@fuzdev/fuz_app 0.87.0 → 0.88.0

package/dist/actions/action_rpc.js

@@ -14,7 +14,7 @@
 import { z } from 'zod';
 import { DEV } from 'esm-env';
 import {} from '../http/route_spec.js';
-import { get_client_ip } from '../http/proxy.js';
+import { get_client_ip } from '../http/client_ip.js';
 import { get_request_context, } from '../auth/request_context.js';
 import { ACCOUNT_ID_KEY, CREDENTIAL_TYPE_KEY, TEST_CONTEXT_PRESET_KEY, } from '../hono_context.js';
 import { compile_action_registry } from './compile_action_registry.js';

package/dist/actions/register_action_ws.js

@@ -30,7 +30,7 @@ import { wait } from '@fuzdev/fuz_util/async.js';
 import { Logger } from '@fuzdev/fuz_util/log.js';
 import { get_request_context, require_request_context, } from '../auth/request_context.js';
 import { hash_session_token } from '../auth/session_queries.js';
-import { get_client_ip } from '../http/proxy.js';
+import { get_client_ip } from '../http/client_ip.js';
 import { flush_pending_effects, flush_post_commit_effects } from '../http/pending_effects.js';
 import { jsonrpc_error_messages } from '../http/jsonrpc_errors.js';
 import { create_jsonrpc_error_response, create_jsonrpc_notification, to_jsonrpc_message_id, to_jsonrpc_params, is_jsonrpc_request, } from '../http/jsonrpc_helpers.js';

package/dist/auth/CLAUDE.md

@@ -121,6 +121,21 @@ they track the same config. Sample via `get_*`; `reset_*` are test-only.
 - `auth/audit_log_routes.ts` — optional `GET /audit/stream` (SSE); list/history are on the RPC surface.
 - `auth/auth_guard_resolver.ts` — `fuz_auth_guard_resolver` injected into `apply_route_specs` so the framework stays auth-agnostic.
 
+**Hono-free route shapes.** Each cookie/SSE-coupled route module has a sibling
+`*_route_schema.ts` (`account_route_schema.ts`, `signup_route_schema.ts`,
+`audit_log_route_schema.ts`, `bootstrap_route_schema.ts`) holding the I/O
+schemas **and** the route _shapes_ (`Omit<RouteSpec, 'handler'>` —
+method/path/auth/io/errors, via `create_*_route_shapes(options)` or a static
+`*_route_shape` const). The `create_*_route_specs` factories spread a shape and
+attach the live (hono-coupled) handler; a cross-process surface builder spreads
+the same shape with a stub handler (surface generation never runs handlers).
+Single source of truth — the shape can't drift between the live route and the
+attack surface — and a backend-spawning consumer assembling its surface imports
+the shapes without dragging `hono/cookie` / `hono/streaming` (and the optional
+`hono` peer) onto a Rust-only cross-process suite. Shared route-limit constants
+(`DEFAULT_MAX_SESSIONS` / `_TOKENS`) live in `account_route_schema.ts` for the
+same reason (the RPC `account_actions` reads `DEFAULT_MAX_TOKENS`).
+
 **`POST /login` timing floor.** Login 401s are floored to
 `DEFAULT_LOGIN_FAIL_FLOOR_MS` (250ms) + uniform jitter (±25ms) via
 `Promise.all(work, setTimeout)` so observed time is `max(work, delay)` and

package/dist/auth/account_actions.js

@@ -27,7 +27,7 @@ import { to_session_account } from './account_schema.js';
 import { query_session_list_for_account, query_session_revoke_for_account, query_session_revoke_all_for_account, } from './session_queries.js';
 import { query_api_token_enforce_limit, query_api_token_list_for_account, query_create_api_token, query_revoke_api_token_for_account, } from './api_token_queries.js';
 import { generate_api_token } from './api_token.js';
-import { DEFAULT_MAX_TOKENS } from './account_routes.js';
+import { DEFAULT_MAX_TOKENS } from './account_route_schema.js';
 import { account_verify_action_spec, account_session_list_action_spec, account_session_revoke_action_spec, account_session_revoke_all_action_spec, account_token_create_action_spec, account_token_list_action_spec, account_token_revoke_action_spec, } from './account_action_specs.js';
 /**
  * Create the self-service account RPC actions.

package/dist/auth/account_route_schema.d.ts

@@ -0,0 +1,146 @@
+/**
+ * Hono-free wire schemas + route shapes for the account REST routes.
+ *
+ * Split from `account_routes.ts` (whose handlers pull `hono/cookie` via
+ * `session_middleware`) so cross-process test suites can build the account
+ * route shapes — and assert on the `POST /login` / `GET /api/account/status`
+ * response shapes — without dragging the in-process Hono session handler, and
+ * its optional `hono` peer, onto a backend-spawning consumer. `account_routes.ts`
+ * imports these back and attaches the live handlers; single source of truth
+ * for the wire shape.
+ *
+ * @module
+ */
+import { z } from 'zod';
+import type { RouteSpec } from '../http/route_spec.js';
+/** Input for `GET /api/account/status`. No parameters — caller is the subject. */
+export declare const AccountStatusInput: z.ZodNull;
+export type AccountStatusInput = z.infer<typeof AccountStatusInput>;
+/** Output for `GET /api/account/status`. */
+export declare const AccountStatusOutput: z.ZodObject<{
+    account: z.ZodObject<{
+        id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+        username: z.ZodPipe<z.ZodString, z.ZodTransform<string, string>>;
+        email: z.ZodNullable<z.ZodEmail>;
+        email_verified: z.ZodBoolean;
+        created_at: z.ZodString;
+    }, z.core.$strict>;
+    actor: z.ZodNullable<z.ZodObject<{
+        id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+        name: z.ZodString;
+    }, z.core.$strict>>;
+    role_grants: z.ZodArray<z.ZodObject<{
+        id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+        role: z.ZodString;
+        scope_kind: z.ZodNullable<z.ZodString>;
+        scope_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+        created_at: z.ZodString;
+        expires_at: z.ZodNullable<z.ZodString>;
+        granted_by: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+    }, z.core.$strict>>;
+}, z.core.$strict>;
+export type AccountStatusOutput = z.infer<typeof AccountStatusOutput>;
+/** Error body for `GET /api/account/status` on the unauthenticated path. */
+export declare const AccountStatusUnauthenticatedError: z.ZodObject<{
+    error: z.ZodLiteral<"authentication_required">;
+    bootstrap_available: z.ZodOptional<z.ZodBoolean>;
+}, z.core.$loose>;
+export type AccountStatusUnauthenticatedError = z.infer<typeof AccountStatusUnauthenticatedError>;
+/** Input for `POST /login`. Accepts a username or email in the `username` field. */
+export declare const LoginInput: z.ZodObject<{
+    username: z.ZodPipe<z.ZodString, z.ZodTransform<string, string>>;
+    password: z.ZodString;
+}, z.core.$strict>;
+export type LoginInput = z.infer<typeof LoginInput>;
+/** Output for `POST /login`. Session cookie is the operative side effect. */
+export declare const LoginOutput: z.ZodObject<{
+    ok: z.ZodLiteral<true>;
+}, z.core.$strict>;
+export type LoginOutput = z.infer<typeof LoginOutput>;
+/** Input for `POST /logout`. Session identity flows through the cookie. */
+export declare const LogoutInput: z.ZodNull;
+export type LogoutInput = z.infer<typeof LogoutInput>;
+/** Output for `POST /logout`. Includes the revoked account's username for UI redraw. */
+export declare const LogoutOutput: z.ZodObject<{
+    ok: z.ZodLiteral<true>;
+    username: z.ZodString;
+}, z.core.$strict>;
+export type LogoutOutput = z.infer<typeof LogoutOutput>;
+/** Input for `POST /password`. `current_password` is minimally validated; `new_password` enforces the full policy. */
+export declare const PasswordChangeInput: z.ZodObject<{
+    current_password: z.ZodString;
+    new_password: z.ZodString;
+}, z.core.$strict>;
+export type PasswordChangeInput = z.infer<typeof PasswordChangeInput>;
+/** Output for `POST /password`. Counts are returned so the UI can summarize the revoke-all cascade. */
+export declare const PasswordChangeOutput: z.ZodObject<{
+    ok: z.ZodLiteral<true>;
+    sessions_revoked: z.ZodNumber;
+    tokens_revoked: z.ZodNumber;
+}, z.core.$strict>;
+export type PasswordChangeOutput = z.infer<typeof PasswordChangeOutput>;
+/** Default maximum sessions per account. */
+export declare const DEFAULT_MAX_SESSIONS = 5;
+/** Default maximum API tokens per account. */
+export declare const DEFAULT_MAX_TOKENS = 10;
+/**
+ * The `GET /api/account/status` route shape minus its handler — pure
+ * hono-free data. `create_account_status_route_spec` spreads this and
+ * attaches the live handler (which reads the account id off the request
+ * context); surface generation spreads it with a stub handler.
+ */
+export declare const account_status_route_shape: {
+    method: "GET";
+    path: string;
+    auth: {
+        account: "none";
+        actor: "none";
+    };
+    description: string;
+    input: z.ZodNull;
+    output: z.ZodObject<{
+        account: z.ZodObject<{
+            id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+            username: z.ZodPipe<z.ZodString, z.ZodTransform<string, string>>;
+            email: z.ZodNullable<z.ZodEmail>;
+            email_verified: z.ZodBoolean;
+            created_at: z.ZodString;
+        }, z.core.$strict>;
+        actor: z.ZodNullable<z.ZodObject<{
+            id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+            name: z.ZodString;
+        }, z.core.$strict>>;
+        role_grants: z.ZodArray<z.ZodObject<{
+            id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+            role: z.ZodString;
+            scope_kind: z.ZodNullable<z.ZodString>;
+            scope_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+            created_at: z.ZodString;
+            expires_at: z.ZodNullable<z.ZodString>;
+            granted_by: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+        }, z.core.$strict>>;
+    }, z.core.$strict>;
+    errors: {
+        401: z.ZodObject<{
+            error: z.ZodLiteral<"authentication_required">;
+            bootstrap_available: z.ZodOptional<z.ZodBoolean>;
+        }, z.core.$loose>;
+    };
+};
+/** Option inputs that shape the account route metadata (not its handlers). */
+export interface AccountRouteShapeOptions {
+    /** Whether a per-account login rate limiter is wired — toggles `/password`'s `rate_limit`. */
+    login_account_rate_limited: boolean;
+}
+/**
+ * The four account route shapes (`/verify`, `/login`, `/logout`, `/password`)
+ * minus their handlers — pure hono-free data. `create_account_route_specs`
+ * spreads each and attaches the live handler; cross-process surface builders
+ * spread them with stub handlers. Single source of truth — the shapes can't
+ * drift between the live routes and the surface.
+ *
+ * Returns a fixed 4-tuple `[verify, login, logout, password]` so destructuring
+ * yields non-optional shapes under `noUncheckedIndexedAccess`.
+ */
+export declare const create_account_route_shapes: (options: AccountRouteShapeOptions) => [Omit<RouteSpec, "handler">, Omit<RouteSpec, "handler">, Omit<RouteSpec, "handler">, Omit<RouteSpec, "handler">];
+//# sourceMappingURL=account_route_schema.d.ts.map

package/dist/auth/account_route_schema.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"account_route_schema.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/account_route_schema.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAKtB,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAQrD,kFAAkF;AAClF,eAAO,MAAM,kBAAkB,WAAW,CAAC;AAC3C,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAEpE,4CAA4C;AAC5C,eAAO,MAAM,mBAAmB;;;;;;;;;;;;;;;;;;;;;kBAI9B,CAAC;AACH,MAAM,MAAM,mBAAmB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAC;AAEtE,4EAA4E;AAC5E,eAAO,MAAM,iCAAiC;;;iBAG5C,CAAC;AACH,MAAM,MAAM,iCAAiC,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iCAAiC,CAAC,CAAC;AAElG,oFAAoF;AACpF,eAAO,MAAM,UAAU;;;kBAGrB,CAAC;AACH,MAAM,MAAM,UAAU,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,UAAU,CAAC,CAAC;AAEpD,6EAA6E;AAC7E,eAAO,MAAM,WAAW;;kBAEtB,CAAC;AACH,MAAM,MAAM,WAAW,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,WAAW,CAAC,CAAC;AAEtD,2EAA2E;AAC3E,eAAO,MAAM,WAAW,WAAW,CAAC;AACpC,MAAM,MAAM,WAAW,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,WAAW,CAAC,CAAC;AAEtD,wFAAwF;AACxF,eAAO,MAAM,YAAY;;;kBAGvB,CAAC;AACH,MAAM,MAAM,YAAY,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,YAAY,CAAC,CAAC;AAExD,sHAAsH;AACtH,eAAO,MAAM,mBAAmB;;;kBAG9B,CAAC;AACH,MAAM,MAAM,mBAAmB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAC;AAEtE,uGAAuG;AACvG,eAAO,MAAM,oBAAoB;;;;kBAI/B,CAAC;AACH,MAAM,MAAM,oBAAoB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAC;AAExE,4CAA4C;AAC5C,eAAO,MAAM,oBAAoB,IAAI,CAAC;AAEtC,8CAA8C;AAC9C,eAAO,MAAM,kBAAkB,KAAK,CAAC;AAErC;;;;;GAKG;AACH,eAAO,MAAM,0BAA0B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAUD,CAAC;AAEvC,8EAA8E;AAC9E,MAAM,WAAW,wBAAwB;IACxC,8FAA8F;IAC9F,0BAA0B,EAAE,OAAO,CAAC;CACpC;AAED;;;;;;;;;GASG;AACH,eAAO,MAAM,2BAA2B,GACvC,SAAS,wBAAwB,KAC/B,CACF,IAAI,CAAC,SAAS,EAAE,SAAS,CAAC,EAC1B,IAAI,CAAC,SAAS,EAAE,SAAS,CAAC,EAC1B,IAAI,CAAC,SAAS,EAAE,SAAS,CAAC,EAC1B,IAAI,CAAC,SAAS,EAAE,SAAS,CAAC,CAoD1B,CAAC"}

package/dist/auth/account_route_schema.js

@@ -0,0 +1,141 @@
+/**
+ * Hono-free wire schemas + route shapes for the account REST routes.
+ *
+ * Split from `account_routes.ts` (whose handlers pull `hono/cookie` via
+ * `session_middleware`) so cross-process test suites can build the account
+ * route shapes — and assert on the `POST /login` / `GET /api/account/status`
+ * response shapes — without dragging the in-process Hono session handler, and
+ * its optional `hono` peer, onto a backend-spawning consumer. `account_routes.ts`
+ * imports these back and attaches the live handlers; single source of truth
+ * for the wire shape.
+ *
+ * @module
+ */
+import { z } from 'zod';
+import { ActorSummaryJson, RoleGrantSummaryJson, SessionAccountJson } from './account_schema.js';
+import { UsernameProvided } from '../primitive_schemas.js';
+import { Password, PasswordProvided } from './password.js';
+import { ERROR_AUTHENTICATION_REQUIRED, ERROR_INVALID_CREDENTIALS, ERROR_INVALID_JSON_BODY, ERROR_INVALID_REQUEST_BODY, } from '../http/error_schemas.js';
+/** Input for `GET /api/account/status`. No parameters — caller is the subject. */
+export const AccountStatusInput = z.null();
+/** Output for `GET /api/account/status`. */
+export const AccountStatusOutput = z.strictObject({
+    account: SessionAccountJson,
+    actor: ActorSummaryJson.nullable(),
+    role_grants: z.array(RoleGrantSummaryJson),
+});
+/** Error body for `GET /api/account/status` on the unauthenticated path. */
+export const AccountStatusUnauthenticatedError = z.looseObject({
+    error: z.literal(ERROR_AUTHENTICATION_REQUIRED),
+    bootstrap_available: z.boolean().optional(),
+});
+/** Input for `POST /login`. Accepts a username or email in the `username` field. */
+export const LoginInput = z.strictObject({
+    username: UsernameProvided,
+    password: PasswordProvided,
+});
+/** Output for `POST /login`. Session cookie is the operative side effect. */
+export const LoginOutput = z.strictObject({
+    ok: z.literal(true),
+});
+/** Input for `POST /logout`. Session identity flows through the cookie. */
+export const LogoutInput = z.null();
+/** Output for `POST /logout`. Includes the revoked account's username for UI redraw. */
+export const LogoutOutput = z.strictObject({
+    ok: z.literal(true),
+    username: z.string(),
+});
+/** Input for `POST /password`. `current_password` is minimally validated; `new_password` enforces the full policy. */
+export const PasswordChangeInput = z.strictObject({
+    current_password: PasswordProvided,
+    new_password: Password,
+});
+/** Output for `POST /password`. Counts are returned so the UI can summarize the revoke-all cascade. */
+export const PasswordChangeOutput = z.strictObject({
+    ok: z.literal(true),
+    sessions_revoked: z.number(),
+    tokens_revoked: z.number(),
+});
+/** Default maximum sessions per account. */
+export const DEFAULT_MAX_SESSIONS = 5;
+/** Default maximum API tokens per account. */
+export const DEFAULT_MAX_TOKENS = 10;
+/**
+ * The `GET /api/account/status` route shape minus its handler — pure
+ * hono-free data. `create_account_status_route_spec` spreads this and
+ * attaches the live handler (which reads the account id off the request
+ * context); surface generation spreads it with a stub handler.
+ */
+export const account_status_route_shape = {
+    method: 'GET',
+    path: '/api/account/status',
+    auth: { account: 'none', actor: 'none' },
+    description: 'Current account info (unauthenticated: 401 with bootstrap status)',
+    input: AccountStatusInput,
+    output: AccountStatusOutput,
+    errors: {
+        401: AccountStatusUnauthenticatedError,
+    },
+};
+/**
+ * The four account route shapes (`/verify`, `/login`, `/logout`, `/password`)
+ * minus their handlers — pure hono-free data. `create_account_route_specs`
+ * spreads each and attaches the live handler; cross-process surface builders
+ * spread them with stub handlers. Single source of truth — the shapes can't
+ * drift between the live routes and the surface.
+ *
+ * Returns a fixed 4-tuple `[verify, login, logout, password]` so destructuring
+ * yields non-optional shapes under `noUncheckedIndexedAccess`.
+ */
+export const create_account_route_shapes = (options) => [
+    {
+        method: 'GET',
+        path: '/verify',
+        auth: { account: 'required', actor: 'none' },
+        description: 'Session-validity probe for nginx auth_request (empty body, 200 or 401)',
+        input: z.null(),
+        output: z.null(),
+    },
+    {
+        method: 'POST',
+        path: '/login',
+        auth: { account: 'none', actor: 'none' },
+        description: 'Exchange credentials for session',
+        input: LoginInput,
+        output: LoginOutput,
+        rate_limit: 'both',
+        errors: {
+            400: z.looseObject({
+                error: z.enum([ERROR_INVALID_JSON_BODY, ERROR_INVALID_REQUEST_BODY]),
+            }),
+            401: z.looseObject({ error: z.literal(ERROR_INVALID_CREDENTIALS) }),
+        },
+    },
+    {
+        method: 'POST',
+        path: '/logout',
+        // `credential_types: ['session']` — see `docs/security.md` §Credential-channel gating.
+        // Logout is a session-bound operation; a bearer / daemon token holds no session
+        // to end, so the dispatcher rejects it (403 `credential_type_required`) rather than
+        // returning a misleading 200 + a phantom `logout` audit row for a no-op.
+        auth: { account: 'required', actor: 'none', credential_types: ['session'] },
+        description: 'Revoke current session and clear cookie',
+        input: LogoutInput,
+        output: LogoutOutput,
+    },
+    {
+        method: 'POST',
+        path: '/password',
+        // `credential_types: ['session']` — see `docs/security.md` §Credential-channel gating.
+        auth: { account: 'required', actor: 'none', credential_types: ['session'] },
+        description: 'Change password (revokes all sessions and API tokens)',
+        input: PasswordChangeInput,
+        output: PasswordChangeOutput,
+        rate_limit: options.login_account_rate_limited ? 'both' : 'ip',
+        errors: {
+            400: z.looseObject({
+                error: z.enum([ERROR_INVALID_JSON_BODY, ERROR_INVALID_REQUEST_BODY]),
+            }),
+        },
+    },
+];

package/dist/auth/account_routes.d.ts

@@ -21,53 +21,11 @@
  *
  * @module
  */
-import { z } from 'zod';
 import type { SessionOptions } from './session_cookie.js';
 import { type RouteSpec } from '../http/route_spec.js';
 import { type RateLimiter } from '../rate_limiter.js';
 import type { RouteFactoryDeps } from './deps.js';
 import type { ConnectionCloser } from '../actions/connection_closer.js';
-/** Input for `GET /api/account/status`. No parameters — caller is the subject. */
-export declare const AccountStatusInput: z.ZodNull;
-export type AccountStatusInput = z.infer<typeof AccountStatusInput>;
-/**
- * Output for `GET /api/account/status` on the authenticated path.
- *
- * `account` is always populated for authenticated callers. `actor` and
- * `role_grants` are populated when the caller's account has a unique actor or
- * the request supplies `?acting=<actor_id>`; on multi-actor accounts
- * without an `acting` query, `actor` is `null` and `role_grants` is empty so
- * the frontend can show a persona picker without a separate roundtrip.
- */
-export declare const AccountStatusOutput: z.ZodObject<{
-    account: z.ZodObject<{
-        id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
-        username: z.ZodPipe<z.ZodString, z.ZodTransform<string, string>>;
-        email: z.ZodNullable<z.ZodEmail>;
-        email_verified: z.ZodBoolean;
-        created_at: z.ZodString;
-    }, z.core.$strict>;
-    actor: z.ZodNullable<z.ZodObject<{
-        id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
-        name: z.ZodString;
-    }, z.core.$strict>>;
-    role_grants: z.ZodArray<z.ZodObject<{
-        id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
-        role: z.ZodString;
-        scope_kind: z.ZodNullable<z.ZodString>;
-        scope_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
-        created_at: z.ZodString;
-        expires_at: z.ZodNullable<z.ZodString>;
-        granted_by: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
-    }, z.core.$strict>>;
-}, z.core.$strict>;
-export type AccountStatusOutput = z.infer<typeof AccountStatusOutput>;
-/** Error body for `GET /api/account/status` on the unauthenticated path. */
-export declare const AccountStatusUnauthenticatedError: z.ZodObject<{
-    error: z.ZodLiteral<"authentication_required">;
-    bootstrap_available: z.ZodOptional<z.ZodBoolean>;
-}, z.core.$loose>;
-export type AccountStatusUnauthenticatedError = z.infer<typeof AccountStatusUnauthenticatedError>;
 /**
  * Create the account status route spec.
  *
@@ -91,10 +49,6 @@ export interface AccountStatusOptions {
         available: boolean;
     };
 }
-/** Default maximum sessions per account. */
-export declare const DEFAULT_MAX_SESSIONS = 5;
-/** Default maximum API tokens per account. */
-export declare const DEFAULT_MAX_TOKENS = 10;
 /**
  * Default minimum wall-clock time (ms) for a login failure (401) response.
  *
@@ -154,39 +108,6 @@ export interface AccountRouteOptions extends AuthSessionRouteOptions {
      */
     connection_closer?: ConnectionCloser | null;
 }
-/** Input for `POST /login`. Accepts a username or email in the `username` field. */
-export declare const LoginInput: z.ZodObject<{
-    username: z.ZodPipe<z.ZodString, z.ZodTransform<string, string>>;
-    password: z.ZodString;
-}, z.core.$strict>;
-export type LoginInput = z.infer<typeof LoginInput>;
-/** Output for `POST /login`. The signed session cookie is the operative side effect. */
-export declare const LoginOutput: z.ZodObject<{
-    ok: z.ZodLiteral<true>;
-}, z.core.$strict>;
-export type LoginOutput = z.infer<typeof LoginOutput>;
-/** Input for `POST /logout`. Session identity flows through the cookie. */
-export declare const LogoutInput: z.ZodNull;
-export type LogoutInput = z.infer<typeof LogoutInput>;
-/** Output for `POST /logout`. Includes the revoked account's username for UI redraw. */
-export declare const LogoutOutput: z.ZodObject<{
-    ok: z.ZodLiteral<true>;
-    username: z.ZodString;
-}, z.core.$strict>;
-export type LogoutOutput = z.infer<typeof LogoutOutput>;
-/** Input for `POST /password`. `current_password` is minimally validated; `new_password` enforces the full policy. */
-export declare const PasswordChangeInput: z.ZodObject<{
-    current_password: z.ZodString;
-    new_password: z.ZodString;
-}, z.core.$strict>;
-export type PasswordChangeInput = z.infer<typeof PasswordChangeInput>;
-/** Output for `POST /password`. Counts are returned so the UI can summarize the revoke-all cascade. */
-export declare const PasswordChangeOutput: z.ZodObject<{
-    ok: z.ZodLiteral<true>;
-    sessions_revoked: z.ZodNumber;
-    tokens_revoked: z.ZodNumber;
-}, z.core.$strict>;
-export type PasswordChangeOutput = z.infer<typeof PasswordChangeOutput>;
 /**
  * Create account route specs for session-based auth.
  *

package/dist/auth/account_routes.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"account_routes.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/account_routes.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAEtB,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,qBAAqB,CAAC;AA2BxD,OAAO,EAAkB,KAAK,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAEtE,OAAO,EAA+B,KAAK,WAAW,EAAC,MAAM,oBAAoB,CAAC;AAElF,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,WAAW,CAAC;AAChD,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,iCAAiC,CAAC;AAQtE,kFAAkF;AAClF,eAAO,MAAM,kBAAkB,WAAW,CAAC;AAC3C,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAEpE;;;;;;;;GAQG;AACH,eAAO,MAAM,mBAAmB;;;;;;;;;;;;;;;;;;;;;kBAI9B,CAAC;AACH,MAAM,MAAM,mBAAmB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAC;AAEtE,4EAA4E;AAC5E,eAAO,MAAM,iCAAiC;;;iBAG5C,CAAC;AACH,MAAM,MAAM,iCAAiC,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iCAAiC,CAAC,CAAC;AAElG;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,gCAAgC,GAAI,UAAU,oBAAoB,KAAG,SAmFhF,CAAC;AAEH,iDAAiD;AACjD,MAAM,WAAW,oBAAoB;IACpC,yDAAyD;IACzD,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,8FAA8F;IAC9F,gBAAgB,CAAC,EAAE;QAAC,SAAS,EAAE,OAAO,CAAA;KAAC,CAAC;CACxC;AAED,4CAA4C;AAC5C,eAAO,MAAM,oBAAoB,IAAI,CAAC;AAEtC,8CAA8C;AAC9C,eAAO,MAAM,kBAAkB,KAAK,CAAC;AAErC;;;;;;;;;GASG;AACH,eAAO,MAAM,2BAA2B,MAAM,CAAC;AAE/C;;;;;;GAMG;AACH,eAAO,MAAM,4BAA4B,KAAK,CAAC;AAQ/C;;;;;GAKG;AACH,MAAM,WAAW,uBAAuB;IACvC,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,kFAAkF;IAClF,eAAe,EAAE,WAAW,GAAG,IAAI,CAAC;CACpC;AAED;;GAEG;AACH,MAAM,WAAW,mBAAoB,SAAQ,uBAAuB;IACnE,4FAA4F;IAC5F,0BAA0B,EAAE,WAAW,GAAG,IAAI,CAAC;IAC/C,2FAA2F;IAC3F,YAAY,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7B;;;;OAIG;IACH,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B;;;OAGG;IACH,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAC9B;;;;;;;OAOG;IACH,iBAAiB,CAAC,EAAE,gBAAgB,GAAG,IAAI,CAAC;CAC5C;AAID,oFAAoF;AACpF,eAAO,MAAM,UAAU;;;kBAGrB,CAAC;AACH,MAAM,MAAM,UAAU,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,UAAU,CAAC,CAAC;AAEpD,wFAAwF;AACxF,eAAO,MAAM,WAAW;;kBAEtB,CAAC;AACH,MAAM,MAAM,WAAW,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,WAAW,CAAC,CAAC;AAEtD,2EAA2E;AAC3E,eAAO,MAAM,WAAW,WAAW,CAAC;AACpC,MAAM,MAAM,WAAW,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,WAAW,CAAC,CAAC;AAEtD,wFAAwF;AACxF,eAAO,MAAM,YAAY;;;kBAGvB,CAAC;AACH,MAAM,MAAM,YAAY,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,YAAY,CAAC,CAAC;AAExD,sHAAsH;AACtH,eAAO,MAAM,mBAAmB;;;kBAG9B,CAAC;AACH,MAAM,MAAM,mBAAmB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAC;AAEtE,uGAAuG;AACvG,eAAO,MAAM,oBAAoB;;;;kBAI/B,CAAC;AACH,MAAM,MAAM,oBAAoB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAC;AAExE;;;;;;;;;;GAUG;AACH,eAAO,MAAM,0BAA0B,GACtC,MAAM,gBAAgB,EACtB,SAAS,mBAAmB,KAC1B,KAAK,CAAC,SAAS,CAoTjB,CAAC"}
+{"version":3,"file":"account_routes.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/account_routes.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AAEH,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,qBAAqB,CAAC;AA4BxD,OAAO,EAAkB,KAAK,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAEtE,OAAO,EAA+B,KAAK,WAAW,EAAC,MAAM,oBAAoB,CAAC;AAClF,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,WAAW,CAAC;AAChD,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,iCAAiC,CAAC;AAGtE;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,gCAAgC,GAAI,UAAU,oBAAoB,KAAG,SA4EhF,CAAC;AAEH,iDAAiD;AACjD,MAAM,WAAW,oBAAoB;IACpC,yDAAyD;IACzD,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,8FAA8F;IAC9F,gBAAgB,CAAC,EAAE;QAAC,SAAS,EAAE,OAAO,CAAA;KAAC,CAAC;CACxC;AAED;;;;;;;;;GASG;AACH,eAAO,MAAM,2BAA2B,MAAM,CAAC;AAE/C;;;;;;GAMG;AACH,eAAO,MAAM,4BAA4B,KAAK,CAAC;AAQ/C;;;;;GAKG;AACH,MAAM,WAAW,uBAAuB;IACvC,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,kFAAkF;IAClF,eAAe,EAAE,WAAW,GAAG,IAAI,CAAC;CACpC;AAED;;GAEG;AACH,MAAM,WAAW,mBAAoB,SAAQ,uBAAuB;IACnE,4FAA4F;IAC5F,0BAA0B,EAAE,WAAW,GAAG,IAAI,CAAC;IAC/C,2FAA2F;IAC3F,YAAY,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7B;;;;OAIG;IACH,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B;;;OAGG;IACH,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAC9B;;;;;;;OAOG;IACH,iBAAiB,CAAC,EAAE,gBAAgB,GAAG,IAAI,CAAC;CAC5C;AAID;;;;;;;;;;GAUG;AACH,eAAO,MAAM,0BAA0B,GACtC,MAAM,gBAAgB,EACtB,SAAS,mBAAmB,KAC1B,KAAK,CAAC,SAAS,CAkRjB,CAAC"}

package/dist/auth/account_routes.js

@@ -21,41 +21,18 @@
  *
  * @module
  */
-import { z } from 'zod';
 import { clear_session_cookie, create_session_and_set_cookie } from './session_middleware.js';
-import { ActorSummaryJson, RoleGrantSummaryJson, SessionAccountJson, to_session_account, } from './account_schema.js';
-import { UsernameProvided } from '../primitive_schemas.js';
+import { RoleGrantSummaryJson, to_session_account } from './account_schema.js';
+import { account_status_route_shape, create_account_route_shapes, DEFAULT_MAX_SESSIONS, } from './account_route_schema.js';
 import { hash_session_token, query_session_revoke_all_for_account, query_session_revoke_by_hash_unscoped, } from './session_queries.js';
 import { query_account_by_username_or_email, query_update_account_password, } from './account_queries.js';
 import { query_revoke_all_api_tokens_for_account } from './api_token_queries.js';
 import { build_account_context, build_request_context, get_request_context, require_request_context, resolve_acting_actor, } from './request_context.js';
 import { ACCOUNT_ID_KEY, CREDENTIAL_TYPE_KEY } from '../hono_context.js';
 import { get_route_input } from '../http/route_spec.js';
-import { get_client_ip } from '../http/proxy.js';
+import { get_client_ip } from '../http/client_ip.js';
 import { rate_limit_exceeded_response } from '../rate_limiter.js';
-import { Password, PasswordProvided } from './password.js';
-import { ERROR_AUTHENTICATION_REQUIRED, ERROR_INVALID_CREDENTIALS, ERROR_INVALID_JSON_BODY, ERROR_INVALID_REQUEST_BODY, } from '../http/error_schemas.js';
-/** Input for `GET /api/account/status`. No parameters — caller is the subject. */
-export const AccountStatusInput = z.null();
-/**
- * Output for `GET /api/account/status` on the authenticated path.
- *
- * `account` is always populated for authenticated callers. `actor` and
- * `role_grants` are populated when the caller's account has a unique actor or
- * the request supplies `?acting=<actor_id>`; on multi-actor accounts
- * without an `acting` query, `actor` is `null` and `role_grants` is empty so
- * the frontend can show a persona picker without a separate roundtrip.
- */
-export const AccountStatusOutput = z.strictObject({
-    account: SessionAccountJson,
-    actor: ActorSummaryJson.nullable(),
-    role_grants: z.array(RoleGrantSummaryJson),
-});
-/** Error body for `GET /api/account/status` on the unauthenticated path. */
-export const AccountStatusUnauthenticatedError = z.looseObject({
-    error: z.literal(ERROR_AUTHENTICATION_REQUIRED),
-    bootstrap_available: z.boolean().optional(),
-});
+import { ERROR_AUTHENTICATION_REQUIRED, ERROR_INVALID_CREDENTIALS } from '../http/error_schemas.js';
 /**
  * Create the account status route spec.
  *
@@ -70,15 +47,8 @@ export const AccountStatusUnauthenticatedError = z.looseObject({
  * @returns a single account status route spec
  */
 export const create_account_status_route_spec = (options) => ({
-    method: 'GET',
-    path: options?.path ?? '/api/account/status',
-    auth: { account: 'none', actor: 'none' },
-    description: 'Current account info (unauthenticated: 401 with bootstrap status)',
-    input: AccountStatusInput,
-    output: AccountStatusOutput,
-    errors: {
-        401: AccountStatusUnauthenticatedError,
-    },
+    ...account_status_route_shape,
+    path: options?.path ?? account_status_route_shape.path,
     handler: async (c, route) => {
         const account_id = c.get(ACCOUNT_ID_KEY) ?? null;
         if (!account_id) {
@@ -147,10 +117,6 @@ export const create_account_status_route_spec = (options) => ({
         });
     },
 });
-/** Default maximum sessions per account. */
-export const DEFAULT_MAX_SESSIONS = 5;
-/** Default maximum API tokens per account. */
-export const DEFAULT_MAX_TOKENS = 10;
 /**
  * Default minimum wall-clock time (ms) for a login failure (401) response.
  *
@@ -176,34 +142,8 @@ const login_fail_delay = (floor_ms, jitter_ms) => {
     const jitter = jitter_ms > 0 ? Math.floor(Math.random() * (jitter_ms * 2 + 1)) - jitter_ms : 0;
     return new Promise((resolve) => setTimeout(resolve, floor_ms + jitter));
 };
-// -- Input/output schemas ---------------------------------------------------
-/** Input for `POST /login`. Accepts a username or email in the `username` field. */
-export const LoginInput = z.strictObject({
-    username: UsernameProvided,
-    password: PasswordProvided,
-});
-/** Output for `POST /login`. The signed session cookie is the operative side effect. */
-export const LoginOutput = z.strictObject({
-    ok: z.literal(true),
-});
-/** Input for `POST /logout`. Session identity flows through the cookie. */
-export const LogoutInput = z.null();
-/** Output for `POST /logout`. Includes the revoked account's username for UI redraw. */
-export const LogoutOutput = z.strictObject({
-    ok: z.literal(true),
-    username: z.string(),
-});
-/** Input for `POST /password`. `current_password` is minimally validated; `new_password` enforces the full policy. */
-export const PasswordChangeInput = z.strictObject({
-    current_password: PasswordProvided,
-    new_password: Password,
-});
-/** Output for `POST /password`. Counts are returned so the UI can summarize the revoke-all cascade. */
-export const PasswordChangeOutput = z.strictObject({
-    ok: z.literal(true),
-    sessions_revoked: z.number(),
-    tokens_revoked: z.number(),
-});
+// `create_account_route_specs` spreads each shape and attaches the live
+// handler below.
 /**
  * Create account route specs for session-based auth.
  *
@@ -218,33 +158,19 @@ export const PasswordChangeOutput = z.strictObject({
 export const create_account_route_specs = (deps, options) => {
     const { keyring, password } = deps;
     const { session_options, ip_rate_limiter, login_account_rate_limiter, max_sessions = DEFAULT_MAX_SESSIONS, login_fail_floor_ms = DEFAULT_LOGIN_FAIL_FLOOR_MS, login_fail_jitter_ms = DEFAULT_LOGIN_FAIL_JITTER_MS, connection_closer = null, } = options;
+    const [verify_shape, login_shape, logout_shape, password_shape] = create_account_route_shapes({
+        login_account_rate_limited: login_account_rate_limiter !== null,
+    });
     return [
         {
-            method: 'GET',
-            path: '/verify',
-            auth: { account: 'required', actor: 'none' },
-            description: 'Session-validity probe for nginx auth_request (empty body, 200 or 401)',
-            input: z.null(),
-            output: z.null(),
+            ...verify_shape,
             handler: (c) => {
                 require_request_context(c);
                 return c.body(null, 200);
             },
         },
         {
-            method: 'POST',
-            path: '/login',
-            auth: { account: 'none', actor: 'none' },
-            description: 'Exchange credentials for session',
-            input: LoginInput,
-            output: LoginOutput,
-            rate_limit: 'both',
-            errors: {
-                400: z.looseObject({
-                    error: z.enum([ERROR_INVALID_JSON_BODY, ERROR_INVALID_REQUEST_BODY]),
-                }),
-                401: z.looseObject({ error: z.literal(ERROR_INVALID_CREDENTIALS) }),
-            },
+            ...login_shape,
             handler: async (c, route) => {
                 // Per-IP rate limit check (before any DB/password work)
                 const ip = ip_rate_limiter ? get_client_ip(c) : null;
@@ -331,16 +257,7 @@ export const create_account_route_specs = (deps, options) => {
             },
         },
         {
-            method: 'POST',
-            path: '/logout',
-            // `credential_types: ['session']` — see `docs/security.md` §Credential-channel gating.
-            // Logout is a session-bound operation; a bearer / daemon token holds no session
-            // to end, so the dispatcher rejects it (403 `credential_type_required`) rather than
-            // returning a misleading 200 + a phantom `logout` audit row for a no-op.
-            auth: { account: 'required', actor: 'none', credential_types: ['session'] },
-            description: 'Revoke current session and clear cookie',
-            input: LogoutInput,
-            output: LogoutOutput,
+            ...logout_shape,
             handler: async (c, route) => {
                 const ctx = require_request_context(c);
                 const session_token = c.get(session_options.context_key) ?? null;
@@ -377,19 +294,7 @@ export const create_account_route_specs = (deps, options) => {
             },
         },
         {
-            method: 'POST',
-            path: '/password',
-            // `credential_types: ['session']` — see `docs/security.md` §Credential-channel gating.
-            auth: { account: 'required', actor: 'none', credential_types: ['session'] },
-            description: 'Change password (revokes all sessions and API tokens)',
-            input: PasswordChangeInput,
-            output: PasswordChangeOutput,
-            rate_limit: login_account_rate_limiter ? 'both' : 'ip',
-            errors: {
-                400: z.looseObject({
-                    error: z.enum([ERROR_INVALID_JSON_BODY, ERROR_INVALID_REQUEST_BODY]),
-                }),
-            },
+            ...password_shape,
             handler: async (c, route) => {
                 // per-IP rate limit check (before argon2 work)
                 const ip = ip_rate_limiter ? get_client_ip(c) : null;