@fuzdev/fuz_app 0.78.1 → 0.80.0

package/dist/actions/CLAUDE.md

@@ -5,11 +5,11 @@
 > symmetric send/receive.
 
 For consumer wiring (client-authoritative vs server-authoritative dispatch,
-role-grant-offer UI integration), see ../../docs/usage.md §Deriving
+role-grant-offer UI integration), see ../../../docs/usage.md §Deriving
 Route/Event Specs, §Single JSON-RPC 2.0 Endpoint, §WebSocket Endpoint. For
-DEV-only output validation semantics see ../../docs/architecture.md
+DEV-only output validation semantics see ../../../docs/architecture.md
 §DEV-only Output Validation. For the SAES binding matrix and middleware
-ordering see the root ../../CLAUDE.md §Action Spec System (SAES) and
+ordering see the root ../../../CLAUDE.md §Action Spec System (SAES) and
 §Middleware Ordering.
 
 **CLAUDE.md is a map; TSDoc is the detail.** Per-symbol semantics
@@ -58,7 +58,7 @@ Optional fields:
 Canonical spec shape: module-scope `satisfies` declaration with
 `{method}_action_spec` naming, preserving the literal `method` type and
 dropping per-spec `*_METHOD` constants (readers dereference `.method`). See
-../../docs/usage.md §Canonical action-spec shape.
+../../../docs/usage.md §Canonical action-spec shape.
 
 ## Kind → binding matrix
 
@@ -300,7 +300,7 @@ the response unchanged, do not throw, do not mutate status.
 
 Caller-facing `input` schemas are validated **always** (DEV + production)
 — they're the contract with external callers. Server-authored `output`
-schemas are internal data. See ../../docs/architecture.md §DEV-only Output
+schemas are internal data. See ../../../docs/architecture.md §DEV-only Output
 Validation for full rationale.
 
 ## Transports

package/dist/actions/action_rpc.d.ts

@@ -59,7 +59,7 @@ export interface ActionContext {
     pending_effects: Array<Promise<void>>;
     /**
      * Deferred post-commit thunks — do not push directly; reach for
-     * `emit_after_commit(ctx, fn)` from `pending_effects.ts`. The flush
+     * `emit_after_commit(ctx, fn)` from `http/pending_effects.ts`. The flush
      * site invokes each thunk after the handler (and any wrapping
      * `db.transaction`) returns.
      */

package/dist/actions/compile_action_registry.d.ts

@@ -20,7 +20,7 @@
  *    kind / handler presence.
  *
  * Pre-consolidation each dispatcher inlined these checks; the comment
- * in `register_action_ws.ts` literally said "mirrors the HTTP RPC
+ * in `actions/register_action_ws.ts` literally said "mirrors the HTTP RPC
  * registration check" but nothing kept them mirrored. Centralizing the
  * loop closes the most likely future drift surface.
  *

package/dist/actions/compile_action_registry.js

@@ -20,7 +20,7 @@
  *    kind / handler presence.
  *
  * Pre-consolidation each dispatcher inlined these checks; the comment
- * in `register_action_ws.ts` literally said "mirrors the HTTP RPC
+ * in `actions/register_action_ws.ts` literally said "mirrors the HTTP RPC
  * registration check" but nothing kept them mirrored. Centralizing the
  * loop closes the most likely future drift surface.
  *

package/dist/actions/connection_closer.d.ts

@@ -7,7 +7,7 @@
  * message but does NOT re-query session / token validity — that
  * trade-off keeps chatty connections fast. The cost: revocation
  * doesn't actually disconnect open sockets unless something closes
- * them. `transports_ws_auth_guard.ts` is the listener-based seam
+ * them. `actions/transports_ws_auth_guard.ts` is the listener-based seam
  * (audit-event → close), but it only fires after the audit INSERT
  * succeeds — if the INSERT fails (DB error, pool exhausted, handler
  * dies mid-flight) the listener never runs and the live socket keeps

package/dist/actions/connection_closer.js

@@ -7,7 +7,7 @@
  * message but does NOT re-query session / token validity — that
  * trade-off keeps chatty connections fast. The cost: revocation
  * doesn't actually disconnect open sockets unless something closes
- * them. `transports_ws_auth_guard.ts` is the listener-based seam
+ * them. `actions/transports_ws_auth_guard.ts` is the listener-based seam
  * (audit-event → close), but it only fires after the audit INSERT
  * succeeds — if the INSERT fails (DB error, pool exhausted, handler
  * dies mid-flight) the listener never runs and the live socket keeps

package/dist/auth/actor_lookup_action_specs.d.ts

@@ -41,7 +41,7 @@
  * 2. {@link ACTOR_LOOKUP_IDS_MAX} cap per call,
  * 3. actor-uuid intractability (122-bit random),
  * 4. hard-deleted actors are indistinguishable from never-existed (no
- *    tombstone oracle — see `actor_lookup_queries.ts`).
+ *    tombstone oracle — see `auth/actor_lookup_queries.ts`).
  *
  * Response order is unspecified — callers index by `id` when needed.
  *

package/dist/auth/actor_lookup_action_specs.js

@@ -41,7 +41,7 @@
  * 2. {@link ACTOR_LOOKUP_IDS_MAX} cap per call,
  * 3. actor-uuid intractability (122-bit random),
  * 4. hard-deleted actors are indistinguishable from never-existed (no
- *    tombstone oracle — see `actor_lookup_queries.ts`).
+ *    tombstone oracle — see `auth/actor_lookup_queries.ts`).
  *
  * Response order is unspecified — callers index by `id` when needed.
  *

package/dist/auth/actor_lookup_queries.d.ts

@@ -10,7 +10,7 @@
  * The inner join still resolves one row per actor — `actor.account_id`
  * is `NOT NULL` so every actor has exactly one account.
  *
- * Info-leak posture (see `actor_lookup_action_specs.ts` §audit):
+ * Info-leak posture (see `auth/actor_lookup_action_specs.ts` §audit):
  *
  * - Row shape **omits** `account_id` — the join is control-plane,
  *   not wire-visible.

package/dist/auth/actor_lookup_queries.js

@@ -10,7 +10,7 @@
  * The inner join still resolves one row per actor — `actor.account_id`
  * is `NOT NULL` so every actor has exactly one account.
  *
- * Info-leak posture (see `actor_lookup_action_specs.ts` §audit):
+ * Info-leak posture (see `auth/actor_lookup_action_specs.ts` §audit):
  *
  * - Row shape **omits** `account_id` — the join is control-plane,
  *   not wire-visible.

package/dist/auth/actor_search_actions.d.ts

@@ -19,7 +19,7 @@
  *
  * `display_name` is omitted (not `null`) when `actor.name` is blank,
  * matching the wire shape `ActorLookupEntryJson.display_name?` — same
- * convention as `actor_lookup_actions.ts`.
+ * convention as `auth/actor_lookup_actions.ts`.
  *
  * @module
  */

package/dist/auth/actor_search_actions.js

@@ -19,7 +19,7 @@
  *
  * `display_name` is omitted (not `null`) when `actor.name` is blank,
  * matching the wire shape `ActorLookupEntryJson.display_name?` — same
- * convention as `actor_lookup_actions.ts`.
+ * convention as `auth/actor_lookup_actions.ts`.
  *
  * @module
  */

package/dist/auth/actor_search_queries.d.ts

@@ -1,7 +1,7 @@
 /**
  * Prefix-based actor search.
  *
- * Sibling to `actor_lookup_queries.ts` — that resolves a batch of ids to
+ * Sibling to `auth/actor_lookup_queries.ts` — that resolves a batch of ids to
  * labels; this resolves a partial name to candidate actors. Same row
  * shape (`ActorLookupRow`) so the labels arc on the consumer side stays
  * uniform.
@@ -29,10 +29,10 @@
  * gates), no role_grant join — every actor with a matching prefix is
  * returned.
  *
- * ## Info-leak posture (see `actor_search_action_specs.ts` §audit)
+ * ## Info-leak posture (see `auth/actor_search_action_specs.ts` §audit)
  *
  * - Row shape **omits** `account_id` — the join is control-plane, not
- *   wire-visible. Identical to `actor_lookup_queries.ts`.
+ *   wire-visible. Identical to `auth/actor_lookup_queries.ts`.
  * - Hard-deleted actors (cascade-orphaned via `actor.account_id` FK)
  *   drop out silently.
  * - No `created_at` / `updated_at` projected (timing-oracle avoidance).

package/dist/auth/actor_search_queries.js

@@ -1,7 +1,7 @@
 /**
  * Prefix-based actor search.
  *
- * Sibling to `actor_lookup_queries.ts` — that resolves a batch of ids to
+ * Sibling to `auth/actor_lookup_queries.ts` — that resolves a batch of ids to
  * labels; this resolves a partial name to candidate actors. Same row
  * shape (`ActorLookupRow`) so the labels arc on the consumer side stays
  * uniform.
@@ -29,10 +29,10 @@
  * gates), no role_grant join — every actor with a matching prefix is
  * returned.
  *
- * ## Info-leak posture (see `actor_search_action_specs.ts` §audit)
+ * ## Info-leak posture (see `auth/actor_search_action_specs.ts` §audit)
  *
  * - Row shape **omits** `account_id` — the join is control-plane, not
- *   wire-visible. Identical to `actor_lookup_queries.ts`.
+ *   wire-visible. Identical to `auth/actor_lookup_queries.ts`.
  * - Hard-deleted actors (cascade-orphaned via `actor.account_id` FK)
  *   drop out silently.
  * - No `created_at` / `updated_at` projected (timing-oracle avoidance).

package/dist/auth/all_action_spec_registries.d.ts

@@ -12,7 +12,7 @@
  * everything into a single mount would silently widen the dispatch surface
  * the moment a new opt-in landed — the exact failure mode this module is
  * built to detect, not propagate. See `./CLAUDE.md` §RPC actions
- * (`standard_rpc_actions.ts`).
+ * (`auth/standard_rpc_actions.ts`).
  *
  * Use cases for this registry:
  *

package/dist/auth/all_action_spec_registries.js

@@ -12,7 +12,7 @@
  * everything into a single mount would silently widen the dispatch surface
  * the moment a new opt-in landed — the exact failure mode this module is
  * built to detect, not propagate. See `./CLAUDE.md` §RPC actions
- * (`standard_rpc_actions.ts`).
+ * (`auth/standard_rpc_actions.ts`).
  *
  * Use cases for this registry:
  *

package/dist/auth/cell_action_specs.d.ts

@@ -114,7 +114,7 @@ export declare const CELL_RELATIONS_BUNDLE_LIMIT = 500;
  * Wire form for a cell row. `data` is the typed-but-permissive `CellData`
  * shape (kind / label / summary typed-and-optional, additional fields
  * pass through). Per-kind shape validation is sub-API and handled by
- * the app's `validate_data` deps callback (see `cell_actions.ts`).
+ * the app's `validate_data` deps callback (see `auth/cell_actions.ts`).
  *
  * `visibility` is the access-control axis — a top-level column on the
  * row, not a field inside `data`. `cell_grant` and `visibility` are the

package/dist/auth/cell_action_specs.js

@@ -120,7 +120,7 @@ export const CELL_RELATIONS_BUNDLE_LIMIT = 500;
  * Wire form for a cell row. `data` is the typed-but-permissive `CellData`
  * shape (kind / label / summary typed-and-optional, additional fields
  * pass through). Per-kind shape validation is sub-API and handled by
- * the app's `validate_data` deps callback (see `cell_actions.ts`).
+ * the app's `validate_data` deps callback (see `auth/cell_actions.ts`).
  *
  * `visibility` is the access-control axis — a top-level column on the
  * row, not a field inside `data`. `cell_grant` and `visibility` are the

package/dist/auth/cell_actions.d.ts

@@ -2,7 +2,7 @@
  * Generic cell RPC action handlers.
  *
  * Six `request_response` actions bound to the specs in
- * `./cell_action_specs.ts`:
+ * `auth/cell_action_specs.ts`:
  *
  * - Mutations: `cell_create`, `cell_update`, `cell_delete`, `cell_clone`.
  * - Reads: `cell_get`, `cell_list`.
@@ -30,7 +30,7 @@
  * Mutations emit `cell_create` / `cell_update` / `cell_delete` audit
  * events via `deps.audit.emit(...)`. The `AuditLogConfig` threaded through
  * the consumer's `audit_factory` (see `create_app_backend`) must declare
- * the cell event types (see `./cell_audit_metadata.ts`).
+ * the cell event types (see `auth/cell_audit_metadata.ts`).
  *
  * App vocabulary (e.g., collection / entry kinds) lives in client-side
  * helpers and per-app `validate_data` deps — this layer is generic-only

package/dist/auth/cell_actions.js

@@ -2,7 +2,7 @@
  * Generic cell RPC action handlers.
  *
  * Six `request_response` actions bound to the specs in
- * `./cell_action_specs.ts`:
+ * `auth/cell_action_specs.ts`:
  *
  * - Mutations: `cell_create`, `cell_update`, `cell_delete`, `cell_clone`.
  * - Reads: `cell_get`, `cell_list`.
@@ -30,7 +30,7 @@
  * Mutations emit `cell_create` / `cell_update` / `cell_delete` audit
  * events via `deps.audit.emit(...)`. The `AuditLogConfig` threaded through
  * the consumer's `audit_factory` (see `create_app_backend`) must declare
- * the cell event types (see `./cell_audit_metadata.ts`).
+ * the cell event types (see `auth/cell_audit_metadata.ts`).
  *
  * App vocabulary (e.g., collection / entry kinds) lives in client-side
  * helpers and per-app `validate_data` deps — this layer is generic-only

package/dist/auth/cell_audit_events.d.ts

@@ -9,9 +9,9 @@
  * alongside.
  *
  * Aggregator module by design — not a compat shim. The per-event metadata
- * schemas live in their own files (`cell_audit_metadata.ts`,
- * `cell_grant_audit_metadata.ts`, `cell_field_audit_metadata.ts`,
- * `cell_item_audit_metadata.ts`); this module is the single registration
+ * schemas live in their own files (`auth/cell_audit_metadata.ts`,
+ * `auth/cell_grant_audit_metadata.ts`, `auth/cell_field_audit_metadata.ts`,
+ * `auth/cell_item_audit_metadata.ts`); this module is the single registration
  * surface that keeps the keys in lockstep with the handlers.
  *
  * @module

package/dist/auth/cell_audit_events.js

@@ -9,9 +9,9 @@
  * alongside.
  *
  * Aggregator module by design — not a compat shim. The per-event metadata
- * schemas live in their own files (`cell_audit_metadata.ts`,
- * `cell_grant_audit_metadata.ts`, `cell_field_audit_metadata.ts`,
- * `cell_item_audit_metadata.ts`); this module is the single registration
+ * schemas live in their own files (`auth/cell_audit_metadata.ts`,
+ * `auth/cell_grant_audit_metadata.ts`, `auth/cell_field_audit_metadata.ts`,
+ * `auth/cell_item_audit_metadata.ts`); this module is the single registration
  * surface that keeps the keys in lockstep with the handlers.
  *
  * @module

package/dist/auth/cell_data_schema.d.ts

@@ -8,7 +8,7 @@
  * Loose object: arbitrary additional fields pass through unvalidated,
  * preserving the "unknown kinds ship without RPC churn" property. Per-kind
  * shape enforcement is opt-in via the `validate_data` deps slot — see
- * `cell_actions.ts`.
+ * `auth/cell_actions.ts`.
  *
  * **Discipline**: a field joins `CellData` only when at least two
  * consumers in different domains read it generically. `kind` (editor
@@ -20,7 +20,7 @@
  * **Visibility is not in here.** Access control is a peer of `cell_grant`,
  * not content metadata — `cell.visibility` lives as a top-level column on
  * `CellJson` and `CellRow` (the `CellVisibility` enum is defined in
- * `cell_action_specs.ts` next to the wire fields that use it), and is
+ * `auth/cell_action_specs.ts` next to the wire fields that use it), and is
  * enforced by `can_view_cell` reading the column directly (no JSON dive).
  *
  * @module

package/dist/auth/cell_data_schema.js

@@ -8,7 +8,7 @@
  * Loose object: arbitrary additional fields pass through unvalidated,
  * preserving the "unknown kinds ship without RPC churn" property. Per-kind
  * shape enforcement is opt-in via the `validate_data` deps slot — see
- * `cell_actions.ts`.
+ * `auth/cell_actions.ts`.
  *
  * **Discipline**: a field joins `CellData` only when at least two
  * consumers in different domains read it generically. `kind` (editor
@@ -20,7 +20,7 @@
  * **Visibility is not in here.** Access control is a peer of `cell_grant`,
  * not content metadata — `cell.visibility` lives as a top-level column on
  * `CellJson` and `CellRow` (the `CellVisibility` enum is defined in
- * `cell_action_specs.ts` next to the wire fields that use it), and is
+ * `auth/cell_action_specs.ts` next to the wire fields that use it), and is
  * enforced by `can_view_cell` reading the column directly (no JSON dive).
  *
  * @module

package/dist/auth/cell_field_actions.d.ts

@@ -2,7 +2,7 @@
  * Cell-field RPC handlers.
  *
  * Three `request_response` actions bound to the specs in
- * `./cell_field_action_specs.ts`:
+ * `auth/cell_field_action_specs.ts`:
  *
  * - `cell_field_set` — admin / owner / editor-grant on `source` may set;
  *   `target` must be view-admitted (so a caller can't link to a cell they
@@ -16,10 +16,10 @@
  *   first, then filter rows by `can_view_cell(source)`.
  *
  * IDOR-mask 404s on cell-miss / cell-unviewable, mirroring the existence-
- * leak guards in `cell_actions.ts` / `cell_grant_actions.ts`.
+ * leak guards in `auth/cell_actions.ts` / `auth/cell_grant_actions.ts`.
  *
  * Audit events `cell_field_set` / `cell_field_delete` carry IDs only —
- * see `./cell_field_audit_metadata.ts`.
+ * see `auth/cell_field_audit_metadata.ts`.
  *
  * @module
  */

package/dist/auth/cell_field_actions.js

@@ -2,7 +2,7 @@
  * Cell-field RPC handlers.
  *
  * Three `request_response` actions bound to the specs in
- * `./cell_field_action_specs.ts`:
+ * `auth/cell_field_action_specs.ts`:
  *
  * - `cell_field_set` — admin / owner / editor-grant on `source` may set;
  *   `target` must be view-admitted (so a caller can't link to a cell they
@@ -16,10 +16,10 @@
  *   first, then filter rows by `can_view_cell(source)`.
  *
  * IDOR-mask 404s on cell-miss / cell-unviewable, mirroring the existence-
- * leak guards in `cell_actions.ts` / `cell_grant_actions.ts`.
+ * leak guards in `auth/cell_actions.ts` / `auth/cell_grant_actions.ts`.
  *
  * Audit events `cell_field_set` / `cell_field_delete` carry IDs only —
- * see `./cell_field_audit_metadata.ts`.
+ * see `auth/cell_field_audit_metadata.ts`.
  *
  * @module
  */

package/dist/auth/cell_grant_actions.d.ts

@@ -2,7 +2,7 @@
  * Cell-grant ACL RPC handlers.
  *
  * Three `request_response` actions bound to specs in
- * `./cell_grant_action_specs.ts`:
+ * `auth/cell_grant_action_specs.ts`:
  *
  * Grant management is **manage-tier only** (`can_manage_cell` = admin /
  * owner). Editor-grant holders may edit a cell's content + relations but
@@ -22,10 +22,10 @@
  *
  * All three 404 with `cell_not_found` on cell-miss / cell-unviewable, and
  * with `cell_grant_not_found` on grant-miss, mirroring the existence-leak
- * guards in `cell_actions.ts`.
+ * guards in `auth/cell_actions.ts`.
  *
  * Audit events `cell_grant_create` / `cell_grant_revoke` carry IDs only
- * (no display-name snapshots); see `./cell_grant_audit_metadata.ts`.
+ * (no display-name snapshots); see `auth/cell_grant_audit_metadata.ts`.
  *
  * @module
  */

package/dist/auth/cell_grant_actions.js

@@ -2,7 +2,7 @@
  * Cell-grant ACL RPC handlers.
  *
  * Three `request_response` actions bound to specs in
- * `./cell_grant_action_specs.ts`:
+ * `auth/cell_grant_action_specs.ts`:
  *
  * Grant management is **manage-tier only** (`can_manage_cell` = admin /
  * owner). Editor-grant holders may edit a cell's content + relations but
@@ -22,10 +22,10 @@
  *
  * All three 404 with `cell_not_found` on cell-miss / cell-unviewable, and
  * with `cell_grant_not_found` on grant-miss, mirroring the existence-leak
- * guards in `cell_actions.ts`.
+ * guards in `auth/cell_actions.ts`.
  *
  * Audit events `cell_grant_create` / `cell_grant_revoke` carry IDs only
- * (no display-name snapshots); see `./cell_grant_audit_metadata.ts`.
+ * (no display-name snapshots); see `auth/cell_grant_audit_metadata.ts`.
  *
  * @module
  */

package/dist/auth/cell_item_actions.d.ts

@@ -2,7 +2,7 @@
  * Cell-item RPC handlers.
  *
  * Four `request_response` actions bound to the specs in
- * `./cell_item_action_specs.ts`:
+ * `auth/cell_item_action_specs.ts`:
  *
  * - `cell_item_insert` — admin / owner / editor-grant on `parent` may
  *   insert; `child` must be view-admitted. Returns
@@ -19,10 +19,10 @@
  *   filter rows by `can_view_cell(parent)`.
  *
  * IDOR-mask 404s on cell-miss / cell-unviewable, mirroring the existence-
- * leak guards in `cell_actions.ts`.
+ * leak guards in `auth/cell_actions.ts`.
  *
  * Audit events `cell_item_insert` / `cell_item_move` / `cell_item_delete`
- * carry IDs only — see `./cell_item_audit_metadata.ts`.
+ * carry IDs only — see `auth/cell_item_audit_metadata.ts`.
  *
  * @module
  */

package/dist/auth/cell_item_actions.js

@@ -2,7 +2,7 @@
  * Cell-item RPC handlers.
  *
  * Four `request_response` actions bound to the specs in
- * `./cell_item_action_specs.ts`:
+ * `auth/cell_item_action_specs.ts`:
  *
  * - `cell_item_insert` — admin / owner / editor-grant on `parent` may
  *   insert; `child` must be view-admitted. Returns
@@ -19,10 +19,10 @@
  *   filter rows by `can_view_cell(parent)`.
  *
  * IDOR-mask 404s on cell-miss / cell-unviewable, mirroring the existence-
- * leak guards in `cell_actions.ts`.
+ * leak guards in `auth/cell_actions.ts`.
  *
  * Audit events `cell_item_insert` / `cell_item_move` / `cell_item_delete`
- * carry IDs only — see `./cell_item_audit_metadata.ts`.
+ * carry IDs only — see `auth/cell_item_audit_metadata.ts`.
  *
  * @module
  */

package/dist/db/cell_queries.d.ts

@@ -32,8 +32,8 @@ import type { CellVisibility } from '../auth/cell_action_specs.js';
  * written, and the wire validates `CellData` on every write.
  *
  * Parent↔child membership and named relations live in the `cell_item` /
- * `cell_field` sibling tables (see `cell_item_queries.ts` /
- * `cell_field_queries.ts`). The cell row carries identity + content only.
+ * `cell_field` sibling tables (see `db/cell_item_queries.ts` /
+ * `db/cell_field_queries.ts`). The cell row carries identity + content only.
  *
  * `grant_count` is a derived projection (correlated subquery against
  * `cell_grant` keyed by `cell_id`, served by `idx_cell_grant_cell`) —

package/dist/db/cell_queries.js

@@ -307,7 +307,7 @@ export const query_cell_list = async (deps, params) => {
  * either an actor-shaped principal (`g.actor_id = $11`) or a
  * role-shaped principal whose `(role, scope_id)` matches a row in the
  * `caller_role_grants` CTE. NULL `g.scope_id` matches any scope, mirroring
- * `grant_admits` in `cell_authorize.ts`.
+ * `grant_admits` in `auth/cell_authorize.ts`.
  */
 const grant_admits_caller_predicate = (g_alias) => `(
 	     ($11::uuid IS NOT NULL AND ${g_alias}.actor_id = $11)

package/dist/http/CLAUDE.md

@@ -10,7 +10,7 @@ other domains should do the same — extend, don't special-case.
 
 For the design rationale behind declarative routes, DEV-only output
 validation, the three-layer error-schema merge, and fire-and-forget
-effects, see ../../docs/architecture.md.
+effects, see ../../../docs/architecture.md.
 
 ## Module Map
 
@@ -134,7 +134,7 @@ are the contract with external callers.
 
 Production short-circuits to the unwrapped handler — no parse work on the
 hot path. Uniform across all three action-handler surfaces (REST, RPC,
-WS); see ../../docs/architecture.md §DEV-only Output Validation.
+WS); see ../../../docs/architecture.md §DEV-only Output Validation.
 
 ### Helpers
 
@@ -297,7 +297,7 @@ pull in route types.
 Resolves the real client IP from `X-Forwarded-For` only when the TCP
 connection is from a configured trusted proxy. Without this middleware,
 `get_client_ip(c)` returns `'unknown'`. Must run **before** auth and
-rate-limiting middleware (see root ../../CLAUDE.md §Middleware Ordering).
+rate-limiting middleware (see root ../../../CLAUDE.md §Middleware Ordering).
 
 Per-symbol semantics on TSDoc; the cross-cutting properties:
 
@@ -492,7 +492,7 @@ Interfaces exported for consumer use: `TableInfo`, `TableWithCount`,
 
 ## Cross-Module Notes
 
-- **Middleware ordering** is assembled by `create_app_server` — see the root ../../CLAUDE.md §Middleware Ordering. The invariants `http/` needs consumers to uphold: trusted-proxy runs before auth/rate-limit; origin verification runs before session parsing; `client_ip` must be set before any handler or rate limiter reads it
+- **Middleware ordering** is assembled by `create_app_server` — see the root ../../../CLAUDE.md §Middleware Ordering. The invariants `http/` needs consumers to uphold: trusted-proxy runs before auth/rate-limit; origin verification runs before session parsing; `client_ip` must be set before any handler or rate limiter reads it
 - **No re-exports.** Import every symbol from its canonical source module. `http/surface.ts` no longer re-exports schema helpers — go through `http/schema_helpers.ts`
 - **Input/output schemas align with SAES.** When wiring RPC via `actions/action_rpc.ts` or bridging to `RouteSpec` via `actions/action_bridge.ts`, the same Zod types flow through unchanged (see `actions/CLAUDE.md` §Single JSON-RPC 2.0 endpoint and §HTTP bridge)
 - **Error modules are complementary, not redundant.** `http/error_schemas.ts` is Zod-first (for routes and surface); `http/jsonrpc_errors.ts` is throw-first (for handlers and the catch layer). A single `ERROR_*` code can be raised either way depending on whether the handler needs to also attach diagnostic fields

package/dist/http/auth_shape.d.ts

@@ -15,8 +15,8 @@
  * The same shape governs both `ActionSpec.auth` (in `actions/action_spec.ts`)
  * and `RouteSpec.auth` (in `http/route_spec.ts`). The canonical schema
  * lives here in `http/` because that preserves the existing
- * `actions → http` dependency direction (and `error_schemas.ts` /
- * `surface.ts` consume the type).
+ * `actions → http` dependency direction (and `http/error_schemas.ts` /
+ * `http/surface.ts` consume the type).
  *
  * Registry-time invariants 1, 3, and 4 live on the schema's
  * `.superRefine` so any spec that fails them throws at the Zod parse

package/dist/http/auth_shape.js

@@ -15,8 +15,8 @@
  * The same shape governs both `ActionSpec.auth` (in `actions/action_spec.ts`)
  * and `RouteSpec.auth` (in `http/route_spec.ts`). The canonical schema
  * lives here in `http/` because that preserves the existing
- * `actions → http` dependency direction (and `error_schemas.ts` /
- * `surface.ts` consume the type).
+ * `actions → http` dependency direction (and `http/error_schemas.ts` /
+ * `http/surface.ts` consume the type).
  *
  * Registry-time invariants 1, 3, and 4 live on the schema's
  * `.superRefine` so any spec that fails them throws at the Zod parse

package/dist/http/ip_canonical.d.ts

@@ -41,7 +41,7 @@
  * set — brackets, whitespace, control bytes, letters g–z — disqualifies
  * the input from parsing.
  *
- * Same regex `proxy.ts`'s `validate_ip_strict` uses; exported here so
+ * Same regex `http/proxy.ts`'s `validate_ip_strict` uses; exported here so
  * both modules can share one source of truth.
  */
 export declare const IP_LITERAL_CHARS: RegExp;

package/dist/http/ip_canonical.js

@@ -42,7 +42,7 @@ import { convertIPv6ToBinary, distinctRemoteAddr } from 'hono/utils/ipaddr';
  * set — brackets, whitespace, control bytes, letters g–z — disqualifies
  * the input from parsing.
  *
- * Same regex `proxy.ts`'s `validate_ip_strict` uses; exported here so
+ * Same regex `http/proxy.ts`'s `validate_ip_strict` uses; exported here so
  * both modules can share one source of truth.
  */
 export const IP_LITERAL_CHARS = /^[0-9a-fA-F.:]+$/;

package/dist/http/proxy.d.ts

@@ -13,7 +13,7 @@ import type { MiddlewareSpec } from './middleware_spec.js';
 /**
  * Normalize an IP address for consistent matching and storage.
  *
- * Delegates to `canonicalize_ip` from `ip_canonical.ts` — collapses
+ * Delegates to `canonicalize_ip` from `http/ip_canonical.ts` — collapses
  * RFC 5952-equivalent IPv6 forms (`::1`, `::0001`, `0:0:0:0:0:0:0:1`)
  * into a single key, emits IPv4-mapped IPv6 in dotted form, and
  * strips the `::ffff:` prefix from dotted IPv4-mapped values so the

package/dist/http/proxy.js

@@ -12,7 +12,7 @@ import { canonicalize_ip, IP_LITERAL_CHARS } from './ip_canonical.js';
 /**
  * Normalize an IP address for consistent matching and storage.
  *
- * Delegates to `canonicalize_ip` from `ip_canonical.ts` — collapses
+ * Delegates to `canonicalize_ip` from `http/ip_canonical.ts` — collapses
  * RFC 5952-equivalent IPv6 forms (`::1`, `::0001`, `0:0:0:0:0:0:0:1`)
  * into a single key, emits IPv4-mapped IPv6 in dotted form, and
  * strips the `::ffff:` prefix from dotted IPv4-mapped values so the

package/dist/http/route_spec.d.ts

@@ -83,7 +83,7 @@ export interface RouteContext {
     pending_effects: Array<Promise<void>>;
     /**
      * Deferred post-commit thunks — do not push directly; reach for
-     * `emit_after_commit(ctx, fn)` from `pending_effects.ts`. The flush
+     * `emit_after_commit(ctx, fn)` from `http/pending_effects.ts`. The flush
      * middleware invokes each thunk after the handler (and any wrapping
      * `db.transaction`) returns, closing the microtask-ordering window
      * that an eager `Promise.resolve().then(fn)` leaves open inside the

package/dist/server/app_server_context.d.ts

@@ -3,7 +3,7 @@
  *
  * Lives in its own module — separate from `server/app_server.ts` — so it can
  * be consumed as a **pure type** without dragging in the server-assembly
- * machinery. `app_server.ts` value-imports `hono` (it builds the `Hono` app),
+ * machinery. `server/app_server.ts` value-imports `hono` (it builds the `Hono` app),
  * so importing anything from it forces `hono` to be installed. Contract-only
  * consumers — cross-process test surfaces, Rust-backed servers that reuse the
  * route/RPC spec factories without running the TS server — need

package/dist/server/app_server_context.js

@@ -3,7 +3,7 @@
  *
  * Lives in its own module — separate from `server/app_server.ts` — so it can
  * be consumed as a **pure type** without dragging in the server-assembly
- * machinery. `app_server.ts` value-imports `hono` (it builds the `Hono` app),
+ * machinery. `server/app_server.ts` value-imports `hono` (it builds the `Hono` app),
  * so importing anything from it forces `hono` to be installed. Contract-only
  * consumers — cross-process test surfaces, Rust-backed servers that reuse the
  * route/RPC spec factories without running the TS server — need