@fuzdev/fuz_app 0.87.0 → 0.88.0

package/dist/auth/audit_log_route_schema.d.ts

@@ -0,0 +1,32 @@
+/**
+ * Hono-free wire schemas + route shape for the audit-log SSE stream.
+ *
+ * Split from `audit_log_routes.ts` (whose handler pulls `hono/streaming` via
+ * `realtime/sse`) so cross-process test suites can build the audit-stream
+ * route shape without dragging the in-process SSE handler, and its optional
+ * `hono` peer, onto a backend-spawning consumer. `audit_log_routes.ts` imports
+ * these back and attaches the live SSE handler; single source of truth for the
+ * wire shape.
+ *
+ * @module
+ */
+import { z } from 'zod';
+import type { RouteSpec } from '../http/route_spec.js';
+/** Query schema for the audit-log SSE route — multi-actor admins pass `?acting=<uuid>`. */
+export declare const AuditStreamQuery: z.ZodObject<{
+    acting: z.ZodOptional<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+}, z.core.$strict>;
+export type AuditStreamQuery = z.infer<typeof AuditStreamQuery>;
+/** Default role required to access the audit-log SSE route. */
+export declare const DEFAULT_AUDIT_STREAM_ROLE = "admin";
+/**
+ * The `GET /audit/stream` SSE route shape minus its handler — pure hono-free
+ * data. `create_audit_log_route_specs` spreads this and attaches the live SSE
+ * handler; cross-process surface builders spread it with a stub handler. The
+ * output is `z.null()` because SSE streams have no JSON response body.
+ *
+ * @param required_role - role gating the stream (default `DEFAULT_AUDIT_STREAM_ROLE`)
+ * @returns the SSE route shape minus its handler
+ */
+export declare const create_audit_log_route_shape: (required_role?: string) => Omit<RouteSpec, "handler">;
+//# sourceMappingURL=audit_log_route_schema.d.ts.map

package/dist/auth/audit_log_route_schema.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit_log_route_schema.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/audit_log_route_schema.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAEtB,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAGrD,2FAA2F;AAC3F,eAAO,MAAM,gBAAgB;;kBAAwC,CAAC;AACtE,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC;AAEhE,+DAA+D;AAC/D,eAAO,MAAM,yBAAyB,UAAU,CAAC;AAEjD;;;;;;;;GAQG;AACH,eAAO,MAAM,4BAA4B,GACxC,gBAAe,MAAkC,KAC/C,IAAI,CAAC,SAAS,EAAE,SAAS,CAQ1B,CAAC"}

package/dist/auth/audit_log_route_schema.js

@@ -0,0 +1,36 @@
+/**
+ * Hono-free wire schemas + route shape for the audit-log SSE stream.
+ *
+ * Split from `audit_log_routes.ts` (whose handler pulls `hono/streaming` via
+ * `realtime/sse`) so cross-process test suites can build the audit-stream
+ * route shape without dragging the in-process SSE handler, and its optional
+ * `hono` peer, onto a backend-spawning consumer. `audit_log_routes.ts` imports
+ * these back and attaches the live SSE handler; single source of truth for the
+ * wire shape.
+ *
+ * @module
+ */
+import { z } from 'zod';
+import { ActingActor } from '../http/auth_shape.js';
+/** Query schema for the audit-log SSE route — multi-actor admins pass `?acting=<uuid>`. */
+export const AuditStreamQuery = z.strictObject({ acting: ActingActor });
+/** Default role required to access the audit-log SSE route. */
+export const DEFAULT_AUDIT_STREAM_ROLE = 'admin';
+/**
+ * The `GET /audit/stream` SSE route shape minus its handler — pure hono-free
+ * data. `create_audit_log_route_specs` spreads this and attaches the live SSE
+ * handler; cross-process surface builders spread it with a stub handler. The
+ * output is `z.null()` because SSE streams have no JSON response body.
+ *
+ * @param required_role - role gating the stream (default `DEFAULT_AUDIT_STREAM_ROLE`)
+ * @returns the SSE route shape minus its handler
+ */
+export const create_audit_log_route_shape = (required_role = DEFAULT_AUDIT_STREAM_ROLE) => ({
+    method: 'GET',
+    path: '/audit/stream',
+    auth: { account: 'required', actor: 'required', roles: [required_role] },
+    description: 'Subscribe to realtime audit log events',
+    query: AuditStreamQuery,
+    input: z.null(),
+    output: z.null(), // SSE — no JSON response
+});

package/dist/auth/audit_log_routes.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"audit_log_routes.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/audit_log_routes.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAGH,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAEpD,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,uBAAuB,CAAC;AACrD,OAAO,EAAsB,KAAK,SAAS,EAAE,KAAK,eAAe,EAAC,MAAM,oBAAoB,CAAC;AAC7F,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,oCAAoC,CAAC;AAQzE,yCAAyC;AACzC,MAAM,WAAW,oBAAoB;IACpC,+DAA+D;IAC/D,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB;;;;OAIG;IACH,MAAM,CAAC,EAAE;QACR,SAAS,EAAE,CAAC,MAAM,EAAE,SAAS,CAAC,eAAe,CAAC,EAAE,OAAO,CAAC,EAAE,gBAAgB,KAAK,MAAM,IAAI,CAAC;QAC1F,GAAG,EAAE,MAAM,CAAC;KACZ,CAAC;CACF;AAED;;;;;;;;GAQG;AACH,eAAO,MAAM,4BAA4B,GAAI,UAAU,oBAAoB,KAAG,KAAK,CAAC,SAAS,CAiC5F,CAAC"}
+{"version":3,"file":"audit_log_routes.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/audit_log_routes.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAEpD,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAErD,OAAO,EAAsB,KAAK,SAAS,EAAE,KAAK,eAAe,EAAC,MAAM,oBAAoB,CAAC;AAC7F,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,oCAAoC,CAAC;AAIzE,yCAAyC;AACzC,MAAM,WAAW,oBAAoB;IACpC,+DAA+D;IAC/D,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB;;;;OAIG;IACH,MAAM,CAAC,EAAE;QACR,SAAS,EAAE,CAAC,MAAM,EAAE,SAAS,CAAC,eAAe,CAAC,EAAE,OAAO,CAAC,EAAE,gBAAgB,KAAK,MAAM,IAAI,CAAC;QAC1F,GAAG,EAAE,MAAM,CAAC;KACZ,CAAC;CACF;AAED;;;;;;;;GAQG;AACH,eAAO,MAAM,4BAA4B,GAAI,UAAU,oBAAoB,KAAG,KAAK,CAAC,SAAS,CAyB5F,CAAC"}

package/dist/auth/audit_log_routes.js

@@ -11,13 +11,10 @@
  *
  * @module
  */
-import { z } from 'zod';
+import { create_audit_log_route_shape } from './audit_log_route_schema.js';
 import { create_sse_response } from '../realtime/sse.js';
 import { AUTH_SESSION_TOKEN_HASH_KEY, require_request_context } from './request_context.js';
 import { AUDIT_LOG_CHANNEL } from '../realtime/sse_auth_guard.js';
-import { ActingActor } from '../http/auth_shape.js';
-/** Query schema for the audit-log SSE route — multi-actor admins pass `?acting=<uuid>`. */
-const AuditStreamQuery = z.strictObject({ acting: ActingActor });
 /**
  * Create the optional audit-log SSE route spec.
  *
@@ -28,19 +25,12 @@ const AuditStreamQuery = z.strictObject({ acting: ActingActor });
  * @returns the SSE route spec (when `options.stream` is provided) or an empty array
  */
 export const create_audit_log_route_specs = (options) => {
-    const role = options?.required_role ?? 'admin';
     if (!options?.stream)
         return [];
     const { subscribe, log } = options.stream;
     return [
         {
-            method: 'GET',
-            path: '/audit/stream',
-            auth: { account: 'required', actor: 'required', roles: [role] },
-            description: 'Subscribe to realtime audit log events',
-            query: AuditStreamQuery,
-            input: z.null(),
-            output: z.null(), // SSE — no JSON response
+            ...create_audit_log_route_shape(options.required_role),
             handler: (c) => {
                 const ctx = require_request_context(c);
                 // scope = session hash (capped → tabs-per-session limit and

package/dist/auth/bearer_auth.js

@@ -17,7 +17,7 @@
 import { DEV } from 'esm-env';
 import { AUTH_API_TOKEN_ID_KEY, ACCOUNT_ID_KEY, CREDENTIAL_TYPE_KEY } from '../hono_context.js';
 import { query_validate_api_token } from './api_token_queries.js';
-import { get_client_ip } from '../http/proxy.js';
+import { get_client_ip } from '../http/client_ip.js';
 import { rate_limit_exceeded_response } from '../rate_limiter.js';
 /**
  * Create middleware that authenticates via bearer token.

package/dist/auth/bootstrap_route_schema.d.ts

@@ -0,0 +1,85 @@
+/**
+ * Hono-free wire shape + schemas for `POST /bootstrap`.
+ *
+ * Split from `bootstrap_routes.ts` so the route's declared shape (method,
+ * path, auth, input/output/error schemas) is importable **without** the
+ * hono-coupled handler (which sets a session cookie and reads the client
+ * IP off the Hono context). `create_bootstrap_route_specs` spreads
+ * `bootstrap_route_shape` and attaches the live handler; the test surface
+ * builder (`create_test_app_surface_spec`) spreads it with a stub handler so
+ * attack-surface generation reads the real shape without pulling the
+ * in-process Hono app onto cross-process consumers. Single source of truth —
+ * the shape can't drift between the live route and the surface.
+ *
+ * @module
+ */
+import { z } from 'zod';
+/** Input for `POST /bootstrap`. `token` is the one-shot token file contents. */
+export declare const BootstrapInput: z.ZodObject<{
+    token: z.ZodString;
+    username: z.ZodPipe<z.ZodString, z.ZodTransform<string, string>>;
+    password: z.ZodString;
+}, z.core.$strict>;
+export type BootstrapInput = z.infer<typeof BootstrapInput>;
+/** Output for `POST /bootstrap`. Session cookie is the operative side effect. */
+export declare const BootstrapOutput: z.ZodObject<{
+    ok: z.ZodLiteral<true>;
+    account: z.ZodObject<{
+        id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+        username: z.ZodPipe<z.ZodString, z.ZodTransform<string, string>>;
+    }, z.core.$strict>;
+    actor: z.ZodObject<{
+        id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+    }, z.core.$strict>;
+}, z.core.$strict>;
+export type BootstrapOutput = z.infer<typeof BootstrapOutput>;
+/**
+ * The `POST /bootstrap` route shape minus its handler — pure hono-free data.
+ * `create_bootstrap_route_specs` spreads this and attaches the live handler;
+ * surface generation spreads it with a stub handler (handlers are never run
+ * during surface assembly, only the shape is read).
+ */
+export declare const bootstrap_route_shape: {
+    method: "POST";
+    path: string;
+    auth: {
+        account: "none";
+        actor: "none";
+    };
+    description: string;
+    transaction: false;
+    input: z.ZodObject<{
+        token: z.ZodString;
+        username: z.ZodPipe<z.ZodString, z.ZodTransform<string, string>>;
+        password: z.ZodString;
+    }, z.core.$strict>;
+    output: z.ZodObject<{
+        ok: z.ZodLiteral<true>;
+        account: z.ZodObject<{
+            id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+            username: z.ZodPipe<z.ZodString, z.ZodTransform<string, string>>;
+        }, z.core.$strict>;
+        actor: z.ZodObject<{
+            id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+        }, z.core.$strict>;
+    }, z.core.$strict>;
+    rate_limit: "ip";
+    errors: {
+        400: z.ZodObject<{
+            error: z.ZodEnum<{
+                invalid_request_body: "invalid_request_body";
+                invalid_json_body: "invalid_json_body";
+            }>;
+        }, z.core.$loose>;
+        401: z.ZodObject<{
+            error: z.ZodLiteral<"invalid_token">;
+        }, z.core.$loose>;
+        403: z.ZodObject<{
+            error: z.ZodLiteral<"already_bootstrapped">;
+        }, z.core.$loose>;
+        404: z.ZodObject<{
+            error: z.ZodLiteral<"token_file_missing">;
+        }, z.core.$loose>;
+    };
+};
+//# sourceMappingURL=bootstrap_route_schema.d.ts.map

package/dist/auth/bootstrap_route_schema.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"bootstrap_route_schema.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/bootstrap_route_schema.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AActB,gFAAgF;AAChF,eAAO,MAAM,cAAc;;;;kBAIzB,CAAC;AACH,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,cAAc,CAAC,CAAC;AAE5D,iFAAiF;AACjF,eAAO,MAAM,eAAe;;;;;;;;;kBAI1B,CAAC;AACH,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,eAAe,CAAC,CAAC;AAE9D;;;;;GAKG;AACH,eAAO,MAAM,qBAAqB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAiBI,CAAC"}

package/dist/auth/bootstrap_route_schema.js

@@ -0,0 +1,56 @@
+/**
+ * Hono-free wire shape + schemas for `POST /bootstrap`.
+ *
+ * Split from `bootstrap_routes.ts` so the route's declared shape (method,
+ * path, auth, input/output/error schemas) is importable **without** the
+ * hono-coupled handler (which sets a session cookie and reads the client
+ * IP off the Hono context). `create_bootstrap_route_specs` spreads
+ * `bootstrap_route_shape` and attaches the live handler; the test surface
+ * builder (`create_test_app_surface_spec`) spreads it with a stub handler so
+ * attack-surface generation reads the real shape without pulling the
+ * in-process Hono app onto cross-process consumers. Single source of truth —
+ * the shape can't drift between the live route and the surface.
+ *
+ * @module
+ */
+import { z } from 'zod';
+import { Uuid } from '@fuzdev/fuz_util/id.js';
+import { Username } from '../primitive_schemas.js';
+import { Password } from './password.js';
+import { ERROR_INVALID_TOKEN, ERROR_ALREADY_BOOTSTRAPPED, ERROR_TOKEN_FILE_MISSING, ERROR_INVALID_JSON_BODY, ERROR_INVALID_REQUEST_BODY, } from '../http/error_schemas.js';
+/** Input for `POST /bootstrap`. `token` is the one-shot token file contents. */
+export const BootstrapInput = z.strictObject({
+    token: z.string().min(1).meta({ sensitivity: 'secret' }),
+    username: Username,
+    password: Password,
+});
+/** Output for `POST /bootstrap`. Session cookie is the operative side effect. */
+export const BootstrapOutput = z.strictObject({
+    ok: z.literal(true),
+    account: z.strictObject({ id: Uuid, username: Username }),
+    actor: z.strictObject({ id: Uuid }),
+});
+/**
+ * The `POST /bootstrap` route shape minus its handler — pure hono-free data.
+ * `create_bootstrap_route_specs` spreads this and attaches the live handler;
+ * surface generation spreads it with a stub handler (handlers are never run
+ * during surface assembly, only the shape is read).
+ */
+export const bootstrap_route_shape = {
+    method: 'POST',
+    path: '/bootstrap',
+    auth: { account: 'none', actor: 'none' },
+    description: 'Create initial keeper account (one-shot)',
+    transaction: false, // bootstrap_account manages its own transaction
+    input: BootstrapInput,
+    output: BootstrapOutput,
+    rate_limit: 'ip',
+    errors: {
+        400: z.looseObject({
+            error: z.enum([ERROR_INVALID_JSON_BODY, ERROR_INVALID_REQUEST_BODY]),
+        }),
+        401: z.looseObject({ error: z.literal(ERROR_INVALID_TOKEN) }),
+        403: z.looseObject({ error: z.literal(ERROR_ALREADY_BOOTSTRAPPED) }),
+        404: z.looseObject({ error: z.literal(ERROR_TOKEN_FILE_MISSING) }),
+    },
+};

package/dist/auth/bootstrap_routes.d.ts

@@ -6,7 +6,6 @@
  *
  * @module
  */
-import { z } from 'zod';
 import type { Context } from 'hono';
 import type { Logger } from '@fuzdev/fuz_util/log.js';
 import type { SessionOptions } from './session_cookie.js';
@@ -16,25 +15,6 @@ import { type RouteSpec } from '../http/route_spec.js';
 import { type RateLimiter } from '../rate_limiter.js';
 import type { RouteFactoryDeps } from './deps.js';
 import type { StatResult } from '../runtime/deps.js';
-/** Input for `POST /bootstrap`. `token` is the one-shot token file contents. */
-export declare const BootstrapInput: z.ZodObject<{
-    token: z.ZodString;
-    username: z.ZodPipe<z.ZodString, z.ZodTransform<string, string>>;
-    password: z.ZodString;
-}, z.core.$strict>;
-export type BootstrapInput = z.infer<typeof BootstrapInput>;
-/** Output for `POST /bootstrap`. Session cookie is the operative side effect. */
-export declare const BootstrapOutput: z.ZodObject<{
-    ok: z.ZodLiteral<true>;
-    account: z.ZodObject<{
-        id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
-        username: z.ZodPipe<z.ZodString, z.ZodTransform<string, string>>;
-    }, z.core.$strict>;
-    actor: z.ZodObject<{
-        id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
-    }, z.core.$strict>;
-}, z.core.$strict>;
-export type BootstrapOutput = z.infer<typeof BootstrapOutput>;
 /**
  * Bootstrap status — runtime state computed once at startup.
  */

package/dist/auth/bootstrap_routes.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"bootstrap_routes.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/bootstrap_routes.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AACtB,OAAO,KAAK,EAAC,OAAO,EAAC,MAAM,MAAM,CAAC;AAClC,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAGpD,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,qBAAqB,CAAC;AAExD,OAAO,EAAoB,KAAK,uBAAuB,EAAC,MAAM,wBAAwB,CAAC;AAGvF,OAAO,KAAK,EAAC,EAAE,EAAC,MAAM,aAAa,CAAC;AACpC,OAAO,EAAkB,KAAK,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAEtE,OAAO,EAA+B,KAAK,WAAW,EAAC,MAAM,oBAAoB,CAAC;AAClF,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,WAAW,CAAC;AAChD,OAAO,KAAK,EAAC,UAAU,EAAC,MAAM,oBAAoB,CAAC;AAWnD,gFAAgF;AAChF,eAAO,MAAM,cAAc;;;;kBAIzB,CAAC;AACH,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,cAAc,CAAC,CAAC;AAE5D,iFAAiF;AACjF,eAAO,MAAM,eAAe;;;;;;;;;kBAI1B,CAAC;AACH,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,eAAe,CAAC,CAAC;AAE9D;;GAEG;AACH,MAAM,WAAW,eAAe;IAC/B,SAAS,EAAE,OAAO,CAAC;IACnB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;CAC1B;AAED;;;;;GAKG;AACH,MAAM,WAAW,qBAAqB;IACrC,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,8EAA8E;IAC9E,gBAAgB,EAAE,eAAe,CAAC;IAClC;;;OAGG;IACH,YAAY,CAAC,EAAE,CAAC,MAAM,EAAE,uBAAuB,EAAE,CAAC,EAAE,OAAO,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IAC9E,4EAA4E;IAC5E,eAAe,EAAE,WAAW,GAAG,IAAI,CAAC;CACpC;AAED;;GAEG;AACH,MAAM,WAAW,wBAAwB;IACxC,IAAI,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC,CAAC;IACnD,EAAE,EAAE,EAAE,CAAC;IACP,GAAG,EAAE,MAAM,CAAC;CACZ;AAED;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,sBAAsB,GAClC,MAAM,wBAAwB,EAC9B,SAAS;IAAC,UAAU,EAAE,MAAM,GAAG,IAAI,CAAA;CAAC,KAClC,OAAO,CAAC,eAAe,CAwBzB,CAAC;AAEF;;;;;;GAMG;AACH,eAAO,MAAM,4BAA4B,GACxC,MAAM,gBAAgB,EACtB,SAAS,qBAAqB,KAC5B,KAAK,CAAC,SAAS,CAkHjB,CAAC"}
+{"version":3,"file":"bootstrap_routes.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/bootstrap_routes.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAC,OAAO,EAAC,MAAM,MAAM,CAAC;AAClC,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAEpD,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,qBAAqB,CAAC;AAExD,OAAO,EAAoB,KAAK,uBAAuB,EAAC,MAAM,wBAAwB,CAAC;AAEvF,OAAO,KAAK,EAAC,EAAE,EAAC,MAAM,aAAa,CAAC;AACpC,OAAO,EAAkB,KAAK,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAEtE,OAAO,EAA+B,KAAK,WAAW,EAAC,MAAM,oBAAoB,CAAC;AAClF,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,WAAW,CAAC;AAChD,OAAO,KAAK,EAAC,UAAU,EAAC,MAAM,oBAAoB,CAAC;AAGnD;;GAEG;AACH,MAAM,WAAW,eAAe;IAC/B,SAAS,EAAE,OAAO,CAAC;IACnB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;CAC1B;AAED;;;;;GAKG;AACH,MAAM,WAAW,qBAAqB;IACrC,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,8EAA8E;IAC9E,gBAAgB,EAAE,eAAe,CAAC;IAClC;;;OAGG;IACH,YAAY,CAAC,EAAE,CAAC,MAAM,EAAE,uBAAuB,EAAE,CAAC,EAAE,OAAO,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IAC9E,4EAA4E;IAC5E,eAAe,EAAE,WAAW,GAAG,IAAI,CAAC;CACpC;AAED;;GAEG;AACH,MAAM,WAAW,wBAAwB;IACxC,IAAI,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC,CAAC;IACnD,EAAE,EAAE,EAAE,CAAC;IACP,GAAG,EAAE,MAAM,CAAC;CACZ;AAED;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,sBAAsB,GAClC,MAAM,wBAAwB,EAC9B,SAAS;IAAC,UAAU,EAAE,MAAM,GAAG,IAAI,CAAA;CAAC,KAClC,OAAO,CAAC,eAAe,CAwBzB,CAAC;AAEF;;;;;;GAMG;AACH,eAAO,MAAM,4BAA4B,GACxC,MAAM,gBAAgB,EACtB,SAAS,qBAAqB,KAC5B,KAAK,CAAC,SAAS,CAmGjB,CAAC"}

package/dist/auth/bootstrap_routes.js

@@ -6,29 +6,13 @@
  *
  * @module
  */
-import { z } from 'zod';
-import { Uuid } from '@fuzdev/fuz_util/id.js';
 import { create_session_and_set_cookie } from './session_middleware.js';
 import { bootstrap_account } from './bootstrap_account.js';
-import { Username } from '../primitive_schemas.js';
-import { Password } from './password.js';
+import { bootstrap_route_shape } from './bootstrap_route_schema.js';
 import { get_route_input } from '../http/route_spec.js';
-import { get_client_ip } from '../http/proxy.js';
+import { get_client_ip } from '../http/client_ip.js';
 import { rate_limit_exceeded_response } from '../rate_limiter.js';
-import { ERROR_INVALID_TOKEN, ERROR_ALREADY_BOOTSTRAPPED, ERROR_TOKEN_FILE_MISSING, ERROR_INVALID_JSON_BODY, ERROR_INVALID_REQUEST_BODY, } from '../http/error_schemas.js';
-// -- Input/output schemas ---------------------------------------------------
-/** Input for `POST /bootstrap`. `token` is the one-shot token file contents. */
-export const BootstrapInput = z.strictObject({
-    token: z.string().min(1).meta({ sensitivity: 'secret' }),
-    username: Username,
-    password: Password,
-});
-/** Output for `POST /bootstrap`. Session cookie is the operative side effect. */
-export const BootstrapOutput = z.strictObject({
-    ok: z.literal(true),
-    account: z.strictObject({ id: Uuid, username: Username }),
-    actor: z.strictObject({ id: Uuid }),
-});
+import { ERROR_ALREADY_BOOTSTRAPPED } from '../http/error_schemas.js';
 /**
  * Check bootstrap availability at startup.
  *
@@ -73,22 +57,7 @@ export const create_bootstrap_route_specs = (deps, options) => {
     const { token_path } = bootstrap_status;
     return [
         {
-            method: 'POST',
-            path: '/bootstrap',
-            auth: { account: 'none', actor: 'none' },
-            description: 'Create initial keeper account (one-shot)',
-            transaction: false, // bootstrap_account manages its own transaction
-            input: BootstrapInput,
-            output: BootstrapOutput,
-            rate_limit: 'ip',
-            errors: {
-                400: z.looseObject({
-                    error: z.enum([ERROR_INVALID_JSON_BODY, ERROR_INVALID_REQUEST_BODY]),
-                }),
-                401: z.looseObject({ error: z.literal(ERROR_INVALID_TOKEN) }),
-                403: z.looseObject({ error: z.literal(ERROR_ALREADY_BOOTSTRAPPED) }),
-                404: z.looseObject({ error: z.literal(ERROR_TOKEN_FILE_MISSING) }),
-            },
+            ...bootstrap_route_shape,
             handler: async (c, route) => {
                 // Short-circuit if bootstrap already completed or surface-only mounted.
                 // In 'surface_only' mode `bootstrap_status.token_path === null` and

package/dist/auth/signup_route_schema.d.ts

@@ -0,0 +1,53 @@
+/**
+ * Hono-free wire schemas + route shape for `POST /signup`.
+ *
+ * Split from `signup_routes.ts` (whose handler pulls `hono/cookie` via
+ * `session_middleware` to set the new session cookie) so cross-process test
+ * suites can build the signup route shape — and assert on the response shape
+ * — without dragging the in-process Hono session handler, and its optional
+ * `hono` peer, onto a backend-spawning consumer. `signup_routes.ts` imports
+ * these back and attaches the live handler; single source of truth for the
+ * wire shape.
+ *
+ * @module
+ */
+import { z } from 'zod';
+import type { RouteSpec } from '../http/route_spec.js';
+/** Input for `POST /signup`. `email` is optional and must match any referenced invite. */
+export declare const SignupInput: z.ZodObject<{
+    username: z.ZodPipe<z.ZodString, z.ZodTransform<string, string>>;
+    password: z.ZodString;
+    email: z.ZodOptional<z.ZodEmail>;
+}, z.core.$strict>;
+export type SignupInput = z.infer<typeof SignupInput>;
+/**
+ * Output for `POST /signup`.
+ *
+ * Session cookie is the operative side effect. The returned `account` and
+ * `actor` mirror `BootstrapOutput` so cross-process per-test setup can read
+ * the per-test identity straight off the signup response.
+ */
+export declare const SignupOutput: z.ZodObject<{
+    ok: z.ZodLiteral<true>;
+    account: z.ZodObject<{
+        id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+        username: z.ZodPipe<z.ZodString, z.ZodTransform<string, string>>;
+    }, z.core.$strict>;
+    actor: z.ZodObject<{
+        id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+    }, z.core.$strict>;
+}, z.core.$strict>;
+export type SignupOutput = z.infer<typeof SignupOutput>;
+/** Option inputs that shape the signup route metadata (not its handler). */
+export interface SignupRouteShapeOptions {
+    /** Whether a per-account signup rate limiter is wired — toggles `rate_limit`. */
+    signup_account_rate_limited: boolean;
+}
+/**
+ * The `POST /signup` route shape minus its handler — pure hono-free data.
+ * `create_signup_route_specs` spreads this and attaches the live handler;
+ * cross-process surface builders spread it with a stub handler. Single source
+ * of truth — the shape can't drift between the live route and the surface.
+ */
+export declare const create_signup_route_shape: (options: SignupRouteShapeOptions) => Omit<RouteSpec, "handler">;
+//# sourceMappingURL=signup_route_schema.d.ts.map

package/dist/auth/signup_route_schema.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"signup_route_schema.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/signup_route_schema.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAKtB,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAQrD,0FAA0F;AAC1F,eAAO,MAAM,WAAW;;;;kBAItB,CAAC;AACH,MAAM,MAAM,WAAW,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,WAAW,CAAC,CAAC;AAEtD;;;;;;GAMG;AACH,eAAO,MAAM,YAAY;;;;;;;;;kBAIvB,CAAC;AACH,MAAM,MAAM,YAAY,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,YAAY,CAAC,CAAC;AAExD,4EAA4E;AAC5E,MAAM,WAAW,uBAAuB;IACvC,iFAAiF;IACjF,2BAA2B,EAAE,OAAO,CAAC;CACrC;AAED;;;;;GAKG;AACH,eAAO,MAAM,yBAAyB,GACrC,SAAS,uBAAuB,KAC9B,IAAI,CAAC,SAAS,EAAE,SAAS,CAgB1B,CAAC"}

package/dist/auth/signup_route_schema.js

@@ -0,0 +1,59 @@
+/**
+ * Hono-free wire schemas + route shape for `POST /signup`.
+ *
+ * Split from `signup_routes.ts` (whose handler pulls `hono/cookie` via
+ * `session_middleware` to set the new session cookie) so cross-process test
+ * suites can build the signup route shape — and assert on the response shape
+ * — without dragging the in-process Hono session handler, and its optional
+ * `hono` peer, onto a backend-spawning consumer. `signup_routes.ts` imports
+ * these back and attaches the live handler; single source of truth for the
+ * wire shape.
+ *
+ * @module
+ */
+import { z } from 'zod';
+import { Uuid } from '@fuzdev/fuz_util/id.js';
+import { Username, Email } from '../primitive_schemas.js';
+import { Password } from './password.js';
+import { ERROR_NO_MATCHING_INVITE, ERROR_SIGNUP_CONFLICT, ERROR_INVALID_JSON_BODY, ERROR_INVALID_REQUEST_BODY, } from '../http/error_schemas.js';
+/** Input for `POST /signup`. `email` is optional and must match any referenced invite. */
+export const SignupInput = z.strictObject({
+    username: Username,
+    password: Password,
+    email: Email.optional(),
+});
+/**
+ * Output for `POST /signup`.
+ *
+ * Session cookie is the operative side effect. The returned `account` and
+ * `actor` mirror `BootstrapOutput` so cross-process per-test setup can read
+ * the per-test identity straight off the signup response.
+ */
+export const SignupOutput = z.strictObject({
+    ok: z.literal(true),
+    account: z.strictObject({ id: Uuid, username: Username }),
+    actor: z.strictObject({ id: Uuid }),
+});
+/**
+ * The `POST /signup` route shape minus its handler — pure hono-free data.
+ * `create_signup_route_specs` spreads this and attaches the live handler;
+ * cross-process surface builders spread it with a stub handler. Single source
+ * of truth — the shape can't drift between the live route and the surface.
+ */
+export const create_signup_route_shape = (options) => ({
+    method: 'POST',
+    path: '/signup',
+    auth: { account: 'none', actor: 'none' },
+    description: 'Create account (invite-gated or open signup)',
+    transaction: false, // manages its own transaction for TOCTOU safety
+    input: SignupInput,
+    output: SignupOutput,
+    rate_limit: options.signup_account_rate_limited ? 'both' : 'ip',
+    errors: {
+        400: z.looseObject({
+            error: z.enum([ERROR_INVALID_JSON_BODY, ERROR_INVALID_REQUEST_BODY]),
+        }),
+        403: z.looseObject({ error: z.literal(ERROR_NO_MATCHING_INVITE) }),
+        409: z.looseObject({ error: z.literal(ERROR_SIGNUP_CONFLICT) }),
+    },
+});

package/dist/auth/signup_routes.d.ts

@@ -7,7 +7,6 @@
  *
  * @module
  */
-import { z } from 'zod';
 import { type RouteSpec } from '../http/route_spec.js';
 import { type RateLimiter } from '../rate_limiter.js';
 import type { RouteFactoryDeps } from './deps.js';
@@ -52,31 +51,6 @@ export interface SignupRouteOptions extends AuthSessionRouteOptions {
      */
     signup_fail_jitter_ms?: number;
 }
-/** Input for `POST /signup`. `email` is optional and must match any referenced invite. */
-export declare const SignupInput: z.ZodObject<{
-    username: z.ZodPipe<z.ZodString, z.ZodTransform<string, string>>;
-    password: z.ZodString;
-    email: z.ZodOptional<z.ZodEmail>;
-}, z.core.$strict>;
-export type SignupInput = z.infer<typeof SignupInput>;
-/**
- * Output for `POST /signup`.
- *
- * Session cookie is the operative side effect. The returned `account` and
- * `actor` mirror `BootstrapOutput` so cross-process per-test setup can read
- * the per-test identity straight off the signup response.
- */
-export declare const SignupOutput: z.ZodObject<{
-    ok: z.ZodLiteral<true>;
-    account: z.ZodObject<{
-        id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
-        username: z.ZodPipe<z.ZodString, z.ZodTransform<string, string>>;
-    }, z.core.$strict>;
-    actor: z.ZodObject<{
-        id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
-    }, z.core.$strict>;
-}, z.core.$strict>;
-export type SignupOutput = z.infer<typeof SignupOutput>;
 /**
  * Create signup route specs for account creation.
  *

package/dist/auth/signup_routes.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"signup_routes.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/signup_routes.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AActB,OAAO,EAAkB,KAAK,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAEtE,OAAO,EAA+B,KAAK,WAAW,EAAC,MAAM,oBAAoB,CAAC;AAClF,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,WAAW,CAAC;AAQhD,OAAO,KAAK,EAAC,uBAAuB,EAAC,MAAM,qBAAqB,CAAC;AAEjE;;;;;;;;;;GAUG;AACH,eAAO,MAAM,4BAA4B,MAAM,CAAC;AAEhD;;;;;;;GAOG;AACH,eAAO,MAAM,6BAA6B,KAAK,CAAC;AAQhD;;GAEG;AACH,MAAM,WAAW,kBAAmB,SAAQ,uBAAuB;IAClE,6FAA6F;IAC7F,2BAA2B,EAAE,WAAW,GAAG,IAAI,CAAC;IAChD;;;;OAIG;IACH,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAC9B;;;;OAIG;IACH,qBAAqB,CAAC,EAAE,MAAM,CAAC;CAC/B;AAID,0FAA0F;AAC1F,eAAO,MAAM,WAAW;;;;kBAItB,CAAC;AACH,MAAM,MAAM,WAAW,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,WAAW,CAAC,CAAC;AAEtD;;;;;;GAMG;AACH,eAAO,MAAM,YAAY;;;;;;;;;kBAIvB,CAAC;AACH,MAAM,MAAM,YAAY,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,YAAY,CAAC,CAAC;AAExD;;;;;;GAMG;AACH,eAAO,MAAM,yBAAyB,GACrC,MAAM,gBAAgB,EACtB,SAAS,kBAAkB,KACzB,KAAK,CAAC,SAAS,CAwLjB,CAAC"}
+{"version":3,"file":"signup_routes.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/signup_routes.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAaH,OAAO,EAAkB,KAAK,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAEtE,OAAO,EAA+B,KAAK,WAAW,EAAC,MAAM,oBAAoB,CAAC;AAClF,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,WAAW,CAAC;AAGhD,OAAO,KAAK,EAAC,uBAAuB,EAAC,MAAM,qBAAqB,CAAC;AAEjE;;;;;;;;;;GAUG;AACH,eAAO,MAAM,4BAA4B,MAAM,CAAC;AAEhD;;;;;;;GAOG;AACH,eAAO,MAAM,6BAA6B,KAAK,CAAC;AAQhD;;GAEG;AACH,MAAM,WAAW,kBAAmB,SAAQ,uBAAuB;IAClE,6FAA6F;IAC7F,2BAA2B,EAAE,WAAW,GAAG,IAAI,CAAC;IAChD;;;;OAIG;IACH,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAC9B;;;;OAIG;IACH,qBAAqB,CAAC,EAAE,MAAM,CAAC;CAC/B;AAID;;;;;;GAMG;AACH,eAAO,MAAM,yBAAyB,GACrC,MAAM,gBAAgB,EACtB,SAAS,kBAAkB,KACzB,KAAK,CAAC,SAAS,CA4KjB,CAAC"}

package/dist/auth/signup_routes.js

@@ -7,18 +7,15 @@
  *
  * @module
  */
-import { z } from 'zod';
-import { Uuid } from '@fuzdev/fuz_util/id.js';
 import { create_session_and_set_cookie } from './session_middleware.js';
 import { query_create_account_with_actor } from './account_queries.js';
 import { query_app_settings_load } from './app_settings_queries.js';
 import { query_invite_find_unclaimed_match_for_update, query_invite_claim_unscoped, } from './invite_queries.js';
-import { Username, Email } from '../primitive_schemas.js';
-import { Password } from './password.js';
+import { create_signup_route_shape } from './signup_route_schema.js';
 import { get_route_input } from '../http/route_spec.js';
-import { get_client_ip } from '../http/proxy.js';
+import { get_client_ip } from '../http/client_ip.js';
 import { rate_limit_exceeded_response } from '../rate_limiter.js';
-import { ERROR_NO_MATCHING_INVITE, ERROR_SIGNUP_CONFLICT, ERROR_INVALID_JSON_BODY, ERROR_INVALID_REQUEST_BODY, } from '../http/error_schemas.js';
+import { ERROR_NO_MATCHING_INVITE, ERROR_SIGNUP_CONFLICT } from '../http/error_schemas.js';
 import { is_pg_unique_violation } from '../db/pg_error.js';
 /**
  * Default minimum wall-clock time (ms) for a signup denial (403 / 409) response.
@@ -47,25 +44,8 @@ const signup_fail_delay = (floor_ms, jitter_ms) => {
     const jitter = jitter_ms > 0 ? Math.floor(Math.random() * (jitter_ms * 2 + 1)) - jitter_ms : 0;
     return new Promise((resolve) => setTimeout(resolve, floor_ms + jitter));
 };
-// -- Input/output schemas ---------------------------------------------------
-/** Input for `POST /signup`. `email` is optional and must match any referenced invite. */
-export const SignupInput = z.strictObject({
-    username: Username,
-    password: Password,
-    email: Email.optional(),
-});
-/**
- * Output for `POST /signup`.
- *
- * Session cookie is the operative side effect. The returned `account` and
- * `actor` mirror `BootstrapOutput` so cross-process per-test setup can read
- * the per-test identity straight off the signup response.
- */
-export const SignupOutput = z.strictObject({
-    ok: z.literal(true),
-    account: z.strictObject({ id: Uuid, username: Username }),
-    actor: z.strictObject({ id: Uuid }),
-});
+// `create_signup_route_specs` spreads the shape and attaches the live handler
+// below.
 /**
  * Create signup route specs for account creation.
  *
@@ -78,21 +58,9 @@ export const create_signup_route_specs = (deps, options) => {
     const { session_options, ip_rate_limiter, signup_account_rate_limiter, signup_fail_floor_ms = DEFAULT_SIGNUP_FAIL_FLOOR_MS, signup_fail_jitter_ms = DEFAULT_SIGNUP_FAIL_JITTER_MS, } = options;
     return [
         {
-            method: 'POST',
-            path: '/signup',
-            auth: { account: 'none', actor: 'none' },
-            description: 'Create account (invite-gated or open signup)',
-            transaction: false, // manages its own transaction for TOCTOU safety
-            input: SignupInput,
-            output: SignupOutput,
-            rate_limit: signup_account_rate_limiter ? 'both' : 'ip',
-            errors: {
-                400: z.looseObject({
-                    error: z.enum([ERROR_INVALID_JSON_BODY, ERROR_INVALID_REQUEST_BODY]),
-                }),
-                403: z.looseObject({ error: z.literal(ERROR_NO_MATCHING_INVITE) }),
-                409: z.looseObject({ error: z.literal(ERROR_SIGNUP_CONFLICT) }),
-            },
+            ...create_signup_route_shape({
+                signup_account_rate_limited: signup_account_rate_limiter !== null,
+            }),
             handler: async (c, route) => {
                 // Per-IP rate limit check (before any work). 429 stays fast.
                 const ip = ip_rate_limiter ? get_client_ip(c) : null;

package/dist/http/CLAUDE.md

@@ -21,7 +21,8 @@ effects, see ../../../docs/architecture.md.
 - `http/middleware_spec.ts` — `MiddlewareSpec` interface.
 - `http/surface.ts` — `AppSurface`, `AppSurfaceSpec`, `generate_app_surface`, diagnostics.
 - `http/surface_query.ts` — pure filters/groupings over `AppSurface`.
-- `http/proxy.ts` — trusted-proxy middleware, CIDR parsing, rightmost-first XFF resolution.
+- `http/proxy.ts` — trusted-proxy middleware, CIDR parsing, rightmost-first XFF resolution. Pulls `hono/utils/ipaddr` for CIDR matching.
+- `http/client_ip.ts` — `get_client_ip(c)` — reads the resolved IP off the context (set by `proxy.ts`'s middleware). Split out of `proxy.ts` so it's hono-free: dispatch + route modules that only _read_ the IP don't pull `hono/utils/ipaddr`, keeping cross-process test surfaces free of the optional `hono` peer.
 - `http/ip_canonical.ts` — RFC 5952 IPv6 canonicalization + IPv4-mapped collapse; `IP_LITERAL_CHARS` regex.
 - `http/origin.ts` — origin allowlist middleware with wildcard patterns (Origin-only).
 - `http/jsonrpc.ts` — JSON-RPC 2.0 envelope schemas (MCP superset), `JsonrpcErrorCode`, `_meta`.

package/dist/http/client_ip.d.ts

@@ -0,0 +1,15 @@
+/**
+ * Read the resolved client IP off the Hono context.
+ *
+ * Split from `proxy.ts` (which pulls `hono/utils/ipaddr` for trusted-proxy
+ * CIDR matching) so dispatch + route modules that only need to *read* the IP
+ * stay free of that value import — and the cross-process test surface that
+ * imports them stays free of the optional `hono` peer. The IP itself is set on
+ * the context by the trusted-proxy middleware in `proxy.ts`.
+ *
+ * @module
+ */
+import type { Context } from 'hono';
+/** Client IP resolved by the trusted-proxy middleware, or `'unknown'` if unset. */
+export declare const get_client_ip: (c: Context) => string;
+//# sourceMappingURL=client_ip.d.ts.map

package/dist/http/client_ip.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"client_ip.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/http/client_ip.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,KAAK,EAAC,OAAO,EAAC,MAAM,MAAM,CAAC;AAElC,mFAAmF;AACnF,eAAO,MAAM,aAAa,GAAI,GAAG,OAAO,KAAG,MAAyC,CAAC"}