@fuzdev/fuz_app 0.75.0 → 0.76.0

package/dist/auth/CLAUDE.md

@@ -400,6 +400,10 @@ are excluded.
   declare `credential_types: ['session']`. `account_session_revoke` is
   gated alongside `_revoke_all` because a leaked bearer can otherwise
   compose `account_session_list` + N×revoke to reach the same lockout.
+  REST `POST /logout` also declares `credential_types: ['session']`, but
+  for forensic fidelity rather than a threat — a bearer / daemon token
+  holds no session to end, so the gate refuses it instead of returning a
+  misleading 200 + a phantom `logout` audit row.
   Admin token/session revoke specs deliberately stay unrestricted (admin
   scripting from CLI/bearer is legitimate operator workflow). See
   ../../../docs/security.md §Credential-channel gating.

package/dist/auth/account_routes.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"account_routes.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/account_routes.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAEtB,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,qBAAqB,CAAC;AA2BxD,OAAO,EAAkB,KAAK,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAEtE,OAAO,EAA+B,KAAK,WAAW,EAAC,MAAM,oBAAoB,CAAC;AAElF,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,WAAW,CAAC;AAChD,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,iCAAiC,CAAC;AAQtE,kFAAkF;AAClF,eAAO,MAAM,kBAAkB,WAAW,CAAC;AAC3C,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAEpE;;;;;;;;GAQG;AACH,eAAO,MAAM,mBAAmB;;;;;;;;;;;;;;;;;;;;;kBAI9B,CAAC;AACH,MAAM,MAAM,mBAAmB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAC;AAEtE,4EAA4E;AAC5E,eAAO,MAAM,iCAAiC;;;iBAG5C,CAAC;AACH,MAAM,MAAM,iCAAiC,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iCAAiC,CAAC,CAAC;AAElG;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,gCAAgC,GAAI,UAAU,oBAAoB,KAAG,SAmFhF,CAAC;AAEH,iDAAiD;AACjD,MAAM,WAAW,oBAAoB;IACpC,yDAAyD;IACzD,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,8FAA8F;IAC9F,gBAAgB,CAAC,EAAE;QAAC,SAAS,EAAE,OAAO,CAAA;KAAC,CAAC;CACxC;AAED,4CAA4C;AAC5C,eAAO,MAAM,oBAAoB,IAAI,CAAC;AAEtC,8CAA8C;AAC9C,eAAO,MAAM,kBAAkB,KAAK,CAAC;AAErC;;;;;;;;;GASG;AACH,eAAO,MAAM,2BAA2B,MAAM,CAAC;AAE/C;;;;;;GAMG;AACH,eAAO,MAAM,4BAA4B,KAAK,CAAC;AAQ/C;;;;;GAKG;AACH,MAAM,WAAW,uBAAuB;IACvC,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,kFAAkF;IAClF,eAAe,EAAE,WAAW,GAAG,IAAI,CAAC;CACpC;AAED;;GAEG;AACH,MAAM,WAAW,mBAAoB,SAAQ,uBAAuB;IACnE,4FAA4F;IAC5F,0BAA0B,EAAE,WAAW,GAAG,IAAI,CAAC;IAC/C,2FAA2F;IAC3F,YAAY,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7B;;;;OAIG;IACH,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B;;;OAGG;IACH,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAC9B;;;;;;;OAOG;IACH,iBAAiB,CAAC,EAAE,gBAAgB,GAAG,IAAI,CAAC;CAC5C;AAID,oFAAoF;AACpF,eAAO,MAAM,UAAU;;;kBAGrB,CAAC;AACH,MAAM,MAAM,UAAU,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,UAAU,CAAC,CAAC;AAEpD,wFAAwF;AACxF,eAAO,MAAM,WAAW;;kBAEtB,CAAC;AACH,MAAM,MAAM,WAAW,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,WAAW,CAAC,CAAC;AAEtD,2EAA2E;AAC3E,eAAO,MAAM,WAAW,WAAW,CAAC;AACpC,MAAM,MAAM,WAAW,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,WAAW,CAAC,CAAC;AAEtD,wFAAwF;AACxF,eAAO,MAAM,YAAY;;;kBAGvB,CAAC;AACH,MAAM,MAAM,YAAY,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,YAAY,CAAC,CAAC;AAExD,sHAAsH;AACtH,eAAO,MAAM,mBAAmB;;;kBAG9B,CAAC;AACH,MAAM,MAAM,mBAAmB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAC;AAEtE,uGAAuG;AACvG,eAAO,MAAM,oBAAoB;;;;kBAI/B,CAAC;AACH,MAAM,MAAM,oBAAoB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAC;AAExE;;;;;;;;;;GAUG;AACH,eAAO,MAAM,0BAA0B,GACtC,MAAM,gBAAgB,EACtB,SAAS,mBAAmB,KAC1B,KAAK,CAAC,SAAS,CA+SjB,CAAC"}
+{"version":3,"file":"account_routes.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/account_routes.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAEtB,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,qBAAqB,CAAC;AA2BxD,OAAO,EAAkB,KAAK,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAEtE,OAAO,EAA+B,KAAK,WAAW,EAAC,MAAM,oBAAoB,CAAC;AAElF,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,WAAW,CAAC;AAChD,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,iCAAiC,CAAC;AAQtE,kFAAkF;AAClF,eAAO,MAAM,kBAAkB,WAAW,CAAC;AAC3C,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAEpE;;;;;;;;GAQG;AACH,eAAO,MAAM,mBAAmB;;;;;;;;;;;;;;;;;;;;;kBAI9B,CAAC;AACH,MAAM,MAAM,mBAAmB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAC;AAEtE,4EAA4E;AAC5E,eAAO,MAAM,iCAAiC;;;iBAG5C,CAAC;AACH,MAAM,MAAM,iCAAiC,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iCAAiC,CAAC,CAAC;AAElG;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,gCAAgC,GAAI,UAAU,oBAAoB,KAAG,SAmFhF,CAAC;AAEH,iDAAiD;AACjD,MAAM,WAAW,oBAAoB;IACpC,yDAAyD;IACzD,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,8FAA8F;IAC9F,gBAAgB,CAAC,EAAE;QAAC,SAAS,EAAE,OAAO,CAAA;KAAC,CAAC;CACxC;AAED,4CAA4C;AAC5C,eAAO,MAAM,oBAAoB,IAAI,CAAC;AAEtC,8CAA8C;AAC9C,eAAO,MAAM,kBAAkB,KAAK,CAAC;AAErC;;;;;;;;;GASG;AACH,eAAO,MAAM,2BAA2B,MAAM,CAAC;AAE/C;;;;;;GAMG;AACH,eAAO,MAAM,4BAA4B,KAAK,CAAC;AAQ/C;;;;;GAKG;AACH,MAAM,WAAW,uBAAuB;IACvC,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,kFAAkF;IAClF,eAAe,EAAE,WAAW,GAAG,IAAI,CAAC;CACpC;AAED;;GAEG;AACH,MAAM,WAAW,mBAAoB,SAAQ,uBAAuB;IACnE,4FAA4F;IAC5F,0BAA0B,EAAE,WAAW,GAAG,IAAI,CAAC;IAC/C,2FAA2F;IAC3F,YAAY,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7B;;;;OAIG;IACH,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B;;;OAGG;IACH,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAC9B;;;;;;;OAOG;IACH,iBAAiB,CAAC,EAAE,gBAAgB,GAAG,IAAI,CAAC;CAC5C;AAID,oFAAoF;AACpF,eAAO,MAAM,UAAU;;;kBAGrB,CAAC;AACH,MAAM,MAAM,UAAU,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,UAAU,CAAC,CAAC;AAEpD,wFAAwF;AACxF,eAAO,MAAM,WAAW;;kBAEtB,CAAC;AACH,MAAM,MAAM,WAAW,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,WAAW,CAAC,CAAC;AAEtD,2EAA2E;AAC3E,eAAO,MAAM,WAAW,WAAW,CAAC;AACpC,MAAM,MAAM,WAAW,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,WAAW,CAAC,CAAC;AAEtD,wFAAwF;AACxF,eAAO,MAAM,YAAY;;;kBAGvB,CAAC;AACH,MAAM,MAAM,YAAY,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,YAAY,CAAC,CAAC;AAExD,sHAAsH;AACtH,eAAO,MAAM,mBAAmB;;;kBAG9B,CAAC;AACH,MAAM,MAAM,mBAAmB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAC;AAEtE,uGAAuG;AACvG,eAAO,MAAM,oBAAoB;;;;kBAI/B,CAAC;AACH,MAAM,MAAM,oBAAoB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAC;AAExE;;;;;;;;;;GAUG;AACH,eAAO,MAAM,0BAA0B,GACtC,MAAM,gBAAgB,EACtB,SAAS,mBAAmB,KAC1B,KAAK,CAAC,SAAS,CAoTjB,CAAC"}

package/dist/auth/account_routes.js

@@ -333,7 +333,11 @@ export const create_account_route_specs = (deps, options) => {
         {
             method: 'POST',
             path: '/logout',
-            auth: { account: 'required', actor: 'none' },
+            // `credential_types: ['session']` — see `docs/security.md` §Credential-channel gating.
+            // Logout is a session-bound operation; a bearer / daemon token holds no session
+            // to end, so the dispatcher rejects it (403 `credential_type_required`) rather than
+            // returning a misleading 200 + a phantom `logout` audit row for a no-op.
+            auth: { account: 'required', actor: 'none', credential_types: ['session'] },
             description: 'Revoke current session and clear cookie',
             input: LogoutInput,
             output: LogoutOutput,
@@ -343,20 +347,21 @@ export const create_account_route_specs = (deps, options) => {
                 if (session_token) {
                     const token_hash = hash_session_token(session_token);
                     await query_session_revoke_by_hash_unscoped(route, token_hash);
-                    // Handler-side belt+suspenders: close the live WS bound to
-                    // this session BEFORE the audit emit so revocation lands
-                    // even if the audit INSERT fails. Same transaction-commit
-                    // trade as `password` / RPC `session_revoke` below — a
-                    // throw between this close and the response rolls back the
-                    // DB revoke while leaving the socket severed; benign
-                    // (client reconnects, session still valid) but don't
-                    // introduce a throw here without acknowledging the trade.
-                    // The audit listener (`create_ws_logout_closer`) runs an
-                    // account-wide close on the logout event afterward —
-                    // broader than this targeted close, but both layers are
-                    // idempotent. Mirrors `zzz_server::account::logout_inner`.
+                    // Handler-side belt+suspenders: eagerly close this account's
+                    // live WS connections BEFORE the audit emit so revocation
+                    // lands even if the audit INSERT fails. Account-wide (not
+                    // session-targeted) to match the Rust `account_logout` handler
+                    // and the sibling `/password` handler — logout is a
+                    // self-initiated account-grain operation, and the audit
+                    // listener (`create_ws_logout_closer`) runs the same
+                    // account-wide close on the logout event afterward, so both
+                    // layers converge (idempotent). Same transaction-commit trade
+                    // as `password` / RPC `session_revoke`: a throw between this
+                    // close and the response rolls back the DB revoke while
+                    // leaving sockets severed; benign (client reconnects), but
+                    // don't introduce a throw here without acknowledging the trade.
                     if (connection_closer) {
-                        connection_closer.close_sockets_for_session(token_hash);
+                        connection_closer.close_sockets_for_account(ctx.account.id);
                     }
                 }
                 clear_session_cookie(c, session_options);

package/dist/db/CLAUDE.md

@@ -49,10 +49,11 @@ The wire schemas + RPC handlers + authz predicates for this layer live in
   (`CELL_HISTORY_MIGRATION_NS`, namespace `fuz_cell_history`), FK → `cell.id`.
   Ships present-but-unwritten; no snapshot lifecycle yet.
 - **`cell_queries.ts`** — `query_cell_create / get / get_by_path / update /
-delete`, `_list_by_data_kind / _list_by_creator / _list_by_ref`, the
+delete`, `_list_by_data_kind / _list_by_creator`, the
   generic `query_cell_list` (filter + SQL-side visibility predicate mirroring
-  `can_view_cell`), and `query_cell_load_many` (bulk id load, no visibility
-  filter — feeds the strict relation-read filter). `cell.refs` derived from
+  `can_view_cell`; the `ref` filter narrows by `cell.refs`), and
+  `query_cell_load_many` (bulk id load, no visibility filter — feeds the
+  strict relation-read filter). `cell.refs` derived from
   `data` via `extract_refs` on create/update. `CellRow.grant_count` is a
   derived projection (correlated subquery on `idx_cell_grant_cell`).
 - **`cell_grant_queries.ts`** — resource-side ACL: `query_cell_grant_create`

package/dist/db/cell_queries.d.ts

@@ -301,27 +301,4 @@ export interface CellListParams {
     /** Include soft-deleted rows. Default `false`. */
     include_deleted?: boolean;
 }
-/**
- * List active cells whose `refs` array contains the given fact hash,
- * newest first. Backed by the `idx_cell_refs` GIN index.
- *
- * Used by the fact-serving route's authz walk: a fact is viewable iff
- * **at least one** referencing active cell admits the caller via
- * `can_view_cell`. Unreferenced facts (no row returned here) are
- * unreachable through the public surface — orphan-fact GC handles them.
- *
- * `include_grant_count` defaults to true so the row hydrates uniformly
- * with the rest of the cell query surface. The fact-serving route is
- * the one hot path where the count is wasted work — pass `false`
- * there to skip the per-row correlated subquery; the field falls back
- * to a constant 0 so `CellRow` stays type-stable.
- *
- * @param deps - query deps
- * @param hash - fact hash to search for
- * @param options - pagination + grant-count toggle
- * @returns matching active rows
- */
-export declare const query_cell_list_by_ref: (deps: QueryDeps, hash: FactHash, options?: Pick<CellListOptions, "limit" | "offset"> & {
-    include_grant_count?: boolean;
-}) => Promise<Array<CellRow>>;
 //# sourceMappingURL=cell_queries.d.ts.map

package/dist/db/cell_queries.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"cell_queries.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/db/cell_queries.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;GAqBG;AAEH,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,iBAAiB,CAAC;AAC/C,OAAO,KAAK,EAAC,IAAI,EAAC,MAAM,0BAA0B,CAAC;AACnD,OAAO,KAAK,EAAC,IAAI,EAAC,MAAM,wBAAwB,CAAC;AACjD,OAAO,EAAyB,KAAK,QAAQ,EAAC,MAAM,+BAA+B,CAAC;AAGpF,OAAO,KAAK,EAAC,QAAQ,EAAC,MAAM,6BAA6B,CAAC;AAC1D,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,8BAA8B,CAAC;AAEjE;;;;;;;;;;;;GAYG;AACH,MAAM,WAAW,OAAO;IACvB,EAAE,EAAE,IAAI,CAAC;IACT,IAAI,EAAE,QAAQ,CAAC;IACf,UAAU,EAAE,cAAc,CAAC;IAC3B,IAAI,EAAE,MAAM,GAAG,IAAI,CAAC;IACpB,IAAI,EAAE,KAAK,CAAC,QAAQ,CAAC,GAAG,IAAI,CAAC;IAC7B,UAAU,EAAE,IAAI,CAAC;IACjB,UAAU,EAAE,IAAI,GAAG,IAAI,CAAC;IACxB,UAAU,EAAE,IAAI,GAAG,IAAI,CAAC;IACxB,UAAU,EAAE,IAAI,GAAG,IAAI,CAAC;IACxB,UAAU,EAAE,IAAI,GAAG,IAAI,CAAC;IACxB,WAAW,EAAE,MAAM,CAAC;CACpB;AAgBD,oEAAoE;AACpE,MAAM,WAAW,oBAAoB;IACpC,IAAI,EAAE,IAAI,CAAC;IACX,UAAU,CAAC,EAAE,cAAc,CAAC;IAC5B,IAAI,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACrB,UAAU,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;CACzB;AAED;;;;GAIG;AACH,MAAM,WAAW,eAAe;IAC/B,IAAI,CAAC,EAAE,IAAI,CAAC;IACZ,UAAU,CAAC,EAAE,cAAc,CAAC;IAC5B,IAAI,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACrB,UAAU,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;CACzB;AAED,yEAAyE;AACzE,MAAM,WAAW,eAAe;IAC/B,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,eAAe,CAAC,EAAE,OAAO,CAAC;CAC1B;AAED;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,iBAAiB,GAC7B,MAAM,SAAS,EACf,OAAO,oBAAoB,KACzB,OAAO,CAAC,OAAO,CAgBjB,CAAC;AAEF;;;;;;;GAOG;AACH,eAAO,MAAM,cAAc,GAC1B,MAAM,SAAS,EACf,IAAI,IAAI,EACR,UAAU;IAAC,eAAe,CAAC,EAAE,OAAO,CAAA;CAAC,KACnC,OAAO,CAAC,OAAO,GAAG,IAAI,CAUxB,CAAC;AAEF;;;;;;;;GAQG;AACH,eAAO,MAAM,sBAAsB,GAClC,MAAM,SAAS,EACf,MAAM,MAAM,KACV,OAAO,CAAC,OAAO,GAAG,IAAI,CAQxB,CAAC;AAEF;;;;;;;;;;GAUG;AACH,eAAO,MAAM,oBAAoB,GAChC,MAAM,SAAS,EACf,KAAK,aAAa,CAAC,IAAI,CAAC,KACtB,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,CAQxB,CAAC;AAEF;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,iBAAiB,GAC7B,MAAM,SAAS,EACf,IAAI,IAAI,EACR,OAAO,eAAe,KACpB,OAAO,CAAC,OAAO,GAAG,IAAI,CA4BxB,CAAC;AAEF;;;;;;;;;;GAUG;AACH,eAAO,MAAM,iBAAiB,GAC7B,MAAM,SAAS,EACf,IAAI,IAAI,EACR,UAAU;IAAC,UAAU,CAAC,EAAE,IAAI,GAAG,IAAI,CAAA;CAAC,KAClC,OAAO,CAAC,OAAO,CAWjB,CAAC;AAEF;;;;;;;;GAQG;AACH,eAAO,MAAM,4BAA4B,GACxC,MAAM,SAAS,EACf,MAAM,MAAM,EACZ,UAAU,IAAI,CAAC,eAAe,EAAE,OAAO,GAAG,QAAQ,CAAC,KACjD,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,CASvB,CAAC;AAEH;;;;;;;;GAQG;AACH,eAAO,MAAM,0BAA0B,GACtC,MAAM,SAAS,EACf,UAAU,IAAI,EACd,UAAU,IAAI,CAAC,eAAe,EAAE,OAAO,GAAG,QAAQ,CAAC,KACjD,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,CAQvB,CAAC;AAEH;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6CG;AACH,eAAO,MAAM,eAAe,GAC3B,MAAM,SAAS,EACf,QAAQ,cAAc,KACpB,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,CA0DxB,CAAC;AAiGF,4EAA4E;AAC5E,MAAM,WAAW,cAAc;IAC9B,8EAA8E;IAC9E,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB;;;;;OAKG;IACH,UAAU,CAAC,EAAE,cAAc,CAAC;IAC5B,4EAA4E;IAC5E,GAAG,CAAC,EAAE,QAAQ,CAAC;IACf,0EAA0E;IAC1E,UAAU,CAAC,EAAE,IAAI,CAAC;IAClB;;;;OAIG;IACH,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB;;;;;;OAMG;IACH,GAAG,CAAC,EAAE,KAAK,CAAC,IAAI,CAAC,CAAC;IAClB;;;;OAIG;IACH,eAAe,EAAE,IAAI,GAAG,IAAI,CAAC;IAC7B;;;;OAIG;IACH,eAAe,EAAE,OAAO,CAAC;IACzB;;;;;;OAMG;IACH,eAAe,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;IAC9B;;;;;;;OAOG;IACH,uBAAuB,CAAC,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IAChD;;;;OAIG;IACH,2BAA2B,CAAC,EAAE,aAAa,CAAC,IAAI,GAAG,IAAI,CAAC,CAAC;IACzD;;;;;OAKG;IACH,uBAAuB,CAAC,EAAE,OAAO,CAAC;IAClC,yCAAyC;IACzC,QAAQ,CAAC,EAAE,YAAY,GAAG,YAAY,CAAC;IACvC,sCAAsC;IACtC,eAAe,CAAC,EAAE,KAAK,GAAG,MAAM,CAAC;IACjC,iBAAiB;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,mBAAmB;IACnB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,kDAAkD;IAClD,eAAe,CAAC,EAAE,OAAO,CAAC;CAC1B;AAED;;;;;;;;;;;;;;;;;;;GAmBG;AACH,eAAO,MAAM,sBAAsB,GAClC,MAAM,SAAS,EACf,MAAM,QAAQ,EACd,UAAU,IAAI,CAAC,eAAe,EAAE,OAAO,GAAG,QAAQ,CAAC,GAAG;IAAC,mBAAmB,CAAC,EAAE,OAAO,CAAA;CAAC,KACnF,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,CAYxB,CAAC"}
+{"version":3,"file":"cell_queries.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/db/cell_queries.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;GAqBG;AAEH,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,iBAAiB,CAAC;AAC/C,OAAO,KAAK,EAAC,IAAI,EAAC,MAAM,0BAA0B,CAAC;AACnD,OAAO,KAAK,EAAC,IAAI,EAAC,MAAM,wBAAwB,CAAC;AACjD,OAAO,EAAyB,KAAK,QAAQ,EAAC,MAAM,+BAA+B,CAAC;AAGpF,OAAO,KAAK,EAAC,QAAQ,EAAC,MAAM,6BAA6B,CAAC;AAC1D,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,8BAA8B,CAAC;AAEjE;;;;;;;;;;;;GAYG;AACH,MAAM,WAAW,OAAO;IACvB,EAAE,EAAE,IAAI,CAAC;IACT,IAAI,EAAE,QAAQ,CAAC;IACf,UAAU,EAAE,cAAc,CAAC;IAC3B,IAAI,EAAE,MAAM,GAAG,IAAI,CAAC;IACpB,IAAI,EAAE,KAAK,CAAC,QAAQ,CAAC,GAAG,IAAI,CAAC;IAC7B,UAAU,EAAE,IAAI,CAAC;IACjB,UAAU,EAAE,IAAI,GAAG,IAAI,CAAC;IACxB,UAAU,EAAE,IAAI,GAAG,IAAI,CAAC;IACxB,UAAU,EAAE,IAAI,GAAG,IAAI,CAAC;IACxB,UAAU,EAAE,IAAI,GAAG,IAAI,CAAC;IACxB,WAAW,EAAE,MAAM,CAAC;CACpB;AAgBD,oEAAoE;AACpE,MAAM,WAAW,oBAAoB;IACpC,IAAI,EAAE,IAAI,CAAC;IACX,UAAU,CAAC,EAAE,cAAc,CAAC;IAC5B,IAAI,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACrB,UAAU,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;CACzB;AAED;;;;GAIG;AACH,MAAM,WAAW,eAAe;IAC/B,IAAI,CAAC,EAAE,IAAI,CAAC;IACZ,UAAU,CAAC,EAAE,cAAc,CAAC;IAC5B,IAAI,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACrB,UAAU,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;CACzB;AAED,yEAAyE;AACzE,MAAM,WAAW,eAAe;IAC/B,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,eAAe,CAAC,EAAE,OAAO,CAAC;CAC1B;AAED;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,iBAAiB,GAC7B,MAAM,SAAS,EACf,OAAO,oBAAoB,KACzB,OAAO,CAAC,OAAO,CAgBjB,CAAC;AAEF;;;;;;;GAOG;AACH,eAAO,MAAM,cAAc,GAC1B,MAAM,SAAS,EACf,IAAI,IAAI,EACR,UAAU;IAAC,eAAe,CAAC,EAAE,OAAO,CAAA;CAAC,KACnC,OAAO,CAAC,OAAO,GAAG,IAAI,CAUxB,CAAC;AAEF;;;;;;;;GAQG;AACH,eAAO,MAAM,sBAAsB,GAClC,MAAM,SAAS,EACf,MAAM,MAAM,KACV,OAAO,CAAC,OAAO,GAAG,IAAI,CAQxB,CAAC;AAEF;;;;;;;;;;GAUG;AACH,eAAO,MAAM,oBAAoB,GAChC,MAAM,SAAS,EACf,KAAK,aAAa,CAAC,IAAI,CAAC,KACtB,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,CAQxB,CAAC;AAEF;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,iBAAiB,GAC7B,MAAM,SAAS,EACf,IAAI,IAAI,EACR,OAAO,eAAe,KACpB,OAAO,CAAC,OAAO,GAAG,IAAI,CA4BxB,CAAC;AAEF;;;;;;;;;;GAUG;AACH,eAAO,MAAM,iBAAiB,GAC7B,MAAM,SAAS,EACf,IAAI,IAAI,EACR,UAAU;IAAC,UAAU,CAAC,EAAE,IAAI,GAAG,IAAI,CAAA;CAAC,KAClC,OAAO,CAAC,OAAO,CAWjB,CAAC;AAEF;;;;;;;;GAQG;AACH,eAAO,MAAM,4BAA4B,GACxC,MAAM,SAAS,EACf,MAAM,MAAM,EACZ,UAAU,IAAI,CAAC,eAAe,EAAE,OAAO,GAAG,QAAQ,CAAC,KACjD,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,CASvB,CAAC;AAEH;;;;;;;;GAQG;AACH,eAAO,MAAM,0BAA0B,GACtC,MAAM,SAAS,EACf,UAAU,IAAI,EACd,UAAU,IAAI,CAAC,eAAe,EAAE,OAAO,GAAG,QAAQ,CAAC,KACjD,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,CAQvB,CAAC;AAEH;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6CG;AACH,eAAO,MAAM,eAAe,GAC3B,MAAM,SAAS,EACf,QAAQ,cAAc,KACpB,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,CA0DxB,CAAC;AAiGF,4EAA4E;AAC5E,MAAM,WAAW,cAAc;IAC9B,8EAA8E;IAC9E,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB;;;;;OAKG;IACH,UAAU,CAAC,EAAE,cAAc,CAAC;IAC5B,4EAA4E;IAC5E,GAAG,CAAC,EAAE,QAAQ,CAAC;IACf,0EAA0E;IAC1E,UAAU,CAAC,EAAE,IAAI,CAAC;IAClB;;;;OAIG;IACH,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB;;;;;;OAMG;IACH,GAAG,CAAC,EAAE,KAAK,CAAC,IAAI,CAAC,CAAC;IAClB;;;;OAIG;IACH,eAAe,EAAE,IAAI,GAAG,IAAI,CAAC;IAC7B;;;;OAIG;IACH,eAAe,EAAE,OAAO,CAAC;IACzB;;;;;;OAMG;IACH,eAAe,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;IAC9B;;;;;;;OAOG;IACH,uBAAuB,CAAC,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IAChD;;;;OAIG;IACH,2BAA2B,CAAC,EAAE,aAAa,CAAC,IAAI,GAAG,IAAI,CAAC,CAAC;IACzD;;;;;OAKG;IACH,uBAAuB,CAAC,EAAE,OAAO,CAAC;IAClC,yCAAyC;IACzC,QAAQ,CAAC,EAAE,YAAY,GAAG,YAAY,CAAC;IACvC,sCAAsC;IACtC,eAAe,CAAC,EAAE,KAAK,GAAG,MAAM,CAAC;IACjC,iBAAiB;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,mBAAmB;IACnB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,kDAAkD;IAClD,eAAe,CAAC,EAAE,OAAO,CAAC;CAC1B"}

package/dist/db/cell_queries.js

@@ -388,36 +388,6 @@ const build_shared_with_sql = (order_column, order_direction) => `${CALLER_ROLE_
 	   AND $6::bool IS NOT NULL
 	 ORDER BY c.${order_column} ${order_direction} NULLS LAST
 	 LIMIT $8 OFFSET $9`;
-/**
- * List active cells whose `refs` array contains the given fact hash,
- * newest first. Backed by the `idx_cell_refs` GIN index.
- *
- * Used by the fact-serving route's authz walk: a fact is viewable iff
- * **at least one** referencing active cell admits the caller via
- * `can_view_cell`. Unreferenced facts (no row returned here) are
- * unreachable through the public surface — orphan-fact GC handles them.
- *
- * `include_grant_count` defaults to true so the row hydrates uniformly
- * with the rest of the cell query surface. The fact-serving route is
- * the one hot path where the count is wasted work — pass `false`
- * there to skip the per-row correlated subquery; the field falls back
- * to a constant 0 so `CellRow` stays type-stable.
- *
- * @param deps - query deps
- * @param hash - fact hash to search for
- * @param options - pagination + grant-count toggle
- * @returns matching active rows
- */
-export const query_cell_list_by_ref = async (deps, hash, options) => {
-    const include_grant_count = options?.include_grant_count !== false;
-    const projection = include_grant_count ? grant_count_projection('cell') : '0::int AS grant_count';
-    return deps.db.query(`SELECT *, ${projection}
-		 FROM cell
-		 WHERE refs @> ARRAY[$1]::text[]
-		   AND deleted_at IS NULL
-		 ORDER BY created_at DESC
-		 LIMIT $2 OFFSET $3`, [hash, options?.limit ?? null, options?.offset ?? 0]);
-};
 /**
  * Derive the `refs` array column value from a cell's `data`.
  *

package/dist/server/serve_fact_route.d.ts

@@ -1,38 +1,67 @@
 /**
- * `GET /api/facts/:hash` — content-addressed fact serving.
+ * Content-addressed fact serving — cell-scoped, per-reference reads.
  *
- * Resolves a fact hash to the bytes referenced by at least one viewable
- * cell. Embedded facts stream from the `facts.bytes` PG column;
- * external facts (filesystem-backed `file:<shard>/<rest>` URLs) either
- * return an `X-Accel-Redirect` header pointing into nginx's internal
- * facts location (production) or stream from disk via the filesystem
- * `FactExternalFetcher` (dev / tests). The runtime mode is selected by
- * the optional `x_accel_redirect_prefix` factory option — set in prod,
- * unset in dev.
+ * Two routes serve fact bytes from the PG-backed fact store:
+ *
+ * - `GET /api/cells/:cell_id/facts/:hash` — the **per-reference read**.
+ *   The request names the referencing cell. Authz is scoped to that one
+ *   reference: `can_view_cell(caller, cell) AND cell.refs includes hash`.
+ *   This is the path non-admin callers use, and the only path for
+ *   confidential content.
+ * - `GET /api/facts/:hash` — the **bare-hash read**, restricted to admins.
+ *
+ * Embedded facts stream from the `fact.bytes` PG column; external facts
+ * (filesystem-backed `file:<shard>/<rest>` URLs) either return an
+ * `X-Accel-Redirect` header pointing into nginx's internal facts location
+ * (production) or stream from disk via the filesystem `FactExternalFetcher`
+ * (dev / tests). The runtime mode is selected by the optional
+ * `x_accel_redirect_prefix` factory option — set in prod, unset in dev.
  *
  * REST, not RPC: binary responses don't fit the JSON-RPC envelope.
  *
- * ## Authorization
- *
- * Auth is `{account: 'none', actor: 'none'}` — the dispatcher's
- * authorization phase is skipped for pure-public routes, so this handler
- * builds the `RequestContext` itself from `c.var.account_id` (populated
- * by the `/api/*` session middleware) by resolving the caller's single
- * actor and loading their role_grants. Unauthed callers pass through
- * with `req_ctx: null`. Viewers are admitted via `can_view_cell` over
- * **every** active cell that references the hash. Multi-actor accounts
- * fall through with `req_ctx: null` — there's no `acting?` slot on a
- * pure-public route, so multi-actor callers are treated as anonymous
- * (admitted only by the public-visibility branch). A fact is viewable iff
- * at least one referencing cell admits the caller; unauthenticated callers
- * are admitted only via a referencing cell with `cell.visibility ===
- * 'public'`. Facts with no referencing active cell are unreachable here —
- * orphan-fact GC reaps them separately.
- *
- * 404 is the universal "not viewable" response: missing fact, missing
- * referencing cell, all referencing cells private to other actors. We
- * deliberately don't distinguish 403 from 404 — the existence of a
- * private hash should not leak through the public surface.
+ * ## Authorization — authz lives on the cell→fact edge, not the hash
+ *
+ * Facts are global, content-addressed, owner-less bytes: identical bytes
+ * from different owners dedup to **one** `fact` row. Keying access control
+ * on the bare hash therefore unions visibility across every owner that
+ * references it — A's private bytes leak the instant B references identical
+ * bytes from a public cell. The fix is to scope authz to the
+ * `(cell, hash)` edge: a caller reads a fact *through a specific cell it
+ * can view that references the hash*. Dedup becomes a pure storage
+ * optimization with zero authz consequence — whether two owners' bytes
+ * share a `fact` row is invisible to the read check.
+ *
+ * The cell-scoped route resolves the named cell, requires
+ * `can_view_cell(caller, cell)`, and requires `cell.refs` to include the
+ * hash. B publishing identical bytes from B's public cell makes them
+ * readable *via B's cell* — it never touches A's private reference.
+ *
+ * The bare-hash route is **admin-only**: an admin's reach already spans
+ * every cell, so serving by bare hash grants no escalation. Non-admin
+ * callers are rejected at the auth phase and never reach the handler.
+ * (Explicitly-public facts — a producer opting bytes into world-readable
+ * status — are a future refinement; there is no such concept today, so
+ * the bare-hash route stays strictly admin-gated.)
+ *
+ * Auth shape on the cell-scoped route is `{account: 'none', actor: 'none'}`
+ * — the dispatcher's authorization phase is skipped for pure-public routes,
+ * so the handler builds the `RequestContext` itself from `c.var.account_id`
+ * (populated by the `/api/*` session middleware) by resolving the caller's
+ * single actor and loading their role_grants. Unauthed callers pass through
+ * with `req_ctx: null` and are admitted only by a `cell.visibility ===
+ * 'public'` cell. Multi-actor accounts fall through with `req_ctx: null`
+ * — there's no `acting?` slot on a pure-public route, so multi-actor
+ * callers are treated as anonymous.
+ *
+ * 404 is the universal "not viewable" response: missing fact, missing or
+ * unviewable cell, or the cell doesn't reference the hash. We deliberately
+ * don't distinguish 403 from 404 — neither the existence of a fact nor the
+ * existence of a cell→fact edge should leak through the public surface.
+ *
+ * Content-addressed serving of inline `blake3:` images (a markdown doc cell
+ * with embedded image refs) works through this model: the referencing cell
+ * is the doc cell, so serving goes view-doc-cell → doc-cell-refs-include-hash
+ * → serve.
  *
  * ## Defense-in-depth
  *
@@ -68,11 +97,33 @@ export interface CreateServeFactRouteSpecOptions {
     log: Logger;
 }
 /**
- * Build the `GET /api/facts/:hash` `RouteSpec`.
+ * Build the cell-scoped `GET /api/cells/:cell_id/facts/:hash` `RouteSpec`
+ * — the per-reference read.
+ *
+ * Resolves the named cell (404 if missing / soft-deleted), requires
+ * `can_view_cell(caller, cell)` AND `cell.refs` to include the hash
+ * (else 404, masked), then serves the bytes. Authz is scoped to this one
+ * `(cell, hash)` edge — never unioned across the fact's other referrers.
  *
  * Pure-public auth — the handler builds the per-request `RequestContext`
- * from `c.var.account_id` and enforces visibility per-fact via the
- * cell-walk above.
+ * from `c.var.account_id` and enforces visibility per-reference.
+ */
+export declare const create_serve_cell_fact_route_spec: (options: CreateServeFactRouteSpecOptions) => RouteSpec;
+/**
+ * Build the admin-only bare-hash `GET /api/facts/:hash` `RouteSpec`.
+ *
+ * An admin's reach already spans every cell, so serving by bare hash grants
+ * no escalation — the union concern that made this route a cross-owner leak
+ * for non-admins is vacuous for an admin. Non-admin callers are rejected at
+ * the auth phase (403) and never reach the handler. Confidential non-admin
+ * reads always go through the cell-scoped route above.
+ *
+ * Auth is `{account: 'required', actor: 'required', roles: ['admin']}` —
+ * the dispatcher's authorization phase resolves the acting actor and the
+ * post-authorization guard enforces the admin role before the handler runs.
+ * The handler re-checks `has_role(_, admin)` as defense-in-depth so a future
+ * mounting/auth-shape regression fails closed rather than serving by bare
+ * hash to a non-admin.
  */
 export declare const create_serve_fact_route_spec: (options: CreateServeFactRouteSpecOptions) => RouteSpec;
 //# sourceMappingURL=serve_fact_route.d.ts.map

package/dist/server/serve_fact_route.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"serve_fact_route.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/server/serve_fact_route.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4CG;AAKH,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAOpD,OAAO,EAAmB,KAAK,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAEvE,OAAO,KAAK,EAAC,OAAO,EAAC,MAAM,iBAAiB,CAAC;AAoB7C,MAAM,WAAW,+BAA+B;IAC/C;;;;;;OAMG;IACH,IAAI,EAAE,OAAO,CAAC;IACd,kFAAkF;IAClF,SAAS,EAAE,MAAM,CAAC;IAClB;;;;;;OAMG;IACH,uBAAuB,CAAC,EAAE,MAAM,CAAC;IACjC,GAAG,EAAE,MAAM,CAAC;CACZ;AAED;;;;;;GAMG;AACH,eAAO,MAAM,4BAA4B,GACxC,SAAS,+BAA+B,KACtC,SAgIF,CAAC"}
+{"version":3,"file":"serve_fact_route.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/server/serve_fact_route.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAyEG;AAMH,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAepD,OAAO,EAAsC,KAAK,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAE1F,OAAO,KAAK,EAAC,OAAO,EAAC,MAAM,iBAAiB,CAAC;AAsC7C,MAAM,WAAW,+BAA+B;IAC/C;;;;;;OAMG;IACH,IAAI,EAAE,OAAO,CAAC;IACd,kFAAkF;IAClF,SAAS,EAAE,MAAM,CAAC;IAClB;;;;;;OAMG;IACH,uBAAuB,CAAC,EAAE,MAAM,CAAC;IACjC,GAAG,EAAE,MAAM,CAAC;CACZ;AAwGD;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,iCAAiC,GAC7C,SAAS,+BAA+B,KACtC,SA8CF,CAAC;AAEF;;;;;;;;;;;;;;;GAeG;AACH,eAAO,MAAM,4BAA4B,GACxC,SAAS,+BAA+B,KACtC,SAgCF,CAAC"}

package/dist/server/serve_fact_route.js

@@ -1,38 +1,67 @@
 /**
- * `GET /api/facts/:hash` — content-addressed fact serving.
+ * Content-addressed fact serving — cell-scoped, per-reference reads.
  *
- * Resolves a fact hash to the bytes referenced by at least one viewable
- * cell. Embedded facts stream from the `facts.bytes` PG column;
- * external facts (filesystem-backed `file:<shard>/<rest>` URLs) either
- * return an `X-Accel-Redirect` header pointing into nginx's internal
- * facts location (production) or stream from disk via the filesystem
- * `FactExternalFetcher` (dev / tests). The runtime mode is selected by
- * the optional `x_accel_redirect_prefix` factory option — set in prod,
- * unset in dev.
+ * Two routes serve fact bytes from the PG-backed fact store:
+ *
+ * - `GET /api/cells/:cell_id/facts/:hash` — the **per-reference read**.
+ *   The request names the referencing cell. Authz is scoped to that one
+ *   reference: `can_view_cell(caller, cell) AND cell.refs includes hash`.
+ *   This is the path non-admin callers use, and the only path for
+ *   confidential content.
+ * - `GET /api/facts/:hash` — the **bare-hash read**, restricted to admins.
+ *
+ * Embedded facts stream from the `fact.bytes` PG column; external facts
+ * (filesystem-backed `file:<shard>/<rest>` URLs) either return an
+ * `X-Accel-Redirect` header pointing into nginx's internal facts location
+ * (production) or stream from disk via the filesystem `FactExternalFetcher`
+ * (dev / tests). The runtime mode is selected by the optional
+ * `x_accel_redirect_prefix` factory option — set in prod, unset in dev.
  *
  * REST, not RPC: binary responses don't fit the JSON-RPC envelope.
  *
- * ## Authorization
- *
- * Auth is `{account: 'none', actor: 'none'}` — the dispatcher's
- * authorization phase is skipped for pure-public routes, so this handler
- * builds the `RequestContext` itself from `c.var.account_id` (populated
- * by the `/api/*` session middleware) by resolving the caller's single
- * actor and loading their role_grants. Unauthed callers pass through
- * with `req_ctx: null`. Viewers are admitted via `can_view_cell` over
- * **every** active cell that references the hash. Multi-actor accounts
- * fall through with `req_ctx: null` — there's no `acting?` slot on a
- * pure-public route, so multi-actor callers are treated as anonymous
- * (admitted only by the public-visibility branch). A fact is viewable iff
- * at least one referencing cell admits the caller; unauthenticated callers
- * are admitted only via a referencing cell with `cell.visibility ===
- * 'public'`. Facts with no referencing active cell are unreachable here —
- * orphan-fact GC reaps them separately.
- *
- * 404 is the universal "not viewable" response: missing fact, missing
- * referencing cell, all referencing cells private to other actors. We
- * deliberately don't distinguish 403 from 404 — the existence of a
- * private hash should not leak through the public surface.
+ * ## Authorization — authz lives on the cell→fact edge, not the hash
+ *
+ * Facts are global, content-addressed, owner-less bytes: identical bytes
+ * from different owners dedup to **one** `fact` row. Keying access control
+ * on the bare hash therefore unions visibility across every owner that
+ * references it — A's private bytes leak the instant B references identical
+ * bytes from a public cell. The fix is to scope authz to the
+ * `(cell, hash)` edge: a caller reads a fact *through a specific cell it
+ * can view that references the hash*. Dedup becomes a pure storage
+ * optimization with zero authz consequence — whether two owners' bytes
+ * share a `fact` row is invisible to the read check.
+ *
+ * The cell-scoped route resolves the named cell, requires
+ * `can_view_cell(caller, cell)`, and requires `cell.refs` to include the
+ * hash. B publishing identical bytes from B's public cell makes them
+ * readable *via B's cell* — it never touches A's private reference.
+ *
+ * The bare-hash route is **admin-only**: an admin's reach already spans
+ * every cell, so serving by bare hash grants no escalation. Non-admin
+ * callers are rejected at the auth phase and never reach the handler.
+ * (Explicitly-public facts — a producer opting bytes into world-readable
+ * status — are a future refinement; there is no such concept today, so
+ * the bare-hash route stays strictly admin-gated.)
+ *
+ * Auth shape on the cell-scoped route is `{account: 'none', actor: 'none'}`
+ * — the dispatcher's authorization phase is skipped for pure-public routes,
+ * so the handler builds the `RequestContext` itself from `c.var.account_id`
+ * (populated by the `/api/*` session middleware) by resolving the caller's
+ * single actor and loading their role_grants. Unauthed callers pass through
+ * with `req_ctx: null` and are admitted only by a `cell.visibility ===
+ * 'public'` cell. Multi-actor accounts fall through with `req_ctx: null`
+ * — there's no `acting?` slot on a pure-public route, so multi-actor
+ * callers are treated as anonymous.
+ *
+ * 404 is the universal "not viewable" response: missing fact, missing or
+ * unviewable cell, or the cell doesn't reference the hash. We deliberately
+ * don't distinguish 403 from 404 — neither the existence of a fact nor the
+ * existence of a cell→fact edge should leak through the public surface.
+ *
+ * Content-addressed serving of inline `blake3:` images (a markdown doc cell
+ * with embedded image refs) works through this model: the referencing cell
+ * is the doc cell, so serving goes view-doc-cell → doc-cell-refs-include-hash
+ * → serve.
  *
  * ## Defense-in-depth
  *
@@ -47,151 +76,223 @@ import { createReadStream } from 'node:fs';
 import { Readable } from 'node:stream';
 import { join } from 'node:path';
 import { FactHashSchema } from '@fuzdev/fuz_util/fact_hash.js';
+import { Uuid } from '@fuzdev/fuz_util/id.js';
 import { z } from 'zod';
-import { build_request_context } from '../auth/request_context.js';
+import { build_request_context, get_request_context, has_role, } from '../auth/request_context.js';
+import { ROLE_ADMIN } from '../auth/role_schema.js';
+import { ActingActor } from '../http/auth_shape.js';
 import { ACCOUNT_ID_KEY } from '../hono_context.js';
 import { query_actors_by_account } from '../auth/account_queries.js';
 import { get_route_params } from '../http/route_spec.js';
 import { ERROR_INVALID_ROUTE_PARAMS } from '../http/error_schemas.js';
 import { query_get_fact, query_get_fact_meta } from '../db/fact_queries.js';
-import { query_cell_list_by_ref } from '../db/cell_queries.js';
+import { query_cell_get } from '../db/cell_queries.js';
 import { query_cell_grant_list_for_cell } from '../db/cell_grant_queries.js';
 import { can_view_cell } from '../auth/cell_authorize.js';
 import { parse_file_fact_url } from './file_fact_url.js';
 /** `Cache-Control` for fact responses — 5 min revocation window. */
 const CACHE_CONTROL = 'private, max-age=300';
 /**
- * Path-param schema. Matching the canonical fact-hash form here pushes
- * malformed-hash 400s through the framework's standard params-validation
- * error shape (`ERROR_INVALID_ROUTE_PARAMS`), which the round-trip
- * validator expects.
+ * Path-param schema for the bare-hash route. Matching the canonical
+ * fact-hash form here pushes malformed-hash 400s through the framework's
+ * standard params-validation error shape (`ERROR_INVALID_ROUTE_PARAMS`),
+ * which the round-trip validator expects.
+ */
+const bare_hash_params_schema = z.strictObject({
+    hash: FactHashSchema,
+});
+/**
+ * Path-param schema for the cell-scoped route. `cell_id` validates as a
+ * `Uuid`; `hash` as the canonical fact-hash form. Malformed values 400 via
+ * the standard params-validation shape.
  */
-const params_schema = z.strictObject({
+const cell_fact_params_schema = z.strictObject({
+    cell_id: Uuid,
     hash: FactHashSchema,
 });
+/** Shared error-schema entry: tighten the auto-derived 400 to the literal emitted by params validation. */
+const params_400_error = {
+    400: z.looseObject({
+        error: z.literal(ERROR_INVALID_ROUTE_PARAMS),
+        issues: z.array(z.unknown()),
+    }),
+};
+/**
+ * Serve a fact's bytes by hash, after the caller has been authorized for it.
+ *
+ * This is the shared tail of both routes — it never re-checks authz, so it
+ * MUST only be called once the caller has been admitted (admin on the
+ * bare-hash route, viewable referencing cell on the cell-scoped route).
+ * Reuses the embedded-stream / `X-Accel-Redirect` / disk-stream logic.
+ *
+ * Returns 404 when the fact's metadata is missing or its embedded bytes
+ * have vanished (a race), so the response shape is identical whether the
+ * fact is genuinely absent or merely unviewable.
+ */
+const serve_fact_bytes = async (c, route, hash, config) => {
+    const { facts_dir, x_accel_redirect_prefix, log } = config;
+    const meta = await query_get_fact_meta({ db: route.db }, hash);
+    if (!meta) {
+        return c.body(null, 404);
+    }
+    const content_type = meta.content_type ?? 'application/octet-stream';
+    const size = String(meta.size);
+    if (meta.external_url === null) {
+        // Embedded — bytes live in the PG row.
+        const row = await query_get_fact({ db: route.db }, hash);
+        if (!row || row.bytes === null) {
+            // Race: meta said embedded but bytes vanished. Treat as not-found.
+            log.warn(`serve_fact: embedded bytes missing for ${hash} (meta said embedded, row=${row ? 'present' : 'null'})`);
+            return c.body(null, 404);
+        }
+        const bytes = to_uint8(row.bytes);
+        return c.body(bytes, 200, {
+            'Content-Type': content_type,
+            'Content-Length': size,
+            'Cache-Control': CACHE_CONTROL,
+        });
+    }
+    // External — defense-in-depth re-validate the URL before trusting it
+    // to address the filesystem.
+    const parsed = parse_file_fact_url(meta.external_url);
+    if (!parsed) {
+        log.error(`serve_fact: rejecting malformed external_url for ${hash}: ${meta.external_url}`);
+        return c.body(null, 404);
+    }
+    const { shard, rest } = parsed;
+    if (x_accel_redirect_prefix !== undefined) {
+        // Production: hand off to nginx via the internal facts location.
+        return c.body(null, 200, {
+            'Content-Type': content_type,
+            'Content-Length': size,
+            'Cache-Control': CACHE_CONTROL,
+            'X-Accel-Redirect': `${x_accel_redirect_prefix}${shard}/${rest}`,
+        });
+    }
+    // Dev / tests: stream from disk. `createReadStream` errors land on the
+    // returned ReadableStream, which Hono surfaces as a 500 to the client.
+    const file_path = join(facts_dir, shard, rest);
+    const node_stream = createReadStream(file_path);
+    const web_stream = Readable.toWeb(node_stream);
+    return c.body(web_stream, 200, {
+        'Content-Type': content_type,
+        'Content-Length': size,
+        'Cache-Control': CACHE_CONTROL,
+    });
+};
 /**
- * Build the `GET /api/facts/:hash` `RouteSpec`.
+ * Resolve the caller's `RequestContext` on a pure-public route from the
+ * session-middleware-set account id. Multi-actor accounts return `null`
+ * (no `acting?` slot on a public route to disambiguate); single-actor
+ * accounts resolve their actor and role_grants for owner / grant / admin
+ * admission paths. Unauthenticated callers return `null`.
+ */
+const build_public_request_context = async (c, route) => {
+    const account_id = c.get(ACCOUNT_ID_KEY);
+    if (!account_id)
+        return null;
+    const actors = await query_actors_by_account({ db: route.db }, account_id);
+    if (actors.length !== 1)
+        return null;
+    return build_request_context({ db: route.db }, account_id, actors[0].id);
+};
+/**
+ * Build the cell-scoped `GET /api/cells/:cell_id/facts/:hash` `RouteSpec`
+ * — the per-reference read.
+ *
+ * Resolves the named cell (404 if missing / soft-deleted), requires
+ * `can_view_cell(caller, cell)` AND `cell.refs` to include the hash
+ * (else 404, masked), then serves the bytes. Authz is scoped to this one
+ * `(cell, hash)` edge — never unioned across the fact's other referrers.
  *
  * Pure-public auth — the handler builds the per-request `RequestContext`
- * from `c.var.account_id` and enforces visibility per-fact via the
- * cell-walk above.
+ * from `c.var.account_id` and enforces visibility per-reference.
  */
-export const create_serve_fact_route_spec = (options) => {
+export const create_serve_cell_fact_route_spec = (options) => {
     const { facts_dir, x_accel_redirect_prefix, log } = options;
+    const config = { facts_dir, x_accel_redirect_prefix, log };
     return {
         method: 'GET',
-        path: '/api/facts/:hash',
+        path: '/api/cells/:cell_id/facts/:hash',
         auth: { account: 'none', actor: 'none' },
-        description: 'Serve content-addressed fact bytes. 404 unless at least one referencing cell admits the caller via can_view_cell.',
-        params: params_schema,
+        description: 'Serve content-addressed fact bytes through a named referencing cell. 404 unless the cell admits the caller via can_view_cell AND references the hash (per-reference, never union-of-referrers).',
+        params: cell_fact_params_schema,
         input: z.null(),
         // The body is a binary stream; no JSON output schema applies.
         output: z.null(),
-        errors: {
-            // Tighten the auto-derived 400 from `ApiError` (`error: string`) to
-            // the actual literal emitted by `create_params_validation`, so
-            // `assert_error_schema_tightness` reads the surface as specific
-            // rather than generic.
-            400: z.looseObject({
-                error: z.literal(ERROR_INVALID_ROUTE_PARAMS),
-                issues: z.array(z.unknown()),
-            }),
-        },
+        errors: params_400_error,
         handler: async (c, route) => {
-            const { hash } = get_route_params(c);
-            const meta = await query_get_fact_meta({ db: route.db }, hash);
-            if (!meta) {
+            const { cell_id, hash } = get_route_params(c);
+            // Resolve the named cell. Missing / soft-deleted → 404 (masked).
+            const cell = await query_cell_get({ db: route.db }, cell_id);
+            if (!cell) {
                 return c.body(null, 404);
             }
-            // Pure-public route — dispatcher skips the authorization phase, so
-            // build the `RequestContext` here from the session-middleware-set
-            // account id. Multi-actor accounts fall through with `null` (no
-            // `acting?` slot on a public route to disambiguate); single-actor
-            // accounts resolve their actor and role_grants for owner / grant /
-            // admin admission paths.
-            const account_id = c.get(ACCOUNT_ID_KEY);
-            let req_ctx = null;
-            if (account_id) {
-                const actors = await query_actors_by_account({ db: route.db }, account_id);
-                if (actors.length === 1) {
-                    req_ctx = await build_request_context({ db: route.db }, account_id, actors[0].id);
-                }
-            }
-            // `include_grant_count: false` — the authz walk only reads
-            // `can_view_cell`-relevant fields, so skip the per-row grant
-            // COUNT subquery. Cheap to begin with; even cheaper now.
-            const referencing_cells = await query_cell_list_by_ref({ db: route.db }, hash, {
-                include_grant_count: false,
-            });
-            // Sequential walk with early break on first admit — preserves
-            // the original `.some()` short-circuit. Unauthenticated callers
-            // skip the grant fetch entirely since no grant can admit a null
-            // req_ctx (the only admit path is the public-visibility branch
-            // in `can_view_cell`, which doesn't need grants). Authenticated
-            // callers eat one `cell_grant` lookup per referencing cell up
-            // to the first admit; acceptable at MVP fact-serve scale.
-            // TODO: if profiling shows this hot, batch grants in one query
-            // across all referencing cells, or push the predicate into SQL.
-            let viewable = false;
-            for (const cell of referencing_cells) {
-                const grants = req_ctx
-                    ? await query_cell_grant_list_for_cell({ db: route.db }, cell.id)
-                    : null;
-                if (can_view_cell(req_ctx, cell, grants)) {
-                    viewable = true;
-                    break;
-                }
-            }
-            if (!viewable) {
-                // 404 (not 403) so existence of private hashes doesn't leak
-                // through the public surface. Same response shape as a
-                // genuinely missing fact.
+            // The cell→fact edge: the cell must actually reference the hash.
+            // `cell.refs` is auto-derived from `data` on every write, so this is
+            // the authoritative "does this cell reference these bytes" check.
+            // Missing edge → 404 (masked), never "exists elsewhere".
+            if (!cell.refs?.includes(hash)) {
                 return c.body(null, 404);
             }
-            const content_type = meta.content_type ?? 'application/octet-stream';
-            const size = String(meta.size);
-            if (meta.external_url === null) {
-                // Embedded — bytes live in the PG row.
-                const row = await query_get_fact({ db: route.db }, hash);
-                if (!row || row.bytes === null) {
-                    // Race: meta said embedded but bytes vanished. Treat as not-found.
-                    log.warn(`serve_fact: embedded bytes missing for ${hash} (meta said embedded, row=${row ? 'present' : 'null'})`);
-                    return c.body(null, 404);
-                }
-                const bytes = to_uint8(row.bytes);
-                return c.body(bytes, 200, {
-                    'Content-Type': content_type,
-                    'Content-Length': size,
-                    'Cache-Control': CACHE_CONTROL,
-                });
-            }
-            // External — defense-in-depth re-validate the URL before trusting it
-            // to address the filesystem.
-            const parsed = parse_file_fact_url(meta.external_url);
-            if (!parsed) {
-                log.error(`serve_fact: rejecting malformed external_url for ${hash}: ${meta.external_url}`);
+            // Per-reference view check — scoped to *this* cell only.
+            const req_ctx = await build_public_request_context(c, route);
+            // Unauthenticated callers skip the grant fetch entirely — no grant
+            // can admit a null req_ctx (the only admit path is the
+            // public-visibility branch in `can_view_cell`, which doesn't read
+            // grants).
+            const grants = req_ctx ? await query_cell_grant_list_for_cell({ db: route.db }, cell.id) : null;
+            if (!can_view_cell(req_ctx, cell, grants)) {
+                // 404 (not 403) so an unviewable cell→fact edge doesn't leak.
                 return c.body(null, 404);
             }
-            const { shard, rest } = parsed;
-            if (x_accel_redirect_prefix !== undefined) {
-                // Production: hand off to nginx via the internal facts location.
-                return c.body(null, 200, {
-                    'Content-Type': content_type,
-                    'Content-Length': size,
-                    'Cache-Control': CACHE_CONTROL,
-                    'X-Accel-Redirect': `${x_accel_redirect_prefix}${shard}/${rest}`,
-                });
+            return serve_fact_bytes(c, route, hash, config);
+        },
+    };
+};
+/**
+ * Build the admin-only bare-hash `GET /api/facts/:hash` `RouteSpec`.
+ *
+ * An admin's reach already spans every cell, so serving by bare hash grants
+ * no escalation — the union concern that made this route a cross-owner leak
+ * for non-admins is vacuous for an admin. Non-admin callers are rejected at
+ * the auth phase (403) and never reach the handler. Confidential non-admin
+ * reads always go through the cell-scoped route above.
+ *
+ * Auth is `{account: 'required', actor: 'required', roles: ['admin']}` —
+ * the dispatcher's authorization phase resolves the acting actor and the
+ * post-authorization guard enforces the admin role before the handler runs.
+ * The handler re-checks `has_role(_, admin)` as defense-in-depth so a future
+ * mounting/auth-shape regression fails closed rather than serving by bare
+ * hash to a non-admin.
+ */
+export const create_serve_fact_route_spec = (options) => {
+    const { facts_dir, x_accel_redirect_prefix, log } = options;
+    const config = { facts_dir, x_accel_redirect_prefix, log };
+    return {
+        method: 'GET',
+        path: '/api/facts/:hash',
+        auth: { account: 'required', actor: 'required', roles: [ROLE_ADMIN] },
+        description: 'Serve content-addressed fact bytes by bare hash — admin only. Non-admin reads go through GET /api/cells/:cell_id/facts/:hash (per-reference).',
+        params: bare_hash_params_schema,
+        // `actor: 'required'` (implied by the admin role gate) needs the
+        // authorization phase to resolve an acting actor — registry-time
+        // invariant 2 requires the `acting?` slot. On a GET it lives on
+        // `query` (a multi-actor admin disambiguates via `?acting=<actor>`).
+        query: z.strictObject({ acting: ActingActor }),
+        input: z.null(),
+        // The body is a binary stream; no JSON output schema applies.
+        output: z.null(),
+        errors: params_400_error,
+        handler: async (c, route) => {
+            const { hash } = get_route_params(c);
+            // Defense-in-depth: the auth phase already gated this on the admin
+            // role, but re-check the resolved context so a mounting/auth-shape
+            // regression fails closed instead of serving by bare hash.
+            if (!has_role(get_request_context(c), ROLE_ADMIN)) {
+                return c.body(null, 404);
             }
-            // Dev / tests: stream from disk. `createReadStream` errors land on the
-            // returned ReadableStream, which Hono surfaces as a 500 to the client.
-            const file_path = join(facts_dir, shard, rest);
-            const node_stream = createReadStream(file_path);
-            const web_stream = Readable.toWeb(node_stream);
-            return c.body(web_stream, 200, {
-                'Content-Type': content_type,
-                'Content-Length': size,
-                'Cache-Control': CACHE_CONTROL,
-            });
+            return serve_fact_bytes(c, route, hash, config);
         },
     };
 };

package/dist/testing/CLAUDE.md

@@ -574,7 +574,11 @@ auth-related routes (login/logout/verify/sessions/tokens/password/signup)
 and asserts `DEFAULT_INTEGRATION_ERROR_COVERAGE` (20%). Bootstrap is
 excluded because no describe block in this suite drives it — its declared
 codes would always be uncovered. Consumer-specific routes aren't exercised
-here either — they don't count against the baseline. Override with
+here either — they don't count against the baseline. 403 authorization
+denials (the credential-channel gate on `/logout` + `/password`, the invite
+gate on `/signup`) are likewise excluded via `ignore_statuses: [403]` — they're
+exercised by the conformance + attack-surface suites, not this lifecycle suite.
+Override with
 `error_coverage_min?: number` (set to `0` to skip the assertion — useful for
 minimal route sets whose declared error codes outpace the suite's
 denial-path drivers).

package/dist/testing/integration.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"integration.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/integration.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAsB7B,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,2BAA2B,CAAC;AAM9D,OAAO,EAKN,KAAK,uBAAuB,EAC5B,MAAM,kBAAkB,CAAC;AAiB1B,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,oBAAoB,CAAC;AACvD,OAAO,EAAC,KAAK,mBAAmB,EAAC,MAAM,iCAAiC,CAAC;AACzE,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,0BAA0B,CAAC;AAGxD;;GAEG;AACH,MAAM,WAAW,8BAA8B;IAC9C;;;;OAIG;IACH,UAAU,EAAE,SAAS,CAAC;IACtB;;;;;;;;;OASG;IACH,cAAc,EAAE,cAAc,CAAC;IAC/B,kEAAkE;IAClE,YAAY,EAAE,mBAAmB,CAAC;IAClC;;;;OAIG;IACH,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC;;;;;;;;;;;;OAYG;IACH,aAAa,EAAE,uBAAuB,CAAC;IACvC;;;;;;;OAOG;IACH,kBAAkB,CAAC,EAAE,MAAM,CAAC;CAC5B;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAgCG;AACH,eAAO,MAAM,mCAAmC,GAC/C,SAAS,8BAA8B,KACrC,IA60CF,CAAC"}
+{"version":3,"file":"integration.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/integration.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAsB7B,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,2BAA2B,CAAC;AAM9D,OAAO,EAKN,KAAK,uBAAuB,EAC5B,MAAM,kBAAkB,CAAC;AAkB1B,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,oBAAoB,CAAC;AACvD,OAAO,EAAC,KAAK,mBAAmB,EAAC,MAAM,iCAAiC,CAAC;AACzE,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,0BAA0B,CAAC;AAGxD;;GAEG;AACH,MAAM,WAAW,8BAA8B;IAC9C;;;;OAIG;IACH,UAAU,EAAE,SAAS,CAAC;IACtB;;;;;;;;;OASG;IACH,cAAc,EAAE,cAAc,CAAC;IAC/B,kEAAkE;IAClE,YAAY,EAAE,mBAAmB,CAAC;IAClC;;;;OAIG;IACH,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC;;;;;;;;;;;;OAYG;IACH,aAAa,EAAE,uBAAuB,CAAC;IACvC;;;;;;;OAOG;IACH,kBAAkB,CAAC,EAAE,MAAM,CAAC;CAC5B;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAgCG;AACH,eAAO,MAAM,mCAAmC,GAC/C,SAAS,8BAA8B,KACrC,IAw6CF,CAAC"}

package/dist/testing/integration.js

@@ -23,6 +23,7 @@ import { ErrorCoverageCollector, assert_error_coverage, DEFAULT_INTEGRATION_ERRO
 import { is_public_auth } from '../http/auth_shape.js';
 import { account_verify_action_spec, account_session_list_action_spec, account_session_revoke_action_spec, account_session_revoke_all_action_spec, account_token_create_action_spec, account_token_list_action_spec, account_token_revoke_action_spec, } from '../auth/account_action_specs.js';
 import { invite_create_action_spec } from '../auth/admin_action_specs.js';
+import { LoginOutput, AccountStatusOutput } from '../auth/account_routes.js';
 import {} from './cross_backend/capabilities.js';
 import { DEFAULT_TEST_PASSWORD } from './app_server.js';
 /**
@@ -91,6 +92,14 @@ export const describe_standard_integration_tests = (options) => {
             });
             assert_error_coverage(error_collector, auth_routes.length > 0 ? auth_routes : route_specs, {
                 min_coverage: options.error_coverage_min ?? DEFAULT_INTEGRATION_ERROR_COVERAGE,
+                // Authorization denials (403) on these scoped auth routes — the
+                // credential-channel gate on /logout + /password, the invite gate on
+                // /signup — are exercised by the conformance + attack-surface suites,
+                // not this lifecycle suite. Drop 403 from this collector's denominator
+                // (same spirit as the [401, 403, 429] ignore in the attack-surface
+                // tightness defaults); otherwise #10 adding /logout's 403 to the spine
+                // surface tips the ratio under threshold here though the gate is tested.
+                ignore_statuses: [403],
             });
         });
         // --- 1. Login/logout lifecycle ---
@@ -269,6 +278,75 @@ export const describe_standard_integration_tests = (options) => {
                 assert.deepStrictEqual(wrong_pw_keys, no_user_keys, 'Response keys must be identical to prevent account enumeration');
                 assert.strictEqual(wrong_pw_body.error, no_user_body.error, 'Error codes must be identical');
             });
+            // Wire-shape gate: the successful `POST /login` body must strict-parse
+            // against `LoginOutput` (`{ok: true}`). `.strictObject` rejects any
+            // extra field, so a backend leaking `username` / `account_id` (the
+            // Rust spine's old shape) fails here on either impl.
+            test('successful login body strict-parses against LoginOutput', async () => {
+                const fixture = await options.setup_test();
+                const login_route = find_auth_route(route_specs, '/login', 'POST');
+                assert.ok(login_route, 'Expected POST /login route — ensure create_route_specs includes account routes');
+                const res = await fixture.transport(login_route.path, {
+                    method: 'POST',
+                    headers: {
+                        host: 'localhost',
+                        origin: 'http://localhost:5173',
+                        'content-type': 'application/json',
+                    },
+                    body: JSON.stringify({
+                        username: fixture.account.username,
+                        password: DEFAULT_TEST_PASSWORD,
+                    }),
+                });
+                assert.strictEqual(res.status, 200);
+                const body = await res.json();
+                // Throws on any extra or missing field — drift on either backend fails.
+                LoginOutput.parse(body);
+            });
+        });
+        // --- 1b. Account status body (strict schema) ---
+        describe('account status response body', () => {
+            // Wire-shape gate: the authenticated `GET /api/account/status` body
+            // must strict-parse against `AccountStatusOutput` — the full shape
+            // `{account: SessionAccountJson, actor: ActorSummaryJson | null,
+            // role_grants: RoleGrantSummaryJson[]}`. `.strictObject` rejects any
+            // extra or missing field on `account` / `actor` / each role_grant, so
+            // a backend returning the old narrow shape (Rust's `{account:{id,
+            // username}, role_grants:[{role}]}`) fails here on either impl. The
+            // fixture keeper is single-actor, so `actor` must be non-null and
+            // `role_grants` populated (keeper holds keeper + admin globally).
+            //
+            // `/status` is mounted at `create_app_server` time (it needs the
+            // `bootstrap_available` runtime state), not by `create_account_route_specs`
+            // and not listed in the declared surface, so we can't gate on `route_specs`.
+            // A backend that mounts only the account-route factory (e.g. a minimal
+            // in-process route set) doesn't serve it — probe at runtime and skip on
+            // 404. The full spine surfaces (in-process + cross-process) serve it, so
+            // the gate runs there. `find_auth_route` can't be used: `/status` isn't a
+            // `RestAuthRouteSuffix`.
+            test('authenticated status body strict-parses against AccountStatusOutput', async (ctx) => {
+                const fixture = await options.setup_test();
+                const login_route = find_auth_route(route_specs, '/login', 'POST');
+                assert.ok(login_route, 'Expected POST /login route — ensure create_route_specs includes account routes');
+                // `/status` is the sibling of `/login` under the same account prefix.
+                const status_path = login_route.path.replace(/\/login$/, '/status');
+                const res = await fixture.transport(status_path, {
+                    method: 'GET',
+                    headers: fixture.create_session_headers({ host: 'localhost' }),
+                });
+                if (res.status === 404) {
+                    // Backend doesn't mount /status (minimal route set) — nothing to gate.
+                    ctx.skip();
+                    return;
+                }
+                assert.strictEqual(res.status, 200);
+                const body = await res.json();
+                // Throws on any extra/missing field across account/actor/role_grants.
+                const parsed = AccountStatusOutput.parse(body);
+                // Single-actor keeper: actor resolved, role_grants populated.
+                assert.ok(parsed.actor, 'single-actor keeper must resolve a non-null actor');
+                assert.ok(parsed.role_grants.length > 0, 'single-actor keeper must have populated role_grants');
+            });
         });
         // --- 2. Cookie attributes ---
         describe('cookie attributes', () => {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@fuzdev/fuz_app",
-  "version": "0.75.0",
+  "version": "0.76.0",
   "description": "fullstack app library",
   "glyph": "🗝",
   "logo": "logo.svg",
@@ -63,10 +63,10 @@
   },
   "devDependencies": {
     "@electric-sql/pglite": "^0.4.5",
-    "@fuzdev/blake3_wasm": "^0.1.0",
+    "@fuzdev/blake3_wasm": "^0.1.1",
     "@fuzdev/fuz_code": "^0.45.1",
-    "@fuzdev/fuz_css": "^0.60.0",
-    "@fuzdev/fuz_ui": "^0.195.1",
+    "@fuzdev/fuz_css": "^0.61.1",
+    "@fuzdev/fuz_ui": "^0.197.0",
     "@fuzdev/fuz_util": "^0.63.0",
     "@fuzdev/gro": "^0.200.0",
     "@hono/node-server": "^1.19.14",
@@ -94,7 +94,7 @@
     "prettier-plugin-svelte": "^3.5.1",
     "svelte": "^5.56.0",
     "svelte-check": "^4.4.5",
-    "svelte-docinfo": "^0.2.0",
+    "svelte-docinfo": "^0.2.1",
     "svelte2tsx": "^0.7.52",
     "tslib": "^2.8.1",
     "typescript": "^5.9.3",