npm - @syncular/server-hono - Versions diffs - 0.0.6-126 → 0.0.6-135 - Mend

@syncular/server-hono 0.0.6-126 → 0.0.6-135

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (27) hide show

package/dist/console/gateway.d.ts.map +1 -1
package/dist/console/gateway.js +799 -1200
package/dist/console/gateway.js.map +1 -1
package/dist/console/live-auth.d.ts +7 -0
package/dist/console/live-auth.d.ts.map +1 -0
package/dist/console/live-auth.js +35 -0
package/dist/console/live-auth.js.map +1 -0
package/dist/console/routes.d.ts +5 -1
package/dist/console/routes.d.ts.map +1 -1
package/dist/console/routes.js +39 -191
package/dist/console/routes.js.map +1 -1
package/dist/routes.d.ts +1 -1
package/dist/routes.d.ts.map +1 -1
package/dist/routes.js +86 -4
package/dist/routes.js.map +1 -1
package/dist/ws.d.ts +5 -12
package/dist/ws.d.ts.map +1 -1
package/dist/ws.js +30 -202
package/dist/ws.js.map +1 -1
package/package.json +6 -6
package/src/__tests__/create-server.test.ts +26 -0
package/src/__tests__/sync-maintenance.test.ts +257 -0
package/src/console/gateway.ts +985 -1591
package/src/console/live-auth.ts +39 -0
package/src/console/routes.ts +59 -211
package/src/routes.ts +102 -4
package/src/ws.ts +44 -213

package/dist/console/gateway.js CHANGED Viewed

@@ -2,6 +2,7 @@ import { Hono } from 'hono';
 import { cors } from 'hono/cors';
 import { describeRoute, resolver, validator as zValidator } from 'hono-openapi';
 import { z } from 'zod';
+import { closeUnauthenticatedSocket, parseBearerToken, parseWebSocketAuthToken, } from './live-auth.js';
 import { ApiKeyTypeSchema, ConsoleApiKeyBulkRevokeRequestSchema, ConsoleApiKeyBulkRevokeResponseSchema, ConsoleApiKeyCreateRequestSchema, ConsoleApiKeyCreateResponseSchema, ConsoleApiKeyRevokeResponseSchema, ConsoleApiKeySchema, ConsoleClearEventsResultSchema, ConsoleClientSchema, ConsoleCommitDetailSchema, ConsoleCommitListItemSchema, ConsoleCompactResultSchema, ConsoleEvictResultSchema, ConsoleHandlerSchema, ConsoleOperationEventSchema, ConsoleOperationsQuerySchema, ConsolePaginatedResponseSchema, ConsolePaginationQuerySchema, ConsolePartitionedPaginationQuerySchema, ConsolePartitionQuerySchema, ConsolePruneEventsResultSchema, ConsolePrunePreviewSchema, ConsolePruneResultSchema, ConsoleRequestEventSchema, ConsoleRequestPayloadSchema, ConsoleTimelineItemSchema, ConsoleTimelineQuerySchema, LatencyQuerySchema, LatencyStatsResponseSchema, SyncStatsSchema, TimeseriesQuerySchema, TimeseriesStatsResponseSchema, } from './schemas.js';
 const GatewayFailureSchema = z.object({
     instanceId: z.string(),
@@ -230,65 +231,35 @@ function parseLocalNumericId(value) {
         return null;
     return parsed;
 }
-function resolveEventTarget(args) {
-    const federated = parseFederatedNumericId(args.id);
-    if (federated) {
-        const instance = findInstanceById({
-            instances: args.instances,
-            instanceId: federated.instanceId,
-        });
-        if (!instance) {
-            return {
-                ok: false,
-                status: 404,
-                error: 'NOT_FOUND',
-                message: 'Instance not found',
-            };
-        }
-        return { ok: true, instance, localEventId: federated.localId };
-    }
-    const localEventId = parseLocalNumericId(args.id);
-    if (localEventId === null) {
-        return {
-            ok: false,
-            status: 400,
-            error: 'INVALID_FEDERATED_ID',
-            message: 'Expected either "<instanceId>:<eventId>" or "<eventId>" with an explicit instance filter.',
-        };
-    }
-    const selectedInstances = selectInstances({
-        instances: args.instances,
-        query: args.query,
-    });
+function noInstancesSelectedResponse() {
+    return {
+        ok: false,
+        status: 400,
+        error: 'NO_INSTANCES_SELECTED',
+        message: 'No enabled instances matched the provided instance filter.',
+    };
+}
+function resolveSingleSelectedInstance(args) {
+    const selectedInstances = selectInstances(args);
     if (selectedInstances.length === 0) {
-        return {
-            ok: false,
-            status: 400,
-            error: 'NO_INSTANCES_SELECTED',
-            message: 'No enabled instances matched the provided instance filter.',
-        };
+        return noInstancesSelectedResponse();
     }
     if (selectedInstances.length > 1) {
         return {
             ok: false,
             status: 400,
-            error: 'AMBIGUOUS_EVENT_ID',
-            message: 'Local event IDs are ambiguous across multiple instances. Use "<instanceId>:<eventId>" or select one instance.',
+            error: args.onMultiple.error,
+            message: args.onMultiple.message,
         };
     }
     const instance = selectedInstances[0];
     if (!instance) {
-        return {
-            ok: false,
-            status: 400,
-            error: 'NO_INSTANCES_SELECTED',
-            message: 'No enabled instances matched the provided instance filter.',
-        };
+        return noInstancesSelectedResponse();
     }
-    return { ok: true, instance, localEventId };
+    return { ok: true, instance };
 }
-function resolveCommitTarget(args) {
-    const federated = parseFederatedNumericId(args.seq);
+function resolveFederatedOrLocalNumericTarget(args) {
+    const federated = parseFederatedNumericId(args.id);
     if (federated) {
         const instance = findInstanceById({
             instances: args.instances,
@@ -302,76 +273,71 @@ function resolveCommitTarget(args) {
                 message: 'Instance not found',
             };
         }
-        return { ok: true, instance, localCommitSeq: federated.localId };
+        return { ok: true, instance, localId: federated.localId };
     }
-    const localCommitSeq = parseLocalNumericId(args.seq);
-    if (localCommitSeq === null) {
+    const localId = parseLocalNumericId(args.id);
+    if (localId === null) {
         return {
             ok: false,
             status: 400,
             error: 'INVALID_FEDERATED_ID',
-            message: 'Expected either "<instanceId>:<commitSeq>" or "<commitSeq>" with an explicit instance filter.',
+            message: args.invalidMessage,
         };
     }
-    const selectedInstances = selectInstances({
+    const selection = resolveSingleSelectedInstance({
         instances: args.instances,
         query: args.query,
+        onMultiple: {
+            error: args.ambiguousError,
+            message: args.ambiguousMessage,
+        },
     });
-    if (selectedInstances.length === 0) {
-        return {
-            ok: false,
-            status: 400,
-            error: 'NO_INSTANCES_SELECTED',
-            message: 'No enabled instances matched the provided instance filter.',
-        };
-    }
-    if (selectedInstances.length > 1) {
-        return {
-            ok: false,
-            status: 400,
-            error: 'AMBIGUOUS_COMMIT_ID',
-            message: 'Local commit IDs are ambiguous across multiple instances. Use "<instanceId>:<commitSeq>" or select one instance.',
-        };
-    }
-    const instance = selectedInstances[0];
-    if (!instance) {
-        return {
-            ok: false,
-            status: 400,
-            error: 'NO_INSTANCES_SELECTED',
-            message: 'No enabled instances matched the provided instance filter.',
-        };
-    }
-    return { ok: true, instance, localCommitSeq };
+    if (!selection.ok)
+        return selection;
+    return { ok: true, instance: selection.instance, localId };
+}
+function resolveEventTarget(args) {
+    const resolved = resolveFederatedOrLocalNumericTarget({
+        id: args.id,
+        instances: args.instances,
+        query: args.query,
+        invalidMessage: 'Expected either "<instanceId>:<eventId>" or "<eventId>" with an explicit instance filter.',
+        ambiguousError: 'AMBIGUOUS_EVENT_ID',
+        ambiguousMessage: 'Local event IDs are ambiguous across multiple instances. Use "<instanceId>:<eventId>" or select one instance.',
+    });
+    if (!resolved.ok)
+        return resolved;
+    return {
+        ok: true,
+        instance: resolved.instance,
+        localEventId: resolved.localId,
+    };
+}
+function resolveCommitTarget(args) {
+    const resolved = resolveFederatedOrLocalNumericTarget({
+        id: args.seq,
+        instances: args.instances,
+        query: args.query,
+        invalidMessage: 'Expected either "<instanceId>:<commitSeq>" or "<commitSeq>" with an explicit instance filter.',
+        ambiguousError: 'AMBIGUOUS_COMMIT_ID',
+        ambiguousMessage: 'Local commit IDs are ambiguous across multiple instances. Use "<instanceId>:<commitSeq>" or select one instance.',
+    });
+    if (!resolved.ok)
+        return resolved;
+    return {
+        ok: true,
+        instance: resolved.instance,
+        localCommitSeq: resolved.localId,
+    };
 }
 function resolveSingleInstanceTarget(args) {
-    const selectedInstances = selectInstances(args);
-    if (selectedInstances.length === 0) {
-        return {
-            ok: false,
-            status: 400,
-            error: 'NO_INSTANCES_SELECTED',
-            message: 'No enabled instances matched the provided instance filter.',
-        };
-    }
-    if (selectedInstances.length > 1) {
-        return {
-            ok: false,
-            status: 400,
+    return resolveSingleSelectedInstance({
+        ...args,
+        onMultiple: {
             error: 'INSTANCE_REQUIRED',
             message: 'This endpoint requires exactly one target instance. Provide `instanceId` or a single-value `instanceIds` filter.',
-        };
-    }
-    const instance = selectedInstances[0];
-    if (!instance) {
-        return {
-            ok: false,
-            status: 400,
-            error: 'NO_INSTANCES_SELECTED',
-            message: 'No enabled instances matched the provided instance filter.',
-        };
-    }
-    return { ok: true, instance };
+        },
+    });
 }
 function minNullable(values) {
     const filtered = values.filter((value) => value !== null);
@@ -473,14 +439,6 @@ function resolveForwardAuthorization(args) {
     }
     return null;
 }
-function parseBearerToken(authHeader) {
-    const value = authHeader?.trim();
-    if (!value?.startsWith('Bearer ')) {
-        return null;
-    }
-    const token = value.slice(7).trim();
-    return token.length > 0 ? token : null;
-}
 async function fetchDownstreamJson(args) {
     const url = buildConsoleEndpointUrl({
         instance: args.instance,
@@ -741,6 +699,124 @@ export function createConsoleGatewayRoutes(options) {
         ],
         credentials: true,
     }));
+    const withGatewayAuth = async (c, callback) => {
+        const auth = await options.authenticate(c);
+        if (!auth) {
+            return unauthorizedResponse(c);
+        }
+        return callback();
+    };
+    const proxySingleInstanceJsonRequest = async (args) => {
+        const target = resolveSingleInstanceTarget({
+            instances,
+            query: args.query,
+        });
+        if (!target.ok) {
+            return args.c.json({
+                error: target.error,
+                message: target.message,
+            }, target.status);
+        }
+        const forwardQuery = sanitizeForwardQueryParams(new URL(args.c.req.url).searchParams);
+        const result = await forwardDownstreamJsonRequest({
+            c: args.c,
+            instance: target.instance,
+            method: args.method,
+            path: args.path,
+            query: forwardQuery,
+            ...(args.body === undefined ? {} : { body: args.body }),
+            responseSchema: args.responseSchema,
+            fetchImpl,
+        });
+        if (!result.ok) {
+            return jsonResponse(result.body, result.status);
+        }
+        return jsonResponse(result.data, result.status);
+    };
+    const selectTargetInstances = (c, query) => {
+        const selectedInstances = selectInstances({ instances, query });
+        if (selectedInstances.length > 0) {
+            return { ok: true, selectedInstances };
+        }
+        const noInstanceError = noInstancesSelectedResponse();
+        return {
+            ok: false,
+            response: c.json({
+                error: noInstanceError.error,
+                message: noInstanceError.message,
+            }, noInstanceError.status),
+        };
+    };
+    const fetchFromSelectedInstances = async (args) => {
+        const results = await Promise.all(args.selectedInstances.map((instance) => fetchDownstreamJson({
+            c: args.c,
+            instance,
+            path: args.path,
+            query: args.query,
+            schema: args.schema,
+            fetchImpl,
+        })));
+        const failedInstances = results
+            .filter((result) => !result.ok)
+            .map((result) => result.failure);
+        const successfulResults = results
+            .map((result, index) => ({
+            result,
+            instance: args.selectedInstances[index],
+        }))
+            .filter((entry) => Boolean(entry.instance) && entry.result.ok)
+            .map((entry) => ({
+            instance: entry.instance,
+            data: entry.result.data,
+        }));
+        if (successfulResults.length === 0) {
+            return {
+                ok: false,
+                response: allInstancesFailedResponse(args.c, failedInstances),
+            };
+        }
+        return {
+            ok: true,
+            successfulResults,
+            failedInstances,
+        };
+    };
+    const fetchPagedFromSelectedInstances = async (args) => {
+        const results = await Promise.all(args.selectedInstances.map((instance) => fetchDownstreamPaged({
+            c: args.c,
+            instance,
+            path: args.path,
+            query: args.query,
+            targetCount: args.targetCount,
+            schema: args.schema,
+            fetchImpl,
+        })));
+        const failedInstances = results
+            .filter((result) => !result.ok)
+            .map((result) => result.failure);
+        const successfulResults = results
+            .map((result, index) => ({
+            result,
+            instance: args.selectedInstances[index],
+        }))
+            .filter((entry) => Boolean(entry.instance) && entry.result.ok)
+            .map((entry) => ({
+            instance: entry.instance,
+            items: entry.result.items,
+            total: entry.result.total,
+        }));
+        if (successfulResults.length === 0) {
+            return {
+                ok: false,
+                response: allInstancesFailedResponse(args.c, failedInstances),
+            };
+        }
+        return {
+            ok: true,
+            successfulResults,
+            failedInstances,
+        };
+    };
     routes.get('/instances', describeRoute({
         tags: ['console-gateway'],
         summary: 'List configured downstream console instances',
@@ -763,17 +839,15 @@ export function createConsoleGatewayRoutes(options) {
             },
         },
     }), async (c) => {
-        const auth = await options.authenticate(c);
-        if (!auth) {
-            return unauthorizedResponse(c);
-        }
-        return c.json({
-            items: instances.map((instance) => ({
-                instanceId: instance.instanceId,
-                label: instance.label ?? instance.instanceId,
-                baseUrl: instance.baseUrl,
-                enabled: instance.enabled ?? true,
-            })),
+        return withGatewayAuth(c, async () => {
+            return c.json({
+                items: instances.map((instance) => ({
+                    instanceId: instance.instanceId,
+                    label: instance.label ?? instance.instanceId,
+                    baseUrl: instance.baseUrl,
+                    enabled: instance.enabled ?? true,
+                })),
+            });
         });
     });
     routes.get('/instances/health', describeRoute({
@@ -798,34 +872,29 @@ export function createConsoleGatewayRoutes(options) {
             },
         },
     }), zValidator('query', GatewayInstanceFilterSchema), async (c) => {
-        const auth = await options.authenticate(c);
-        if (!auth) {
-            return unauthorizedResponse(c);
-        }
-        const query = c.req.valid('query');
-        const selectedInstances = selectInstances({ instances, query });
-        if (selectedInstances.length === 0) {
+        return withGatewayAuth(c, async () => {
+            const query = c.req.valid('query');
+            const selection = selectTargetInstances(c, query);
+            if (!selection.ok) {
+                return selection.response;
+            }
+            const items = await Promise.all(selection.selectedInstances.map((instance) => checkDownstreamInstanceHealth({
+                c,
+                instance,
+                fetchImpl,
+            })));
+            const failedInstances = items
+                .filter((item) => !item.healthy)
+                .map((item) => ({
+                instanceId: item.instanceId,
+                reason: item.reason ?? 'Health probe failed',
+                ...(item.status !== undefined ? { status: item.status } : {}),
+            }));
             return c.json({
-                error: 'NO_INSTANCES_SELECTED',
-                message: 'No enabled instances matched the provided instance filter.',
-            }, 400);
-        }
-        const items = await Promise.all(selectedInstances.map((instance) => checkDownstreamInstanceHealth({
-            c,
-            instance,
-            fetchImpl,
-        })));
-        const failedInstances = items
-            .filter((item) => !item.healthy)
-            .map((item) => ({
-            instanceId: item.instanceId,
-            reason: item.reason ?? 'Health probe failed',
-            ...(item.status !== undefined ? { status: item.status } : {}),
-        }));
-        return c.json({
-            items,
-            partial: failedInstances.length > 0,
-            failedInstances,
+                items,
+                partial: failedInstances.length > 0,
+                failedInstances,
+            });
         });
     });
     routes.get('/handlers', describeRoute({
@@ -842,32 +911,16 @@ export function createConsoleGatewayRoutes(options) {
             },
         },
     }), zValidator('query', GatewaySingleInstanceQuerySchema), async (c) => {
-        const auth = await options.authenticate(c);
-        if (!auth) {
-            return unauthorizedResponse(c);
-        }
-        const query = c.req.valid('query');
-        const target = resolveSingleInstanceTarget({ instances, query });
-        if (!target.ok) {
-            return c.json({
-                error: target.error,
-                message: target.message,
-            }, target.status);
-        }
-        const forwardQuery = sanitizeForwardQueryParams(new URL(c.req.url).searchParams);
-        const result = await forwardDownstreamJsonRequest({
-            c,
-            instance: target.instance,
-            method: 'GET',
-            path: '/handlers',
-            query: forwardQuery,
-            responseSchema: GatewayHandlersResponseSchema,
-            fetchImpl,
+        return withGatewayAuth(c, async () => {
+            const query = c.req.valid('query');
+            return proxySingleInstanceJsonRequest({
+                c,
+                query,
+                method: 'GET',
+                path: '/handlers',
+                responseSchema: GatewayHandlersResponseSchema,
+            });
         });
-        if (!result.ok) {
-            return jsonResponse(result.body, result.status);
-        }
-        return jsonResponse(result.data, result.status);
     });
     routes.post('/prune/preview', describeRoute({
         tags: ['console-gateway'],
@@ -883,32 +936,16 @@ export function createConsoleGatewayRoutes(options) {
             },
         },
     }), zValidator('query', GatewaySingleInstanceQuerySchema), async (c) => {
-        const auth = await options.authenticate(c);
-        if (!auth) {
-            return unauthorizedResponse(c);
-        }
-        const query = c.req.valid('query');
-        const target = resolveSingleInstanceTarget({ instances, query });
-        if (!target.ok) {
-            return c.json({
-                error: target.error,
-                message: target.message,
-            }, target.status);
-        }
-        const forwardQuery = sanitizeForwardQueryParams(new URL(c.req.url).searchParams);
-        const result = await forwardDownstreamJsonRequest({
-            c,
-            instance: target.instance,
-            method: 'POST',
-            path: '/prune/preview',
-            query: forwardQuery,
-            responseSchema: ConsolePrunePreviewSchema,
-            fetchImpl,
+        return withGatewayAuth(c, async () => {
+            const query = c.req.valid('query');
+            return proxySingleInstanceJsonRequest({
+                c,
+                query,
+                method: 'POST',
+                path: '/prune/preview',
+                responseSchema: ConsolePrunePreviewSchema,
+            });
         });
-        if (!result.ok) {
-            return jsonResponse(result.body, result.status);
-        }
-        return jsonResponse(result.data, result.status);
     });
     routes.post('/prune', describeRoute({
         tags: ['console-gateway'],
@@ -924,32 +961,16 @@ export function createConsoleGatewayRoutes(options) {
             },
         },
     }), zValidator('query', GatewaySingleInstanceQuerySchema), async (c) => {
-        const auth = await options.authenticate(c);
-        if (!auth) {
-            return unauthorizedResponse(c);
-        }
-        const query = c.req.valid('query');
-        const target = resolveSingleInstanceTarget({ instances, query });
-        if (!target.ok) {
-            return c.json({
-                error: target.error,
-                message: target.message,
-            }, target.status);
-        }
-        const forwardQuery = sanitizeForwardQueryParams(new URL(c.req.url).searchParams);
-        const result = await forwardDownstreamJsonRequest({
-            c,
-            instance: target.instance,
-            method: 'POST',
-            path: '/prune',
-            query: forwardQuery,
-            responseSchema: ConsolePruneResultSchema,
-            fetchImpl,
+        return withGatewayAuth(c, async () => {
+            const query = c.req.valid('query');
+            return proxySingleInstanceJsonRequest({
+                c,
+                query,
+                method: 'POST',
+                path: '/prune',
+                responseSchema: ConsolePruneResultSchema,
+            });
         });
-        if (!result.ok) {
-            return jsonResponse(result.body, result.status);
-        }
-        return jsonResponse(result.data, result.status);
     });
     routes.post('/compact', describeRoute({
         tags: ['console-gateway'],
@@ -965,32 +986,16 @@ export function createConsoleGatewayRoutes(options) {
             },
         },
     }), zValidator('query', GatewaySingleInstanceQuerySchema), async (c) => {
-        const auth = await options.authenticate(c);
-        if (!auth) {
-            return unauthorizedResponse(c);
-        }
-        const query = c.req.valid('query');
-        const target = resolveSingleInstanceTarget({ instances, query });
-        if (!target.ok) {
-            return c.json({
-                error: target.error,
-                message: target.message,
-            }, target.status);
-        }
-        const forwardQuery = sanitizeForwardQueryParams(new URL(c.req.url).searchParams);
-        const result = await forwardDownstreamJsonRequest({
-            c,
-            instance: target.instance,
-            method: 'POST',
-            path: '/compact',
-            query: forwardQuery,
-            responseSchema: ConsoleCompactResultSchema,
-            fetchImpl,
+        return withGatewayAuth(c, async () => {
+            const query = c.req.valid('query');
+            return proxySingleInstanceJsonRequest({
+                c,
+                query,
+                method: 'POST',
+                path: '/compact',
+                responseSchema: ConsoleCompactResultSchema,
+            });
         });
-        if (!result.ok) {
-            return jsonResponse(result.body, result.status);
-        }
-        return jsonResponse(result.data, result.status);
     });
     routes.post('/notify-data-change', describeRoute({
         tags: ['console-gateway'],
@@ -1006,34 +1011,18 @@ export function createConsoleGatewayRoutes(options) {
             },
         },
     }), zValidator('query', GatewaySingleInstanceQuerySchema), zValidator('json', GatewayNotifyDataChangeRequestSchema), async (c) => {
-        const auth = await options.authenticate(c);
-        if (!auth) {
-            return unauthorizedResponse(c);
-        }
-        const query = c.req.valid('query');
-        const body = c.req.valid('json');
-        const target = resolveSingleInstanceTarget({ instances, query });
-        if (!target.ok) {
-            return c.json({
-                error: target.error,
-                message: target.message,
-            }, target.status);
-        }
-        const forwardQuery = sanitizeForwardQueryParams(new URL(c.req.url).searchParams);
-        const result = await forwardDownstreamJsonRequest({
-            c,
-            instance: target.instance,
-            method: 'POST',
-            path: '/notify-data-change',
-            query: forwardQuery,
-            body,
-            responseSchema: GatewayNotifyDataChangeResponseSchema,
-            fetchImpl,
+        return withGatewayAuth(c, async () => {
+            const query = c.req.valid('query');
+            const body = c.req.valid('json');
+            return proxySingleInstanceJsonRequest({
+                c,
+                query,
+                method: 'POST',
+                path: '/notify-data-change',
+                body,
+                responseSchema: GatewayNotifyDataChangeResponseSchema,
+            });
         });
-        if (!result.ok) {
-            return jsonResponse(result.body, result.status);
-        }
-        return jsonResponse(result.data, result.status);
     });
     routes.delete('/clients/:id', describeRoute({
         tags: ['console-gateway'],
@@ -1049,33 +1038,17 @@ export function createConsoleGatewayRoutes(options) {
             },
         },
     }), zValidator('param', GatewayClientPathParamSchema), zValidator('query', GatewaySingleInstancePartitionQuerySchema), async (c) => {
-        const auth = await options.authenticate(c);
-        if (!auth) {
-            return unauthorizedResponse(c);
-        }
-        const { id } = c.req.valid('param');
-        const query = c.req.valid('query');
-        const target = resolveSingleInstanceTarget({ instances, query });
-        if (!target.ok) {
-            return c.json({
-                error: target.error,
-                message: target.message,
-            }, target.status);
-        }
-        const forwardQuery = sanitizeForwardQueryParams(new URL(c.req.url).searchParams);
-        const result = await forwardDownstreamJsonRequest({
-            c,
-            instance: target.instance,
-            method: 'DELETE',
-            path: `/clients/${encodeURIComponent(id)}`,
-            query: forwardQuery,
-            responseSchema: ConsoleEvictResultSchema,
-            fetchImpl,
+        return withGatewayAuth(c, async () => {
+            const { id } = c.req.valid('param');
+            const query = c.req.valid('query');
+            return proxySingleInstanceJsonRequest({
+                c,
+                query,
+                method: 'DELETE',
+                path: `/clients/${encodeURIComponent(id)}`,
+                responseSchema: ConsoleEvictResultSchema,
+            });
         });
-        if (!result.ok) {
-            return jsonResponse(result.body, result.status);
-        }
-        return jsonResponse(result.data, result.status);
     });
     routes.delete('/events', describeRoute({
         tags: ['console-gateway'],
@@ -1091,32 +1064,16 @@ export function createConsoleGatewayRoutes(options) {
             },
         },
     }), zValidator('query', GatewaySingleInstanceQuerySchema), async (c) => {
-        const auth = await options.authenticate(c);
-        if (!auth) {
-            return unauthorizedResponse(c);
-        }
-        const query = c.req.valid('query');
-        const target = resolveSingleInstanceTarget({ instances, query });
-        if (!target.ok) {
-            return c.json({
-                error: target.error,
-                message: target.message,
-            }, target.status);
-        }
-        const forwardQuery = sanitizeForwardQueryParams(new URL(c.req.url).searchParams);
-        const result = await forwardDownstreamJsonRequest({
-            c,
-            instance: target.instance,
-            method: 'DELETE',
-            path: '/events',
-            query: forwardQuery,
-            responseSchema: ConsoleClearEventsResultSchema,
-            fetchImpl,
+        return withGatewayAuth(c, async () => {
+            const query = c.req.valid('query');
+            return proxySingleInstanceJsonRequest({
+                c,
+                query,
+                method: 'DELETE',
+                path: '/events',
+                responseSchema: ConsoleClearEventsResultSchema,
+            });
         });
-        if (!result.ok) {
-            return jsonResponse(result.body, result.status);
-        }
-        return jsonResponse(result.data, result.status);
     });
     routes.post('/events/prune', describeRoute({
         tags: ['console-gateway'],
@@ -1132,32 +1089,16 @@ export function createConsoleGatewayRoutes(options) {
             },
         },
     }), zValidator('query', GatewaySingleInstanceQuerySchema), async (c) => {
-        const auth = await options.authenticate(c);
-        if (!auth) {
-            return unauthorizedResponse(c);
-        }
-        const query = c.req.valid('query');
-        const target = resolveSingleInstanceTarget({ instances, query });
-        if (!target.ok) {
-            return c.json({
-                error: target.error,
-                message: target.message,
-            }, target.status);
-        }
-        const forwardQuery = sanitizeForwardQueryParams(new URL(c.req.url).searchParams);
-        const result = await forwardDownstreamJsonRequest({
-            c,
-            instance: target.instance,
-            method: 'POST',
-            path: '/events/prune',
-            query: forwardQuery,
-            responseSchema: ConsolePruneEventsResultSchema,
-            fetchImpl,
+        return withGatewayAuth(c, async () => {
+            const query = c.req.valid('query');
+            return proxySingleInstanceJsonRequest({
+                c,
+                query,
+                method: 'POST',
+                path: '/events/prune',
+                responseSchema: ConsolePruneEventsResultSchema,
+            });
         });
-        if (!result.ok) {
-            return jsonResponse(result.body, result.status);
-        }
-        return jsonResponse(result.data, result.status);
     });
     routes.get('/api-keys', describeRoute({
         tags: ['console-gateway'],
@@ -1173,32 +1114,16 @@ export function createConsoleGatewayRoutes(options) {
             },
         },
     }), zValidator('query', GatewayApiKeysQuerySchema), async (c) => {
-        const auth = await options.authenticate(c);
-        if (!auth) {
-            return unauthorizedResponse(c);
-        }
-        const query = c.req.valid('query');
-        const target = resolveSingleInstanceTarget({ instances, query });
-        if (!target.ok) {
-            return c.json({
-                error: target.error,
-                message: target.message,
-            }, target.status);
-        }
-        const forwardQuery = sanitizeForwardQueryParams(new URL(c.req.url).searchParams);
-        const result = await forwardDownstreamJsonRequest({
-            c,
-            instance: target.instance,
-            method: 'GET',
-            path: '/api-keys',
-            query: forwardQuery,
-            responseSchema: ConsolePaginatedResponseSchema(ConsoleApiKeySchema),
-            fetchImpl,
+        return withGatewayAuth(c, async () => {
+            const query = c.req.valid('query');
+            return proxySingleInstanceJsonRequest({
+                c,
+                query,
+                method: 'GET',
+                path: '/api-keys',
+                responseSchema: ConsolePaginatedResponseSchema(ConsoleApiKeySchema),
+            });
         });
-        if (!result.ok) {
-            return jsonResponse(result.body, result.status);
-        }
-        return jsonResponse(result.data, result.status);
     });
     routes.post('/api-keys', describeRoute({
         tags: ['console-gateway'],
@@ -1214,34 +1139,18 @@ export function createConsoleGatewayRoutes(options) {
             },
         },
     }), zValidator('query', GatewaySingleInstanceQuerySchema), zValidator('json', ConsoleApiKeyCreateRequestSchema), async (c) => {
-        const auth = await options.authenticate(c);
-        if (!auth) {
-            return unauthorizedResponse(c);
-        }
-        const query = c.req.valid('query');
-        const body = c.req.valid('json');
-        const target = resolveSingleInstanceTarget({ instances, query });
-        if (!target.ok) {
-            return c.json({
-                error: target.error,
-                message: target.message,
-            }, target.status);
-        }
-        const forwardQuery = sanitizeForwardQueryParams(new URL(c.req.url).searchParams);
-        const result = await forwardDownstreamJsonRequest({
-            c,
-            instance: target.instance,
-            method: 'POST',
-            path: '/api-keys',
-            query: forwardQuery,
-            body,
-            responseSchema: ConsoleApiKeyCreateResponseSchema,
-            fetchImpl,
+        return withGatewayAuth(c, async () => {
+            const query = c.req.valid('query');
+            const body = c.req.valid('json');
+            return proxySingleInstanceJsonRequest({
+                c,
+                query,
+                method: 'POST',
+                path: '/api-keys',
+                body,
+                responseSchema: ConsoleApiKeyCreateResponseSchema,
+            });
         });
-        if (!result.ok) {
-            return jsonResponse(result.body, result.status);
-        }
-        return jsonResponse(result.data, result.status);
     });
     routes.get('/api-keys/:id', describeRoute({
         tags: ['console-gateway'],
@@ -1257,33 +1166,17 @@ export function createConsoleGatewayRoutes(options) {
             },
         },
     }), zValidator('param', GatewayApiKeyPathParamSchema), zValidator('query', GatewaySingleInstanceQuerySchema), async (c) => {
-        const auth = await options.authenticate(c);
-        if (!auth) {
-            return unauthorizedResponse(c);
-        }
-        const { id } = c.req.valid('param');
-        const query = c.req.valid('query');
-        const target = resolveSingleInstanceTarget({ instances, query });
-        if (!target.ok) {
-            return c.json({
-                error: target.error,
-                message: target.message,
-            }, target.status);
-        }
-        const forwardQuery = sanitizeForwardQueryParams(new URL(c.req.url).searchParams);
-        const result = await forwardDownstreamJsonRequest({
-            c,
-            instance: target.instance,
-            method: 'GET',
-            path: `/api-keys/${encodeURIComponent(id)}`,
-            query: forwardQuery,
-            responseSchema: ConsoleApiKeySchema,
-            fetchImpl,
+        return withGatewayAuth(c, async () => {
+            const { id } = c.req.valid('param');
+            const query = c.req.valid('query');
+            return proxySingleInstanceJsonRequest({
+                c,
+                query,
+                method: 'GET',
+                path: `/api-keys/${encodeURIComponent(id)}`,
+                responseSchema: ConsoleApiKeySchema,
+            });
         });
-        if (!result.ok) {
-            return jsonResponse(result.body, result.status);
-        }
-        return jsonResponse(result.data, result.status);
     });
     routes.delete('/api-keys/:id', describeRoute({
         tags: ['console-gateway'],
@@ -1299,33 +1192,17 @@ export function createConsoleGatewayRoutes(options) {
             },
         },
     }), zValidator('param', GatewayApiKeyPathParamSchema), zValidator('query', GatewaySingleInstanceQuerySchema), async (c) => {
-        const auth = await options.authenticate(c);
-        if (!auth) {
-            return unauthorizedResponse(c);
-        }
-        const { id } = c.req.valid('param');
-        const query = c.req.valid('query');
-        const target = resolveSingleInstanceTarget({ instances, query });
-        if (!target.ok) {
-            return c.json({
-                error: target.error,
-                message: target.message,
-            }, target.status);
-        }
-        const forwardQuery = sanitizeForwardQueryParams(new URL(c.req.url).searchParams);
-        const result = await forwardDownstreamJsonRequest({
-            c,
-            instance: target.instance,
-            method: 'DELETE',
-            path: `/api-keys/${encodeURIComponent(id)}`,
-            query: forwardQuery,
-            responseSchema: ConsoleApiKeyRevokeResponseSchema,
-            fetchImpl,
+        return withGatewayAuth(c, async () => {
+            const { id } = c.req.valid('param');
+            const query = c.req.valid('query');
+            return proxySingleInstanceJsonRequest({
+                c,
+                query,
+                method: 'DELETE',
+                path: `/api-keys/${encodeURIComponent(id)}`,
+                responseSchema: ConsoleApiKeyRevokeResponseSchema,
+            });
         });
-        if (!result.ok) {
-            return jsonResponse(result.body, result.status);
-        }
-        return jsonResponse(result.data, result.status);
     });
     routes.post('/api-keys/bulk-revoke', describeRoute({
         tags: ['console-gateway'],
@@ -1341,34 +1218,18 @@ export function createConsoleGatewayRoutes(options) {
             },
         },
     }), zValidator('query', GatewaySingleInstanceQuerySchema), zValidator('json', ConsoleApiKeyBulkRevokeRequestSchema), async (c) => {
-        const auth = await options.authenticate(c);
-        if (!auth) {
-            return unauthorizedResponse(c);
-        }
-        const query = c.req.valid('query');
-        const body = c.req.valid('json');
-        const target = resolveSingleInstanceTarget({ instances, query });
-        if (!target.ok) {
-            return c.json({
-                error: target.error,
-                message: target.message,
-            }, target.status);
-        }
-        const forwardQuery = sanitizeForwardQueryParams(new URL(c.req.url).searchParams);
-        const result = await forwardDownstreamJsonRequest({
-            c,
-            instance: target.instance,
-            method: 'POST',
-            path: '/api-keys/bulk-revoke',
-            query: forwardQuery,
-            body,
-            responseSchema: ConsoleApiKeyBulkRevokeResponseSchema,
-            fetchImpl,
+        return withGatewayAuth(c, async () => {
+            const query = c.req.valid('query');
+            const body = c.req.valid('json');
+            return proxySingleInstanceJsonRequest({
+                c,
+                query,
+                method: 'POST',
+                path: '/api-keys/bulk-revoke',
+                body,
+                responseSchema: ConsoleApiKeyBulkRevokeResponseSchema,
+            });
         });
-        if (!result.ok) {
-            return jsonResponse(result.body, result.status);
-        }
-        return jsonResponse(result.data, result.status);
     });
     routes.post('/api-keys/:id/rotate/stage', describeRoute({
         tags: ['console-gateway'],
@@ -1384,33 +1245,17 @@ export function createConsoleGatewayRoutes(options) {
             },
         },
     }), zValidator('param', GatewayApiKeyPathParamSchema), zValidator('query', GatewaySingleInstanceQuerySchema), async (c) => {
-        const auth = await options.authenticate(c);
-        if (!auth) {
-            return unauthorizedResponse(c);
-        }
-        const { id } = c.req.valid('param');
-        const query = c.req.valid('query');
-        const target = resolveSingleInstanceTarget({ instances, query });
-        if (!target.ok) {
-            return c.json({
-                error: target.error,
-                message: target.message,
-            }, target.status);
-        }
-        const forwardQuery = sanitizeForwardQueryParams(new URL(c.req.url).searchParams);
-        const result = await forwardDownstreamJsonRequest({
-            c,
-            instance: target.instance,
-            method: 'POST',
-            path: `/api-keys/${encodeURIComponent(id)}/rotate/stage`,
-            query: forwardQuery,
-            responseSchema: ConsoleApiKeyCreateResponseSchema,
-            fetchImpl,
+        return withGatewayAuth(c, async () => {
+            const { id } = c.req.valid('param');
+            const query = c.req.valid('query');
+            return proxySingleInstanceJsonRequest({
+                c,
+                query,
+                method: 'POST',
+                path: `/api-keys/${encodeURIComponent(id)}/rotate/stage`,
+                responseSchema: ConsoleApiKeyCreateResponseSchema,
+            });
         });
-        if (!result.ok) {
-            return jsonResponse(result.body, result.status);
-        }
-        return jsonResponse(result.data, result.status);
     });
     routes.post('/api-keys/:id/rotate', describeRoute({
         tags: ['console-gateway'],
@@ -1426,33 +1271,17 @@ export function createConsoleGatewayRoutes(options) {
             },
         },
     }), zValidator('param', GatewayApiKeyPathParamSchema), zValidator('query', GatewaySingleInstanceQuerySchema), async (c) => {
-        const auth = await options.authenticate(c);
-        if (!auth) {
-            return unauthorizedResponse(c);
-        }
-        const { id } = c.req.valid('param');
-        const query = c.req.valid('query');
-        const target = resolveSingleInstanceTarget({ instances, query });
-        if (!target.ok) {
-            return c.json({
-                error: target.error,
-                message: target.message,
-            }, target.status);
-        }
-        const forwardQuery = sanitizeForwardQueryParams(new URL(c.req.url).searchParams);
-        const result = await forwardDownstreamJsonRequest({
-            c,
-            instance: target.instance,
-            method: 'POST',
-            path: `/api-keys/${encodeURIComponent(id)}/rotate`,
-            query: forwardQuery,
-            responseSchema: ConsoleApiKeyCreateResponseSchema,
-            fetchImpl,
+        return withGatewayAuth(c, async () => {
+            const { id } = c.req.valid('param');
+            const query = c.req.valid('query');
+            return proxySingleInstanceJsonRequest({
+                c,
+                query,
+                method: 'POST',
+                path: `/api-keys/${encodeURIComponent(id)}/rotate`,
+                responseSchema: ConsoleApiKeyCreateResponseSchema,
+            });
         });
-        if (!result.ok) {
-            return jsonResponse(result.body, result.status);
-        }
-        return jsonResponse(result.data, result.status);
     });
     routes.get('/stats', describeRoute({
         tags: ['console-gateway'],
@@ -1468,65 +1297,49 @@ export function createConsoleGatewayRoutes(options) {
             },
         },
     }), zValidator('query', GatewayStatsQuerySchema), async (c) => {
-        const auth = await options.authenticate(c);
-        if (!auth) {
-            return unauthorizedResponse(c);
-        }
-        const query = c.req.valid('query');
-        const selectedInstances = selectInstances({ instances, query });
-        if (selectedInstances.length === 0) {
+        return withGatewayAuth(c, async () => {
+            const query = c.req.valid('query');
+            const selection = selectTargetInstances(c, query);
+            if (!selection.ok) {
+                return selection.response;
+            }
+            const forwardQuery = sanitizeForwardQueryParams(new URL(c.req.url).searchParams);
+            const fetched = await fetchFromSelectedInstances({
+                c,
+                selectedInstances: selection.selectedInstances,
+                path: '/stats',
+                query: forwardQuery,
+                schema: SyncStatsSchema,
+            });
+            if (!fetched.ok) {
+                return fetched.response;
+            }
+            const statsByInstance = new Map();
+            for (const result of fetched.successfulResults) {
+                statsByInstance.set(result.instance.instanceId, result.data);
+            }
+            const statsValues = Array.from(statsByInstance.values());
+            const sum = (selector) => statsValues.reduce((acc, stats) => acc + selector(stats), 0);
+            const minCommitSeqByInstance = {};
+            const maxCommitSeqByInstance = {};
+            for (const [instanceId, stats] of statsByInstance.entries()) {
+                minCommitSeqByInstance[instanceId] = stats.minCommitSeq;
+                maxCommitSeqByInstance[instanceId] = stats.maxCommitSeq;
+            }
             return c.json({
-                error: 'NO_INSTANCES_SELECTED',
-                message: 'No enabled instances matched the provided instance filter.',
-            }, 400);
-        }
-        const forwardQuery = sanitizeForwardQueryParams(new URL(c.req.url).searchParams);
-        const results = await Promise.all(selectedInstances.map((instance) => fetchDownstreamJson({
-            c,
-            instance,
-            path: '/stats',
-            query: forwardQuery,
-            schema: SyncStatsSchema,
-            fetchImpl,
-        })));
-        const failedInstances = results
-            .filter((result) => !result.ok)
-            .map((result) => result.failure);
-        const successfulResults = results.filter((result) => result.ok);
-        if (successfulResults.length === 0) {
-            return allInstancesFailedResponse(c, failedInstances);
-        }
-        const statsByInstance = new Map();
-        for (let i = 0; i < selectedInstances.length; i++) {
-            const result = results[i];
-            if (!result || !result.ok)
-                continue;
-            const instance = selectedInstances[i];
-            if (!instance)
-                continue;
-            statsByInstance.set(instance.instanceId, result.data);
-        }
-        const statsValues = Array.from(statsByInstance.values());
-        const sum = (selector) => statsValues.reduce((acc, stats) => acc + selector(stats), 0);
-        const minCommitSeqByInstance = {};
-        const maxCommitSeqByInstance = {};
-        for (const [instanceId, stats] of statsByInstance.entries()) {
-            minCommitSeqByInstance[instanceId] = stats.minCommitSeq;
-            maxCommitSeqByInstance[instanceId] = stats.maxCommitSeq;
-        }
-        return c.json({
-            commitCount: sum((stats) => stats.commitCount),
-            changeCount: sum((stats) => stats.changeCount),
-            minCommitSeq: Math.min(...statsValues.map((stats) => stats.minCommitSeq)),
-            maxCommitSeq: Math.max(...statsValues.map((stats) => stats.maxCommitSeq)),
-            clientCount: sum((stats) => stats.clientCount),
-            activeClientCount: sum((stats) => stats.activeClientCount),
-            minActiveClientCursor: minNullable(statsValues.map((stats) => stats.minActiveClientCursor)),
-            maxActiveClientCursor: maxNullable(statsValues.map((stats) => stats.maxActiveClientCursor)),
-            minCommitSeqByInstance,
-            maxCommitSeqByInstance,
-            partial: failedInstances.length > 0,
-            failedInstances,
+                commitCount: sum((stats) => stats.commitCount),
+                changeCount: sum((stats) => stats.changeCount),
+                minCommitSeq: Math.min(...statsValues.map((stats) => stats.minCommitSeq)),
+                maxCommitSeq: Math.max(...statsValues.map((stats) => stats.maxCommitSeq)),
+                clientCount: sum((stats) => stats.clientCount),
+                activeClientCount: sum((stats) => stats.activeClientCount),
+                minActiveClientCursor: minNullable(statsValues.map((stats) => stats.minActiveClientCursor)),
+                maxActiveClientCursor: maxNullable(statsValues.map((stats) => stats.maxActiveClientCursor)),
+                minCommitSeqByInstance,
+                maxCommitSeqByInstance,
+                partial: fetched.failedInstances.length > 0,
+                failedInstances: fetched.failedInstances,
+            });
         });
     });
     routes.get('/stats/timeseries', describeRoute({
@@ -1543,40 +1356,30 @@ export function createConsoleGatewayRoutes(options) {
             },
         },
     }), zValidator('query', GatewayTimeseriesQuerySchema), async (c) => {
-        const auth = await options.authenticate(c);
-        if (!auth) {
-            return unauthorizedResponse(c);
-        }
-        const query = c.req.valid('query');
-        const selectedInstances = selectInstances({ instances, query });
-        if (selectedInstances.length === 0) {
+        return withGatewayAuth(c, async () => {
+            const query = c.req.valid('query');
+            const selection = selectTargetInstances(c, query);
+            if (!selection.ok) {
+                return selection.response;
+            }
+            const forwardQuery = sanitizeForwardQueryParams(new URL(c.req.url).searchParams);
+            const fetched = await fetchFromSelectedInstances({
+                c,
+                selectedInstances: selection.selectedInstances,
+                path: '/stats/timeseries',
+                query: forwardQuery,
+                schema: TimeseriesStatsResponseSchema,
+            });
+            if (!fetched.ok) {
+                return fetched.response;
+            }
             return c.json({
-                error: 'NO_INSTANCES_SELECTED',
-                message: 'No enabled instances matched the provided instance filter.',
-            }, 400);
-        }
-        const forwardQuery = sanitizeForwardQueryParams(new URL(c.req.url).searchParams);
-        const results = await Promise.all(selectedInstances.map((instance) => fetchDownstreamJson({
-            c,
-            instance,
-            path: '/stats/timeseries',
-            query: forwardQuery,
-            schema: TimeseriesStatsResponseSchema,
-            fetchImpl,
-        })));
-        const failedInstances = results
-            .filter((result) => !result.ok)
-            .map((result) => result.failure);
-        const successfulResults = results.filter((result) => result.ok);
-        if (successfulResults.length === 0) {
-            return allInstancesFailedResponse(c, failedInstances);
-        }
-        return c.json({
-            buckets: mergeTimeseriesBuckets(successfulResults.map((result) => result.data)),
-            interval: query.interval,
-            range: query.range,
-            partial: failedInstances.length > 0,
-            failedInstances,
+                buckets: mergeTimeseriesBuckets(fetched.successfulResults.map((result) => result.data)),
+                interval: query.interval,
+                range: query.range,
+                partial: fetched.failedInstances.length > 0,
+                failedInstances: fetched.failedInstances,
+            });
         });
     });
     routes.get('/stats/latency', describeRoute({
@@ -1593,40 +1396,30 @@ export function createConsoleGatewayRoutes(options) {
             },
         },
     }), zValidator('query', GatewayLatencyQuerySchema), async (c) => {
-        const auth = await options.authenticate(c);
-        if (!auth) {
-            return unauthorizedResponse(c);
-        }
-        const query = c.req.valid('query');
-        const selectedInstances = selectInstances({ instances, query });
-        if (selectedInstances.length === 0) {
+        return withGatewayAuth(c, async () => {
+            const query = c.req.valid('query');
+            const selection = selectTargetInstances(c, query);
+            if (!selection.ok) {
+                return selection.response;
+            }
+            const forwardQuery = sanitizeForwardQueryParams(new URL(c.req.url).searchParams);
+            const fetched = await fetchFromSelectedInstances({
+                c,
+                selectedInstances: selection.selectedInstances,
+                path: '/stats/latency',
+                query: forwardQuery,
+                schema: LatencyStatsResponseSchema,
+            });
+            if (!fetched.ok) {
+                return fetched.response;
+            }
             return c.json({
-                error: 'NO_INSTANCES_SELECTED',
-                message: 'No enabled instances matched the provided instance filter.',
-            }, 400);
-        }
-        const forwardQuery = sanitizeForwardQueryParams(new URL(c.req.url).searchParams);
-        const results = await Promise.all(selectedInstances.map((instance) => fetchDownstreamJson({
-            c,
-            instance,
-            path: '/stats/latency',
-            query: forwardQuery,
-            schema: LatencyStatsResponseSchema,
-            fetchImpl,
-        })));
-        const failedInstances = results
-            .filter((result) => !result.ok)
-            .map((result) => result.failure);
-        const successfulResults = results.filter((result) => result.ok);
-        if (successfulResults.length === 0) {
-            return allInstancesFailedResponse(c, failedInstances);
-        }
-        return c.json({
-            push: averagePercentiles(successfulResults.map((result) => result.data.push)),
-            pull: averagePercentiles(successfulResults.map((result) => result.data.pull)),
-            range: query.range,
-            partial: failedInstances.length > 0,
-            failedInstances,
+                push: averagePercentiles(fetched.successfulResults.map((result) => result.data.push)),
+                pull: averagePercentiles(fetched.successfulResults.map((result) => result.data.pull)),
+                range: query.range,
+                partial: fetched.failedInstances.length > 0,
+                failedInstances: fetched.failedInstances,
+            });
         });
     });
     routes.get('/commits', describeRoute({
@@ -1643,66 +1436,51 @@ export function createConsoleGatewayRoutes(options) {
             },
         },
     }), zValidator('query', GatewayPaginatedQuerySchema), async (c) => {
-        const auth = await options.authenticate(c);
-        if (!auth) {
-            return unauthorizedResponse(c);
-        }
-        const query = c.req.valid('query');
-        const selectedInstances = selectInstances({ instances, query });
-        if (selectedInstances.length === 0) {
+        return withGatewayAuth(c, async () => {
+            const query = c.req.valid('query');
+            const selection = selectTargetInstances(c, query);
+            if (!selection.ok) {
+                return selection.response;
+            }
+            const targetCount = query.offset + query.limit;
+            const forwardQuery = sanitizeForwardQueryParams(new URL(c.req.url).searchParams);
+            forwardQuery.delete('limit');
+            forwardQuery.delete('offset');
+            const pageSchema = ConsolePaginatedResponseSchema(ConsoleCommitListItemSchema);
+            const fetched = await fetchPagedFromSelectedInstances({
+                c,
+                selectedInstances: selection.selectedInstances,
+                path: '/commits',
+                query: forwardQuery,
+                targetCount,
+                schema: pageSchema,
+            });
+            if (!fetched.ok) {
+                return fetched.response;
+            }
+            const merged = fetched.successfulResults
+                .flatMap(({ items, instance }) => items.map((commit) => ({
+                ...commit,
+                instanceId: instance.instanceId,
+                federatedCommitId: `${instance.instanceId}:${commit.commitSeq}`,
+            })))
+                .sort((a, b) => {
+                const byTime = compareIsoDesc(a.createdAt, b.createdAt);
+                if (byTime !== 0)
+                    return byTime;
+                const byInstance = a.instanceId.localeCompare(b.instanceId);
+                if (byInstance !== 0)
+                    return byInstance;
+                return b.commitSeq - a.commitSeq;
+            });
             return c.json({
-                error: 'NO_INSTANCES_SELECTED',
-                message: 'No enabled instances matched the provided instance filter.',
-            }, 400);
-        }
-        const targetCount = query.offset + query.limit;
-        const forwardQuery = sanitizeForwardQueryParams(new URL(c.req.url).searchParams);
-        forwardQuery.delete('limit');
-        forwardQuery.delete('offset');
-        const pageSchema = ConsolePaginatedResponseSchema(ConsoleCommitListItemSchema);
-        const results = await Promise.all(selectedInstances.map((instance) => fetchDownstreamPaged({
-            c,
-            instance,
-            path: '/commits',
-            query: forwardQuery,
-            targetCount,
-            schema: pageSchema,
-            fetchImpl,
-        })));
-        const failedInstances = results
-            .filter((result) => !result.ok)
-            .map((result) => result.failure);
-        const successful = results
-            .map((result, index) => ({
-            result,
-            instance: selectedInstances[index],
-        }))
-            .filter((entry) => Boolean(entry.instance) && entry.result.ok);
-        if (successful.length === 0) {
-            return allInstancesFailedResponse(c, failedInstances);
-        }
-        const merged = successful
-            .flatMap(({ result, instance }) => result.items.map((commit) => ({
-            ...commit,
-            instanceId: instance.instanceId,
-            federatedCommitId: `${instance.instanceId}:${commit.commitSeq}`,
-        })))
-            .sort((a, b) => {
-            const byTime = compareIsoDesc(a.createdAt, b.createdAt);
-            if (byTime !== 0)
-                return byTime;
-            const byInstance = a.instanceId.localeCompare(b.instanceId);
-            if (byInstance !== 0)
-                return byInstance;
-            return b.commitSeq - a.commitSeq;
-        });
-        return c.json({
-            items: merged.slice(query.offset, query.offset + query.limit),
-            total: successful.reduce((acc, entry) => acc + entry.result.total, 0),
-            offset: query.offset,
-            limit: query.limit,
-            partial: failedInstances.length > 0,
-            failedInstances,
+                items: merged.slice(query.offset, query.offset + query.limit),
+                total: fetched.successfulResults.reduce((acc, entry) => acc + entry.total, 0),
+                offset: query.offset,
+                limit: query.limit,
+                partial: fetched.failedInstances.length > 0,
+                failedInstances: fetched.failedInstances,
+            });
         });
     });
     routes.get('/commits/:seq', describeRoute({
@@ -1719,42 +1497,40 @@ export function createConsoleGatewayRoutes(options) {
             },
         },
     }), zValidator('param', GatewayCommitPathParamSchema), zValidator('query', ConsolePartitionQuerySchema.extend(GatewayInstanceFilterSchema.shape)), async (c) => {
-        const auth = await options.authenticate(c);
-        if (!auth) {
-            return unauthorizedResponse(c);
-        }
-        const { seq } = c.req.valid('param');
-        const query = c.req.valid('query');
-        const target = resolveCommitTarget({ seq, instances, query });
-        if (!target.ok) {
-            return c.json({
-                error: target.error,
-                ...(target.message ? { message: target.message } : {}),
-            }, target.status);
-        }
-        const forwardQuery = sanitizeForwardQueryParams(new URL(c.req.url).searchParams);
-        const result = await fetchDownstreamJson({
-            c,
-            instance: target.instance,
-            path: `/commits/${target.localCommitSeq}`,
-            query: forwardQuery,
-            schema: ConsoleCommitDetailSchema,
-            fetchImpl,
-        });
-        if (!result.ok) {
-            if (result.failure.status === 404) {
-                return c.json({ error: 'NOT_FOUND' }, 404);
+        return withGatewayAuth(c, async () => {
+            const { seq } = c.req.valid('param');
+            const query = c.req.valid('query');
+            const target = resolveCommitTarget({ seq, instances, query });
+            if (!target.ok) {
+                return c.json({
+                    error: target.error,
+                    ...(target.message ? { message: target.message } : {}),
+                }, target.status);
+            }
+            const forwardQuery = sanitizeForwardQueryParams(new URL(c.req.url).searchParams);
+            const result = await fetchDownstreamJson({
+                c,
+                instance: target.instance,
+                path: `/commits/${target.localCommitSeq}`,
+                query: forwardQuery,
+                schema: ConsoleCommitDetailSchema,
+                fetchImpl,
+            });
+            if (!result.ok) {
+                if (result.failure.status === 404) {
+                    return c.json({ error: 'NOT_FOUND' }, 404);
+                }
+                return c.json({
+                    error: 'DOWNSTREAM_UNAVAILABLE',
+                    failedInstances: [result.failure],
+                }, 502);
             }
             return c.json({
-                error: 'DOWNSTREAM_UNAVAILABLE',
-                failedInstances: [result.failure],
-            }, 502);
-        }
-        return c.json({
-            ...result.data,
-            instanceId: target.instance.instanceId,
-            federatedCommitId: `${target.instance.instanceId}:${result.data.commitSeq}`,
-            localCommitSeq: result.data.commitSeq,
+                ...result.data,
+                instanceId: target.instance.instanceId,
+                federatedCommitId: `${target.instance.instanceId}:${result.data.commitSeq}`,
+                localCommitSeq: result.data.commitSeq,
+            });
         });
     });
     routes.get('/clients', describeRoute({
@@ -1771,66 +1547,51 @@ export function createConsoleGatewayRoutes(options) {
             },
         },
     }), zValidator('query', GatewayPaginatedQuerySchema), async (c) => {
-        const auth = await options.authenticate(c);
-        if (!auth) {
-            return unauthorizedResponse(c);
-        }
-        const query = c.req.valid('query');
-        const selectedInstances = selectInstances({ instances, query });
-        if (selectedInstances.length === 0) {
+        return withGatewayAuth(c, async () => {
+            const query = c.req.valid('query');
+            const selection = selectTargetInstances(c, query);
+            if (!selection.ok) {
+                return selection.response;
+            }
+            const targetCount = query.offset + query.limit;
+            const forwardQuery = sanitizeForwardQueryParams(new URL(c.req.url).searchParams);
+            forwardQuery.delete('limit');
+            forwardQuery.delete('offset');
+            const pageSchema = ConsolePaginatedResponseSchema(ConsoleClientSchema);
+            const fetched = await fetchPagedFromSelectedInstances({
+                c,
+                selectedInstances: selection.selectedInstances,
+                path: '/clients',
+                query: forwardQuery,
+                targetCount,
+                schema: pageSchema,
+            });
+            if (!fetched.ok) {
+                return fetched.response;
+            }
+            const merged = fetched.successfulResults
+                .flatMap(({ items, instance }) => items.map((client) => ({
+                ...client,
+                instanceId: instance.instanceId,
+                federatedClientId: `${instance.instanceId}:${client.clientId}`,
+            })))
+                .sort((a, b) => {
+                const byTime = compareIsoDesc(a.updatedAt, b.updatedAt);
+                if (byTime !== 0)
+                    return byTime;
+                const byInstance = a.instanceId.localeCompare(b.instanceId);
+                if (byInstance !== 0)
+                    return byInstance;
+                return a.clientId.localeCompare(b.clientId);
+            });
             return c.json({
-                error: 'NO_INSTANCES_SELECTED',
-                message: 'No enabled instances matched the provided instance filter.',
-            }, 400);
-        }
-        const targetCount = query.offset + query.limit;
-        const forwardQuery = sanitizeForwardQueryParams(new URL(c.req.url).searchParams);
-        forwardQuery.delete('limit');
-        forwardQuery.delete('offset');
-        const pageSchema = ConsolePaginatedResponseSchema(ConsoleClientSchema);
-        const results = await Promise.all(selectedInstances.map((instance) => fetchDownstreamPaged({
-            c,
-            instance,
-            path: '/clients',
-            query: forwardQuery,
-            targetCount,
-            schema: pageSchema,
-            fetchImpl,
-        })));
-        const failedInstances = results
-            .filter((result) => !result.ok)
-            .map((result) => result.failure);
-        const successful = results
-            .map((result, index) => ({
-            result,
-            instance: selectedInstances[index],
-        }))
-            .filter((entry) => Boolean(entry.instance) && entry.result.ok);
-        if (successful.length === 0) {
-            return allInstancesFailedResponse(c, failedInstances);
-        }
-        const merged = successful
-            .flatMap(({ result, instance }) => result.items.map((client) => ({
-            ...client,
-            instanceId: instance.instanceId,
-            federatedClientId: `${instance.instanceId}:${client.clientId}`,
-        })))
-            .sort((a, b) => {
-            const byTime = compareIsoDesc(a.updatedAt, b.updatedAt);
-            if (byTime !== 0)
-                return byTime;
-            const byInstance = a.instanceId.localeCompare(b.instanceId);
-            if (byInstance !== 0)
-                return byInstance;
-            return a.clientId.localeCompare(b.clientId);
-        });
-        return c.json({
-            items: merged.slice(query.offset, query.offset + query.limit),
-            total: successful.reduce((acc, entry) => acc + entry.result.total, 0),
-            offset: query.offset,
-            limit: query.limit,
-            partial: failedInstances.length > 0,
-            failedInstances,
+                items: merged.slice(query.offset, query.offset + query.limit),
+                total: fetched.successfulResults.reduce((acc, entry) => acc + entry.total, 0),
+                offset: query.offset,
+                limit: query.limit,
+                partial: fetched.failedInstances.length > 0,
+                failedInstances: fetched.failedInstances,
+            });
         });
     });
     routes.get('/timeline', describeRoute({
@@ -1847,77 +1608,64 @@ export function createConsoleGatewayRoutes(options) {
             },
         },
     }), zValidator('query', GatewayTimelineQuerySchema), async (c) => {
-        const auth = await options.authenticate(c);
-        if (!auth) {
-            return unauthorizedResponse(c);
-        }
-        const query = c.req.valid('query');
-        const selectedInstances = selectInstances({ instances, query });
-        if (selectedInstances.length === 0) {
+        return withGatewayAuth(c, async () => {
+            const query = c.req.valid('query');
+            const selection = selectTargetInstances(c, query);
+            if (!selection.ok) {
+                return selection.response;
+            }
+            const targetCount = query.offset + query.limit;
+            const forwardQuery = sanitizeForwardQueryParams(new URL(c.req.url).searchParams);
+            forwardQuery.delete('limit');
+            forwardQuery.delete('offset');
+            const pageSchema = ConsolePaginatedResponseSchema(ConsoleTimelineItemSchema);
+            const fetched = await fetchPagedFromSelectedInstances({
+                c,
+                selectedInstances: selection.selectedInstances,
+                path: '/timeline',
+                query: forwardQuery,
+                targetCount,
+                schema: pageSchema,
+            });
+            if (!fetched.ok) {
+                return fetched.response;
+            }
+            const merged = fetched.successfulResults
+                .flatMap(({ items, instance }) => items.map((item) => {
+                const localCommitSeq = item.type === 'commit'
+                    ? (item.commit?.commitSeq ?? null)
+                    : null;
+                const localEventId = item.type === 'event' ? (item.event?.eventId ?? null) : null;
+                const localIdSegment = item.type === 'commit'
+                    ? String(localCommitSeq ?? 'unknown')
+                    : String(localEventId ?? 'unknown');
+                return {
+                    ...item,
+                    instanceId: instance.instanceId,
+                    federatedTimelineId: `${instance.instanceId}:${item.type}:${localIdSegment}`,
+                    localCommitSeq,
+                    localEventId,
+                };
+            }))
+                .sort((a, b) => {
+                const byTime = compareIsoDesc(a.timestamp, b.timestamp);
+                if (byTime !== 0)
+                    return byTime;
+                const byInstance = a.instanceId.localeCompare(b.instanceId);
+                if (byInstance !== 0)
+                    return byInstance;
+                const aLocalId = a.localCommitSeq ?? a.localEventId ?? 0;
+                const bLocalId = b.localCommitSeq ?? b.localEventId ?? 0;
+                return bLocalId - aLocalId;
+            });
             return c.json({
-                error: 'NO_INSTANCES_SELECTED',
-                message: 'No enabled instances matched the provided instance filter.',
-            }, 400);
-        }
-        const targetCount = query.offset + query.limit;
-        const forwardQuery = sanitizeForwardQueryParams(new URL(c.req.url).searchParams);
-        forwardQuery.delete('limit');
-        forwardQuery.delete('offset');
-        const pageSchema = ConsolePaginatedResponseSchema(ConsoleTimelineItemSchema);
-        const results = await Promise.all(selectedInstances.map((instance) => fetchDownstreamPaged({
-            c,
-            instance,
-            path: '/timeline',
-            query: forwardQuery,
-            targetCount,
-            schema: pageSchema,
-            fetchImpl,
-        })));
-        const failedInstances = results
-            .filter((result) => !result.ok)
-            .map((result) => result.failure);
-        const successful = results
-            .map((result, index) => ({
-            result,
-            instance: selectedInstances[index],
-        }))
-            .filter((entry) => Boolean(entry.instance) && entry.result.ok);
-        if (successful.length === 0) {
-            return allInstancesFailedResponse(c, failedInstances);
-        }
-        const merged = successful
-            .flatMap(({ result, instance }) => result.items.map((item) => {
-            const localCommitSeq = item.type === 'commit' ? (item.commit?.commitSeq ?? null) : null;
-            const localEventId = item.type === 'event' ? (item.event?.eventId ?? null) : null;
-            const localIdSegment = item.type === 'commit'
-                ? String(localCommitSeq ?? 'unknown')
-                : String(localEventId ?? 'unknown');
-            return {
-                ...item,
-                instanceId: instance.instanceId,
-                federatedTimelineId: `${instance.instanceId}:${item.type}:${localIdSegment}`,
-                localCommitSeq,
-                localEventId,
-            };
-        }))
-            .sort((a, b) => {
-            const byTime = compareIsoDesc(a.timestamp, b.timestamp);
-            if (byTime !== 0)
-                return byTime;
-            const byInstance = a.instanceId.localeCompare(b.instanceId);
-            if (byInstance !== 0)
-                return byInstance;
-            const aLocalId = a.localCommitSeq ?? a.localEventId ?? 0;
-            const bLocalId = b.localCommitSeq ?? b.localEventId ?? 0;
-            return bLocalId - aLocalId;
-        });
-        return c.json({
-            items: merged.slice(query.offset, query.offset + query.limit),
-            total: successful.reduce((acc, entry) => acc + entry.result.total, 0),
-            offset: query.offset,
-            limit: query.limit,
-            partial: failedInstances.length > 0,
-            failedInstances,
+                items: merged.slice(query.offset, query.offset + query.limit),
+                total: fetched.successfulResults.reduce((acc, entry) => acc + entry.total, 0),
+                offset: query.offset,
+                limit: query.limit,
+                partial: fetched.failedInstances.length > 0,
+                failedInstances: fetched.failedInstances,
+            });
         });
     });
     routes.get('/operations', describeRoute({
@@ -1934,67 +1682,52 @@ export function createConsoleGatewayRoutes(options) {
             },
         },
     }), zValidator('query', GatewayOperationsQuerySchema), async (c) => {
-        const auth = await options.authenticate(c);
-        if (!auth) {
-            return unauthorizedResponse(c);
-        }
-        const query = c.req.valid('query');
-        const selectedInstances = selectInstances({ instances, query });
-        if (selectedInstances.length === 0) {
+        return withGatewayAuth(c, async () => {
+            const query = c.req.valid('query');
+            const selection = selectTargetInstances(c, query);
+            if (!selection.ok) {
+                return selection.response;
+            }
+            const targetCount = query.offset + query.limit;
+            const forwardQuery = sanitizeForwardQueryParams(new URL(c.req.url).searchParams);
+            forwardQuery.delete('limit');
+            forwardQuery.delete('offset');
+            const pageSchema = ConsolePaginatedResponseSchema(ConsoleOperationEventSchema);
+            const fetched = await fetchPagedFromSelectedInstances({
+                c,
+                selectedInstances: selection.selectedInstances,
+                path: '/operations',
+                query: forwardQuery,
+                targetCount,
+                schema: pageSchema,
+            });
+            if (!fetched.ok) {
+                return fetched.response;
+            }
+            const merged = fetched.successfulResults
+                .flatMap(({ items, instance }) => items.map((operation) => ({
+                ...operation,
+                instanceId: instance.instanceId,
+                federatedOperationId: `${instance.instanceId}:${operation.operationId}`,
+                localOperationId: operation.operationId,
+            })))
+                .sort((a, b) => {
+                const byTime = compareIsoDesc(a.createdAt, b.createdAt);
+                if (byTime !== 0)
+                    return byTime;
+                const byInstance = a.instanceId.localeCompare(b.instanceId);
+                if (byInstance !== 0)
+                    return byInstance;
+                return b.localOperationId - a.localOperationId;
+            });
             return c.json({
-                error: 'NO_INSTANCES_SELECTED',
-                message: 'No enabled instances matched the provided instance filter.',
-            }, 400);
-        }
-        const targetCount = query.offset + query.limit;
-        const forwardQuery = sanitizeForwardQueryParams(new URL(c.req.url).searchParams);
-        forwardQuery.delete('limit');
-        forwardQuery.delete('offset');
-        const pageSchema = ConsolePaginatedResponseSchema(ConsoleOperationEventSchema);
-        const results = await Promise.all(selectedInstances.map((instance) => fetchDownstreamPaged({
-            c,
-            instance,
-            path: '/operations',
-            query: forwardQuery,
-            targetCount,
-            schema: pageSchema,
-            fetchImpl,
-        })));
-        const failedInstances = results
-            .filter((result) => !result.ok)
-            .map((result) => result.failure);
-        const successful = results
-            .map((result, index) => ({
-            result,
-            instance: selectedInstances[index],
-        }))
-            .filter((entry) => Boolean(entry.instance) && entry.result.ok);
-        if (successful.length === 0) {
-            return allInstancesFailedResponse(c, failedInstances);
-        }
-        const merged = successful
-            .flatMap(({ result, instance }) => result.items.map((operation) => ({
-            ...operation,
-            instanceId: instance.instanceId,
-            federatedOperationId: `${instance.instanceId}:${operation.operationId}`,
-            localOperationId: operation.operationId,
-        })))
-            .sort((a, b) => {
-            const byTime = compareIsoDesc(a.createdAt, b.createdAt);
-            if (byTime !== 0)
-                return byTime;
-            const byInstance = a.instanceId.localeCompare(b.instanceId);
-            if (byInstance !== 0)
-                return byInstance;
-            return b.localOperationId - a.localOperationId;
-        });
-        return c.json({
-            items: merged.slice(query.offset, query.offset + query.limit),
-            total: successful.reduce((acc, entry) => acc + entry.result.total, 0),
-            offset: query.offset,
-            limit: query.limit,
-            partial: failedInstances.length > 0,
-            failedInstances,
+                items: merged.slice(query.offset, query.offset + query.limit),
+                total: fetched.successfulResults.reduce((acc, entry) => acc + entry.total, 0),
+                offset: query.offset,
+                limit: query.limit,
+                partial: fetched.failedInstances.length > 0,
+                failedInstances: fetched.failedInstances,
+            });
         });
     });
     routes.get('/events', describeRoute({
@@ -2011,67 +1744,52 @@ export function createConsoleGatewayRoutes(options) {
             },
         },
     }), zValidator('query', GatewayEventsQuerySchema), async (c) => {
-        const auth = await options.authenticate(c);
-        if (!auth) {
-            return unauthorizedResponse(c);
-        }
-        const query = c.req.valid('query');
-        const selectedInstances = selectInstances({ instances, query });
-        if (selectedInstances.length === 0) {
+        return withGatewayAuth(c, async () => {
+            const query = c.req.valid('query');
+            const selection = selectTargetInstances(c, query);
+            if (!selection.ok) {
+                return selection.response;
+            }
+            const targetCount = query.offset + query.limit;
+            const forwardQuery = sanitizeForwardQueryParams(new URL(c.req.url).searchParams);
+            forwardQuery.delete('limit');
+            forwardQuery.delete('offset');
+            const pageSchema = ConsolePaginatedResponseSchema(ConsoleRequestEventSchema);
+            const fetched = await fetchPagedFromSelectedInstances({
+                c,
+                selectedInstances: selection.selectedInstances,
+                path: '/events',
+                query: forwardQuery,
+                targetCount,
+                schema: pageSchema,
+            });
+            if (!fetched.ok) {
+                return fetched.response;
+            }
+            const merged = fetched.successfulResults
+                .flatMap(({ items, instance }) => items.map((event) => ({
+                ...event,
+                instanceId: instance.instanceId,
+                federatedEventId: `${instance.instanceId}:${event.eventId}`,
+                localEventId: event.eventId,
+            })))
+                .sort((a, b) => {
+                const byTime = compareIsoDesc(a.createdAt, b.createdAt);
+                if (byTime !== 0)
+                    return byTime;
+                const byInstance = a.instanceId.localeCompare(b.instanceId);
+                if (byInstance !== 0)
+                    return byInstance;
+                return b.localEventId - a.localEventId;
+            });
             return c.json({
-                error: 'NO_INSTANCES_SELECTED',
-                message: 'No enabled instances matched the provided instance filter.',
-            }, 400);
-        }
-        const targetCount = query.offset + query.limit;
-        const forwardQuery = sanitizeForwardQueryParams(new URL(c.req.url).searchParams);
-        forwardQuery.delete('limit');
-        forwardQuery.delete('offset');
-        const pageSchema = ConsolePaginatedResponseSchema(ConsoleRequestEventSchema);
-        const results = await Promise.all(selectedInstances.map((instance) => fetchDownstreamPaged({
-            c,
-            instance,
-            path: '/events',
-            query: forwardQuery,
-            targetCount,
-            schema: pageSchema,
-            fetchImpl,
-        })));
-        const failedInstances = results
-            .filter((result) => !result.ok)
-            .map((result) => result.failure);
-        const successful = results
-            .map((result, index) => ({
-            result,
-            instance: selectedInstances[index],
-        }))
-            .filter((entry) => Boolean(entry.instance) && entry.result.ok);
-        if (successful.length === 0) {
-            return allInstancesFailedResponse(c, failedInstances);
-        }
-        const merged = successful
-            .flatMap(({ result, instance }) => result.items.map((event) => ({
-            ...event,
-            instanceId: instance.instanceId,
-            federatedEventId: `${instance.instanceId}:${event.eventId}`,
-            localEventId: event.eventId,
-        })))
-            .sort((a, b) => {
-            const byTime = compareIsoDesc(a.createdAt, b.createdAt);
-            if (byTime !== 0)
-                return byTime;
-            const byInstance = a.instanceId.localeCompare(b.instanceId);
-            if (byInstance !== 0)
-                return byInstance;
-            return b.localEventId - a.localEventId;
-        });
-        return c.json({
-            items: merged.slice(query.offset, query.offset + query.limit),
-            total: successful.reduce((acc, entry) => acc + entry.result.total, 0),
-            offset: query.offset,
-            limit: query.limit,
-            partial: failedInstances.length > 0,
-            failedInstances,
+                items: merged.slice(query.offset, query.offset + query.limit),
+                total: fetched.successfulResults.reduce((acc, entry) => acc + entry.total, 0),
+                offset: query.offset,
+                limit: query.limit,
+                partial: fetched.failedInstances.length > 0,
+                failedInstances: fetched.failedInstances,
+            });
         });
     });
     if (options.websocket?.enabled &&
@@ -2112,15 +1830,6 @@ export function createConsoleGatewayRoutes(options) {
                 };
                 return options.authenticate(authContext);
             };
-            const closeUnauthenticated = (ws) => {
-                try {
-                    ws.send(JSON.stringify({ type: 'error', message: 'UNAUTHENTICATED' }));
-                }
-                catch {
-                    // no-op
-                }
-                ws.close(4001, 'Unauthenticated');
-            };
             const cleanup = (ws) => {
                 const state = liveState.get(ws);
                 if (!state)
@@ -2156,6 +1865,7 @@ export function createConsoleGatewayRoutes(options) {
                         heartbeatInterval: null,
                         authTimeout: null,
                         isAuthenticated: false,
+                        startAuthenticatedSession: null,
                     };
                     liveState.set(ws, state);
                     const startAuthenticatedSession = (upstreamBearerToken) => {
@@ -2259,6 +1969,7 @@ export function createConsoleGatewayRoutes(options) {
                         }, heartbeatIntervalMs);
                         state.heartbeatInterval = heartbeatInterval;
                     };
+                    state.startAuthenticatedSession = startAuthenticatedSession;
                     if (initialAuth) {
                         startAuthenticatedSession(parseBearerToken(c.req.header('Authorization')));
                         return;
@@ -2268,7 +1979,7 @@ export function createConsoleGatewayRoutes(options) {
                         if (!current || current.isAuthenticated) {
                             return;
                         }
-                        closeUnauthenticated(ws);
+                        closeUnauthenticatedSocket(ws);
                         cleanup(ws);
                     }, 5_000);
                 },
@@ -2278,24 +1989,13 @@ export function createConsoleGatewayRoutes(options) {
                         return;
                     }
                     if (typeof event.data !== 'string') {
-                        closeUnauthenticated(ws);
+                        closeUnauthenticatedSocket(ws);
                         cleanup(ws);
                         return;
                     }
-                    let token = '';
-                    try {
-                        const parsed = JSON.parse(event.data);
-                        if (parsed.type === 'auth' &&
-                            typeof parsed.token === 'string' &&
-                            parsed.token.trim().length > 0) {
-                            token = parsed.token;
-                        }
-                    }
-                    catch {
-                        // Invalid auth message will be handled below.
-                    }
+                    const token = parseWebSocketAuthToken(event.data);
                     if (!token) {
-                        closeUnauthenticated(ws);
+                        closeUnauthenticatedSocket(ws);
                         cleanup(ws);
                         return;
                     }
@@ -2305,108 +2005,11 @@ export function createConsoleGatewayRoutes(options) {
                         return;
                     }
                     if (!auth) {
-                        closeUnauthenticated(ws);
+                        closeUnauthenticatedSocket(ws);
                         cleanup(ws);
                         return;
                     }
-                    current.isAuthenticated = true;
-                    if (current.authTimeout) {
-                        clearTimeout(current.authTimeout);
-                        current.authTimeout = null;
-                    }
-                    for (const instance of selectedInstances) {
-                        const downstreamQuery = new URLSearchParams();
-                        if (partitionId) {
-                            downstreamQuery.set('partitionId', partitionId);
-                        }
-                        if (replaySince) {
-                            downstreamQuery.set('since', replaySince);
-                        }
-                        downstreamQuery.set('replayLimit', String(replayLimit));
-                        const downstreamUrl = buildConsoleEndpointUrl({
-                            instance,
-                            requestUrl: c.req.url,
-                            path: '/events/live',
-                            query: downstreamQuery,
-                        });
-                        const downstreamSocket = createDownstreamSocket(downstreamUrl);
-                        const upstreamToken = token.trim();
-                        const downstreamToken = instance.token?.trim() ||
-                            (upstreamToken.length > 0 ? upstreamToken : null);
-                        if (downstreamToken && downstreamSocket.send) {
-                            downstreamSocket.onopen = () => {
-                                try {
-                                    downstreamSocket.send?.(JSON.stringify({
-                                        type: 'auth',
-                                        token: downstreamToken,
-                                    }));
-                                }
-                                catch {
-                                    // no-op
-                                }
-                            };
-                        }
-                        downstreamSocket.onmessage = (message) => {
-                            if (typeof message.data !== 'string') {
-                                return;
-                            }
-                            try {
-                                const payload = JSON.parse(message.data);
-                                if (typeof payload.type === 'string' &&
-                                    (payload.type === 'connected' ||
-                                        payload.type === 'heartbeat')) {
-                                    return;
-                                }
-                                const payloadData = payload.data &&
-                                    typeof payload.data === 'object' &&
-                                    !Array.isArray(payload.data)
-                                    ? { ...payload.data, instanceId: instance.instanceId }
-                                    : { instanceId: instance.instanceId };
-                                const liveEvent = {
-                                    ...payload,
-                                    data: payloadData,
-                                    instanceId: instance.instanceId,
-                                    timestamp: typeof payload.timestamp === 'string'
-                                        ? payload.timestamp
-                                        : new Date().toISOString(),
-                                };
-                                ws.send(JSON.stringify(liveEvent));
-                            }
-                            catch {
-                                // Ignore malformed downstream events
-                            }
-                        };
-                        downstreamSocket.onerror = () => {
-                            try {
-                                ws.send(JSON.stringify({
-                                    type: 'instance_error',
-                                    instanceId: instance.instanceId,
-                                    timestamp: new Date().toISOString(),
-                                }));
-                            }
-                            catch {
-                                // ignore send errors
-                            }
-                        };
-                        current.downstreamSockets.push(downstreamSocket);
-                    }
-                    ws.send(JSON.stringify({
-                        type: 'connected',
-                        timestamp: new Date().toISOString(),
-                        instanceCount: selectedInstances.length,
-                    }));
-                    const heartbeatInterval = setInterval(() => {
-                        try {
-                            ws.send(JSON.stringify({
-                                type: 'heartbeat',
-                                timestamp: new Date().toISOString(),
-                            }));
-                        }
-                        catch {
-                            clearInterval(heartbeatInterval);
-                        }
-                    }, heartbeatIntervalMs);
-                    current.heartbeatInterval = heartbeatInterval;
+                    current.startAuthenticatedSession?.(token);
                 },
                 onClose(_event, ws) {
                     cleanup(ws);
@@ -2431,46 +2034,44 @@ export function createConsoleGatewayRoutes(options) {
             },
         },
     }), zValidator('param', GatewayEventPathParamSchema), zValidator('query', ConsolePartitionQuerySchema.extend(GatewayInstanceFilterSchema.shape)), async (c) => {
-        const auth = await options.authenticate(c);
-        if (!auth) {
-            return unauthorizedResponse(c);
-        }
-        const { id } = c.req.valid('param');
-        const query = c.req.valid('query');
-        const target = resolveEventTarget({
-            id,
-            instances,
-            query,
-        });
-        if (!target.ok) {
-            return c.json({
-                error: target.error,
-                ...(target.message ? { message: target.message } : {}),
-            }, target.status);
-        }
-        const forwardQuery = sanitizeForwardQueryParams(new URL(c.req.url).searchParams);
-        const result = await fetchDownstreamJson({
-            c,
-            instance: target.instance,
-            path: `/events/${target.localEventId}`,
-            query: forwardQuery,
-            schema: ConsoleRequestEventSchema,
-            fetchImpl,
-        });
-        if (!result.ok) {
-            if (result.failure.status === 404) {
-                return c.json({ error: 'NOT_FOUND' }, 404);
+        return withGatewayAuth(c, async () => {
+            const { id } = c.req.valid('param');
+            const query = c.req.valid('query');
+            const target = resolveEventTarget({
+                id,
+                instances,
+                query,
+            });
+            if (!target.ok) {
+                return c.json({
+                    error: target.error,
+                    ...(target.message ? { message: target.message } : {}),
+                }, target.status);
+            }
+            const forwardQuery = sanitizeForwardQueryParams(new URL(c.req.url).searchParams);
+            const result = await fetchDownstreamJson({
+                c,
+                instance: target.instance,
+                path: `/events/${target.localEventId}`,
+                query: forwardQuery,
+                schema: ConsoleRequestEventSchema,
+                fetchImpl,
+            });
+            if (!result.ok) {
+                if (result.failure.status === 404) {
+                    return c.json({ error: 'NOT_FOUND' }, 404);
+                }
+                return c.json({
+                    error: 'DOWNSTREAM_UNAVAILABLE',
+                    failedInstances: [result.failure],
+                }, 502);
             }
             return c.json({
-                error: 'DOWNSTREAM_UNAVAILABLE',
-                failedInstances: [result.failure],
-            }, 502);
-        }
-        return c.json({
-            ...result.data,
-            instanceId: target.instance.instanceId,
-            federatedEventId: `${target.instance.instanceId}:${result.data.eventId}`,
-            localEventId: result.data.eventId,
+                ...result.data,
+                instanceId: target.instance.instanceId,
+                federatedEventId: `${target.instance.instanceId}:${result.data.eventId}`,
+                localEventId: result.data.eventId,
+            });
         });
     });
     routes.get('/events/:id/payload', describeRoute({
@@ -2487,46 +2088,44 @@ export function createConsoleGatewayRoutes(options) {
             },
         },
     }), zValidator('param', GatewayEventPathParamSchema), zValidator('query', ConsolePartitionQuerySchema.extend(GatewayInstanceFilterSchema.shape)), async (c) => {
-        const auth = await options.authenticate(c);
-        if (!auth) {
-            return unauthorizedResponse(c);
-        }
-        const { id } = c.req.valid('param');
-        const query = c.req.valid('query');
-        const target = resolveEventTarget({
-            id,
-            instances,
-            query,
-        });
-        if (!target.ok) {
-            return c.json({
-                error: target.error,
-                ...(target.message ? { message: target.message } : {}),
-            }, target.status);
-        }
-        const forwardQuery = sanitizeForwardQueryParams(new URL(c.req.url).searchParams);
-        const result = await fetchDownstreamJson({
-            c,
-            instance: target.instance,
-            path: `/events/${target.localEventId}/payload`,
-            query: forwardQuery,
-            schema: ConsoleRequestPayloadSchema,
-            fetchImpl,
-        });
-        if (!result.ok) {
-            if (result.failure.status === 404) {
-                return c.json({ error: 'NOT_FOUND' }, 404);
+        return withGatewayAuth(c, async () => {
+            const { id } = c.req.valid('param');
+            const query = c.req.valid('query');
+            const target = resolveEventTarget({
+                id,
+                instances,
+                query,
+            });
+            if (!target.ok) {
+                return c.json({
+                    error: target.error,
+                    ...(target.message ? { message: target.message } : {}),
+                }, target.status);
+            }
+            const forwardQuery = sanitizeForwardQueryParams(new URL(c.req.url).searchParams);
+            const result = await fetchDownstreamJson({
+                c,
+                instance: target.instance,
+                path: `/events/${target.localEventId}/payload`,
+                query: forwardQuery,
+                schema: ConsoleRequestPayloadSchema,
+                fetchImpl,
+            });
+            if (!result.ok) {
+                if (result.failure.status === 404) {
+                    return c.json({ error: 'NOT_FOUND' }, 404);
+                }
+                return c.json({
+                    error: 'DOWNSTREAM_UNAVAILABLE',
+                    failedInstances: [result.failure],
+                }, 502);
             }
             return c.json({
-                error: 'DOWNSTREAM_UNAVAILABLE',
-                failedInstances: [result.failure],
-            }, 502);
-        }
-        return c.json({
-            ...result.data,
-            instanceId: target.instance.instanceId,
-            federatedEventId: `${target.instance.instanceId}:${target.localEventId}`,
-            localEventId: target.localEventId,
+                ...result.data,
+                instanceId: target.instance.instanceId,
+                federatedEventId: `${target.instance.instanceId}:${target.localEventId}`,
+                localEventId: target.localEventId,
+            });
         });
     });
     return routes;