@fuzdev/fuz_app 0.67.1 → 0.69.0

package/dist/auth/role_grant_queries.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"role_grant_queries.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/role_grant_queries.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAC,IAAI,EAAC,MAAM,wBAAwB,CAAC;AAEjD,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,qBAAqB,CAAC;AACnD,OAAO,KAAK,EAAC,SAAS,EAAE,oBAAoB,EAAC,MAAM,qBAAqB,CAAC;AAMzE,OAAO,KAAK,EAAC,eAAe,EAAC,MAAM,8BAA8B,CAAC;AAElE;;;;;;;;;;;;;;;;;;;GAmBG;AACH,eAAO,MAAM,uBAAuB,GACnC,MAAM,SAAS,EACf,OAAO,oBAAoB,KACzB,OAAO,CAAC,SAAS,CAmCnB,CAAC;AAEF;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,eAAO,MAAM,2CAA2C,GACvD,MAAM,SAAS,EACf,eAAe,MAAM,EACrB,UAAU,MAAM,KACd,OAAO,CAAC;IAAC,IAAI,EAAE,MAAM,CAAC;IAAC,UAAU,EAAE,IAAI,CAAA;CAAC,GAAG,IAAI,CASjD,CAAC;AAEF,qHAAqH;AACrH,MAAM,WAAW,qBAAqB;IACrC,EAAE,EAAE,IAAI,CAAC;IACT,IAAI,EAAE,MAAM,CAAC;IACb,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,QAAQ,EAAE,IAAI,GAAG,IAAI,CAAC;IACtB;;;;;;;;OAQG;IACH,iBAAiB,EAAE,KAAK,CAAC,eAAe,CAAC,CAAC;CAC1C;AAED;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,eAAO,MAAM,uBAAuB,GACnC,MAAM,SAAS,EACf,eAAe,IAAI,EACnB,UAAU,IAAI,EACd,YAAY,IAAI,GAAG,IAAI,EACvB,SAAS,MAAM,GAAG,IAAI,KACpB,OAAO,CAAC,qBAAqB,GAAG,IAAI,CA+CtC,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,sCAAsC,GAClD,MAAM,SAAS,EACf,UAAU,MAAM,KACd,OAAO,CAAC,KAAK,CAAC,SAAS,CAAC,CAS1B,CAAC;AAEF;;;;;;;;;GASG;AACH,eAAO,MAAM,yBAAyB,GACrC,MAAM,SAAS,EACf,UAAU,MAAM,EAChB,MAAM,MAAM,EACZ,WAAW,MAAM,GAAG,IAAI,KACtB,OAAO,CAAC,OAAO,CAajB,CAAC;AAEF;;;;;;;;;;;;;;;;;;;GAmBG;AACH,eAAO,MAAM,6BAA6B,GACzC,MAAM,SAAS,EACf,YAAY,MAAM,EAClB,MAAM,MAAM,KACV,OAAO,CAAC,OAAO,CAajB,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,+BAA+B,GAC3C,MAAM,SAAS,EACf,UAAU,MAAM,KACd,OAAO,CAAC,KAAK,CAAC,SAAS,CAAC,CAK1B,CAAC;AAEF;;;;;;;;GAQG;AACH,eAAO,MAAM,yCAAyC,GACrD,MAAM,SAAS,EACf,MAAM,MAAM,KACV,OAAO,CAAC,MAAM,GAAG,IAAI,CAavB,CAAC;AAEF,8IAA8I;AAC9I,MAAM,WAAW,oBAAoB;IACpC;;;;;;;;OAQG;IACH,OAAO,EAAE,KAAK,CAAC;QACd,aAAa,EAAE,IAAI,CAAC;QACpB,IAAI,EAAE,MAAM,CAAC;QACb,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;QAC1B,QAAQ,EAAE,IAAI,CAAC;QACf,QAAQ,EAAE,IAAI,CAAC;QACf,UAAU,EAAE,IAAI,CAAC;KACjB,CAAC,CAAC;IACH;;;;;;;;;;OAUG;IACH,iBAAiB,EAAE,KAAK,CAAC,eAAe,CAAC,CAAC;CAC1C;AAED;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,eAAO,MAAM,iCAAiC,GAC7C,MAAM,SAAS,EACf,UAAU,IAAI,EACd,YAAY,IAAI,GAAG,IAAI,EACvB,SAAS,MAAM,GAAG,IAAI,KACpB,OAAO,CAAC,oBAAoB,CA8C9B,CAAC;AAEF,iIAAiI;AACjI,MAAM,WAAW,gBAAgB;IAChC;;;;OAIG;IACH,OAAO,EAAE,KAAK,CAAC;QACd,aAAa,EAAE,MAAM,CAAC;QACtB,IAAI,EAAE,MAAM,CAAC;QACb,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;QAC1B,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;QACxB,UAAU,EAAE,MAAM,CAAC;KACnB,CAAC,CAAC;IACH;;;;;OAKG;IACH,iBAAiB,EAAE,KAAK,CAAC,eAAe,CAAC,CAAC;CAC1C;AAED;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,eAAO,MAAM,4BAA4B,GACxC,MAAM,SAAS,EACf,UAAU,MAAM,EAChB,MAAM,MAAM,EACZ,YAAY,MAAM,GAAG,IAAI,EACzB,SAAS,MAAM,GAAG,IAAI,KACpB,OAAO,CAAC,gBAAgB,CA4C1B,CAAC"}
+{"version":3,"file":"role_grant_queries.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/role_grant_queries.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAC,IAAI,EAAC,MAAM,wBAAwB,CAAC;AAEjD,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,qBAAqB,CAAC;AACnD,OAAO,KAAK,EAAC,SAAS,EAAE,oBAAoB,EAAC,MAAM,qBAAqB,CAAC;AAMzE,OAAO,KAAK,EAAC,eAAe,EAAC,MAAM,8BAA8B,CAAC;AAElE;;;;;;;;;;;;;;;;;;;GAmBG;AACH,eAAO,MAAM,uBAAuB,GACnC,MAAM,SAAS,EACf,OAAO,oBAAoB,KACzB,OAAO,CAAC,SAAS,CAmCnB,CAAC;AAEF;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,eAAO,MAAM,2CAA2C,GACvD,MAAM,SAAS,EACf,eAAe,MAAM,EACrB,UAAU,MAAM,KACd,OAAO,CAAC;IAAC,IAAI,EAAE,MAAM,CAAC;IAAC,UAAU,EAAE,IAAI,CAAA;CAAC,GAAG,IAAI,CASjD,CAAC;AAEF,qHAAqH;AACrH,MAAM,WAAW,qBAAqB;IACrC,EAAE,EAAE,IAAI,CAAC;IACT,IAAI,EAAE,MAAM,CAAC;IACb,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,QAAQ,EAAE,IAAI,GAAG,IAAI,CAAC;IACtB;;;;;;;;OAQG;IACH,iBAAiB,EAAE,KAAK,CAAC,eAAe,CAAC,CAAC;CAC1C;AAED;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,eAAO,MAAM,uBAAuB,GACnC,MAAM,SAAS,EACf,eAAe,IAAI,EACnB,UAAU,IAAI,EACd,YAAY,IAAI,GAAG,IAAI,EACvB,SAAS,MAAM,GAAG,IAAI,KACpB,OAAO,CAAC,qBAAqB,GAAG,IAAI,CA+CtC,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,sCAAsC,GAClD,MAAM,SAAS,EACf,UAAU,MAAM,KACd,OAAO,CAAC,KAAK,CAAC,SAAS,CAAC,CAS1B,CAAC;AAEF;;;;;;;;;GASG;AACH,eAAO,MAAM,yBAAyB,GACrC,MAAM,SAAS,EACf,UAAU,MAAM,EAChB,MAAM,MAAM,EACZ,WAAW,MAAM,GAAG,IAAI,KACtB,OAAO,CAAC,OAAO,CAajB,CAAC;AAEF;;;;;;;;;;;;;;;;;;;GAmBG;AACH,eAAO,MAAM,6BAA6B,GACzC,MAAM,SAAS,EACf,YAAY,MAAM,EAClB,MAAM,MAAM,KACV,OAAO,CAAC,OAAO,CAajB,CAAC;AAEF;;;;;;;;;;;;;;;;GAgBG;AACH,eAAO,MAAM,oCAAoC,GAChD,MAAM,SAAS,EACf,YAAY,MAAM,EAClB,MAAM,MAAM,KACV,OAAO,CAAC,OAAO,CAgBjB,CAAC;AAEF;;;;;;;;;;GAUG;AACH,eAAO,MAAM,4CAA4C,GACxD,MAAM,SAAS,EACf,MAAM,MAAM,KACV,OAAO,CAAC,MAAM,CAchB,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,+BAA+B,GAC3C,MAAM,SAAS,EACf,UAAU,MAAM,KACd,OAAO,CAAC,KAAK,CAAC,SAAS,CAAC,CAK1B,CAAC;AAEF;;;;;;;;GAQG;AACH,eAAO,MAAM,yCAAyC,GACrD,MAAM,SAAS,EACf,MAAM,MAAM,KACV,OAAO,CAAC,MAAM,GAAG,IAAI,CAavB,CAAC;AAEF,8IAA8I;AAC9I,MAAM,WAAW,oBAAoB;IACpC;;;;;;;;OAQG;IACH,OAAO,EAAE,KAAK,CAAC;QACd,aAAa,EAAE,IAAI,CAAC;QACpB,IAAI,EAAE,MAAM,CAAC;QACb,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;QAC1B,QAAQ,EAAE,IAAI,CAAC;QACf,QAAQ,EAAE,IAAI,CAAC;QACf,UAAU,EAAE,IAAI,CAAC;KACjB,CAAC,CAAC;IACH;;;;;;;;;;OAUG;IACH,iBAAiB,EAAE,KAAK,CAAC,eAAe,CAAC,CAAC;CAC1C;AAED;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,eAAO,MAAM,iCAAiC,GAC7C,MAAM,SAAS,EACf,UAAU,IAAI,EACd,YAAY,IAAI,GAAG,IAAI,EACvB,SAAS,MAAM,GAAG,IAAI,KACpB,OAAO,CAAC,oBAAoB,CA8C9B,CAAC;AAEF,iIAAiI;AACjI,MAAM,WAAW,gBAAgB;IAChC;;;;OAIG;IACH,OAAO,EAAE,KAAK,CAAC;QACd,aAAa,EAAE,MAAM,CAAC;QACtB,IAAI,EAAE,MAAM,CAAC;QACb,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;QAC1B,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;QACxB,UAAU,EAAE,MAAM,CAAC;KACnB,CAAC,CAAC;IACH;;;;;OAKG;IACH,iBAAiB,EAAE,KAAK,CAAC,eAAe,CAAC,CAAC;CAC1C;AAED;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,eAAO,MAAM,4BAA4B,GACxC,MAAM,SAAS,EACf,UAAU,MAAM,EAChB,MAAM,MAAM,EACZ,YAAY,MAAM,GAAG,IAAI,EACzB,SAAS,MAAM,GAAG,IAAI,KACpB,OAAO,CAAC,gBAAgB,CA4C1B,CAAC"}

package/dist/auth/role_grant_queries.js

@@ -211,6 +211,60 @@ export const query_account_has_global_role = async (deps, account_id, role) => {
 		 ) AS exists`, [account_id, role]);
     return row?.exists ?? false;
 };
+/**
+ * Like `query_account_has_global_role`, but only counts the grant when the
+ * **account itself is active** (`deleted_at IS NULL`). Used by the last-admin
+ * branch of the removability guard: a soft-deleted admin can't log in and is
+ * excluded from `query_count_active_accounts_with_global_role`, so the guard
+ * must use the same active-account predicate when testing whether the *target*
+ * is an admin — otherwise removing an already-tombstoned admin is falsely
+ * blocked as `cannot_delete_last_admin` even though it can't lower the active
+ * count. The keeper branch deliberately uses the unconditional
+ * `query_account_has_global_role` (a keeper is never removable regardless of
+ * tombstone state).
+ *
+ * @param deps - query dependencies
+ * @param account_id - the account to check
+ * @param role - the role to check for (e.g. `ROLE_ADMIN`)
+ * @returns `true` if the account is active and any of its actors holds an active global `role` grant
+ */
+export const query_account_has_active_global_role = async (deps, account_id, role) => {
+    const row = await deps.db.query_one(`SELECT EXISTS(
+			SELECT 1 FROM role_grant rg
+			JOIN actor act ON act.id = rg.actor_id
+			JOIN account a ON a.id = act.account_id
+			WHERE a.id = $1
+			  AND a.deleted_at IS NULL
+			  AND rg.role = $2
+			  AND rg.scope_id IS NULL
+			  AND rg.revoked_at IS NULL
+			  AND (rg.expires_at IS NULL OR rg.expires_at > NOW())
+		 ) AS exists`, [account_id, role]);
+    return row?.exists ?? false;
+};
+/**
+ * Count **active** accounts (`deleted_at IS NULL`) holding an active global
+ * role_grant for `role`. Used by the last-admin guard on `account_delete` /
+ * `account_purge`: a soft-deleted account's admin grant isn't revoked, so a
+ * plain grant count would include tombstoned (unusable) admins — this joins
+ * `account` and excludes them, counting only admins that can actually log in.
+ *
+ * @param deps - query dependencies
+ * @param role - the role to count (e.g. `ROLE_ADMIN`)
+ * @returns the number of distinct active accounts with an active global `role` grant
+ */
+export const query_count_active_accounts_with_global_role = async (deps, role) => {
+    const row = await deps.db.query_one(`SELECT COUNT(DISTINCT a.id) AS count
+		 FROM account a
+		 JOIN actor act ON act.account_id = a.id
+		 JOIN role_grant rg ON rg.actor_id = act.id
+		 WHERE a.deleted_at IS NULL
+		   AND rg.role = $1
+		   AND rg.scope_id IS NULL
+		   AND rg.revoked_at IS NULL
+		   AND (rg.expires_at IS NULL OR rg.expires_at > NOW())`, [role]);
+    return Number(row?.count ?? 0);
+};
 /**
  * List all role_grants for an actor (including revoked/expired).
  */

package/dist/auth/signup_routes.d.ts

@@ -11,7 +11,6 @@ import { z } from 'zod';
 import { type RouteSpec } from '../http/route_spec.js';
 import { type RateLimiter } from '../rate_limiter.js';
 import type { RouteFactoryDeps } from './deps.js';
-import type { AppSettings } from './app_settings_schema.js';
 import type { AuthSessionRouteOptions } from './account_routes.js';
 /**
  * Default minimum wall-clock time (ms) for a signup denial (403 / 409) response.
@@ -40,8 +39,6 @@ export declare const DEFAULT_SIGNUP_FAIL_JITTER_MS = 25;
 export interface SignupRouteOptions extends AuthSessionRouteOptions {
     /** Rate limiter for signup attempts, keyed by submitted username. Pass `null` to disable. */
     signup_account_rate_limiter: RateLimiter | null;
-    /** Mutable ref to app settings — when `open_signup` is true, invite check is skipped. */
-    app_settings: AppSettings;
     /**
      * Minimum wall-clock time (ms) for signup denial responses (403 / 409).
      * Set to `0` or a negative number to disable (e.g., in tests). Default

package/dist/auth/signup_routes.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"signup_routes.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/signup_routes.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAatB,OAAO,EAAkB,KAAK,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAEtE,OAAO,EAA+B,KAAK,WAAW,EAAC,MAAM,oBAAoB,CAAC;AAClF,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,WAAW,CAAC;AAOhD,OAAO,KAAK,EAAC,WAAW,EAAC,MAAM,0BAA0B,CAAC;AAE1D,OAAO,KAAK,EAAC,uBAAuB,EAAC,MAAM,qBAAqB,CAAC;AAEjE;;;;;;;;;;GAUG;AACH,eAAO,MAAM,4BAA4B,MAAM,CAAC;AAEhD;;;;;;;GAOG;AACH,eAAO,MAAM,6BAA6B,KAAK,CAAC;AAQhD;;GAEG;AACH,MAAM,WAAW,kBAAmB,SAAQ,uBAAuB;IAClE,6FAA6F;IAC7F,2BAA2B,EAAE,WAAW,GAAG,IAAI,CAAC;IAChD,yFAAyF;IACzF,YAAY,EAAE,WAAW,CAAC;IAC1B;;;;OAIG;IACH,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAC9B;;;;OAIG;IACH,qBAAqB,CAAC,EAAE,MAAM,CAAC;CAC/B;AAID,0FAA0F;AAC1F,eAAO,MAAM,WAAW;;;;kBAItB,CAAC;AACH,MAAM,MAAM,WAAW,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,WAAW,CAAC,CAAC;AAEtD;;;;;;GAMG;AACH,eAAO,MAAM,YAAY;;;;;;;;;kBAIvB,CAAC;AACH,MAAM,MAAM,YAAY,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,YAAY,CAAC,CAAC;AAExD;;;;;;GAMG;AACH,eAAO,MAAM,yBAAyB,GACrC,MAAM,gBAAgB,EACtB,SAAS,kBAAkB,KACzB,KAAK,CAAC,SAAS,CAmLjB,CAAC"}
+{"version":3,"file":"signup_routes.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/signup_routes.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AActB,OAAO,EAAkB,KAAK,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAEtE,OAAO,EAA+B,KAAK,WAAW,EAAC,MAAM,oBAAoB,CAAC;AAClF,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,WAAW,CAAC;AAQhD,OAAO,KAAK,EAAC,uBAAuB,EAAC,MAAM,qBAAqB,CAAC;AAEjE;;;;;;;;;;GAUG;AACH,eAAO,MAAM,4BAA4B,MAAM,CAAC;AAEhD;;;;;;;GAOG;AACH,eAAO,MAAM,6BAA6B,KAAK,CAAC;AAQhD;;GAEG;AACH,MAAM,WAAW,kBAAmB,SAAQ,uBAAuB;IAClE,6FAA6F;IAC7F,2BAA2B,EAAE,WAAW,GAAG,IAAI,CAAC;IAChD;;;;OAIG;IACH,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAC9B;;;;OAIG;IACH,qBAAqB,CAAC,EAAE,MAAM,CAAC;CAC/B;AAID,0FAA0F;AAC1F,eAAO,MAAM,WAAW;;;;kBAItB,CAAC;AACH,MAAM,MAAM,WAAW,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,WAAW,CAAC,CAAC;AAEtD;;;;;;GAMG;AACH,eAAO,MAAM,YAAY;;;;;;;;;kBAIvB,CAAC;AACH,MAAM,MAAM,YAAY,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,YAAY,CAAC,CAAC;AAExD;;;;;;GAMG;AACH,eAAO,MAAM,yBAAyB,GACrC,MAAM,gBAAgB,EACtB,SAAS,kBAAkB,KACzB,KAAK,CAAC,SAAS,CAwLjB,CAAC"}

package/dist/auth/signup_routes.js

@@ -11,6 +11,7 @@ import { z } from 'zod';
 import { Uuid } from '@fuzdev/fuz_util/id.js';
 import { create_session_and_set_cookie } from './session_middleware.js';
 import { query_create_account_with_actor } from './account_queries.js';
+import { query_app_settings_load } from './app_settings_queries.js';
 import { query_invite_find_unclaimed_match_for_update, query_invite_claim_unscoped, } from './invite_queries.js';
 import { Username, Email } from '../primitive_schemas.js';
 import { Password } from './password.js';
@@ -74,7 +75,7 @@ export const SignupOutput = z.strictObject({
  */
 export const create_signup_route_specs = (deps, options) => {
     const { keyring, password } = deps;
-    const { session_options, ip_rate_limiter, signup_account_rate_limiter, app_settings, signup_fail_floor_ms = DEFAULT_SIGNUP_FAIL_FLOOR_MS, signup_fail_jitter_ms = DEFAULT_SIGNUP_FAIL_JITTER_MS, } = options;
+    const { session_options, ip_rate_limiter, signup_account_rate_limiter, signup_fail_floor_ms = DEFAULT_SIGNUP_FAIL_FLOOR_MS, signup_fail_jitter_ms = DEFAULT_SIGNUP_FAIL_JITTER_MS, } = options;
     return [
         {
             method: 'POST',
@@ -111,6 +112,11 @@ export const create_signup_route_specs = (deps, options) => {
                         return rate_limit_exceeded_response(c, check.retry_after);
                     }
                 }
+                // Load the open-signup toggle fresh from the DB on every
+                // request — the authoritative source, so multiple server
+                // processes never serve a stale in-memory value. Bounded by
+                // the per-IP + per-account rate limiters above.
+                const { open_signup } = await query_app_settings_load(route);
                 // Start the denial-time floor concurrently with failure work.
                 // Observed response time for 403 / 409 is `max(work, delay)`
                 // so the cheap `no_match` path (no Argon2, find returns
@@ -138,7 +144,7 @@ export const create_signup_route_specs = (deps, options) => {
                             reason,
                             ...(invite && { invite_id: invite.id }),
                             ...(email != null && { email }),
-                            ...(app_settings.open_signup && { open_signup: true }),
+                            ...(open_signup && { open_signup: true }),
                         },
                     });
                 };
@@ -153,7 +159,7 @@ export const create_signup_route_specs = (deps, options) => {
                         // loser's `find_for_update` returns no row (winner
                         // flipped `claimed_at`) and falls through to
                         // `ERROR_NO_MATCHING_INVITE`. No race window.
-                        if (!app_settings.open_signup) {
+                        if (!open_signup) {
                             invite = await query_invite_find_unclaimed_match_for_update(tx_deps, email ?? null, username);
                             if (!invite) {
                                 throw new NoMatchingInviteError();

package/dist/auth/standard_rpc_actions.d.ts

@@ -8,8 +8,8 @@
  * `create_account_actions`).
  *
  * Option routing: shared `roles` flows to both admin and role-grant-offer;
- * `app_settings` goes to admin only; `default_ttl_ms` and `authorize` go
- * to role-grant-offer only; `max_tokens` goes to account only;
+ * `default_ttl_ms` and `authorize` go to role-grant-offer only; `max_tokens`
+ * goes to account only;
  * shared `connection_closer` flows to admin + account (role-grant-offer ignores);
  * `notification_sender` reaches role-grant-offer transparently (admin + account
  * ignore it).
@@ -27,7 +27,7 @@ import type { RpcAction } from '../actions/action_rpc.js';
 /**
  * Options for `create_standard_rpc_actions`.
  *
- * Composes `AdminActionOptions` (`roles`, `app_settings`),
+ * Composes `AdminActionOptions` (`roles`),
  * `RoleGrantOfferActionOptions` (`roles`, `default_ttl_ms`, `authorize`), and
  * `AccountActionOptions` (`max_tokens`). `roles` is shared between admin
  * and role-grant-offer — the caller supplies it once and the helper threads
@@ -49,13 +49,13 @@ export interface StandardRpcActionsDeps extends Pick<RouteFactoryDeps, 'log' | '
 /**
  * Build the combined admin + role-grant-offer + account RPC action set.
  *
- * Spreads `create_admin_actions(deps, {roles, app_settings})`,
+ * Spreads `create_admin_actions(deps, {roles})`,
  * `create_role_grant_offer_actions(deps, {roles, default_ttl_ms, authorize})`,
  * and `create_account_actions(deps, {max_tokens})`. The shared `roles`
  * option flows to admin + role-grant-offer.
  *
  * @param deps - `StandardRpcActionsDeps` (`log`, `audit` from `RouteFactoryDeps`; optional `notification_sender` for WS fan-out)
- * @param options - role schema, optional app-settings ref, role-grant-offer config, account config
+ * @param options - role schema, role-grant-offer config, account config
  * @returns RPC actions to pass as `rpc_endpoints` or spread into `create_rpc_endpoint`
  */
 export declare const create_standard_rpc_actions: (deps: StandardRpcActionsDeps, options?: StandardRpcActionsOptions) => Array<RpcAction>;

package/dist/auth/standard_rpc_actions.js

@@ -8,8 +8,8 @@
  * `create_account_actions`).
  *
  * Option routing: shared `roles` flows to both admin and role-grant-offer;
- * `app_settings` goes to admin only; `default_ttl_ms` and `authorize` go
- * to role-grant-offer only; `max_tokens` goes to account only;
+ * `default_ttl_ms` and `authorize` go to role-grant-offer only; `max_tokens`
+ * goes to account only;
  * shared `connection_closer` flows to admin + account (role-grant-offer ignores);
  * `notification_sender` reaches role-grant-offer transparently (admin + account
  * ignore it).
@@ -24,13 +24,13 @@ import { create_account_actions } from './account_actions.js';
 /**
  * Build the combined admin + role-grant-offer + account RPC action set.
  *
- * Spreads `create_admin_actions(deps, {roles, app_settings})`,
+ * Spreads `create_admin_actions(deps, {roles})`,
  * `create_role_grant_offer_actions(deps, {roles, default_ttl_ms, authorize})`,
  * and `create_account_actions(deps, {max_tokens})`. The shared `roles`
  * option flows to admin + role-grant-offer.
  *
  * @param deps - `StandardRpcActionsDeps` (`log`, `audit` from `RouteFactoryDeps`; optional `notification_sender` for WS fan-out)
- * @param options - role schema, optional app-settings ref, role-grant-offer config, account config
+ * @param options - role schema, role-grant-offer config, account config
  * @returns RPC actions to pass as `rpc_endpoints` or spread into `create_rpc_endpoint`
  */
 export const create_standard_rpc_actions = (deps, options = {}) => [

package/dist/db/CLAUDE.md

@@ -0,0 +1,118 @@
+# db/
+
+> Database layer: the `Db` abstraction over pg + PGlite, the migration
+> runner, and the cell content-primitive schema + queries.
+
+For server assembly, `QueryDeps`, and migration-runner contract see the
+root ../../../CLAUDE.md and ../../../docs/architecture.md /
+../../../docs/migrations.md.
+
+**CLAUDE.md is a map; TSDoc is the detail.** Per-symbol semantics live on
+the code.
+
+## Generic db infrastructure
+
+- `db.ts` — `Db` abstraction over pg + PGlite, `query` / `query_one` /
+  `transaction`, `no_nested_transaction` guard.
+- `create_db.ts` — URL-based driver auto-detection (`postgres` /
+  `pglite-file` / `pglite-memory`); registers the int8 parser so
+  `BIGSERIAL` columns read as JS numbers.
+- `db_pg.ts` / `db_pglite.ts` — driver adapters.
+- `migrate.ts` — advisory-lock migration runner (`run_migrations`,
+  `baseline`), `Migration` / `MigrationNamespace` / `MigrationError`.
+- `query_deps.ts` — `QueryDeps = {db}`, the first param to every `query_*`.
+- `assert_row.ts` — `assert_row(row, context)` for INSERT … RETURNING.
+- `pg_error.ts` — `is_pg_unique_violation` (Postgres `23505`).
+- `sql_identifier.ts` — `assert_valid_sql_identifier`.
+- `status.ts` — CLI DB status utility.
+
+## Cell layer
+
+The universal mutable content primitive: a single `cell` table whose `data`
+JSONB is interpreted by view shape, with normalized relation + ACL sibling
+tables. `cell.refs` carries `blake3:` fact hashes auto-extracted from `data`
+on every write (cells-by-fact discovery). `path` is the **global** namespace
+axis — no tenant/hub scoping; globally unique on active rows. Soft delete via
+`deleted_at`; most indexes are partial on `deleted_at IS NULL`.
+
+The wire schemas + RPC handlers + authz predicates for this layer live in
+`auth/` — see `auth/CLAUDE.md` §Cell layer. The DDL/query split here is:
+
+- **`cell_ddl.ts`** — `cell` + `cell_grant` + `cell_field` + `cell_item`
+  tables; single-migration `CELL_MIGRATION_NS` (namespace `fuz_cell`).
+  `cell.visibility cell_visibility NOT NULL DEFAULT 'private'` (PG ENUM
+  `('private', 'public')`) — a top-level access-control column, peer to
+  `cell_grant`, not a `data` field. Nullable `created_by` / `updated_by`
+  FKs to `actor` (NULL = system origin). GIN on `data` / `refs`; global
+  partial-unique on `path`.
+- **`cell_history_ddl.ts`** — dormant `cell_history` table
+  (`CELL_HISTORY_MIGRATION_NS`, namespace `fuz_cell_history`), FK → `cell.id`.
+  Ships present-but-unwritten; no snapshot lifecycle yet.
+- **`cell_queries.ts`** — `query_cell_create / get / get_by_path / update /
+delete`, `_list_by_data_kind / _list_by_creator / _list_by_ref`, the
+  generic `query_cell_list` (filter + SQL-side visibility predicate mirroring
+  `can_view_cell`), and `query_cell_load_many` (bulk id load, no visibility
+  filter — feeds the strict relation-read filter). `cell.refs` derived from
+  `data` via `extract_refs` on create/update. `CellRow.grant_count` is a
+  derived projection (correlated subquery on `idx_cell_grant_cell`).
+- **`cell_grant_queries.ts`** — resource-side ACL: `query_cell_grant_create`
+  (UPSERT on the partial unique index, actor- vs role-shaped principal),
+  `_get`, `_delete` (returns deleted row), `_list_for_cell`,
+  `_list_for_cells` (bulk, for the relation-read filter), and
+  `query_cell_grants_for_caller_in_cells` (caller-matched enrichment for
+  `shared_with: 'me'`).
+- **`cell_field_queries.ts`** — named relations (`(source_id, name) →
+target_id`): `query_cell_field_set` (UPSERT), `_get`, `_delete`,
+  `_list_for_source` (`{limit, name_after}`), `_list_for_target`. Reads JOIN
+  cell with `deleted_at IS NULL` so dangling relations don't surface.
+- **`cell_item_queries.ts`** — ordered children (`(parent_id, position) →
+child_id`, fractional-index keyed): `query_cell_item_insert` (throws
+  `23505` on collision), `_get`, `_move`, `_delete`, `_list_for_parent`
+  (`{limit, position_after}`), `_list_for_child`. Same soft-delete JOIN.
+- **`cell_audit_queries.ts`** — `query_audit_log_list_by_cell`: matches
+  `audit_log` rows whose `metadata` names the cell on any of six cell-domain
+  keys (`cell_id` / `source_id` / `new_id` / `parent_id` / `child_id` /
+  `target_id`), bitmap-OR over the metadata GIN.
+
+## Fact layer
+
+Content-addressed byte store. Cells reference facts by blake3 hash
+(`cell.refs`, auto-extracted from `data`); the fact layer stores the bytes.
+Optional — minimal consumers never migrate it.
+
+- **`fact_ddl.ts`** — `facts` (content-addressed bytes: embedded `bytes` xor
+  `external_url`, CHECK enforces exactly one) + `fact_refs` (declared
+  dependency edges; `target_hash` deliberately not an FK, for federation) +
+  `memos` (`(fn_id, input_hash) → output_hash`). `FACT_MIGRATION_NS`, namespace
+  `fuz_facts`.
+- **`fact_queries.ts`** — mechanical `query_put_fact` (idempotent `ON CONFLICT
+DO NOTHING`), `_put_fact_refs`, `_get_fact` / `_get_fact_meta` / `_has_fact`
+  / `_get_fact_refs`, `_delete_fact` (returns `{size, external_url}` for
+  external unlink), and the cell-coupled orphan queries `query_orphan_facts_list`
+  / `_select_for_delete` (a fact is orphan when no active `cell.refs` names it).
+- **`fact_store.ts`** — `PgFactStore implements FactStore` (the interface lives
+  in `@fuzdev/fuz_util/fact_store.js`): embedded-vs-`put_ref` split by
+  `embedded_threshold`, JSON ref auto-extract, idempotent put, verify-on-read
+  for external content via an injected `FactExternalFetcher`. The filesystem
+  fetcher + write/serve plumbing live under `server/` (`file_fact_url.ts`,
+  `file_fact_fetcher.ts`, `fact_write.ts`, `serve_fact_route.ts`).
+
+### Migration namespace order
+
+FK dependency dictates order; consumers register via `migration_namespaces`
+on `create_app_backend` (after the built-in `fuz_auth` namespace). The fact
+namespace is independent (no FK to cell) but conventionally sits between cell
+and cell_history:
+
+```
+auth_migration_ns (built-in, fuz_auth)
+  → CELL_MIGRATION_NS        (fuz_cell — FKs actor.id)
+  → FACT_MIGRATION_NS        (fuz_facts — no external FK; optional)
+  → CELL_HISTORY_MIGRATION_NS (fuz_cell_history — FKs cell.id)
+```
+
+### Pre-stable migration policy
+
+Pre-stable: when an introducing migration needs to change shape, **rewrite
+the original in place** rather than appending a follow-up — consumers
+re-bootstrap dev DBs on upgrade. See ../../../docs/migrations.md.

package/dist/db/cell_audit_queries.d.ts

@@ -0,0 +1,26 @@
+/**
+ * Audit-log query for the per-cell timeline. Matches rows whose
+ * `metadata` jsonb names the cell on any of the keys used by cell-domain
+ * event envelopes — `cell_id` (cell mutations + grants), `source_id` /
+ * `new_id` (clone), `source_id` / `target_id` (cell_field events),
+ * `parent_id` / `child_id` (cell_item events).
+ *
+ * Each `metadata @> '{...}'::jsonb` clause hits the existing GIN on
+ * `audit_log.metadata`; Postgres bitmap-ORs the index scans together.
+ *
+ * @module
+ */
+import type { QueryDeps } from './query_deps.js';
+import type { AuditLogEvent } from '../auth/audit_log_schema.js';
+import type { Uuid } from '@fuzdev/fuz_util/id.js';
+export interface CellAuditListOptions {
+    limit: number;
+    /** Cursor — return rows with `seq < before`. */
+    before?: number;
+}
+/**
+ * Fetch audit rows mentioning `cell_id` on any cell-domain metadata key.
+ * Ordered newest-first by `seq` for cursor pagination through `before`.
+ */
+export declare const query_audit_log_list_by_cell: (deps: QueryDeps, cell_id: Uuid, options: CellAuditListOptions) => Promise<Array<AuditLogEvent>>;
+//# sourceMappingURL=cell_audit_queries.d.ts.map

package/dist/db/cell_audit_queries.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cell_audit_queries.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/db/cell_audit_queries.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,iBAAiB,CAAC;AAC/C,OAAO,KAAK,EAAC,aAAa,EAAC,MAAM,6BAA6B,CAAC;AAC/D,OAAO,KAAK,EAAC,IAAI,EAAC,MAAM,wBAAwB,CAAC;AAoBjD,MAAM,WAAW,oBAAoB;IACpC,KAAK,EAAE,MAAM,CAAC;IACd,gDAAgD;IAChD,MAAM,CAAC,EAAE,MAAM,CAAC;CAChB;AAED;;;GAGG;AACH,eAAO,MAAM,4BAA4B,GACxC,MAAM,SAAS,EACf,SAAS,IAAI,EACb,SAAS,oBAAoB,KAC3B,OAAO,CAAC,KAAK,CAAC,aAAa,CAAC,CAwB9B,CAAC"}

package/dist/db/cell_audit_queries.js

@@ -0,0 +1,53 @@
+/**
+ * Audit-log query for the per-cell timeline. Matches rows whose
+ * `metadata` jsonb names the cell on any of the keys used by cell-domain
+ * event envelopes — `cell_id` (cell mutations + grants), `source_id` /
+ * `new_id` (clone), `source_id` / `target_id` (cell_field events),
+ * `parent_id` / `child_id` (cell_item events).
+ *
+ * Each `metadata @> '{...}'::jsonb` clause hits the existing GIN on
+ * `audit_log.metadata`; Postgres bitmap-ORs the index scans together.
+ *
+ * @module
+ */
+/**
+ * Metadata-jsonb keys cell-domain events use to name the cell. This
+ * array is the **only** source these key strings can come from —
+ * `query_audit_log_list_by_cell` interpolates them directly into
+ * `jsonb_build_object('<key>', ...)` (no SQL parameterization), so
+ * any caller-controllable input here would be a SQL injection. The
+ * list is frozen alongside the audit metadata envelopes; extending it
+ * means extending those envelopes too.
+ */
+const CELL_AUDIT_METADATA_KEYS = [
+    'cell_id',
+    'source_id',
+    'new_id',
+    'parent_id',
+    'child_id',
+    'target_id',
+];
+/**
+ * Fetch audit rows mentioning `cell_id` on any cell-domain metadata key.
+ * Ordered newest-first by `seq` for cursor pagination through `before`.
+ */
+export const query_audit_log_list_by_cell = async (deps, cell_id, options) => {
+    const params = [];
+    let i = 1;
+    const cell_id_placeholder = `$${i++}`;
+    params.push(cell_id);
+    // One JSONB containment predicate per metadata key. The cell id is
+    // shared across all keys, so we reuse `$1` rather than allocating a
+    // fresh placeholder per clause — keeps the prepared statement plan
+    // stable and the param list small.
+    const containment_predicates = CELL_AUDIT_METADATA_KEYS.map((key) => `metadata @> jsonb_build_object('${key}', ${cell_id_placeholder}::text)`);
+    const conditions = [`(${containment_predicates.join(' OR ')})`];
+    if (options.before !== undefined) {
+        conditions.push(`seq < $${i++}`);
+        params.push(options.before);
+    }
+    const where = `WHERE ${conditions.join(' AND ')}`;
+    const limit_placeholder = `$${i++}`;
+    params.push(options.limit);
+    return deps.db.query(`SELECT * FROM audit_log ${where} ORDER BY seq DESC LIMIT ${limit_placeholder}`, params);
+};

package/dist/db/cell_ddl.d.ts

@@ -0,0 +1,151 @@
+/**
+ * Cell PG schema.
+ *
+ * The universal content primitive: a single `cell` table whose `data` JSONB
+ * is interpreted by view shape. Parent→child membership and named
+ * relationships live in two sibling tables — `cell_item` (ordered
+ * children, fractional-indexing keyed) and `cell_field` (named edges).
+ * `refs text[]` carries `blake3:` fact hashes auto-extracted from `data`
+ * by application code on every write.
+ *
+ * Soft delete via `deleted_at`. Most indexes are partial on
+ * `deleted_at IS NULL` so active-cell queries skip tombstones.
+ *
+ * `path` is the global namespace axis — a partial unique index enforces
+ * uniqueness across all active rows (PostgreSQL UNIQUE constraints don't
+ * support WHERE clauses, so it's expressed as a partial unique index). It
+ * additionally filters on `deleted_at IS NULL` so a soft-deleted cell
+ * doesn't block reuse of its path. Path writes are admin-only at the
+ * action layer; user-namespaced paths are a future extension.
+ *
+ * **Ownership columns** (`created_by`, `updated_by`) are nullable FKs to
+ * `actor`: NULL = system origin (well-known cells, daemon/agent cells).
+ * The non-admin authz path treats NULL `created_by` as admin-only via an
+ * explicit equality check (`auth/cell_authorize.ts`).
+ *
+ * **Timestamp naming** (`created_at`, `updated_at`) aligns with fuz_app's
+ * `_at`-everywhere convention used by `account`, `actor`, `audit_log`,
+ * `role_grant`, etc.
+ *
+ * **Single-migration shape**: `cell_v0` creates the canonical
+ * cell + cell_grant + cell_field + cell_item layout in one shot from the
+ * live exported constants.
+ *
+ * @module
+ */
+import type { Migration, MigrationNamespace } from './migrate.js';
+/**
+ * `cell_visibility` enum — access-control axis for a cell. Lives as a
+ * top-level column (not inside `data`) because visibility is access
+ * control, not content metadata. `cell_grant` is the other ACL surface;
+ * keeping visibility as a peer column (not a JSON field) co-locates
+ * access-control state and lets the planner reason about it directly.
+ *
+ * Ships with two states (`'private'`, `'public'`); a third (unlisted /
+ * public-link) folds in via `ALTER TYPE` when public-link sharing lands.
+ *
+ * Wrapped in a `DO` block so the migration can replay idempotently —
+ * `CREATE TYPE` has no `IF NOT EXISTS` variant in PostgreSQL.
+ */
+export declare const CELL_VISIBILITY_TYPE = "\nDO $$ BEGIN\n\tCREATE TYPE cell_visibility AS ENUM ('private', 'public');\nEXCEPTION WHEN duplicate_object THEN NULL;\nEND $$";
+/**
+ * `cell` table — universal content primitive: identity + content only.
+ * Parent→child membership lives in `cell_item`; named relations live in
+ * `cell_field`. Includes the `created_by` / `updated_by` ownership columns.
+ *
+ * `visibility` is the access-control axis — `private` (default) is
+ * restricted to admin / owner / `cell_grant`-admitted callers; `public`
+ * admits everyone, including unauthenticated visitors. Lives as a
+ * top-level column so the auth predicate reads off the row directly
+ * rather than reaching into `data`.
+ *
+ * `path` is the global namespace axis (no tenant/hub scoping) — globally
+ * unique on active rows via `idx_cell_path_unique`.
+ */
+export declare const CELL_SCHEMA = "\nCREATE TABLE IF NOT EXISTS cell (\n\tid UUID PRIMARY KEY DEFAULT gen_random_uuid(),\n\tdata JSONB NOT NULL,\n\tvisibility cell_visibility NOT NULL DEFAULT 'private',\n\tpath TEXT,\n\trefs TEXT[],\n\tcreated_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),\n\tupdated_at TIMESTAMPTZ,\n\tdeleted_at TIMESTAMPTZ,\n\tcreated_by UUID REFERENCES actor(id) ON DELETE SET NULL,\n\tupdated_by UUID REFERENCES actor(id) ON DELETE SET NULL\n)";
+/**
+ * Cell indexes — all active-only, partial on `deleted_at IS NULL`.
+ *
+ * - `idx_cell_active`: active-cell list/scan ordered by creation.
+ * - `idx_cell_path_unique`: global `path` uniqueness + read-side path
+ *   lookup. Partial on path + active so reused paths after soft delete are
+ *   allowed.
+ * - `idx_cell_data`: shape-driven queries (`data ? 'kind'`, `data @> ...`).
+ * - `idx_cell_refs`: cells-by-fact discovery (cross-cell reference graph).
+ * - `idx_cell_created_by`: "cells this actor created" queries.
+ *
+ * Parent↔child membership and named relations live in sibling tables;
+ * see `CELL_ITEM_INDEXES` / `CELL_FIELD_INDEXES` below.
+ */
+export declare const CELL_INDEXES: Array<string>;
+/**
+ * `cell_grant` table — resource-side ACL for cells. Each row admits a
+ * principal (actor or `(role, scope_id)`) at a `level` (`viewer` or
+ * `editor`). Owner is implicit (`cell.created_by`); the table never carries
+ * owner rows.
+ *
+ * The single-principal arm is actor-grain (`actor_id` FK); the other arm is
+ * role-shaped (`(role, scope_id)`). The CHECK enforces exactly one arm.
+ */
+export declare const CELL_GRANT_SCHEMA = "\nCREATE TABLE IF NOT EXISTS cell_grant (\n\tid UUID PRIMARY KEY DEFAULT gen_random_uuid(),\n\tcell_id UUID NOT NULL REFERENCES cell(id) ON DELETE CASCADE,\n\tlevel TEXT NOT NULL CHECK (level IN ('viewer', 'editor')),\n\tactor_id UUID REFERENCES actor(id) ON DELETE CASCADE,\n\trole TEXT,\n\tscope_id UUID,\n\tgranted_by UUID REFERENCES actor(id) ON DELETE SET NULL,\n\tcreated_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),\n\tCHECK (\n\t\t(actor_id IS NOT NULL AND role IS NULL AND scope_id IS NULL) OR\n\t\t(actor_id IS NULL AND role IS NOT NULL)\n\t)\n)";
+/**
+ * `cell_grant` indexes.
+ *
+ * - `idx_cell_grant_cell`: forward lookup ("who has access to this cell?").
+ * - `idx_cell_grant_actor`: reverse lookup ("which cells does this actor have access to?").
+ * - `idx_cell_grant_role_scope`: reverse lookup for role-shaped principals.
+ * - `idx_cell_grant_unique_actor`: prevents duplicate actor-shaped grants for the same cell.
+ *   Re-granting updates `level` via UPSERT on this index.
+ * - `idx_cell_grant_unique_role_scope`: same, for role-shaped grants.
+ *   `NULLS NOT DISTINCT` so two rows with the same `(cell_id, role)` and
+ *   `scope_id IS NULL` collide — without it, default NULL-distinct
+ *   semantics would let duplicate null-scope role grants slip past the
+ *   re-share UPSERT path. Requires PostgreSQL 15+ (pglite tracks PG 16).
+ */
+export declare const CELL_GRANT_INDEXES: Array<string>;
+/**
+ * `cell_field` table — named relation (`(source_id, name) → target_id`).
+ * One target per name per source — JSON-object keys are unique. Multiplicity
+ * is expressed by composition (`foo.tags = collection_cell` whose `items[]`
+ * are the tags), not by allowing duplicate `(source_id, name)` rows.
+ */
+export declare const CELL_FIELD_SCHEMA = "\nCREATE TABLE IF NOT EXISTS cell_field (\n\tsource_id UUID NOT NULL REFERENCES cell(id) ON DELETE CASCADE,\n\tname TEXT NOT NULL,\n\ttarget_id UUID NOT NULL REFERENCES cell(id) ON DELETE CASCADE,\n\tcreated_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),\n\tPRIMARY KEY (source_id, name)\n)";
+/**
+ * `cell_field` indexes.
+ *
+ * - PK on `(source_id, name)` covers forward lookup ("what does this cell
+ *   point to via field X?") and the per-source fields list.
+ * - `idx_cell_field_target` covers reverse lookup ("which cells link to
+ *   this target?").
+ *
+ * Soft-delete is filtered by JOIN at the read boundary; no partial indexes
+ * here on `deleted_at` (would force index churn on cell soft-delete
+ * toggles, and the join filter is sufficient).
+ */
+export declare const CELL_FIELD_INDEXES: Array<string>;
+/**
+ * `cell_item` table — ordered child membership keyed by an opaque
+ * fractional-indexing string. `(parent_id, position)` PK enforces one cell
+ * per slot; the same `child_id` may appear at multiple positions (the
+ * primitive is JSON-array-shaped — ordered multiset, not set). Domain
+ * dedup rules ride on top in helpers.
+ */
+export declare const CELL_ITEM_SCHEMA = "\nCREATE TABLE IF NOT EXISTS cell_item (\n\tparent_id UUID NOT NULL REFERENCES cell(id) ON DELETE CASCADE,\n\tposition TEXT NOT NULL,\n\tchild_id UUID NOT NULL REFERENCES cell(id) ON DELETE CASCADE,\n\tcreated_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),\n\tPRIMARY KEY (parent_id, position)\n)";
+/**
+ * `cell_item` indexes.
+ *
+ * - PK on `(parent_id, position)` covers ordered scans for the per-parent
+ *   items list (`SELECT ... ORDER BY position`).
+ * - `idx_cell_item_child` covers reverse lookup ("which parents contain
+ *   this child?").
+ */
+export declare const CELL_ITEM_INDEXES: Array<string>;
+/** Tables created by `CELL_MIGRATION_NS`, in drop order (children first). */
+export declare const CELL_DROP_TABLES: readonly ["cell_field", "cell_item", "cell_grant", "cell"];
+/** Cell migrations. */
+export declare const CELL_MIGRATIONS: Array<Migration>;
+/** Namespace identifier for cell migrations. */
+export declare const CELL_MIGRATION_NAMESPACE = "fuz_cell";
+/** Migration namespace consumed by `run_migrations`. */
+export declare const CELL_MIGRATION_NS: MigrationNamespace;
+//# sourceMappingURL=cell_ddl.d.ts.map

package/dist/db/cell_ddl.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cell_ddl.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/db/cell_ddl.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAkCG;AAGH,OAAO,KAAK,EAAC,SAAS,EAAE,kBAAkB,EAAC,MAAM,cAAc,CAAC;AAEhE;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,oBAAoB,oIAI1B,CAAC;AAER;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,WAAW,4aAYtB,CAAC;AAEH;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,YAAY,EAAE,KAAK,CAAC,MAAM,CAYtC,CAAC;AAEF;;;;;;;;GAQG;AACH,eAAO,MAAM,iBAAiB,0iBAc5B,CAAC;AAEH;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,kBAAkB,EAAE,KAAK,CAAC,MAAM,CAW5C,CAAC;AAEF;;;;;GAKG;AACH,eAAO,MAAM,iBAAiB,+RAO5B,CAAC;AAEH;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,kBAAkB,EAAE,KAAK,CAAC,MAAM,CAE5C,CAAC;AAEF;;;;;;GAMG;AACH,eAAO,MAAM,gBAAgB,qSAO3B,CAAC;AAEH;;;;;;;GAOG;AACH,eAAO,MAAM,iBAAiB,EAAE,KAAK,CAAC,MAAM,CAG3C,CAAC;AAEF,6EAA6E;AAC7E,eAAO,MAAM,gBAAgB,4DAA6D,CAAC;AAE3F,uBAAuB;AACvB,eAAO,MAAM,eAAe,EAAE,KAAK,CAAC,SAAS,CAuB5C,CAAC;AAEF,gDAAgD;AAChD,eAAO,MAAM,wBAAwB,aAAa,CAAC;AAEnD,wDAAwD;AACxD,eAAO,MAAM,iBAAiB,EAAE,kBAG/B,CAAC"}