@fuzdev/fuz_app 0.87.0 → 0.89.0

package/dist/actions/action_rpc.js

@@ -14,7 +14,7 @@
 import { z } from 'zod';
 import { DEV } from 'esm-env';
 import {} from '../http/route_spec.js';
-import { get_client_ip } from '../http/proxy.js';
+import { get_client_ip } from '../http/client_ip.js';
 import { get_request_context, } from '../auth/request_context.js';
 import { ACCOUNT_ID_KEY, CREDENTIAL_TYPE_KEY, TEST_CONTEXT_PRESET_KEY, } from '../hono_context.js';
 import { compile_action_registry } from './compile_action_registry.js';

package/dist/actions/register_action_ws.js

@@ -30,7 +30,7 @@ import { wait } from '@fuzdev/fuz_util/async.js';
 import { Logger } from '@fuzdev/fuz_util/log.js';
 import { get_request_context, require_request_context, } from '../auth/request_context.js';
 import { hash_session_token } from '../auth/session_queries.js';
-import { get_client_ip } from '../http/proxy.js';
+import { get_client_ip } from '../http/client_ip.js';
 import { flush_pending_effects, flush_post_commit_effects } from '../http/pending_effects.js';
 import { jsonrpc_error_messages } from '../http/jsonrpc_errors.js';
 import { create_jsonrpc_error_response, create_jsonrpc_notification, to_jsonrpc_message_id, to_jsonrpc_params, is_jsonrpc_request, } from '../http/jsonrpc_helpers.js';

package/dist/auth/CLAUDE.md

@@ -121,6 +121,21 @@ they track the same config. Sample via `get_*`; `reset_*` are test-only.
 - `auth/audit_log_routes.ts` — optional `GET /audit/stream` (SSE); list/history are on the RPC surface.
 - `auth/auth_guard_resolver.ts` — `fuz_auth_guard_resolver` injected into `apply_route_specs` so the framework stays auth-agnostic.
 
+**Hono-free route shapes.** Each cookie/SSE-coupled route module has a sibling
+`*_route_schema.ts` (`account_route_schema.ts`, `signup_route_schema.ts`,
+`audit_log_route_schema.ts`, `bootstrap_route_schema.ts`) holding the I/O
+schemas **and** the route _shapes_ (`Omit<RouteSpec, 'handler'>` —
+method/path/auth/io/errors, via `create_*_route_shapes(options)` or a static
+`*_route_shape` const). The `create_*_route_specs` factories spread a shape and
+attach the live (hono-coupled) handler; a cross-process surface builder spreads
+the same shape with a stub handler (surface generation never runs handlers).
+Single source of truth — the shape can't drift between the live route and the
+attack surface — and a backend-spawning consumer assembling its surface imports
+the shapes without dragging `hono/cookie` / `hono/streaming` (and the optional
+`hono` peer) onto a Rust-only cross-process suite. Shared route-limit constants
+(`DEFAULT_MAX_SESSIONS` / `_TOKENS`) live in `account_route_schema.ts` for the
+same reason (the RPC `account_actions` reads `DEFAULT_MAX_TOKENS`).
+
 **`POST /login` timing floor.** Login 401s are floored to
 `DEFAULT_LOGIN_FAIL_FLOOR_MS` (250ms) + uniform jitter (±25ms) via
 `Promise.all(work, setTimeout)` so observed time is `max(work, delay)` and

package/dist/auth/account_actions.js

@@ -27,7 +27,7 @@ import { to_session_account } from './account_schema.js';
 import { query_session_list_for_account, query_session_revoke_for_account, query_session_revoke_all_for_account, } from './session_queries.js';
 import { query_api_token_enforce_limit, query_api_token_list_for_account, query_create_api_token, query_revoke_api_token_for_account, } from './api_token_queries.js';
 import { generate_api_token } from './api_token.js';
-import { DEFAULT_MAX_TOKENS } from './account_routes.js';
+import { DEFAULT_MAX_TOKENS } from './account_route_schema.js';
 import { account_verify_action_spec, account_session_list_action_spec, account_session_revoke_action_spec, account_session_revoke_all_action_spec, account_token_create_action_spec, account_token_list_action_spec, account_token_revoke_action_spec, } from './account_action_specs.js';
 /**
  * Create the self-service account RPC actions.

package/dist/auth/account_route_schema.d.ts

@@ -0,0 +1,152 @@
+/**
+ * Hono-free wire schemas + route shapes for the account REST routes.
+ *
+ * Split from `account_routes.ts` (whose handlers pull `hono/cookie` via
+ * `session_middleware`) so cross-process test suites can build the account
+ * route shapes — and assert on the `POST /login` / `GET /api/account/status`
+ * response shapes — without dragging the in-process Hono session handler, and
+ * its optional `hono` peer, onto a backend-spawning consumer. `account_routes.ts`
+ * imports these back and attaches the live handlers; single source of truth
+ * for the wire shape.
+ *
+ * @module
+ */
+import { z } from 'zod';
+import type { RouteSpec } from '../http/route_spec.js';
+/** Input for `GET /api/account/status`. No parameters — caller is the subject. */
+export declare const AccountStatusInput: z.ZodNull;
+export type AccountStatusInput = z.infer<typeof AccountStatusInput>;
+/** Output for `GET /api/account/status`. */
+export declare const AccountStatusOutput: z.ZodObject<{
+    account: z.ZodObject<{
+        id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+        username: z.ZodPipe<z.ZodString, z.ZodTransform<string, string>>;
+        email: z.ZodNullable<z.ZodEmail>;
+        email_verified: z.ZodBoolean;
+        created_at: z.ZodString;
+    }, z.core.$strict>;
+    actor: z.ZodNullable<z.ZodObject<{
+        id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+        name: z.ZodString;
+    }, z.core.$strict>>;
+    role_grants: z.ZodArray<z.ZodObject<{
+        id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+        role: z.ZodString;
+        scope_kind: z.ZodNullable<z.ZodString>;
+        scope_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+        created_at: z.ZodString;
+        expires_at: z.ZodNullable<z.ZodString>;
+        granted_by: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+    }, z.core.$strict>>;
+}, z.core.$strict>;
+export type AccountStatusOutput = z.infer<typeof AccountStatusOutput>;
+/** Error body for `GET /api/account/status` on the unauthenticated path. */
+export declare const AccountStatusUnauthenticatedError: z.ZodObject<{
+    error: z.ZodLiteral<"authentication_required">;
+    bootstrap_available: z.ZodOptional<z.ZodBoolean>;
+}, z.core.$loose>;
+export type AccountStatusUnauthenticatedError = z.infer<typeof AccountStatusUnauthenticatedError>;
+/** Input for `POST /login`. Accepts a username or email in the `username` field. */
+export declare const LoginInput: z.ZodObject<{
+    username: z.ZodPipe<z.ZodString, z.ZodTransform<string, string>>;
+    password: z.ZodString;
+}, z.core.$strict>;
+export type LoginInput = z.infer<typeof LoginInput>;
+/** Output for `POST /login`. Session cookie is the operative side effect. */
+export declare const LoginOutput: z.ZodObject<{
+    ok: z.ZodLiteral<true>;
+}, z.core.$strict>;
+export type LoginOutput = z.infer<typeof LoginOutput>;
+/** Input for `POST /logout`. Session identity flows through the cookie. */
+export declare const LogoutInput: z.ZodNull;
+export type LogoutInput = z.infer<typeof LogoutInput>;
+/** Output for `POST /logout`. Includes the revoked account's username for UI redraw. */
+export declare const LogoutOutput: z.ZodObject<{
+    ok: z.ZodLiteral<true>;
+    username: z.ZodString;
+}, z.core.$strict>;
+export type LogoutOutput = z.infer<typeof LogoutOutput>;
+/** Input for `POST /password`. `current_password` is minimally validated; `new_password` enforces the full policy. */
+export declare const PasswordChangeInput: z.ZodObject<{
+    current_password: z.ZodString;
+    new_password: z.ZodString;
+}, z.core.$strict>;
+export type PasswordChangeInput = z.infer<typeof PasswordChangeInput>;
+/** Output for `POST /password`. Counts are returned so the UI can summarize the revoke-all cascade. */
+export declare const PasswordChangeOutput: z.ZodObject<{
+    ok: z.ZodLiteral<true>;
+    sessions_revoked: z.ZodNumber;
+    tokens_revoked: z.ZodNumber;
+}, z.core.$strict>;
+export type PasswordChangeOutput = z.infer<typeof PasswordChangeOutput>;
+/** Default maximum sessions per account. */
+export declare const DEFAULT_MAX_SESSIONS = 5;
+/** Default maximum API tokens per account. */
+export declare const DEFAULT_MAX_TOKENS = 10;
+/**
+ * The `GET /status` route shape minus its handler — pure hono-free data.
+ * `create_account_status_route_spec` spreads this and attaches the live handler
+ * (which reads the account id off the request context); surface generation
+ * spreads it with a stub handler.
+ *
+ * The path is **relative** like the sibling account shapes (`/login`,
+ * `/verify`), so it composes under `prefix_route_specs('/api/account', …)` into
+ * `/api/account/status`. `create_account_route_specs` bundles it (so every
+ * account surface serves `/status`, matching the Rust `account_router`);
+ * mirror Rust by mounting it as part of the account family, not separately.
+ */
+export declare const account_status_route_shape: {
+    method: "GET";
+    path: string;
+    auth: {
+        account: "none";
+        actor: "none";
+    };
+    description: string;
+    input: z.ZodNull;
+    output: z.ZodObject<{
+        account: z.ZodObject<{
+            id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+            username: z.ZodPipe<z.ZodString, z.ZodTransform<string, string>>;
+            email: z.ZodNullable<z.ZodEmail>;
+            email_verified: z.ZodBoolean;
+            created_at: z.ZodString;
+        }, z.core.$strict>;
+        actor: z.ZodNullable<z.ZodObject<{
+            id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+            name: z.ZodString;
+        }, z.core.$strict>>;
+        role_grants: z.ZodArray<z.ZodObject<{
+            id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+            role: z.ZodString;
+            scope_kind: z.ZodNullable<z.ZodString>;
+            scope_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+            created_at: z.ZodString;
+            expires_at: z.ZodNullable<z.ZodString>;
+            granted_by: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+        }, z.core.$strict>>;
+    }, z.core.$strict>;
+    errors: {
+        401: z.ZodObject<{
+            error: z.ZodLiteral<"authentication_required">;
+            bootstrap_available: z.ZodOptional<z.ZodBoolean>;
+        }, z.core.$loose>;
+    };
+};
+/** Option inputs that shape the account route metadata (not its handlers). */
+export interface AccountRouteShapeOptions {
+    /** Whether a per-account login rate limiter is wired — toggles `/password`'s `rate_limit`. */
+    login_account_rate_limited: boolean;
+}
+/**
+ * The four account route shapes (`/verify`, `/login`, `/logout`, `/password`)
+ * minus their handlers — pure hono-free data. `create_account_route_specs`
+ * spreads each and attaches the live handler; cross-process surface builders
+ * spread them with stub handlers. Single source of truth — the shapes can't
+ * drift between the live routes and the surface.
+ *
+ * Returns a fixed 4-tuple `[verify, login, logout, password]` so destructuring
+ * yields non-optional shapes under `noUncheckedIndexedAccess`.
+ */
+export declare const create_account_route_shapes: (options: AccountRouteShapeOptions) => [Omit<RouteSpec, "handler">, Omit<RouteSpec, "handler">, Omit<RouteSpec, "handler">, Omit<RouteSpec, "handler">];
+//# sourceMappingURL=account_route_schema.d.ts.map

package/dist/auth/account_route_schema.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"account_route_schema.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/account_route_schema.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAKtB,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAQrD,kFAAkF;AAClF,eAAO,MAAM,kBAAkB,WAAW,CAAC;AAC3C,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAEpE,4CAA4C;AAC5C,eAAO,MAAM,mBAAmB;;;;;;;;;;;;;;;;;;;;;kBAI9B,CAAC;AACH,MAAM,MAAM,mBAAmB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAC;AAEtE,4EAA4E;AAC5E,eAAO,MAAM,iCAAiC;;;iBAG5C,CAAC;AACH,MAAM,MAAM,iCAAiC,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iCAAiC,CAAC,CAAC;AAElG,oFAAoF;AACpF,eAAO,MAAM,UAAU;;;kBAGrB,CAAC;AACH,MAAM,MAAM,UAAU,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,UAAU,CAAC,CAAC;AAEpD,6EAA6E;AAC7E,eAAO,MAAM,WAAW;;kBAEtB,CAAC;AACH,MAAM,MAAM,WAAW,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,WAAW,CAAC,CAAC;AAEtD,2EAA2E;AAC3E,eAAO,MAAM,WAAW,WAAW,CAAC;AACpC,MAAM,MAAM,WAAW,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,WAAW,CAAC,CAAC;AAEtD,wFAAwF;AACxF,eAAO,MAAM,YAAY;;;kBAGvB,CAAC;AACH,MAAM,MAAM,YAAY,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,YAAY,CAAC,CAAC;AAExD,sHAAsH;AACtH,eAAO,MAAM,mBAAmB;;;kBAG9B,CAAC;AACH,MAAM,MAAM,mBAAmB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAC;AAEtE,uGAAuG;AACvG,eAAO,MAAM,oBAAoB;;;;kBAI/B,CAAC;AACH,MAAM,MAAM,oBAAoB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAC;AAExE,4CAA4C;AAC5C,eAAO,MAAM,oBAAoB,IAAI,CAAC;AAEtC,8CAA8C;AAC9C,eAAO,MAAM,kBAAkB,KAAK,CAAC;AAErC;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,0BAA0B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAUD,CAAC;AAEvC,8EAA8E;AAC9E,MAAM,WAAW,wBAAwB;IACxC,8FAA8F;IAC9F,0BAA0B,EAAE,OAAO,CAAC;CACpC;AAED;;;;;;;;;GASG;AACH,eAAO,MAAM,2BAA2B,GACvC,SAAS,wBAAwB,KAC/B,CACF,IAAI,CAAC,SAAS,EAAE,SAAS,CAAC,EAC1B,IAAI,CAAC,SAAS,EAAE,SAAS,CAAC,EAC1B,IAAI,CAAC,SAAS,EAAE,SAAS,CAAC,EAC1B,IAAI,CAAC,SAAS,EAAE,SAAS,CAAC,CAoD1B,CAAC"}

package/dist/auth/account_route_schema.js

@@ -0,0 +1,147 @@
+/**
+ * Hono-free wire schemas + route shapes for the account REST routes.
+ *
+ * Split from `account_routes.ts` (whose handlers pull `hono/cookie` via
+ * `session_middleware`) so cross-process test suites can build the account
+ * route shapes — and assert on the `POST /login` / `GET /api/account/status`
+ * response shapes — without dragging the in-process Hono session handler, and
+ * its optional `hono` peer, onto a backend-spawning consumer. `account_routes.ts`
+ * imports these back and attaches the live handlers; single source of truth
+ * for the wire shape.
+ *
+ * @module
+ */
+import { z } from 'zod';
+import { ActorSummaryJson, RoleGrantSummaryJson, SessionAccountJson } from './account_schema.js';
+import { UsernameProvided } from '../primitive_schemas.js';
+import { Password, PasswordProvided } from './password.js';
+import { ERROR_AUTHENTICATION_REQUIRED, ERROR_INVALID_CREDENTIALS, ERROR_INVALID_JSON_BODY, ERROR_INVALID_REQUEST_BODY, } from '../http/error_schemas.js';
+/** Input for `GET /api/account/status`. No parameters — caller is the subject. */
+export const AccountStatusInput = z.null();
+/** Output for `GET /api/account/status`. */
+export const AccountStatusOutput = z.strictObject({
+    account: SessionAccountJson,
+    actor: ActorSummaryJson.nullable(),
+    role_grants: z.array(RoleGrantSummaryJson),
+});
+/** Error body for `GET /api/account/status` on the unauthenticated path. */
+export const AccountStatusUnauthenticatedError = z.looseObject({
+    error: z.literal(ERROR_AUTHENTICATION_REQUIRED),
+    bootstrap_available: z.boolean().optional(),
+});
+/** Input for `POST /login`. Accepts a username or email in the `username` field. */
+export const LoginInput = z.strictObject({
+    username: UsernameProvided,
+    password: PasswordProvided,
+});
+/** Output for `POST /login`. Session cookie is the operative side effect. */
+export const LoginOutput = z.strictObject({
+    ok: z.literal(true),
+});
+/** Input for `POST /logout`. Session identity flows through the cookie. */
+export const LogoutInput = z.null();
+/** Output for `POST /logout`. Includes the revoked account's username for UI redraw. */
+export const LogoutOutput = z.strictObject({
+    ok: z.literal(true),
+    username: z.string(),
+});
+/** Input for `POST /password`. `current_password` is minimally validated; `new_password` enforces the full policy. */
+export const PasswordChangeInput = z.strictObject({
+    current_password: PasswordProvided,
+    new_password: Password,
+});
+/** Output for `POST /password`. Counts are returned so the UI can summarize the revoke-all cascade. */
+export const PasswordChangeOutput = z.strictObject({
+    ok: z.literal(true),
+    sessions_revoked: z.number(),
+    tokens_revoked: z.number(),
+});
+/** Default maximum sessions per account. */
+export const DEFAULT_MAX_SESSIONS = 5;
+/** Default maximum API tokens per account. */
+export const DEFAULT_MAX_TOKENS = 10;
+/**
+ * The `GET /status` route shape minus its handler — pure hono-free data.
+ * `create_account_status_route_spec` spreads this and attaches the live handler
+ * (which reads the account id off the request context); surface generation
+ * spreads it with a stub handler.
+ *
+ * The path is **relative** like the sibling account shapes (`/login`,
+ * `/verify`), so it composes under `prefix_route_specs('/api/account', …)` into
+ * `/api/account/status`. `create_account_route_specs` bundles it (so every
+ * account surface serves `/status`, matching the Rust `account_router`);
+ * mirror Rust by mounting it as part of the account family, not separately.
+ */
+export const account_status_route_shape = {
+    method: 'GET',
+    path: '/status',
+    auth: { account: 'none', actor: 'none' },
+    description: 'Current account info (unauthenticated: 401 with bootstrap status)',
+    input: AccountStatusInput,
+    output: AccountStatusOutput,
+    errors: {
+        401: AccountStatusUnauthenticatedError,
+    },
+};
+/**
+ * The four account route shapes (`/verify`, `/login`, `/logout`, `/password`)
+ * minus their handlers — pure hono-free data. `create_account_route_specs`
+ * spreads each and attaches the live handler; cross-process surface builders
+ * spread them with stub handlers. Single source of truth — the shapes can't
+ * drift between the live routes and the surface.
+ *
+ * Returns a fixed 4-tuple `[verify, login, logout, password]` so destructuring
+ * yields non-optional shapes under `noUncheckedIndexedAccess`.
+ */
+export const create_account_route_shapes = (options) => [
+    {
+        method: 'GET',
+        path: '/verify',
+        auth: { account: 'required', actor: 'none' },
+        description: 'Session-validity probe for nginx auth_request (empty body, 200 or 401)',
+        input: z.null(),
+        output: z.null(),
+    },
+    {
+        method: 'POST',
+        path: '/login',
+        auth: { account: 'none', actor: 'none' },
+        description: 'Exchange credentials for session',
+        input: LoginInput,
+        output: LoginOutput,
+        rate_limit: 'both',
+        errors: {
+            400: z.looseObject({
+                error: z.enum([ERROR_INVALID_JSON_BODY, ERROR_INVALID_REQUEST_BODY]),
+            }),
+            401: z.looseObject({ error: z.literal(ERROR_INVALID_CREDENTIALS) }),
+        },
+    },
+    {
+        method: 'POST',
+        path: '/logout',
+        // `credential_types: ['session']` — see `docs/security.md` §Credential-channel gating.
+        // Logout is a session-bound operation; a bearer / daemon token holds no session
+        // to end, so the dispatcher rejects it (403 `credential_type_required`) rather than
+        // returning a misleading 200 + a phantom `logout` audit row for a no-op.
+        auth: { account: 'required', actor: 'none', credential_types: ['session'] },
+        description: 'Revoke current session and clear cookie',
+        input: LogoutInput,
+        output: LogoutOutput,
+    },
+    {
+        method: 'POST',
+        path: '/password',
+        // `credential_types: ['session']` — see `docs/security.md` §Credential-channel gating.
+        auth: { account: 'required', actor: 'none', credential_types: ['session'] },
+        description: 'Change password (revokes all sessions and API tokens)',
+        input: PasswordChangeInput,
+        output: PasswordChangeOutput,
+        rate_limit: options.login_account_rate_limited ? 'both' : 'ip',
+        errors: {
+            400: z.looseObject({
+                error: z.enum([ERROR_INVALID_JSON_BODY, ERROR_INVALID_REQUEST_BODY]),
+            }),
+        },
+    },
+];

package/dist/auth/account_routes.d.ts

@@ -21,53 +21,11 @@
  *
  * @module
  */
-import { z } from 'zod';
 import type { SessionOptions } from './session_cookie.js';
 import { type RouteSpec } from '../http/route_spec.js';
 import { type RateLimiter } from '../rate_limiter.js';
 import type { RouteFactoryDeps } from './deps.js';
 import type { ConnectionCloser } from '../actions/connection_closer.js';
-/** Input for `GET /api/account/status`. No parameters — caller is the subject. */
-export declare const AccountStatusInput: z.ZodNull;
-export type AccountStatusInput = z.infer<typeof AccountStatusInput>;
-/**
- * Output for `GET /api/account/status` on the authenticated path.
- *
- * `account` is always populated for authenticated callers. `actor` and
- * `role_grants` are populated when the caller's account has a unique actor or
- * the request supplies `?acting=<actor_id>`; on multi-actor accounts
- * without an `acting` query, `actor` is `null` and `role_grants` is empty so
- * the frontend can show a persona picker without a separate roundtrip.
- */
-export declare const AccountStatusOutput: z.ZodObject<{
-    account: z.ZodObject<{
-        id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
-        username: z.ZodPipe<z.ZodString, z.ZodTransform<string, string>>;
-        email: z.ZodNullable<z.ZodEmail>;
-        email_verified: z.ZodBoolean;
-        created_at: z.ZodString;
-    }, z.core.$strict>;
-    actor: z.ZodNullable<z.ZodObject<{
-        id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
-        name: z.ZodString;
-    }, z.core.$strict>>;
-    role_grants: z.ZodArray<z.ZodObject<{
-        id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
-        role: z.ZodString;
-        scope_kind: z.ZodNullable<z.ZodString>;
-        scope_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
-        created_at: z.ZodString;
-        expires_at: z.ZodNullable<z.ZodString>;
-        granted_by: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
-    }, z.core.$strict>>;
-}, z.core.$strict>;
-export type AccountStatusOutput = z.infer<typeof AccountStatusOutput>;
-/** Error body for `GET /api/account/status` on the unauthenticated path. */
-export declare const AccountStatusUnauthenticatedError: z.ZodObject<{
-    error: z.ZodLiteral<"authentication_required">;
-    bootstrap_available: z.ZodOptional<z.ZodBoolean>;
-}, z.core.$loose>;
-export type AccountStatusUnauthenticatedError = z.infer<typeof AccountStatusUnauthenticatedError>;
 /**
  * Create the account status route spec.
  *
@@ -91,10 +49,6 @@ export interface AccountStatusOptions {
         available: boolean;
     };
 }
-/** Default maximum sessions per account. */
-export declare const DEFAULT_MAX_SESSIONS = 5;
-/** Default maximum API tokens per account. */
-export declare const DEFAULT_MAX_TOKENS = 10;
 /**
  * Default minimum wall-clock time (ms) for a login failure (401) response.
  *
@@ -153,49 +107,30 @@ export interface AccountRouteOptions extends AuthSessionRouteOptions {
      * `audit.on_event_chain`) runs.
      */
     connection_closer?: ConnectionCloser | null;
+    /**
+     * Runtime bootstrap status for the bundled `GET /status` route — when
+     * `available`, its unauthenticated 401 carries `bootstrap_available: true`
+     * so a fresh frontend can route to the bootstrap flow. Pass
+     * `ctx.bootstrap_status` (the live `BootstrapStatus` ref) so the flag tracks
+     * the one-shot bootstrap completing. Omit when no bootstrap flow is wired —
+     * `/status` is still served, just without the flag.
+     */
+    bootstrap_status?: {
+        available: boolean;
+    };
 }
-/** Input for `POST /login`. Accepts a username or email in the `username` field. */
-export declare const LoginInput: z.ZodObject<{
-    username: z.ZodPipe<z.ZodString, z.ZodTransform<string, string>>;
-    password: z.ZodString;
-}, z.core.$strict>;
-export type LoginInput = z.infer<typeof LoginInput>;
-/** Output for `POST /login`. The signed session cookie is the operative side effect. */
-export declare const LoginOutput: z.ZodObject<{
-    ok: z.ZodLiteral<true>;
-}, z.core.$strict>;
-export type LoginOutput = z.infer<typeof LoginOutput>;
-/** Input for `POST /logout`. Session identity flows through the cookie. */
-export declare const LogoutInput: z.ZodNull;
-export type LogoutInput = z.infer<typeof LogoutInput>;
-/** Output for `POST /logout`. Includes the revoked account's username for UI redraw. */
-export declare const LogoutOutput: z.ZodObject<{
-    ok: z.ZodLiteral<true>;
-    username: z.ZodString;
-}, z.core.$strict>;
-export type LogoutOutput = z.infer<typeof LogoutOutput>;
-/** Input for `POST /password`. `current_password` is minimally validated; `new_password` enforces the full policy. */
-export declare const PasswordChangeInput: z.ZodObject<{
-    current_password: z.ZodString;
-    new_password: z.ZodString;
-}, z.core.$strict>;
-export type PasswordChangeInput = z.infer<typeof PasswordChangeInput>;
-/** Output for `POST /password`. Counts are returned so the UI can summarize the revoke-all cascade. */
-export declare const PasswordChangeOutput: z.ZodObject<{
-    ok: z.ZodLiteral<true>;
-    sessions_revoked: z.ZodNumber;
-    tokens_revoked: z.ZodNumber;
-}, z.core.$strict>;
-export type PasswordChangeOutput = z.infer<typeof PasswordChangeOutput>;
 /**
  * Create account route specs for session-based auth.
  *
- * The returned specs cover the three flows that stay REST after the RPC
- * migration (login, logout, password change). Self-service session/token
- * management and verify are on `auth/account_actions.ts`.
+ * The returned specs cover the REST flows that stay after the RPC migration:
+ * `/status` (account info + bootstrap availability), `/verify` (nginx
+ * `auth_request` shim), `/login`, `/logout`, `/password`. `/status` is bundled
+ * here (relative path, prefixed to `/api/account/status` by the caller) so
+ * every account surface serves it, matching the Rust `account_router`.
+ * Self-service session/token management is on `auth/account_actions.ts`.
  *
  * @param deps - stateless capabilities (keyring, password, log)
- * @param options - per-factory configuration (session_options, ip_rate_limiter, login_account_rate_limiter)
+ * @param options - per-factory configuration (session_options, ip_rate_limiter, login_account_rate_limiter, bootstrap_status)
  * @returns route specs (not yet applied to Hono)
  */
 export declare const create_account_route_specs: (deps: RouteFactoryDeps, options: AccountRouteOptions) => Array<RouteSpec>;

package/dist/auth/account_routes.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"account_routes.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/account_routes.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAEtB,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,qBAAqB,CAAC;AA2BxD,OAAO,EAAkB,KAAK,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAEtE,OAAO,EAA+B,KAAK,WAAW,EAAC,MAAM,oBAAoB,CAAC;AAElF,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,WAAW,CAAC;AAChD,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,iCAAiC,CAAC;AAQtE,kFAAkF;AAClF,eAAO,MAAM,kBAAkB,WAAW,CAAC;AAC3C,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAEpE;;;;;;;;GAQG;AACH,eAAO,MAAM,mBAAmB;;;;;;;;;;;;;;;;;;;;;kBAI9B,CAAC;AACH,MAAM,MAAM,mBAAmB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAC;AAEtE,4EAA4E;AAC5E,eAAO,MAAM,iCAAiC;;;iBAG5C,CAAC;AACH,MAAM,MAAM,iCAAiC,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iCAAiC,CAAC,CAAC;AAElG;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,gCAAgC,GAAI,UAAU,oBAAoB,KAAG,SAmFhF,CAAC;AAEH,iDAAiD;AACjD,MAAM,WAAW,oBAAoB;IACpC,yDAAyD;IACzD,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,8FAA8F;IAC9F,gBAAgB,CAAC,EAAE;QAAC,SAAS,EAAE,OAAO,CAAA;KAAC,CAAC;CACxC;AAED,4CAA4C;AAC5C,eAAO,MAAM,oBAAoB,IAAI,CAAC;AAEtC,8CAA8C;AAC9C,eAAO,MAAM,kBAAkB,KAAK,CAAC;AAErC;;;;;;;;;GASG;AACH,eAAO,MAAM,2BAA2B,MAAM,CAAC;AAE/C;;;;;;GAMG;AACH,eAAO,MAAM,4BAA4B,KAAK,CAAC;AAQ/C;;;;;GAKG;AACH,MAAM,WAAW,uBAAuB;IACvC,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,kFAAkF;IAClF,eAAe,EAAE,WAAW,GAAG,IAAI,CAAC;CACpC;AAED;;GAEG;AACH,MAAM,WAAW,mBAAoB,SAAQ,uBAAuB;IACnE,4FAA4F;IAC5F,0BAA0B,EAAE,WAAW,GAAG,IAAI,CAAC;IAC/C,2FAA2F;IAC3F,YAAY,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7B;;;;OAIG;IACH,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B;;;OAGG;IACH,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAC9B;;;;;;;OAOG;IACH,iBAAiB,CAAC,EAAE,gBAAgB,GAAG,IAAI,CAAC;CAC5C;AAID,oFAAoF;AACpF,eAAO,MAAM,UAAU;;;kBAGrB,CAAC;AACH,MAAM,MAAM,UAAU,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,UAAU,CAAC,CAAC;AAEpD,wFAAwF;AACxF,eAAO,MAAM,WAAW;;kBAEtB,CAAC;AACH,MAAM,MAAM,WAAW,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,WAAW,CAAC,CAAC;AAEtD,2EAA2E;AAC3E,eAAO,MAAM,WAAW,WAAW,CAAC;AACpC,MAAM,MAAM,WAAW,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,WAAW,CAAC,CAAC;AAEtD,wFAAwF;AACxF,eAAO,MAAM,YAAY;;;kBAGvB,CAAC;AACH,MAAM,MAAM,YAAY,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,YAAY,CAAC,CAAC;AAExD,sHAAsH;AACtH,eAAO,MAAM,mBAAmB;;;kBAG9B,CAAC;AACH,MAAM,MAAM,mBAAmB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAC;AAEtE,uGAAuG;AACvG,eAAO,MAAM,oBAAoB;;;;kBAI/B,CAAC;AACH,MAAM,MAAM,oBAAoB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAC;AAExE;;;;;;;;;;GAUG;AACH,eAAO,MAAM,0BAA0B,GACtC,MAAM,gBAAgB,EACtB,SAAS,mBAAmB,KAC1B,KAAK,CAAC,SAAS,CAoTjB,CAAC"}
+{"version":3,"file":"account_routes.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/account_routes.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AAEH,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,qBAAqB,CAAC;AA4BxD,OAAO,EAAkB,KAAK,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAEtE,OAAO,EAA+B,KAAK,WAAW,EAAC,MAAM,oBAAoB,CAAC;AAClF,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,WAAW,CAAC;AAChD,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,iCAAiC,CAAC;AAGtE;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,gCAAgC,GAAI,UAAU,oBAAoB,KAAG,SA4EhF,CAAC;AAEH,iDAAiD;AACjD,MAAM,WAAW,oBAAoB;IACpC,yDAAyD;IACzD,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,8FAA8F;IAC9F,gBAAgB,CAAC,EAAE;QAAC,SAAS,EAAE,OAAO,CAAA;KAAC,CAAC;CACxC;AAED;;;;;;;;;GASG;AACH,eAAO,MAAM,2BAA2B,MAAM,CAAC;AAE/C;;;;;;GAMG;AACH,eAAO,MAAM,4BAA4B,KAAK,CAAC;AAQ/C;;;;;GAKG;AACH,MAAM,WAAW,uBAAuB;IACvC,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,kFAAkF;IAClF,eAAe,EAAE,WAAW,GAAG,IAAI,CAAC;CACpC;AAED;;GAEG;AACH,MAAM,WAAW,mBAAoB,SAAQ,uBAAuB;IACnE,4FAA4F;IAC5F,0BAA0B,EAAE,WAAW,GAAG,IAAI,CAAC;IAC/C,2FAA2F;IAC3F,YAAY,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7B;;;;OAIG;IACH,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B;;;OAGG;IACH,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAC9B;;;;;;;OAOG;IACH,iBAAiB,CAAC,EAAE,gBAAgB,GAAG,IAAI,CAAC;IAC5C;;;;;;;OAOG;IACH,gBAAgB,CAAC,EAAE;QAAC,SAAS,EAAE,OAAO,CAAA;KAAC,CAAC;CACxC;AAID;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,0BAA0B,GACtC,MAAM,gBAAgB,EACtB,SAAS,mBAAmB,KAC1B,KAAK,CAAC,SAAS,CAwRjB,CAAC"}