@fuzdev/fuz_app 0.87.0 → 0.89.0

package/dist/auth/account_routes.js

@@ -21,41 +21,18 @@
  *
  * @module
  */
-import { z } from 'zod';
 import { clear_session_cookie, create_session_and_set_cookie } from './session_middleware.js';
-import { ActorSummaryJson, RoleGrantSummaryJson, SessionAccountJson, to_session_account, } from './account_schema.js';
-import { UsernameProvided } from '../primitive_schemas.js';
+import { RoleGrantSummaryJson, to_session_account } from './account_schema.js';
+import { account_status_route_shape, create_account_route_shapes, DEFAULT_MAX_SESSIONS, } from './account_route_schema.js';
 import { hash_session_token, query_session_revoke_all_for_account, query_session_revoke_by_hash_unscoped, } from './session_queries.js';
 import { query_account_by_username_or_email, query_update_account_password, } from './account_queries.js';
 import { query_revoke_all_api_tokens_for_account } from './api_token_queries.js';
 import { build_account_context, build_request_context, get_request_context, require_request_context, resolve_acting_actor, } from './request_context.js';
 import { ACCOUNT_ID_KEY, CREDENTIAL_TYPE_KEY } from '../hono_context.js';
 import { get_route_input } from '../http/route_spec.js';
-import { get_client_ip } from '../http/proxy.js';
+import { get_client_ip } from '../http/client_ip.js';
 import { rate_limit_exceeded_response } from '../rate_limiter.js';
-import { Password, PasswordProvided } from './password.js';
-import { ERROR_AUTHENTICATION_REQUIRED, ERROR_INVALID_CREDENTIALS, ERROR_INVALID_JSON_BODY, ERROR_INVALID_REQUEST_BODY, } from '../http/error_schemas.js';
-/** Input for `GET /api/account/status`. No parameters — caller is the subject. */
-export const AccountStatusInput = z.null();
-/**
- * Output for `GET /api/account/status` on the authenticated path.
- *
- * `account` is always populated for authenticated callers. `actor` and
- * `role_grants` are populated when the caller's account has a unique actor or
- * the request supplies `?acting=<actor_id>`; on multi-actor accounts
- * without an `acting` query, `actor` is `null` and `role_grants` is empty so
- * the frontend can show a persona picker without a separate roundtrip.
- */
-export const AccountStatusOutput = z.strictObject({
-    account: SessionAccountJson,
-    actor: ActorSummaryJson.nullable(),
-    role_grants: z.array(RoleGrantSummaryJson),
-});
-/** Error body for `GET /api/account/status` on the unauthenticated path. */
-export const AccountStatusUnauthenticatedError = z.looseObject({
-    error: z.literal(ERROR_AUTHENTICATION_REQUIRED),
-    bootstrap_available: z.boolean().optional(),
-});
+import { ERROR_AUTHENTICATION_REQUIRED, ERROR_INVALID_CREDENTIALS } from '../http/error_schemas.js';
 /**
  * Create the account status route spec.
  *
@@ -70,15 +47,8 @@ export const AccountStatusUnauthenticatedError = z.looseObject({
  * @returns a single account status route spec
  */
 export const create_account_status_route_spec = (options) => ({
-    method: 'GET',
-    path: options?.path ?? '/api/account/status',
-    auth: { account: 'none', actor: 'none' },
-    description: 'Current account info (unauthenticated: 401 with bootstrap status)',
-    input: AccountStatusInput,
-    output: AccountStatusOutput,
-    errors: {
-        401: AccountStatusUnauthenticatedError,
-    },
+    ...account_status_route_shape,
+    path: options?.path ?? account_status_route_shape.path,
     handler: async (c, route) => {
         const account_id = c.get(ACCOUNT_ID_KEY) ?? null;
         if (!account_id) {
@@ -147,10 +117,6 @@ export const create_account_status_route_spec = (options) => ({
         });
     },
 });
-/** Default maximum sessions per account. */
-export const DEFAULT_MAX_SESSIONS = 5;
-/** Default maximum API tokens per account. */
-export const DEFAULT_MAX_TOKENS = 10;
 /**
  * Default minimum wall-clock time (ms) for a login failure (401) response.
  *
@@ -176,75 +142,43 @@ const login_fail_delay = (floor_ms, jitter_ms) => {
     const jitter = jitter_ms > 0 ? Math.floor(Math.random() * (jitter_ms * 2 + 1)) - jitter_ms : 0;
     return new Promise((resolve) => setTimeout(resolve, floor_ms + jitter));
 };
-// -- Input/output schemas ---------------------------------------------------
-/** Input for `POST /login`. Accepts a username or email in the `username` field. */
-export const LoginInput = z.strictObject({
-    username: UsernameProvided,
-    password: PasswordProvided,
-});
-/** Output for `POST /login`. The signed session cookie is the operative side effect. */
-export const LoginOutput = z.strictObject({
-    ok: z.literal(true),
-});
-/** Input for `POST /logout`. Session identity flows through the cookie. */
-export const LogoutInput = z.null();
-/** Output for `POST /logout`. Includes the revoked account's username for UI redraw. */
-export const LogoutOutput = z.strictObject({
-    ok: z.literal(true),
-    username: z.string(),
-});
-/** Input for `POST /password`. `current_password` is minimally validated; `new_password` enforces the full policy. */
-export const PasswordChangeInput = z.strictObject({
-    current_password: PasswordProvided,
-    new_password: Password,
-});
-/** Output for `POST /password`. Counts are returned so the UI can summarize the revoke-all cascade. */
-export const PasswordChangeOutput = z.strictObject({
-    ok: z.literal(true),
-    sessions_revoked: z.number(),
-    tokens_revoked: z.number(),
-});
+// `create_account_route_specs` spreads each shape and attaches the live
+// handler below.
 /**
  * Create account route specs for session-based auth.
  *
- * The returned specs cover the three flows that stay REST after the RPC
- * migration (login, logout, password change). Self-service session/token
- * management and verify are on `auth/account_actions.ts`.
+ * The returned specs cover the REST flows that stay after the RPC migration:
+ * `/status` (account info + bootstrap availability), `/verify` (nginx
+ * `auth_request` shim), `/login`, `/logout`, `/password`. `/status` is bundled
+ * here (relative path, prefixed to `/api/account/status` by the caller) so
+ * every account surface serves it, matching the Rust `account_router`.
+ * Self-service session/token management is on `auth/account_actions.ts`.
  *
  * @param deps - stateless capabilities (keyring, password, log)
- * @param options - per-factory configuration (session_options, ip_rate_limiter, login_account_rate_limiter)
+ * @param options - per-factory configuration (session_options, ip_rate_limiter, login_account_rate_limiter, bootstrap_status)
  * @returns route specs (not yet applied to Hono)
  */
 export const create_account_route_specs = (deps, options) => {
     const { keyring, password } = deps;
-    const { session_options, ip_rate_limiter, login_account_rate_limiter, max_sessions = DEFAULT_MAX_SESSIONS, login_fail_floor_ms = DEFAULT_LOGIN_FAIL_FLOOR_MS, login_fail_jitter_ms = DEFAULT_LOGIN_FAIL_JITTER_MS, connection_closer = null, } = options;
+    const { session_options, ip_rate_limiter, login_account_rate_limiter, max_sessions = DEFAULT_MAX_SESSIONS, login_fail_floor_ms = DEFAULT_LOGIN_FAIL_FLOOR_MS, login_fail_jitter_ms = DEFAULT_LOGIN_FAIL_JITTER_MS, connection_closer = null, bootstrap_status, } = options;
+    const [verify_shape, login_shape, logout_shape, password_shape] = create_account_route_shapes({
+        login_account_rate_limited: login_account_rate_limiter !== null,
+    });
     return [
+        // `/status` is bundled into the account family (relative path, prefixed
+        // to `/api/account/status` by the caller) so every account surface serves
+        // it — matching the Rust `account_router`. The standalone
+        // `create_account_status_route_spec` stays the building block.
+        create_account_status_route_spec({ bootstrap_status }),
         {
-            method: 'GET',
-            path: '/verify',
-            auth: { account: 'required', actor: 'none' },
-            description: 'Session-validity probe for nginx auth_request (empty body, 200 or 401)',
-            input: z.null(),
-            output: z.null(),
+            ...verify_shape,
             handler: (c) => {
                 require_request_context(c);
                 return c.body(null, 200);
             },
         },
         {
-            method: 'POST',
-            path: '/login',
-            auth: { account: 'none', actor: 'none' },
-            description: 'Exchange credentials for session',
-            input: LoginInput,
-            output: LoginOutput,
-            rate_limit: 'both',
-            errors: {
-                400: z.looseObject({
-                    error: z.enum([ERROR_INVALID_JSON_BODY, ERROR_INVALID_REQUEST_BODY]),
-                }),
-                401: z.looseObject({ error: z.literal(ERROR_INVALID_CREDENTIALS) }),
-            },
+            ...login_shape,
             handler: async (c, route) => {
                 // Per-IP rate limit check (before any DB/password work)
                 const ip = ip_rate_limiter ? get_client_ip(c) : null;
@@ -331,16 +265,7 @@ export const create_account_route_specs = (deps, options) => {
             },
         },
         {
-            method: 'POST',
-            path: '/logout',
-            // `credential_types: ['session']` — see `docs/security.md` §Credential-channel gating.
-            // Logout is a session-bound operation; a bearer / daemon token holds no session
-            // to end, so the dispatcher rejects it (403 `credential_type_required`) rather than
-            // returning a misleading 200 + a phantom `logout` audit row for a no-op.
-            auth: { account: 'required', actor: 'none', credential_types: ['session'] },
-            description: 'Revoke current session and clear cookie',
-            input: LogoutInput,
-            output: LogoutOutput,
+            ...logout_shape,
             handler: async (c, route) => {
                 const ctx = require_request_context(c);
                 const session_token = c.get(session_options.context_key) ?? null;
@@ -377,19 +302,7 @@ export const create_account_route_specs = (deps, options) => {
             },
         },
         {
-            method: 'POST',
-            path: '/password',
-            // `credential_types: ['session']` — see `docs/security.md` §Credential-channel gating.
-            auth: { account: 'required', actor: 'none', credential_types: ['session'] },
-            description: 'Change password (revokes all sessions and API tokens)',
-            input: PasswordChangeInput,
-            output: PasswordChangeOutput,
-            rate_limit: login_account_rate_limiter ? 'both' : 'ip',
-            errors: {
-                400: z.looseObject({
-                    error: z.enum([ERROR_INVALID_JSON_BODY, ERROR_INVALID_REQUEST_BODY]),
-                }),
-            },
+            ...password_shape,
             handler: async (c, route) => {
                 // per-IP rate limit check (before argon2 work)
                 const ip = ip_rate_limiter ? get_client_ip(c) : null;

package/dist/auth/audit_log_route_schema.d.ts

@@ -0,0 +1,32 @@
+/**
+ * Hono-free wire schemas + route shape for the audit-log SSE stream.
+ *
+ * Split from `audit_log_routes.ts` (whose handler pulls `hono/streaming` via
+ * `realtime/sse`) so cross-process test suites can build the audit-stream
+ * route shape without dragging the in-process SSE handler, and its optional
+ * `hono` peer, onto a backend-spawning consumer. `audit_log_routes.ts` imports
+ * these back and attaches the live SSE handler; single source of truth for the
+ * wire shape.
+ *
+ * @module
+ */
+import { z } from 'zod';
+import type { RouteSpec } from '../http/route_spec.js';
+/** Query schema for the audit-log SSE route — multi-actor admins pass `?acting=<uuid>`. */
+export declare const AuditStreamQuery: z.ZodObject<{
+    acting: z.ZodOptional<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+}, z.core.$strict>;
+export type AuditStreamQuery = z.infer<typeof AuditStreamQuery>;
+/** Default role required to access the audit-log SSE route. */
+export declare const DEFAULT_AUDIT_STREAM_ROLE = "admin";
+/**
+ * The `GET /audit/stream` SSE route shape minus its handler — pure hono-free
+ * data. `create_audit_log_route_specs` spreads this and attaches the live SSE
+ * handler; cross-process surface builders spread it with a stub handler. The
+ * output is `z.null()` because SSE streams have no JSON response body.
+ *
+ * @param required_role - role gating the stream (default `DEFAULT_AUDIT_STREAM_ROLE`)
+ * @returns the SSE route shape minus its handler
+ */
+export declare const create_audit_log_route_shape: (required_role?: string) => Omit<RouteSpec, "handler">;
+//# sourceMappingURL=audit_log_route_schema.d.ts.map

package/dist/auth/audit_log_route_schema.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit_log_route_schema.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/audit_log_route_schema.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAEtB,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAGrD,2FAA2F;AAC3F,eAAO,MAAM,gBAAgB;;kBAAwC,CAAC;AACtE,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC;AAEhE,+DAA+D;AAC/D,eAAO,MAAM,yBAAyB,UAAU,CAAC;AAEjD;;;;;;;;GAQG;AACH,eAAO,MAAM,4BAA4B,GACxC,gBAAe,MAAkC,KAC/C,IAAI,CAAC,SAAS,EAAE,SAAS,CAQ1B,CAAC"}

package/dist/auth/audit_log_route_schema.js

@@ -0,0 +1,36 @@
+/**
+ * Hono-free wire schemas + route shape for the audit-log SSE stream.
+ *
+ * Split from `audit_log_routes.ts` (whose handler pulls `hono/streaming` via
+ * `realtime/sse`) so cross-process test suites can build the audit-stream
+ * route shape without dragging the in-process SSE handler, and its optional
+ * `hono` peer, onto a backend-spawning consumer. `audit_log_routes.ts` imports
+ * these back and attaches the live SSE handler; single source of truth for the
+ * wire shape.
+ *
+ * @module
+ */
+import { z } from 'zod';
+import { ActingActor } from '../http/auth_shape.js';
+/** Query schema for the audit-log SSE route — multi-actor admins pass `?acting=<uuid>`. */
+export const AuditStreamQuery = z.strictObject({ acting: ActingActor });
+/** Default role required to access the audit-log SSE route. */
+export const DEFAULT_AUDIT_STREAM_ROLE = 'admin';
+/**
+ * The `GET /audit/stream` SSE route shape minus its handler — pure hono-free
+ * data. `create_audit_log_route_specs` spreads this and attaches the live SSE
+ * handler; cross-process surface builders spread it with a stub handler. The
+ * output is `z.null()` because SSE streams have no JSON response body.
+ *
+ * @param required_role - role gating the stream (default `DEFAULT_AUDIT_STREAM_ROLE`)
+ * @returns the SSE route shape minus its handler
+ */
+export const create_audit_log_route_shape = (required_role = DEFAULT_AUDIT_STREAM_ROLE) => ({
+    method: 'GET',
+    path: '/audit/stream',
+    auth: { account: 'required', actor: 'required', roles: [required_role] },
+    description: 'Subscribe to realtime audit log events',
+    query: AuditStreamQuery,
+    input: z.null(),
+    output: z.null(), // SSE — no JSON response
+});

package/dist/auth/audit_log_routes.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"audit_log_routes.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/audit_log_routes.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAGH,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAEpD,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,uBAAuB,CAAC;AACrD,OAAO,EAAsB,KAAK,SAAS,EAAE,KAAK,eAAe,EAAC,MAAM,oBAAoB,CAAC;AAC7F,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,oCAAoC,CAAC;AAQzE,yCAAyC;AACzC,MAAM,WAAW,oBAAoB;IACpC,+DAA+D;IAC/D,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB;;;;OAIG;IACH,MAAM,CAAC,EAAE;QACR,SAAS,EAAE,CAAC,MAAM,EAAE,SAAS,CAAC,eAAe,CAAC,EAAE,OAAO,CAAC,EAAE,gBAAgB,KAAK,MAAM,IAAI,CAAC;QAC1F,GAAG,EAAE,MAAM,CAAC;KACZ,CAAC;CACF;AAED;;;;;;;;GAQG;AACH,eAAO,MAAM,4BAA4B,GAAI,UAAU,oBAAoB,KAAG,KAAK,CAAC,SAAS,CAiC5F,CAAC"}
+{"version":3,"file":"audit_log_routes.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/audit_log_routes.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAEpD,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAErD,OAAO,EAAsB,KAAK,SAAS,EAAE,KAAK,eAAe,EAAC,MAAM,oBAAoB,CAAC;AAC7F,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,oCAAoC,CAAC;AAIzE,yCAAyC;AACzC,MAAM,WAAW,oBAAoB;IACpC,+DAA+D;IAC/D,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB;;;;OAIG;IACH,MAAM,CAAC,EAAE;QACR,SAAS,EAAE,CAAC,MAAM,EAAE,SAAS,CAAC,eAAe,CAAC,EAAE,OAAO,CAAC,EAAE,gBAAgB,KAAK,MAAM,IAAI,CAAC;QAC1F,GAAG,EAAE,MAAM,CAAC;KACZ,CAAC;CACF;AAED;;;;;;;;GAQG;AACH,eAAO,MAAM,4BAA4B,GAAI,UAAU,oBAAoB,KAAG,KAAK,CAAC,SAAS,CAyB5F,CAAC"}

package/dist/auth/audit_log_routes.js

@@ -11,13 +11,10 @@
  *
  * @module
  */
-import { z } from 'zod';
+import { create_audit_log_route_shape } from './audit_log_route_schema.js';
 import { create_sse_response } from '../realtime/sse.js';
 import { AUTH_SESSION_TOKEN_HASH_KEY, require_request_context } from './request_context.js';
 import { AUDIT_LOG_CHANNEL } from '../realtime/sse_auth_guard.js';
-import { ActingActor } from '../http/auth_shape.js';
-/** Query schema for the audit-log SSE route — multi-actor admins pass `?acting=<uuid>`. */
-const AuditStreamQuery = z.strictObject({ acting: ActingActor });
 /**
  * Create the optional audit-log SSE route spec.
  *
@@ -28,19 +25,12 @@ const AuditStreamQuery = z.strictObject({ acting: ActingActor });
  * @returns the SSE route spec (when `options.stream` is provided) or an empty array
  */
 export const create_audit_log_route_specs = (options) => {
-    const role = options?.required_role ?? 'admin';
     if (!options?.stream)
         return [];
     const { subscribe, log } = options.stream;
     return [
         {
-            method: 'GET',
-            path: '/audit/stream',
-            auth: { account: 'required', actor: 'required', roles: [role] },
-            description: 'Subscribe to realtime audit log events',
-            query: AuditStreamQuery,
-            input: z.null(),
-            output: z.null(), // SSE — no JSON response
+            ...create_audit_log_route_shape(options.required_role),
             handler: (c) => {
                 const ctx = require_request_context(c);
                 // scope = session hash (capped → tabs-per-session limit and

package/dist/auth/bearer_auth.js

@@ -17,7 +17,7 @@
 import { DEV } from 'esm-env';
 import { AUTH_API_TOKEN_ID_KEY, ACCOUNT_ID_KEY, CREDENTIAL_TYPE_KEY } from '../hono_context.js';
 import { query_validate_api_token } from './api_token_queries.js';
-import { get_client_ip } from '../http/proxy.js';
+import { get_client_ip } from '../http/client_ip.js';
 import { rate_limit_exceeded_response } from '../rate_limiter.js';
 /**
  * Create middleware that authenticates via bearer token.

package/dist/auth/bootstrap_route_schema.d.ts

@@ -0,0 +1,85 @@
+/**
+ * Hono-free wire shape + schemas for `POST /bootstrap`.
+ *
+ * Split from `bootstrap_routes.ts` so the route's declared shape (method,
+ * path, auth, input/output/error schemas) is importable **without** the
+ * hono-coupled handler (which sets a session cookie and reads the client
+ * IP off the Hono context). `create_bootstrap_route_specs` spreads
+ * `bootstrap_route_shape` and attaches the live handler; the test surface
+ * builder (`create_test_app_surface_spec`) spreads it with a stub handler so
+ * attack-surface generation reads the real shape without pulling the
+ * in-process Hono app onto cross-process consumers. Single source of truth —
+ * the shape can't drift between the live route and the surface.
+ *
+ * @module
+ */
+import { z } from 'zod';
+/** Input for `POST /bootstrap`. `token` is the one-shot token file contents. */
+export declare const BootstrapInput: z.ZodObject<{
+    token: z.ZodString;
+    username: z.ZodPipe<z.ZodString, z.ZodTransform<string, string>>;
+    password: z.ZodString;
+}, z.core.$strict>;
+export type BootstrapInput = z.infer<typeof BootstrapInput>;
+/** Output for `POST /bootstrap`. Session cookie is the operative side effect. */
+export declare const BootstrapOutput: z.ZodObject<{
+    ok: z.ZodLiteral<true>;
+    account: z.ZodObject<{
+        id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+        username: z.ZodPipe<z.ZodString, z.ZodTransform<string, string>>;
+    }, z.core.$strict>;
+    actor: z.ZodObject<{
+        id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+    }, z.core.$strict>;
+}, z.core.$strict>;
+export type BootstrapOutput = z.infer<typeof BootstrapOutput>;
+/**
+ * The `POST /bootstrap` route shape minus its handler — pure hono-free data.
+ * `create_bootstrap_route_specs` spreads this and attaches the live handler;
+ * surface generation spreads it with a stub handler (handlers are never run
+ * during surface assembly, only the shape is read).
+ */
+export declare const bootstrap_route_shape: {
+    method: "POST";
+    path: string;
+    auth: {
+        account: "none";
+        actor: "none";
+    };
+    description: string;
+    transaction: false;
+    input: z.ZodObject<{
+        token: z.ZodString;
+        username: z.ZodPipe<z.ZodString, z.ZodTransform<string, string>>;
+        password: z.ZodString;
+    }, z.core.$strict>;
+    output: z.ZodObject<{
+        ok: z.ZodLiteral<true>;
+        account: z.ZodObject<{
+            id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+            username: z.ZodPipe<z.ZodString, z.ZodTransform<string, string>>;
+        }, z.core.$strict>;
+        actor: z.ZodObject<{
+            id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+        }, z.core.$strict>;
+    }, z.core.$strict>;
+    rate_limit: "ip";
+    errors: {
+        400: z.ZodObject<{
+            error: z.ZodEnum<{
+                invalid_request_body: "invalid_request_body";
+                invalid_json_body: "invalid_json_body";
+            }>;
+        }, z.core.$loose>;
+        401: z.ZodObject<{
+            error: z.ZodLiteral<"invalid_token">;
+        }, z.core.$loose>;
+        403: z.ZodObject<{
+            error: z.ZodLiteral<"already_bootstrapped">;
+        }, z.core.$loose>;
+        404: z.ZodObject<{
+            error: z.ZodLiteral<"token_file_missing">;
+        }, z.core.$loose>;
+    };
+};
+//# sourceMappingURL=bootstrap_route_schema.d.ts.map

package/dist/auth/bootstrap_route_schema.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"bootstrap_route_schema.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/bootstrap_route_schema.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AActB,gFAAgF;AAChF,eAAO,MAAM,cAAc;;;;kBAIzB,CAAC;AACH,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,cAAc,CAAC,CAAC;AAE5D,iFAAiF;AACjF,eAAO,MAAM,eAAe;;;;;;;;;kBAI1B,CAAC;AACH,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,eAAe,CAAC,CAAC;AAE9D;;;;;GAKG;AACH,eAAO,MAAM,qBAAqB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAiBI,CAAC"}

package/dist/auth/bootstrap_route_schema.js

@@ -0,0 +1,56 @@
+/**
+ * Hono-free wire shape + schemas for `POST /bootstrap`.
+ *
+ * Split from `bootstrap_routes.ts` so the route's declared shape (method,
+ * path, auth, input/output/error schemas) is importable **without** the
+ * hono-coupled handler (which sets a session cookie and reads the client
+ * IP off the Hono context). `create_bootstrap_route_specs` spreads
+ * `bootstrap_route_shape` and attaches the live handler; the test surface
+ * builder (`create_test_app_surface_spec`) spreads it with a stub handler so
+ * attack-surface generation reads the real shape without pulling the
+ * in-process Hono app onto cross-process consumers. Single source of truth —
+ * the shape can't drift between the live route and the surface.
+ *
+ * @module
+ */
+import { z } from 'zod';
+import { Uuid } from '@fuzdev/fuz_util/id.js';
+import { Username } from '../primitive_schemas.js';
+import { Password } from './password.js';
+import { ERROR_INVALID_TOKEN, ERROR_ALREADY_BOOTSTRAPPED, ERROR_TOKEN_FILE_MISSING, ERROR_INVALID_JSON_BODY, ERROR_INVALID_REQUEST_BODY, } from '../http/error_schemas.js';
+/** Input for `POST /bootstrap`. `token` is the one-shot token file contents. */
+export const BootstrapInput = z.strictObject({
+    token: z.string().min(1).meta({ sensitivity: 'secret' }),
+    username: Username,
+    password: Password,
+});
+/** Output for `POST /bootstrap`. Session cookie is the operative side effect. */
+export const BootstrapOutput = z.strictObject({
+    ok: z.literal(true),
+    account: z.strictObject({ id: Uuid, username: Username }),
+    actor: z.strictObject({ id: Uuid }),
+});
+/**
+ * The `POST /bootstrap` route shape minus its handler — pure hono-free data.
+ * `create_bootstrap_route_specs` spreads this and attaches the live handler;
+ * surface generation spreads it with a stub handler (handlers are never run
+ * during surface assembly, only the shape is read).
+ */
+export const bootstrap_route_shape = {
+    method: 'POST',
+    path: '/bootstrap',
+    auth: { account: 'none', actor: 'none' },
+    description: 'Create initial keeper account (one-shot)',
+    transaction: false, // bootstrap_account manages its own transaction
+    input: BootstrapInput,
+    output: BootstrapOutput,
+    rate_limit: 'ip',
+    errors: {
+        400: z.looseObject({
+            error: z.enum([ERROR_INVALID_JSON_BODY, ERROR_INVALID_REQUEST_BODY]),
+        }),
+        401: z.looseObject({ error: z.literal(ERROR_INVALID_TOKEN) }),
+        403: z.looseObject({ error: z.literal(ERROR_ALREADY_BOOTSTRAPPED) }),
+        404: z.looseObject({ error: z.literal(ERROR_TOKEN_FILE_MISSING) }),
+    },
+};

package/dist/auth/bootstrap_routes.d.ts

@@ -6,7 +6,6 @@
  *
  * @module
  */
-import { z } from 'zod';
 import type { Context } from 'hono';
 import type { Logger } from '@fuzdev/fuz_util/log.js';
 import type { SessionOptions } from './session_cookie.js';
@@ -16,25 +15,6 @@ import { type RouteSpec } from '../http/route_spec.js';
 import { type RateLimiter } from '../rate_limiter.js';
 import type { RouteFactoryDeps } from './deps.js';
 import type { StatResult } from '../runtime/deps.js';
-/** Input for `POST /bootstrap`. `token` is the one-shot token file contents. */
-export declare const BootstrapInput: z.ZodObject<{
-    token: z.ZodString;
-    username: z.ZodPipe<z.ZodString, z.ZodTransform<string, string>>;
-    password: z.ZodString;
-}, z.core.$strict>;
-export type BootstrapInput = z.infer<typeof BootstrapInput>;
-/** Output for `POST /bootstrap`. Session cookie is the operative side effect. */
-export declare const BootstrapOutput: z.ZodObject<{
-    ok: z.ZodLiteral<true>;
-    account: z.ZodObject<{
-        id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
-        username: z.ZodPipe<z.ZodString, z.ZodTransform<string, string>>;
-    }, z.core.$strict>;
-    actor: z.ZodObject<{
-        id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
-    }, z.core.$strict>;
-}, z.core.$strict>;
-export type BootstrapOutput = z.infer<typeof BootstrapOutput>;
 /**
  * Bootstrap status — runtime state computed once at startup.
  */

package/dist/auth/bootstrap_routes.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"bootstrap_routes.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/bootstrap_routes.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AACtB,OAAO,KAAK,EAAC,OAAO,EAAC,MAAM,MAAM,CAAC;AAClC,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAGpD,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,qBAAqB,CAAC;AAExD,OAAO,EAAoB,KAAK,uBAAuB,EAAC,MAAM,wBAAwB,CAAC;AAGvF,OAAO,KAAK,EAAC,EAAE,EAAC,MAAM,aAAa,CAAC;AACpC,OAAO,EAAkB,KAAK,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAEtE,OAAO,EAA+B,KAAK,WAAW,EAAC,MAAM,oBAAoB,CAAC;AAClF,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,WAAW,CAAC;AAChD,OAAO,KAAK,EAAC,UAAU,EAAC,MAAM,oBAAoB,CAAC;AAWnD,gFAAgF;AAChF,eAAO,MAAM,cAAc;;;;kBAIzB,CAAC;AACH,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,cAAc,CAAC,CAAC;AAE5D,iFAAiF;AACjF,eAAO,MAAM,eAAe;;;;;;;;;kBAI1B,CAAC;AACH,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,eAAe,CAAC,CAAC;AAE9D;;GAEG;AACH,MAAM,WAAW,eAAe;IAC/B,SAAS,EAAE,OAAO,CAAC;IACnB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;CAC1B;AAED;;;;;GAKG;AACH,MAAM,WAAW,qBAAqB;IACrC,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,8EAA8E;IAC9E,gBAAgB,EAAE,eAAe,CAAC;IAClC;;;OAGG;IACH,YAAY,CAAC,EAAE,CAAC,MAAM,EAAE,uBAAuB,EAAE,CAAC,EAAE,OAAO,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IAC9E,4EAA4E;IAC5E,eAAe,EAAE,WAAW,GAAG,IAAI,CAAC;CACpC;AAED;;GAEG;AACH,MAAM,WAAW,wBAAwB;IACxC,IAAI,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC,CAAC;IACnD,EAAE,EAAE,EAAE,CAAC;IACP,GAAG,EAAE,MAAM,CAAC;CACZ;AAED;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,sBAAsB,GAClC,MAAM,wBAAwB,EAC9B,SAAS;IAAC,UAAU,EAAE,MAAM,GAAG,IAAI,CAAA;CAAC,KAClC,OAAO,CAAC,eAAe,CAwBzB,CAAC;AAEF;;;;;;GAMG;AACH,eAAO,MAAM,4BAA4B,GACxC,MAAM,gBAAgB,EACtB,SAAS,qBAAqB,KAC5B,KAAK,CAAC,SAAS,CAkHjB,CAAC"}
+{"version":3,"file":"bootstrap_routes.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/bootstrap_routes.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAC,OAAO,EAAC,MAAM,MAAM,CAAC;AAClC,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAEpD,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,qBAAqB,CAAC;AAExD,OAAO,EAAoB,KAAK,uBAAuB,EAAC,MAAM,wBAAwB,CAAC;AAEvF,OAAO,KAAK,EAAC,EAAE,EAAC,MAAM,aAAa,CAAC;AACpC,OAAO,EAAkB,KAAK,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAEtE,OAAO,EAA+B,KAAK,WAAW,EAAC,MAAM,oBAAoB,CAAC;AAClF,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,WAAW,CAAC;AAChD,OAAO,KAAK,EAAC,UAAU,EAAC,MAAM,oBAAoB,CAAC;AAGnD;;GAEG;AACH,MAAM,WAAW,eAAe;IAC/B,SAAS,EAAE,OAAO,CAAC;IACnB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;CAC1B;AAED;;;;;GAKG;AACH,MAAM,WAAW,qBAAqB;IACrC,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,8EAA8E;IAC9E,gBAAgB,EAAE,eAAe,CAAC;IAClC;;;OAGG;IACH,YAAY,CAAC,EAAE,CAAC,MAAM,EAAE,uBAAuB,EAAE,CAAC,EAAE,OAAO,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IAC9E,4EAA4E;IAC5E,eAAe,EAAE,WAAW,GAAG,IAAI,CAAC;CACpC;AAED;;GAEG;AACH,MAAM,WAAW,wBAAwB;IACxC,IAAI,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC,CAAC;IACnD,EAAE,EAAE,EAAE,CAAC;IACP,GAAG,EAAE,MAAM,CAAC;CACZ;AAED;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,sBAAsB,GAClC,MAAM,wBAAwB,EAC9B,SAAS;IAAC,UAAU,EAAE,MAAM,GAAG,IAAI,CAAA;CAAC,KAClC,OAAO,CAAC,eAAe,CAwBzB,CAAC;AAEF;;;;;;GAMG;AACH,eAAO,MAAM,4BAA4B,GACxC,MAAM,gBAAgB,EACtB,SAAS,qBAAqB,KAC5B,KAAK,CAAC,SAAS,CAmGjB,CAAC"}

package/dist/auth/bootstrap_routes.js

@@ -6,29 +6,13 @@
  *
  * @module
  */
-import { z } from 'zod';
-import { Uuid } from '@fuzdev/fuz_util/id.js';
 import { create_session_and_set_cookie } from './session_middleware.js';
 import { bootstrap_account } from './bootstrap_account.js';
-import { Username } from '../primitive_schemas.js';
-import { Password } from './password.js';
+import { bootstrap_route_shape } from './bootstrap_route_schema.js';
 import { get_route_input } from '../http/route_spec.js';
-import { get_client_ip } from '../http/proxy.js';
+import { get_client_ip } from '../http/client_ip.js';
 import { rate_limit_exceeded_response } from '../rate_limiter.js';
-import { ERROR_INVALID_TOKEN, ERROR_ALREADY_BOOTSTRAPPED, ERROR_TOKEN_FILE_MISSING, ERROR_INVALID_JSON_BODY, ERROR_INVALID_REQUEST_BODY, } from '../http/error_schemas.js';
-// -- Input/output schemas ---------------------------------------------------
-/** Input for `POST /bootstrap`. `token` is the one-shot token file contents. */
-export const BootstrapInput = z.strictObject({
-    token: z.string().min(1).meta({ sensitivity: 'secret' }),
-    username: Username,
-    password: Password,
-});
-/** Output for `POST /bootstrap`. Session cookie is the operative side effect. */
-export const BootstrapOutput = z.strictObject({
-    ok: z.literal(true),
-    account: z.strictObject({ id: Uuid, username: Username }),
-    actor: z.strictObject({ id: Uuid }),
-});
+import { ERROR_ALREADY_BOOTSTRAPPED } from '../http/error_schemas.js';
 /**
  * Check bootstrap availability at startup.
  *
@@ -73,22 +57,7 @@ export const create_bootstrap_route_specs = (deps, options) => {
     const { token_path } = bootstrap_status;
     return [
         {
-            method: 'POST',
-            path: '/bootstrap',
-            auth: { account: 'none', actor: 'none' },
-            description: 'Create initial keeper account (one-shot)',
-            transaction: false, // bootstrap_account manages its own transaction
-            input: BootstrapInput,
-            output: BootstrapOutput,
-            rate_limit: 'ip',
-            errors: {
-                400: z.looseObject({
-                    error: z.enum([ERROR_INVALID_JSON_BODY, ERROR_INVALID_REQUEST_BODY]),
-                }),
-                401: z.looseObject({ error: z.literal(ERROR_INVALID_TOKEN) }),
-                403: z.looseObject({ error: z.literal(ERROR_ALREADY_BOOTSTRAPPED) }),
-                404: z.looseObject({ error: z.literal(ERROR_TOKEN_FILE_MISSING) }),
-            },
+            ...bootstrap_route_shape,
             handler: async (c, route) => {
                 // Short-circuit if bootstrap already completed or surface-only mounted.
                 // In 'surface_only' mode `bootstrap_status.token_path === null` and

package/dist/auth/signup_route_schema.d.ts

@@ -0,0 +1,53 @@
+/**
+ * Hono-free wire schemas + route shape for `POST /signup`.
+ *
+ * Split from `signup_routes.ts` (whose handler pulls `hono/cookie` via
+ * `session_middleware` to set the new session cookie) so cross-process test
+ * suites can build the signup route shape — and assert on the response shape
+ * — without dragging the in-process Hono session handler, and its optional
+ * `hono` peer, onto a backend-spawning consumer. `signup_routes.ts` imports
+ * these back and attaches the live handler; single source of truth for the
+ * wire shape.
+ *
+ * @module
+ */
+import { z } from 'zod';
+import type { RouteSpec } from '../http/route_spec.js';
+/** Input for `POST /signup`. `email` is optional and must match any referenced invite. */
+export declare const SignupInput: z.ZodObject<{
+    username: z.ZodPipe<z.ZodString, z.ZodTransform<string, string>>;
+    password: z.ZodString;
+    email: z.ZodOptional<z.ZodEmail>;
+}, z.core.$strict>;
+export type SignupInput = z.infer<typeof SignupInput>;
+/**
+ * Output for `POST /signup`.
+ *
+ * Session cookie is the operative side effect. The returned `account` and
+ * `actor` mirror `BootstrapOutput` so cross-process per-test setup can read
+ * the per-test identity straight off the signup response.
+ */
+export declare const SignupOutput: z.ZodObject<{
+    ok: z.ZodLiteral<true>;
+    account: z.ZodObject<{
+        id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+        username: z.ZodPipe<z.ZodString, z.ZodTransform<string, string>>;
+    }, z.core.$strict>;
+    actor: z.ZodObject<{
+        id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+    }, z.core.$strict>;
+}, z.core.$strict>;
+export type SignupOutput = z.infer<typeof SignupOutput>;
+/** Option inputs that shape the signup route metadata (not its handler). */
+export interface SignupRouteShapeOptions {
+    /** Whether a per-account signup rate limiter is wired — toggles `rate_limit`. */
+    signup_account_rate_limited: boolean;
+}
+/**
+ * The `POST /signup` route shape minus its handler — pure hono-free data.
+ * `create_signup_route_specs` spreads this and attaches the live handler;
+ * cross-process surface builders spread it with a stub handler. Single source
+ * of truth — the shape can't drift between the live route and the surface.
+ */
+export declare const create_signup_route_shape: (options: SignupRouteShapeOptions) => Omit<RouteSpec, "handler">;
+//# sourceMappingURL=signup_route_schema.d.ts.map

package/dist/auth/signup_route_schema.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"signup_route_schema.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/signup_route_schema.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAKtB,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAQrD,0FAA0F;AAC1F,eAAO,MAAM,WAAW;;;;kBAItB,CAAC;AACH,MAAM,MAAM,WAAW,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,WAAW,CAAC,CAAC;AAEtD;;;;;;GAMG;AACH,eAAO,MAAM,YAAY;;;;;;;;;kBAIvB,CAAC;AACH,MAAM,MAAM,YAAY,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,YAAY,CAAC,CAAC;AAExD,4EAA4E;AAC5E,MAAM,WAAW,uBAAuB;IACvC,iFAAiF;IACjF,2BAA2B,EAAE,OAAO,CAAC;CACrC;AAED;;;;;GAKG;AACH,eAAO,MAAM,yBAAyB,GACrC,SAAS,uBAAuB,KAC9B,IAAI,CAAC,SAAS,EAAE,SAAS,CAgB1B,CAAC"}