    async: true;
+    description: string;
+}, {
+    method: string;
+    kind: "request_response";
+    initiator: "frontend";
+    auth: {
+        account: "required";
+        actor: "required";
+    };
+    side_effects: true;
+    input: z.ZodObject<{
+        source_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+        name: z.core.$ZodBranded<z.ZodString, "CellFieldName", "out">;
+        acting: z.ZodOptional<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+    }, z.core.$strict>;
+    output: z.ZodObject<{
+        ok: z.ZodLiteral<true>;
+        deleted: z.ZodBoolean;
+    }, z.core.$strict>;
+    async: true;
+    description: string;
+}, {
+    method: string;
+    kind: "request_response";
+    initiator: "frontend";
+    auth: {
+        account: "optional";
+        actor: "optional";
+    };
+    side_effects: false;
+    input: z.ZodObject<{
+        source_id: z.ZodOptional<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+        target_id: z.ZodOptional<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+        name_after: z.ZodOptional<z.core.$ZodBranded<z.ZodString, "CellFieldName", "out">>;
+        limit: z.ZodOptional<z.ZodNumber>;
+        acting: z.ZodOptional<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+    }, z.core.$strict>;
+    output: z.ZodObject<{
+        fields: z.ZodArray<z.ZodObject<{
+            source_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+            name: z.ZodString;
+            target_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+            created_at: z.ZodString;
+        }, z.core.$strict>>;
+    }, z.core.$strict>;
+    async: true;
+    rate_limit: "ip";
+    description: string;
+}];
+//# sourceMappingURL=cell_field_action_specs.d.ts.map

package/dist/auth/cell_field_action_specs.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cell_field_action_specs.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/cell_field_action_specs.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAQtB,gFAAgF;AAChF,eAAO,MAAM,+CAA+C,EAC3D,2CAAoD,CAAC;AAItD;;;;GAIG;AACH,eAAO,MAAM,qBAAqB,QAA2B,CAAC;AAC9D,eAAO,MAAM,aAAa,yDAAiE,CAAC;AAC5F,MAAM,MAAM,aAAa,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,aAAa,CAAC,CAAC;AAE1D,2EAA2E;AAC3E,eAAO,MAAM,SAAS;;;;;kBAKpB,CAAC;AACH,MAAM,MAAM,SAAS,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,SAAS,CAAC,CAAC;AAIlD;;;GAGG;AACH,eAAO,MAAM,iBAAiB;;;;;kBAO5B,CAAC;AACH,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAC;AAElE,eAAO,MAAM,kBAAkB;;;;;;;kBAAqC,CAAC;AACrE,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAIpE;;;GAGG;AACH,eAAO,MAAM,oBAAoB;;;;kBAI/B,CAAC;AACH,MAAM,MAAM,oBAAoB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAC;AAExE,eAAO,MAAM,qBAAqB;;;kBAGhC,CAAC;AACH,MAAM,MAAM,qBAAqB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,qBAAqB,CAAC,CAAC;AAI1E;;;;;;;;;;GAUG;AACH,eAAO,MAAM,kBAAkB;;;;;;kBAoB5B,CAAC;AACJ,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAEpE,eAAO,MAAM,mBAAmB;;;;;;;kBAE9B,CAAC;AACH,MAAM,MAAM,mBAAmB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAC;AAItE,eAAO,MAAM,0BAA0B;;;;;;;;;;;;;;;;;;;;;;;;;CAWF,CAAC;AAEtC,eAAO,MAAM,6BAA6B;;;;;;;;;;;;;;;;;;;;CAWL,CAAC;AAEtC,eAAO,MAAM,2BAA2B;;;;;;;;;;;;;;;;;;;;;;;;;;;CAYH,CAAC;AAEtC,2EAA2E;AAC3E,eAAO,MAAM,2BAA2B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAI9B,CAAC"}

package/dist/auth/cell_field_action_specs.js

@@ -0,0 +1,136 @@
+/**
+ * Cell-field RPC specs — declarative contract for the three named-relation
+ * verbs (`set` / `delete` / `list`).
+ *
+ * `(source_id, name) → target_id` edges modeled after JSON object
+ * key/value pairs. One target per `(source_id, name)` pair: re-setting a
+ * name overwrites the prior target. `cell_field_list` is bidirectional:
+ * pass `source_id` for forward fields, `target_id` for reverse upfields
+ * (the latter has 2-layer authz — see handler).
+ *
+ * @module
+ */
+import { z } from 'zod';
+import { Uuid } from '@fuzdev/fuz_util/id.js';
+import { ActingActor } from '../http/auth_shape.js';
+// -- Error reasons ----------------------------------------------------------
+/** Error reason — `cell_field_list` got neither `source_id` nor `target_id`. */
+export const ERROR_CELL_FIELD_LIST_REQUIRES_SOURCE_OR_TARGET = 'cell_field_list_requires_source_or_target';
+// -- Shared schemas ---------------------------------------------------------
+/**
+ * Field name grammar — fuz snake_case identifier convention. Anchored
+ * `^[a-z][a-z0-9_]{0,63}$`: leading letter, alphanumeric + underscore
+ * trailing, 64-char cap. No reserved names yet.
+ */
+export const CELL_FIELD_NAME_REGEX = /^[a-z][a-z0-9_]{0,63}$/;
+export const CellFieldName = z.string().regex(CELL_FIELD_NAME_REGEX).brand('CellFieldName');
+/** Wire-format for a `cell_field` row. ISO `created_at`, branded UUIDs. */
+export const FieldJson = z.strictObject({
+    source_id: Uuid,
+    name: z.string(),
+    target_id: Uuid,
+    created_at: z.string(),
+});
+// -- cell_field_set ---------------------------------------------------------
+/**
+ * Input for `cell_field_set`. UPSERT on `(source_id, name)` — re-issuing
+ * the same input updates `target_id` and bumps `created_at`.
+ */
+export const CellFieldSetInput = z.strictObject({
+    source_id: Uuid.meta({ description: 'Cell whose field to set.' }),
+    name: CellFieldName.meta({
+        description: 'Field name. snake_case identifier; max 64 chars.',
+    }),
+    target_id: Uuid.meta({ description: 'Cell the field points at.' }),
+    acting: ActingActor,
+});
+export const CellFieldSetOutput = z.strictObject({ field: FieldJson });
+// -- cell_field_delete ------------------------------------------------------
+/**
+ * Input for `cell_field_delete`. Idempotent: a successful response is
+ * returned even when no row matched.
+ */
+export const CellFieldDeleteInput = z.strictObject({
+    source_id: Uuid.meta({ description: 'Cell whose field to delete.' }),
+    name: CellFieldName.meta({ description: 'Field name to delete.' }),
+    acting: ActingActor,
+});
+export const CellFieldDeleteOutput = z.strictObject({
+    ok: z.literal(true),
+    deleted: z.boolean(),
+});
+// -- cell_field_list --------------------------------------------------------
+/**
+ * Input for `cell_field_list`. Pass `source_id` for forward fields or
+ * `target_id` for reverse upfields — exactly one (the schema rejects
+ * both / neither). Reverse listing has 2-layer authz (target view-check
+ * gates the call; per-source view-check filters the rows).
+ *
+ * Forward listing supports cursor pagination via `name_after` (return
+ * rows whose `name > name_after` lex). The reverse listing doesn't
+ * paginate (the result set is small in practice — number of sources
+ * pointing at a given target).
+ */
+export const CellFieldListInput = z
+    .strictObject({
+    source_id: Uuid.optional().meta({
+        description: 'List forward fields whose source is this cell.',
+    }),
+    target_id: Uuid.optional().meta({
+        description: 'List reverse upfields whose target is this cell.',
+    }),
+    name_after: CellFieldName.optional().meta({
+        description: 'Cursor for forward pagination — return rows whose name > this lex. Forward only.',
+    }),
+    limit: z.number().int().positive().max(500).optional().meta({
+        description: 'Page size cap (max 500). Forward only. Omit for unbounded — explicit list calls escape the bundled `cell_get` cap.',
+    }),
+    acting: ActingActor,
+})
+    .refine((v) => Boolean(v.source_id) !== Boolean(v.target_id), {
+    message: ERROR_CELL_FIELD_LIST_REQUIRES_SOURCE_OR_TARGET,
+});
+export const CellFieldListOutput = z.strictObject({
+    fields: z.array(FieldJson),
+});
+// -- Action specs -----------------------------------------------------------
+export const cell_field_set_action_spec = {
+    method: 'cell_field_set',
+    kind: 'request_response',
+    initiator: 'frontend',
+    auth: { account: 'required', actor: 'required' },
+    side_effects: true,
+    input: CellFieldSetInput,
+    output: CellFieldSetOutput,
+    async: true,
+    description: 'Set a named relation `(source.name) → target`. UPSERT on `(source_id, name)`: re-pointing replaces in place. Caller must be able to edit `source` and view `target`; both gate via `can_edit_cell` / `can_view_cell`.',
+};
+export const cell_field_delete_action_spec = {
+    method: 'cell_field_delete',
+    kind: 'request_response',
+    initiator: 'frontend',
+    auth: { account: 'required', actor: 'required' },
+    side_effects: true,
+    input: CellFieldDeleteInput,
+    output: CellFieldDeleteOutput,
+    async: true,
+    description: 'Delete a named relation. Idempotent — `deleted: false` when no row matched. Caller must be able to edit `source`.',
+};
+export const cell_field_list_action_spec = {
+    method: 'cell_field_list',
+    kind: 'request_response',
+    initiator: 'frontend',
+    auth: { account: 'optional', actor: 'optional' },
+    side_effects: false,
+    input: CellFieldListInput,
+    output: CellFieldListOutput,
+    async: true,
+    rate_limit: 'ip',
+    description: 'List forward fields (pass `source_id`) or reverse upfields (pass `target_id`). Forward listing filters targets to those the caller may view (strict target-visibility). Reverse listing has 2-layer authz: gate on `can_view_cell(target)` first (404 otherwise), then filter rows by per-source `can_view_cell`. Per-IP rate-limited — symmetric with `cell_get` to bound public-surface id-walking.',
+};
+/** All cell_field action specs — composed into `all_cell_action_specs`. */
+export const all_cell_field_action_specs = [
+    cell_field_set_action_spec,
+    cell_field_delete_action_spec,
+    cell_field_list_action_spec,
+];

package/dist/auth/cell_field_actions.d.ts

@@ -0,0 +1,34 @@
+/**
+ * Cell-field RPC handlers.
+ *
+ * Three `request_response` actions bound to the specs in
+ * `./cell_field_action_specs.ts`:
+ *
+ * - `cell_field_set` — admin / owner / editor-grant on `source` may set;
+ *   `target` must be view-admitted (so a caller can't link to a cell they
+ *   couldn't otherwise see). Idempotent UPSERT on `(source_id, name)`.
+ * - `cell_field_delete` — admin / owner / editor-grant on `source`.
+ *   Idempotent: `deleted: false` when no row matched.
+ * - `cell_field_list` — bidirectional. Forward (pass `source_id`) is
+ *   gated on `can_view_cell(source)` and filters targets to those the
+ *   caller may view (strict target-visibility, batched). Reverse (pass
+ *   `target_id`) has 2-layer authz: gate on `can_view_cell(target)`
+ *   first, then filter rows by `can_view_cell(source)`.
+ *
+ * IDOR-mask 404s on cell-miss / cell-unviewable, mirroring the existence-
+ * leak guards in `cell_actions.ts` / `cell_grant_actions.ts`.
+ *
+ * Audit events `cell_field_set` / `cell_field_delete` carry IDs only —
+ * see `./cell_field_audit_metadata.ts`.
+ *
+ * @module
+ */
+import { type RpcAction } from '../actions/action_rpc.js';
+import type { RouteFactoryDeps } from './deps.js';
+import { type FieldJson } from './cell_field_action_specs.js';
+import { type CellFieldRow } from '../db/cell_field_queries.js';
+export type CellFieldActionDeps = Pick<RouteFactoryDeps, 'log' | 'audit'>;
+export declare const to_field_json: (row: CellFieldRow) => FieldJson;
+/** Create the three `cell_field_*` RPC actions. */
+export declare const create_cell_field_actions: (deps: CellFieldActionDeps) => Array<RpcAction>;
+//# sourceMappingURL=cell_field_actions.d.ts.map

package/dist/auth/cell_field_actions.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cell_field_actions.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/cell_field_actions.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AAEH,OAAO,EAIN,KAAK,SAAS,EACd,MAAM,0BAA0B,CAAC;AAElC,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,WAAW,CAAC;AAEhD,OAAO,EAUN,KAAK,SAAS,EACd,MAAM,8BAA8B,CAAC;AAMtC,OAAO,EAKN,KAAK,YAAY,EACjB,MAAM,6BAA6B,CAAC;AAMrC,MAAM,MAAM,mBAAmB,GAAG,IAAI,CAAC,gBAAgB,EAAE,KAAK,GAAG,OAAO,CAAC,CAAC;AAE1E,eAAO,MAAM,aAAa,GAAI,KAAK,YAAY,KAAG,SAKhD,CAAC;AAEH,mDAAmD;AACnD,eAAO,MAAM,yBAAyB,GAAI,MAAM,mBAAmB,KAAG,KAAK,CAAC,SAAS,CAmIpF,CAAC"}

package/dist/auth/cell_field_actions.js

@@ -0,0 +1,153 @@
+/**
+ * Cell-field RPC handlers.
+ *
+ * Three `request_response` actions bound to the specs in
+ * `./cell_field_action_specs.ts`:
+ *
+ * - `cell_field_set` — admin / owner / editor-grant on `source` may set;
+ *   `target` must be view-admitted (so a caller can't link to a cell they
+ *   couldn't otherwise see). Idempotent UPSERT on `(source_id, name)`.
+ * - `cell_field_delete` — admin / owner / editor-grant on `source`.
+ *   Idempotent: `deleted: false` when no row matched.
+ * - `cell_field_list` — bidirectional. Forward (pass `source_id`) is
+ *   gated on `can_view_cell(source)` and filters targets to those the
+ *   caller may view (strict target-visibility, batched). Reverse (pass
+ *   `target_id`) has 2-layer authz: gate on `can_view_cell(target)`
+ *   first, then filter rows by `can_view_cell(source)`.
+ *
+ * IDOR-mask 404s on cell-miss / cell-unviewable, mirroring the existence-
+ * leak guards in `cell_actions.ts` / `cell_grant_actions.ts`.
+ *
+ * Audit events `cell_field_set` / `cell_field_delete` carry IDs only —
+ * see `./cell_field_audit_metadata.ts`.
+ *
+ * @module
+ */
+import { rpc_action, } from '../actions/action_rpc.js';
+import { jsonrpc_errors } from '../http/jsonrpc_errors.js';
+import { cell_field_set_action_spec, cell_field_delete_action_spec, cell_field_list_action_spec, } from './cell_field_action_specs.js';
+import { ERROR_CELL_NOT_FOUND } from './cell_action_specs.js';
+import { can_view_cell, can_edit_cell } from './cell_authorize.js';
+import { filter_visible_target_ids } from './cell_relation_visibility.js';
+import { query_cell_get } from '../db/cell_queries.js';
+import { query_cell_grant_list_for_cell } from '../db/cell_grant_queries.js';
+import { query_cell_field_set, query_cell_field_delete, query_cell_field_list_for_source, query_cell_field_list_for_target, } from '../db/cell_field_queries.js';
+export const to_field_json = (row) => ({
+    source_id: row.source_id,
+    name: row.name,
+    target_id: row.target_id,
+    created_at: typeof row.created_at === 'string' ? row.created_at : row.created_at.toISOString(),
+});
+/** Create the three `cell_field_*` RPC actions. */
+export const create_cell_field_actions = (deps) => {
+    const set_handler = async (input, ctx) => {
+        const auth = ctx.auth;
+        const source = await query_cell_get(ctx, input.source_id);
+        if (!source) {
+            // IDOR mask: same code as cell_get's miss/unviewable.
+            throw jsonrpc_errors.not_found('cell', { reason: ERROR_CELL_NOT_FOUND });
+        }
+        const source_grants = await query_cell_grant_list_for_cell(ctx, source.id);
+        if (!can_edit_cell(auth, source, source_grants)) {
+            throw jsonrpc_errors.not_found('cell', { reason: ERROR_CELL_NOT_FOUND });
+        }
+        const target = await query_cell_get(ctx, input.target_id);
+        if (!target) {
+            throw jsonrpc_errors.not_found('cell', { reason: ERROR_CELL_NOT_FOUND });
+        }
+        // Target must be view-admitted — otherwise a caller could probe for
+        // the existence of private cells by trying to point a field at them
+        // (and observe whether the call 404s vs. succeeds).
+        const target_grants = await query_cell_grant_list_for_cell(ctx, target.id);
+        if (!can_view_cell(auth, target, target_grants)) {
+            throw jsonrpc_errors.not_found('cell', { reason: ERROR_CELL_NOT_FOUND });
+        }
+        const row = await query_cell_field_set(ctx, {
+            source_id: input.source_id,
+            name: input.name,
+            target_id: input.target_id,
+        });
+        deps.audit.emit(ctx, {
+            event_type: 'cell_field_set',
+            actor_id: auth.actor.id,
+            account_id: auth.account.id,
+            ip: ctx.client_ip,
+            metadata: {
+                source_id: row.source_id,
+                name: row.name,
+                target_id: row.target_id,
+            },
+        });
+        return { field: to_field_json(row) };
+    };
+    const delete_handler = async (input, ctx) => {
+        const auth = ctx.auth;
+        const source = await query_cell_get(ctx, input.source_id);
+        if (!source) {
+            throw jsonrpc_errors.not_found('cell', { reason: ERROR_CELL_NOT_FOUND });
+        }
+        const source_grants = await query_cell_grant_list_for_cell(ctx, source.id);
+        if (!can_edit_cell(auth, source, source_grants)) {
+            throw jsonrpc_errors.not_found('cell', { reason: ERROR_CELL_NOT_FOUND });
+        }
+        const deleted = await query_cell_field_delete(ctx, input.source_id, input.name);
+        if (deleted) {
+            deps.audit.emit(ctx, {
+                event_type: 'cell_field_delete',
+                actor_id: auth.actor.id,
+                account_id: auth.account.id,
+                ip: ctx.client_ip,
+                metadata: {
+                    source_id: deleted.source_id,
+                    name: deleted.name,
+                    target_id: deleted.target_id,
+                },
+            });
+        }
+        return { ok: true, deleted: deleted !== null };
+    };
+    const list_handler = async (input, ctx) => {
+        const auth = ctx.auth;
+        // Forward listing: gate on can_view_cell(source), then filter the
+        // targets to those the caller may view (strict target-visibility).
+        if (input.source_id !== undefined) {
+            const source = await query_cell_get(ctx, input.source_id);
+            if (!source) {
+                throw jsonrpc_errors.not_found('cell', { reason: ERROR_CELL_NOT_FOUND });
+            }
+            const source_grants = auth ? await query_cell_grant_list_for_cell(ctx, source.id) : null;
+            if (!can_view_cell(auth, source, source_grants)) {
+                throw jsonrpc_errors.not_found('cell', { reason: ERROR_CELL_NOT_FOUND });
+            }
+            const rows = await query_cell_field_list_for_source(ctx, source.id, {
+                limit: input.limit,
+                name_after: input.name_after,
+            });
+            const visible_targets = await filter_visible_target_ids(ctx, auth, rows.map((r) => r.target_id));
+            return { fields: rows.filter((r) => visible_targets.has(r.target_id)).map(to_field_json) };
+        }
+        // Reverse listing: 2-layer authz. First, can_view_cell(target).
+        // Without this, the count of returned rows leaks "at least N
+        // viewable cells link to this private target."
+        const target = await query_cell_get(ctx, input.target_id);
+        if (!target) {
+            throw jsonrpc_errors.not_found('cell', { reason: ERROR_CELL_NOT_FOUND });
+        }
+        const target_grants = auth ? await query_cell_grant_list_for_cell(ctx, target.id) : null;
+        if (!can_view_cell(auth, target, target_grants)) {
+            throw jsonrpc_errors.not_found('cell', { reason: ERROR_CELL_NOT_FOUND });
+        }
+        // Then filter rows by per-source can_view_cell. Batched (not N+1):
+        // one bulk visibility filter over all source ids, same as the forward
+        // branch. Bounded by `limit` at the query so a heavily inbound-linked
+        // target can't force an unbounded fetch on this public endpoint.
+        const rows = await query_cell_field_list_for_target(ctx, target.id, { limit: input.limit });
+        const visible_sources = await filter_visible_target_ids(ctx, auth, rows.map((r) => r.source_id));
+        return { fields: rows.filter((r) => visible_sources.has(r.source_id)).map(to_field_json) };
+    };
+    return [
+        rpc_action(cell_field_set_action_spec, set_handler),
+        rpc_action(cell_field_delete_action_spec, delete_handler),
+        rpc_action(cell_field_list_action_spec, list_handler),
+    ];
+};

package/dist/auth/cell_field_audit_metadata.d.ts

@@ -0,0 +1,30 @@
+/**
+ * Audit-log metadata schemas for `cell_field_set` / `cell_field_delete`.
+ *
+ * IDs only — same discipline as the cell + cell_grant envelopes (audit
+ * logs store references, not denormalized strings). Apps register these
+ * via `extra_events:` on `create_audit_log_config`.
+ *
+ * @module
+ */
+import { z } from 'zod';
+/**
+ * Metadata envelope for `cell_field_set`. Emitted on every successful
+ * create OR update path (UPSERT on `(source_id, name)`); the audit
+ * reader correlates create-vs-update via repeated `(source_id, name)`
+ * if needed.
+ */
+export declare const CellFieldSetAuditMetadata: z.ZodObject<{
+    source_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+    name: z.ZodString;
+    target_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+}, z.core.$loose>;
+export type CellFieldSetAuditMetadata = z.infer<typeof CellFieldSetAuditMetadata>;
+/** Metadata envelope for `cell_field_delete`. */
+export declare const CellFieldDeleteAuditMetadata: z.ZodObject<{
+    source_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+    name: z.ZodString;
+    target_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+}, z.core.$loose>;
+export type CellFieldDeleteAuditMetadata = z.infer<typeof CellFieldDeleteAuditMetadata>;
+//# sourceMappingURL=cell_field_audit_metadata.d.ts.map

package/dist/auth/cell_field_audit_metadata.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cell_field_audit_metadata.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/cell_field_audit_metadata.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAGtB;;;;;GAKG;AACH,eAAO,MAAM,yBAAyB;;;;iBAIpC,CAAC;AACH,MAAM,MAAM,yBAAyB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,yBAAyB,CAAC,CAAC;AAElF,iDAAiD;AACjD,eAAO,MAAM,4BAA4B;;;;iBAIvC,CAAC;AACH,MAAM,MAAM,4BAA4B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,4BAA4B,CAAC,CAAC"}