@fuzdev/fuz_app 0.71.1 → 0.72.1

package/dist/realtime/sse_auth_guard.d.ts

@@ -17,15 +17,23 @@ import type { SseStream, SseNotification, EventSpec } from './sse.js';
 /** SSE channel the audit-log stream route publishes on. */
 export declare const AUDIT_LOG_CHANNEL = "audit_log";
 /**
- * Audit event types that trigger SSE stream disconnection.
+ * Audit event types that trigger SSE stream disconnection — the union of
+ * access-invalidation events. Over-closing a one-way admin feed is cheap (the
+ * client reconnects if still authorized), so the SSE set is the full union.
  *
  * `role_grant_revoke` requires the revoked role to match the guard's `required_role`
  * (or is skipped entirely when `required_role` is `null` — useful for streams
- * not gated by any specific role_grant).
- * `session_revoke_all` and `password_change` close every stream for the target account.
+ * not gated by any specific role_grant). The WS half deliberately omits this
+ * event (per-message re-authorization picks role changes up there); a one-way
+ * SSE stream has no per-message recheck, so it must close here.
+ * `session_revoke_all` / `token_revoke_all` / `password_change` / `logout` close
+ * every stream for the target account.
  * `session_revoke` closes only the stream tied to the specific revoked session
  * (matched by the blake3 session hash in `event.metadata.session_id`) — closing
  * all of a user's streams for a single-session revoke would be over-aggressive.
+ * The single `token_revoke` the WS half handles is omitted: an SSE stream is
+ * opened under a cookie session, never an API token, so no stream is keyed by a
+ * single token id.
  */
 export declare const disconnect_event_types: ReadonlySet<string>;
 /**
@@ -33,8 +41,9 @@ export declare const disconnect_event_types: ReadonlySet<string>;
  *
  * Closes streams when:
  * - `role_grant_revoke` fires for the `required_role` targeting a connected subscriber
- * - `session_revoke_all` targets a connected subscriber (consistent invalidation)
- * - `password_change` targets a connected subscriber (sessions revoked implicitly)
+ * - `session_revoke` targets the specific revoked session (session-hash-scoped)
+ * - `session_revoke_all` / `token_revoke_all` / `password_change` / `logout`
+ *   target a connected subscriber (account-wide)
  *
  * The registry must use `account_id` as the identity key when subscribing
  * (passed as the third argument to `registry.subscribe()`).

package/dist/realtime/sse_auth_guard.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"sse_auth_guard.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/realtime/sse_auth_guard.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAEpD,OAAO,EAGN,KAAK,aAAa,EAClB,MAAM,6BAA6B,CAAC;AACrC,OAAO,EAAC,kBAAkB,EAAE,KAAK,gBAAgB,EAAC,MAAM,0BAA0B,CAAC;AACnF,OAAO,KAAK,EAAC,SAAS,EAAE,eAAe,EAAE,SAAS,EAAC,MAAM,UAAU,CAAC;AAEpE,2DAA2D;AAC3D,eAAO,MAAM,iBAAiB,cAAc,CAAC;AAE7C;;;;;;;;;;GAUG;AACH,eAAO,MAAM,sBAAsB,EAAE,WAAW,CAAC,MAAM,CAKrD,CAAC;AAEH;;;;;;;;;;;;;;;;;GAiBG;AACH,eAAO,MAAM,qBAAqB,GAAI,CAAC,EACtC,UAAU,kBAAkB,CAAC,CAAC,CAAC,EAC/B,eAAe,MAAM,GAAG,IAAI,EAC5B,KAAK,MAAM,KACT,CAAC,CAAC,KAAK,EAAE,aAAa,KAAK,IAAI,CA6CjC,CAAC;AAEF;;;;;GAKG;AACH,MAAM,WAAW,WAAW;IAC3B,8FAA8F;IAC9F,SAAS,EAAE,CAAC,MAAM,EAAE,SAAS,CAAC,eAAe,CAAC,EAAE,OAAO,CAAC,EAAE,gBAAgB,KAAK,MAAM,IAAI,CAAC;IAC1F,kFAAkF;IAClF,GAAG,EAAE,MAAM,CAAC;IACZ,yJAAyJ;IACzJ,cAAc,EAAE,CAAC,KAAK,EAAE,aAAa,KAAK,IAAI,CAAC;IAC/C,yEAAyE;IACzE,QAAQ,EAAE,kBAAkB,CAAC,eAAe,CAAC,CAAC;CAC9C;AAED;;;;;GAKG;AACH,eAAO,MAAM,qBAAqB,EAAE,KAAK,CAAC,SAAS,CAOlD,CAAC;AAEF;;;;;;;;;GASG;AACH,eAAO,MAAM,2BAA2B,KAAK,CAAC;AAE9C;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAmCG;AACH,eAAO,MAAM,oBAAoB,GAAI,SAAS;IAC7C,mEAAmE;IACnE,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,GAAG,EAAE,MAAM,CAAC;IACZ;;;;OAIG;IACH,aAAa,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CAC9B,KAAG,WAgBH,CAAC"}
+{"version":3,"file":"sse_auth_guard.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/realtime/sse_auth_guard.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAEpD,OAAO,EAGN,KAAK,aAAa,EAClB,MAAM,6BAA6B,CAAC;AACrC,OAAO,EAAC,kBAAkB,EAAE,KAAK,gBAAgB,EAAC,MAAM,0BAA0B,CAAC;AACnF,OAAO,KAAK,EAAC,SAAS,EAAE,eAAe,EAAE,SAAS,EAAC,MAAM,UAAU,CAAC;AAEpE,2DAA2D;AAC3D,eAAO,MAAM,iBAAiB,cAAc,CAAC;AAE7C;;;;;;;;;;;;;;;;;;GAkBG;AACH,eAAO,MAAM,sBAAsB,EAAE,WAAW,CAAC,MAAM,CAOrD,CAAC;AAEH;;;;;;;;;;;;;;;;;;GAkBG;AACH,eAAO,MAAM,qBAAqB,GAAI,CAAC,EACtC,UAAU,kBAAkB,CAAC,CAAC,CAAC,EAC/B,eAAe,MAAM,GAAG,IAAI,EAC5B,KAAK,MAAM,KACT,CAAC,CAAC,KAAK,EAAE,aAAa,KAAK,IAAI,CA6CjC,CAAC;AAEF;;;;;GAKG;AACH,MAAM,WAAW,WAAW;IAC3B,8FAA8F;IAC9F,SAAS,EAAE,CAAC,MAAM,EAAE,SAAS,CAAC,eAAe,CAAC,EAAE,OAAO,CAAC,EAAE,gBAAgB,KAAK,MAAM,IAAI,CAAC;IAC1F,kFAAkF;IAClF,GAAG,EAAE,MAAM,CAAC;IACZ,yJAAyJ;IACzJ,cAAc,EAAE,CAAC,KAAK,EAAE,aAAa,KAAK,IAAI,CAAC;IAC/C,yEAAyE;IACzE,QAAQ,EAAE,kBAAkB,CAAC,eAAe,CAAC,CAAC;CAC9C;AAED;;;;;GAKG;AACH,eAAO,MAAM,qBAAqB,EAAE,KAAK,CAAC,SAAS,CAOlD,CAAC;AAEF;;;;;;;;;GASG;AACH,eAAO,MAAM,2BAA2B,KAAK,CAAC;AAE9C;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAmCG;AACH,eAAO,MAAM,oBAAoB,GAAI,SAAS;IAC7C,mEAAmE;IACnE,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,GAAG,EAAE,MAAM,CAAC;IACZ;;;;OAIG;IACH,aAAa,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CAC9B,KAAG,WAgBH,CAAC"}

package/dist/realtime/sse_auth_guard.js

@@ -15,29 +15,40 @@ import { SubscriberRegistry } from './subscriber_registry.js';
 /** SSE channel the audit-log stream route publishes on. */
 export const AUDIT_LOG_CHANNEL = 'audit_log';
 /**
- * Audit event types that trigger SSE stream disconnection.
+ * Audit event types that trigger SSE stream disconnection — the union of
+ * access-invalidation events. Over-closing a one-way admin feed is cheap (the
+ * client reconnects if still authorized), so the SSE set is the full union.
  *
  * `role_grant_revoke` requires the revoked role to match the guard's `required_role`
  * (or is skipped entirely when `required_role` is `null` — useful for streams
- * not gated by any specific role_grant).
- * `session_revoke_all` and `password_change` close every stream for the target account.
+ * not gated by any specific role_grant). The WS half deliberately omits this
+ * event (per-message re-authorization picks role changes up there); a one-way
+ * SSE stream has no per-message recheck, so it must close here.
+ * `session_revoke_all` / `token_revoke_all` / `password_change` / `logout` close
+ * every stream for the target account.
  * `session_revoke` closes only the stream tied to the specific revoked session
  * (matched by the blake3 session hash in `event.metadata.session_id`) — closing
  * all of a user's streams for a single-session revoke would be over-aggressive.
+ * The single `token_revoke` the WS half handles is omitted: an SSE stream is
+ * opened under a cookie session, never an API token, so no stream is keyed by a
+ * single token id.
  */
 export const disconnect_event_types = new Set([
     'role_grant_revoke', // role revoked — user lost access
     'session_revoke', // single session revoked — close only that stream
     'session_revoke_all', // all sessions invalidated — user should be kicked
+    'token_revoke_all', // all API tokens invalidated — close the account's streams
     'password_change', // password changed — all sessions revoked implicitly
+    'logout', // explicit logout — close the account's streams
 ]);
 /**
  * Create an audit event handler that closes SSE streams on auth changes.
  *
  * Closes streams when:
  * - `role_grant_revoke` fires for the `required_role` targeting a connected subscriber
- * - `session_revoke_all` targets a connected subscriber (consistent invalidation)
- * - `password_change` targets a connected subscriber (sessions revoked implicitly)
+ * - `session_revoke` targets the specific revoked session (session-hash-scoped)
+ * - `session_revoke_all` / `token_revoke_all` / `password_change` / `logout`
+ *   target a connected subscriber (account-wide)
  *
  * The registry must use `account_id` as the identity key when subscribing
  * (passed as the third argument to `registry.subscribe()`).

package/dist/testing/cross_backend/sse_round_trip.d.ts

@@ -29,9 +29,9 @@ export interface CrossProcessSseTestOptions {
     readonly origin?: string;
 }
 /**
- * Register the cross-process SSE round-trip suite. Up to three cases over a
- * real streaming `fetch`: connected-comment, audit data frame, and
- * close-on-revoke.
+ * Register the cross-process SSE round-trip suite. Up to four cases over a
+ * real streaming `fetch`: connected-comment, audit data frame, account-wide
+ * close-on-revoke, and session-scoped close-on-revoke.
  */
 export declare const describe_cross_process_sse_tests: (options: CrossProcessSseTestOptions) => void;
 //# sourceMappingURL=sse_round_trip.d.ts.map

package/dist/testing/cross_backend/sse_round_trip.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"sse_round_trip.d.ts","sourceRoot":"../src/lib/","sources":["../../../src/lib/testing/cross_backend/sse_round_trip.ts"],"names":[],"mappings":"AAAA,OAAO,sBAAsB,CAAC;AA8C9B,OAAO,EAAC,KAAK,mBAAmB,EAAU,MAAM,mBAAmB,CAAC;AACpE,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,YAAY,CAAC;AAK1C,kEAAkE;AAClE,MAAM,WAAW,0BAA0B;IAC1C;;;;;;OAMG;IACH,QAAQ,CAAC,UAAU,EAAE,SAAS,CAAC;IAC/B,wEAAwE;IACxE,QAAQ,CAAC,YAAY,EAAE,mBAAmB,CAAC;IAC3C,2EAA2E;IAC3E,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,6EAA6E;IAC7E,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAC3B;;;;;;OAMG;IACH,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAC3B,6DAA6D;IAC7D,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC;CACzB;AA0BD;;;;GAIG;AACH,eAAO,MAAM,gCAAgC,GAAI,SAAS,0BAA0B,KAAG,IAwGtF,CAAC"}
+{"version":3,"file":"sse_round_trip.d.ts","sourceRoot":"../src/lib/","sources":["../../../src/lib/testing/cross_backend/sse_round_trip.ts"],"names":[],"mappings":"AAAA,OAAO,sBAAsB,CAAC;AA+D9B,OAAO,EAAC,KAAK,mBAAmB,EAAU,MAAM,mBAAmB,CAAC;AACpE,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,YAAY,CAAC;AAK1C,kEAAkE;AAClE,MAAM,WAAW,0BAA0B;IAC1C;;;;;;OAMG;IACH,QAAQ,CAAC,UAAU,EAAE,SAAS,CAAC;IAC/B,wEAAwE;IACxE,QAAQ,CAAC,YAAY,EAAE,mBAAmB,CAAC;IAC3C,2EAA2E;IAC3E,QAAQ,CAAC,QAAQ,EAAE,MAAM,CAAC;IAC1B,6EAA6E;IAC7E,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAC3B;;;;;;OAMG;IACH,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAC3B,6DAA6D;IAC7D,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC;CACzB;AA0BD;;;;GAIG;AACH,eAAO,MAAM,gCAAgC,GAAI,SAAS,0BAA0B,KAAG,IAqKtF,CAAC"}

package/dist/testing/cross_backend/sse_round_trip.js

@@ -11,7 +11,7 @@ import '../assert_dev_env.js';
  * (`describe_standard_cross_process_tests`) omits SSE by design, so consumers
  * call this alongside it (paralleling `describe_cross_process_ws_tests`).
  *
- * Three cases, mirroring the in-process SSE self-test against fuz_app's
+ * Four cases, mirroring the in-process SSE self-test against fuz_app's
  * standard audit-log stream:
  *
  * 1. **connects** — the stream opens and emits the `: connected` comment.
@@ -22,10 +22,23 @@ import '../assert_dev_env.js';
  *    the secondary, not the subscriber). The secondary is minted *before* the
  *    stream opens so `create_account`'s own audit events (invite / signup /
  *    login / token) don't land on it.
- * 3. **close-on-revoke** (gated on `rpc_path`) — the subscriber's *own*
- *    sessions are revoked (`account_session_revoke_all`), so the
+ * 3. **close-on-revoke, account-wide** (gated on `rpc_path`) — the subscriber's
+ *    *own* sessions are revoked (`account_session_revoke_all`), so the
  *    `session_revoke_all` event targets the keeper and the audit guard drops
- *    the live stream. Asserted via `SseTransport.wait_for_close`.
+ *    the live stream via the account-wide `close_for_account` path. Asserted
+ *    via `SseTransport.wait_for_close`.
+ * 4. **close-on-revoke, session-scoped** (gated on `rpc_path`) — the
+ *    subscriber's *own* single session is revoked (`account_session_revoke`),
+ *    so the `session_revoke` event drops the stream via the session-hash-scoped
+ *    `close_for_session` path (the distinct primitive cases 2–3 don't reach).
+ *
+ * The close-on-revoke matrix is layered: cases 3–4 exercise the account-wide
+ * and session-scoped paths cross-process; the remaining union events
+ * (`token_revoke_all` / `logout` / `password_change`, all account-wide; and
+ * `role_grant_revoke`, role-matched) are covered by the spine's `fuz_realtime`
+ * SSE-registry unit tests and the in-process guard self-test, so a cross-process
+ * `token_revoke_all`-with-zero-tokens case (which may emit no audit row) stays
+ * out to keep the spawned-backend suite non-flaky.
  *
  * Gated on `capabilities.sse` — backends without an end-to-end SSE stream
  * skip (the cases still surface as `.skip` in the report). Cross-process
@@ -35,7 +48,7 @@ import '../assert_dev_env.js';
  * @module
  */
 import { assert, describe } from 'vitest';
-import { account_session_revoke_all_action_spec } from '../../auth/account_action_specs.js';
+import { account_session_list_action_spec, account_session_revoke_action_spec, account_session_revoke_all_action_spec, } from '../../auth/account_action_specs.js';
 import { admin_session_revoke_all_action_spec } from '../../auth/admin_action_specs.js';
 import { audit_log_event_specs } from '../../realtime/sse_auth_guard.js';
 import { SSE_CONNECTED_COMMENT } from '../../realtime/sse.js';
@@ -60,9 +73,9 @@ const assert_audit_data_frame = (frame) => {
     assert.ok(result.success, `audit data frame params mismatch for '${String(payload.method)}': ${result.success ? '' : JSON.stringify(result.error.issues)}`);
 };
 /**
- * Register the cross-process SSE round-trip suite. Up to three cases over a
- * real streaming `fetch`: connected-comment, audit data frame, and
- * close-on-revoke.
+ * Register the cross-process SSE round-trip suite. Up to four cases over a
+ * real streaming `fetch`: connected-comment, audit data frame, account-wide
+ * close-on-revoke, and session-scoped close-on-revoke.
  */
 export const describe_cross_process_sse_tests = (options) => {
     const { setup_test, capabilities, base_url, rpc_path, origin } = options;
@@ -133,5 +146,39 @@ export const describe_cross_process_sse_tests = (options) => {
                 await sse.close();
             }
         });
+        // Single `session_revoke` of the subscriber's OWN session → the
+        // session-hash-scoped close path (`close_for_session` / the TS guard's
+        // `close_by_identity(session_id)`). The keeper holds exactly one session,
+        // so revoking it by its blake3 hash drops the stream opened under it.
+        // This is the close-on-revoke path the account-wide cases above don't
+        // exercise; the remaining union events (`token_revoke_all` / `logout` /
+        // `password_change`) share the account-wide `close_for_account` path the
+        // `session_revoke_all` case already covers, and `role_grant_revoke`'s
+        // role-matched path is covered by `fuz_realtime`'s SSE registry unit tests.
+        test_if(capabilities.sse && rpc_path !== undefined, 'stream closes on a single session_revoke of the subscriber session', async () => {
+            const fixture = await setup_test();
+            const sse = await create_sse_transport({
+                base_url,
+                sse_path,
+                cookies: fixture.transport.cookies(),
+                origin,
+            });
+            try {
+                const first = await sse.read_frame();
+                assert.strictEqual(first + '\n\n', SSE_CONNECTED_COMMENT, 'first frame must be the connected comment');
+                const list_res = await fixture.transport(rpc_path, create_rpc_post_init(account_session_list_action_spec.method));
+                assert.strictEqual(list_res.status, 200, `account_session_list RPC failed (status=${list_res.status})`);
+                const list_body = (await list_res.json());
+                const session_id = list_body.result?.sessions?.[0]?.id;
+                assert.ok(typeof session_id === 'string' && session_id.length > 0, 'expected the subscriber session id (blake3 hash) to revoke');
+                const revoke_res = await fixture.transport(rpc_path, create_rpc_post_init(account_session_revoke_action_spec.method, { session_id }));
+                assert.strictEqual(revoke_res.status, 200, `account_session_revoke RPC failed (status=${revoke_res.status})`);
+                const closed = await sse.wait_for_close(2000);
+                assert.ok(closed, 'stream did not close within 2s after session_revoke');
+            }
+            finally {
+                await sse.close();
+            }
+        });
     });
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@fuzdev/fuz_app",
-  "version": "0.71.1",
+  "version": "0.72.1",
   "description": "fullstack app library",
   "glyph": "🗝",
   "logo": "logo.svg",
@@ -48,6 +48,12 @@
     "@hono/node-ws": {
       "optional": true
     },
+    "@node-rs/argon2": {
+      "optional": true
+    },
+    "hono": {
+      "optional": true
+    },
     "pg": {
       "optional": true
     },