fullstack app library
201 modules ยท 1225 declarations
auth/permit_offer_queries.ts view source
AcceptOfferInput Input for query_accept_offer.
offer_idUuidto_account_idAccount of the accepting recipient โ IDOR guard against another account accepting the offer.
UuidipOptional IP to stamp on the audit events.
string | nullauth/permit_offer_queries.ts view source
AcceptOfferResult Result of query_accept_offer โ the permit produced (new or pre-existing on race), plus the (now-accepted) offer.
permitoffercreatedtrue if this call is the one that accepted the offer (new permit inserted); false on a race returning the already-created permit.
booleansuperseded_offersSibling offers superseded by this accept โ empty on the race-loser path.
Each entry carries its grantor's from_account_id so the caller can
fan out permit_offer_supersede notifications without a second
round-trip.
Array<SupersededOffer>audit_eventsAudit events emitted in-transaction โ fed back through the normal on_audit_event broadcast chain by the caller. Includes one permit_offer_supersede per superseded sibling.
Array<AuditLogEvent>auth/account_schema.ts view source
Account Account โ authentication identity. You log in as an account.
idUuidusernameemailEmail | nullemail_verifiedbooleanpassword_hashstringcreated_atstringcreated_byUuid | nullupdated_atstringupdated_byUuid | null"\nCREATE UNIQUE INDEX IF NOT EXISTS idx_account_email ON account (LOWER(email)) WHERE email IS NOT NULL" "\nCREATE TABLE IF NOT EXISTS account (\n id UUID PRIMARY KEY DEFAULT gen_random_uuid(),\n username TEXT UNIQUE NOT NULL,\n email TEXT,\n email_verified BOOLEAN NOT NULL DEFAULT false,\n password_hash TEXT NOT NULL,\n created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),\n created_by UUID,\n updated_at TIMESTAMPTZ ... Auth table DDL โ CREATE TABLE, index, and seed statements.
Consumed by auth/migrations.ts. Separated from auth/account_schema.ts to isolate DDL concerns from runtime types.
auth/account_action_specs.ts view source
{ method: string; kind: "request_response"; initiator: "frontend"; auth: "authenticated"; side_effects: false; input: ZodVoid; output: ZodObject<{ sessions: ZodArray<ZodObject<{ id: ZodString; account_id: $ZodBranded<...>; created_at: ZodString; expires_at: ZodString; last_seen_at: ZodString; }, $strict>>; }, $stric... auth/account_action_specs.ts view source
{ method: string; kind: "request_response"; initiator: "frontend"; auth: "authenticated"; side_effects: true; input: ZodObject<{ session_id: ZodString; }, $strict>; output: ZodObject<...>; async: true; description: string; } auth/account_action_specs.ts view source
{ method: string; kind: "request_response"; initiator: "frontend"; auth: "authenticated"; side_effects: true; input: ZodVoid; output: ZodObject<{ ok: ZodLiteral<true>; count: ZodNumber; }, $strict>; async: true; description: string; } ui/account_sessions_state.svelte.ts view source
{ get: () => () => AccountSessionsRpc | null; set: (value?: (() => AccountSessionsRpc | null) | undefined) => () => AccountSessionsRpc | null; } Svelte context carrying the reactive AccountSessionsRpc accessor. Mirrors
the admin-side RPC contexts. Unset context falls back to () => null so
components render the usual "rpc adapter not wired" state.
auth/account_action_specs.ts view source
{ method: string; kind: "request_response"; initiator: "frontend"; auth: "authenticated"; side_effects: true; input: ZodObject<{ name: ZodDefault<ZodString>; }, $strict>; output: ZodObject<...>; async: true; description: string; } auth/account_action_specs.ts view source
{ method: string; kind: "request_response"; initiator: "frontend"; auth: "authenticated"; side_effects: false; input: ZodVoid; output: ZodObject<{ tokens: ZodArray<ZodObject<{ id: ZodString; account_id: $ZodBranded<...>; ... 4 more ...; created_at: ZodString; }, $strict>>; }, $strict>; async: true; description: stri... auth/account_action_specs.ts view source
{ method: string; kind: "request_response"; initiator: "frontend"; auth: "authenticated"; side_effects: true; input: ZodObject<{ token_id: ZodString; }, $strict>; output: ZodObject<...>; async: true; description: string; } "\nCREATE UNIQUE INDEX IF NOT EXISTS idx_account_username_ci ON account (LOWER(username))" auth/account_action_specs.ts view source
{ method: string; kind: "request_response"; initiator: "frontend"; auth: "authenticated"; side_effects: false; input: ZodVoid; output: ZodObject<{ id: $ZodBranded<ZodUUID, "Uuid", "out">; username: ZodString; email: ZodNullable<...>; email_verified: ZodBoolean; created_at: ZodString; }, $strict>; async: true; descri... auth/account_actions.ts view source
AccountActionDeps Dependencies for create_account_actions.
Shares shape with AdminActionDeps / PermitOfferActionDeps so consumers
can pass the same deps to every action factory. audit_log_config is
carried through AppDeps and consumed by audit_log_fire_and_forget;
absent โ defaults to BUILTIN_AUDIT_LOG_CONFIG.
auth/account_actions.ts view source
AccountActionOptions Options for create_account_actions.
max_tokensMax API tokens per account. When set, account_token_create enforces the
cap via query_api_token_enforce_limit inside the same transaction โ
oldest tokens are evicted once the cap is exceeded. Default
DEFAULT_MAX_TOKENS; pass null to disable the cap.
number | nullauth/account_routes.ts view source
AccountRouteOptions Per-factory configuration for account route specs.
login_account_rate_limiterRate limiter for login attempts, keyed by submitted username. Pass null to disable.
RateLimiter | nullmax_sessionsMax active sessions per account. Evicts oldest on login. Default 5, null disables.
number | nulllogin_fail_floor_msMinimum wall-clock time (ms) for login 401 responses. Set to 0 or a
negative number to disable (e.g., in tests). Default
DEFAULT_LOGIN_FAIL_FLOOR_MS.
numberlogin_fail_jitter_msUniform jitter window (ยฑms) layered on the floor. Set to 0 to disable
jitter while keeping the floor. Default DEFAULT_LOGIN_FAIL_JITTER_MS.
numberui/account_sessions_state.svelte.ts view source
AccountSessionsRpc Narrow RPC surface consumed by AccountSessionsState. Consumers adapt their
typed RPC client to this shape. Mirrors the other per-domain *Rpc
interfaces (AdminAccountsRpc, AuditLogRpc, AdminInvitesRpc).
The three methods wrap the corresponding action specs on auth/account_actions.ts:
- list โ account_session_list
- revoke โ account_session_revoke (IDOR-guarded by account_id server-side)
- revoke_all โ account_session_revoke_all
list() => Promise<{sessions: Array<AuthSessionJson>}>revoke(params: {session_id: string}) => Promise<{ok: true; revoked: boolean}>revoke_all() => Promise<{ok: true; count: number}>ui/account_sessions_state.svelte.ts view source
sessionstype Array<AuthSessionJson>
active_countconstructortype new (options?: AccountSessionsStateOptions | undefined): AccountSessionsState
options?AccountSessionsStateOptions | undefinedfetchtype (): Promise<void>
Promise<void>revoketype (id: string): Promise<void>
idstringPromise<void>revoke_alltype (): Promise<void>
Promise<void>ui/account_sessions_state.svelte.ts view source
AccountSessionsStateOptions get_rpcReactive accessor for the RPC adapter; returns null when unwired.
Matches the get_rpc pattern on the admin state classes.
() => AccountSessionsRpc | nullauth/account_routes.ts view source
ZodNull Input for GET /api/account/status. No parameters โ caller is the subject.
auth/account_routes.ts view source
AccountStatusOptions Options for the account status route spec.
pathOverride the default path (/api/account/status).
stringbootstrap_statusRuntime bootstrap status โ when available, 401 responses include bootstrap_available.
{available: boolean}auth/account_routes.ts view source
ZodObject<{ account: ZodObject<{ id: $ZodBranded<ZodUUID, "Uuid", "out">; username: ZodString; email: ZodNullable<ZodEmail>; email_verified: ZodBoolean; created_at: ZodString; }, $strict>; actor: ZodObject<...>; permits: ZodArray<...>; }, $strict> Output for GET /api/account/status on the authenticated path.
account and actor are the caller's own identity entities (v1 is 1:1
account/actor, but actor is first-class so consumers don't have to
derive actor_id from the permit list). Permits are already
active-filtered by build_request_context via
query_permit_find_active_for_actor โ revoked_at / revoked_by /
revoked_reason are never populated here, so PermitSummaryJson
carries the fields a client actually needs (including scope_id for
per-scope auth decisions).
auth/account_routes.ts view source
ZodObject<{ error: ZodLiteral<"authentication_required">; bootstrap_available: ZodOptional<ZodBoolean>; }, $loose> Error body for GET /api/account/status on the unauthenticated path.
actions/action_types.ts view source
Action<TCtx> A spec paired with its optional handler โ the composable unit passed to
register_action_ws and create_rpc_client. The server uses
both fields; the client reads only spec (the handler is
ignored, harmless). Shared fuz_app primitives (e.g. heartbeat_action)
export a complete tuple so consumers spread them into both sides'
actions array without inventing per-repo ping plumbing.
Left open for future fields (rate_limit, ACL, middleware hooks) so
additions attach to the action itself instead of scattering across
parallel arrays.
TCtxspechandlerServer-side handler. Ignored by the client. Omit for client-only specs.
WsActionHandler<TCtx>actions/action_event_types.ts view source
Record<"request_response" | "remote_notification" | "local_call", readonly ("send_request" | "receive_request" | "send_response" | "receive_response" | "send_error" | "receive_error" | "send" | "receive" | "execute")[]> actions/action_event_types.ts view source
Record<"send_request" | "receive_request" | "send_response" | "receive_response" | "send_error" | "receive_error" | "send" | "receive" | "execute", "send_request" | "receive_request" | ... 7 more ... | null> actions/action_event_types.ts view source
Record<"initial" | "parsed" | "handling" | "handled" | "failed", readonly ("initial" | "parsed" | "handling" | "handled" | "failed")[]> actions/action_codegen.ts view source
ReadonlySet<ActionMethodEnumKind> Default emit set โ every enum kind.
actions/action_spec.ts view source
ZodUnion<readonly [ZodLiteral<"public">, ZodLiteral<"authenticated">, ZodLiteral<"keeper">, ZodObject<{ role: ZodString; }, $strict>]> actions/action_rpc.ts view source
ActionContext Per-request context provided to RPC action handlers.
Extends RouteContext with auth identity and logger.
auth is RequestContext | null โ handlers for authenticated
actions can narrow via the auth middleware guarantee.
authThe authenticated identity, or null for public routes.
RequestContext | nullrequest_idThe JSON-RPC request ID from the envelope.
dbTransaction-scoped for mutations, pool-level for reads.
background_dbAlways pool-level โ for fire-and-forget effects that outlive the transaction.
pending_effectsFire-and-forget side effects โ push here for post-response flushing.
Array<Promise<void>>client_ipResolved client IP from the trusted-proxy middleware โ 'unknown' if the
middleware wasn't in the stack (e.g. WS dispatch) or couldn't resolve.
Thread into audit_log_fire_and_forget as ip: ctx.client_ip for every
user-initiated action so RPC audit rows match the REST convention. Pass
null only for rows written outside a request (e.g. the
permit_offer_expire cleanup sweep in auth/cleanup.ts).
stringlogLogger instance.
LoggernotifySend a request-scoped JSON-RPC notification to the originator.
On streaming transports (WebSocket) this routes to the originating
connection only. On the HTTP RPC transport this is a no-op with a
DEV-mode warn โ non-streaming transports have no channel for mid-
request notifications. The streams field on an ActionSpec names
the notification method this handler is expected to emit.
(method: string, params: unknown) => voidsignalAbortSignal that fires when the originating request is cancelled (client disconnect on HTTP, socket close on WebSocket). Streaming handlers should check this for early termination.
AbortSignalactions/action_event.ts view source
Action event that manages the lifecycle of an action through its state machine.
TMethodstringstringTPhaseTStepenvironmentspecmethod narrows to TMethod so consumers passing a typed TApi to
create_rpc_client get event.spec.method typed as the union of
their API's method names rather than plain string. The runtime
value comes from lookup_action_spec(method) keyed off the Proxy
get trap, so the narrowing matches the dispatched method.
type ActionSpecUnion & {method: TMethod}
constructortype new <TMethod extends string = string, TPhase extends ActionEventPhase = "send_request" | "receive_request" | "send_response" | "receive_response" | "send_error" | "receive_error" | "send" | "receive" | "execute", TStep extends ActionEventStep = "initial" | ... 3 more ... | "failed">(environment: ActionEventEnvironment, spec: { ...; } | ... 1 more ... | { ...; }, data: ActionEventDataUnion<...>): ActionEvent<...>
environmentspec{ method: string; initiator: "frontend" | "backend" | "both"; side_effects: boolean; input: ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>; output: ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>; ... 6 more ...; rate_limit?: "both" | ... 2 more ... | undefined; } | { ...; } | { ...; }dataActionEventDataUnion<TMethod>toJSONtype (): ActionEventDataUnion<TMethod>
ActionEventDataUnion<TMethod>observeSubscribe a listener fired on every data transition.
type (listener: ActionEventChangeObserver<TMethod>): () => void
listenercalled with (new_data, old_data, event) after each mutation
ActionEventChangeObserver<TMethod>() => voidunsubscribe function
set_dataReplace the event's data and notify observers.
type (new_data: ActionEventDataUnion<TMethod>): void
new_dataActionEventDataUnion<TMethod>voidparseParse input data according to the action's schema.
type (): this
thisthis for chaining with handle_async / handle_sync
Error - if called from a step other than `initial`handle_asyncExecute the handler for the current phase.
type (): Promise<void>
Promise<void>Error - if called from a step other than `parsed` (or `failed`,handle_syncExecute handler synchronously (only for sync local_call actions).
type (): void
voidError - if the spec is not a sync `local_call`, or if calledtransitionTransition to a new phase.
type (phase: "send_request" | "receive_request" | "send_response" | "receive_response" | "send_error" | "receive_error" | "send" | "receive" | "execute"): void
phasethe next phase to transition into
"send_request" | "receive_request" | "send_response" | "receive_response" | "send_error" | "receive_error" | "send" | "receive" | "execute"voidError - if called from a step other than `handled` (oris_completetype (): boolean
booleanupdate_progresstype (progress: unknown): void
progressunknownvoidset_requesttype (request: { [x: string]: unknown; jsonrpc: "2.0"; id: string | number; method: string; params?: { [x: string]: unknown; } | undefined; }): void
request{ [x: string]: unknown; jsonrpc: "2.0"; id: string | number; method: string; params?: { [x: string]: unknown; } | undefined; }voidset_responsetype (response: { [x: string]: unknown; jsonrpc: "2.0"; id: string | number; result: { [x: string]: unknown; }; } | { [x: string]: unknown; jsonrpc: "2.0"; id: string | number | null; error: { [x: string]: unknown; code: -32700 | -32600 | -32601 | -32602 | -32603 | (number & $brand<...>); message: string; data?: unknown; }; }): void
response{ [x: string]: unknown; jsonrpc: "2.0"; id: string | number; result: { [x: string]: unknown; }; } | { [x: string]: unknown; jsonrpc: "2.0"; id: string | number | null; error: { [x: string]: unknown; code: -32700 | -32600 | -32601 | -32602 | -32603 | (number & $brand<...>); message: string; data?: unknown; }; }voidset_notificationtype (notification: { [x: string]: unknown; jsonrpc: "2.0"; method: string; params?: { [x: string]: unknown; } | undefined; }): void
notification{ [x: string]: unknown; jsonrpc: "2.0"; method: string; params?: { [x: string]: unknown; } | undefined; }voidactions/action_event.ts view source
ActionEventChangeObserver<TMethod> TMethodstringstringactions/action_event_data.ts view source
ZodObject<{ kind: ZodEnum<{ request_response: "request_response"; remote_notification: "remote_notification"; local_call: "local_call"; }>; phase: ZodEnum<{ send_request: "send_request"; ... 7 more ...; execute: "execute"; }>; ... 9 more ...; notification: ZodNullable<...>; }, $strict> actions/action_event_data.ts view source
ActionEventDataUnion<TMethod, TInput, TOutput> TMethodstringstringTInputunknownTOutputunknownactions/action_event_types.ts view source
ActionEventEnvironment executorlookup_action_handler(
method: string,
phase: ActionEventPhase,
) => ((event: any) => any) | undefinedlookup_action_spec(method: string) => ActionSpecUnion | undefinedlogLogger | nullactions/action_event_data.ts view source
ActionEventLocalCallData<TMethod, TInput, TOutput> TMethodstringstringTInputunknownTOutputunknownactions/action_bridge.ts view source
ActionEventOptions Options for deriving an EventSpec from an ActionSpec.
channelstringactions/action_spec.ts view source
ZodEnum<{ send_request: "send_request"; receive_request: "receive_request"; send_response: "send_response"; receive_response: "receive_response"; send_error: "send_error"; receive_error: "receive_error"; send: "send"; receive: "receive"; execute: "execute"; }> actions/action_event_data.ts view source
ActionEventRemoteNotificationData<TMethod, TInput> TMethodstringstringTInputunknownactions/action_event_data.ts view source
ActionEventRequestResponseData<TMethod, TInput, TOutput> TMethodstringstringTInputunknownTOutputunknownactions/action_event_types.ts view source
ZodEnum<{ initial: "initial"; parsed: "parsed"; handling: "handling"; handled: "handled"; failed: "failed"; }> actions/action_event_types.ts view source
ZodEnum<{ frontend: "frontend"; backend: "backend"; }> actions/action_rpc.ts view source
ActionHandler<TInput, TOutput> Handler function for an RPC action.
Receives validated input and an ActionContext with per-request deps. Returns the output value (serialized to JSON by the wrapper).
TInputanyTOutputanyactions/action_spec.ts view source
ZodEnum<{ frontend: "frontend"; backend: "backend"; both: "both"; }> actions/action_spec.ts view source
ZodEnum<{ request_response: "request_response"; remote_notification: "remote_notification"; local_call: "local_call"; }> actions/action_codegen.ts view source
ActionMethodEnumKind Discriminator for generate_action_method_enums โ which method-set enums to emit.
actions/action_peer.ts view source
environmenttransportstype Transports
default_send_optionstype Omit<ActionPeerSendOptions, 'signal'>
constructortype new (options: ActionPeerOptions): ActionPeer
optionssendResolve a transport (per-call name โ default name โ registry default) and forward the message. Catches unexpected throws and converts them to JSON-RPC error responses โ this method never throws.
type (message: { [x: string]: unknown; jsonrpc: "2.0"; id: string | number; method: string; params?: { [x: string]: unknown; } | undefined; }, options?: ActionPeerSendOptions | undefined): Promise<...>
message{ [x: string]: unknown; jsonrpc: "2.0"; id: string | number; method: string; params?: { [x: string]: unknown; } | undefined; }options?ActionPeerSendOptions | undefinedPromise<{ [x: string]: unknown; jsonrpc: "2.0"; id: string | number; result: { [x: string]: unknown; }; } | { [x: string]: unknown; jsonrpc: "2.0"; id: string | number | null; error: { [x: string]: unknown; code: -32700 | -32600 | -32601 | -32602 | -32603 | (number & $brand<...>); message: string; data?: unknown; };...the response envelope for requests, or null for successful
notifications (JsonrpcErrorResponse if the notification's transport
send failed)
sendtype (message: { [x: string]: unknown; jsonrpc: "2.0"; id: string | number; method: string; params?: { [x: string]: unknown; } | undefined; }, options?: ActionPeerSendOptions | undefined): Promise<...>
message{ [x: string]: unknown; jsonrpc: "2.0"; id: string | number; method: string; params?: { [x: string]: unknown; } | undefined; }options?ActionPeerSendOptions | undefinedPromise<{ [x: string]: unknown; jsonrpc: "2.0"; id: string | number; result: { [x: string]: unknown; }; } | { [x: string]: unknown; jsonrpc: "2.0"; id: string | number | null; error: { [x: string]: unknown; code: -32700 | -32600 | -32601 | -32602 | -32603 | (number & $brand<...>); message: string; data?: unknown; };...sendtype (message: { [x: string]: unknown; jsonrpc: "2.0"; id: string | number; method: string; params?: { [x: string]: unknown; } | undefined; }, options?: ActionPeerSendOptions | undefined): Promise<...>
message{ [x: string]: unknown; jsonrpc: "2.0"; id: string | number; method: string; params?: { [x: string]: unknown; } | undefined; }options?ActionPeerSendOptions | undefinedPromise<{ [x: string]: unknown; jsonrpc: "2.0"; id: string | number; result: { [x: string]: unknown; }; } | { [x: string]: unknown; jsonrpc: "2.0"; id: string | number | null; error: { [x: string]: unknown; code: -32700 | -32600 | -32601 | -32602 | -32603 | (number & $brand<...>); message: string; data?: unknown; };...receiveDispatch an inbound JSON-RPC message โ request, notification, or malformed envelope. Never throws; unexpected failures become JSON-RPC error responses.
type (message: unknown): Promise<{ [x: string]: unknown; jsonrpc: "2.0"; id: string | number; result: { [x: string]: unknown; }; } | { [x: string]: unknown; jsonrpc: "2.0"; id: string | number | null; error: { [x: string]: unknown; code: -32700 | ... 4 more ... | (number & $brand<...>); message: string; data?: unknown; }; } | { ...; } | null>
messageunknownPromise<{ [x: string]: unknown; jsonrpc: "2.0"; id: string | number; result: { [x: string]: unknown; }; } | { [x: string]: unknown; jsonrpc: "2.0"; id: string | number | null; error: { [x: string]: unknown; code: -32700 | -32600 | -32601 | -32602 | -32603 | (number & $brand<...>); message: string; data?: unknown; };...response message for requests, null for notifications, or
an invalid_request error for malformed input
actions/action_peer.ts view source
ActionPeerOptions environmenttransportsdefault_send_optionsOmit<ActionPeerSendOptions, 'signal'>actions/action_peer.ts view source
ActionPeerSendOptions Per-call options for ActionPeer.send. Extends TransportSendOptions
with transport_name for per-call transport selection. The peer-wide
default for any field lives on ActionPeerOptions.default_send_options โ
set queue: true there once for client-authoritative peers and override
per-call for exceptions (e.g. high-frequency position sync where stale
replays are wrong).
transport_nameactions/action_registry.ts view source
specstype Array<ActionSpecUnion>
constructortype new (specs: ({ method: string; initiator: "frontend" | "backend" | "both"; side_effects: boolean; input: ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>; output: ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>; ... 6 more ...; rate_limit?: "both" | ... 2 more ... | undefined; } | { ...; } | { ...; })[]): ActionRegistry
specs({ method: string; initiator: "frontend" | "backend" | "both"; side_effects: boolean; input: ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>; output: ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>; ... 6 more ...; rate_limit?: "both" | ... 2 more ... | undefined; } | { ...; } | { ...; ...actions/action_bridge.ts view source
ActionRouteOptions Options for deriving a RouteSpec from an ActionSpec.
pathstringhandlerparamsURL path parameter schema. Use z.strictObject() with string fields matching :param segments.
z.ZodObjectqueryURL query parameter schema. Use z.strictObject() with string fields.
z.ZodObjecthttp_methodOverride the default HTTP method (default: side_effects โ POST, else GET).
authOverride the default auth mapping (default: 'public' โ none, 'authenticated' โ authenticated, 'keeper' โ keeper, {role} โ role).
errorsHandler-specific error schemas (HTTP status code โ Zod schema). Transport-specific โ not on ActionSpec.
actions/action_spec.ts view source
ZodBoolean actions/action_spec.ts view source
ZodObject<{ method: ZodString; kind: ZodEnum<{ request_response: "request_response"; remote_notification: "remote_notification"; local_call: "local_call"; }>; initiator: ZodEnum<...>; ... 8 more ...; rate_limit: ZodOptional<...>; }, $strict> actions/action_spec.ts view source
ZodUnion<readonly [ZodObject<{ method: ZodString; initiator: ZodEnum<{ frontend: "frontend"; backend: "backend"; both: "both"; }>; side_effects: ZodBoolean; input: ZodCustom<ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>, ZodType<...>>; ... 7 more ...; async: ZodDefault<...>; }, $strict>, ZodObject<.... auth/account_schema.ts view source
Actor Actor โ the entity that acts. Owns cells, holds permits, appears in audit trails.
idUuidaccount_idUuidnamestringcreated_atstringupdated_atstring | nullupdated_byUuid | null"\nCREATE INDEX IF NOT EXISTS idx_actor_account ON actor(account_id)" "\nCREATE TABLE IF NOT EXISTS actor (\n id UUID PRIMARY KEY DEFAULT gen_random_uuid(),\n account_id UUID NOT NULL REFERENCES account(id) ON DELETE CASCADE,\n name TEXT NOT NULL,\n created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),\n updated_at TIMESTAMPTZ,\n updated_by UUID REFERENCES actor(id) ON DELETE SET NULL\... auth/account_schema.ts view source
ZodObject<{ id: $ZodBranded<ZodUUID, "Uuid", "out">; name: ZodString; }, $strict> Zod schema for the actor summary returned in admin account listings.
auth/admin_action_specs.ts view source
{ method: string; kind: "request_response"; initiator: "frontend"; auth: { role: string; }; side_effects: false; input: ZodVoid; output: ZodObject<{ accounts: ZodArray<ZodObject<{ account: ZodObject<{ id: $ZodBranded<ZodUUID, "Uuid", "out">; ... 5 more ...; updated_by: ZodNullable<...>; }, $strict>; actor: ZodNullab... ui/admin_accounts_state.svelte.ts view source
{ get: () => () => AdminAccountsRpc | null; set: (value?: (() => AdminAccountsRpc | null) | undefined) => () => AdminAccountsRpc | null; } Svelte context carrying the reactive AdminAccountsRpc accessor. The
provisioner (typically the admin route shell) calls set(() => rpc);
consumers read with const get_rpc = admin_accounts_rpc_context.get();
and either pass the accessor straight to AdminAccountsState/
AdminSessionsState or wrap it with const rpc = $derived(get_rpc());
for direct RPC calls. Unset context falls back to () => null so
components mounted without a provisioner surface the usual "rpc adapter
not wired" path.
ui/admin_invites_state.svelte.ts view source
{ get: () => () => AdminInvitesRpc | null; set: (value?: (() => AdminInvitesRpc | null) | undefined) => () => AdminInvitesRpc | null; } Svelte context carrying the reactive AdminInvitesRpc accessor. Mirrors
admin_accounts_rpc_context. Unset context falls back to () => null.
testing/integration_helpers.ts view source
readonly string[] Field names that must not appear in non-admin HTTP response bodies.
auth/admin_action_specs.ts view source
{ method: string; kind: "request_response"; initiator: "frontend"; auth: { role: string; }; side_effects: false; input: ZodVoid; output: ZodObject<{ sessions: ZodArray<ZodObject<{ id: ZodString; account_id: $ZodBranded<...>; created_at: ZodString; expires_at: ZodString; last_seen_at: ZodString; username: ZodString; ... auth/admin_action_specs.ts view source
{ method: string; kind: "request_response"; initiator: "frontend"; auth: { role: string; }; side_effects: true; input: ZodObject<{ account_id: $ZodBranded<ZodUUID, "Uuid", "out">; }, $strict>; output: ZodObject<...>; async: true; description: string; rate_limit: "account"; } auth/admin_action_specs.ts view source
{ method: string; kind: "request_response"; initiator: "frontend"; auth: { role: string; }; side_effects: true; input: ZodObject<{ account_id: $ZodBranded<ZodUUID, "Uuid", "out">; }, $strict>; output: ZodObject<...>; async: true; description: string; rate_limit: "account"; } auth/account_schema.ts view source
ZodObject<{ account: ZodObject<{ id: $ZodBranded<ZodUUID, "Uuid", "out">; username: ZodString; email: ZodNullable<ZodEmail>; email_verified: ZodBoolean; created_at: ZodString; updated_at: ZodString; updated_by: ZodNullable<...>; }, $strict>; actor: ZodNullable<...>; permits: ZodArray<...>; pending_offers: ZodArray<.... Zod schema for an admin account listing entry (account + actor + permits + pending offers).
auth/account_schema.ts view source
ZodObject<{ id: $ZodBranded<ZodUUID, "Uuid", "out">; username: ZodString; email: ZodNullable<ZodEmail>; email_verified: ZodBoolean; created_at: ZodString; updated_at: ZodString; updated_by: ZodNullable<...>; }, $strict> Zod schema for admin-facing account data โ extends SessionAccountJson with audit fields.
auth/admin_action_specs.ts view source
ZodVoid Input for admin_account_list. No parameters โ the caller is the subject.
auth/admin_action_specs.ts view source
ZodObject<{ accounts: ZodArray<ZodObject<{ account: ZodObject<{ id: $ZodBranded<ZodUUID, "Uuid", "out">; username: ZodString; email: ZodNullable<ZodEmail>; email_verified: ZodBoolean; created_at: ZodString; updated_at: ZodString; updated_by: ZodNullable<...>; }, $strict>; actor: ZodNullable<...>; permits: ZodArray<.... Output for admin_account_list.
ui/admin_accounts_state.svelte.ts view source
AdminAccountsRpc Narrow RPC surface consumed by AdminAccountsState. Consumers adapt their
typed RPC client (e.g. a create_rpc_client Proxy) to this shape โ the
state class stays decoupled from the client's Result return type so
tests can inject plain-function stubs. Mirrors the PermitOffersRpc
pattern.
Every operation flows through RPC: the listing reuses admin_account_list,
grant reuses permit_offer_create, revoke and retract have dedicated
actions, and the session / token revoke-all mutations reuse
admin_session_revoke_all and admin_token_revoke_all. Without the
adapter the state class cannot fetch, grant, revoke, retract, or
revoke-all sessions/tokens.
Method signatures track the underlying action specs โ Uuid-branded ids
propagate from the wire through the state class to the components. The
adapter built by create_admin_rpc_adapters therefore needs zero casts
to bridge to the typed throwing Proxy.
list_accounts() => Promise<AdminAccountListOutput>list_sessions() => Promise<AdminSessionListOutput>grant_permit(params: PermitOfferCreateInput) => Promise<PermitOfferCreateOutput>revoke_permit(params: PermitRevokeInput) => Promise<PermitRevokeOutput>retract_offer(offer_id: Uuid) => Promise<PermitOfferOkOutput>session_revoke_all(params: AdminSessionRevokeAllInput) => Promise<AdminSessionRevokeAllOutput>token_revoke_all(params: AdminTokenRevokeAllInput) => Promise<AdminTokenRevokeAllOutput>ui/admin_accounts_state.svelte.ts view source
accountstype Array<AdminAccountEntryJson>
grantable_rolestype Array<RoleName>
granting_keystype SvelteSet<string>
revoking_idstype SvelteSet<string>
retracting_idstype SvelteSet<string>
account_countconstructortype new (options?: AdminAccountsStateOptions | undefined): AdminAccountsState
options?AdminAccountsStateOptions | undefinedfetchtype (): Promise<void>
Promise<void>grant_permitOffer the role to the recipient via the permit_offer_create RPC.
Server returns the pending offer; the recipient must accept before
the permit materializes. Returns the offer payload on success so
callers can drive follow-up UX (e.g. seed PermitOffersState.outgoing).
A re-offer from the same admin to the same (account, role)
refreshes the existing pending row โ the returned offer id is stable
across those calls.
No-op when the rpc adapter is absent; error is set to a descriptive
message so the UI surfaces the misconfiguration.
type (account_id: string & $brand<"Uuid">, role: string): Promise<{ id: string & $brand<"Uuid">; from_actor_id: string & $brand<"Uuid">; to_account_id: string & $brand<...>; ... 10 more ...; resulting_permit_id: (string & $brand<...>) | null; } | undefined>
account_idstring & $brand<"Uuid">rolestringPromise<{ id: string & $brand<"Uuid">; from_actor_id: string & $brand<"Uuid">; to_account_id: string & $brand<"Uuid">; role: string; scope_id: (string & $brand<...>) | null; ... 8 more ...; resulting_permit_id: (string & $brand<...>) | null; } | undefined>revoke_permitRevoke an active permit via the permit_revoke RPC.
actor_id is the natural key โ permits are actor-scoped, and the
admin UI reads row.actor.id straight from the listing, so the state
class takes it directly rather than deriving it from account_id.
The optional reason is stamped on permit.revoked_reason and
surfaced on the revokee's WS notification.
type (actor_id: string & $brand<"Uuid">, permit_id: string & $brand<"Uuid">, reason?: string | null | undefined): Promise<void>
actor_idstring & $brand<"Uuid">permit_idstring & $brand<"Uuid">reason?string | null | undefinedPromise<void>retract_offerRetract a pending offer the admin issued via the permit_offer_retract
RPC. The action handles auth, audit, and the
permit_offer_retracted WS notification.
After success, refetches the listing so pending_offers drops the
row and the "+ {role}" button un-hides.
type (offer_id: string & $brand<"Uuid">): Promise<void>
offer_idstring & $brand<"Uuid">Promise<void>ui/admin_accounts_state.svelte.ts view source
AdminAccountsStateOptions get_rpcReactive accessor for the RPC adapter; returns null when unwired.
Matches PermitOffersStateOptions.account_id / actor_id pattern โ
lets the component pass a $props()-sourced rpc without tripping
Svelte's state_referenced_locally warning.
() => AdminAccountsRpc | nullauth/admin_actions.ts view source
AdminActionDeps Dependencies for create_admin_actions.
Shares shape with PermitOfferActionDeps so consumers can pass the same
deps to both factories. log drives RPC-internal error logging;
on_audit_event is wired by the two revoke-all mutations so SSE fan-out
mirrors the former REST-route behavior. audit_log_config flows from
AppDeps and is consumed by audit_log_fire_and_forget.
auth/admin_actions.ts view source
AdminActionOptions Options for create_admin_actions.
rolesRole schema result from create_role_schema(). Defaults to builtin
roles only. Used to derive grantable_roles (the web_grantable
subset) returned by admin_account_list.
app_settingsMutable in-memory app settings ref โ typically ctx.app_settings from
AppServerContext. When provided, the factory wires the
app_settings_get and app_settings_update handlers; the update
handler mutates this ref so signup middleware reads the new value
without a DB round trip. When omitted, those two methods have no
handler and RPC dispatch returns method_not_found.
ui/admin_invites_state.svelte.ts view source
AdminInvitesRpc Narrow RPC surface consumed by AdminInvitesState. Consumers adapt their
typed RPC client to this shape. error.data.reason on thrown errors
carries the ERROR_INVITE_* constant โ handled by the caller when
user-friendly messages are needed. Method signatures track the wire
spec types directly so the adapter needs no casts.
list() => Promise<InviteListOutput>create(params: InviteCreateInput) => Promise<InviteCreateOutput>delete(params: InviteDeleteInput) => Promise<InviteDeleteOutput>ui/admin_invites_state.svelte.ts view source
invitestype Array<InviteWithUsernamesJson>
creatingdeleting_idstype SvelteSet<string>
invite_countunclaimed_countconstructortype new (options?: AdminInvitesStateOptions | undefined): AdminInvitesState
options?AdminInvitesStateOptions | undefinedfetchtype (): Promise<void>
Promise<void>create_invitetype (email?: string | undefined, username?: string | undefined): Promise<boolean>
email?string | undefinedusername?string | undefinedPromise<boolean>delete_invitetype (id: string & $brand<"Uuid">): Promise<void>
idstring & $brand<"Uuid">Promise<void>ui/admin_invites_state.svelte.ts view source
AdminInvitesStateOptions get_rpcReactive accessor for the RPC adapter. null disables all operations
(the state reports a descriptive error when mutations/fetches fire).
() => AdminInvitesRpc | nullui/admin_rpc_adapters.ts view source
AdminRpcAdapters The four admin RPC adapters assembled from a shared api.
admin_accountsadmin_invitesaudit_logapp_settingsui/admin_rpc_adapters.ts view source
AdminRpcApi The wire-method surface this module needs from the typed throwing RPC
client. Every method returns the unwrapped value or throws an Error
carrying the JSON-RPC {code, message, data?} shape โ i.e. the
ThrowingApi<...> view of the corresponding action specs.
Consumers pass the typed throwing Proxy returned by
create_frontend_rpc_client directly. Structural typing means any
superset (e.g. the consumer's full ThrowingApi<ActionsApi>) is
assignable as long as these methods are present at these signatures.
admin_account_list() => Promise<AdminAccountListOutput>admin_session_list() => Promise<AdminSessionListOutput>admin_session_revoke_all(
input: AdminSessionRevokeAllInput,
) => Promise<AdminSessionRevokeAllOutput>admin_token_revoke_all(input: AdminTokenRevokeAllInput) => Promise<AdminTokenRevokeAllOutput>audit_log_list(input: AuditLogListInput) => Promise<AuditLogListOutput>audit_log_permit_history(
input: AuditLogPermitHistoryInput,
) => Promise<AuditLogPermitHistoryOutput>invite_list() => Promise<InviteListOutput>invite_create(input: InviteCreateInput) => Promise<InviteCreateOutput>invite_delete(input: InviteDeleteInput) => Promise<InviteDeleteOutput>app_settings_get() => Promise<AppSettingsGetOutput>app_settings_update(input: AppSettingsUpdateInput) => Promise<AppSettingsUpdateOutput>permit_offer_create(input: PermitOfferCreateInput) => Promise<PermitOfferCreateOutput>permit_offer_retract(input: PermitOfferRetractInput) => Promise<PermitOfferOkOutput>permit_revoke(input: PermitRevokeInput) => Promise<PermitRevokeOutput>auth/audit_log_schema.ts view source
ZodObject<{ id: ZodString; account_id: $ZodBranded<ZodUUID, "Uuid", "out">; created_at: ZodString; expires_at: ZodString; last_seen_at: ZodString; username: ZodString; }, $strict> Zod schema for admin session listing (session + username).
auth/admin_action_specs.ts view source
ZodVoid Input for admin_session_list. No parameters โ reads every active session.
auth/admin_action_specs.ts view source
ZodObject<{ sessions: ZodArray<ZodObject<{ id: ZodString; account_id: $ZodBranded<ZodUUID, "Uuid", "out">; created_at: ZodString; expires_at: ZodString; last_seen_at: ZodString; username: ZodString; }, $strict>>; }, $strict> Output for admin_session_list. Cross-account listing; fan-out already scoped by role auth.
auth/admin_action_specs.ts view source
ZodObject<{ account_id: $ZodBranded<ZodUUID, "Uuid", "out">; }, $strict> Input for admin_session_revoke_all.
auth/admin_action_specs.ts view source
ZodObject<{ ok: ZodLiteral<true>; count: ZodNumber; }, $strict> Output for admin_session_revoke_all.
ui/admin_sessions_state.svelte.ts view source
sessionstype Array<AdminSessionJson>
revoking_account_idstype SvelteSet<string>
revoking_token_account_idstype SvelteSet<string>
active_countconstructortype new (options?: AdminSessionsStateOptions | undefined): AdminSessionsState
options?AdminSessionsStateOptions | undefinedfetchtype (): Promise<void>
Promise<void>revoke_all_for_accounttype (account_id: string & $brand<"Uuid">): Promise<void>
account_idstring & $brand<"Uuid">Promise<void>revoke_all_tokens_for_accounttype (account_id: string & $brand<"Uuid">): Promise<void>
account_idstring & $brand<"Uuid">Promise<void>ui/admin_sessions_state.svelte.ts view source
AdminSessionsStateOptions Options for AdminSessionsState.
The RPC adapter drives every operation (listing + the two revoke-all
mutations). Without it, fetch and the revoke controls no-op with
'rpc adapter not wired' on error.
get_rpcReactive accessor for the RPC adapter; returns null when unwired.
Mirrors AdminAccountsStateOptions.get_rpc so a single adapter
instance backs both states without tripping Svelte's
state_referenced_locally warning.
() => AdminAccountsRpc | nullauth/admin_action_specs.ts view source
ZodObject<{ account_id: $ZodBranded<ZodUUID, "Uuid", "out">; }, $strict> Input for admin_token_revoke_all.
auth/admin_action_specs.ts view source
ZodObject<{ ok: ZodLiteral<true>; count: ZodNumber; }, $strict> Output for admin_token_revoke_all.
testing/adversarial_headers.ts view source
AdversarialHeaderCase A header-level attack case for middleware stack testing.
namestringheadersRecord<string, string>expected_statusnumberexpected_errorstringexpected_error_schemaZod schema to validate error response body against. Defaults to ApiError when expected_error is set.
z.ZodTypevalidate_expectationWhether the request should reach token validation or be short-circuited by earlier middleware.
'called' | 'not_called'testing/attack_surface.ts view source
AdversarialTestOptions Options for adversarial test runners (auth enforcement and input validation).
buildBuild the app surface bundle (surface + route specs + middleware specs).
() => AppSurfaceSpecrolesAll roles in the app (e.g. ['admin', 'keeper']).
Array<string>ui/position_helpers.ts view source
Alignment Alignment options for positioned elements.
auth/account_action_specs.ts view source
{ method: string; initiator: "frontend" | "backend" | "both"; side_effects: boolean; input: ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>; output: ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>; ... 6 more ...; rate_limit?: "both" | ... 2 more ... | undefined; }[] All self-service account action specs โ a codegen-ready registry. Consumers spread this into their own action-spec array to include account methods in a typed client surface.
auth/admin_action_specs.ts view source
{ method: string; initiator: "frontend" | "backend" | "both"; side_effects: boolean; input: ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>; output: ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>; ... 6 more ...; rate_limit?: "both" | ... 2 more ... | undefined; }[] All admin action specs โ a codegen-ready registry. Consumers spread this
into their own action-spec array to include admin methods in a typed
client surface. Always includes the two app-settings specs; the runtime
factory only wires their handlers when AdminActionOptions.app_settings
is provided.
auth/permit_offer_action_specs.ts view source
{ method: string; initiator: "frontend" | "backend" | "both"; side_effects: boolean; input: ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>; output: ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>; ... 6 more ...; rate_limit?: "both" | ... 2 more ... | undefined; }[] All permit-offer action specs โ a codegen-ready registry. Consumers spread this into their own action-spec array to include offer lifecycle + revoke methods in a typed client surface.
auth/self_service_role_action_specs.ts view source
readonly { method: string; initiator: "frontend" | "backend" | "both"; side_effects: boolean; input: ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>; output: ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>; ... 6 more ...; rate_limit?: "both" | ... 2 more ... | undefined; }[] All self-service role action specs โ a codegen-ready registry. Single-element
post-unification, kept for symmetry with the other all_*_action_specs
exports so codegen and frontend bundles import the same shape.
auth/standard_action_specs.ts view source
readonly { method: string; initiator: "frontend" | "backend" | "both"; side_effects: boolean; input: ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>; output: ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>; ... 6 more ...; rate_limit?: "both" | ... 2 more ... | undefined; }[] Combined spec registry for the standard RPC surface (admin + permit_offer + account). Symmetric with create_standard_rpc_actions.
Spec count is the sum of the three sub-registries. Adding a method to any sub-registry surfaces here automatically.
RegExp Regex for the public API token id (e.g. tok_abC0_d-3xyzA). Twelve
base64url characters after the tok_ prefix. Matches the format produced
by generate_api_token.
"\nCREATE INDEX IF NOT EXISTS idx_api_token_account ON api_token(account_id)" "secret_fuz_token_" Prefix for all fuz API tokens (enables secret scanning).
"\nCREATE TABLE IF NOT EXISTS api_token (\n id TEXT PRIMARY KEY,\n account_id UUID NOT NULL REFERENCES account(id) ON DELETE CASCADE,\n name TEXT NOT NULL,\n token_hash TEXT NOT NULL,\n expires_at TIMESTAMPTZ,\n last_used_at TIMESTAMPTZ,\n last_used_ip TEXT,\n created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()\n)" http/error_schemas.ts view source
ZodObject<{ error: ZodString; }, $loose> Base API error โ all JSON error responses have at least {error: string}.
auth/account_schema.ts view source
ApiToken API token for CLI/programmatic access.
idstringaccount_idUuidnamestringtoken_hashstringexpires_atstring | nulllast_used_atstring | nulllast_used_ipstring | nullcreated_atstringZodString Zod schema for the public API token id.
auth/api_token_queries.ts view source
ApiTokenQueryDeps Extended deps for query_validate_api_token which needs a logger.
logLoggerauth/admin_action_specs.ts view source
{ method: string; kind: "request_response"; initiator: "frontend"; auth: { role: string; }; side_effects: false; input: ZodVoid; output: ZodObject<{ settings: ZodObject<{ open_signup: ZodBoolean; updated_at: ZodNullable<...>; updated_by: ZodNullable<...>; updated_by_username: ZodNullable<...>; }, $strict>; }, $stric... ui/app_settings_state.svelte.ts view source
{ get: () => () => AppSettingsRpc | null; set: (value?: (() => AppSettingsRpc | null) | undefined) => () => AppSettingsRpc | null; } Svelte context carrying the reactive AppSettingsRpc accessor. Mirrors
admin_accounts_rpc_context. Unset context falls back to () => null so
OpenSignupToggle mounted outside a provisioner hides gracefully.
"\nCREATE TABLE IF NOT EXISTS app_settings (\n id INTEGER PRIMARY KEY DEFAULT 1 CHECK (id = 1),\n open_signup BOOLEAN NOT NULL DEFAULT false,\n updated_at TIMESTAMPTZ,\n updated_by UUID\n)" "\nINSERT INTO app_settings (id) VALUES (1) ON CONFLICT DO NOTHING" auth/admin_action_specs.ts view source
{ method: string; kind: "request_response"; initiator: "frontend"; auth: { role: string; }; side_effects: true; input: ZodObject<{ open_signup: ZodBoolean; }, $strict>; output: ZodObject<...>; async: true; description: string; rate_limit: "account"; } server/app_backend.ts view source
AppBackend Result of create_app_backend() โ database metadata + deps bundle.
This is the initialized backend, not the HTTP server.
Pass it to create_app_server() to assemble the Hono app.
depsdb_typedb_namestringmigration_resultsMigration results from create_app_backend โ auth migrations plus any consumer namespaces passed via migration_namespaces.
ReadonlyArray<MigrationResult>closeClose the database connection. Bound to the actual driver.
() => Promise<void>AppDeps Stateless capabilities bundle for fuz_app backends.
Injectable and swappable per environment (production vs test). Does not contain config (static values) or runtime state (mutable refs).
statGet file/directory stats, or null if path doesn't exist.
(path: string) => Promise<StatResult | null>read_text_fileRead a file as text.
(path: string) => Promise<string>delete_fileDelete a file.
(path: string) => Promise<void>keyringHMAC-SHA256 cookie signing keyring.
passwordPassword hashing operations. Use argon2_password_deps in production.
dbDatabase instance.
logStructured logger instance.
Loggeron_audit_eventCalled after each audit log INSERT succeeds.
Use to broadcast audit events via SSE. Flows automatically to all
route factories that receive deps or RouteFactoryDeps.
Defaults to a noop when not wired to SSE.
(event: AuditLogEvent) => voidaudit_log_configAudit-log config for audit_log_fire_and_forget and query_audit_log.
Built once at startup via create_audit_log_config({extra_events}) to
register consumer event types. Optional โ defaults to
BUILTIN_AUDIT_LOG_CONFIG when absent.
Threaded through AppDeps (instead of a per-call positional arg) so consumer handlers cannot silently fall back to the builtin config by forgetting to pass theirs โ the deps bundle carries it everywhere fuz_app emits an audit event.
http/route_spec.ts view source
(app: Hono<BlankEnv, BlankSchema, "/">, specs: MiddlewareSpec[]): void Apply named middleware specs to a Hono app.
appHono<BlankEnv, BlankSchema, "/">specsMiddlewareSpec[]void http/route_spec.ts view source
(app: Hono<BlankEnv, BlankSchema, "/">, specs: RouteSpec[], resolve_auth_guards: AuthGuardResolver, log: Logger, db: Db): void Apply route specs to a Hono app.
For each spec: resolves auth to guards via the provided resolver, adds input validation middleware (for routes with non-null input schemas), wraps handler with DEV-only output and error validation, wraps with error catch layer (catches ThrownJsonrpcError and generic errors), and registers the route.
Each handler receives a RouteContext with:
- db: transaction-scoped (for non-GET) or pool-level (for GET)
- background_db: always pool-level
- pending_effects: fire-and-forget effect queue
appHono<BlankEnv, BlankSchema, "/">specsRouteSpec[]resolve_auth_guardsmaps RouteAuth to middleware โ use fuz_auth_guard_resolver from auth/route_guards.ts
logLoggerdbused for transaction wrapping and RouteContext
void Error - if two specs share the same `method` + `path` (each combination must be unique)server/app_server.ts view source
AppServer Result of create_app_server().
appHonosurface_specSurface spec โ serializable surface + raw specs that produced it.
bootstrap_statusapp_settingsGlobal app settings (mutable ref โ mutated by settings admin route).
migration_resultsMigration results from create_app_backend (auth + any migration_namespaces passed there).
ReadonlyArray<MigrationResult>audit_sseFactory-managed audit log SSE. null when audit_log_sse option is not set.
AuditLogSse | nullcloseClose the database connection. Propagated from AppBackend.
() => Promise<void>server/app_server.ts view source
AppServerContext Context passed to create_route_specs.
depsbackendbootstrap_statussession_optionsSessionOptions<string>ip_rate_limiterShared IP rate limiter (from options). null when not configured.
RateLimiter | nulllogin_account_rate_limiterPer-account login rate limiter (from options). null when not configured.
RateLimiter | nullsignup_account_rate_limiterPer-account signup rate limiter (from options). null when not configured.
RateLimiter | nullaction_ip_rate_limiterPer-IP action-dispatcher rate limiter โ shared across HTTP RPC + WS. null when not configured.
RateLimiter | nullaction_account_rate_limiterPer-actor action-dispatcher rate limiter โ shared across HTTP RPC + WS. null when not configured.
RateLimiter | nullapp_settingsGlobal app settings (mutable ref โ mutated by settings admin route).
audit_sseFactory-managed audit log SSE. null when audit_log_sse option is not set.
AuditLogSse | nullserver/app_server.ts view source
AppServerOptions Configuration for create_app_server().
Requires a pre-initialized AppBackend from create_app_backend().
Two explicit steps: init backend then assemble server.
backendPre-initialized backend from create_app_backend().
session_optionsSession options for cookie-based auth.
SessionOptions<string>allowed_originsParsed allowed origin patterns.
Array<RegExp>proxyTrusted proxy options.
{
trusted_proxies: Array<string>;
get_connection_ip: (c: Context) => string | undefined;
}ip_rate_limiterShared IP rate limiter for login, bootstrap, and bearer auth.
Omit or undefined to use a default limiter (5 attempts per 15 minutes).
Pass null to explicitly disable rate limiting.
Also available on AppServerContext for route factory callbacks.
RateLimiter | nulllogin_account_rate_limiterPer-account rate limiter for login attempts.
Omit or undefined to use a default limiter (10 attempts per 30 minutes).
Pass null to explicitly disable rate limiting.
Also available on AppServerContext for route factory callbacks.
RateLimiter | nullsignup_account_rate_limiterPer-account rate limiter for signup attempts, keyed by submitted username.
Omit or undefined to use a default limiter (10 attempts per 30 minutes).
Pass null to explicitly disable rate limiting.
Also available on AppServerContext for route factory callbacks.
RateLimiter | nullbearer_ip_rate_limiterRate limiter for bearer token auth attempts (per-IP).
Omit or undefined to use a default limiter (5 attempts per 15 minutes).
Pass null to explicitly disable rate limiting.
RateLimiter | nullaction_ip_rate_limiterPer-IP rate limiter for the action dispatchers (HTTP RPC + WebSocket).
Consulted for actions whose spec declares rate_limit: 'ip' or 'both'.
Same limiter applies across transports โ one budget per action.
Omit or undefined to use a default limiter (600 attempts per
15 minutes โ permissive). Pass null to explicitly disable.
Also available on AppServerContext for consumers wiring
register_action_ws.
RateLimiter | nullaction_account_rate_limiterPer-actor rate limiter for the action dispatchers (HTTP RPC + WebSocket).
Consulted for actions whose spec declares rate_limit: 'account' or
'both'. Keyed on request_context.actor.id (post-auth).
Omit or undefined to use a default limiter (1200 attempts per
15 minutes โ permissive). Pass null to explicitly disable.
Also available on AppServerContext for consumers wiring
register_action_ws.
RateLimiter | nullmax_body_sizeMaximum allowed request body size in bytes.
Omit or undefined to use the default (1 MiB).
Pass null to explicitly disable body size limiting.
number | nulldaemon_token_stateDaemon token state for keeper auth. Omit to disable.
bootstrapBootstrap options. Omit to skip bootstrap status check and routes.
{
token_path: string | null;
/** Route prefix for bootstrap routes. Default `'/api/account'`. */
route_prefix?: string;
/**
* Called after successful bootstrap (account + session created).
* Use for app-specific post-bootstrap work like generating API tokens.
*/
on_bootstrap?: (result: BootstrapAccountSuccess, c: Context) => Promise<void>;
}surface_routeSet to false to disable the auto-created surface route (GET /api/surface).
Default: auto-created (authenticated).
falsecreate_route_specsBuild route specs from the initialized backend. Called after all middleware is ready.
(context: AppServerContext) => Array<RouteSpec>transform_middlewareOptional: transform middleware specs before applying.
(specs: Array<MiddlewareSpec>) => Array<MiddlewareSpec>audit_log_sseEnable factory-managed audit log SSE.
When truthy, creates an AuditLogSse instance internally, wires on_audit_event
on the backend deps (composing with any existing callback), and auto-includes
AUDIT_LOG_EVENT_SPECS in the surface. The result is exposed on AppServerContext
(for route factories) and AppServer (for the caller).
Pass true for defaults (admin role), or {role: 'custom'} for a custom role.
Omit to wire audit SSE manually.
true | {role?: string}event_specsSSE event specs for surface generation. Defaults to [] (no SSE events).
Array<EventSpec>rpc_endpointsRPC endpoint specs โ single source of truth for both surface generation
*and* live dispatch. Each entry is mounted via create_rpc_endpoint
against the assembled Hono app, so consumers no longer call
create_rpc_endpoint themselves inside create_route_specs.
Accepts either an array (evaluated eagerly) or a factory
(ctx: AppServerContext) => Array<RpcEndpointSpec> (evaluated after the
server context is assembled). Use the factory form when action lists
depend on ctx.deps / ctx.app_settings โ e.g.
create_standard_rpc_actions(ctx.deps, {app_settings: ctx.app_settings}).
Array<RpcEndpointSpec> | ((context: AppServerContext) => Array<RpcEndpointSpec>)env_schemaEnv schema for surface generation. Pass z.object({}) when there are no env vars beyond BaseServerEnv.
z.ZodObjectpost_route_middlewareMiddleware applied after routes, before static serving. Included in surface.
Array<MiddlewareSpec>static_servingStatic file serving. Omit if not serving static files.
{
serve_static: ServeStaticFactory;
spa_fallback?: string;
}await_pending_effectsAwait all pending fire-and-forget effects before returning the response.
Use in tests so audit log assertions don't need polling.
Default false (production: true fire-and-forget).
booleanon_effect_errorCalled when a pending effect rejects.
Use for monitoring, metrics, or alerting in production.
Only called when await_pending_effects is false (production mode).
(error: unknown, context: EffectErrorContext) => voidenv_valuesEnv values for startup summary logging.
Record<string, unknown>auth/app_settings_schema.ts view source
AppSettings App settings row from the database.
open_signupbooleanupdated_atstring | nullupdated_byUuid | nullauth/admin_action_specs.ts view source
ZodVoid Input for app_settings_get. No parameters.
auth/admin_action_specs.ts view source
ZodObject<{ settings: ZodObject<{ open_signup: ZodBoolean; updated_at: ZodNullable<ZodString>; updated_by: ZodNullable<$ZodBranded<ZodUUID, "Uuid", "out">>; updated_by_username: ZodNullable<...>; }, $strict>; }, $strict> Output for app_settings_get.
auth/app_settings_schema.ts view source
ZodObject<{ open_signup: ZodBoolean; updated_at: ZodNullable<ZodString>; updated_by: ZodNullable<$ZodBranded<ZodUUID, "Uuid", "out">>; }, $strict> Zod schema for client-safe app settings data.
ui/app_settings_state.svelte.ts view source
AppSettingsRpc Narrow RPC surface consumed by AppSettingsState. Consumers adapt their typed RPC client to this shape. Method signatures track the wire spec inputs/outputs directly so the adapter needs no casts.
get() => Promise<AppSettingsGetOutput>update(params: AppSettingsUpdateInput) => Promise<AppSettingsUpdateOutput>ui/app_settings_state.svelte.ts view source
settingstype AppSettingsWithUsernameJson | null
updatingconstructortype new (options?: AppSettingsStateOptions | undefined): AppSettingsState
options?AppSettingsStateOptions | undefinedfetchtype (): Promise<void>
Promise<void>update_open_signuptype (value: boolean): Promise<void>
valuebooleanPromise<void>ui/app_settings_state.svelte.ts view source
AppSettingsStateOptions get_rpcReactive accessor for the RPC adapter. null disables all operations
(the state reports a descriptive error when fetch/update fires).
() => AppSettingsRpc | nullauth/admin_action_specs.ts view source
ZodObject<{ open_signup: ZodBoolean; }, $strict> Input for app_settings_update.
auth/admin_action_specs.ts view source
ZodObject<{ ok: ZodLiteral<true>; settings: ZodObject<{ open_signup: ZodBoolean; updated_at: ZodNullable<ZodString>; updated_by: ZodNullable<$ZodBranded<ZodUUID, "Uuid", "out">>; updated_by_username: ZodNullable<...>; }, $strict>; }, $strict> Output for app_settings_update.
auth/app_settings_schema.ts view source
ZodObject<{ open_signup: ZodBoolean; updated_at: ZodNullable<ZodString>; updated_by: ZodNullable<$ZodBranded<ZodUUID, "Uuid", "out">>; updated_by_username: ZodNullable<...>; }, $strict> Zod schema for admin app settings with resolved updater username.
ui/AppShell.svelte view source
childrenSnippetsidebarSnippetsidebar_width?Sidebar width in pixels when shown.
numbersidebar_state?Optional pre-built SidebarState for sharing visibility across shells.
keyboard_shortcut?Single-key shortcut that toggles the sidebar (e.g. 'b'). false disables.
string | falseshow_toggle?Whether to render the built-in (or custom) toggle button.
booleantoggle_button?Custom toggle-button renderer; receives the title, visibility, and toggle callback.
Snippet<[{title: string; show_sidebar: boolean; toggle: () => void}]>AppSurface Generated attack surface โ JSON-serializable.
middlewareArray<AppSurfaceMiddleware>routesArray<AppSurfaceRoute>rpc_endpointsArray<AppSurfaceRpcEndpoint>envArray<AppSurfaceEnv>eventsArray<AppSurfaceEvent>diagnosticsArray<AppSurfaceDiagnostic>AppSurfaceDiagnostic Assembly-time diagnostic collected during surface generation or server assembly.
level'warning' | 'info'categorystringmessagestringsourcestringAppSurfaceEnv An env var in the generated attack surface (JSON-serializable).
namestringdescriptionstringsensitivitySensitivity level from .meta({sensitivity}). null when not sensitive.
Sensitivity | nullhas_defaultbooleanoptionalbooleanAppSurfaceEvent An SSE event in the generated attack surface (JSON-serializable).
methodstringdescriptionstringchannelstring | nullparams_schemaunknownAppSurfaceMiddleware A middleware in the generated attack surface (JSON-serializable).
namestringpathstringerror_schemasJSON Schema representations of error responses, keyed by HTTP status code. null when none.
Record<string, unknown> | nullAppSurfaceRoute A route in the generated attack surface (JSON-serializable).
methodstringpathstringauthapplicable_middlewareArray<string>descriptionstringis_mutationWhether this route mutates state (POST, PUT, DELETE, PATCH).
booleantransactionWhether this route's handler runs inside a database transaction.
booleanrate_limit_keyRate limit key type declared on the route spec. null when not rate-limited.
RateLimitKey | nullparams_schemaJSON Schema representation of the URL path params schema. null when no params.
unknownquery_schemaJSON Schema representation of the URL query params schema. null when no query schema.
unknowninput_schemaJSON Schema representation of the request body schema. null for no-body routes.
unknownoutput_schemaJSON Schema representation of the success response schema.
unknownerror_schemasJSON Schema representations of error responses, keyed by HTTP status code. null when none.
Record<string, unknown> | nullAppSurfaceRpcEndpoint An RPC endpoint in the generated attack surface (JSON-serializable).
pathstringmethodsArray<AppSurfaceRpcMethod>AppSurfaceRpcMethod A method within an RPC endpoint in the generated attack surface (JSON-serializable).
namestringauthinput_schemaJSON Schema representation of the input schema. null for null-input methods.
unknownoutput_schemaJSON Schema representation of the output schema.
unknownside_effectsbooleandescriptionstringrate_limit_keyRate limit key declared on the action spec. null when not rate-limited.
RateLimitKey | nullAppSurfaceSpec The surface bundled with the source specs that produced it.
AppSurface is JSON-serializable (snapshots, UI, startup logging). AppSurfaceSpec is runtime-only (tests, introspection, attack surface assertions).
surfaceroute_specsArray<RouteSpec>middleware_specsArray<MiddlewareSpec>rpc_endpointsArray<RpcEndpointSpec>auth/password_argon2.ts view source
PasswordHashDeps Argon2id implementation of PasswordHashDeps.
Pass as password in AppDeps / CreateAppBackendOptions for production use.
testing/surface_invariants.ts view source
(surface: AppSurface): void Routes declaring 404 error schemas should use specific z.literal() or z.enum()
error codes, not generic z.string().
A generic 404 schema (ApiError with z.string()) means the error code is
unconstrained โ the handler could return any string, making client error handling
fragile. Routes with params (:id) are the primary 404 producers; their error
schemas should use specific constants like ERROR_ACCOUNT_NOT_FOUND.
Only flags routes that have params_schema (param-driven resource lookup) โ routes
declaring 404 for other reasons (e.g., bootstrap not configured) may legitimately
use generic schemas.
surfacevoid testing/surface_invariants.ts view source
(surface: AppSurface): void Every route has a non-empty description.
surfacevoid testing/surface_invariants.ts view source
(surface: AppSurface): void The same z.literal() error code should not appear at different HTTP status codes
across routes.
Extracts const values from error schema error properties (which correspond to
z.literal() in the Zod source). Flags when the same literal appears at different
status codes โ e.g., ERROR_INVALID_CREDENTIALS at both 401 and 403 would be a bug.
Only checks schemas with const values (literal schemas). Generic z.string()
schemas (which produce {type: 'string'} in JSON Schema) are ignored.
surfacevoid testing/error_coverage.ts view source
(collector: ErrorCoverageCollector, route_specs: RouteSpec[], options?: ErrorCoverageOptions | undefined): void Assert error coverage meets a minimum threshold.
Computes the ratio of exercised error paths to total declared error paths.
For routes whose status error schema names specific codes (z.literal or
z.enum), each declared code counts as one coverage path; for schemas
without declared codes (ApiError/z.string()), the status counts as one
path. A status-only observation covers all declared codes for that status
(the "any-code" rule).
When min_coverage is 0 (default), logs coverage info without failing.
When > 0, fails if coverage is below the threshold.
collectorroute_specsRouteSpec[]options?ErrorCoverageOptions | undefinedvoid AssertionError - if `min_coverage > 0` and the covered/total ratiotesting/surface_invariants.ts view source
(surface: AppSurface, options?: ErrorSchemaTightnessOptions | undefined): void Assert that all error schemas meet a minimum specificity threshold.
Calls audit_error_schema_tightness and fails on any entry below
the configured threshold. Use allowlist and ignore_statuses to exclude
known exceptions during progressive tightening.
surfaceoptions?ErrorSchemaTightnessOptions | undefinedvoid AssertionError - listing every route ร status combination whose errortesting/assertions.ts view source
(lookup: Map<string, Partial<Record<number, ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>>>>, route: AppSurfaceRoute, status: number, body: unknown): void Assert that an error schema exists for a route+status and validate the body against it.
Protected routes should always have auto-derived error schemas (401 for authenticated, 403 for role-restricted). A missing schema indicates a gap in error schema derivation.
lookupmap from "METHOD /path" to merged error schemas
Map<string, Partial<Record<number, ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>>>>routethe surface route to validate against
statusexpected HTTP status code
numberbodythe parsed response body to validate
unknownvoid AssertionError - if no schema is declared for the route+status pair.ZodError - if the body does not satisfy the declared schema.testing/surface_invariants.ts view source
(surface: AppSurface): void Every route's declared error schemas must have an error field at the top level
(conforming to the ApiError base shape {error: string}).
Catches typos in error schema definitions and ensures consumers can always
read .error from error responses.
surfacevoid testing/assertions.ts view source
(surface: AppSurface, path_prefix: string, expected_middleware: string[]): void Verify every route under a path prefix has the exact expected middleware stack.
surfacethe app surface to check
path_prefixprefix to filter routes (e.g. '/api/')
stringexpected_middlewarethe exact middleware names in order
string[]void AssertionError - if no routes match `path_prefix`, or if any matchingtesting/surface_invariants.ts view source
(surface: AppSurface): void Every route with non-null input_schema has 400 in error_schemas.
surfacevoid testing/rpc_helpers.ts view source
(body: unknown, expected_code?: -32700 | -32600 | -32601 | -32602 | -32603 | (number & $brand<"JsonrpcServerErrorCode">) | undefined): void Assert that a response body is a valid JSON-RPC error response.
Validates the structure matches JsonrpcErrorResponse and optionally checks the error code.
bodyunknownexpected_code?optional error code to assert
-32700 | -32600 | -32601 | -32602 | -32603 | (number & $brand<"JsonrpcServerErrorCode">) | undefinedvoid testing/rpc_helpers.ts view source
(body: unknown, output_schema?: ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>> | undefined): void Assert that a response body is a valid JSON-RPC success response.
Validates the structure matches JsonrpcResponse. When output_schema
is provided, also validates the result field against the declared
output schema โ matching the REST round-trip's assert_response_matches_spec.
bodyunknownoutput_schema?optional Zod schema to validate the result field against
ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>> | undefinedvoid testing/surface_invariants.ts view source
(surface: AppSurface, prefixes?: string[]): void Keeper-protected routes must be under expected path prefixes.
Catches keeper routes accidentally placed outside the API namespace
(e.g., a keeper route at /health or /admin/ instead of /api/...).
surfaceprefixesstring[]DEFAULT_KEEPER_ROUTE_PREFIXESvoid testing/surface_invariants.ts view source
(surface: AppSurface): void Every applicable middleware that declares errors must have those status codes
present in the route's error_schemas.
surfacevoid testing/surface_invariants.ts view source
(surface: AppSurface): void Routes with non-null input schemas should use POST (or other mutation methods), not GET.
GET routes with request bodies are technically allowed by HTTP but semantically suspicious โ they bypass browser security assumptions about GET being idempotent. Query-string-driven filtering (audit log, list endpoints) should use params schemas or query string parsing, not input schemas.
Note: RPC endpoints (create_rpc_endpoint) use input: z.null() on their
route specs โ the dispatcher handles body/query parsing internally. Real input
schemas live in rpc_endpoints surface, not on routes.
surfacevoid testing/surface_invariants.ts view source
(surface: AppSurface): void No duplicate method+path pairs.
surfacevoid testing/integration_helpers.ts view source
(body: Record<string, unknown>, context: string): void Assert that an error response contains no leaky field values.
Checks both field names and string values for patterns indicating stack traces, SQL, or internal paths.
bodyRecord<string, unknown>contextdescription for error messages
stringvoid testing/integration_helpers.ts view source
(body: unknown, blocklist: readonly string[], context: string): void Assert that a parsed JSON body contains no fields from the given blocklist.
bodyunknownblocklistreadonly string[]contextdescription for error messages
stringvoid testing/surface_invariants.ts view source
(surface: AppSurface, allowlist?: string[]): void Public mutation routes (auth: none + is_mutation) must be in the allowlist.
Catches accidentally unprotected POST/PUT/DELETE routes. Routes like login and bootstrap are public mutations by design โ they go in the allowlist.
surfaceallowliststring[][]void testing/data_exposure.ts view source
(surface: AppSurface, admin_only_fields?: readonly string[]): void Assert that non-admin route output schemas don't contain admin-only fields.
surfaceadmin_only_fieldsreadonly string[]ADMIN_ONLY_FIELD_BLOCKLISTvoid testing/assertions.ts view source
(surface: AppSurface, expected_public: string[]): void Bidirectional check: no unexpected public routes, no missing expected ones.
surfacethe app surface to check
expected_publicformat: ['GET /health', 'POST /api/account/login']
string[]void AssertionError - if the live surface has public routes not intesting/data_exposure.ts view source
(surface: AppSurface, sensitive_fields?: readonly string[]): void Assert that no output schema in the surface contains sensitive field names.
surfacesensitive_fieldsreadonly string[]SENSITIVE_FIELD_BLOCKLISTvoid testing/surface_invariants.ts view source
(surface: AppSurface): void Every route with non-null params_schema has 400 in error_schemas.
surfacevoid testing/surface_invariants.ts view source
(surface: AppSurface): void Every protected route has 401 in error_schemas.
surfacevoid testing/surface_invariants.ts view source
(surface: AppSurface): void Every route with non-null query_schema has 400 in error_schemas.
surfacevoid testing/integration_helpers.ts view source
(response: Response, body: { retry_after: number; }): void Assert that a 429 response includes a valid Retry-After header
matching the JSON body's retry_after field.
responseResponsebody{ retry_after: number; }void testing/integration_helpers.ts view source
(route_specs: RouteSpec[], method: string, path: string, response: Response): Promise<void> Validate a response body against the route spec's declared schemas.
For 2xx responses, validates against spec.output.
For error responses, validates against the merged error schema for that status code.
route_specsRouteSpec[]methodstringpathstringresponseResponsePromise<void> Error - if no route spec matches `method` + `path`, if the responsetesting/surface_invariants.ts view source
(surface: AppSurface): void Every role/keeper route has 403 in error_schemas.
surfacevoid <T>(row: T | undefined, context?: string | undefined): T Assert that a row is present, throwing a descriptive error if missing.
Use after INSERT ... RETURNING queries where the database guarantees
a row is returned on success. Replaces bare row! non-null assertions
with an explicit runtime check.
rowthe row from query_one (T | undefined) or rows[0] (T | undefined)
T | undefinedcontext?optional context for the error message (e.g. table or operation name)
string | undefinedT the row, guaranteed non-undefined
Error - if `row` is `undefined`testing/surface_invariants.ts view source
(surface: AppSurface, sensitive_patterns?: (string | RegExp)[]): void Sensitive routes must declare rate limiting (rate_limit_key is non-null)
or have 429 in their error schemas.
Matches routes against sensitive patterns and flags any that lack rate limit declarations. Catches forgotten rate limiting on credential-handling routes.
surfacesensitive_patterns(string | RegExp)[]DEFAULT_SENSITIVE_PATTERNSvoid testing/assertions.ts view source
(build_surface: () => AppSurface): void Verify surface generation is deterministic (build twice, compare).
build_surface() => AppSurfacevoid testing/surface_invariants.ts view source
(surface: AppSurface): void Run all structural invariants. Options-free โ applies universally.
Catches schema/surface generation bugs: missing 401/403/400 declarations, empty descriptions, duplicate routes, middleware-injected error codes unpropagated to routes, structurally invalid error schemas, error codes appearing at multiple statuses, and generic 404 schemas on param routes.
surfacevoid AssertionError - on the first invariant violation; the message namestesting/assertions.ts view source
(surface: AppSurface, snapshot_path: string): void Compare live surface against a committed snapshot JSON file.
Failure message instructs the developer to run gro gen to update the
snapshot โ every fuz_app consumer wires the snapshot through a *.gen.ts
file so regeneration goes through the same pipeline as the rest of the
generated artifacts.
surfacethe live surface to check
snapshot_pathabsolute path to the committed JSON snapshot
stringvoid AssertionError - if the live surface does not deep-equal the snapshot,testing/surface_invariants.ts view source
(surface: AppSurface, options?: SurfaceSecurityPolicyOptions): void Run security policy invariants. Configurable with sensible defaults.
Checks: - Sensitive routes are rate-limited - No unexpected public mutation routes - Input schemas use mutation methods (not GET) - Keeper routes under expected prefixes
surfaceoptions{}void AssertionError - on the first policy violation; the message namesdb/sql_identifier.ts view source
(name: string): string Assert that a string is a valid SQL identifier.
Use this before interpolating table or column names into DDL queries
where parameterized placeholders ($1) are not supported.
namethe identifier to validate
stringstring the validated identifier
Error - if the identifier contains characters outside `[a-zA-Z0-9_]`testing/surface_invariants.ts view source
(surface: AppSurface): ErrorSchemaAuditEntry[] Audit error schema tightness across all routes in a surface.
Reports which route x status code combinations use generic ApiError
(z.string()) vs specific z.literal() or z.enum() error codes.
Use the output to prioritize progressive tightening of error schemas.
surfaceErrorSchemaAuditEntry[] audit entries for every route x status combination
auth/audit_log_schema.ts view source
RegExp Letter start, then letters, digits, _, ., /, -. Accepts snake_case,
dotted, and namespaced consumer conventions; rejects empty strings, leading
separators, whitespace, and control characters.
auth/audit_log_schema.ts view source
readonly ["login", "logout", "bootstrap", "signup", "password_change", "session_revoke", "session_revoke_all", "token_create", "token_revoke", "token_revoke_all", "permit_grant", ... 9 more ..., "app_settings_update"] All tracked auth event types. Frozen to convert accidental in-process mutation (test cross-contamination, cast escapes) into loud TypeErrors. Not a security boundary โ in-process code has many other paths to subvert audit logging.
realtime/sse_auth_guard.ts view source
"audit_log" SSE channel the audit-log stream route publishes on.
auth/audit_log_schema.ts view source
50 Default page size for audit log listings.
realtime/sse_auth_guard.ts view source
EventSpec[] SSE event specs for audit log events.
One spec per AUDIT_EVENT_TYPES entry, all sharing the AuditLogEventJson params schema.
Pass to create_app_server's event_specs for surface generation and DEV validation.
auth/audit_log_queries.ts view source
<T extends string>(route: Pick<RouteContext, "background_db" | "pending_effects">, input: AuditLogInput<T>, deps: AuditLogFireAndForgetDeps): Promise<...> Log an audit event without blocking the caller.
Errors are logged โ audit logging never breaks auth flows. Uses
background_db so entries persist even when the request transaction
rolls back. Write and on_audit_event callback failures are logged separately.
routebackground_db and pending_effects from the route context
Pick<RouteContext, "background_db" | "pending_effects">inputthe audit event to record
AuditLogInput<T>depslogger, on_audit_event callback, and optional audit_log_config
Promise<void> the settled promise (callers may ignore it)
auth/audit_log_schema.ts view source
string[] auth/admin_action_specs.ts view source
{ method: string; kind: "request_response"; initiator: "frontend"; auth: { role: string; }; side_effects: false; input: ZodObject<{ event_type: ZodOptional<ZodNullable<ZodString>>; ... 4 more ...; since_seq: ZodOptional<...>; }, $strict>; output: ZodObject<...>; async: true; description: string; } auth/admin_action_specs.ts view source
200 Max audit-log page size. Mirrors the former REST route's clamp.
auth/admin_action_specs.ts view source
{ method: string; kind: "request_response"; initiator: "frontend"; auth: { role: string; }; side_effects: false; input: ZodObject<{ limit: ZodOptional<ZodNullable<ZodNumber>>; offset: ZodOptional<...>; }, $strict>; output: ZodObject<...>; async: true; description: string; } ui/audit_log_state.svelte.ts view source
{ get: () => () => AuditLogRpc | null; set: (value?: (() => AuditLogRpc | null) | undefined) => () => AuditLogRpc | null; } Svelte context carrying the reactive AuditLogRpc accessor. Mirrors
admin_accounts_rpc_context. Unset context falls back to () => null.
auth/audit_log_schema.ts view source
"\nCREATE TABLE IF NOT EXISTS audit_log (\n id UUID PRIMARY KEY DEFAULT gen_random_uuid(),\n seq SERIAL NOT NULL,\n event_type TEXT NOT NULL,\n outcome TEXT NOT NULL DEFAULT 'success',\n actor_id UUID REFERENCES actor(id) ON DELETE SET NULL,\n account_id UUID REFERENCES account(id) ON DELETE SET NULL,\n targe... realtime/sse_auth_guard.ts view source
10 Default max concurrent SSE subscribers per session scope for the audit log.
The audit log SSE subscribes with scope = session_hash and
groups = [account_id]. Only scope is capped โ so this limits tabs
per session. An account's total streams across all sessions is bounded
transitively by max_sessions ร AUDIT_LOG_SSE_MAX_PER_SCOPE. 10 tabs
per session is a comfortable ceiling for normal use; consumers raising
it above ~50 should consider server-side connection limits.
auth/audit_log_schema.ts view source
Readonly<{ login: ZodNullable<ZodObject<{ username: ZodString; }, $loose>>; logout: ZodNull; bootstrap: ZodNullable<ZodObject<{ error: ZodString; }, $loose>>; ... 17 more ...; app_settings_update: ZodObject<...>; }> Per-event-type metadata Zod schemas. z.looseObject so consumers can
add fields while known ones are validated. The record is frozen to
catch mutation bugs at the key level (e.g. tests that try to swap in a
stub schema); the Zod schemas themselves are reachable and mutable โ
freeze isn't a security boundary.
testing/audit_completeness.ts view source
AuditCompletenessTestOptions Configuration for describe_audit_completeness_tests.
session_optionsSession config for cookie-based auth.
SessionOptions<string>create_route_specsRoute spec factory โ same one used in production.
(ctx: AppServerContext) => Array<RouteSpec>rpc_endpointsRPC endpoint specs โ the source RpcAction arrays. Required; the admin permit flow is RPC-only and the suite hard-fails without it.
Accepts either an array (eager) or a factory
(ctx: AppServerContext) => Array<RpcEndpointSpec> โ the factory form
is required when action handlers must close over the per-test
ctx.app_settings / ctx.deps (e.g. exercising app_settings_update).
The factory must return the same endpoint path regardless of ctx โ
it is invoked once at setup with a stub ctx for path lookup and again
per-test by create_app_server for live dispatch.
app_optionsOptional overrides for AppServerOptions.
db_factoriesDatabase factories to run tests against. Default: pglite only.
Array<DbFactory>actions/transports_ws_auth_guard.ts view source
AuditEventHandler Audit-event callback shape โ the function CreateAppBackendOptions.on_audit_event
accepts and that the helpers in this module return.
Exported so consumers composing multiple handlers (typically
create_ws_auth_guard + create_ws_logout_closer + their own
pre-existing on_audit_event) can annotate their composed callback
without reaching for Parameters<typeof create_ws_auth_guard>[0].
auth/audit_log_schema.ts view source
ZodEnum<{ invite_create: "invite_create"; invite_delete: "invite_delete"; app_settings_update: "app_settings_update"; login: "login"; logout: "logout"; bootstrap: "bootstrap"; signup: "signup"; ... 13 more ...; permit_offer_supersede: "permit_offer_supersede"; }> Zod schema for audit event types.
auth/audit_log_schema.ts view source
ZodString Zod schema for valid audit event-type name strings.
auth/audit_log_schema.ts view source
AuditLogConfig Configuration bundle for audit-log event types and metadata schemas.
Lets consumers extend the closed AUDIT_EVENT_TYPES enum with their own
event strings (and metadata Zod schemas) without forking. Pass to
audit_log_fire_and_forget / query_audit_log as the optional config
argument; both default to BUILTIN_AUDIT_LOG_CONFIG.
The DB column is TEXT NOT NULL and never enforced an enum, so consumer
event types round-trip through query_audit_log_list and SSE identically
to builtins.
Constructed configs are deep-frozen (wrapper, event_types,
metadata_schemas) to catch accidental mutation bugs early. Not a
security boundary against in-process code, which can subvert audit
logging through other paths.
event_typesAll recognized event-type strings โ fuz_app builtins plus consumer extras.
ReadonlyArray<string>metadata_schemasPer-event-type metadata schemas. Missing entries skip metadata validation for that type (row still written; metadata stored as raw JSONB).
Readonly<Record<string, z.ZodType>>auth/audit_log_schema.ts view source
AuditLogEvent Audit log row from the database. See AuditLogEventJson for event_type widening rationale.
idUuidseqnumberevent_typeoutcomeactor_idUuid | nullaccount_idUuid | nulltarget_account_idUuid | nullipstring | nullcreated_atstringmetadataRecord<string, unknown> | nullauth/audit_log_schema.ts view source
ZodObject<{ id: $ZodBranded<ZodUUID, "Uuid", "out">; seq: ZodNumber; event_type: ZodString; outcome: ZodEnum<{ success: "success"; failure: "failure"; }>; ... 5 more ...; metadata: ZodNullable<...>; }, $strict> Zod schema for client-safe audit log event.
event_type is AuditEventTypeName (regex-validated string) โ matches
the AuditLogEvent row and the DB's TEXT NOT NULL column. Consumer
types registered via create_audit_log_config({extra_events}) round-trip
through queries, on_audit_event callbacks, and JSON-RPC responses
identically to builtins. AuditLogInput<T> stays parameterized on the
write side so AuditMetadataMap narrowing via get_audit_metadata works.
auth/audit_log_schema.ts view source
ZodObject<{ id: $ZodBranded<ZodUUID, "Uuid", "out">; seq: ZodNumber; event_type: ZodString; outcome: ZodEnum<{ success: "success"; failure: "failure"; }>; ... 7 more ...; target_username: ZodNullable<...>; }, $strict> Zod schema for audit log events with resolved usernames.
auth/audit_log_queries.ts view source
AuditLogFireAndForgetDeps Capabilities required by audit_log_fire_and_forget.
Defined as a slice of AppDeps so call sites can pass the surrounding deps
bundle directly without a structural-compatibility coincidence. The bundled
shape replaces the prior (log, on_audit_event, config?) positional args
โ consumers that forgot the trailing config would silently fall back to
BUILTIN_AUDIT_LOG_CONFIG and skip metadata validation for their own
event types. audit_log_config is optional on AppDeps and defaults to
BUILTIN_AUDIT_LOG_CONFIG inside audit_log_fire_and_forget when absent.
auth/audit_log_schema.ts view source
AuditLogInput<T> Input for creating an audit log entry.
Tstringevent_typeToutcomeactor_idUuid | nullaccount_idUuid | nulltarget_account_idUuid | nullipstring | nullmetadataPer-event-type metadata. Builtin T narrows to AuditMetadataMap[T];
consumer strings widen to a generic record (validation runs against
AuditLogConfig.metadata_schemas at insert time).
T extends AuditEventType
? (AuditMetadataMap[T] & Record<string, unknown>) | null
: Record<string, unknown> | nullauth/admin_action_specs.ts view source
ZodObject<{ event_type: ZodOptional<ZodNullable<ZodString>>; outcome: ZodOptional<ZodNullable<ZodEnum<{ success: "success"; failure: "failure"; }>>>; account_id: ZodOptional<...>; limit: ZodOptional<...>; offset: ZodOptional<...>; since_seq: ZodOptional<...>; }, $strict> Input for audit_log_list. All filter fields are optional โ omit for the
default newest-first page. since_seq exists for SSE reconnection gap
fill (caller supplies the highest seq seen; server returns everything
after).
auth/audit_log_schema.ts view source
AuditLogListOptions Options for listing audit log entries.
limitnumberoffsetnumberevent_typeEvent-type filter. Accepts any string โ builtins or consumer-registered
via create_audit_log_config({extra_events}). The DB column is
TEXT NOT NULL with no CHECK, so unknown strings simply match nothing.
stringevent_type_inArray<string>account_idUuidoutcomesince_seqWhen set, only return events with seq greater than this value. Enables SSE reconnection gap fill.
numberauth/admin_action_specs.ts view source
ZodObject<{ events: ZodArray<ZodObject<{ id: $ZodBranded<ZodUUID, "Uuid", "out">; seq: ZodNumber; event_type: ZodString; outcome: ZodEnum<{ success: "success"; failure: "failure"; }>; ... 7 more ...; target_username: ZodNullable<...>; }, $strict>>; }, $strict> Output for audit_log_list.
auth/admin_action_specs.ts view source
ZodObject<{ limit: ZodOptional<ZodNullable<ZodNumber>>; offset: ZodOptional<ZodNullable<ZodNumber>>; }, $strict> Input for audit_log_permit_history.
auth/admin_action_specs.ts view source
ZodObject<{ events: ZodArray<ZodObject<{ id: $ZodBranded<ZodUUID, "Uuid", "out">; seq: ZodNumber; event_type: ZodString; outcome: ZodEnum<{ success: "success"; failure: "failure"; }>; ... 7 more ...; target_username: ZodNullable<...>; }, $strict>>; }, $strict> Output for audit_log_permit_history.
auth/audit_log_routes.ts view source
AuditLogRouteOptions Options for audit log route specs.
required_roleRole required to access audit routes. Default 'admin'.
stringstreamWhen provided, includes an SSE route at /audit/stream for realtime audit events.
The subscribe function receives the stream, channels, and the subscriber's account_id
as an identity key โ enabling close_by_identity() for auth revocation.
{
subscribe: (stream: SseStream<SseNotification>, options?: SubscribeOptions) => () => void;
log: Logger;
}ui/audit_log_state.svelte.ts view source
AuditLogRpc Narrow RPC surface consumed by AuditLogState. Consumers adapt their typed RPC client to this shape. Mirrors AdminAccountsRpc / AdminInvitesRpc. Method signatures track the wire spec inputs/outputs directly so the adapter needs no casts.
list(input?: AuditLogListInput) => Promise<AuditLogListOutput>permit_history(input?: AuditLogPermitHistoryInput) => Promise<AuditLogPermitHistoryOutput>realtime/sse_auth_guard.ts view source
AuditLogSse Convenience factory result for audit log SSE.
Satisfies AuditLogRouteOptions['stream'] and provides the combined
on_audit_event callback (broadcast + guard).
subscribeSubscribe function โ pass as part of stream option to create_audit_log_route_specs.
(stream: SseStream<SseNotification>, options?: SubscribeOptions) => () => voidlogLogger โ pass as part of stream option to create_audit_log_route_specs.
Loggeron_audit_eventCombined broadcast + guard callback. Pass as on_audit_event on CreateAppBackendOptions.
(event: AuditLogEvent) => voidregistryThe underlying registry โ exposed for subscriber count monitoring.
SubscriberRegistry<SseNotification>ui/audit_log_state.svelte.ts view source
eventstype Array<AuditLogEventWithUsernamesJson>
permit_history_eventstype Array<PermitHistoryEventJson>
countconnectedWhether the SSE stream is currently connected.
constructortype new (options?: AuditLogStateOptions | undefined): AuditLogState
options?AuditLogStateOptions | undefinedfetchtype (options?: { event_type?: string | null | undefined; outcome?: "success" | "failure" | null | undefined; account_id?: (string & $brand<"Uuid">) | null | undefined; limit?: number | null | undefined; offset?: number | ... 1 more ... | undefined; since_seq?: number | ... 1 more ... | undefined; } | undefined): Promise<...>
options?{ event_type?: string | null | undefined; outcome?: "success" | "failure" | null | undefined; account_id?: (string & $brand<"Uuid">) | null | undefined; limit?: number | null | undefined; offset?: number | ... 1 more ... | undefined; since_seq?: number | ... 1 more ... | undefined; } | undefinedPromise<void>fetch_permit_historytype (limit?: number | undefined, offset?: number | undefined): Promise<void>
limit?number | undefinedoffset?number | undefinedPromise<void>subscribeConnect to the SSE stream for realtime audit events.
New events are prepended to events. EventSource auto-reconnects on
transient errors; since_seq fills gaps on reconnection.
type (): () => void
() => voidcleanup function that closes the connection
disconnectClose the SSE connection.
type (): void
voidui/audit_log_state.svelte.ts view source
AuditLogStateOptions get_rpcReactive accessor for the RPC adapter. Matches the get_rpc pattern on
AdminAccountsState โ null disables fetch operations (SSE still works).
() => AuditLogRpc | nullstream_urlSSE stream URL. Defaults to the shipped admin audit-log stream route.
stringauth/audit_log_schema.ts view source
AuditMetadataMap Mapped type of metadata shapes per event type, derived from Zod schemas.
auth/audit_log_schema.ts view source
ZodEnum<{ success: "success"; failure: "failure"; }> Zod schema for audit event outcomes.
"auth_api_token_id" Hono context variable name for the authenticated API token id.
readonly ["app_settings", "invite", "audit_log", "api_token", "auth_session", "permit", "permit_offer", "actor", "account", "bootstrap_lock"] All auth tables in drop order (children first for FK safety).
The full set created by AUTH_MIGRATIONS โ use for clean-slate
test DB initialization. AUTH_TRUNCATE_TABLES is the subset for
between-test data cleanup (excludes audit_log).
When adding tables to AUTH_MIGRATIONS, add them here too.
string[] Auth tables including audit_log โ for integration tests that exercise
the full middleware stack (login, admin, rate limiting).
Separate from AUTH_TRUNCATE_TABLES because unit-level DB tests that don't touch audit logging don't need to truncate it.
auth/migrations.ts view source
"fuz_auth" Namespace identifier for fuz_app auth migrations.
auth/migrations.ts view source
MigrationNamespace Pre-composed migration namespace for auth tables.
auth/migrations.ts view source
Migration[] Auth schema migrations in order.
- v0: Full auth schema โ account (with email_verified), actor, permit,
auth_session, api_token, audit_log (with seq), bootstrap_lock, invite,
app_settings, plus all indexes and seeds.
- v1: permit_offer table for consentful grants; adds scope_id /
source_offer_id / revoked_reason to permit and swaps the
(actor_id, role) partial unique index for a scope-aware variant using
the all-zeros sentinel UUID. The permit_offer table carries a
superseded_at terminal state; its partial unique index is scoped by
(to_account, role, scope, from_actor) so multiple grantors may coexist.
auth/session_queries.ts view source
number Extend session when it has less than this remaining (1 day in ms).
string[] auth/session_queries.ts view source
number Session lifetime in milliseconds (30 days).
"\nCREATE TABLE IF NOT EXISTS auth_session (\n id TEXT PRIMARY KEY,\n account_id UUID NOT NULL REFERENCES account(id) ON DELETE CASCADE,\n created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),\n expires_at TIMESTAMPTZ NOT NULL,\n last_seen_at TIMESTAMPTZ NOT NULL DEFAULT NOW()\n)" auth/request_context.ts view source
"auth_session_token_hash" Hono context variable name for the authenticated session token hash.
Set by create_request_context_middleware after a successful session lookup.
null when the request is unauthenticated or authenticated via a non-session
credential (bearer token, daemon token). Exposed so handlers can scope
per-session resources (e.g., SSE stream identity for targeted disconnection
on session_revoke) without re-hashing the token.
ui/auth_state.svelte.ts view source
{ get: (error_message?: string | undefined) => AuthState; get_maybe: () => AuthState | undefined; set: (value: AuthState) => AuthState; } Svelte context for AuthState.
Use auth_state_context.set(state) in the provider and auth_state_context.get() to access.
string[] Auth table names in truncation order (children first for FK safety).
Consumer projects can spread this into their own list and append app-specific tables.
AuthCleanupDeps Dependencies for the cleanup helpers.
logLoggeron_audit_eventCalled after each audit event INSERT succeeds. Typically the same
callback wired into AppDeps.on_audit_event (SSE broadcast). Omit
to skip broadcast โ the audit rows still land in the DB.
((event: AuditLogEvent) => void) | nullaudit_log_configAudit-log config. Only the builtin permit_offer_expire event type is
emitted here, so omitting this is safe โ the field exists so consumers
threading the same AppDeps bundle to scheduled cleanup keep using
their registered config (and consumer extensions to the
permit_offer_expire metadata schema get validated).
AuthCleanupResult Result of run_auth_cleanup.
expired_sessionsNumber of expired session rows deleted.
numberexpired_offersNumber of expired permit offer rows audit-stamped.
numberhttp/route_spec.ts view source
AuthGuardResolver Resolves a RouteAuth to middleware guard handlers.
Injected into apply_route_specs to decouple route registration from auth-specific middleware. See fuz_auth_guard_resolver in auth/route_guards.ts for the standard implementation.
auth/middleware.ts view source
AuthMiddlewareOptions Per-factory configuration for the standard auth middleware stack.
allowed_originsArray<RegExp>session_optionsSessionOptions<string>pathPath pattern for middleware (default: '/api/*').
stringdaemon_token_stateDaemon token state for keeper auth. Omit to disable daemon token middleware.
bearer_ip_rate_limiterRate limiter for bearer token auth attempts (per-IP). Pass null to disable.
RateLimiter | nullauth/permit_offer_actions.ts view source
(auth: RequestContext, input: { to_account_id: string; role: string; scope_id: string | null; }, deps: Pick<RouteFactoryDeps, "log">, ctx: ActionContext): boolean | Promise<...> Authorization callback that admits any admin and otherwise falls back to the symmetric default (caller must hold the offered role globally).
The web_grantable filter in create_handler runs before the
authorize callback, so this never sees non-web-grantable roles. Drop
into create_permit_offer_actions({authorize: authorize_admin_or_holder})
(or any factory that forwards authorize, e.g. create_standard_rpc_actions)
for the common "admins offer anything; users offer what they hold"
pattern. Scope-aware policies (e.g. classroom_teacher offering
classroom_student in their own scope) wrap this and short-circuit true
before delegating.
authinput{ to_account_id: string; role: string; scope_id: string | null; }depsPick<RouteFactoryDeps, "log">ctxboolean | Promise<boolean> auth/account_schema.ts view source
AuthSession Server-side auth session, keyed by blake3 hash of session token.
idstringaccount_idUuidcreated_atstringexpires_atstringlast_seen_atstringauth/account_schema.ts view source
ZodObject<{ id: ZodString; account_id: $ZodBranded<ZodUUID, "Uuid", "out">; created_at: ZodString; expires_at: ZodString; last_seen_at: ZodString; }, $strict> Zod schema for AuthSession โ id is the blake3 hash, safe for client.
auth/account_routes.ts view source
AuthSessionRouteOptions Shared options for route factories that create sessions and rate-limit by IP.
Extended by AccountRouteOptions and SignupRouteOptions. Consumers can destructure these from AppServerContext once and spread into multiple factories.
session_optionsSessionOptions<string>ip_rate_limiterRate limiter for auth attempts, keyed by client IP. Pass null to disable.
RateLimiter | nullui/auth_state.svelte.ts view source
verifyingverifiedverify_errortype string | null
accounttype SessionAccount | null
actortype ActorSummaryJson | null
permitstype Array<PermitSummaryJson>
active_permitstype Array<PermitSummaryJson>
rolestype Array<string>
needs_bootstrapTrue when bootstrap is available (no accounts exist yet).
check_sessionCheck auth state and bootstrap availability.
Fetches GET /api/account/status โ returns account info (200) or
401 with optional bootstrap_available flag.
Called on init, and after login/bootstrap to refresh state.
type (): Promise<void>
Promise<void>loginLog in with username and password. Translates 401 / 429 to friendly
messages on verify_error; refreshes the session via check_session
on success.
type (username: string, password: string): Promise<boolean>
usernamestringpasswordstringPromise<boolean>true if login succeeded, false otherwise
bootstrapBootstrap the first keeper account using a single-use token.
type (token: string, username: string, password: string): Promise<boolean>
tokenstringusernamestringpasswordstringPromise<boolean>true if bootstrap succeeded, false otherwise
signupSign up via invite (or open signup, when app_settings.open_signup
is true server-side). Translates 403 / 409 / 429 to friendly messages
on verify_error.
type (username: string, password: string, email?: string | undefined): Promise<boolean>
usernamestringpasswordstringemail?string | undefinedPromise<boolean>true if signup succeeded, false otherwise
logoutLog out โ best-effort POST /api/account/logout to clear the session
cookie, then clears local state regardless of the network outcome.
type (): Promise<void>
Promise<void>testing/auth_apps.ts view source
AuthTestApps Pre-built Hono apps for each auth level, shared across adversarial test suites.
publicHonoauthedHonokeeperHonoby_roleMap<string, Hono>actions/transports_ws_backend.ts view source
transport_nameadd_connectionAdd a new WebSocket connection with auth info.
Session connections pass a token hash for targeted revocation.
Bearer token connections (api_token) pass the api_token.id so the
socket can be closed when that specific token is revoked without
tearing down the account's other sockets. Daemon-token connections
pass null for both โ they're only reachable via
close_sockets_for_account.
type (ws: WSContext<unknown>, token_hash: string | null, account_id: string & $brand<"Uuid">, api_token_id?: string | null): string & $brand<"Uuid">
wsWSContext<unknown>token_hashstring | nullaccount_idstring & $brand<"Uuid">api_token_idstring | nullnullstring & $brand<"Uuid">the freshly assigned connection_id (branded Uuid)
remove_connectionRemove a WebSocket connection and its auth tracking data. Idempotent โ safe to call after revocation has already cleaned up.
type (ws: WSContext<unknown>): void
wsWSContext<unknown>voidclose_sockets_for_sessionClose all sockets associated with a specific session token hash.
type (token_hash: string): number
token_hashstringnumberthe number of sockets closed
close_sockets_for_accountClose all sockets associated with a specific account.
type (account_id: string & $brand<"Uuid">): number
account_idstring & $brand<"Uuid">numberthe number of sockets closed
close_sockets_for_tokenClose all sockets associated with a specific API token.
Used on token_revoke audit events so revoking one token doesn't
tear down the account's session-authenticated sockets or other
tokens' sockets.
type (api_token_id: string): number
api_token_idstringnumberthe number of sockets closed
sendtype (message: { [x: string]: unknown; jsonrpc: "2.0"; id: string | number; method: string; params?: { [x: string]: unknown; } | undefined; }, options?: TransportSendOptions | undefined): Promise<...>
message{ [x: string]: unknown; jsonrpc: "2.0"; id: string | number; method: string; params?: { [x: string]: unknown; } | undefined; }options?TransportSendOptions | undefinedPromise<{ [x: string]: unknown; jsonrpc: "2.0"; id: string | number; result: { [x: string]: unknown; }; } | { [x: string]: unknown; jsonrpc: "2.0"; id: string | number | null; error: { [x: string]: unknown; code: -32700 | -32600 | -32601 | -32602 | -32603 | (number & $brand<...>); message: string; data?: unknown; };...sendtype (message: { [x: string]: unknown; jsonrpc: "2.0"; id: string | number; method: string; params?: { [x: string]: unknown; } | undefined; }, options?: TransportSendOptions | undefined): Promise<...>
message{ [x: string]: unknown; jsonrpc: "2.0"; id: string | number; method: string; params?: { [x: string]: unknown; } | undefined; }options?TransportSendOptions | undefinedPromise<{ [x: string]: unknown; jsonrpc: "2.0"; id: string | number; result: { [x: string]: unknown; }; } | { [x: string]: unknown; jsonrpc: "2.0"; id: string | number | null; error: { [x: string]: unknown; code: -32700 | -32600 | -32601 | -32602 | -32603 | (number & $brand<...>); message: string; data?: unknown; };...sendtype (message: { [x: string]: unknown; jsonrpc: "2.0"; id: string | number; method: string; params?: { [x: string]: unknown; } | undefined; }, options?: TransportSendOptions | undefined): Promise<...>
message{ [x: string]: unknown; jsonrpc: "2.0"; id: string | number; method: string; params?: { [x: string]: unknown; } | undefined; }options?TransportSendOptions | undefinedPromise<{ [x: string]: unknown; jsonrpc: "2.0"; id: string | number; result: { [x: string]: unknown; }; } | { [x: string]: unknown; jsonrpc: "2.0"; id: string | number | null; error: { [x: string]: unknown; code: -32700 | -32600 | -32601 | -32602 | -32603 | (number & $brand<...>); message: string; data?: unknown; };...broadcast_filteredBroadcast to connections whose identity satisfies a predicate.
Used by the broadcast API when a consumer supplies a subscription ACL hook
(e.g. tx's tx_run_created only reaches the account that owns the run).
When no ACL is needed, callers should prefer send(message) / #broadcast
to skip the per-connection predicate overhead.
type (message: { [x: string]: unknown; jsonrpc: "2.0"; id: string | number; result: { [x: string]: unknown; }; } | { [x: string]: unknown; jsonrpc: "2.0"; id: string | number | null; error: { [x: string]: unknown; code: -32700 | -32600 | -32601 | -32602 | -32603 | (number & $brand<...>); message: string; data?: unknown; }; } | { ...; }, predicate: (identity: ConnectionIdentity) => boolean): number
message{ [x: string]: unknown; jsonrpc: "2.0"; id: string | number; result: { [x: string]: unknown; }; } | { [x: string]: unknown; jsonrpc: "2.0"; id: string | number | null; error: { [x: string]: unknown; code: -32700 | -32600 | -32601 | -32602 | -32603 | (number & $brand<...>); message: string; data?: unknown; }; } | { ....predicate(identity: ConnectionIdentity) => booleannumberthe number of sockets the message was sent to
send_to_accountSend a message to every socket bound to a specific account.
Targeted per-account fan-out for any flow where the delivery target
is a single known account. Prefer this over broadcast_filtered when
the filter is exactly "this account_id"; reach for broadcast_filtered
when the ACL is an arbitrary predicate over ConnectionIdentity.
Mirrors close_sockets_for_account on the send side: every connection
for the account (session, bearer, and daemon-token) receives the
message.
type (account_id: string & $brand<"Uuid">, message: { [x: string]: unknown; jsonrpc: "2.0"; id: string | number; result: { [x: string]: unknown; }; } | { [x: string]: unknown; jsonrpc: "2.0"; id: string | number | null; error: { ...; }; } | { ...; }): number
account_idstring & $brand<"Uuid">message{ [x: string]: unknown; jsonrpc: "2.0"; id: string | number; result: { [x: string]: unknown; }; } | { [x: string]: unknown; jsonrpc: "2.0"; id: string | number | null; error: { [x: string]: unknown; code: -32700 | -32600 | -32601 | -32602 | -32603 | (number & $brand<...>); message: string; data?: unknown; }; } | { ....numberthe number of sockets the message was sent to
is_readytype (): boolean
booleanget_connection_countNumber of currently tracked WebSocket connections.
Read-only counter intended for telemetry, logging, and tests.
Counts every entry in the connection map โ including connections
that have been closed by the peer but not yet removed by the WS
adapter's onClose callback.
type (): number
numberactions/action_types.ts view source
BaseHandlerContext Minimum per-request context every server-side WS handler receives.
Consumers extend this with domain-specific fields via the dispatcher's
extend_context option. Mirrors the HTTP-side ActionContext and Rust's
Ctx<'a> shape (request_id + NotifyFn + CancellationToken).
request_idJSON-RPC envelope request id โ echoed back on the response.
connection_idStable per-socket connection id assigned by
BackendWebsocketTransport.add_connection โ same reference across every
message on this socket, also passed to on_socket_open /
on_socket_close. Consumers key per-connection domain state on this
directly instead of trying to derive it from signals (which are
per-message composites of AbortSignal.any([socket, request])).
UuidnotifySend a request-scoped JSON-RPC notification to the originating socket. Not a broadcast โ the message only reaches the client whose request triggered this handler.
(method: string, params: unknown) => voidsignalFires on socket close OR on a client-initiated cancel notification
matching this request's id. Streaming handlers poll for early
termination; per-message composite (AbortSignal.any([socket, request]))
โ not stable across messages.
AbortSignal(db: Db, ns: MigrationNamespace, names: readonly string[]): Promise<void> Insert tracker rows for the named migrations of a namespace without executing them.
Used to promote an existing schema (e.g. produced by a pre-0.42 build,
preserved through a tracker-shape upgrade) into the new identity tracker.
baseline() trusts the operator-supplied list โ it does not verify that
the schema actually matches what the named migrations would have produced.
Pair with a schema-assertion script post-baseline before re-enabling traffic.
Contract:
- Probes for the pre-0.42 tracker shape; throws old-tracker-shape if
found (DDL with IF NOT EXISTS would otherwise no-op against the old
table and the INSERT would fail with a confusing column-not-found).
- Creates the new-shape schema_version table if missing โ cutover
scripts that just dropped the old-shape table can call baseline()
directly with no separate DDL step.
- Acquires the same per-namespace advisory lock as run_migrations (with
the same try/catch fallback for environments lacking pg_advisory_lock).
- Refuses if any tracker rows already exist *for this namespace* โ lets
multi-call baseline scripts resume after partial failure (completed
namespaces guard themselves while remaining ones still run).
- Verifies the supplied names are a strict prefix of the namespace's
current migrations array โ a name not in the array, or out of order,
errors before any INSERT.
- Writes sequences 0..N-1 in one transaction.
dbthe database instance
nsthe namespace whose migrations are being baselined
namesprefix of ns.migrations[].name to record as already-applied
readonly string[]Promise<void> MigrationError - with `kind` of `old-tracker-shape`,ZodObject<{ NODE_ENV: ZodEnum<{ development: "development"; production: "production"; }>; PORT: ZodDefault<ZodCoercedNumber<unknown>>; HOST: ZodDefault<ZodString>; ... 9 more ...; SMTP_PASSWORD: ZodOptional<...>; }, $strict> Base Zod schema for server environment variables.
Provides the common fields used by fuz apps: server config, database, auth, security, public URLs, and SMTP.
Apps can use directly or extend with app-specific fields via .extend().
testing/middleware.ts view source
BearerAuthMocks Mocks bundle returned by create_bearer_auth_mocks.
mock_validateReturnType<typeof vi.fn>mock_find_by_idReturnType<typeof vi.fn>mock_find_by_accountReturnType<typeof vi.fn>mock_find_active_for_actorReturnType<typeof vi.fn>testing/middleware.ts view source
BearerAuthTestCase A full test case for the table-driven bearer auth runner.
validate_expectationWhether the request should reach token validation or be short-circuited.
'called' | 'not_called'assert_context_setIf true, assert REQUEST_CONTEXT_KEY and CREDENTIAL_TYPE_KEY were set to api_token values.
booleanexpected_api_token_idIf set, assert AUTH_API_TOKEN_ID_KEY was set to this value after a successful bearer auth.
stringassert_context_preservedIf true, assert the pre-existing session context and credential type are preserved.
booleanassert_mocksOptional callback for custom spy assertions on the mocks bundle.
(mocks: BearerAuthMocks) => voidtesting/middleware.ts view source
BearerAuthTestOptions Mock configuration for bearer auth middleware test setup.
nameTest description.
stringheadersRequest headers.
Record<string, string>pre_contextPre-set request context (simulates session already resolved).
mock_validate_resultWhat query_validate_api_token() returns.
unknownmock_find_by_id_resultWhat query_account_by_id() returns.
unknownmock_find_by_account_resultWhat query_actor_by_account() returns.
unknownmock_permits_resultWhat query_permit_find_active_for_actor() returns.
unknownexpected_statusExpected HTTP status, or 'next' if the middleware should call next().
number | 'next'expected_errorExpected error field in JSON response body.
stringexpected_error_schemaZod schema to validate error response body against. Defaults to ApiError when expected_error is set.
z.ZodTypeauth/bootstrap_account.ts view source
(deps: BootstrapAccountDeps, provided_token: string, input: BootstrapAccountInput): Promise<BootstrapAccountResult> Bootstrap the first account with keeper and admin privileges.
Uses an atomic bootstrap_lock UPDATE to prevent concurrent bootstrap
attempts (TOCTOU). The full flow runs in a single transaction:
1. Read and verify the bootstrap token (before transaction)
2. Hash the password (CPU-intensive, before transaction)
3. Acquire the bootstrap lock atomically (inside transaction)
4. Create account + actor
5. Grant keeper and admin permits (no expiry, granted_by = null)
6. Delete the token file (after commit, reported via token_file_deleted)
depsdatabase, token path, filesystem callbacks, and password hashing
provided_tokenthe bootstrap token from the user
stringinputusername and password
Promise<BootstrapAccountResult> the created account, actor, and permits โ or a bootstrap failure
"\nCREATE TABLE IF NOT EXISTS bootstrap_lock (\n id INTEGER PRIMARY KEY DEFAULT 1 CHECK (id = 1),\n bootstrapped BOOLEAN NOT NULL DEFAULT false\n)" "\nINSERT INTO bootstrap_lock (id, bootstrapped)\n SELECT 1, EXISTS(SELECT 1 FROM account)\n ON CONFLICT DO NOTHING" Seed the bootstrap_lock table, setting bootstrapped based on whether accounts exist.
testing/app_server.ts view source
(options: BootstrapTestAccountOptions): Promise<{ account: { id: string & $brand<"Uuid">; username: string; }; actor: { id: string & $brand<"Uuid">; }; api_token: string; session_cookie: string; }> Bootstrap a test account with credentials.
Creates an account with actor, grants roles, creates an API token,
creates a session, and signs a session cookie. Shared by
create_test_app_server and TestApp.create_account.
optionsPromise<{ account: { id: string & $brand<"Uuid">; username: string; }; actor: { id: string & $brand<"Uuid">; }; api_token: string; session_cookie: string; }> auth/bootstrap_account.ts view source
BootstrapAccountDeps Dependencies for bootstrap_account.
dbtoken_pathPath to the bootstrap token file on disk.
stringread_text_fileRead a file's contents as a string.
(path: string) => Promise<string>delete_fileDelete a file.
(path: string) => Promise<void>passwordOnly hashing is needed โ verification happens separately during login.
Pick<PasswordHashDeps, 'hash_password'>logStructured logger instance.
Loggerauth/bootstrap_account.ts view source
BootstrapAccountFailure Bootstrap failure result.
auth/bootstrap_account.ts view source
BootstrapAccountInput Input for the bootstrap account creation.
usernamestringpasswordstringauth/bootstrap_account.ts view source
BootstrapAccountResult Bootstrap account result โ either success or a bootstrap verification failure.
auth/bootstrap_account.ts view source
BootstrapAccountSuccess Successful bootstrap result with the created entities.
oktrueaccountactorpermits{keeper: Permit; admin: Permit}token_file_deletedWhether the bootstrap token file was successfully deleted after account creation.
booleanui/BootstrapForm.svelte view source
redirect_on_bootstrap?Path to navigate to after the first-keeper account is created.
stringauth/bootstrap_routes.ts view source
ZodObject<{ token: ZodString; username: ZodString; password: ZodString; }, $strict> Input for POST /bootstrap. token is the one-shot token file contents.
auth/bootstrap_routes.ts view source
ZodObject<{ ok: ZodLiteral<true>; username: ZodString; }, $strict> Output for POST /bootstrap. Session cookie is the operative side effect.
auth/bootstrap_routes.ts view source
BootstrapRouteOptions Per-factory configuration for bootstrap route specs.
bootstrap_status is runtime state (a mutable ref), not a dep or options value โ
it is passed through so the route handler can flip it on success.
session_optionsSessionOptions<string>bootstrap_statusShared mutable reference โ flipped to false after successful bootstrap.
on_bootstrapCalled after successful bootstrap (account + session created). Use for app-specific post-bootstrap work like generating API tokens.
(result: BootstrapAccountSuccess, c: Context) => Promise<void>ip_rate_limiterRate limiter for bootstrap attempts (per-IP). Pass null to disable.
RateLimiter | nullauth/bootstrap_routes.ts view source
BootstrapStatus Bootstrap status โ runtime state computed once at startup.
availablebooleantoken_pathstring | nulltesting/app_server.ts view source
BootstrapTestAccountOptions Options for bootstrap_test_account.
dbkeyringsession_optionsSessionOptions<string>passwordusernamestringpassword_valuestringrolesArray<string>actions/broadcast_api.ts view source
BroadcastApi Loose base shape for a broadcast API. Consumers typically declare a
stricter per-method interface (e.g. BackendActionsApi) and pin it via
the type parameter on create_broadcast_api.
testing/ws_round_trip.ts view source
<TApi extends object>(options: { harness: WsTestHarness; specs: readonly ({ method: string; initiator: "frontend" | "backend" | "both"; side_effects: boolean; input: ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>; ... 7 more ...; rate_limit?: "both" | ... 2 more ... | undefined; } | { ...; } | { ...; })[]; }): TApi Wire a typed broadcast API against the harness's transport, matching
how a consumer's real backend composes the stack. Returns the typed
API so tests can call .tx_run_created(...) / .workspace_changed(...)
etc. directly.
const harness = create_ws_test_harness<BaseHandlerContext>({specs, handlers});
const broadcast = build_broadcast_api<MyBackendActionsApi>({
harness,
specs: my_broadcast_action_specs,
});
const client = await harness.connect(keeper_identity());
await broadcast.tx_run_created({run_id: '...', ...});
await client.wait_for(is_notification('tx_run_created'));options{ harness: WsTestHarness; specs: readonly ({ method: string; initiator: "frontend" | "backend" | "both"; side_effects: boolean; input: ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>; ... 7 more ...; rate_limit?: "both" | ... 2 more ... | undefined; } | { ...; } | { ...; })[]; }TApi auth/permit_offer_notifications.ts view source
(params: { offer: { id: string & $brand<"Uuid">; from_actor_id: string & $brand<"Uuid">; to_account_id: string & $brand<"Uuid">; role: string; scope_id: (string & $brand<...>) | null; ... 8 more ...; resulting_permit_id: (string & $brand<...>) | null; }; }): { ...; } params{ offer: { id: string & $brand<"Uuid">; from_actor_id: string & $brand<"Uuid">; to_account_id: string & $brand<"Uuid">; role: string; scope_id: (string & $brand<...>) | null; ... 8 more ...; resulting_permit_id: (string & $brand<...>) | null; }; }{ [x: string]: unknown; jsonrpc: "2.0"; method: string; params?: { [x: string]: unknown; } | undefined; } auth/permit_offer_notifications.ts view source
(params: { offer: { id: string & $brand<"Uuid">; from_actor_id: string & $brand<"Uuid">; to_account_id: string & $brand<"Uuid">; role: string; scope_id: (string & $brand<...>) | null; ... 8 more ...; resulting_permit_id: (string & $brand<...>) | null; }; }): { ...; } params{ offer: { id: string & $brand<"Uuid">; from_actor_id: string & $brand<"Uuid">; to_account_id: string & $brand<"Uuid">; role: string; scope_id: (string & $brand<...>) | null; ... 8 more ...; resulting_permit_id: (string & $brand<...>) | null; }; }{ [x: string]: unknown; jsonrpc: "2.0"; method: string; params?: { [x: string]: unknown; } | undefined; } auth/permit_offer_notifications.ts view source
(params: { offer: { id: string & $brand<"Uuid">; from_actor_id: string & $brand<"Uuid">; to_account_id: string & $brand<"Uuid">; role: string; scope_id: (string & $brand<...>) | null; ... 8 more ...; resulting_permit_id: (string & $brand<...>) | null; }; }): { ...; } params{ offer: { id: string & $brand<"Uuid">; from_actor_id: string & $brand<"Uuid">; to_account_id: string & $brand<"Uuid">; role: string; scope_id: (string & $brand<...>) | null; ... 8 more ...; resulting_permit_id: (string & $brand<...>) | null; }; }{ [x: string]: unknown; jsonrpc: "2.0"; method: string; params?: { [x: string]: unknown; } | undefined; } auth/permit_offer_notifications.ts view source
(params: { offer: { id: string & $brand<"Uuid">; from_actor_id: string & $brand<"Uuid">; to_account_id: string & $brand<"Uuid">; role: string; scope_id: (string & $brand<...>) | null; ... 8 more ...; resulting_permit_id: (string & $brand<...>) | null; }; }): { ...; } params{ offer: { id: string & $brand<"Uuid">; from_actor_id: string & $brand<"Uuid">; to_account_id: string & $brand<"Uuid">; role: string; scope_id: (string & $brand<...>) | null; ... 8 more ...; resulting_permit_id: (string & $brand<...>) | null; }; }{ [x: string]: unknown; jsonrpc: "2.0"; method: string; params?: { [x: string]: unknown; } | undefined; } auth/permit_offer_notifications.ts view source
(params: { offer: { id: string & $brand<"Uuid">; from_actor_id: string & $brand<"Uuid">; to_account_id: string & $brand<"Uuid">; role: string; scope_id: (string & $brand<...>) | null; ... 8 more ...; resulting_permit_id: (string & $brand<...>) | null; }; reason: "sibling_accepted" | ... 1 more ... | "scope_destroyed"; cause_id: string & $brand<...>; }): { ...; } params{ offer: { id: string & $brand<"Uuid">; from_actor_id: string & $brand<"Uuid">; to_account_id: string & $brand<"Uuid">; role: string; scope_id: (string & $brand<...>) | null; ... 8 more ...; resulting_permit_id: (string & $brand<...>) | null; }; reason: "sibling_accepted" | ... 1 more ... | "scope_destroyed"; cause_...{ [x: string]: unknown; jsonrpc: "2.0"; method: string; params?: { [x: string]: unknown; } | undefined; } auth/permit_offer_notifications.ts view source
(params: { permit_id: string & $brand<"Uuid">; role: string; scope_id: (string & $brand<"Uuid">) | null; reason: string | null; }): { [x: string]: unknown; jsonrpc: "2.0"; method: string; params?: { ...; } | undefined; } params{ permit_id: string & $brand<"Uuid">; role: string; scope_id: (string & $brand<"Uuid">) | null; reason: string | null; }{ [x: string]: unknown; jsonrpc: "2.0"; method: string; params?: { [x: string]: unknown; } | undefined; } auth/request_context.ts view source
(deps: QueryDeps, account_id: string): Promise<RequestContext | null> Build a full RequestContext from an account id.
Shared helper used by session, bearer, and daemon token middleware,
as well as WebSocket upgrade handlers. Does the account โ actor โ permits
lookup pipeline and returns the composed context, or null if
the account or actor is not found.
depsquery dependencies
account_idthe account to build context for
stringPromise<RequestContext | null> a request context, or null if account/actor not found
auth/audit_log_schema.ts view source
AuditLogConfig Builtin fuz_app audit-log config โ every existing event type and its metadata schema.
auth/role_schema.ts view source
ReadonlyMap<string, Required<RoleOptions>> Builtin role configs. Not overridable by consumers.
Typed ReadonlyMap for the contract โ but JS Maps don't honor
Object.freeze for .set / .delete / .clear (they mutate internal
slots, not own properties), so freeze adds no runtime guard here. Read
once at startup by create_role_schema and the admin / permit-offer
action factories; runtime mutation has no effect on already-built role
schemas.
auth/role_schema.ts view source
readonly ["keeper", "admin"] The builtin role names as a const tuple.
auth/role_schema.ts view source
ZodEnum<{ keeper: "keeper"; admin: "admin"; }> Zod schema for builtin roles only.
Action<BaseHandlerContext> Protocol-action tuple โ spread into the server's actions array (or via
protocol_actions from actions/protocol.ts) so the dispatcher registers the
spec for input validation and so create_rpc_client codegen sees the
method. The client doesn't need to call it directly;
FrontendWebsocketClient.request({signal}) sends the cancel notification
automatically when the signal fires.
{ method: string; kind: "remote_notification"; initiator: "frontend"; auth: null; side_effects: true; input: ZodObject<{ request_id: ZodUnion<readonly [ZodString, ZodNumber]>; }, $strict>; output: ZodVoid; async: true; description: string; } ActionSpec for the shared cancel. auth: null matches every other
remote-notification spec โ upgrade-time auth has already admitted the
socket, so per-action auth on a fire-and-forget notification is moot. The
per-connection {request_id โ AbortController} map enforces socket-scoped
ownership naturally: a different socket's cancel for the same id misses
in its own map.
(): void Placeholder handler โ cancel semantics are owned by register_action_ws, not invoked per-handler. Exported for symmetry with the Action tuple shape; the dispatcher short-circuits cancel notifications before any handler lookup happens.
void ZodObject<{ request_id: ZodUnion<readonly [ZodString, ZodNumber]>; }, $strict> Params for the cancel notification. request_id is the id of the
pending request to abort. Must match the id of a request sent on the
same socket; cancels from other sockets (or for unknown ids) are ignored.
ui/position_helpers.ts view source
CardinalPosition Basic position options for UI elements (cardinal directions).
auth/bootstrap_routes.ts view source
(deps: CheckBootstrapStatusDeps, options: { token_path: string | null; }): Promise<BootstrapStatus> Check bootstrap availability at startup.
Bootstrap is available when:
1. A token path is configured
2. The token file exists on disk
3. The bootstrap_lock table shows bootstrapped = false
depsfilesystem and database access for the check
optionsstatic configuration including token_path
{ token_path: string | null; }Promise<BootstrapStatus> an object with available (boolean) and token_path (string | null)
(deps: FetchDeps, port: number, host?: string, timeout_ms?: number): Promise<boolean> Check if a daemon is healthy by probing its /health endpoint.
Complements is_daemon_running (PID check) with an HTTP liveness probe.
Requires the daemon to register a /health route (e.g. via create_health_route_spec).
depsruntime with fetch capability
portport the daemon should be listening on
numberhosthostname (default localhost)
string'localhost'timeout_msrequest timeout in milliseconds (default 2000)
number2000Promise<boolean> true if the health endpoint responds with 2xx
testing/integration_helpers.ts view source
(body: Record<string, unknown>): string[] List the fields in an error response body that are not in the known-safe set.
Error schemas use z.looseObject (intentional โ multiple producers), but
test responses should be checked for fields that could leak information.
bodyRecord<string, unknown>string[] array of unexpected field names (empty = clean)
auth/bootstrap_routes.ts view source
CheckBootstrapStatusDeps Dependencies for checking bootstrap status at startup.
stat(path: string) => Promise<StatResult | null>dblogLogger(deps: AuthCleanupDeps): Promise<number> Sweep expired permit offers and emit one permit_offer_expire audit
event per row.
Returns the count of offers audit-stamped. The offer rows themselves are preserved โ offers carry audit value for the history view even after expiry, and accepted rows are the provenance for the resulting permit (deleting expired rows would not threaten that, but keeping them uniform with the retention policy for terminal rows is simpler).
depsPromise<number> auth/session_middleware.ts view source
<T>(c: Context<any, any, {}>, options: SessionOptions<T>): void Clear the session cookie on a response.
cContext<any, any, {}>optionsSessionOptions<T>void auth/account_schema.ts view source
ZodObject<{ id: ZodString; account_id: $ZodBranded<ZodUUID, "Uuid", "out">; name: ZodString; expires_at: ZodNullable<ZodString>; last_used_at: ZodNullable<...>; last_used_ip: ZodNullable<...>; created_at: ZodString; }, $strict> Zod schema for client-safe API token listing (excludes token_hash).
CliLogger errorLogs an error via Logger (gets Logger's error prefix).
(...args: Array<unknown>) => voidwarnLogs a warning via Logger (gets Logger's warn prefix).
(...args: Array<unknown>) => voidinfoLogs info via Logger (gets Logger's label prefix).
(...args: Array<unknown>) => voiddebugLogs debug via Logger (gets Logger's debug prefix).
(...args: Array<unknown>) => voidrawLogs raw output via Logger (no prefix, no level filtering).
(...args: Array<unknown>) => voidsuccessLogs a success message with [done] prefix at info level.
(msg: string) => voidskipLogs a skip message with [skip] prefix at info level.
(msg: string) => voidstepLogs a step message with ==> prefix at info level.
(msg: string) => voidheaderLogs a header with === title === decoration at info level.
(title: string) => voiddimLogs a dimmed message at info level.
(msg: string) => voidloggerThe underlying Logger instance.
Loggertesting/integration_helpers.ts view source
(value: unknown): Set<string> Recursively collect all key names from a parsed JSON value.
Walks objects and arrays to find every property name at any nesting depth.
valueunknownSet<string> testing/data_exposure.ts view source
(schema: unknown): Set<string> Recursively collect all property names from a JSON Schema.
Walks properties, items, allOf/anyOf/oneOf, and
additionalProperties to find every declared field name at any depth.
schemaunknownSet<string> (middleware: MiddlewareSpec[], route_path: string): Partial<Record<number, ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>>> | null Collect error schemas from all middleware that applies to a route path.
middlewareMiddlewareSpec[]route_pathstringPartial<Record<number, ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>>> | null merged middleware error schemas, or null if none
{ readonly green: "" | "\u001B[32m"; readonly yellow: "" | "\u001B[33m"; readonly blue: "" | "\u001B[34m"; readonly red: "" | "\u001B[31m"; readonly cyan: "" | "\u001B[36m"; readonly dim: "" | "\u001B[2m"; readonly bold: "" | "\u001B[1m"; readonly reset: "" | "\u001B[0m"; } ColumnInfo Column metadata from information_schema.
column_namestringdata_typestringis_nullablestringui/ColumnLayout.svelte view source
asideSnippetchildrenSnippetcolumn_width?CSS width of the fixed aside column.
stringCommandDeps Command execution.
run_commandRun a command and return the result. Never throws โ failures surface as
success: false.
options.cwd sets the child's working directory. options.signal aborts
the child when the signal fires. options.timeout_ms kills the child
after the given duration and returns timed_out: true on the result.
(
cmd: string,
args: Array<string>,
options?: RunCommandOptions,
) => Promise<CommandResult>CommandMeta<TCategory> Command metadata for help generation.
TCategorystringstringschemaz.ZodTypesummarystringusagestringcategoryTCategoryCommandResult Result of executing a command.
timed_out is present only when timeout_ms was passed in RunCommandOptions
and the process was killed after exceeding the timeout. Callers that pass
timeout_ms should check this flag to distinguish timeout from exit-code failure.
successbooleancodenumberstdoutstringstderrstringtimed_outbooleanactions/action_codegen.ts view source
(input: { origin_path: string; imports: ImportBuilder; blocks: readonly string[]; }): string Wrap the per-*.gen.ts boilerplate (banner + imports.build() +
blocks join + template literal) into one call. Returns the full file body
as a string ready to return from a Gen function.
Each consumer producer collapses to one compose_gen_file call wrapping the helper invocations.
input{ origin_path: string; imports: ImportBuilder; blocks: readonly string[]; }string export const gen: Gen = ({origin_path}) => {
const imports = new ImportBuilder();
return compose_gen_file({
origin_path,
imports,
blocks: [
generate_action_specs_record(all_action_specs, imports),
generate_action_inputs_outputs(all_action_specs, imports),
generate_action_event_datas(all_action_specs, imports),
],
});
};Empty blocks ('') are filtered out so helpers that short-circuit on
empty spec sets don't introduce stray double blank lines.
(runtime: TerminalDeps, message: string): Promise<boolean> Prompt for yes/no confirmation.
runtimeruntime with stdout_write and stdin_read capabilities
messagemessage to display
stringPromise<boolean> true if user confirms, false otherwise
ui/ConfirmButton.svelte view source
onconfirm(popover: Popover) => voidpopover_button_attrs?SvelteHTMLElements['button'] | undefinedhide_on_confirm?boolean | undefinedpopover_content?Unlike on PopoverButton this is optional and has a confirm arg
Snippet<[popover: Popover, confirm: () => void]> | undefinedpopover_button_content?Content for the popover button
Snippet<[popover: Popover, confirm: () => void]> | undefinedchildren?Unlike on PopoverButton this has a confirm arg
Snippet<[popover: Popover, confirm: () => void]> | undefinedactions/transports_ws_backend.ts view source
ConnectionIdentity Auth identity attached to a single WebSocket connection.
One record per connection. token_hash is set for cookie-session
connections, api_token_id for bearer (api_token) connections, and
both are null for daemon-token connections (reachable only via
BackendWebsocketTransport.close_sockets_for_account).
token_hashBlake3 session token hash, or null for non-session credentials.
string | nullaccount_idAuthenticated account id. Always set.
Uuidapi_token_idapi_token.id for bearer-authenticated connections, else null.
string | nulltesting/error_coverage.ts view source
CoverageFilterOptions Options controlling which routes/statuses are considered for coverage.
ignore_routesRoutes to skip, in 'METHOD /path' format.
Array<string>ignore_statusesHTTP status codes to skip.
Array<number>auth/account_actions.ts view source
(deps: AccountActionDeps, options?: AccountActionOptions): RpcAction[] Create the self-service account RPC actions.
depsAccountActionDeps slice of AppDeps (log, on_audit_event, optional audit_log_config)
optionsper-factory configuration
{}RpcAction[] the RpcAction array to spread into a create_rpc_endpoint call
auth/account_routes.ts view source
(deps: RouteFactoryDeps, options: AccountRouteOptions): RouteSpec[] Create account route specs for session-based auth.
The returned specs cover the three flows that stay REST after the RPC migration (login, logout, password change). Self-service session/token management and verify are on auth/account_actions.ts.
depsstateless capabilities (keyring, password, log)
optionsper-factory configuration (session_options, ip_rate_limiter, login_account_rate_limiter)
RouteSpec[] route specs (not yet applied to Hono)
auth/account_routes.ts view source
(options?: AccountStatusOptions | undefined): RouteSpec Create the account status route spec.
Handles both authenticated and unauthenticated requests:
- Authenticated: returns {account} with 200
- Unauthenticated: returns 401 with optional bootstrap_available flag
This eliminates the need for a separate /health fetch on page load โ
the frontend gets both session state and bootstrap availability in one request.
options?optional configuration (bootstrap_status for bootstrap detection)
AccountStatusOptions | undefinedRouteSpec a single account status route spec
actions/action_event.ts view source
<TMethod extends string = string>(environment: ActionEventEnvironment, spec: { method: string; initiator: "frontend" | "backend" | "both"; side_effects: boolean; input: ZodType<unknown, unknown, $ZodTypeInternals<...>>; ... 7 more ...; rate_limit?: "both" | ... 2 more ... | undefined; } | { ...; } | { ...; }, input: unknown, initial_phase?: "send_request" | ... 8 more ... | undefined): ActionEvent<...> Create an action event from a spec and initial input.
environmentspec{ method: string; initiator: "frontend" | "backend" | "both"; side_effects: boolean; input: ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>; output: ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>; ... 6 more ...; rate_limit?: "both" | ... 2 more ... | undefined; } | { ...; } | { ...; }inputunknowninitial_phase?"send_request" | "receive_request" | "send_response" | "receive_response" | "send_error" | "receive_error" | "send" | "receive" | "execute" | undefinedActionEvent<TMethod, "send_request" | "receive_request" | "send_response" | "receive_response" | "send_error" | "receive_error" | "send" | "receive" | "execute", "initial" | "parsed" | "handling" | "handled" | "failed"> Error - if `initial_phase` is omitted and the executor cannotactions/action_event.ts view source
<TMethod extends string = string>(json: ActionEventDataUnion<TMethod>, environment: ActionEventEnvironment): ActionEvent<TMethod, "send_request" | ... 7 more ... | "execute", "initial" | ... 3 more ... | "failed"> Reconstruct an action event from serialized JSON data.
jsonActionEventDataUnion<TMethod>environmentActionEvent<TMethod, "send_request" | "receive_request" | "send_response" | "receive_response" | "send_error" | "receive_error" | "send" | "receive" | "execute", "initial" | "parsed" | "handling" | "handled" | "failed"> Error - if the JSON's `method` field has no spec registered in `environment`actions/action_bridge.ts view source
(spec: { method: string; kind: "request_response" | "remote_notification" | "local_call"; initiator: "frontend" | "backend" | "both"; auth: "public" | "authenticated" | "keeper" | { ...; } | null; ... 7 more ...; rate_limit?: "both" | ... 2 more ... | undefined; }, options?: ActionEventOptions | undefined): EventSpec Derive an EventSpec from an ActionSpec.
Only remote_notification actions can become push events.
specthe action spec (must have kind: 'remote_notification')
{ method: string; kind: "request_response" | "remote_notification" | "local_call"; initiator: "frontend" | "backend" | "both"; auth: "public" | "authenticated" | "keeper" | { role: string; } | null; ... 7 more ...; rate_limit?: "both" | ... 2 more ... | undefined; }options?optional event-specific options (channel)
ActionEventOptions | undefinedEventSpec an EventSpec ready for create_validated_broadcaster
Error - if `spec.kind` is not `'remote_notification'`actions/action_bridge.ts view source
(spec: { method: string; kind: "request_response" | "remote_notification" | "local_call"; initiator: "frontend" | "backend" | "both"; auth: "public" | "authenticated" | "keeper" | { ...; } | null; ... 7 more ...; rate_limit?: "both" | ... 2 more ... | undefined; }, options: ActionRouteOptions): RouteSpec Derive a RouteSpec from an ActionSpec and options.
Only request_response actions (which require non-null auth) can become routes.
remote_notification actions (auth null) should use create_action_event_spec.
local_call actions are not for HTTP transport.
Error schemas are transport-specific (keyed by HTTP status codes) and belong on the options, not the action spec. Action specs define the contract; transport concerns like HTTP error codes are added at the bridge layer.
specthe action spec (must have non-null auth)
{ method: string; kind: "request_response" | "remote_notification" | "local_call"; initiator: "frontend" | "backend" | "both"; auth: "public" | "authenticated" | "keeper" | { role: string; } | null; ... 7 more ...; rate_limit?: "both" | ... 2 more ... | undefined; }optionsHTTP-specific options (path, handler, optional overrides)
RouteSpec a RouteSpec ready for apply_route_specs
Error - if `spec.auth` is null (only `request_response` actions canauth/admin_actions.ts view source
(deps: AdminActionDeps, options?: AdminActionOptions): RpcAction[] Create the admin-only RPC actions.
depsAdminActionDeps slice of AppDeps (log, on_audit_event, optional audit_log_config)
optionsrole schema for grantable_roles derivation
{}RpcAction[] the RpcAction array to spread into a create_rpc_endpoint call
ui/admin_rpc_adapters.ts view source
(api: AdminRpcApi): AdminRpcAdapters Build the four admin RPC adapters from a typed throwing RPC client.
Method-name mapping:
| Narrow RPC method | Action spec method |
| ----------------------------------- | ---------------------------- |
| admin_accounts.list_accounts | admin_account_list |
| admin_accounts.list_sessions | admin_session_list |
| admin_accounts.grant_permit | permit_offer_create |
| admin_accounts.revoke_permit | permit_revoke |
| admin_accounts.retract_offer | permit_offer_retract |
| admin_accounts.session_revoke_all | admin_session_revoke_all |
| admin_accounts.token_revoke_all | admin_token_revoke_all |
| admin_invites.list | invite_list |
| admin_invites.create | invite_create |
| admin_invites.delete | invite_delete |
| audit_log.list | audit_log_list |
| audit_log.permit_history | audit_log_permit_history |
| app_settings.get | app_settings_get |
| app_settings.update | app_settings_update |
All four adapter factories call through the same api โ consumers
pass the typed throwing Proxy from create_frontend_rpc_client once,
regardless of how many admin surfaces they mount.
apiAdminRpcAdapters server/app_backend.ts view source
(options: CreateAppBackendOptions): Promise<AppBackend> Initialize the backend: database + auth migrations + deps.
Calls create_db โ run_migrations (auth namespace, then any
migration_namespaces from options in order) and bundles the result
with the provided keyring and password deps.
optionskeyring, password deps, optional database URL, and optional migration_namespaces
Promise<AppBackend> app backend with deps, database metadata, and combined migration results
Error - if `migration_namespaces` contains the reserved `'fuz_auth'` namespaceserver/app_server.ts view source
(options: AppServerOptions): Promise<AppServer> Create a fully assembled Hono app with auth, middleware, and routes.
Handles the assembly lifecycle: proxy middleware โ auth middleware โ
bootstrap status โ route specs โ surface generation โ Hono app assembly โ
static serving. Database migrations belong to the backend lifecycle โ
pass migration_namespaces to create_app_backend.
When audit_log_sse is set, shallow-copies backend.deps with a composed
on_audit_event that fans out to the SSE registry and the original
callback โ backend.deps itself is not mutated.
optionsPromise<AppServer> assembled Hono app, backend, surface build, and bootstrap status
(options: GenerateAppSurfaceOptions): AppSurfaceSpec Create an AppSurfaceSpec โ the surface bundled with its source specs.
optionsAppSurfaceSpec auth/audit_log_schema.ts view source
(options?: CreateAuditLogConfigOptions | undefined): AuditLogConfig Build an AuditLogConfig by merging fuz_app builtins with consumer extras.
Throws when an extra_events key collides with a builtin event type, or
fails AuditEventTypeName format validation.
Call once at startup; pass the result to consumer-emitted audit_log_fire_and_forget calls. Builtin handlers omit the argument and pick up BUILTIN_AUDIT_LOG_CONFIG.
options?CreateAuditLogConfigOptions | undefinedAuditLogConfig Error - when an `extra_events` key collides with a builtin event type or fails `AuditEventTypeName` format validationauth/audit_log_routes.ts view source
(options?: AuditLogRouteOptions | undefined): RouteSpec[] Create the optional audit-log SSE route spec.
Returns an empty array when options.stream is not set โ no REST routes
live here apart from the stream.
options?optional stream wiring + role override
AuditLogRouteOptions | undefinedRouteSpec[] the SSE route spec (when options.stream is provided) or an empty array
realtime/sse_auth_guard.ts view source
(options: { role?: string | undefined; log: Logger; max_per_scope?: number | null | undefined; }): AuditLogSse Create a complete audit log SSE setup with broadcasting and auth guard.
Combines SubscriberRegistry, create_sse_auth_guard, and the broadcast
call into a single object. The result satisfies AuditLogRouteOptions['stream']
and provides the on_audit_event callback for CreateAppBackendOptions.
optionsfactory options
{ role?: string | undefined; log: Logger; max_per_scope?: number | null | undefined; }AuditLogSse audit log SSE setup (stream options + on_audit_event + registry)
const audit_sse = create_audit_log_sse({log});
// In create_app_backend options:
on_audit_event: audit_sse.on_audit_event,
// In create_route_specs:
create_audit_log_route_specs({stream: audit_sse});
// In create_app_server options:
event_specs: AUDIT_LOG_EVENT_SPECS,auth/middleware.ts view source
(deps: AppDeps, options: AuthMiddlewareOptions): Promise<MiddlewareSpec[]> Create the auth middleware stack.
Returns [origin, session, request_context, bearer_auth] middleware specs
for the given path pattern. When daemon_token_state is provided, appends
a 5th daemon_token layer. Apps can append extra entries for non-standard
paths (e.g., tx's /tx binary endpoint).
depsstateless capabilities (keyring, db)
optionsmiddleware configuration (allowed_origins, session_options, path, daemon_token_state)
Promise<MiddlewareSpec[]> the middleware spec array
testing/auth_apps.ts view source
(route_specs: RouteSpec[], roles: string[]): AuthTestApps Create one Hono test app per auth level.
route_specsthe route specs to register
RouteSpec[]rolesall roles in the app
string[]AuthTestApps actions/action_codegen.ts view source
(origin_path: string): string "DO NOT EDIT" banner naming the gen producer.
origin_pathstringstring auth/bearer_auth.ts view source
(deps: QueryDeps, ip_rate_limiter: RateLimiter | null, log: Logger): MiddlewareHandler Create middleware that authenticates via bearer token.
Soft-fails for invalid, expired, or empty tokens โ calls next() without
setting a request context, letting downstream auth enforcement (per-action
check_action_auth or require_auth) return a consistent JSON-RPC or
route-level error. This avoids leaking token-specific diagnostics
(invalid_token, account_not_found) that could aid enumeration attacks,
and ensures public actions are not blocked by bad credentials.
Rejects bearer tokens when an Origin or Referer header is present โ
browsers must use cookie auth to reduce attack surface.
Auth scheme matching is case-insensitive per RFC 7235.
On success, builds the request context ({ account, actor, permits })
and sets it on the Hono context. Skips if a request context is already set
(e.g. by session middleware).
Rate limiting (429) is the only hard-fail โ it's a throttling concern independent of auth identity.
depsquery dependencies (pool-level db for middleware)
ip_rate_limiterper-IP rate limiter for bearer token attempts (null to disable)
RateLimiter | nulllogthe logger instance
LoggerMiddlewareHandler testing/middleware.ts view source
(tc: BearerAuthTestOptions): BearerAuthMocks Create mock dependencies for create_bearer_auth_middleware, configured per test case.
Configures the module-level mocks for query_validate_api_token, query_account_by_id, query_actor_by_account, and query_permit_find_active_for_actor so each test case controls return values independently.
tcBearerAuthMocks mocks bundle with spy references
testing/middleware.ts view source
(tc: BearerAuthTestOptions, ip_rate_limiter?: RateLimiter | null): { app: Hono<BlankEnv, BlankSchema, "/">; mocks: BearerAuthMocks; } Create a Hono app wired with create_bearer_auth_middleware using mocked deps.
The route handler at /api/test returns the resolved context in the response body,
enabling assertions on REQUEST_CONTEXT_KEY and CREDENTIAL_TYPE_KEY.
tcip_rate_limiterRateLimiter | nullnull{ app: Hono<BlankEnv, BlankSchema, "/">; mocks: BearerAuthMocks; } auth/bootstrap_routes.ts view source
(deps: RouteFactoryDeps, options: BootstrapRouteOptions): RouteSpec[] Create bootstrap route specs for first-time account creation.
depsstateless capabilities including filesystem access
optionsper-factory configuration (session, token path, bootstrap status)
RouteSpec[] route specs (not yet applied to Hono)
actions/broadcast_api.ts view source
<TApi extends object>(options: CreateBroadcastApiOptions): TApi Builds a typed broadcast API from a set of action specs.
For each spec, adds a method keyed by spec.method that:
- Validates input against the spec's Zod schema (logs and returns on failure)
- Creates a JSON-RPC notification from the validated input
- Broadcasts via the peer (filtered by should_deliver when supplied)
Silently returns when no transport is ready (e.g. before any clients connect). Errors during send are logged but never thrown โ broadcasts are fire-and-forget from the handler's perspective.
Consumers declare an explicit interface and pin it via the type parameter:
export interface BackendActionsApi {
filer_change: (input: ActionInputs['filer_change']) => Promise<void>;
workspace_changed: (input: ActionInputs['workspace_changed']) => Promise<void>;
}
const api = create_broadcast_api<BackendActionsApi>({
peer: backend.peer,
specs: [filer_change_action_spec, workspace_changed_action_spec],
});The cast is unchecked โ callers must keep the interface and the specs
array in sync. Codegen (action_collections.gen.ts) is a natural fit
if the consumer already generates per-method type maps.
optionsTApi (logger: Logger): CliLogger Creates a CLI logger wrapping a Logger with semantic output methods.
loggerthe Logger instance to wrap
LoggerCliLogger a CliLogger with CLI semantic methods mapped to Logger levels
auth/daemon_token_middleware.ts view source
(state: DaemonTokenState, deps: QueryDeps): MiddlewareHandler Create middleware that authenticates via daemon token.
Checks the X-Daemon-Token header. Behavior:
- No header: pass through (don't touch existing context)
- Header present + valid: build RequestContext from keeper account,
set credential_type: 'daemon_token' (overrides any existing session/bearer context)
- Header present + invalid: return 401 (fail-closed, no downgrade)
- Header present + valid but keeper_account_id is null: return 503
statethe daemon token runtime state
depsquery dependencies (pool-level db for middleware)
MiddlewareHandler (deps: CommandDeps, db_name: string, options?: CreateDatabaseOptions | undefined): Promise<CommandResult> Create a PostgreSQL database if createdb is available.
Does not throw โ returns the underlying command result so callers can
decide how to react to a missing createdb or an "already exists" failure.
depscommand execution capability
db_namedatabase name to create
stringoptions?logger
CreateDatabaseOptions | undefinedPromise<CommandResult> the command result
(database_url: string): Promise<CreateDbResult> Create a database connection based on a URL.
The close callback is bound to the actual driver โ callers never need to
know which driver is in use.
For direct driver construction without URL routing, import create_pg_db from db/db_pg.ts or create_pglite_db from db/db_pglite.ts.
database_urlconnection URL (postgres://, postgresql://, file://, or memory://)
stringPromise<CreateDbResult> database instance, close callback, type, and display name
Error - if `database_url` uses an unsupported scheme. Driver(options: DbRouteOptions): RouteSpec[] Create the db API route specs.
optionsRouteSpec[] (args: readonly string[]): RuntimeDeps Create a runtime backed by Deno APIs.
Returns an object satisfying all *Deps interfaces from runtime/deps.ts.
Pass to shared functions that accept EnvDeps, FsReadDeps, etc.
argsCLI arguments (typically Deno.args)
readonly string[]RuntimeDeps runtime implementation using Deno APIs
(factories: DbFactory | DbFactory[], truncate_tables: string[]): (name: string, fn: (get_db: () => Db) => void) => void Create a describe_db function bound to specific factories and truncate tables.
Returns a 2-arg (name, fn) function that runs the test suite against each
factory. Each factory gets its own describe block with a shared database
instance, automatic beforeEach truncation, and afterAll cleanup.
Skipped factories use describe.skip.
factoriesone or more database factories to run suites against
DbFactory | DbFactory[]truncate_tablestables to truncate between tests (children first for FK safety)
string[](name: string, fn: (get_db: () => Db) => void) => void testing/integration_helpers.ts view source
(keyring: Keyring, session_options: SessionOptions<string>): Promise<string> Create an expired test cookie โ validly signed but with an expiry timestamp in 1970.
keyringsession_optionsSessionOptions<string>Promise<string> <T extends Record<string, unknown>>(schema: ZodType<T, unknown, $ZodTypeInternals<T, unknown>>, fallback: T): (unparsed: ParsedArgs) => { flags: T; remaining: ParsedArgs; } Create a project-specific global flag extractor.
Returns a function that separates global flags from command-specific args.
The schema defines which flags are global (with aliases via .meta({aliases})),
and the fallback provides defaults when parsing fails.
schemaZod schema for global flags
ZodType<T, unknown, $ZodTypeInternals<T, unknown>>fallbackdefault values when parsing fails
T(unparsed: ParsedArgs) => { flags: T; remaining: ParsedArgs; } extractor function (unparsed) => {flags, remaining}
testing/ws_round_trip.ts view source
(opts: FakeHonoContextOptions): Context<any, any, {}> Build a fake Hono Context exposing the auth keys the dispatcher
reads via c.get(...). Only .get() is populated โ no other Hono
context surface is simulated.
optsContext<any, any, {}> testing/ws_round_trip.ts view source
(): FakeWs Build a real WSContext backed by in-memory send/close capture.
Parsing of outgoing frames is left to the caller โ sends holds the
raw strings as the dispatcher wrote them.
FakeWs actions/frontend_rpc_client.ts view source
<TApi extends object>(options: CreateFrontendRpcClientOptions<TApi>): FrontendRpcClient<TApi> Build a frontend-only typed RPC client. See module doc for the bundle's design.
optionsCreateFrontendRpcClientOptions<TApi>FrontendRpcClient<TApi> http/common_routes.ts view source
(): RouteSpec Create a public health check route spec.
Infrastructure endpoint for uptime monitors and load balancers.
Bootstrap availability is exposed via /api/account/status instead.
RouteSpec <TCategory extends string>(options: HelpOptions<TCategory>): HelpGenerator Create a help generator configured for an application.
optionshelp configuration
HelpOptions<TCategory>HelpGenerator help generator with generate_main_help, generate_command_help, and get_help_text
actions/action_event_helpers.ts view source
(kind: "request_response" | "remote_notification" | "local_call", phase: "send_request" | "receive_request" | "send_response" | "receive_response" | "send_error" | "receive_error" | "send" | "receive" | "execute", method: string, executor: "frontend" | "backend", input: unknown): { ...; } kind"request_response" | "remote_notification" | "local_call"phase"send_request" | "receive_request" | "send_response" | "receive_response" | "send_error" | "receive_error" | "send" | "receive" | "execute"methodstringexecutor"frontend" | "backend"inputunknown{ kind: "request_response" | "remote_notification" | "local_call"; phase: "send_request" | "receive_request" | "send_response" | "receive_response" | "send_error" | "receive_error" | "send" | "receive" | "execute"; ... 9 more ...; notification: { ...; } | null; } http/jsonrpc_helpers.ts view source
(id: string | number | null, error: { [x: string]: unknown; code: -32700 | -32600 | -32601 | -32602 | -32603 | (number & $brand<"JsonrpcServerErrorCode">); message: string; data?: unknown; }): { ...; } Creates a JSON-RPC error response message.
idstring | number | nullerror{ [x: string]: unknown; code: -32700 | -32600 | -32601 | -32602 | -32603 | (number & $brand<"JsonrpcServerErrorCode">); message: string; data?: unknown; }{ [x: string]: unknown; jsonrpc: "2.0"; id: string | number | null; error: { [x: string]: unknown; code: -32700 | -32600 | -32601 | -32602 | -32603 | (number & $brand<"JsonrpcServerErrorCode">); message: string; data?: unknown; }; } http/jsonrpc_helpers.ts view source
(id: string | number | null, error: unknown): { [x: string]: unknown; jsonrpc: "2.0"; id: string | number | null; error: { [x: string]: unknown; code: -32700 | -32600 | -32601 | -32602 | -32603 | (number & $brand<...>); message: string; data?: unknown; }; } Creates a JSON-RPC error response from any error.
Handles ThrownJsonrpcError (preserves code/message/data) and
regular Error objects (maps to internal_error, includes stack in DEV).
idstring | number | nullerrorunknown{ [x: string]: unknown; jsonrpc: "2.0"; id: string | number | null; error: { [x: string]: unknown; code: -32700 | -32600 | -32601 | -32602 | -32603 | (number & $brand<"JsonrpcServerErrorCode">); message: string; data?: unknown; }; } http/jsonrpc_helpers.ts view source
(method: string, params: { [x: string]: unknown; } | undefined): { [x: string]: unknown; jsonrpc: "2.0"; method: string; params?: { [x: string]: unknown; } | undefined; } Creates a JSON-RPC notification message (no id, no response expected).
methodstringparams{ [x: string]: unknown; } | undefined{ [x: string]: unknown; jsonrpc: "2.0"; method: string; params?: { [x: string]: unknown; } | undefined; } http/jsonrpc_helpers.ts view source
(method: string, params: { [x: string]: unknown; } | undefined, id: string | number): { [x: string]: unknown; jsonrpc: "2.0"; id: string | number; method: string; params?: { [x: string]: unknown; } | undefined; } Creates a JSON-RPC request message.
methodstringparams{ [x: string]: unknown; } | undefinedidstring | number{ [x: string]: unknown; jsonrpc: "2.0"; id: string | number; method: string; params?: { [x: string]: unknown; } | undefined; } http/jsonrpc_helpers.ts view source
(id: string | number, result: { [x: string]: unknown; }): { [x: string]: unknown; jsonrpc: "2.0"; id: string | number; result: { [x: string]: unknown; }; } Creates a JSON-RPC success response message.
idstring | numberresult{ [x: string]: unknown; }{ [x: string]: unknown; jsonrpc: "2.0"; id: string | number; result: { [x: string]: unknown; }; } (env_value: string | undefined): Keyring | null Create a keyring from environment variable.
Keys are separated by __ for rotation support. First key is used
for signing, all keys are tried for verification.
CryptoKeys are cached on first use for performance.
Security: key rotation is an operational concern. Old keys remain valid
for verification indefinitely โ a leaked old key can forge session cookies
until it is removed from SECRET_COOKIE_KEYS. After rotating to a new
signing key, remove the old key within a grace period (e.g. 24โ48 hours,
long enough for active sessions to re-sign with the new key via cookie
refresh). Treat SECRET_COOKIE_KEYS changes as security-critical deploys.
env_valuethe SECRET_COOKIE_KEYS environment variable
string | undefinedKeyring | null keyring or null if no keys configured
testing/mock_fs.ts view source
(initial_files?: Record<string, string>): MockFs Creates an in-memory file system for tests.
read_file throws an ENOENT-tagged error for missing paths so callers
can exercise the same "file doesn't exist" code path as node:fs.
initial_filesRecord<string, string>{}MockFs (args?: string[]): MockRuntime Create a mock RuntimeDeps for testing.
The mock exit records the code on exit_calls and throws MockExitError
(so the never-returning contract holds in tests). fetch throws TypeError
when no mock_fetch_responses pattern matches the request URL.
argsstring[][]MockRuntime MockRuntime with controllable state
const runtime = create_mock_runtime(['apply', 'tx.ts']);
runtime.mock_env.set('HOME', '/home/test');
runtime.mock_fs.set('/home/test/.app/config.json', '{}');
await some_function(runtime);
assert.strictEqual(runtime.command_calls.length, 1);
assert.deepStrictEqual(runtime.exit_calls, [0]);actions/action_codegen.ts view source
(sources: readonly SpecSource[], imports: ImportBuilder): { qualify_spec: (spec: { method: string; initiator: "frontend" | "backend" | "both"; side_effects: boolean; ... 8 more ...; rate_limit?: "both" | ... 2 more ... | undefined; } | { ...; } | { ...; }) => string; all_specs: readonly ({ ...; } | ... 1 more ... | { ...; })[]; } Multi-source consumer helper. Takes a list of {ns, module, specs} rows,
registers import * as ns from module for each on imports, builds the
method_to_ns lookup with duplicate-method detection, and returns
{qualify_spec, all_specs} ready to thread through the high-level
helpers.
Closes the per-file boilerplate gap that kept tx + visiones on hand-rolled
template strings even after qualify_spec? landed in API review II โ the
per-call callback wasn't enough; the import dance + dup-check was the
real boilerplate.
sourcesreadonly SpecSource[]imports{ qualify_spec: (spec: { method: string; initiator: "frontend" | "backend" | "both"; side_effects: boolean; input: ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>; output: ZodType<...>; ... 6 more ...; rate_limit?: "both" | ... 2 more ... | undefined; } | { ...; } | { ...; }) => string; all_specs: rea... Error - if two sources contain the same method name (same-methodconst sources = [
{ns: 'tx_specs', module: './action_specs.js', specs: all_tx_action_specs},
{ns: 'admin_specs', module: '@fuzdev/fuz_app/auth/admin_action_specs.js', specs: all_admin_action_specs},
];
export const gen: Gen = ({origin_path}) => {
const imports = new ImportBuilder();
const {qualify_spec, all_specs} = create_namespace_qualifier(sources, imports);
return compose_gen_file({
origin_path,
imports,
blocks: [
generate_action_specs_record(all_specs, imports, {qualify_spec}),
generate_action_inputs_outputs(all_specs, imports, {qualify_spec}),
],
});
};(args?: readonly string[]): RuntimeDeps Create a RuntimeDeps backed by Node.js APIs.
argsCLI arguments (typically process.argv.slice(2))
readonly string[]process.argv.slice(2)RuntimeDeps RuntimeDeps implementation using Node.js runtime
<T = any>(_label: string, overrides?: Record<string, unknown> | undefined): T Create a Proxy where every method access returns a no-op async function.
Use for deps that may be reached during "correct auth passes guard" tests but whose return values don't matter. Unlike the explicit method listing, this auto-updates when interfaces change.
_labelstringoverrides?explicit properties to set (e.g. {db: stub_db})
Record<string, unknown> | undefinedT auth/permit_offer_actions.ts view source
(deps: PermitOfferActionDeps, options?: PermitOfferActionOptions): RpcAction[] Create the seven permit-offer RPC actions (six offer-lifecycle methods
plus permit_revoke).
depsPermitOfferActionDeps โ log, on_audit_event, optional audit_log_config (slice of AppDeps); optional notification_sender for WS fan-out
optionsrole schema, default TTL, authorization override
{}RpcAction[] the RpcAction array to spread into a create_rpc_endpoint call
(pool: Pool): DbDriverResult Create a Db backed by a pg.Pool.
Owns the transaction implementation, acquiring a dedicated pool client per transaction.
poolan already-constructed pg.Pool
PoolDbDriverResult the Db instance and a close callback bound to pool.end()
(init_schema: (db: Db) => Promise<void>, test_url?: string | undefined): DbFactory Create a pg (PostgreSQL) database factory for tests.
Skipped when test_url is not provided.
Drops schema_version before running init_schema, forcing migrations
to re-evaluate against the actual tables. Prevents stale tracker rows
from skipping migrations when DDL changes between test sessions.
For full clean-slate behavior (recommended), call drop_auth_schema(db)
at the start of init_schema before running migrations. This handles
upstream schema changes that go beyond adding new tables/columns.
init_schemacallback to initialize the database schema
(db: Db) => Promise<void>test_url?PostgreSQL connection URL (e.g. from TEST_DATABASE_URL)
string | undefinedDbFactory a factory that creates pg databases. The returned create()
throws when test_url is unset (despite the skip: true flag โ defense
against direct invocation), and rewrites Postgres "database does not
exist" errors into a createdb hint message.
(pglite: PGlite): DbDriverResult Create a Db backed by a PGlite instance.
Delegates transactions to PGlite's native transaction() method.
pglitean already-constructed PGlite instance
PGliteDbDriverResult the Db instance and a close callback bound to pglite.close()
(init_schema: (db: Db) => Promise<void>): DbFactory Create a pglite (in-memory) database factory for tests.
Always enabled โ no external dependencies required.
Shares a single PGlite WASM instance across all factories in the same
vitest worker thread (one test file). Subsequent create() calls reset
the schema via DROP SCHEMA public CASCADE instead of paying the WASM
cold-start cost again.
init_schemacallback to initialize the database schema
(db: Db) => Promise<void>DbFactory (options: ProxyOptions): MiddlewareHandler Create a Hono middleware that resolves the client IP from trusted proxies.
Sets client_ip on the Hono context for downstream use by get_client_ip.
All client IPs are normalized (lowercase, IPv4-mapped IPv6 stripped).
Resolution logic:
1. No X-Forwarded-For โ use connection IP directly.
2. X-Forwarded-For present but connection is untrusted โ ignore header
(spoofed by a direct attacker), use connection IP.
3. X-Forwarded-For present and connection is trusted โ walk header
right-to-left, strip trusted entries, use first untrusted entry.
optionstrusted proxy configuration
MiddlewareHandler Error - if any entry in `options.trusted_proxies` is invalid (parsed eagerly via `parse_proxy_entry`)(options: ProxyOptions): MiddlewareSpec Create a middleware spec for trusted proxy resolution.
Apply before auth middleware so client_ip is available for rate limiting.
optionstrusted proxy configuration
MiddlewareSpec (options?: Partial<RateLimiterOptions> | undefined): RateLimiter Create a RateLimiter with sensible defaults for per-IP login protection.
options?override individual options; unset fields use DEFAULT_LOGIN_IP_RATE_LIMIT
Partial<RateLimiterOptions> | undefinedRateLimiter auth/request_context.ts view source
(deps: QueryDeps, log: Logger, session_context_key?: string): MiddlewareHandler Create middleware that builds the request context from a session cookie.
Reads the session identity (set by session middleware), looks up
the auth_session, loads account + actor + active permits, and
sets the RequestContext on the Hono context.
If the session is invalid or the account is not found, the context
is set to null (unauthenticated). No 401 is returned โ use
require_role or require_auth for enforcement.
depsquery dependencies (pool-level db for middleware)
logthe logger instance
Loggersession_context_keythe Hono context key where session middleware stored the session token
string'auth_session_id'MiddlewareHandler auth/role_schema.ts view source
<T extends string>(app_roles: Record<T, RoleOptions>): RoleSchemaResult Create a role schema and config map that extends the builtins with app-defined roles.
Call once at server init. The returned Role schema validates role strings
at I/O boundaries (grant endpoint, permit queries). The role_options map
is used by middleware to check requires_daemon_token and by admin UI to
filter web_grantable roles.
app_rolesapp-defined roles with optional config overrides
Record<T, RoleOptions>RoleSchemaResult {Role, role_options} โ Zod schema and full config map
Error - if any `app_roles` key fails the `RoleName` regex or collides with a builtin role// visiones
const {Role, role_options} = create_role_schema({
teacher: {},
});
// Role validates 'keeper' | 'admin' | 'teacher'
// role_options has all 3 entries with defaults appliedactions/rpc_client.ts view source
<TApi extends object>(options: CreateRpcClientOptions<TApi>): TApi Creates a Proxy-based API from action specs.
Method calls are dynamically dispatched based on the action spec's kind:
- request_response โ send request, await response, return Result
- remote_notification โ send notification, return Result
- local_call โ execute locally (sync or async), return Result or throw
Generic TApi is the consumer's typed Proxy interface (typically a
codegen-derived ActionsApi). Required โ no default, so forgetting it
is a type error rather than a silent slide into any. The `as unknown
as TApi` coercion lives inside this function so call sites get a typed
return without a cast at the seam. TApi is a type-layer promise about
what the Proxy responds to; the runtime walks specs (kept in sync by
the consumer, codegen recommended).
const api_result = create_rpc_client<MyActionsApi>({peer, environment});optionsCreateRpcClientOptions<TApi>TApi a Proxy typed as TApi that responds to any method name found in the environment's specs
actions/action_rpc.ts view source
(options: CreateRpcEndpointOptions): RouteSpec[] Single JSON-RPC 2.0 endpoint โ the canonical RPC transport binding.
Returns two RouteSpec entries (GET + POST on the same path) for apply_route_specs. The internal dispatcher handles:
1. Parse envelope โ POST: JSON body as JsonrpcRequest. GET: method
and params from query string.
2. Lookup method โ find the RpcAction by method name.
3. Auth check โ verify identity against the action's auth requirement.
4. Validate params โ parse input against the action's input schema.
5. Dispatch โ acquire DB handle (transaction for mutations, pool for reads),
construct ActionContext, call handler, return JSON-RPC response.
GET is restricted to side_effects: false actions (cacheable reads).
All errors use JSON-RPC format: {jsonrpc, id, error: {code, message, data?}}.
The RouteSpecs use auth: {type: 'none'} because auth is checked per-action
inside the dispatcher, and transaction: false because transaction scope
is per-action (mutations get a transaction, reads get pool).
optionsendpoint path, actions, and logger
RouteSpec[] route specs (GET + POST) ready for apply_route_specs
Error - if two actions share the same `spec.method` (registration-timetesting/rpc_helpers.ts view source
(endpoint_path: string, method: string, params?: unknown, id?: string | number): string Build a GET URL with JSON-RPC query parameters.
endpoint_paththe RPC endpoint path (e.g., /api/rpc)
stringmethodstringparams?params (omit for parameterless methods)
unknownidrequest id (default 'test')
string | number'test'string testing/rpc_helpers.ts view source
(method: string, params?: unknown, id?: string | number): RequestInit Create a RequestInit for a JSON-RPC POST request.
methodstringparams?params (omit for parameterless methods; null is also
stripped for ergonomic call sites โ JSON-RPC 2.0 ยง4.2
forbids "params": null on the wire, and create_rpc_endpoint
rejects z.null() action input schemas at registration).
Tests that need to construct a literal "params": null
envelope (e.g. asserting envelope-level rejection) should
build the body inline rather than route through this helper.
unknownidrequest id (default 'test')
string | number'test'RequestInit auth/self_service_role_actions.ts view source
(deps: SelfServiceRoleActionDeps, options: SelfServiceRoleActionsOptions): RpcAction[] Build the unified self-service role toggle RPC action.
depsSelfServiceRoleActionDeps slice of AppDeps (log, on_audit_event, optional audit_log_config)
optionseligible-role allowlist plus optional role schema for typo-checking
RpcAction[] the RpcAction array to spread into a create_rpc_endpoint call
Error - at factory time if any `eligible_roles` entry is missing from `options.roles.role_options`http/common_routes.ts view source
(options: ServerStatusOptions): RouteSpec Create an authenticated server status route spec.
Returns version and uptime. Unlike the public health check, this requires authentication.
optionsRouteSpec auth/session_lifecycle.ts view source
(options: CreateSessionAndSetCookieOptions): Promise<void> Create an auth session and set the session cookie on the response.
Shared by login and bootstrap โ generates a token, hashes it, persists the session row, optionally enforces a per-account session limit, and sets the signed cookie.
optionsPromise<void> auth/session_cookie.ts view source
(cookie_name: string): SessionOptions<string> Create a session config for raw session token identity.
The standard pattern: cookie stores the raw session token,
server hashes it (blake3) to look up the auth_session row.
Only the cookie_name varies per app.
cookie_namecookie name (e.g. 'tx_session', 'visiones_session')
stringSessionOptions<string> a SessionOptions<string> ready for use with session middleware
auth/session_cookie.ts view source
<TIdentity>(keyring: Keyring, identity: TIdentity, options: SessionOptions<TIdentity>, now_seconds?: number | undefined): Promise<string> Create a signed session cookie value.
Format: ${encode(identity)}:${expires_at} signed with HMAC-SHA256.
Embeds expiration in the signed value itself for defense-in-depth.
keyringkey ring for signing
identitythe identity to encode
TIdentityoptionssession configuration with encode logic
SessionOptions<TIdentity>now_seconds?current time in seconds (for testing)
number | undefinedPromise<string> signed cookie value string
auth/session_middleware.ts view source
<TIdentity>(keyring: Keyring, options: SessionOptions<TIdentity>): MiddlewareHandler Create session middleware that parses cookies and sets identity on context.
Always sets the identity on context (null when invalid/missing) for type-safe reads.
Uses options.context_key as the Hono context variable name.
keyringkey ring for cookie verification
optionssession configuration
SessionOptions<TIdentity>MiddlewareHandler auth/signup_routes.ts view source
(deps: RouteFactoryDeps, options: SignupRouteOptions): RouteSpec[] Create signup route specs for account creation.
depsstateless capabilities
optionsper-factory configuration
RouteSpec[] route specs (not yet applied to Hono)
realtime/sse_auth_guard.ts view source
<T>(registry: SubscriberRegistry<T>, required_role: string | null, log: Logger): (event: AuditLogEvent) => void Create an audit event handler that closes SSE streams on auth changes.
Closes streams when:
- permit_revoke fires for the required_role targeting a connected subscriber
- session_revoke_all targets a connected subscriber (consistent invalidation)
- password_change targets a connected subscriber (sessions revoked implicitly)
The registry must use account_id as the identity key when subscribing
(passed as the third argument to registry.subscribe()).
registrythe subscriber registry to guard
SubscriberRegistry<T>required_rolethe role that grants access to the SSE endpoint,
or null to skip permit_revoke handling entirely (for streams not gated
by a specific permit)
string | nullloglogger for disconnect events
Logger(event: AuditLogEvent) => void an on_audit_event callback
<T = unknown>(c: Context<any, any, {}>, log: Logger): { response: Response; stream: SseStream<T>; } Create an SSE response for a Hono context.
Wraps Hono's streamSSE to provide a {response, stream} API
compatible with SubscriberRegistry push-based broadcasting.
The callback suspends via a promise that resolves on client disconnect
or explicit close(), keeping the stream alive for external sends.
Uses hono_stream.write() directly (not writeSSE) to avoid
Hono's HTML callback resolution โ keeps the same data: JSON\n\n format.
cContext<any, any, {}>loglogger for serialization and on_close listener errors
Logger{ response: Response; stream: SseStream<T>; } object with the streaming Response and an SseStream controller
testing/adversarial_headers.ts view source
(allowed_origin: string): AdversarialHeaderCase[] 7 standard adversarial header cases applicable to any middleware stack.
allowed_originan origin that passes the origin check
stringAdversarialHeaderCase[] auth/standard_rpc_actions.ts view source
(deps: PermitOfferActionDeps, options?: StandardRpcActionsOptions): RpcAction[] Build the combined admin + permit-offer + account RPC action set.
Spreads create_admin_actions(deps, {roles, app_settings}),
create_permit_offer_actions(deps, {roles, default_ttl_ms, authorize}),
and create_account_actions(deps, {max_tokens}). The shared roles
option flows to admin + permit-offer.
depsStandardRpcActionsDeps (log, on_audit_event, optional audit_log_config from AppDeps; optional notification_sender for WS fan-out)
optionsrole schema, optional app-settings ref, permit-offer config, account config
{}RpcAction[] RPC actions to pass as rpc_endpoints or spread into create_rpc_endpoint
(serve_static: ServeStaticFactory, options?: { root?: string | undefined; spa_fallback?: string | undefined; is_spa_route?: ((path: string) => boolean) | undefined; } | undefined): MiddlewareHandler[] Create static file serving middleware for SvelteKit static builds.
Returns an array of middleware handlers to register on '/*'.
serve_staticruntime-specific serveStatic factory
options?optional root directory and SPA fallback path
{ root?: string | undefined; spa_fallback?: string | undefined; is_spa_route?: ((path: string) => boolean) | undefined; } | undefinedMiddlewareHandler[] (options?: { include_daemon_token?: boolean | undefined; } | undefined): MiddlewareSpec[] Create the API middleware stub array matching create_auth_middleware_specs output.
options?{ include_daemon_token?: boolean | undefined; } | undefinedMiddlewareSpec[] (): AppDeps Create no-op AppDeps for auth surface testing.
AppDeps (session_options: SessionOptions<string>): AppServerContext Create a stub AppServerContext for attack surface testing.
Provides sensible defaults for all fields. Pass session_options since
it varies per consumer; other fields use stubs/nulls.
session_optionsconsumer's session config (required โ varies per app)
SessionOptions<string>AppServerContext (): Db Create a stub Db for handler tests that use apply_route_specs with declarative transactions.
Returns a real Db instance with:
- query returns empty rows (safety net for unmocked query functions)
- query_one returns undefined
- transaction(fn) calls fn(db) synchronously (no real transaction)
Db testing/ws_round_trip.ts view source
(): StubUpgrade Build a fake upgradeWebSocket that captures the createEvents
callback. The returned middleware is inert โ tests drive
createEvents directly.
StubUpgrade http/common_routes.ts view source
(options: SurfaceRouteOptions): RouteSpec Create an authenticated route spec that serves the AppSurface as JSON.
Surface data reveals API structure (routes, auth, schemas), so this requires authentication like the server status route.
optionsRouteSpec testing/entities.ts view source
(overrides?: TestAccountOverrides | undefined): Account Create a test Account with sensible defaults.
overrides?TestAccountOverrides | undefinedAccount testing/entities.ts view source
(overrides?: TestActorOverrides | undefined): Actor Create a test Actor with sensible defaults.
overrides?TestActorOverrides | undefinedActor testing/app_server.ts view source
(options: CreateTestAppOptions): Promise<TestApp> Create a fully assembled test app with a Hono server, middleware, and routes.
Combines create_test_app_server + create_app_server into a single call. Disables rate limiters and logging by default (test-friendly).
A fresh Hono app is created each call โ middleware closures bind to the
server's deps (db, keyring), so reuse across servers is unsafe.
The expensive resource (PGlite WASM) is cached separately in test_db.ts.
optionstest app configuration
Promise<TestApp> a TestApp ready for HTTP testing
testing/auth_apps.ts view source
(route_specs: RouteSpec[], auth_ctx?: RequestContext | undefined, credential_type?: "session" | "api_token" | "daemon_token" | undefined): Hono<BlankEnv, BlankSchema, "/"> Create a Hono test app from route specs with optional auth context.
route_specsthe route specs to register
RouteSpec[]auth_ctx?optional request context to inject via middleware
RequestContext | undefinedcredential_type?optional credential type (default: 'session' when auth_ctx provided)
"session" | "api_token" | "daemon_token" | undefinedHono<BlankEnv, BlankSchema, "/"> testing/app_server.ts view source
(options: TestAppServerOptions): Promise<TestAppServer> Create an app server with a bootstrapped account for testing.
Sets up:
- Auth tables (via cached PGlite factory, or reuses existing db)
- A keeper account with hashed password
- Role permits for each role in options.roles
- An API token for Bearer auth
- A session with a signed cookie value
Uses stub_password_deps by default โ deterministic hashing that works correctly for login/logout tests without Argon2 overhead.
optionssession options and optional overrides
Promise<TestAppServer> a TestAppServer ready for HTTP testing
(options: CreateTestAppSurfaceSpecOptions): AppSurfaceSpec Create an AppSurfaceSpec for attack surface testing.
Mirrors create_app_server's route assembly: consumer routes + factory-managed bootstrap routes + surface generation. If create_app_server changes how it wires routes, update this helper to stay in sync (single source of truth for all consumers).
optionssurface spec options
AppSurfaceSpec the surface spec for snapshot and adversarial testing
testing/entities.ts view source
(overrides?: TestAuditEventOverrides | undefined): AuditLogEvent Create a test AuditLogEvent with sensible defaults.
overrides?TestAuditEventOverrides | undefinedAuditLogEvent testing/entities.ts view source
(permits?: TestPermitOverrides[]): RequestContext Create a test RequestContext with permits from partial overrides.
permitsTestPermitOverrides[][{}]RequestContext testing/middleware.ts view source
(options?: TestMiddlewareStackOptions | undefined): TestMiddlewareStackApp Create a Hono app with real proxy + origin + bearer middleware for integration testing.
All DB queries return undefined (no real database needed).
The echo route at TEST_MIDDLEWARE_PATH returns {ok, client_ip, has_context}.
options?TestMiddlewareStackOptions | undefinedTestMiddlewareStackApp the app and mock spies (reconfigure via mockImplementation for valid-token paths)
testing/entities.ts view source
(overrides?: TestPermitOverrides | undefined): Permit Create a test Permit with sensible defaults.
overrides?TestPermitOverrides | undefinedPermit testing/auth_apps.ts view source
(role?: string | undefined): RequestContext Create a mock RequestContext with optional role permit.
role?string | undefinedRequestContext actions/rpc_client.ts view source
<TApi extends object>(api_result: TApi): ThrowingApi<TApi> Wrap a typed RPC client so every call resolves to its unwrapped value or
throws an Error carrying the JSON-RPC {code, message, data?} shape.
Implementation is a Proxy because the underlying create_rpc_client
return is itself a Proxy with no concrete keys โ a key-by-key wrap would
need to enumerate the typed surface, which only the consumer's generated
ActionsApi interface knows.
Pass-through on non-Result returns is deliberate: sync local_call
Proxy methods return values directly (see create_sync_local_call_method
above). The Proxy can't distinguish those at get-time, so the wrapper
inspects result shape at call-time and only unwraps when it sees a
Result. Non-object returns pass through unchanged.
Only {code, data} cross onto the thrown Error โ name / stack are
left as the Error's own properties so attacker-shaped result.error
payloads cannot overwrite them.
Recommended consumer convention: create_frontend_rpc_client ships
both shapes by default โ api (throwing) for hot-path call sites and
api_result (Result) for sites that inspect error.data.reason
without try/catch. Result is the protocol primitive; this wrapper is
the ergonomic layer over it. Picking is per call site โ both Proxies
share the same underlying transport.
Catch blocks read err.data?.reason โ optional chaining required
because JSON-RPC data is spec-level optional.
On unknown string-keyed methods, the get trap returns a function that
throws "rpc method not found: <prop>" on invocation โ clearer than
the JS default "api.foo is not a function". Symbol props and then
stay undefined so the Proxy isn't accidentally treated as a thenable
(await api would otherwise probe then and trip the thrower).
api_resulttyped Result-returning RPC client from
create_rpc_client<ActionsApi>(...). The "_result" suffix names
what the underlying calls return (Result<{value}, {error}>).
TApiThrowingApi<TApi> <T = any>(label: string): T Create a Proxy that throws descriptive errors on any property access or method call.
Use for deps that should never be reached during a test. If a test accidentally
calls through to a throwing stub, the error message identifies exactly which stub
was hit, catching test bugs that would silently pass with {} as any.
JS-internal probes (Symbol, then, constructor, $$typeof) return
undefined so the proxy doesn't crash framework-level identity checks;
toJSON returns "[throwing_stub:label]" so accidental serialization
surfaces the stub's identity in console output rather than silent "{}".
labeldescriptive name for error messages (e.g. 'keyring', 'db')
stringT Error - on any non-internal property access, labeled with the stub<T extends SseNotification>(broadcaster: { broadcast: (channel: string, data: T) => void; }, event_specs: EventSpec[], log: Logger): { broadcast: (channel: string, data: T) => void; } Create a broadcaster that validates events in DEV mode.
In DEV: warns on unknown methods and invalid params. In production: passes through with zero overhead.
broadcasterduck-typed broadcaster (e.g. SubscriberRegistry)
{ broadcast: (channel: string, data: T) => void; }event_specsevent specs to validate against
EventSpec[]loglogger used to emit DEV warnings on unknown methods or param mismatches
Logger{ broadcast: (channel: string, data: T) => void; } validated broadcaster wrapper (passthrough in production)
(env_value: string | undefined): ValidatedKeyringResult Validate and create a keyring in one step.
Returns a discriminated union so callers handle exit/logging their own way
(e.g. Deno.exit(1) vs runtime.exit(1)).
env_valuethe SECRET_COOKIE_KEYS environment variable
string | undefinedValidatedKeyringResult {ok: true, keyring} or {ok: false, errors}
actions/transports_ws_auth_guard.ts view source
(transport: BackendWebsocketTransport, log: Logger): AuditEventHandler Create an audit event handler that closes WebSocket connections on auth changes.
Ignores outcome === 'failure' events โ they carry attacker-controlled
identifiers (e.g. a session_revoke that the DB rejected still records
the submitted session_id), so reacting to them would let any authenticated
user close another user's socket by guessing a session hash or token id.
transportloglogger for disconnect events (info level on non-zero closures)
LoggerAuditEventHandler an on_audit_event callback suitable for CreateAppBackendOptions.
The returned callback mutates transport (closing matching sockets via
close_sockets_for_session / _token / _account) on every relevant event.
actions/transports_ws_auth_guard.ts view source
(transport: BackendWebsocketTransport, log: Logger): AuditEventHandler Create an audit event handler that closes WebSocket connections on user-initiated logout.
Sibling helper to create_ws_auth_guard โ kept separate because
WS_DISCONNECT_EVENT_TYPES deliberately omits logout (admin-initiated
revocations use session_revoke, while logout is the user-initiated
case). Three consumers (tx, undying, zzz) hand-rolled this same branch
before extraction.
Compose with create_ws_auth_guard to handle both kinds of disconnect:
const ws_guard = create_ws_auth_guard(transport, log);
const ws_logout_closer = create_ws_logout_closer(transport, log);
const on_audit_event = (event: AuditLogEvent): void => {
ws_guard(event);
ws_logout_closer(event);
};Ignores outcome === 'failure' events โ failed logouts carry
unauthenticated identifiers (no session to close anyway), and reacting
to them would let an unauthenticated probe close the targeted account's
sockets by submitting a logout for an arbitrary account_id.
transportloglogger for disconnect events (info level on non-zero closures)
LoggerAuditEventHandler an on_audit_event callback wireable alongside create_ws_auth_guard.
The returned callback mutates transport via close_sockets_for_account
on every successful logout event with a non-empty account_id.
testing/ws_round_trip.ts view source
<TCtx extends BaseHandlerContext>(options: CreateWsTestHarnessOptions<TCtx>): WsTestHarness Create a WebSocket test harness for the given specs + handlers.
Registers against a throwaway Hono app with a fake
upgradeWebSocket; the captured events factory is invoked per
connect() with a synthesized Hono context carrying the requested
auth identity. Returned clients drive the real
onOpen/onMessage/onClose path against a real WSContext.
optionsCreateWsTestHarnessOptions<TCtx>WsTestHarness auth/account_schema.ts view source
CreateAccountInput usernamepassword_hashstringemailEmail | nullserver/app_backend.ts view source
CreateAppBackendOptions Input for create_app_backend().
keyring is passed pre-validated โ callers handle their own error reporting
(e.g., tx uses runtime.exit(1) on invalid keys).
statGet file/directory stats, or null if path doesn't exist.
(path: string) => Promise<StatResult | null>read_text_fileRead a file as text.
(path: string) => Promise<string>delete_fileDelete a file.
(path: string) => Promise<void>database_urlDatabase connection URL (postgres://, file://, or memory://).
stringkeyringValidated cookie signing keyring.
passwordPassword hashing implementation. Use argon2_password_deps in production.
logStructured logger instance. Omit for default (new Logger('server')).
Loggeron_audit_eventCalled after each audit log INSERT succeeds. Use to broadcast audit events via SSE. Flows through AppDeps to all route factories automatically. Defaults to a noop.
(event: AuditLogEvent) => voidaudit_log_configAudit-log config for consumer event-type extensions. Built once at
startup via create_audit_log_config({extra_events}) and threaded
through AppDeps.audit_log_config to every fuz_app emit site so
consumer handlers cannot silently fall back to the builtin config.
Omit to use BUILTIN_AUDIT_LOG_CONFIG (no extra events).
migration_namespacesAdditional migration namespaces to run after the builtin auth namespace.
The shared schema_version table records one row per applied migration
(namespace, name, sequence); order is append-only so forward-only
guarantees hold per-namespace.
The reserved 'fuz_auth' namespace is rejected at startup. Omit for no
extra namespaces. This is the only place to splice consumer migrations
โ DB init belongs to the backend lifecycle, not server assembly.
ReadonlyArray<MigrationNamespace>auth/audit_log_schema.ts view source
CreateAuditLogConfigOptions Options for create_audit_log_config.
extra_eventsExtra event types keyed by event-type string. Value is a Zod metadata
schema, or null to register the type without validation (row still
written, metadata stored as raw JSONB).
Collisions with builtin event-type strings throw at construction.
Schemas are run via safeParse at insert time; mismatches log + count
but never throw (fail-open โ see the drift counters in auth/audit_log_queries.ts).
Readonly<Record<string, z.ZodType | null>>actions/broadcast_api.ts view source
CreateBroadcastApiOptions Options for create_broadcast_api.
peerThe peer holding the transport registry used for sends.
specsNotification specs to expose as broadcast methods. Typically the
remote_notification specs whose initiator is backend (or both).
Other kinds are accepted โ the helper only uses spec.method and
spec.input โ but the typical use is notifications.
ReadonlyArray<ActionSpecUnion>logLogger for validation/send errors. Defaults to a [broadcast] namespace.
LoggerType | nullshould_deliverOptional per-connection ACL predicate. When set, the broadcast fans out
via the transport's broadcast_filtered (feature-detected) โ each
connection's identity is checked before the message is sent. When
unset, the transport broadcasts unfiltered via transport.send.
Requires a transport that implements FilterableBroadcastTransport (today: only BackendWebsocketTransport). If set and the active transport is not filterable, the send is skipped and an error logged.
CreateDatabaseOptions Options for create_database.
logCreateDbResult Result of database initialization.
dbcloseClose the database connection. Bound to the actual driver at construction.
() => Promise<void>db_typedb_namestringactions/frontend_rpc_client.ts view source
CreateFrontendRpcClientOptions<TApi> Options for create_frontend_rpc_client.
TApiobjectobjectspecsAction specs the typed Proxy can dispatch. Methods absent from this
list silently return undefined from the Proxy โ the generic TApi
cannot constrain runtime membership, so consumers must keep this list
in sync with the typed surface (codegen recommended).
Protocol actions (heartbeat, cancel) are not auto-spread โ
they're filtered out of generated action_specs by codegen's
include_protocol_actions: false default and consumers spread them
in explicitly so the contract stays visible at every registration
site. For WS-using consumers, spread protocol_action_specs from
actions/protocol.ts here:
specs: [...protocol_action_specs, ...action_specs]. HTTP-only
consumers can omit them.
ReadonlyArray<ActionSpecUnion>pathHTTP RPC endpoint path for the default FrontendHttpTransport.
Defaults to /api/rpc. Ignored when transports is provided.
stringtransportsOptional explicit transport list. When provided, the default
FrontendHttpTransport(path) is not registered โ the caller is
responsible for at least one ready transport. Use for WS-first or
WS+HTTP mixed setups.
ReadonlyArray<Transport>transport_for_methodOptional per-method transport selector โ pure pass-through to
create_rpc_client. Return the transport name to use for a given
method, or undefined to fall back to the peer's default selection.
Useful when methods are registered on different backend dispatchers
(e.g. streaming actions on WS, REST RPC on HTTP) โ a tx-style mixed
setup. Per-call RpcClientCallOptions.transport_name overrides this
for individual dispatches.
on_action_eventOptional callback fired once per dispatched action โ pure pass-through
to create_rpc_client. Used by zzz-style consumers that thread the
ActionEvent into a reactive cell (add_from_json + listen_to_action_event)
for pending / failed / value derivations.
event.spec.method and event.data.method narrow to
keyof TApi & string โ drop the as ActionMethod cast at the call
site when TApi is a generated ActionsApi interface.
(event: ActionEvent<keyof TApi & string>) => voidlookup_action_handlerOptional handler resolver. Wired onto environment.lookup_action_handler
โ the registry the dispatcher uses to find handlers for inbound
messages and lifecycle phases. Defaults to () => undefined, which
is fine for HTTP-only frontends that never receive a server-pushed
notification or register a receive_error recovery hook.
Common reasons to provide this:
- Server-pushed notifications over WS โ return a handler for
(method, 'receive') so a remote_notification arriving on the
socket dispatches to your subscriber bus (tx-style).
- Per-method retry / telemetry on errors โ return a handler for
(method, 'receive_error'). Note that as of the
extract_action_result fix, a missing handler already produces
{ok: false, error} โ the stub is no longer required just to
surface server errors.
ActionEventEnvironment['lookup_action_handler']auth/invite_schema.ts view source
CreateInviteInput Input for creating an invite.
emailEmail | nullusernameUsername | nullcreated_byUuid | nullauth/permit_offer_schema.ts view source
CreatePermitOfferInput Input for query_permit_offer_create.
expires_at must be supplied โ the query layer does not apply a default,
so callers can thread their own TTL (typically PERMIT_OFFER_DEFAULT_TTL_MS).
from_actor_idUuidto_account_idUuidrolestringscope_idUuid | nullmessagestring | nullexpires_atDateactions/rpc_client.ts view source
CreateRpcClientOptions<TApi> Options for create_rpc_client.
TApiobjectobjectpeerenvironmenton_action_eventOptional callback fired once per dispatched action with the live
ActionEvent. Consumers wire reactive state here โ e.g. zzz's Actions
cell calls add_from_json + listen_to_action_event inside the
callback so its history stays decoupled from the rpc_client surface.
event.spec.method and event.data.method narrow to
keyof TApi & string โ drop the as ActionMethod cast at the call
site when TApi is a generated ActionsApi interface.
(event: ActionEvent<keyof TApi & string>) => voidtransport_for_methodOptional per-method transport selector. When provided, the client calls
peer.send(msg, {transport_name}) with the returned transport for each
request_response / remote_notification dispatch. Returning undefined
falls back to the peer's default selection.
actions/action_rpc.ts view source
CreateRpcEndpointOptions Options for create_rpc_endpoint.
pathMount path for the endpoint (e.g., /api/rpc).
stringactionsRPC actions to serve.
Array<RpcAction>logLogger instance for handler context.
Loggeraction_ip_rate_limiterPer-IP rate limiter consulted for actions whose spec declares
rate_limit: 'ip' or 'both'. null disables the IP check.
Per-action gate via action.spec.rate_limit. Same limiter is
shared with the WebSocket action dispatcher โ one budget per
action, not per transport.
RateLimiter | nullaction_account_rate_limiterPer-actor rate limiter consulted for actions whose spec declares
rate_limit: 'account' or 'both'. Keyed on
request_context.actor.id. null disables the account check.
Same limiter is shared with the WebSocket action dispatcher.
RateLimiter | nullauth/session_lifecycle.ts view source
CreateSessionAndSetCookieOptions Options for create_session_and_set_cookie.
keyringKeyring for cookie signing.
depsQuery deps (needs db for session creation).
cHono context for setting the cookie.
Contextaccount_idThe account to create a session for.
stringsession_optionsSession cookie configuration.
SessionOptions<string>max_sessionsPer-account session cap (null to skip enforcement).
number | nulltesting/app_server.ts view source
CreateTestAppOptions Configuration for create_test_app.
create_route_specsRoute spec factory โ called with the assembled AppServerContext.
(context: AppServerContext) => Array<RouteSpec>rpc_endpointsRPC endpoints mounted by create_app_server โ eager array or
(ctx: AppServerContext) => Array<RpcEndpointSpec> factory. Symmetric
with the suite-level rpc_endpoints option on
describe_standard_admin_integration_tests etc., so callers wiring a
full RPC stack don't have to switch shapes between low-level and
suite-level helpers. Equivalent to app_options.rpc_endpoints; when
both are set app_options wins and console.warn fires.
app_optionsOptional overrides for AppServerOptions (backend, session_options, and create_route_specs are managed).
Partial<
Omit<AppServerOptions, 'backend' | 'session_options' | 'create_route_specs'>
>CreateTestAppSurfaceSpecOptions Options for create_test_app_surface_spec.
session_optionsConsumer's session config (required โ varies per app).
SessionOptions<string>create_route_specsConsumer's route factory โ receives the same AppServerContext as production.
(ctx: AppServerContext) => Array<RouteSpec>env_schemaEnv schema for surface generation (default: BaseServerEnv).
z.ZodObjectevent_specsSSE event specs for surface generation.
Array<EventSpec>rpc_endpointsRPC endpoint specs for surface generation.
Accepts either an array (eager) or a factory
(ctx: AppServerContext) => Array<RpcEndpointSpec> โ symmetric with
create_app_server's rpc_endpoints option, so consumers can pass
the same factory to both entry points. The factory runs once against
the stub AppServerContext this helper already builds.
Array<RpcEndpointSpec> | ((ctx: AppServerContext) => Array<RpcEndpointSpec>)transform_middlewareTransform middleware array (e.g., tx's extend_middleware_for_tx_binary).
(specs: Array<MiddlewareSpec>) => Array<MiddlewareSpec>bootstrap_route_prefixBootstrap route prefix (default: '/api/account').
stringtesting/ws_round_trip.ts view source
CreateWsTestHarnessOptions<TCtx> Options for create_ws_test_harness.
TCtxactionsThe actions registered on this endpoint โ matches the shape
register_action_ws accepts. Each entry is a {spec, handler?} tuple;
shared fuz_app primitives (like heartbeat_action) can be spread in
alongside consumer-specific actions.
ReadonlyArray<Action<TCtx>>extend_contextRegisterActionWsOptions<TCtx>['extend_context']transportPass a pre-created transport to share with a broadcast API.
heartbeatThreaded through to register_action_ws. Defaults to false in tests โ
fake timers + receive-silence detection need explicit opt-in and per-
test tuning to avoid spurious closes.
RegisterActionWsOptions<TCtx>['heartbeat']logOptional logger. Defaults to a silent [ws-test] logger.
Loggeron_socket_openThreaded straight through to register_action_ws.
RegisterActionWsOptions<TCtx>['on_socket_open']on_socket_closeThreaded straight through to register_action_ws.
RegisterActionWsOptions<TCtx>['on_socket_close']"credential_type" Hono context variable name for the credential type.
readonly ["session", "api_token", "daemon_token"] The credential types that can authenticate a request.
ZodEnum<{ session: "session"; api_token: "api_token"; daemon_token: "daemon_token"; }> Credential type โ how a request was authenticated.
auth/daemon_token.ts view source
"X-Daemon-Token" The X-Daemon-Token header name.
ZodObject<{ version: ZodNumber; pid: ZodNumber; port: ZodNumber; started: ZodString; app_version: ZodString; }, $strict> Daemon info schema for ~/.{name}/run/daemon.json.
auth/daemon_token.ts view source
ZodString Daemon token format: 43 base64url characters (256 bits).
auth/daemon_token_middleware.ts view source
DaemonTokenRotation Result of starting daemon token rotation.
stateThe mutable runtime state. Pass to create_daemon_token_middleware.
stopStop rotation, clean up the interval, and delete the token file. Call on graceful shutdown.
() => Promise<void>auth/daemon_token_middleware.ts view source
DaemonTokenRotationOptions Options for daemon token rotation.
app_nameApplication name (for ~/.{name}/run/daemon_token).
stringrotation_interval_msRotation interval in ms. Default: 30000 (30s).
numberauth/daemon_token.ts view source
DaemonTokenState Mutable runtime state for daemon token rotation.
This is runtime state (not AppDeps or *Options) โ it changes during
operation. Created at server startup, passed to the middleware factory.
current_tokenCurrent valid token.
stringprevious_tokenPrevious token, still valid during the race window. null before first rotation.
string | nullrotated_atWhen the last rotation occurred.
Datekeeper_account_idThe account ID of the keeper (resolved at startup, set by on_bootstrap).
string | nullauth/daemon_token_middleware.ts view source
DaemonTokenWriteDeps Deps for writing the daemon token to disk.
testing/data_exposure.ts view source
DataExposureTestOptions Options for describe_data_exposure_tests.
buildBuild the app surface spec (for schema-level checks).
() => AppSurfaceSpecsession_optionsSession config for runtime tests.
SessionOptions<string>create_route_specsRoute spec factory for runtime tests.
(ctx: AppServerContext) => Array<RouteSpec>sensitive_fieldsFields that must never appear in any response. Default: SENSITIVE_FIELD_BLOCKLIST.
ReadonlyArray<string>admin_only_fieldsFields that must not appear in non-admin responses. Default: ADMIN_ONLY_FIELD_BLOCKLIST.
ReadonlyArray<string>app_optionsOptional overrides for AppServerOptions.
Partial<
Omit<AppServerOptions, 'backend' | 'session_options' | 'create_route_specs'>
>db_factoriesDatabase factories to run tests against. Default: pglite only.
Array<DbFactory>skip_routesRoutes to skip, in 'METHOD /path' format.
Array<string>120 Default initial column width in pixels.
50 Default minimum column width in pixels.
DatatableColumn<T> Column definition for a Datatable.
TunknownkeyRow data accessor key.
string & keyof TlabelHeader label text.
stringwidthInitial column width in pixels.
numbermin_widthMinimum column width in pixels.
numberformatFormat a cell value for display. Falls back to format_value when absent.
(value: T[keyof T], row: T) => stringDatabase wrapper providing a consistent query and transaction interface.
Construct via create_pg_db() from db/db_pg.ts or create_pglite_db() from
db/db_pglite.ts for proper transaction support, or via create_db() for
URL-based auto-detection.
const {db, close} = await create_db('postgres://...');
const users = await db.query<User>('SELECT * FROM users WHERE active = $1', [true]);
await db.transaction(async (tx) => {
await tx.query('INSERT INTO users ...');
await tx.query('INSERT INTO audit_log ...');
});
await close();clienttype DbClient
constructortype new (options: DbDeps): Db
optionsqueryExecute a query and return all rows.
type <T>(text: string, values?: unknown[] | undefined): Promise<T[]>
textSQL text with $1, $2, ... parameter placeholders
stringvalues?parameter values bound to the placeholders in text
unknown[] | undefinedPromise<T[]>the result rows, typed as T
query_oneExecute a query and return the first row, or undefined if no rows.
type <T>(text: string, values?: unknown[] | undefined): Promise<T | undefined>
textSQL text with $1, $2, ... parameter placeholders
stringvalues?parameter values bound to the placeholders in text
unknown[] | undefinedPromise<T | undefined>the first row, or undefined when the result set is empty
transactionRun a function inside a database transaction.
The callback receives a transaction-scoped Db. Queries inside the callback go through the transaction connection; queries outside use the pool normally. Commits on success, rolls back on error.
type <T>(fn: (tx_db: Db) => Promise<T>): Promise<T>
fnasync function receiving a transaction-scoped Db
(tx_db: Db) => Promise<T>Promise<T>the value returned by fn
Error - propagated from `fn` after `ROLLBACK`, or from the driverDbClient Minimal interface that both pg and pglite satisfy.
query<T = unknown>(text: string, values?: Array<unknown>) => Promise<{rows: Array<T>}>DbDeps Configuration for constructing a Db with transaction support.
transaction is injected by create_db which knows the driver.
For pg: acquires a dedicated pool client per transaction.
For PGlite: delegates to pglite.transaction().
clienttransaction<T>(fn: (tx_db: Db) => Promise<T>) => Promise<T>DbDriverResult Result of constructing a driver-specific Db.
Returned by create_pg_db() and create_pglite_db().
The close callback is bound to the actual driver โ callers
never need to know which driver is in use.
dbcloseClose the database connection. Bound to the actual driver at construction.
() => Promise<void>DbFactory Factory interface for creating test database instances.
namestringcreate() => Promise<Db>close(db: Db) => Promise<void>skipbooleanskip_reasonstringDbRouteOptions Per-factory configuration for db routes.
db_typedb_namestringextra_statsOptional callback to provide app-specific stats in the health response.
(db: Db) => Promise<Record<string, unknown>>logOptional logger for server-side diagnostics (e.g. FK violation details).
LoggerDbStatus Full database status snapshot.
connectedWhether the database is reachable.
booleanerrorError message if connection failed.
stringtable_countNumber of public tables.
numbertablesPer-table row counts.
Array<TableStatus>migrationsPer-namespace migration status.
Array<MigrationStatus>old_tracker_shapeTrue if the pre-0.42 schema_version shape (with a version column)
was detected. The runner refuses to start in this state โ operators
see this flag as their cue to drop the table or call baseline().
booleanDbType Database driver type.
RateLimiterOptions Default options for per-actor action-dispatcher rate limiting: 1200 attempts per 15 minutes. Shared by the HTTP RPC and WebSocket action dispatchers. Permissive โ sustained ~80/min is well above any human admin workflow; an oracle probing 10k addresses still finishes in ~2 hours, slow enough to surface in audit. Tighten downstream.
RateLimiterOptions Default options for per-IP action-dispatcher rate limiting: 600 attempts per 15 minutes. Shared by the HTTP RPC and WebSocket action dispatchers (one budget per action, not per transport). Permissive โ catches runaway scripts and egregious oracle probes, but well above human or normal automation pace. Tighten downstream for stricter deployments.
actions/socket.svelte.ts view source
1.5 Exponential backoff factor: delay = base * factor^(attempt-1).
actions/socket.svelte.ts view source
1000 Default WebSocket close code (normal closure).
actions/action_codegen.ts view source
"./action_collections.js" Default collections_path โ every consumer's gen producers point at the sibling action_collections.js.
testing/surface_invariants.ts view source
ErrorSchemaTightnessOptions Baseline error schema tightness applied by describe_standard_attack_surface_tests when no config is passed.
Uses min_specificity: 'enum' (the assertion default) with ignore_statuses
for middleware-derived status codes that are commonly generic (auth middleware
produces multiple error codes at 401/403, and 429 comes from rate limiters),
and allowlist seeded with FUZ_APP_STOCK_ROUTE_TIGHTNESS_ALLOWLIST so
fuz_app-shipped routes with heterogeneous generic schemas don't force every
consumer to hand-maintain an identical allowlist. Consumers can pass a
narrower config with project-specific allowlist entries, or pass null
to skip the assertion entirely.
ui/format_scope.ts view source
(args: { scope_id: string | null; role: string; }): string | null Default FormatScope โ always returns null so callers fall back to the raw uuid.
args{ scope_id: string | null; role: string; }string | null actions/socket.svelte.ts view source
30000 Idle interval before sending a heartbeat (ms).
actions/socket.svelte.ts view source
60000 Max receive silence before closing with WS_CLOSE_CLIENT_HEARTBEAT_TIMEOUT (ms).
testing/error_coverage.ts view source
0.2 Default minimum error coverage threshold for the standard integration and admin test suites. Conservative โ not all error paths are exercisable in the composable suites. Consumers should increase as their test suites mature.
RateLimiterOptions Default options for per-account login rate limiting: 10 attempts per 30 minutes.
auth/account_routes.ts view source
250 Default minimum wall-clock time (ms) for a login failure (401) response.
Picked to exceed the p99 of every 401 code path (Argon2id dominates at
~100ms, plus DB + overhead). The handler races failure work against
sleep(floor + jitter) via await, so observed response time = max(work,
delay). Found-vs-not-found and rate-limit-skipped-vs-not paths converge.
Only 401 is padded โ 429 stays fast by design to keep rate-limit DoS
handling cheap.
auth/account_routes.ts view source
25 Default uniform jitter window (ยฑms) layered on the floor.
Random jitter prevents a stable clamp point from leaking whenever a path
occasionally exceeds the floor. Math.random is sufficient โ we only need
unpredictability of the exact delay, not cryptographic guarantees.
RateLimiterOptions Default options for per-IP login rate limiting: 5 attempts per 15 minutes.
server/app_server.ts view source
number Default maximum request body size: 1 MiB.
auth/account_routes.ts view source
5 Default maximum sessions per account.
auth/account_routes.ts view source
10 Default maximum API tokens per account.
actions/action_codegen.ts view source
"./action_metatypes.js" Default metatypes_path โ sibling action_metatypes.js carrying the generated ActionMethod.
actions/socket.svelte.ts view source
100 Default bound on buffered requests while disconnected. Overflow rejects.
100000 Default tracked-key cap: bounds worst-case memory under key-enumeration attacks (an attacker rotating source IPs cannot grow the backing map indefinitely between cleanup ticks). Tuned to comfortably fit real traffic for a single-instance deployment while capping memory at a few MB in the worst case.
actions/socket.svelte.ts view source
1000 Base reconnect delay in ms.
actions/socket.svelte.ts view source
10000 Max reconnect delay in ms (cap on exponential backoff).
auth/daemon_token_middleware.ts view source
30000 Default rotation interval in milliseconds (30 seconds).
actions/register_action_ws.ts view source
60000 Default inactivity window before the server closes a silent socket.
SetupLogger Default logger using bracket format.
actions/action_codegen.ts view source
"./action_specs.js" Default specs_module โ sibling action_specs.js namespace bundled by the consumer.
http/error_schemas.ts view source
(auth: RouteAuth, has_input: boolean, has_params?: boolean, has_query?: boolean, rate_limit?: "both" | "ip" | "account" | undefined): Partial<Record<number, ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>>> Derive error schemas from a route's auth requirement, input schema, and rate limit config.
Returns the error schemas that middleware will auto-produce for this route.
Route handlers can declare additional error schemas via RouteSpec.errors;
explicit entries override auto-derived ones for the same status code.
Derivation rules:
- Has input schema (non-null) or has params schema or has query schema: 400 (validation error with issues)
- auth: authenticated: 401
- auth: role: 401 + 403 (with required_role)
- auth: keeper: 401 + 403 (keeper-specific)
- rate_limit: 429 (rate limit exceeded with retry_after)
authhas_inputbooleanhas_paramsbooleanfalsehas_querybooleanfalserate_limit?"both" | "ip" | "account" | undefinedPartial<Record<number, ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>>> actions/action_bridge.ts view source
(side_effects: boolean): RouteMethod Derive the default HTTP method from side effects.
side_effectsbooleanRouteMethod testing/adversarial_404.ts view source
(options: AdversarialTestOptions): void Generate adversarial 404 response validation tests.
For each route with params + 404 in error_schemas:
1. Creates a stub handler returning 404 with the declared error code
2. Fires a request with valid-format params (nil UUIDs for UUID params)
3. Validates response status is 404
4. Validates response body matches the declared 404 Zod schema
optionsvoid testing/attack_surface.ts view source
(options: AdversarialTestOptions): void Generate adversarial HTTP auth enforcement test suites.
Describe blocks: - unauthenticated โ 401 โ every protected route - wrong role โ 403 โ every role route, tested with all non-matching roles - authenticated without role โ 403 โ every role route, no-role context - correct auth passes guard โ every protected route, assert not 401/403
optionsvoid testing/adversarial_input.ts view source
(options: AdversarialTestOptions): void Generate adversarial input validation test suites.
Tests input body validation and params validation for all routes. Uses correct auth credentials so auth guards pass and validation middleware is actually exercised.
optionsvoid testing/audit_completeness.ts view source
(options: AuditCompletenessTestOptions): void Composable audit log completeness test suite.
Verifies that every auth mutation route produces the correct audit log
event type. Exercises routes via HTTP requests against a real PGlite
database, then queries the audit_log table to verify events.
optionsvoid Error - at setup time when `options.rpc_endpoints` is empty โ thetesting/middleware.ts view source
(suite_name: string, cases: BearerAuthTestCase[], ip_rate_limiter?: RateLimiter | null): void Run a table of bearer auth middleware test cases.
Generates one test() per case inside a describe() block.
suite_namestringcasesBearerAuthTestCase[]ip_rate_limiterRateLimiter | nullnullvoid testing/data_exposure.ts view source
(options: DataExposureTestOptions): void Composable data exposure test suite.
Three test groups: 1. Schema-level โ walk JSON Schema output/error schemas for sensitive field names 2. Runtime โ fire real requests and check response bodies against blocklists 3. Cross-privilege โ admin routes return 403 for non-admin, error responses contain no sensitive fields
optionsvoid testing/rate_limiting.ts view source
(options: RateLimitingTestOptions): void Standard rate limiting integration test suite.
Creates 3 test groups:
1. IP rate limiting on login โ fires max_attempts + 1 login requests,
verifies the last returns 429 with a valid RateLimitError body.
2. Per-account rate limiting on login โ fires max_attempts + 1 login
requests with the same username, verifies the last returns 429.
3. Bearer auth IP rate limiting โ fires max_attempts + 1 bearer requests
with an invalid token, verifies the last returns 429.
Each test group asserts that required routes exist, failing with a descriptive message if the consumer's route specs are misconfigured.
optionsvoid Error - at setup time when `options.rpc_endpoints` is empty โ thetesting/round_trip.ts view source
(options: RoundTripTestOptions): void Run schema-driven round-trip validation tests.
For each route: 1. Resolve URL with valid params 2. Generate a valid request body (or use override) 3. Pick auth headers matching the route's auth requirement 4. Fire the request and validate the response against declared schemas
SSE routes are skipped (Content-Type text/event-stream).
Routes returning non-2xx with valid input are still validated against
their declared error schemas.
optionsvoid testing/rpc_attack_surface.ts view source
(options: RpcAttackSurfaceOptions): void Run the standard RPC attack surface test suite.
Generates 3 test groups: 1. Auth enforcement โ per-method auth checks via JSON-RPC envelopes 2. Adversarial envelopes โ malformed JSON-RPC requests 3. Adversarial params โ schema-invalid params per method
Skips silently when surface.rpc_endpoints is empty.
optionsvoid testing/rpc_round_trip.ts view source
(options: RpcRoundTripTestOptions): void Run schema-driven round-trip validation for RPC endpoints.
For each method:
1. Generate valid params from the action's input schema
2. Fire a POST request with JSON-RPC envelope
3. For side_effects: false methods, also fire a GET request
4. Validate response is well-formed JSON-RPC; successful responses are
also validated against the method's declared output schema
Error responses (from missing DB state, etc.) are expected and validated
as well-formed JSON-RPC errors. Successful responses are validated against
action.spec.output.
optionsvoid testing/sse_round_trip.ts view source
(options: SseRouteTestOptions): void Run SSE route validation tests.
For each route: opens an authenticated SSE connection, asserts the connected comment, fires the trigger, validates the resulting payload, then asserts close-on-revoke (unless opted out).
optionsvoid Error - at setup time when `options.rpc_endpoints` is empty โ thetesting/admin_integration.ts view source
(options: StandardAdminIntegrationTestOptions): void Standard admin integration test suite for fuz_app admin routes.
Exercises account listing, permit grant/revoke (via RPC), session management, token management, audit log reads, admin-to-admin isolation, and 401/403 error-coverage on the admin REST surface. Output-schema conformance is not in scope โ see the module docstring for the suites that cover it.
optionsvoid Error - at setup time when `options.rpc_endpoints` is empty โ admintesting/adversarial_headers.ts view source
(suite_name: string, options: TestMiddlewareStackOptions, allowed_origin: string, extra_cases?: AdversarialHeaderCase[] | undefined): void Create a middleware stack app with standard adversarial header tests.
Convenience wrapper combining create_test_middleware_stack_app
and create_standard_adversarial_cases. Generates one test() per case
inside a describe() block โ asserts body content for both error and
success cases, and verifies that mock_validate was (or was not) reached
per the case's validate_expectation flag, ensuring earlier middleware
actually short-circuits before token validation in the rejection cases.
suite_namethe describe block name
stringoptionsmiddleware stack configuration
allowed_originan origin that passes the origin check (used for standard cases)
stringextra_cases?additional cases appended after the 7 standard ones
AdversarialHeaderCase[] | undefinedvoid testing/attack_surface.ts view source
(options: StandardAttackSurfaceOptions): void Run the standard attack surface test suite.
Generates 10 test groups:
1. Snapshot โ live surface matches committed JSON
2. Determinism โ building twice yields identical results
3. Public routes โ bidirectional check (no unexpected, no missing)
4. Middleware stack โ every API route has the full middleware chain
5. Surface invariants โ structural assertions (error schemas, descriptions, duplicates, consistency)
6. Security policy โ rate limiting on sensitive routes, no unexpected public mutations, method conventions
7. Error schema tightness โ informational log of generic vs specific error schemas, plus assertion against DEFAULT_ERROR_SCHEMA_TIGHTNESS by default (opt out with error_schema_tightness: null)
8. Adversarial auth โ unauthenticated/wrong-role/correct-auth enforcement
9. Adversarial input โ input body and params validation
10. Adversarial 404 โ stub 404 handlers, validate response bodies against declared schemas
Consumer test files call this with project-specific options, then add
any project-specific assertions in additional describe blocks.
optionsvoid testing/integration.ts view source
(options: StandardIntegrationTestOptions): void Standard integration test suite for fuz_app auth routes.
Exercises login/logout, cookie attributes, session security, session revocation, password change (incl. API token revocation), origin verification, bearer auth (incl. browser context discard on mutations), token revocation, cross-account isolation, expired credential rejection, signup invite edge cases, and response body validation.
Each test group asserts that required routes exist, failing with a descriptive message if the consumer's route specs are misconfigured.
optionsvoid Error - at setup time when `options.rpc_endpoints` is empty โ thetesting/standard.ts view source
(options: StandardTestOptions): void Run both standard integration and admin integration test suites.
Admin tests are only included when roles is provided.
optionsvoid testing/schema_generators.ts view source
(field_schema: ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>): string | null Detect format constraints on a field by converting to JSON Schema. Returns format string (e.g. 'uuid', 'email') or null.
field_schemaZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>string | null realtime/sse_auth_guard.ts view source
ReadonlySet<string> Audit event types that trigger SSE stream disconnection.
permit_revoke requires the revoked role to match the guard's required_role
(or is skipped entirely when required_role is null โ useful for streams
not gated by any specific permit).
session_revoke_all and password_change close every stream for the target account.
session_revoke closes only the stream tied to the specific revoked session
(matched by the blake3 session hash in event.metadata.session_id) โ closing
all of a user's streams for a single-session revoke would be over-aggressive.
testing/ws_round_trip.ts view source
(on_message: (evt: MessageEvent<WSMessageReceive>, ws: WSContext<unknown>) => void, event: MessageEvent<any>, ws: WSContext<unknown>): Promise<...> Hono types WSEvents.onMessage as () => void | Promise<void>.
Awaits only the Promise branch so tests observe full dispatch
(auth, validation, handler, send).
on_message(evt: MessageEvent<WSMessageReceive>, ws: WSContext<unknown>) => voideventMessageEvent<any>wsWSContext<unknown>Promise<void> (db: Db): Promise<void> Drop all auth tables and schema version tracking for a clean slate.
Recommended at the start of init_schema callbacks for create_pg_factory.
Persistent test databases can accumulate stale schema from previous fuz_app
versions โ this ensures migrations run against a truly empty database.
Safe on fresh databases (IF EXISTS on all statements). No-op effect for
PGlite (already fresh), but harmless to call unconditionally.
dbPromise<void> server/app_server.ts view source
EffectErrorContext Context passed to on_effect_error when a pending effect rejects.
methodHTTP method of the request that spawned the effect.
stringpathURL path of the request that spawned the effect.
stringauth/account_schema.ts view source
ZodEmail Email validation.
http/pending_effects.ts view source
(ctx: PendingEffectsContext, fn: () => void): void Defer a side effect until after the handler's transaction commits.
Exceptions thrown by fn are caught and logged via ctx.log.error, so one
failed send cannot corrupt the already-committed response or starve other
queued effects in the same tick.
ctxcontext carrying log and the pending_effects queue
fnsynchronous side effect to run after commit
() => voidvoid (schema: ZodObject<$ZodLooseShape, $strip>): AppSurfaceEnv[] Convert env schema to surface entries using .meta() metadata.
schemaZod object schema with .meta() on fields
ZodObject<$ZodLooseShape, $strip>AppSurfaceEnv[] EnvDeps Environment variable access.
env_getGet an environment variable value.
(name: string) => string | undefinedenv_setSet an environment variable.
(name: string, value: string) => voidError thrown when environment validation fails.
Contains structured information for apps to format their own error messages.
ErrorrawThe raw env values that were read.
type Record<string, string | undefined>
zod_errorThe Zod validation error.
type z.core.$ZodError
all_undefinedTrue if every env var was undefined (nothing loaded).
type boolean
constructortype new (raw: Record<string, string | undefined>, zod_error: $ZodError<unknown>): EnvValidationError
rawRecord<string, string | undefined>zod_error$ZodError<unknown>format_issuesFormat Zod validation issues as human-readable strings.
type (): string[]
string[]array of formatted issue strings like "PORT: Expected number"
EnvValidationResult Result of env var validation.
Uses discriminated union for better type narrowing:
- ok: true, missing: null โ all vars present
- ok: false, missing: EnvVarRef[] โ some vars missing
EnvVarRef An env var reference found in a config.
nameVariable name (without $$ delimiters).
stringpathPath where the reference was found (e.g., "target.host", "resources[3].path").
stringhttp/error_schemas.ts view source
"account_not_found" Token references a deleted account.
http/error_schemas.ts view source
"already_bootstrapped" Bootstrap lock already acquired โ system already bootstrapped.
http/error_schemas.ts view source
"authentication_required" No valid session or bearer token.
http/error_schemas.ts view source
"bearer_token_rejected_in_browser_context" Bearer token sent with Origin/Referer header (browser context).
http/error_schemas.ts view source
"bootstrap_not_configured" Bootstrap endpoint called but no token path configured.
http/error_schemas.ts view source
"database_connection_failed" Database health-check query failed (connectivity or query error).
http/error_schemas.ts view source
"forbidden_origin" Request origin not in allowlist.
http/error_schemas.ts view source
"forbidden_referer" Request referer not in allowlist.
http/error_schemas.ts view source
"foreign_key_violation" DELETE blocked by a foreign key constraint.
http/error_schemas.ts view source
"insufficient_permissions" Authenticated but missing required role.
http/error_schemas.ts view source
"invalid_credentials" Username or password is wrong (intentionally vague for enumeration prevention).
http/error_schemas.ts view source
"invalid_daemon_token" Daemon token header present but malformed or not matching current/previous token.
http/error_schemas.ts view source
"invalid_event_type" Query parameter event_type is not a valid audit event type.
http/error_schemas.ts view source
"invalid_json_body" Request body is not valid JSON or not an object.
http/error_schemas.ts view source
"invalid_query_params" URL query params failed Zod validation.
http/error_schemas.ts view source
"invalid_request_body" Request body failed Zod validation.
http/error_schemas.ts view source
"invalid_route_params" URL path params failed Zod validation.
http/error_schemas.ts view source
"invalid_token" Bearer token failed validation (missing, malformed, or revoked).
http/error_schemas.ts view source
"invite_account_exists_email" An account already exists with this invite's email.
http/error_schemas.ts view source
"invite_account_exists_username" An account already exists with this invite's username.
http/error_schemas.ts view source
"invite_duplicate" An unclaimed invite already exists for this email or username.
http/error_schemas.ts view source
"invite_missing_identifier" Invite must have at least an email or username.
http/error_schemas.ts view source
"invite_not_found" Invite not found (for delete operations).
http/error_schemas.ts view source
"keeper_account_not_configured" Daemon token valid but keeper account not yet resolved (pre-bootstrap).
http/error_schemas.ts view source
"keeper_account_not_found" Keeper account ID set but account row not found.
http/error_schemas.ts view source
"keeper_requires_daemon_token" Keeper routes require daemon_token credential type.
http/error_schemas.ts view source
"no_matching_invite" No unclaimed invite matches the signup credentials.
auth/permit_offer_action_specs.ts view source
"offer_expired" Error reason โ offer's expires_at has passed.
auth/permit_offer_action_specs.ts view source
"offer_not_authorized" Error reason โ caller is not authorized to offer this role (default policy: caller lacks the role; consumer authorize callback may add further policy).
auth/permit_offer_action_specs.ts view source
"offer_not_found" Error reason โ offer does not exist or belongs to a different recipient (404-over-403 IDOR mask).
auth/permit_offer_action_specs.ts view source
"offer_role_not_grantable" Error reason โ the offered role is not web_grantable (nobody may offer it via this surface).
auth/permit_offer_action_specs.ts view source
"offer_self_target" Error reason โ caller tried to offer themselves a permit.
auth/permit_offer_action_specs.ts view source
"offer_terminal" Error reason โ offer is declined, retracted, or superseded.
http/error_schemas.ts view source
"payload_too_large" Request body exceeds the maximum allowed size.
http/error_schemas.ts view source
"permit_not_found" Permit ID not found or not owned by the target actor.
http/error_schemas.ts view source
"rate_limit_exceeded" Rate limiter rejected the request.
auth/self_service_role_action_specs.ts view source
"role_not_self_service_eligible" Error reason โ caller asked to self-toggle a role outside the configured allowlist.
http/error_schemas.ts view source
"role_not_web_grantable" Admin tried to grant a role that is not web-grantable.
http/error_schemas.ts view source
"row_not_found" Row with the given PK value not found.
http/error_schemas.ts view source
"signup_conflict" Signup conflict โ username or email already taken (intentionally vague for enumeration prevention).
http/error_schemas.ts view source
"table_no_primary_key" Table has no primary key constraint (cannot delete by PK).
http/error_schemas.ts view source
"table_not_found" Table name not found in information_schema.
http/error_schemas.ts view source
"token_file_missing" Bootstrap token file not found on disk.
testing/error_coverage.ts view source
Tracks which route ร status (and route ร status ร code) combinations have been exercised in tests.
Use record() to log an observed status (optionally with the body's error
code), or assert_and_record() to combine response validation with tracking
(auto-extracts body.error from the response when present).
After all tests, call uncovered() to find declared error paths never
exercised.
An observation recorded without a code still satisfies "any-code" coverage
requirements for the same status โ i.e., if a caller records just the status,
all declared codes for that status are considered covered. Per-code tracking
is additive: callers who know the body's error value should pass it to get
precise per-code gap reporting on routes with literal/enum error schemas.
observedObserved keys: "METHOD /spec-path:STATUS" or "METHOD /spec-path:STATUS:CODE".
Both shapes coexist โ the code-less key marks the status as covered at any code; a code-bearing key adds per-code precision.
type Set<string>
recordRecord an observed error status (optionally with the body's error code) for a route.
Resolves the concrete request path back to the spec template path
(e.g., /api/accounts/abc โ /api/accounts/:id). When code is provided,
it is stored alongside the status for per-code coverage tracking.
type (route_specs: RouteSpec[], method: string, path: string, status: number, code?: string | undefined): void
route_specsRouteSpec[]methodstringpathrequest path (may be concrete)
stringstatusnumbercode?observed body error code (pass when the route's error
schema declares specific codes via z.literal or z.enum)
string | undefinedvoidassert_and_recordValidate a response against its route spec and record the status.
Wraps assert_response_matches_spec and records the status code. For
error responses, auto-extracts body.error from the JSON body (via a
cloned response, so the original stream stays usable) and records it
for per-code coverage. Pass an explicit code to override the
auto-extracted value or when the body was already consumed.
type (route_specs: RouteSpec[], method: string, path: string, response: Response, code?: string | undefined): Promise<void>
route_specsRouteSpec[]methodstringpathstringresponseResponsecode?observed body error code (override; if omitted and the
response body is a JSON object with a string error field, that value
is auto-extracted)
string | undefinedPromise<void>Error - if the response body fails the route spec's declareduncoveredFind declared error paths that were never observed.
Computes the declared set from merge_error_schemas for each route spec.
For statuses whose error schema names specific codes (via z.literal or
z.enum), reports per-code rows; otherwise reports one row per status.
A status-only observation (no code) satisfies all declared codes for that
status โ the "any-code" rule.
type (route_specs: RouteSpec[], options?: CoverageFilterOptions | undefined): UncoveredEntry[]
route_specsRouteSpec[]options?CoverageFilterOptions | undefinedUncoveredEntry[]testing/error_coverage.ts view source
ErrorCoverageOptions Options for assert_error_coverage.
min_coverageMinimum coverage ratio (0โ1). Default 0 (informational only).
numbertesting/surface_invariants.ts view source
ErrorSchemaAuditEntry A single entry in the error schema tightness audit report.
methodstringroute_pathstringstatusstringspecificityerror_codesThe literal value or enum values, if specific.
Array<string> | nulltesting/surface_invariants.ts view source
ErrorSchemaSpecificity Specificity level of an error schema's error field.
testing/surface_invariants.ts view source
ErrorSchemaTightnessOptions Options for assert_error_schema_tightness.
min_specificityMinimum specificity level. Error schemas below this threshold fail. Default: 'enum'.
ignore_statusesHTTP status codes to skip (e.g., middleware-injected codes).
Array<number>allowlistRoutes to skip, in 'METHOD /path' format.
Array<string>(event_specs: EventSpec[]): AppSurfaceEvent[] Convert SSE event specs to surface entries.
event_specsEventSpec[]AppSurfaceEvent[] EventSpec Spec for a push event โ declares params schema, description, and channel.
methodEvent method name, used as the JSON-RPC notification method.
stringparamsZod schema for the notification params payload.
z.ZodTypedescriptionHuman-readable description for surface output and docs.
stringchannelChannel this event broadcasts on. Omit for cross-channel events.
stringactions/action_event_helpers.ts view source
(event: ActionEvent<string, "send_request" | "receive_request" | "send_response" | "receive_response" | "send_error" | "receive_error" | "send" | "receive" | "execute", "initial" | "parsed" | "handling" | "handled" | "failed">): Result<...> Pull the terminal Result from an action event.
data.error populated โ error path (covers both explicit failed and
the unhandled receive_error / send_error case where no handler was
registered for the error phase). step === 'handled' โ success path.
eventActionEvent<string, "send_request" | "receive_request" | "send_response" | "receive_response" | "send_error" | "receive_error" | "send" | "receive" | "execute", "initial" | "parsed" | "handling" | "handled" | "failed">Result<{ value: unknown; }, { error: { [x: string]: unknown; code: -32700 | -32600 | -32601 | -32602 | -32603 | (number & $brand<"JsonrpcServerErrorCode">); message: string; data?: unknown; }; }> Error - if the event is in a non-terminal state (programming error โtesting/error_coverage.ts view source
(schema: ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>): string[] | null Extract declared error code values from an error response schema.
Recognizes schemas shaped like z.object({error: z.literal(...)}) or
z.object({error: z.enum([...])}) (incl. looseObject/strictObject).
Returns the set of declared code values, or null if the schema doesn't
expose a literal/enum error field (e.g., bare ApiError with z.string()).
Used by coverage reporting to split a single declared status into per-code rows when the route's error schema names specific codes.
schemaZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>string[] | null testing/ws_round_trip.ts view source
FakeHonoContextOptions Options for create_fake_hono_context.
credential_typeroleA single role to grant via create_test_request_context.
stringauth_session_idstring | nullapi_token_idstring | nullrequest_contextOverride the RequestContext outright (for multi-role or custom
account/actor fixtures). Takes precedence over role.
testing/ws_round_trip.ts view source
FakeWs A WSContext paired with capture arrays. Use sends to assert on
outgoing frames; use closes to assert on revocation / close.
wsWSContextsendsArray<string>closesArray<{code?: number; reason?: string}>FetchDeps HTTP fetch capability.
fetchFetch a URL. Same signature as the global fetch.
typeof globalThis.fetchhttp/surface_query.ts view source
(surface: AppSurface): (AppSurfaceRoute & { auth: { type: "authenticated"; }; })[] Filter routes that require basic authentication (no specific role).
surface(AppSurfaceRoute & { auth: { type: "authenticated"; }; })[] http/surface_query.ts view source
(surface: AppSurface): (AppSurfaceRoute & { auth: { type: "keeper"; }; })[] Filter routes that require keeper credentials.
surface(AppSurfaceRoute & { auth: { type: "keeper"; }; })[] http/surface_query.ts view source
(surface: AppSurface): AppSurfaceRoute[] Filter routes that are mutations (POST, PUT, DELETE, PATCH).
surfaceAppSurfaceRoute[] http/surface_query.ts view source
(surface: AppSurface): AppSurfaceRoute[] Filter routes that require any form of authentication.
surfaceAppSurfaceRoute[] http/surface_query.ts view source
(surface: AppSurface): AppSurfaceRoute[] Filter routes that are publicly accessible (no auth).
surfaceAppSurfaceRoute[] http/surface_query.ts view source
(surface: AppSurface): AppSurfaceRoute[] Filter routes that declare rate limiting.
surfaceAppSurfaceRoute[] http/surface_query.ts view source
(surface: AppSurface): (AppSurfaceRoute & { auth: { type: "role"; role: string; }; })[] Filter all role-guarded routes (any role).
surface(AppSurfaceRoute & { auth: { type: "role"; role: string; }; })[] http/surface_query.ts view source
(surface: AppSurface, prefix: string): AppSurfaceRoute[] Filter routes whose path starts with prefix.
surfaceprefixstringAppSurfaceRoute[] http/surface_query.ts view source
(surface: AppSurface, role: string): (AppSurfaceRoute & { auth: { type: "role"; role: string; }; })[] Filter routes that require a specific named role.
surfacerolestring(AppSurfaceRoute & { auth: { type: "role"; role: string; }; })[] http/surface_query.ts view source
(surface: AppSurface): AppSurfaceRoute[] Filter routes that have a non-null input schema.
surfaceAppSurfaceRoute[] http/surface_query.ts view source
(surface: AppSurface): AppSurfaceRoute[] Filter routes that have a non-null params schema.
surfaceAppSurfaceRoute[] http/surface_query.ts view source
(surface: AppSurface): AppSurfaceRoute[] Filter routes that have a non-null query schema.
surfaceAppSurfaceRoute[] actions/transports_ws_backend.ts view source
FilterableBroadcastTransport Structural capability for transports that can broadcast with a per-connection ACL predicate. Named separately from Transport so the broadcast API can feature-detect without importing a concrete class.
ConnectionIdentity is the auth-gated identity shape used today. When a
second implementation (e.g. SSE backend transport) lands with a
different identity, consider parameterizing on TIdentity.
broadcast_filtered(
message: JsonrpcMessageFromServerToClient,
predicate: (identity: ConnectionIdentity) => boolean,
) => numbertesting/integration_helpers.ts view source
(specs: RouteSpec[], suffix: "/login" | "/logout" | "/password" | "/verify" | "/signup" | "/bootstrap", method: RouteMethod): RouteSpec | undefined Find a REST auth route by suffix and method.
Decouples tests from consumer route prefix (/api/account/login,
/api/auth/login, etc.). suffix must be one of
REST_AUTH_ROUTE_SUFFIXES โ throws otherwise so a post-migration RPC
method name (e.g. /sessions/revoke-all) fails loudly at the call site
instead of silently returning undefined.
specsRouteSpec[]suffix"/login" | "/logout" | "/password" | "/verify" | "/signup" | "/bootstrap"methodRouteSpec | undefined Error - if `suffix` is not in `REST_AUTH_ROUTE_SUFFIXES`.testing/integration_helpers.ts view source
(specs: RouteSpec[], method: string, path: string): RouteSpec | undefined Find a route spec matching the given method and path.
Supports both exact matches and parameterized paths (:param segments).
specsRouteSpec[]methodstringpathrequest path (exact or with concrete param values)
stringRouteSpec | undefined testing/rpc_helpers.ts view source
(rpc_endpoints: readonly RpcEndpointSpec[], method: string): { path: string; action: RpcAction; } | undefined Find the RpcAction for a method within a set of RPC endpoint specs.
Returns both the endpoint path and the matched action. undefined when
the method is not registered.
rpc_endpointsreadonly RpcEndpointSpec[]methodstring{ path: string; action: RpcAction; } | undefined testing/rpc_helpers.ts view source
(rpc_endpoints: readonly AppSurfaceRpcEndpoint[], method: string): { path: string; method_spec: AppSurfaceRpcMethod; } | undefined Find the generated surface entry for a method โ the shape returned by generate_app_surface (JSON-serializable, useful for schema assertions at the boundary of a consumer test).
rpc_endpointsreadonly AppSurfaceRpcEndpoint[]methodstring{ path: string; method_spec: AppSurfaceRpcMethod; } | undefined http/error_schemas.ts view source
ZodObject<{ error: ZodLiteral<"foreign_key_violation">; }, $loose> Foreign key violation error โ returned when a delete is blocked by references.
(prop: ZodSchemaProperty): string Format argument name with short aliases for display.
Only single-char aliases are shown (e.g., -h, --help).
Flags use snake_case (e.g., --env_file, --detect_only).
propschema property
ZodSchemaPropertystring formatted name string
(event_type: string, metadata: Record<string, unknown> | null): string Format audit event metadata for display based on event type.
event_typebuiltin or consumer-registered audit event type
stringmetadataRecord<string, unknown> | nullstring (timestamp: string | number | Date): string Format a timestamp as an absolute datetime string for title attributes.
timestampstring | number | Datestring readable absolute datetime like "2026-03-21 14:30:00 UTC"
(status: DbStatus): string Format a DbStatus as a human-readable string for CLI output.
statusthe status to format
string multi-line string suitable for console output
(value: unknown, secret: boolean): string Format an env value for display, masking secrets.
valuethe env value to format
unknownsecretwhether the value is secret and should be masked
booleanstring display string โ masked placeholder for secrets, string values as-is, non-strings JSON-stringified
(missing: EnvVarRef[], options?: FormatMissingEnvVarsOptions | undefined): string Format missing env vars error message.
Groups refs by variable name so each missing var is shown once with all paths where it's referenced.
missingmissing env var references (may contain duplicate names)
EnvVarRef[]options?formatting options
FormatMissingEnvVarsOptions | undefinedstring formatted error message for display
(timestamp: string | number | Date, now?: number): string Format a timestamp as a relative time string.
timestampstring | number | DatenownumberDate.now()string human-friendly relative time (e.g. "2m ago", "3h ago", "5d ago", "2mo ago", "1y ago")
http/surface_query.ts view source
(route: AppSurfaceRoute): string Format a route as 'METHOD /path' (e.g. 'GET /health').
routestring ui/format_scope.ts view source
{ get: () => () => FormatScope; set: (value?: (() => FormatScope) | undefined) => () => FormatScope; } Svelte context carrying a getter for the consumer's FormatScope.
Provisioned by provide_admin_rpc_contexts from its format_scope option.
Default getter returns default_format_scope so unprovisioned trees render
the raw uuid.
(ms: number): string Format milliseconds as a human-friendly uptime string.
msnumberstring human-friendly duration (e.g. "45s", "12m", "3h 15m", "2d 5h")
(value: unknown): string Format an arbitrary value for table cell display.
valueunknownstring FormatMissingEnvVarsOptions Options for format_missing_env_vars.
env_filePath to env file if one was loaded.
stringsetup_hintHint text for how to set up the environment.
stringui/format_scope.ts view source
FormatScope Render a {scope_id, role} pair as a human label. Return null to fall
back to the raw scope uuid (or a caller-chosen global_label when
scope_id is null).
Returning null for unknown scope ids (stale cache, revoked resource) is
the recommended pattern โ components show the raw uuid rather than a
misleading blank.
ui/form_state.svelte.ts view source
formCreates a form attachment that handles Enter key advancing between
focusable elements and tracks field touched state via delegated focusout.
Fields are identified by their name attribute.
type (): Attachment<HTMLFormElement>
Attachment<HTMLFormElement>Error - in DEV when called while already attached, or when anis_touchedWhether a field has been blurred at least once.
type (field: string): boolean
fieldstringbooleanshowWhether to show validation errors for a field.
Returns true if the field has been blurred or a submit attempt was made.
type (field: string): boolean
fieldstringbooleantouchProgrammatically marks a field as touched without requiring a blur event.
type (field: string): void
fieldstringvoidfocusFocuses the named input within the form.
type (field: string): void
fieldstringvoidattemptMarks the form as having been submitted, causing all field errors to show.
type (): void
voidresetResets all touched and attempted state.
type (): void
voidactions/transports_http.ts view source
Thin fetch adapter for the JSON-RPC endpoint. POST by default; GET when
the optional has_side_effects(method) callback returns false for the
method (matches create_rpc_endpoint's GET convention). On non-OK HTTP
responses, synthesizes a JSON-RPC error envelope via
http_status_to_jsonrpc_error_code. Always reports ready.
transport_nameconstructortype new (url: string, headers?: Record<string, string> | undefined, has_side_effects?: ((method: string) => boolean) | undefined): FrontendHttpTransport
urlstringheaders?Record<string, string> | undefinedhas_side_effects?((method: string) => boolean) | undefinedsendtype (message: { [x: string]: unknown; jsonrpc: "2.0"; id: string | number; method: string; params?: { [x: string]: unknown; } | undefined; }, options?: TransportSendOptions | undefined): Promise<...>
message{ [x: string]: unknown; jsonrpc: "2.0"; id: string | number; method: string; params?: { [x: string]: unknown; } | undefined; }options?TransportSendOptions | undefinedPromise<{ [x: string]: unknown; jsonrpc: "2.0"; id: string | number; result: { [x: string]: unknown; }; } | { [x: string]: unknown; jsonrpc: "2.0"; id: string | number | null; error: { [x: string]: unknown; code: -32700 | -32600 | -32601 | -32602 | -32603 | (number & $brand<...>); message: string; data?: unknown; };...sendtype (message: { [x: string]: unknown; jsonrpc: "2.0"; id: string | number; method: string; params?: { [x: string]: unknown; } | undefined; }, options?: TransportSendOptions | undefined): Promise<...>
message{ [x: string]: unknown; jsonrpc: "2.0"; id: string | number; method: string; params?: { [x: string]: unknown; } | undefined; }options?TransportSendOptions | undefinedPromise<{ [x: string]: unknown; jsonrpc: "2.0"; id: string | number; result: { [x: string]: unknown; }; } | { [x: string]: unknown; jsonrpc: "2.0"; id: string | number | null; error: { [x: string]: unknown; code: -32700 | -32600 | -32601 | -32602 | -32603 | (number & $brand<...>); message: string; data?: unknown; };...sendtype (message: { [x: string]: unknown; jsonrpc: "2.0"; id: string | number; method: string; params?: { [x: string]: unknown; } | undefined; }, options?: TransportSendOptions | undefined): Promise<...>
message{ [x: string]: unknown; jsonrpc: "2.0"; id: string | number; method: string; params?: { [x: string]: unknown; } | undefined; }options?TransportSendOptions | undefinedPromise<{ [x: string]: unknown; jsonrpc: "2.0"; id: string | number; result: { [x: string]: unknown; }; } | { [x: string]: unknown; jsonrpc: "2.0"; id: string | number | null; error: { [x: string]: unknown; code: -32700 | -32600 | -32601 | -32602 | -32603 | (number & $brand<...>); message: string; data?: unknown; };...is_readytype (): boolean
booleanactions/frontend_rpc_client.ts view source
FrontendRpcClient<TApi> Bundle returned by create_frontend_rpc_client.
TApiapiTyped throwing Proxy. await api.method(input) returns the unwrapped
value or throws an Error with {code, data} from the JSON-RPC
error. Default for call sites that don't inspect errors.
ThrowingApi<TApi>api_resultTyped Result-shaped Proxy. await api_result.method(input) returns
Result<{value}, {error: JsonrpcErrorObject}>. Use when call sites
inspect error.data.reason without try/catch, or when Error
allocation per {ok: false} would be wasteful.
TApipeerUnderlying peer โ exposed for consumers that need to register more transports or send raw messages.
environmentAction environment โ exposed for consumers that need to share it (e.g. attach a notification handler registry).
actions/socket.svelte.ts view source
Reactive WebSocket client implementing WebsocketConnection.
Construct with a URL and optional config; call connect() to open the
socket and begin auto-reconnect. Register message/error handlers via
add_message_handler / add_error_handler โ both return unsubscribe
functions. FrontendWebsocketTransport consumes this as its connection.
Session-revocation close codes (WS_CLOSE_SESSION_REVOKED) put the client in a permanently-closed state; reconnecting would just loop on 401.
Disposablewstype WebSocket | null
statustype SocketStatus
reconnect_counttype number
current_reconnect_delaytype number
last_connect_timeEpoch ms of the most recent successful open. Never cleared on close.
type number | null
last_close_timeEpoch ms of the most recent close event or client-initiated close.
type number | null
last_close_codeClose code from the most recent close. Initial null means "never closed."
type number | null
last_close_reasonReason string from the most recent close event (may be empty).
type string | null
last_send_errorThe error thrown by the most recent attempted send(), or null if the
most recent attempt succeeded or none has been attempted yet. Populated
when the underlying ws.send throws (e.g., buffer full, serialization
error); reset to null on the next successful send. Not touched when
send() short-circuits because the socket is not connected โ consult
connected for that case. Wrappers surfacing per-message failure
reasons can read this after a false return from send().
type Error | null
connectedtype boolean
constructortype new (url: string, options?: FrontendWebsocketClientOptions): FrontendWebsocketClient
urlstringoptions{}set_reconnectSwap the auto-reconnect policy in place. Accepts the same shape as the
constructor's reconnect option: false disables reconnect, true or
null/omitted restores the defaults, or a config object customizes
specific fields (missing fields fall back to defaults, not "keep
current" โ each call defines the whole policy atomically, same as the
constructor).
In-flight reconnect schedules are monotonically shortened: the effective total wait from arm-time never exceeds what the new policy prescribes. If the new target is already past the time already elapsed, the reconnect fires immediately (on the next tick). The wait is never extended.
Turning reconnect off while a reconnect timer is pending cancels that
timer and transitions status to closed (since the lie of
'reconnecting' would be visible to UI indicators). Turning it back on
does not synthesize a reconnect โ wait for the next close.
type (reconnect?: boolean | FrontendWebsocketReconnectOptions | null): void
reconnectboolean | FrontendWebsocketReconnectOptions | nullnullvoidset_heartbeatSwap the heartbeat policy in place. Accepts the same shape as the
constructor's heartbeat option: false disables the timer, true or
null/omitted restores the defaults, or a config object customizes
specific fields (missing fields fall back to defaults, not "keep
current" โ each call defines the whole policy atomically, same as the
constructor and set_reconnect).
When connected, the live timer is restarted immediately so the new
interval / receive_timeout take effect without a reconnect; when
disconnected, just stashes the policy for the next open.
type (heartbeat?: boolean | FrontendWebsocketHeartbeatOptions | null): void
heartbeatboolean | FrontendWebsocketHeartbeatOptions | nullnullvoidcancel_reconnectCancel a scheduled reconnect without closing the client or disabling
auto-reconnect. Transitions status from reconnecting โ closed and
resets the backoff counters โ the next close still triggers a fresh
reconnect cycle under the current policy. No-op when no reconnect is
pending.
Use this when UI state asks "stop trying for now" without the finality
of disconnect (which also rejects pending/queued requests and
clears heartbeat) or the policy change of set_reconnect(false)
(which disables future reconnects). The queue stays intact so that
calling connect later flushes buffered work.
type (): void
voidconnectOpen the WebSocket. No-op on SSR, or if the session has been revoked. Cancels any pending reconnect and tears down any existing connection first; an open prior socket is closed with a normal-closure code.
type (): void
voiddisconnectClose the WebSocket, cancel any pending reconnect, and reset the reconnect
backoff counters. Puts the client in closed status; call connect() to
reopen. Safe to call more than once.
type (code?: number): void
codenumberDEFAULT_CLOSE_CODEvoid[Symbol.dispose]Explicit-resource-management hook โ supports using client = new FrontendWebsocketClient(url).
type (): void
voidsendtype (data: object): boolean
dataobjectbooleanrequestPromise-based JSON-RPC over the socket. Auto-assigns a monotonic request
id (or uses an explicit one supplied via options.id โ used by
FrontendWebsocketTransport which delegates to this method and has its
own peer-minted UUID), tracks the pending promise, and resolves when the
server sends a matching response.
Callers supplying an explicit options.id are responsible for
uniqueness โ the pending map is keyed by id, and a duplicate silently
overwrites the prior entry. Auto-minted ids are monotonic and never
collide with themselves or with peer-minted UUIDs (the types differ:
integer vs string).
While the socket is disconnected, the request is buffered in a bounded
queue (default-on, DEFAULT_QUEUE_MAX_SIZE) and flushed on reopen. Pass
{queue: false} to reject immediately when disconnected โ used
internally by the heartbeat, which must not fight the queue for the
disconnect-detection slot.
On AbortSignal fire: rejects the local promise *and* sends the shared
cancel notification (cancel_action_spec.method) so the server-side
dispatcher can abort the matching handler's ctx.signal. Suppressed
for queued-but-never-sent (server doesn't know about it) and
response-beat-cancel races.
type <R = unknown>(method: string, params?: unknown, options?: { signal?: AbortSignal | undefined; queue?: boolean | undefined; id?: string | number | undefined; }): Promise<R>
methodstringparamsunknown{}options{ signal?: AbortSignal | undefined; queue?: boolean | undefined; id?: string | number | undefined; }{}Promise<R>ThrownJsonrpcError - on the returned promise โ never thrownadd_message_handlertype (handler: SocketMessageHandler): () => void
handler() => voidadd_error_handlertype (handler: SocketErrorHandler): () => void
handler() => voidactions/socket.svelte.ts view source
FrontendWebsocketClientOptions reconnectAuto-reconnect policy. false disables reconnect entirely; true or
omit for default timing; pass an object to customize.
boolean | FrontendWebsocketReconnectOptions | nullheartbeatActivity-aware heartbeat. true/null/omit for defaults; false disables
the timer entirely (only do this if the server side is also running
without heartbeat); pass an object to tune interval / receive_timeout.
boolean | FrontendWebsocketHeartbeatOptions | nullqueueDurable queue for FrontendWebsocketClient.request. true or omit
for defaults; false disables buffering (requests while disconnected
reject immediately). Raw FrontendWebsocketClient.send is never
queued โ use request() for RPC semantics.
boolean | FrontendWebsocketQueueOptionslogOptional logger for diagnostic messages.
Logger | nullactions/socket.svelte.ts view source
FrontendWebsocketHeartbeatOptions intervalIdle duration (ms) after which a heartbeat is sent. Reset by any send or receive โ chatty clients never emit extras. Defaults to DEFAULT_HEARTBEAT_INTERVAL.
numberreceive_timeoutReceive-silence (ms) after which the client closes the socket with
WS_CLOSE_CLIENT_HEARTBEAT_TIMEOUT, letting auto-reconnect kick
in. Should be a comfortable multiple of interval. Defaults to
DEFAULT_HEARTBEAT_RECEIVE_TIMEOUT.
numberactions/socket.svelte.ts view source
FrontendWebsocketQueueOptions max_sizeMaximum number of requests held while the socket is disconnected.
Enqueue past this rejects the new call with a queue_overflow error.
Defaults to DEFAULT_QUEUE_MAX_SIZE.
numberactions/socket.svelte.ts view source
FrontendWebsocketReconnectOptions delayBase reconnect delay in ms. Defaults to 1000.
numberdelay_maxMax reconnect delay in ms (cap on exponential backoff). Defaults to 10000.
numberfactorExponential backoff factor. Defaults to 1.5.
numberactions/transports_ws.ts view source
Thin adapter over WebsocketRpcConnection (canonical implementation:
FrontendWebsocketClient). Routes inbound server-pushed requests and
notifications into the supplied receive callback; responses are owned
by the connection's own request() pending map and are ignored here.
transport_nameconstructortype new (connection: WebsocketRpcConnection, receive: (data: unknown) => Promise<unknown>): FrontendWebsocketTransport
connectionreceive(data: unknown) => Promise<unknown>sendtype (message: { [x: string]: unknown; jsonrpc: "2.0"; id: string | number; method: string; params?: { [x: string]: unknown; } | undefined; }, options?: TransportSendOptions | undefined): Promise<...>
message{ [x: string]: unknown; jsonrpc: "2.0"; id: string | number; method: string; params?: { [x: string]: unknown; } | undefined; }options?TransportSendOptions | undefinedPromise<{ [x: string]: unknown; jsonrpc: "2.0"; id: string | number; result: { [x: string]: unknown; }; } | { [x: string]: unknown; jsonrpc: "2.0"; id: string | number | null; error: { [x: string]: unknown; code: -32700 | -32600 | -32601 | -32602 | -32603 | (number & $brand<...>); message: string; data?: unknown; };...sendtype (message: { [x: string]: unknown; jsonrpc: "2.0"; id: string | number; method: string; params?: { [x: string]: unknown; } | undefined; }, options?: TransportSendOptions | undefined): Promise<...>
message{ [x: string]: unknown; jsonrpc: "2.0"; id: string | number; method: string; params?: { [x: string]: unknown; } | undefined; }options?TransportSendOptions | undefinedPromise<{ [x: string]: unknown; jsonrpc: "2.0"; id: string | number; result: { [x: string]: unknown; }; } | { [x: string]: unknown; jsonrpc: "2.0"; id: string | number | null; error: { [x: string]: unknown; code: -32700 | -32600 | -32601 | -32602 | -32603 | (number & $brand<...>); message: string; data?: unknown; };...sendtype (message: { [x: string]: unknown; jsonrpc: "2.0"; id: string | number; method: string; params?: { [x: string]: unknown; } | undefined; }, options?: TransportSendOptions | undefined): Promise<...>
message{ [x: string]: unknown; jsonrpc: "2.0"; id: string | number; method: string; params?: { [x: string]: unknown; } | undefined; }options?TransportSendOptions | undefinedPromise<{ [x: string]: unknown; jsonrpc: "2.0"; id: string | number; result: { [x: string]: unknown; }; } | { [x: string]: unknown; jsonrpc: "2.0"; id: string | number | null; error: { [x: string]: unknown; code: -32700 | -32600 | -32601 | -32602 | -32603 | (number & $brand<...>); message: string; data?: unknown; };...is_readytype (): boolean
booleandisposeDetach the inbound message and error handlers registered on the connection. Idempotent โ subsequent calls no-op. Does not close the underlying connection (that lifecycle is owned by the caller).
type (): void
voidFsReadDeps File system read operations.
statGet file/directory stats, or null if path doesn't exist.
(path: string) => Promise<StatResult | null>read_text_fileRead a file as text. Throws if the file does not exist.
(path: string) => Promise<string>read_fileRead a file as bytes. Throws if the file does not exist.
(path: string) => Promise<Uint8Array>read_text_from_offsetRead text starting from a byte offset. Throws if the file does not exist.
Returns content, bytes_read, and file_size so callers can detect
truncation (when file_size < offset) and tail incrementally without
re-reading the whole file.
(path: string, offset: number) => Promise<ReadTextFromOffsetResult>readdirList directory entries (names, not full paths). Throws if the directory does not exist.
(path: string) => Promise<Array<string>>FsRemoveDeps File system remove operations.
removeRemove a file or directory.
(path: string, options?: {recursive?: boolean}) => Promise<void>FsWriteDeps File system write operations.
mkdirCreate a directory.
(path: string, options?: {recursive?: boolean}) => Promise<void>write_text_fileWrite text to a file.
(path: string, content: string) => Promise<void>write_fileWrite bytes to a file.
(path: string, data: Uint8Array) => Promise<void>renameRename (move) a file.
(old_path: string, new_path: string) => Promise<void>testing/surface_invariants.ts view source
readonly string[] Routes shipped by fuz_app whose error schemas require a tightness exemption.
Currently empty โ every fuz_app-shipped route (account login/password/
bootstrap/signup, db health/tables/:name/tables/:name/rows/:id) was tightened
in place to z.enum([...]) / z.literal(...) against every emit-site error
code.
Kept as a forward-compatibility hook: when new stock routes ship with heterogeneous error surfaces that need an interim generic schema, add them here instead of forcing every consumer to hand-maintain the entry.
Paths assume the standard /api/account + /api/db prefixes used by every
fuz_app consumer. Merged into DEFAULT_ERROR_SCHEMA_TIGHTNESS.allowlist so
consumers calling assert_error_schema_tightness directly inherit the
exemptions; the standard attack-surface suite also prepends these entries
underneath any consumer-supplied allowlist so project-specific entries are
additive.
auth/route_guards.ts view source
(auth: RouteAuth): MiddlewareHandler[] Standard auth guard resolver for fuz_app.
Maps RouteAuth to middleware:
- none โ no guards
- authenticated โ require_auth
- role โ require_role(role)
- keeper โ require_keeper
authMiddlewareHandler[] auth/session_cookie.ts view source
SessionOptions<string> Canonical session config for fuz_app auth.
actions/action_codegen.ts view source
(specs: readonly ({ method: string; initiator: "frontend" | "backend" | "both"; side_effects: boolean; input: ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>; output: ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>; ... 6 more ...; rate_limit?: "both" | ... 2 more ... | undefined; } | { ...; } | { ...; })[], imports: ImportBuilder, options?: { ...; } | undefined): string Emit the ActionEventDatas interface โ one ActionEvent*Data variant per
method, parameterized by the spec's kind:
- request_response โ ActionEventRequestResponseData<method, input, output>
- remote_notification โ ActionEventRemoteNotificationData<method, input>
- local_call โ ActionEventLocalCallData<method, input, output>
Adds the per-kind data type imports (only the kinds that appear in specs).
specsreadonly ({ method: string; initiator: "frontend" | "backend" | "both"; side_effects: boolean; input: ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>; output: ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>; ... 6 more ...; rate_limit?: "both" | ... 2 more ... | undefined; } | { ...; } ...importsoptions?{ same_file?: boolean | undefined; collections_path?: string | undefined; include_protocol_actions?: boolean | undefined; } | undefinedstring actions/action_codegen.ts view source
(specs: readonly ({ method: string; initiator: "frontend" | "backend" | "both"; side_effects: boolean; input: ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>; output: ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>; ... 6 more ...; rate_limit?: "both" | ... 2 more ... | undefined; } | { ...; } | { ...; })[], imports: ImportBuilder, options?: { ...; } | undefined): string Emit ActionInputs + ActionOutputs runtime consts and matching interfaces.
The runtime consts reference specs.{method}_action_spec.input /
.output; the interfaces use z.infer.
Adds import {z} from 'zod'; and the * as specs namespace import.
specsreadonly ({ method: string; initiator: "frontend" | "backend" | "both"; side_effects: boolean; input: ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>; output: ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>; ... 6 more ...; rate_limit?: "both" | ... 2 more ... | undefined; } | { ...; } ...importsoptions?{ specs_module?: string | undefined; qualify_spec?: ((spec: { method: string; initiator: "frontend" | "backend" | "both"; side_effects: boolean; input: ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>; ... 7 more ...; rate_limit?: "both" | ... 2 more ... | undefined; } | { ...; } | { ...; }) => string)...string actions/action_codegen.ts view source
(specs: readonly ({ method: string; initiator: "frontend" | "backend" | "both"; side_effects: boolean; input: ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>; output: ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>; ... 6 more ...; rate_limit?: "both" | ... 2 more ... | undefined; } | { ...; } | { ...; })[], imports: ImportBuilder, options: { ...; }): string Emit a single named z.enum([...]) + z.infer block for an arbitrary
spec subset. Lower-level escape hatch from generate_action_method_enums โ
for cross-product or domain-specific enums the built-in discriminator
doesn't cover.
Mirrors the built-in helper's contract: protocol actions filtered by
default, empty subsets return '' (skip rather than emit z.enum([])),
zod import registered idempotently only when at least one method
qualifies.
The cross-product space is open-ended; rather than grow the ActionMethodEnumKind discriminator one cross-product at a time, callers own the subset shape โ name, jsdoc, predicate.
specsreadonly ({ method: string; initiator: "frontend" | "backend" | "both"; side_effects: boolean; input: ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>; output: ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>; ... 6 more ...; rate_limit?: "both" | ... 2 more ... | undefined; } | { ...; } ...importsoptions{ name: string; jsdoc: string; predicate: (spec: { method: string; initiator: "frontend" | "backend" | "both"; side_effects: boolean; input: ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>; ... 7 more ...; rate_limit?: "both" | ... 2 more ... | undefined; } | { ...; } | { ...; }) => boolean; include_p...string actions/action_codegen.ts view source
(specs: readonly ({ method: string; initiator: "frontend" | "backend" | "both"; side_effects: boolean; input: ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>; output: ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>; ... 6 more ...; rate_limit?: "both" | ... 2 more ... | undefined; } | { ...; } | { ...; })[], imports: ImportBuilder, options?: { ...; } | undefined): string Emit one or more z.enum([...]) declarations for action method names โ
ActionMethod, RequestResponseActionMethod, RemoteNotificationActionMethod,
LocalCallActionMethod, FrontendActionMethod, BackendActionMethod,
FrontendRequestResponseMethod, BackendRequestResponseMethod,
BroadcastActionMethod. Pairs each runtime const with a z.infer type
alias under the same identifier.
Protocol-action methods (heartbeat, cancel) are filtered out by
default โ pass include_protocol_actions: true if a consumer genuinely
wants them on their typed surface. Empty kinds are skipped so the helper
never emits z.enum([]) (zod runtime-throws on that).
Adds import {z} from 'zod'; to imports only when at least one block
is emitted (idempotent).
For genuinely cross-product enums the discriminator doesn't cover, use generate_action_method_enum_block โ caller owns the predicate, name, and jsdoc.
specsreadonly ({ method: string; initiator: "frontend" | "backend" | "both"; side_effects: boolean; input: ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>; output: ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>; ... 6 more ...; rate_limit?: "both" | ... 2 more ... | undefined; } | { ...; } ...importsoptions?{ emit?: ReadonlySet<ActionMethodEnumKind> | undefined; include_protocol_actions?: boolean | undefined; } | undefinedstring actions/action_codegen.ts view source
(specs: readonly ({ method: string; initiator: "frontend" | "backend" | "both"; side_effects: boolean; input: ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>; output: ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>; ... 6 more ...; rate_limit?: "both" | ... 2 more ... | undefined; } | { ...; } | { ...; })[], imports: ImportBuilder, options?: { ...; } | undefined): string Emit the ActionSpecs runtime const + interface + the `action_specs:
Array<ActionSpecUnion> value bundling every spec. Adds the * as specs`
namespace import + the ActionSpecUnion type import.
specsreadonly ({ method: string; initiator: "frontend" | "backend" | "both"; side_effects: boolean; input: ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>; output: ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>; ... 6 more ...; rate_limit?: "both" | ... 2 more ... | undefined; } | { ...; } ...importsoptions?{ specs_module?: string | undefined; qualify_spec?: ((spec: { method: string; initiator: "frontend" | "backend" | "both"; side_effects: boolean; input: ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>; ... 7 more ...; rate_limit?: "both" | ... 2 more ... | undefined; } | { ...; } | { ...; }) => string)...string actions/action_codegen.ts view source
(spec: { method: string; initiator: "frontend" | "backend" | "both"; side_effects: boolean; input: ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>; output: ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>; ... 6 more ...; rate_limit?: "both" | ... 2 more ... | undefined; } | { ...; } | { ...; }, imports: ImportBuilder, options?: { ...; } | undefined): string Generates one method line of the typed FrontendActionsApi interface for a
single spec. Encapsulates the input/options/return-type signature shape so
the surface evolves in one place when fields like signal or
transport_name are added to per-call options.
Async methods (request_response, remote_notification, async
local_call) get an optional second options?: RpcClientCallOptions arg
({signal?, transport_name?, queue?}) and a Promise<Result<...>> return
type. Sync local_call methods omit the options arg โ signal can't
cooperatively interrupt a synchronous handler and there's no transport to
select. remote_notification is async because
create_remote_notification_method returns a Promise that resolves to a
Result<{value: void}> (success) or Result<{error}> (transport send
failure). Earlier emit shapes declared notifications as => void โ
regenerate consumer typed clients to pick up the corrected return.
Registers exactly the imports the emitted line references on imports:
ActionInputs (when the spec has input), ActionOutputs (always),
RpcClientCallOptions (async only), and Result + JsonrpcErrorObject
(any return shape that wraps the value in Result<{value}, {error}> โ
every async method, plus sync local_call when `sync_returns_value:
false). Mirrors the leaf-level pattern get_handler_return_type` already
follows so wrappers no longer pre-register imports a per-spec emit might
not actually use.
spec{ method: string; initiator: "frontend" | "backend" | "both"; side_effects: boolean; input: ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>; output: ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>; ... 6 more ...; rate_limit?: "both" | ... 2 more ... | undefined; } | { ...; } | { ...; }importsoptions?{ sync_returns_value?: boolean | undefined; collections_path?: string | undefined; } | undefinedstring one line like foo: (input: ActionInputs['foo'], options?: RpcClientCallOptions) => Promise<Result<...>>;
(): { token: string; id: string; token_hash: string; } Generate a new API token with its hash and public id.
The raw token is returned exactly once โ callers must present it to the user immediately.
{ token: string; id: string; token_hash: string; } the raw token, a public id, and the blake3 hash for storage
(options: GenerateAppSurfaceOptions): AppSurface Generate a JSON-serializable attack surface from middleware, route specs, and optional env/event metadata.
optionsAppSurface actions/action_codegen.ts view source
(imports: ImportBuilder, options?: { type_name?: string | undefined; method_enum_name?: string | undefined; context_type?: string | undefined; collections_path?: string | undefined; metatypes_path?: string | undefined; } | undefined): string Emit the BackendActionHandlers mapped type โ one entry per
BackendRequestResponseMethod, each (input, ctx) => output | Promise<output>.
Replaces the hand-maintained Exclude<> + parallel mapped-type pattern
(zzz had this at zzz/src/lib/server/zzz_action_handlers.ts:42-66).
The context type is consumer-defined (e.g. zzz's ZzzHandlerContext). Pass
context_type to name it; the helper assumes it's importable or defined
in the emitted module's scope (consumer's responsibility).
Adds ActionInputs / ActionOutputs type imports from collections_path
and the BackendRequestResponseMethod import from metatypes_path.
importsoptions?{ type_name?: string | undefined; method_enum_name?: string | undefined; context_type?: string | undefined; collections_path?: string | undefined; metatypes_path?: string | undefined; } | undefinedstring actions/action_codegen.ts view source
(specs: readonly ({ method: string; initiator: "frontend" | "backend" | "both"; side_effects: boolean; input: ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>; output: ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>; ... 6 more ...; rate_limit?: "both" | ... 2 more ... | undefined; } | { ...; } | { ...; })[], imports: ImportBuilder, options?: { ...; } | undefined): string Emit BOTH the typed BackendActionsApi interface AND the
broadcast_action_specs runtime array. The interface is shaped for
create_broadcast_api: backend-initiated remote_notification methods,
each (input) => Promise<void>. The array bundles the matching specs as a
ReadonlyArray<ActionSpecUnion>.
Filter: kind === 'remote_notification' && initiator !== 'frontend',
additionally excluding methods that are the target of another spec's
streams field. Streams targets (e.g. completion_progress,
ollama_progress) are request-scoped notifications invoked via
ctx.notify inside their parent handler โ they're never callable through
the broadcast API. The discriminator is ActionSpec.streams, not a manual
exclusion list.
Adds the * as specs namespace import (from specs_module), the
ActionInputs type import (from collections_path), and the
ActionSpecUnion type import.
Method signature shape today is (input) => Promise<void> โ matches the
fire-and-forget runtime of create_broadcast_api. Generalizing per-kind
via generate_actions_api_method_signature is deferred until a second
backend runtime constructor lands.
specsreadonly ({ method: string; initiator: "frontend" | "backend" | "both"; side_effects: boolean; input: ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>; output: ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>; ... 6 more ...; rate_limit?: "both" | ... 2 more ... | undefined; } | { ...; } ...importsoptions?{ specs_module?: string | undefined; collections_path?: string | undefined; qualify_spec?: ((spec: { method: string; initiator: "frontend" | "backend" | "both"; side_effects: boolean; ... 8 more ...; rate_limit?: "both" | ... 2 more ... | undefined; } | { ...; } | { ...; }) => string) | undefined; include_protocol_a...string auth/daemon_token.ts view source
(): string Generate a new daemon token (256-bit random, base64url).
string a 43-character base64url string
actions/action_codegen.ts view source
(specs: readonly ({ method: string; initiator: "frontend" | "backend" | "both"; side_effects: boolean; input: ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>; output: ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>; ... 6 more ...; rate_limit?: "both" | ... 2 more ... | undefined; } | { ...; } | { ...; })[], imports: ImportBuilder, options?: { ...; } | undefined): string Emit the FrontendActionHandlers interface โ wraps generate_phase_handlers
with the TypedActionEvent action-event type and standard 1-tab per-method
indentation. Pairs with generate_typed_action_event_alias (emits the
matching TypedActionEvent alias) โ call both in the same gen producer.
specsreadonly ({ method: string; initiator: "frontend" | "backend" | "both"; side_effects: boolean; input: ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>; output: ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>; ... 6 more ...; rate_limit?: "both" | ... 2 more ... | undefined; } | { ...; } ...importsoptions?{ collections_path?: string | undefined; include_protocol_actions?: boolean | undefined; } | undefinedstring actions/action_codegen.ts view source
(specs: readonly ({ method: string; initiator: "frontend" | "backend" | "both"; side_effects: boolean; input: ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>; output: ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>; ... 6 more ...; rate_limit?: "both" | ... 2 more ... | undefined; } | { ...; } | { ...; })[], imports: ImportBuilder, options?: { ...; } | undefined): string Emit the FrontendActionsApi interface โ one method signature per spec via
generate_actions_api_method_signature. Optionally filter the spec set
(e.g. omit additional methods alongside the default protocol-action
filter) via method_filter.
Imports are registered by the leaf generate_actions_api_method_signature
per emitted line โ only what the spec set actually references shows up on
imports. A spec set with no async methods skips RpcClientCallOptions;
one with no inputs skips ActionInputs; sync local_call methods with
sync_returns_value: true (the default) skip Result / JsonrpcErrorObject.
The interface name is fixed at FrontendActionsApi โ the symmetric counterpart
of BackendActionsApi. Earlier consumer-named variants (MyActionsApi,
VisionesActionsApi) were retired in API review III to make the side-of-the-wire
intent visible at every call site. If a consumer needs a different name they
hand-roll the interface (the helper's job is the standard symmetric shape).
specsreadonly ({ method: string; initiator: "frontend" | "backend" | "both"; side_effects: boolean; input: ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>; output: ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>; ... 6 more ...; rate_limit?: "both" | ... 2 more ... | undefined; } | { ...; } ...importsoptions?{ method_filter?: ((spec: { method: string; initiator: "frontend" | "backend" | "both"; side_effects: boolean; input: ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>; ... 7 more ...; rate_limit?: "both" | ... 2 more ... | undefined; } | { ...; } | { ...; }) => boolean) | undefined; collections_path?: ...string testing/adversarial_input.ts view source
(input_schema: ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>): InputTestCase[] Generate adversarial test cases for a route's input schema.
Produces focused, non-redundant cases: - Whole-body: send array instead of object, extra unknown key - Missing required fields (without defaults) - One wrong-type value per field - Null for required non-nullable fields - One format violation per constrained field
input_schemaZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>InputTestCase[] Error - if the seed body built by `generate_valid_value` failstesting/adversarial_input.ts view source
(params_schema: ZodObject<$ZodLooseShape, $strip>): ParamsTestCase[] Generate adversarial test cases for a route's params schema.
Params are always strings from URL segments. Only generates cases for format-constrained fields (uuid, pattern) since unconstrained string params accept any string value.
params_schemaZodObject<$ZodLooseShape, $strip>ParamsTestCase[] actions/action_codegen.ts view source
(spec: { method: string; initiator: "frontend" | "backend" | "both"; side_effects: boolean; input: ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>; output: ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>; ... 6 more ...; rate_limit?: "both" | ... 2 more ... | undefined; } | { ...; } | { ...; }, executor: "frontend" | "backend", imports: ImportBuilder, options?: { ...; } | undefined): string Generates the phase handlers for an action spec using the unified ActionEvent type with the new phase/step type parameters.
Returns '' when the spec contributes no phases on the given executor side
(e.g. a backend-only local_call asked for 'frontend'). Upstream wrappers
compose blocks with .filter(Boolean) so empty entries are dropped from the
generated handler map. The earlier shape was ${method}?: never, which read
as "calling this here is a type error" but in practice produced useless rows
on FrontendActionHandlers for methods that don't belong on this side at
all โ drop the row instead so the typed surface only carries methods the
executor actually handles.
spec{ method: string; initiator: "frontend" | "backend" | "both"; side_effects: boolean; input: ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>; output: ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>; ... 6 more ...; rate_limit?: "both" | ... 2 more ... | undefined; } | { ...; } | { ...; }executor"frontend" | "backend"importsoptions?{ action_event_type?: string | undefined; collections_path?: string | undefined; } | undefinedstring ui/position_helpers.ts view source
(position?: Position, align?: Alignment, offset?: string): Record<string, string> Generates CSS positioning styles for UI elements.
position'center'align'center'offsetdistance from the position (CSS value)
string'0'Record<string, string> UnreachableError - if `position` is not a known `Position` valuetesting/adversarial_input.ts view source
(query_schema: ZodObject<$ZodLooseShape, $strip>): QueryTestCase[] Generate adversarial test cases for a route's query schema.
Query params are always strings from the URL. Generates cases for: - Missing required fields - Format violations on constrained fields (uuid, pattern)
query_schemaZodObject<$ZodLooseShape, $strip>QueryTestCase[] (byte_length?: number): string Generate a cryptographically random base64url string.
byte_lengthnumber of random bytes (default 32 = 256 bits)
number32string base64url-encoded string without padding
(deps: CommandDeps): Promise<string> Generate a random base64 key using openssl.
depscommand execution capability
Promise<string> a random 32-byte base64-encoded key
Error - if `openssl rand` fails or is unavailableauth/session_queries.ts view source
(): string Generate a cryptographically random session token.
string a 32-byte base64url-encoded token
actions/action_codegen.ts view source
(imports: ImportBuilder, options?: { collections_path?: string | undefined; metatypes_path?: string | undefined; } | undefined): string Emit the fixed-shape TypedActionEvent alias used by FrontendActionHandlers
to narrow ActionEvent.data against the consumer's generated ActionEventDatas
map. Registers the four fuz_app type imports it needs (ActionEvent,
ActionEventPhase, ActionEventStep, ActionEventDatas) plus the
ActionMethod type import โ sourced from collections_path and
metatypes_path respectively.
Pair with generate_action_method_enums (emits ActionMethod into
metatypes_path) and generate_action_event_datas (emits
ActionEventDatas into collections_path).
importsoptions?{ collections_path?: string | undefined; metatypes_path?: string | undefined; } | undefinedstring testing/schema_generators.ts view source
(input_schema: ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>): Record<string, unknown> | undefined Generate a valid request body for a route's input schema.
input_schemaZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>Record<string, unknown> | undefined a generated body that passes safeParse, or undefined for null /
non-object schemas
Error - if the generated body fails `input_schema.safeParse` โ catchestesting/schema_generators.ts view source
(field: ZodFieldInfo, field_schema: ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>): unknown Generate a valid-ish value for a field based on its base type.
fieldZodFieldInfofield_schemaZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>unknown GenerateAppSurfaceOptions Options for generate_app_surface.
route_specsArray<RouteSpec>middleware_specsArray<MiddlewareSpec>env_schemaz.ZodObjectevent_specsArray<EventSpec>rpc_endpointsArray<RpcEndpointSpec>(runtime: Pick<EnvDeps, "env_get">, name: string): string | null Get the CLI config directory path (~/.{name}).
runtimeruntime with env_get capability
Pick<EnvDeps, "env_get">nameapplication name (e.g., "tx", "zzz")
stringstring | null path to config directory, or null if $HOME is not set
auth/audit_log_schema.ts view source
<T extends AuditEventType>(event: AuditLogEvent & { event_type: T; }): AuditMetadataMap[T] | null Narrow metadata type for a known event type.
Use after checking event_type to get typed metadata access.
eventAuditLogEvent & { event_type: T; }AuditMetadataMap[T] | null auth/audit_log_queries.ts view source
(): number Number of audit metadata validation failures observed since process start.
number auth/audit_log_queries.ts view source
(): number Number of audit unknown-event-type failures observed since process start.
number (c: Context<any, any, {}>): string Read the resolved client IP from the Hono context.
Returns 'unknown' if the proxy middleware has not run or no IP is available.
Set by create_proxy_middleware.
cContext<any, any, {}>string (runtime: Pick<EnvDeps, "env_get">, name: string): string | null Get the CLI config file path (~/.{name}/config.json).
runtimeruntime with env_get capability
Pick<EnvDeps, "env_get">nameapplication name
stringstring | null path to config.json, or null if $HOME is not set
(runtime: Pick<EnvDeps, "env_get">, name: string): string | null Get the daemon info file path (~/.{name}/run/daemon.json).
runtimeruntime with env_get capability
Pick<EnvDeps, "env_get">nameapplication name
stringstring | null path to daemon.json, or null if $HOME is not set
auth/daemon_token_middleware.ts view source
(runtime: Pick<EnvDeps, "env_get">, name: string): string | null Get the daemon token file path (~/.{name}/run/daemon_token).
runtimeruntime with env_get capability
Pick<EnvDeps, "env_get">nameapplication name
stringstring | null path to daemon_token, or null if $HOME is not set
(value: string): string[] Get list of env var names referenced in a string.
valuestring to scan
stringstring[] array of variable names (without $$ delimiters)
actions/action_codegen.ts view source
(spec: { method: string; initiator: "frontend" | "backend" | "both"; side_effects: boolean; input: ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>; output: ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>; ... 6 more ...; rate_limit?: "both" | ... 2 more ... | undefined; } | { ...; } | { ...; }, executor: "frontend" | "backend"): ("send_request" | ... 7 more ... | "execute")[] Phases an executor can handle for the given spec โ kind + initiator โ set of phases.
spec{ method: string; initiator: "frontend" | "backend" | "both"; side_effects: boolean; input: ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>; output: ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>; ... 6 more ...; rate_limit?: "both" | ... 2 more ... | undefined; } | { ...; } | { ...; }executor"frontend" | "backend"("send_request" | "receive_request" | "send_response" | "receive_response" | "send_error" | "receive_error" | "send" | "receive" | "execute")[] actions/action_codegen.ts view source
(spec: { method: string; initiator: "frontend" | "backend" | "both"; side_effects: boolean; input: ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>; output: ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>; ... 6 more ...; rate_limit?: "both" | ... 2 more ... | undefined; } | { ...; } | { ...; }, phase: "send_request" | ... 7 more ... | "execute", imports: ImportBuilder, collections_path?: string): string Gets the handler return type for a specific phase and spec. Adds an
ActionOutputs import (from collections_path) when the phase carries an
output (request_response receive_request, local_call execute).
spec{ method: string; initiator: "frontend" | "backend" | "both"; side_effects: boolean; input: ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>; output: ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>; ... 6 more ...; rate_limit?: "both" | ... 2 more ... | undefined; } | { ...; } | { ...; }phase"send_request" | "receive_request" | "send_response" | "receive_response" | "send_error" | "receive_error" | "send" | "receive" | "execute"importscollections_pathstringDEFAULT_COLLECTIONS_PATHstring actions/action_event_helpers.ts view source
(kind: "request_response" | "remote_notification" | "local_call", initiator: "frontend" | "backend" | "both", executor: "frontend" | "backend"): "send_request" | "receive_request" | ... 7 more ... | null kind"request_response" | "remote_notification" | "local_call"initiator"frontend" | "backend" | "both"executor"frontend" | "backend""send_request" | "receive_request" | "send_response" | "receive_response" | "send_error" | "receive_error" | "send" | "receive" | "execute" | null auth/request_context.ts view source
(c: Context<any, any, {}>): RequestContext | null Get the request context from a Hono context, or null if unauthenticated.
cthe Hono context
Context<any, any, {}>RequestContext | null the request context, or null
testing/assertions.ts view source
(lookup: Map<string, Partial<Record<number, ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>>>>, route: AppSurfaceRoute, status: number): ZodType<...> | undefined Look up the merged error schema for a route+status from a pre-built schema lookup.
lookupmap from "METHOD /path" to merged error schemas
Map<string, Partial<Record<number, ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>>>>routethe surface route to look up
statusHTTP status code
numberZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>> | undefined the Zod schema for that route+status, or undefined when no error
schema is declared for the status code
http/route_spec.ts view source
<T>(c: Context<any, any, {}>): T Get validated input from the Hono context.
Call after the input validation middleware has run. The type parameter
should match the route's input schema.
cContext<any, any, {}>T http/route_spec.ts view source
<T>(c: Context<any, any, {}>): T Get validated URL path params from the Hono context.
Call after the params validation middleware has run. The type parameter
should match the route's params schema.
TODO derive T from the route spec so the type parameter isn't manually
specified โ same applies to get_route_input / get_route_query.
cContext<any, any, {}>T http/route_spec.ts view source
<T>(c: Context<any, any, {}>): T Get validated URL query params from the Hono context.
Call after the query validation middleware has run. The type parameter
should match the route's query schema.
cContext<any, any, {}>T auth/session_middleware.ts view source
<T>(c: Context<any, any, {}>, options: SessionOptions<T>): string | undefined Read the session cookie value from a request.
cContext<any, any, {}>optionsSessionOptions<T>string | undefined auth/account_schema.ts view source
GrantPermitInput actor_idUuidrolestringscope_idScope the grant applies to. null / omitted grants a global permit.
Uuid | nullexpires_atDate | nullgranted_byUuid | nullsource_offer_idOffer id that produced this permit. Set by query_accept_offer; leave unset for direct grants.
Uuid | nullauth/request_context.ts view source
(ctx: RequestContext | null, roles: readonly string[], scope_id: string | null, now?: Date): boolean Whether the request context holds an active permit for any role in roles
at scope_id. Empty roles short-circuits to false โ documents intent
at the call site ("zero roles trivially admit no-one"). Same scope and
null-tolerance semantics as has_scoped_role.
ctxthe request context, or null for unauthenticated callers
RequestContext | nullrolesthe roles that would admit the caller (any-of)
readonly string[]scope_idthe scope to check (null for global)
string | nullnowcurrent time (defaults to new Date(), pass for testability)
Datenew Date()boolean true iff the actor holds an active permit for any role in roles at the requested scope
(value: string): boolean Check if a string contains unresolved env var references.
valuestring to check
stringboolean true if string contains $$VAR$$ patterns
auth/request_context.ts view source
(ctx: RequestContext | null, role: string, now?: Date): boolean Check if a request context has an active permit for a given role.
Checks the permits already loaded in the context (no DB query).
Null-tolerant โ null ctx (unauthenticated) returns false. Symmetric
with has_scoped_role / has_any_scoped_role so the three helpers
compose freely in the same predicate (e.g.
has_role(auth, ADMIN) || has_scoped_role(auth, role, scope)).
ctxthe request context, or null for unauthenticated callers
RequestContext | nullrolethe role to check
stringnowcurrent time (defaults to new Date(), pass for testability and hot-path efficiency)
Datenew Date()boolean true if the actor has an active permit for the role
auth/request_context.ts view source
(ctx: RequestContext | null, role: string, scope_id: string | null, now?: Date): boolean Whether the request context holds an active permit for role at scope_id.
Walks the in-memory ctx.permits snapshot loaded once per request by
create_request_context_middleware; zero DB roundtrip per check. The
"freshness" framing of a SQL re-query is illusory because the race window
is between predicate and the actual mutation, not predicate and middleware
load. Closing that race needs a transactional re-check inside the
UPDATE/INSERT, which neither style provides.
Null-tolerant โ null ctx (unauthenticated) returns false. Same
convention as has_role; lets the helper drop into auth: 'public'
handlers without a manual narrow. See cell_authorize for the
resource-side analog.
scope_id semantics: in-memory permit.scope_id is string | null, so
JS === matches the SQL IS NOT DISTINCT FROM semantics exactly:
- scope_id === null matches global permits (scope_id IS NULL).
- scope_id === '<uuid>' matches permits bound to that exact scope.
ctxthe request context, or null for unauthenticated callers
RequestContext | nullrolethe role to check
stringscope_idthe scope to check (null for global)
string | nullnowcurrent time (defaults to new Date(), pass for testability and hot-path efficiency)
Datenew Date()boolean true iff the actor holds an active permit for the role at the requested scope
(token: string): string Hash an API token for storage using blake3.
tokenthe raw API token
stringstring hex-encoded blake3 hash
auth/password_argon2.ts view source
(password: string): Promise<string> Hash a password using Argon2id.
passwordthe plaintext password to hash
stringPromise<string> the Argon2id hash string
auth/session_queries.ts view source
(token: string): string Hash a session token to its storage key using blake3.
tokenthe raw session token
stringstring hex-encoded blake3 hash
actions/heartbeat.ts view source
Action<BaseHandlerContext> Protocol-action tuple โ spread into the server's actions array for
dispatch (or via protocol_actions from actions/protocol.ts) so the
dispatcher resolves the heartbeat handler. The frontend-side spread
happens via protocol_action_specs โ the client doesn't run the echo
handler, but the spec must be in ActionRegistry so create_rpc_client
types app.api.heartbeat() against the shared spec.
actions/heartbeat.ts view source
{ method: string; kind: "request_response"; initiator: "frontend"; auth: "authenticated"; side_effects: false; input: ZodObject<{}, $strict>; output: ZodObject<{}, $strict>; async: true; description: string; } ActionSpec for the shared heartbeat. authenticated auth โ upgrade-time
auth has already admitted the socket; heartbeats don't need role gating.
side_effects: false keeps it orthogonal to state changes.
actions/heartbeat.ts view source
(): Record<string, never> Handler โ nullary echo. Stateless, suitable for high-frequency pings.
Record<string, never> HelpCategory<TCategory> Category configuration for help display.
TCategorystringstringkeyTCategorytitlestringHelpGenerator Help generator returned by create_help.
generate_main_helpGenerate main help text with all commands grouped by category.
() => stringgenerate_command_helpGenerate help text for a specific command.
(command: string, meta: CommandMeta) => stringget_help_textGet help text for a command or main help.
(command?: string, subcommand?: string) => stringHelpOptions<TCategory> Configuration for create_help.
TCategorystringstringnameApplication name (e.g., "tx", "zzz").
stringversionApplication version string.
stringdescriptionShort description for the main help header.
stringcommandsCommand registry keyed by command path (e.g., "apply", "daemon start").
Record<string, CommandMeta<TCategory>>categoriesCategory display order for main help.
Array<HelpCategory<TCategory>>examplesExample commands for main help.
Array<string>global_args_schemaZod schema for global arguments (shown in all help output).
z.ZodTypeuse_colorsWhether to use ANSI colors in output. Defaults to true.
booleanhttp/jsonrpc_errors.ts view source
(status: number): -32700 | -32600 | -32601 | -32602 | -32603 | (number & $brand<"JsonrpcServerErrorCode">) Map an HTTP status code to a JSON-RPC error code.
Returns internal_error (-32603) for unrecognized status codes.
statusnumber-32700 | -32600 | -32601 | -32602 | -32603 | (number & $brand<"JsonrpcServerErrorCode">) http/jsonrpc_errors.ts view source
Record<number, -32700 | -32600 | -32601 | -32602 | -32603 | (number & $brand<"JsonrpcServerErrorCode">)> Maps HTTP status codes to JSON-RPC error codes (reverse mapping).
When multiple error codes map to the same HTTP status (e.g. parse_error and invalid_request both map to 400), the last one wins. Use for best-effort HTTP โ JSON-RPC translation.
testing/rpc_helpers.ts view source
(app: { request: (input: string, init: RequestInit) => Response | Promise<Response>; }): RpcTestTransport Adapt a Hono-style app into an RpcTestTransport.
app{ request: (input: string, init: RequestInit) => Response | Promise<Response>; }RpcTestTransport actions/action_codegen.ts view source
Manages imports for generated code, building them on demand.
Automatically optimizes type-only imports to use import type syntax.
Why this matters:
- import type statements are completely removed during compilation
- Mixed imports like import { type A, B } cannot be safely removed
- This ensures optimal tree-shaking and smaller bundle sizes
const imports = new ImportBuilder();
imports.add_types('./types.js', 'Foo', 'Bar');
imports.add('./utils.js', 'helper');
imports.add_type('./utils.js', 'HelperOptions');
imports.add('./action_specs.js', '* as specs');
// Generates:
// import type {Foo, Bar} from './types.js';
// import {helper, type HelperOptions} from './utils.js';
// import * as specs from './action_specs.js';importstype Map<string, Map<string, ImportItem>>
addAdd a value import. Accepts * as ns strings as namespace imports.
type (from: string, what: string): this
fromstringwhatstringthisthis for chaining
add_typeAdd a type-only import.
type (from: string, what: string): this
fromstringwhatstringthisthis for chaining
add_manytype (from: string, ...items: string[]): this
fromstringitemsstring[]thisadd_typestype (from: string, ...items: string[]): this
fromstringitemsstring[]thisbuildGenerate the import statements. When every import from a module is a
type, emits import type {โฆ} so the whole statement disappears at
compile time.
type (): string
stringhas_importstype (): boolean
booleanpreviewBuild the same statement list as build without joining โ for inspection in tests.
type (): string[]
string[]clearClear all imports.
type (): this
thisthis for chaining
auth/invite_schema.ts view source
Invite Invite row from the database.
idUuidemailEmail | nullusernameUsername | nullclaimed_byUuid | nullclaimed_atstring | nullcreated_atstringcreated_byUuid | nullauth/admin_action_specs.ts view source
{ method: string; kind: "request_response"; initiator: "frontend"; auth: { role: string; }; side_effects: true; input: ZodObject<{ email: ZodOptional<ZodNullable<ZodEmail>>; username: ZodOptional<...>; }, $strict>; output: ZodObject<...>; async: true; description: string; rate_limit: "account"; } auth/admin_action_specs.ts view source
{ method: string; kind: "request_response"; initiator: "frontend"; auth: { role: string; }; side_effects: true; input: ZodObject<{ invite_id: $ZodBranded<ZodUUID, "Uuid", "out">; }, $strict>; output: ZodObject<...>; async: true; description: string; rate_limit: "account"; } string[] auth/admin_action_specs.ts view source
{ method: string; kind: "request_response"; initiator: "frontend"; auth: { role: string; }; side_effects: false; input: ZodVoid; output: ZodObject<{ invites: ZodArray<ZodObject<{ id: $ZodBranded<ZodUUID, "Uuid", "out">; ... 7 more ...; claimed_by_username: ZodNullable<...>; }, $strict>>; }, $strict>; async: true; de... "\nCREATE TABLE IF NOT EXISTS invite (\n id UUID PRIMARY KEY DEFAULT gen_random_uuid(),\n email TEXT,\n username TEXT,\n claimed_by UUID REFERENCES account(id) ON DELETE SET NULL,\n claimed_at TIMESTAMPTZ,\n created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),\n created_by UUID REFERENCES actor(id) ON DELETE SET NU... auth/admin_action_specs.ts view source
ZodObject<{ email: ZodOptional<ZodNullable<ZodEmail>>; username: ZodOptional<ZodNullable<ZodString>>; }, $strict> Input for invite_create. At least one of email / username must be provided.
auth/admin_action_specs.ts view source
ZodObject<{ ok: ZodLiteral<true>; invite: ZodObject<{ id: $ZodBranded<ZodUUID, "Uuid", "out">; email: ZodNullable<ZodEmail>; username: ZodNullable<...>; claimed_by: ZodNullable<...>; claimed_at: ZodNullable<...>; created_at: ZodString; created_by: ZodNullable<...>; }, $strict>; }, $strict> Output for invite_create.
auth/admin_action_specs.ts view source
ZodObject<{ invite_id: $ZodBranded<ZodUUID, "Uuid", "out">; }, $strict> Input for invite_delete.
auth/admin_action_specs.ts view source
ZodObject<{ ok: ZodLiteral<true>; }, $strict> Output for invite_delete.
auth/invite_schema.ts view source
ZodObject<{ id: $ZodBranded<ZodUUID, "Uuid", "out">; email: ZodNullable<ZodEmail>; username: ZodNullable<ZodString>; claimed_by: ZodNullable<...>; claimed_at: ZodNullable<...>; created_at: ZodString; created_by: ZodNullable<...>; }, $strict> Zod schema for client-safe invite data.
auth/admin_action_specs.ts view source
ZodVoid Input for invite_list.
auth/admin_action_specs.ts view source
ZodObject<{ invites: ZodArray<ZodObject<{ id: $ZodBranded<ZodUUID, "Uuid", "out">; email: ZodNullable<ZodEmail>; username: ZodNullable<ZodString>; ... 5 more ...; claimed_by_username: ZodNullable<...>; }, $strict>>; }, $strict> Output for invite_list. Uses the enriched row including creator/claimer usernames.
auth/invite_schema.ts view source
ZodObject<{ id: $ZodBranded<ZodUUID, "Uuid", "out">; email: ZodNullable<ZodEmail>; username: ZodNullable<ZodString>; ... 5 more ...; claimed_by_username: ZodNullable<...>; }, $strict> Zod schema for invite data with resolved creator/claimer usernames.
actions/action_event_helpers.ts view source
(data: { kind: "request_response" | "remote_notification" | "local_call"; phase: "send_request" | "receive_request" | "send_response" | "receive_response" | "send_error" | "receive_error" | "send" | "receive" | "execute"; ... 9 more ...; notification: { ...; } | null; }): boolean data{ kind: "request_response" | "remote_notification" | "local_call"; phase: "send_request" | "receive_request" | "send_response" | "receive_response" | "send_error" | "receive_error" | "send" | "receive" | "execute"; ... 9 more ...; notification: { ...; } | null; }boolean actions/action_spec.ts view source
(value: unknown): value is { method: string; initiator: "frontend" | "backend" | "both"; side_effects: boolean; input: ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>; output: ZodType<...>; ... 6 more ...; rate_limit?: "both" | ... 2 more ... | undefined; } | { ...; } | { ...; } Structural type guard for any ActionSpecUnion variant โ checks kind is one of the three known values.
valueunknownboolean boolean CI detection โ CI=true is set automatically by GitHub Actions, GitLab CI, etc.
(runtime: CommandDeps, pid: number): Promise<boolean> Check if a process is running by PID.
runtimeruntime with command execution capability
pidprocess ID to check
numberPromise<boolean> true if the process is running
actions/action_event_helpers.ts view source
(data: { kind: "request_response" | "remote_notification" | "local_call"; phase: "send_request" | "receive_request" | "send_response" | "receive_response" | "send_error" | "receive_error" | "send" | "receive" | "execute"; ... 9 more ...; notification: { ...; } | null; }): data is ActionEventLocalCallData & { ...; } data{ kind: "request_response" | "remote_notification" | "local_call"; phase: "send_request" | "receive_request" | "send_response" | "receive_response" | "send_error" | "receive_error" | "send" | "receive" | "execute"; ... 9 more ...; notification: { ...; } | null; }boolean actions/action_event_helpers.ts view source
(data: { kind: "request_response" | "remote_notification" | "local_call"; phase: "send_request" | "receive_request" | "send_response" | "receive_response" | "send_error" | "receive_error" | "send" | "receive" | "execute"; ... 9 more ...; notification: { ...; } | null; }): data is { ...; } & { ...; } data{ kind: "request_response" | "remote_notification" | "local_call"; phase: "send_request" | "receive_request" | "send_response" | "receive_response" | "send_error" | "receive_error" | "send" | "receive" | "execute"; ... 9 more ...; notification: { ...; } | null; }boolean actions/transports_ws_backend.ts view source
(transport: Transport): transport is FilterableBroadcastTransport Type guard for FilterableBroadcastTransport.
transportboolean actions/action_event_helpers.ts view source
(data: { kind: "request_response" | "remote_notification" | "local_call"; phase: "send_request" | "receive_request" | "send_response" | "receive_response" | "send_error" | "receive_error" | "send" | "receive" | "execute"; ... 9 more ...; notification: { ...; } | null; }): data is { ...; } & { ...; } data{ kind: "request_response" | "remote_notification" | "local_call"; phase: "send_request" | "receive_request" | "send_response" | "receive_response" | "send_error" | "receive_error" | "send" | "receive" | "execute"; ... 9 more ...; notification: { ...; } | null; }boolean actions/action_event_helpers.ts view source
(data: { kind: "request_response" | "remote_notification" | "local_call"; phase: "send_request" | "receive_request" | "send_response" | "receive_response" | "send_error" | "receive_error" | "send" | "receive" | "execute"; ... 9 more ...; notification: { ...; } | null; }): data is { ...; } & { ...; } data{ kind: "request_response" | "remote_notification" | "local_call"; phase: "send_request" | "receive_request" | "send_response" | "receive_response" | "send_error" | "receive_error" | "send" | "receive" | "execute"; ... 9 more ...; notification: { ...; } | null; }boolean actions/action_event_helpers.ts view source
(data: { kind: "request_response" | "remote_notification" | "local_call"; phase: "send_request" | "receive_request" | "send_response" | "receive_response" | "send_error" | "receive_error" | "send" | "receive" | "execute"; ... 9 more ...; notification: { ...; } | null; }): data is { ...; } & { ...; } data{ kind: "request_response" | "remote_notification" | "local_call"; phase: "send_request" | "receive_request" | "send_response" | "receive_response" | "send_error" | "receive_error" | "send" | "receive" | "execute"; ... 9 more ...; notification: { ...; } | null; }boolean http/jsonrpc_helpers.ts view source
(message: unknown): message is { [x: string]: unknown; jsonrpc: "2.0"; id: string | number | null; error: { [x: string]: unknown; code: -32700 | -32600 | -32601 | -32602 | -32603 | (number & $brand<"JsonrpcServerErrorCode">); message: string; data?: unknown; }; } Checks if a value is a JSON-RPC error response (has error + id).
messageunknownboolean http/jsonrpc_helpers.ts view source
(message: unknown): message is { [x: string]: unknown; jsonrpc: "2.0"; id: string | number; method: string; params?: { [x: string]: unknown; } | undefined; } | { [x: string]: unknown; jsonrpc: "2.0"; id: string | number; result: { [x: string]: unknown; }; } | { ...; } | { ...; } | ({ ...; } | ... 2 more ... | { ...; })[] Checks if a value is any valid JSON-RPC message or batch array.
messageunknownboolean http/jsonrpc_helpers.ts view source
(message: unknown): message is { [x: string]: unknown; jsonrpc: "2.0"; method: string; params?: { [x: string]: unknown; } | undefined; } Checks if a value is a JSON-RPC notification (has method, no id).
messageunknownboolean http/jsonrpc_helpers.ts view source
(message: unknown): message is { jsonrpc: "2.0"; } Checks if a value is a JSON-RPC object (has jsonrpc: '2.0').
messageunknownboolean http/jsonrpc_helpers.ts view source
(message: unknown): message is { [x: string]: unknown; jsonrpc: "2.0"; id: string | number; method: string; params?: { [x: string]: unknown; } | undefined; } Checks if a value is a JSON-RPC request (has method + id).
messageunknownboolean http/jsonrpc_helpers.ts view source
(id: unknown): id is string | number Checks if a value is a valid JSON-RPC request id (string or finite number).
idunknownboolean http/jsonrpc_helpers.ts view source
(message: unknown): message is { [x: string]: unknown; jsonrpc: "2.0"; id: string | number; result: { [x: string]: unknown; }; } Checks if a value is a JSON-RPC success response (has result + id).
messageunknownboolean actions/action_event_helpers.ts view source
(data: { kind: "request_response" | "remote_notification" | "local_call"; phase: "send_request" | "receive_request" | "send_response" | "receive_response" | "send_error" | "receive_error" | "send" | "receive" | "execute"; ... 9 more ...; notification: { ...; } | null; }): data is ActionEventLocalCallData data{ kind: "request_response" | "remote_notification" | "local_call"; phase: "send_request" | "receive_request" | "send_response" | "receive_response" | "send_error" | "receive_error" | "send" | "receive" | "execute"; ... 9 more ...; notification: { ...; } | null; }boolean testing/ws_round_trip.ts view source
(method: string): (msg: unknown) => boolean Predicate matching a JSON-RPC notification with the given method name.
methodstring(msg: unknown) => boolean actions/action_event_helpers.ts view source
(data: { kind: "request_response" | "remote_notification" | "local_call"; phase: "send_request" | "receive_request" | "send_response" | "receive_response" | "send_error" | "receive_error" | "send" | "receive" | "execute"; ... 9 more ...; notification: { ...; } | null; }): data is ({ ...; } & { ...; }) | ... 3 more ... | ({ ...; } & { ...; }) data{ kind: "request_response" | "remote_notification" | "local_call"; phase: "send_request" | "receive_request" | "send_response" | "receive_response" | "send_error" | "receive_error" | "send" | "receive" | "execute"; ... 9 more ...; notification: { ...; } | null; }boolean actions/action_event_helpers.ts view source
(data: { kind: "request_response" | "remote_notification" | "local_call"; phase: "send_request" | "receive_request" | "send_response" | "receive_response" | "send_error" | "receive_error" | "send" | "receive" | "execute"; ... 9 more ...; notification: { ...; } | null; }): data is ({ ...; } & { ...; }) | ... 3 more ... | ({ ...; } & { ...; }) data{ kind: "request_response" | "remote_notification" | "local_call"; phase: "send_request" | "receive_request" | "send_response" | "receive_response" | "send_error" | "receive_error" | "send" | "receive" | "execute"; ... 9 more ...; notification: { ...; } | null; }boolean actions/action_event_helpers.ts view source
<TMethod extends string = string>(data: { kind: "request_response" | "remote_notification" | "local_call"; phase: "send_request" | "receive_request" | "send_response" | "receive_response" | "send_error" | "receive_error" | "send" | "receive" | "execute"; ... 9 more ...; notification: { ...; } | null; }): data is ({ ...; } & { ...; }) | ({ ...; } & { ...; }) data{ kind: "request_response" | "remote_notification" | "local_call"; phase: "send_request" | "receive_request" | "send_response" | "receive_response" | "send_error" | "receive_error" | "send" | "receive" | "execute"; ... 9 more ...; notification: { ...; } | null; }boolean testing/ws_round_trip.ts view source
<P>(method: string, match: (params: P) => boolean): (msg: unknown) => msg is JsonrpcNotificationFrame<P> Type-guard combinator: match a notification whose typed params satisfies
match. Collapses the common test pattern of casting msg to
JsonrpcNotificationFrame<P> in every predicate body.
const match_roster_for = (id: Uuid) =>
is_notification_with<RosterChangedParams>(
WORLD_METHODS.roster_changed,
(params) => params.character_id === id && !params.removed,
);
const roster = await client.wait_for(match_roster_for(char_id));methodstringmatch(params: P) => boolean(msg: unknown) => msg is JsonrpcNotificationFrame<P> http/schema_helpers.ts view source
(schema: ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>): boolean Check if a schema is exactly z.null().
Uses instanceof rather than runtime parsing to avoid false positives
from z.nullable(z.string()) or similar schemas that accept null
but also accept other values.
schemaZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>boolean actions/action_event_helpers.ts view source
(data: { kind: "request_response" | "remote_notification" | "local_call"; phase: "send_request" | "receive_request" | "send_response" | "receive_response" | "send_error" | "receive_error" | "send" | "receive" | "execute"; ... 9 more ...; notification: { ...; } | null; }): data is { ...; } & { ...; } data{ kind: "request_response" | "remote_notification" | "local_call"; phase: "send_request" | "receive_request" | "send_response" | "receive_response" | "send_error" | "receive_error" | "send" | "receive" | "execute"; ... 9 more ...; notification: { ...; } | null; }boolean auth/account_schema.ts view source
(p: { revoked_at?: string | null | undefined; expires_at: string | null; }, now?: Date): boolean p{ revoked_at?: string | null | undefined; expires_at: string | null; }nowDatenew Date()boolean (error: unknown): boolean Check if an error is a PostgreSQL unique constraint violation (error code 23505).
errorthe caught error
unknownboolean true if the error is a unique constraint violation
actions/action_codegen.ts view source
(method: string): method is "heartbeat" | "cancel" Type predicate for filtering protocol-action methods out of a typed
FrontendActionsApi method_filter. Avoids the (... as never) cast
required to call Array.prototype.includes on the readonly tuple at narrow
string types.
methodstringboolean generate_frontend_actions_api(specs, imports, { method_filter: (s) => !is_protocol_action_method(s.method), });
actions/action_event_helpers.ts view source
(data: { kind: "request_response" | "remote_notification" | "local_call"; phase: "send_request" | "receive_request" | "send_response" | "receive_response" | "send_error" | "receive_error" | "send" | "receive" | "execute"; ... 9 more ...; notification: { ...; } | null; }): data is ({ ...; } & { ...; }) | ... 3 more ... | ({ ...; } & { ...; }) data{ kind: "request_response" | "remote_notification" | "local_call"; phase: "send_request" | "receive_request" | "send_response" | "receive_response" | "send_error" | "receive_error" | "send" | "receive" | "execute"; ... 9 more ...; notification: { ...; } | null; }boolean actions/action_event_helpers.ts view source
(data: { kind: "request_response" | "remote_notification" | "local_call"; phase: "send_request" | "receive_request" | "send_response" | "receive_response" | "send_error" | "receive_error" | "send" | "receive" | "execute"; ... 9 more ...; notification: { ...; } | null; }): data is ({ ...; } & { ...; }) | ... 3 more ... | ({ ...; } & { ...; }) data{ kind: "request_response" | "remote_notification" | "local_call"; phase: "send_request" | "receive_request" | "send_response" | "receive_response" | "send_error" | "receive_error" | "send" | "receive" | "execute"; ... 9 more ...; notification: { ...; } | null; }boolean actions/action_event_helpers.ts view source
(data: { kind: "request_response" | "remote_notification" | "local_call"; phase: "send_request" | "receive_request" | "send_response" | "receive_response" | "send_error" | "receive_error" | "send" | "receive" | "execute"; ... 9 more ...; notification: { ...; } | null; }): data is ActionEventRemoteNotificationData data{ kind: "request_response" | "remote_notification" | "local_call"; phase: "send_request" | "receive_request" | "send_response" | "receive_response" | "send_error" | "receive_error" | "send" | "receive" | "execute"; ... 9 more ...; notification: { ...; } | null; }boolean actions/action_event_helpers.ts view source
(data: { kind: "request_response" | "remote_notification" | "local_call"; phase: "send_request" | "receive_request" | "send_response" | "receive_response" | "send_error" | "receive_error" | "send" | "receive" | "execute"; ... 9 more ...; notification: { ...; } | null; }): data is ActionEventRequestResponseData data{ kind: "request_response" | "remote_notification" | "local_call"; phase: "send_request" | "receive_request" | "send_response" | "receive_response" | "send_error" | "receive_error" | "send" | "receive" | "execute"; ... 9 more ...; notification: { ...; } | null; }boolean testing/ws_round_trip.ts view source
(id: string | number): (msg: unknown) => boolean Predicate matching a JSON-RPC response frame (success or error) for the given request id.
idstring | number(msg: unknown) => boolean actions/action_event_helpers.ts view source
(data: { kind: "request_response" | "remote_notification" | "local_call"; phase: "send_request" | "receive_request" | "send_response" | "receive_response" | "send_error" | "receive_error" | "send" | "receive" | "execute"; ... 9 more ...; notification: { ...; } | null; }): data is ({ ...; } & { ...; }) | ... 3 more ... | ({ ...; } & { ...; }) data{ kind: "request_response" | "remote_notification" | "local_call"; phase: "send_request" | "receive_request" | "send_response" | "receive_response" | "send_error" | "receive_error" | "send" | "receive" | "execute"; ... 9 more ...; notification: { ...; } | null; }boolean actions/action_event_helpers.ts view source
<TMethod extends string = string>(data: { kind: "request_response" | "remote_notification" | "local_call"; phase: "send_request" | "receive_request" | "send_response" | "receive_response" | "send_error" | "receive_error" | "send" | "receive" | "execute"; ... 9 more ...; notification: { ...; } | null; }): data is ({ ...; } & { ...; }) | ({ ...; } & { ...; }) data{ kind: "request_response" | "remote_notification" | "local_call"; phase: "send_request" | "receive_request" | "send_response" | "receive_response" | "send_error" | "receive_error" | "send" | "receive" | "execute"; ... 9 more ...; notification: { ...; } | null; }boolean actions/action_event_helpers.ts view source
(data: { kind: "request_response" | "remote_notification" | "local_call"; phase: "send_request" | "receive_request" | "send_response" | "receive_response" | "send_error" | "receive_error" | "send" | "receive" | "execute"; ... 9 more ...; notification: { ...; } | null; }): data is ({ ...; } & { ...; }) | ... 3 more ... | ({ ...; } & { ...; }) data{ kind: "request_response" | "remote_notification" | "local_call"; phase: "send_request" | "receive_request" | "send_response" | "receive_response" | "send_error" | "receive_error" | "send" | "receive" | "execute"; ... 9 more ...; notification: { ...; } | null; }boolean http/schema_helpers.ts view source
(schema: ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>): boolean Check if a schema is a strict object (z.strictObject()).
Strict objects set catchall to ZodNever to reject unknown keys.
Regular z.object() has catchall: undefined (strips unknown keys in Zod 4).
schemaZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>boolean (ip: string, proxies: ParsedProxy[]): boolean Check whether ip matches any entry in the trusted proxy list.
Normalizes ip before matching (lowercase, IPv4-mapped IPv6 stripped).
ipstringproxiesParsedProxy[]boolean http/schema_helpers.ts view source
(schema: ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>): boolean Check if a schema is exactly z.void().
RPC action specs use z.void() to declare a parameterless method โ
JSON-RPC 2.0 forbids params: null (params must be omitted or be a
Structured value), so z.void() is the correct schema for "no params"
and the dispatcher maps absent params to undefined for these specs.
schemaZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>boolean http/jsonrpc_errors.ts view source
(code: -32700 | -32600 | -32601 | -32602 | -32603 | (number & $brand<"JsonrpcServerErrorCode">)): number Map a JSON-RPC error code to an HTTP status code.
Returns 500 for unrecognized codes (consumer-defined codes without a mapping default to internal server error).
code-32700 | -32600 | -32601 | -32602 | -32603 | (number & $brand<"JsonrpcServerErrorCode">)number http/jsonrpc_errors.ts view source
Record<number, number> Maps JSON-RPC error codes to HTTP status codes.
Extensible โ consumers with domain-specific error codes assign directly
(JSONRPC_ERROR_CODE_TO_HTTP_STATUS[-32020] = 502) at module load. The
lookup function reads at call time, so mutation is the supported
extension mechanism.
http/jsonrpc_errors.ts view source
Readonly<Record<JsonrpcErrorName, -32700 | -32600 | -32601 | -32602 | -32603 | (number & $brand<"JsonrpcServerErrorCode">)>> Standard JSON-RPC error codes (5) plus general application codes (10).
Extensible โ consumers add domain-specific codes to their own objects
by casting as JsonrpcErrorCode. Application codes use the -32000 to
-32099 range reserved by the JSON-RPC spec.
Frozen with Object.freeze to convert accidental mutation (test
cross-contamination, cast escapes) into loud TypeErrors. Spread into
a fresh object to extend.
http/jsonrpc_errors.ts view source
Readonly<Record<JsonrpcErrorName, (...args: any[]) => { [x: string]: unknown; code: -32700 | -32600 | -32601 | -32602 | -32603 | (number & $brand<"JsonrpcServerErrorCode">); message: string; data?: unknown; }>> Named constructors for JsonrpcErrorObject values.
Each function creates a JSON-RPC error object with the correct code and a sensible default message. Used by the catch layer in apply_route_specs to build response bodies.
Frozen so tests must compose new objects rather than monkey-patch.
http/jsonrpc_errors.ts view source
{ readonly parse_error: (...args: any[]) => ThrownJsonrpcError; readonly invalid_request: (...args: any[]) => ThrownJsonrpcError; readonly method_not_found: (...args: any[]) => ThrownJsonrpcError; ... 11 more ...; readonly request_cancelled: (...args: any[]) => ThrownJsonrpcError; } Named constructors for ThrownJsonrpcError.
Usage: throw jsonrpc_errors.not_found('user') or throw jsonrpc_errors.forbidden().
-32603 -32602 -32600 -32601 -32700 -32099 End of the server-defined error code range (-32099).
-32000 Start of the server-defined error code range (-32000).
"2.0" ZodUnion<readonly [ZodLiteral<-32700>, ZodLiteral<-32600>, ZodLiteral<-32601>, ZodLiteral<-32602>, ZodLiteral<-32603>, $ZodBranded<...>]> A valid JSON-RPC error code โ one of the 5 standard codes or a server-defined code in the -32000 to -32099 range.
http/jsonrpc_errors.ts view source
JsonrpcErrorName Names of standard and general application JSON-RPC error codes.
ZodObject<{ code: ZodUnion<readonly [ZodLiteral<-32700>, ZodLiteral<-32600>, ZodLiteral<-32601>, ZodLiteral<-32602>, ZodLiteral<-32603>, $ZodBranded<...>]>; message: ZodString; data: ZodOptional<...>; }, $loose> Error object within a JSON-RPC error response.
ZodObject<{ jsonrpc: ZodLiteral<"2.0">; id: ZodNullable<ZodUnion<readonly [ZodString, ZodNumber]>>; error: ZodObject<{ code: ZodUnion<readonly [ZodLiteral<-32700>, ... 4 more ..., $ZodBranded<...>]>; message: ZodString; data: ZodOptional<...>; }, $loose>; }, $loose> A response that indicates an error occurred.
testing/ws_round_trip.ts view source
JsonrpcErrorResponseFrame<D> Dunknownjsonrpctypeof JSONRPC_VERSIONidnumber | stringerror{code: number; message: string; data?: D}ZodObject<{}, $loose> MCP metadata object โ loose to allow additional properties and .extend.
ZodUnion<readonly [ZodObject<{ jsonrpc: ZodLiteral<"2.0">; id: ZodUnion<readonly [ZodString, ZodNumber]>; method: ZodString; params: ZodOptional<ZodObject<{}, $loose>>; }, $loose>, ZodObject<...>, ZodObject<...>, ZodObject<...>]> Any valid JSON-RPC message (request, notification, response, or error response).
ZodUnion<readonly [ZodObject<{ jsonrpc: ZodLiteral<"2.0">; id: ZodUnion<readonly [ZodString, ZodNumber]>; method: ZodString; params: ZodOptional<ZodObject<{}, $loose>>; }, $loose>, ZodObject<...>]> Messages a client can send to a server (request or notification).
ZodUnion<readonly [ZodObject<{ jsonrpc: ZodLiteral<"2.0">; method: ZodString; params: ZodOptional<ZodObject<{}, $loose>>; }, $loose>, ZodObject<...>, ZodObject<...>]> Messages a server can send to a client (notification, response, or error response).
ZodString A JSON-RPC method name.
ZodObject<{ jsonrpc: ZodLiteral<"2.0">; method: ZodString; params: ZodOptional<ZodObject<{}, $loose>>; }, $loose> A notification which does not expect a response.
testing/ws_round_trip.ts view source
JsonrpcNotificationFrame<P> Punknownjsonrpctypeof JSONRPC_VERSIONmethodstringparamsPZodObject<{}, $loose> Notification params โ loose object. Per-action schemas validate _meta content.
ZodUnion<readonly [ZodString, ZodNumber]> A progress token, used to associate progress notifications with the original request.
ZodObject<{ jsonrpc: ZodLiteral<"2.0">; id: ZodUnion<readonly [ZodString, ZodNumber]>; method: ZodString; params: ZodOptional<ZodObject<{}, $loose>>; }, $loose> A request that expects a response.
ZodUnion<readonly [ZodString, ZodNumber]> A uniquely identifying id for a request in JSON-RPC. Like MCP, excludes null.
ZodObject<{}, $loose> Request params โ loose object. Per-action schemas validate _meta content.
ZodObject<{ progressToken: ZodOptional<ZodUnion<readonly [ZodString, ZodNumber]>>; }, $loose> Request params metadata โ extends MCP meta with optional progress token.
ZodObject<{ jsonrpc: ZodLiteral<"2.0">; id: ZodUnion<readonly [ZodString, ZodNumber]>; result: ZodObject<{}, $loose>; }, $loose> A successful (non-error) response to a request.
ZodUnion<readonly [ZodObject<{ jsonrpc: ZodLiteral<"2.0">; id: ZodUnion<readonly [ZodString, ZodNumber]>; result: ZodObject<{}, $loose>; }, $loose>, ZodObject<...>]> A successful response or an error response.
ZodObject<{}, $loose> Result โ loose object. Per-action schemas validate _meta content.
$ZodBranded<ZodNumber, "JsonrpcServerErrorCode", "out"> A server-defined error code in the -32000 to -32099 range.
testing/ws_round_trip.ts view source
JsonrpcSuccessResponseFrame<R> Runknownjsonrpctypeof JSONRPC_VERSIONidnumber | stringresultRtesting/ws_round_trip.ts view source
(): WsConnectIdentity Convenience: default identity for keeper-authenticated connections.
WsConnectIdentity http/error_schemas.ts view source
ZodObject<{ error: ZodLiteral<"keeper_requires_daemon_token">; credential_type: ZodString; }, $loose> Keeper credential error โ returned by require_keeper when credential type is wrong.
Keyring Opaque keyring that encapsulates secret keys. Only exposes sign/verify operations, never the raw keys.
signSign a value with HMAC SHA-256.
(value: string) => Promise<string>verifyVerify a signed value and extract the original. Tries all keys in order to support key rotation.
(signed_value: string) => Promise<{value: string; key_index: number} | null><T>(runtime: Pick<FsReadDeps, "stat" | "read_text_file"> & LogDeps, path: string, schema: ZodType<T, unknown, $ZodTypeInternals<T, unknown>>): Promise<...> Load CLI configuration from a JSON file with Zod schema validation.
runtimeruntime with file read capability
Pick<FsReadDeps, "stat" | "read_text_file"> & LogDepspathpath to the config JSON file
stringschemaZod schema to validate against
ZodType<T, unknown, $ZodTypeInternals<T, unknown>>Promise<T | null> parsed config, or null if file doesn't exist or is invalid
<T extends z.ZodObject>(schema: T, get_env: (key: string) => string | undefined): output<T> Load and validate env vars against a Zod schema.
schemaZod object schema defining expected env vars
Tget_envfunction to read an env var by key
(key: string) => string | undefinedoutput<T> validated env object
EnvValidationError - if Zod validation fails(runtime: Pick<FsReadDeps, "read_text_file">, path: string): Promise<Record<string, string> | null> Load and parse an env file.
Returns null only when the file does not exist. Other read errors (permission denied, I/O failure, etc.) are re-thrown so callers can distinguish "no file" from "couldn't read".
runtimeruntime with read_text_file capability
Pick<FsReadDeps, "read_text_file">pathpath to env file
stringPromise<Record<string, string> | null> parsed env record, or null if file doesn't exist
Error - if reading fails for any reason other than `ENOENT` / `NotFound`ui/loadable.svelte.ts view source
Base reactive state class with loading/error management.
Provides the common loading/error pattern shared by all state classes.
Subclasses add domain-specific $state fields and methods that call
the protected run helper for async operations.
TErrorstringclass ItemsState extends Loadable {
items: Array<Item> = $state.raw([]);
async fetch(): Promise<void> {
await this.run(async () => {
const response = await fetch('/api/items');
if (!response.ok) throw new Error('failed to fetch');
this.items = await response.json();
});
}
}// structured errors via map_error
class FormState extends Loadable<{field: string; message: string}> {
async submit(data: FormData): Promise<void> {
await this.run(
() => post_form(data),
(e) => ({field: 'form', message: e instanceof Error ? e.message : 'unknown'}),
);
}
}loadingerrortype TError | null
error_dataThe raw caught value from the last failed run(), for programmatic inspection.
type unknown
runRun an async operation with loading/error handling.
Sets loading to true, clears error and error_data, runs fn, catches errors.
Pass map_error to produce structured errors instead of strings.
type <T>(fn: () => Promise<T>, map_error?: ((e: unknown) => TError) | undefined): Promise<T | undefined>
fn() => Promise<T>map_error?((e: unknown) => TError) | undefinedPromise<T | undefined>the result or undefined if the operation failed
resetReset loading and error state. Subclasses override to clear data.
type (): void
voidactions/action_spec.ts view source
ZodObject<{ method: ZodString; initiator: ZodEnum<{ frontend: "frontend"; backend: "backend"; both: "both"; }>; side_effects: ZodBoolean; input: ZodCustom<ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>, ZodType<...>>; ... 7 more ...; auth: ZodDefault<...>; }, $strict> Local calls can wrap synchronous or asynchronous actions, and are the escape hatch for remote APIs that do not support SAES.
(factories: DbFactory[]): void Log factory status to console.
factoriesDbFactory[]void (error: EnvValidationError, label?: string | undefined): void Log formatted env validation issues to stderr.
Handles the common case: labels each Zod issue with an optional prefix.
Callers who want app-specific "getting started" instructions should check
error.all_undefined before calling this.
errorthe env validation error
label?optional prefix for log lines (e.g., 'tx daemon', 'env')
string | undefinedvoid (surface: AppSurface, log: Logger, env_values?: Record<string, unknown> | undefined): void Log a startup summary from an AppSurface.
Logs route count, middleware count, env breakdown (when non-empty),
and event/channel counts (when non-empty). When env_values is provided,
non-secret values are logged and secrets are masked with ***.
surfacelogLoggerenv_values?optional env values to log (secrets are masked)
Record<string, unknown> | undefinedvoid LogDeps Warning/diagnostic output.
warnLog a warning message.
(...args: Array<unknown>) => voidui/LoginForm.svelte view source
username_label?Label and placeholder for the username field โ set when the surface accepts only one of username/email so the UX matches.
stringredirect_on_login?Path to navigate to on successful login.
stringauth/account_routes.ts view source
ZodObject<{ username: ZodString; password: ZodString; }, $strict> Input for POST /login. Accepts a username or email in the username field.
auth/account_routes.ts view source
ZodObject<{ ok: ZodLiteral<true>; }, $strict> Output for POST /login. The signed session cookie is the operative side effect.
ui/LogoutButton.svelte view source
onclick?ComponentProps<typeof PendingButton>['onclick']children?Snippetauth/account_routes.ts view source
ZodNull Input for POST /logout. Session identity flows through the cookie.
auth/account_routes.ts view source
ZodObject<{ ok: ZodLiteral<true>; username: ZodString; }, $strict> Output for POST /logout. Includes the revoked account's username for UI redraw.
actions/action_bridge.ts view source
(auth: "public" | "authenticated" | "keeper" | { role: string; }): RouteAuth Map an ActionAuth value to a RouteAuth.
auth"public" | "authenticated" | "keeper" | { role: string; }RouteAuth "***" Placeholder displayed in place of secret values.
ui/MenuLink.svelte view source
pathRoute path passed to resolve from $app/paths to compute href.
stringhighlighted?Override the auto-derived highlighted flag (defaults to "current path is below href").
booleanchildren?Snippethttp/schema_helpers.ts view source
(spec: { auth: RouteAuth; input: ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>; params?: ZodObject<$ZodLooseShape, $strip> | undefined; query?: ZodObject<...> | undefined; rate_limit?: "both" | ... 2 more ... | undefined; errors?: Partial<...> | undefined; }, middleware_errors?: Partial<...> | ... 1 more ... | undefined): Partial<...> | null Merge auto-derived, middleware, and explicit error schemas for a route spec.
Merge order: derived -> middleware -> explicit route errors. Later layers override earlier ones for the same status code.
specthe route spec (needs auth, input, params, rate_limit, errors)
{ auth: RouteAuth; input: ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>; params?: ZodObject<$ZodLooseShape, $strip> | undefined; query?: ZodObject<...> | undefined; rate_limit?: "both" | ... 2 more ... | undefined; errors?: Partial<...> | undefined; }middleware_errors?Partial<Record<number, ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>>> | null | undefinedPartial<Record<number, ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>>> | null merged error schemas, or null if empty
http/schema_helpers.ts view source
(mw_path: string, route_path: string): boolean Check if a middleware path pattern applies to a route path.
Supports Hono-style patterns:
- /api/* matches /api/anything
- /api/tx/* matches /api/tx/runs but not /api/account/login
- Exact match: /health matches /health
mw_pathstringroute_pathstringboolean http/middleware_spec.ts view source
MiddlewareSpec A named middleware layer.
namestringpathstringhandlerMiddlewareHandlererrorsError response schemas this middleware can produce, keyed by HTTP status code.
Migration A single migration: a name + an up function applied inside a transaction.
Throw from up to roll back the entire chain.
namestringup(db: Db) => Promise<void>Tagged error thrown by run_migrations and baseline.
Branch on .kind; the message carries an operator-facing remediation hint.
Errorkindtype MigrationErrorKind
namespacetype string
at_indextype number
unknown_namestype ReadonlyArray<string>
constructortype new (kind: MigrationErrorKind, message: string, context?: MigrationErrorContext | undefined): MigrationError
kindmessagestringcontext?MigrationErrorContext | undefinedMigrationErrorContext Structured context passed alongside a MigrationError.
namespacestringat_indexnumberunknown_namesReadonlyArray<string>causeunknownMigrationErrorKind Tagged error vocabulary for run_migrations and baseline.
Callers branch on .kind rather than matching error messages โ message
text is for operators, not control flow.
MigrationNamespace A named group of ordered migrations.
Array index = position in the chain. Append-only after publish.
namespacestringmigrationsArray<Migration>MigrationResult Result of running migrations for a single namespace.
namespacestringapplied_namesMigrations applied in this run, in sequence-ascending (execution) order.
Array<string>MigrationStatus Migration status for a single namespace.
namespacestringapplied_namesNames of migrations recorded in the tracker, sequence-ascending.
Array<string>pending_namesNames of code migrations not yet applied (suffix of the code array).
Array<string>up_to_dateWhether applied_names is the full code array (no pending work).
booleantesting/ws_round_trip.ts view source
Minimal ActionEventEnvironment for tests that instantiate an ActionPeer without pulling in the full runtime. Pre-loads a spec map from the supplied list.
executortype 'frontend' | 'backend'
constructortype new (specs: readonly ({ method: string; initiator: "frontend" | "backend" | "both"; side_effects: boolean; input: ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>; output: ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>; ... 6 more ...; rate_limit?: "both" | ... 2 more ... | undefined; } | { ...; } | { ...; })[]): MinimalActionEnvironment
specsreadonly ({ method: string; initiator: "frontend" | "backend" | "both"; side_effects: boolean; input: ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>; output: ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>; ... 6 more ...; rate_limit?: "both" | ... 2 more ... | undefined; } | { ...; } ...lookup_action_handlertype (): undefined
undefinedlookup_action_spectype (method: string): { method: string; initiator: "frontend" | "backend" | "both"; side_effects: boolean; input: ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>; ... 7 more ...; rate_limit?: "both" | ... 2 more ... | undefined; } | { ...; } | { ...; } | undefined
methodstring{ method: string; initiator: "frontend" | "backend" | "both"; side_effects: boolean; input: ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>; output: ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>; ... 6 more ...; rate_limit?: "both" | ... 2 more ... | undefined; } | { ...; } | { ...; }...Error thrown when mock runtime.exit() is called.
Tests can catch this to verify exit behavior.
Errorcodetype number
constructortype new (code: number): MockExitError
codenumbertesting/mock_fs.ts view source
MockFs In-memory file system mock for tests that use dependency-injected
read_file and write_file callbacks. Avoids module-level mocking.
read_file(path: string, encoding: string) => Promise<string>write_file(path: string, content: string, encoding: string) => Promise<void>get_file(path: string) => string | undefinedMockRuntime Mock RuntimeDeps with observable state for assertions.
mock_envMock environment variables.
Map<string, string>mock_fsMock file system (path -> content).
Map<string, string>mock_fs_bytesMock binary file system (path -> bytes).
Map<string, Uint8Array>mock_dirsMock directories that exist.
Set<string>exit_callsExit calls recorded (exit codes).
Array<number>command_callsCommands executed. Captures options when passed so tests can assert cwd/timeout/signal.
Array<{cmd: string; args: Array<string>; options?: RunCommandOptions}>command_inherit_callsCommands executed with inherit.
Array<{cmd: string; args: Array<string>}>stdout_writesStdout writes recorded.
Array<string>mock_command_resultsMock command results (cmd -> result).
Map<string, CommandResult>stdin_bufferStdin buffer for input simulation.
Uint8Array | nullfetch_callsFetch calls recorded.
Array<{input: string | URL | Request; init?: RequestInit}>mock_fetch_responsesMock fetch responses (URL substring -> Response).
Map<string, Response>testing/ws_round_trip.ts view source
MockWsClient A mock WS client: send requests, inspect/await incoming messages.
sendSend a JSON-RPC message (request or notification) to the server.
(message: unknown) => Promise<void>requestSend a JSON-RPC request and await its response. Resolves with the
result; throws with a useful message (code, text, and any data
payload) on an error frame โ without this, asserting on
result.foo for a failed request throws
Cannot read property 'foo' of undefined, which hides the real
cause. Use send + wait_for(is_response_for(id)) directly when
you need to assert on the error frame itself.
<R = unknown>(
id: number | string,
method: string,
params: unknown,
timeout_ms?: number,
) => Promise<R>closeClose the connection, firing onClose. Returns a promise that
resolves once on_socket_close (and the transport's own cleanup)
have completed โ tests that assert on post-close state should await.
(code?: number, reason?: string) => Promise<void>messagesEvery message the server has sent, in arrival order.
ReadonlyArray<unknown>wait_forWait until a message satisfies predicate. Matches are checked
against already-received messages first, then new arrivals until
the timeout (defaults to 1000ms).
When predicate is a type guard (e.g. is_notification_with<P>),
the result is narrowed automatically and callers don't need to
spell <JsonrpcNotificationFrame<P>> on the call site.
{
<T>(predicate: (msg: unknown) => msg is T, timeout_ms?: number): Promise<T>;
// eslint-disable-next-line @typescript-eslint/unified-signatures
<T = unknown>(predicate: (msg: unknown) => boolean, timeout_ms?: number): Promise<T>;
}server/validate_nginx.ts view source
NginxValidationResult Result of validating an nginx config template string.
okTrue when no errors were detected. Warnings do not affect this flag.
booleanwarningsNon-fatal issues โ missing optional headers, weakened defaults, etc.
Array<string>errorsFatal issues โ missing /api block, missing required security headers, etc.
Array<string><T>(fn: (tx_db: Db) => Promise<T>): Promise<T> Sentinel transaction function for transaction-scoped Db instances.
Used by driver adapters when constructing the inner Db passed to transaction callbacks.
fn(tx_db: Db) => Promise<T>Promise<T> Error - always โ nested transactions are not supported(ip: string): string Normalize an IP address for consistent matching and storage.
- Strips ::ffff: prefix from IPv4-mapped IPv6 addresses
(e.g. ::ffff:127.0.0.1 โ 127.0.0.1)
- Lowercases for case-insensitive IPv6 comparison
- Idempotent: calling twice produces the same result
- Safe on non-IP strings: normalize_ip('unknown') returns 'unknown'
ipstringstring auth/permit_offer_notifications.ts view source
NotificationSender Narrow structural capability for sending a JSON-RPC notification to every socket bound to an account.
BackendWebsocketTransport satisfies this interface โ its
send_to_account(account_id, message) signature accepts the broader
JsonrpcMessageFromServerToClient type, which is contravariantly
compatible with JsonrpcNotification here. The interface stays local so
handlers don't couple to the concrete transport, and tests can inject a
capturing stub with no WS machinery.
Returns the number of sockets the notification was sent to โ callers typically ignore it (used by telemetry / tests).
send_to_account(account_id: Uuid, message: JsonrpcNotification) => numberactions/action_event.ts view source
(raw_json: unknown, environment: ActionEventEnvironment): ActionEvent<string, "send_request" | "receive_request" | "send_response" | "receive_response" | "send_error" | "receive_error" | "send" | "receive" | "execute", "initial" | ... 3 more ... | "failed"> raw_jsonunknownenvironmentActionEvent<string, "send_request" | "receive_request" | "send_response" | "receive_response" | "send_error" | "receive_error" | "send" | "receive" | "execute", "initial" | "parsed" | "handling" | "handled" | "failed"> (env_value: string | undefined): RegExp[] Parses ALLOWED_ORIGINS env var into regex matchers for request source verification.
Origin allowlisting for locally-running services โ not the CSRF layer
(that's SameSite: strict on session cookies).
Accepts comma-separated patterns with limited wildcards:
- Exact origins: https://api.fuz.dev
- Wildcard subdomains: https://*.fuz.dev (matches exactly one subdomain level)
- Multiple wildcards: https://*.staging.*.fuz.dev (for deep subdomains)
- Wildcard ports: http://localhost:* (matches any port or no port)
- IPv6 addresses: http://[::1]:3000, https://[2001:db8::1]
- Combined: https://*.fuz.dev:*
Examples:
- http://localhost:3000,https://prod.fuz.dev
- https://*.api.fuz.dev,http://127.0.0.1:*
- http://[::1]:*,https://*.*.corp.fuz.dev:*
env_valuestring | undefinedRegExp[] Error - if any individual pattern is invalid (missing protocol, partial wildcards, etc.)<T extends Record<string, unknown>>(remaining: ParsedArgs, schema: ZodType<T, unknown, $ZodTypeInternals<T, unknown>>): ParseResult<T> Parse command-specific args against a Zod schema.
Validates remaining args (after global flag extraction) with alias expansion
and returns a typed result or a prettified error string.
remainingremaining args after global flag extraction
ParsedArgsschemaZod schema for the command
ZodType<T, unknown, $ZodTypeInternals<T, unknown>>ParseResult<T> parse result with typed data or error message
(url: string): string | null Extract the database name from a PostgreSQL URL.
urlstringstring | null the database name, or null if the URL is invalid or has no path
(content: string): Record<string, string> Parse a dotenv-format string into a record.
Values wrapped in "..." have \\ โ \, \" โ ", \n โ newline,
and \r โ carriage-return decoded (symmetric with the writer in
update_env_variable). Values wrapped in '...' are taken literally โ
no escape processing. Unquoted values are unchanged.
Inline comments are stripped after a closing quote (e.g. KEY="v" # c โ v)
and after whitespace on unquoted values (e.g. KEY=v # c โ v). Unquoted
values keep # literal when no whitespace precedes it so URL fragments
like KEY=https://x.com#frag round-trip unchanged.
Trailing whitespace on unquoted values is lost (the raw value is trimmed);
wrap the value in "..." or '...' to preserve surrounding spacing.
contentdotenv file content
stringRecord<string, string> parsed key-value pairs
(entry: string): ParsedProxy Parse a trusted proxy entry string into a structured form.
Accepts plain IPs ('127.0.0.1', '::1') and CIDR notation ('10.0.0.0/8', 'fe80::/10').
Plain IPs are normalized (lowercase, IPv4-mapped IPv6 stripped) and validated.
CIDR prefixes are validated against address family bounds.
entryIP address or CIDR notation
stringParsedProxy Error - on invalid IP, invalid CIDR network, or NaN/negative/over-range prefix(response: Response, fallback?: string | undefined): Promise<string> Safely extract an error message from a non-ok response.
Handles responses with non-JSON bodies (e.g. HTML 404 pages)
that would throw on response.json().
responseResponsefallback?message when no .error field is found
string | undefinedPromise<string> auth/session_cookie.ts view source
<TIdentity>(signed_value: string | undefined, keyring: Keyring, options: SessionOptions<TIdentity>, now_seconds?: number | undefined): Promise<ParsedSession<...> | null | undefined> Parse a signed session cookie value.
The signed value format is ${encode(identity)}:${expires_at}.
Tries all keys in order to support key rotation.
signed_valuethe raw cookie value (signed)
string | undefinedkeyringkey ring for verification
optionssession configuration with decode logic
SessionOptions<TIdentity>now_seconds?current time in seconds (for testing)
number | undefinedPromise<ParsedSession<TIdentity> | null | undefined> ParsedSession if valid, null if invalid/expired, undefined if empty/missing
ParsedProxy A parsed proxy entry โ either an exact IP or a CIDR range.
auth/session_cookie.ts view source
ParsedSession<TIdentity> Result of parsing a signed session cookie.
TIdentityidentityThe decoded identity.
TIdentityshould_refresh_signatureTrue if verified with a non-primary key (needs re-signing).
booleankey_indexIndex of the key that verified the signature.
numberParseResult<T> Discriminated union result for CLI argument parsing.
TZodString Password for account creation or password change โ enforces current length policy. Also usable for client-side UX validation.
300 Maximum password length. Caps hashing cost to prevent DoS via oversized passwords.
12 Minimum password length (OWASP recommendation).
auth/account_routes.ts view source
ZodObject<{ current_password: ZodString; new_password: ZodString; }, $strict> Input for POST /password. current_password is minimally validated; new_password enforces the full policy.
auth/account_routes.ts view source
ZodObject<{ ok: ZodLiteral<true>; sessions_revoked: ZodNumber; tokens_revoked: ZodNumber; }, $strict> Output for POST /password. Counts are returned so the UI can summarize the revoke-all cascade.
PasswordHashDeps Injectable password hashing dependencies.
Groups all three password operations for injection in route factories
and other callers. Use Pick<PasswordHashDeps, ...> when only a subset is needed:
// Login handler only needs verification
password: Pick<PasswordHashDeps, 'verify_password' | 'verify_dummy'>;
// Bootstrap only needs hashing
password: Pick<PasswordHashDeps, 'hash_password'>;hash_password(password: string) => Promise<string>verify_password(password: string, password_hash: string) => Promise<boolean>verify_dummy(password: string) => Promise<boolean>ZodString Password submitted for login or verification โ minimal validation for forward-compatibility if length requirements change.
http/error_schemas.ts view source
ZodObject<{ error: ZodLiteral<"payload_too_large">; }, $loose> Payload too large error โ returned when the request body exceeds the size limit.
http/pending_effects.ts view source
PendingEffectsContext Minimal structural context required by emit_after_commit.
logLoggerpending_effectsArray<Promise<void>>auth/account_schema.ts view source
ZodObject<{ id: $ZodBranded<ZodUUID, "Uuid", "out">; role: ZodString; scope_id: ZodNullable<$ZodBranded<ZodUUID, "Uuid", "out">>; from_actor_id: $ZodBranded<...>; from_username: ZodString; created_at: ZodString; expires_at: ZodString; }, $strict> Zod schema for a pending permit offer surfaced in admin account listings.
Deliberately narrower than PermitOfferJson: omits message and
decline_reason so cross-admin visibility of the listing does not expose
grantor-authored text that the audit log also withholds. Full offer
payloads remain available through the offer-specific RPC surface and the
audit log when admins need them.
from_username is resolved server-side so multi-admin deployments can see
at a glance whose pending offer is blocking a "+ {role}" button; the
resolution runs inside the listing query's parallel batch.
http/error_schemas.ts view source
ZodObject<{ error: ZodLiteral<"insufficient_permissions">; required_role: ZodString; }, $loose> Permission error โ returned by require_role() when the required role is missing.
auth/account_schema.ts view source
Permit Permit โ time-bounded, revocable grant of a role to an actor.
idUuidactor_idUuidrolestringscope_idResource scope this grant applies to (e.g. a classroom id). null for global permits.
Uuid | nullcreated_atstringexpires_atstring | nullrevoked_atstring | nullrevoked_byUuid | nullrevoked_reasonOptional free-form reason attached on revoke (surfaced in the revokee WS notification once it lands).
string | nullgranted_byUuid | nullsource_offer_idOffer that produced this permit (set by query_accept_offer). null for direct grants.
Uuid | nullstring[] auth/permit_offer_action_specs.ts view source
{ method: string; kind: "request_response"; initiator: "frontend"; auth: "authenticated"; side_effects: true; input: ZodObject<{ offer_id: $ZodBranded<ZodUUID, "Uuid", "out">; }, $strict>; output: ZodObject<...>; async: true; description: string; error_reasons: ("offer_terminal" | ... 1 more ... | "offer_not_found")... auth/permit_offer_notifications.ts view source
"permit_offer_accepted" auth/permit_offer_notifications.ts view source
{ method: string; kind: "remote_notification"; initiator: "backend"; auth: null; side_effects: true; input: ZodObject<{ offer: ZodObject<{ id: $ZodBranded<ZodUUID, "Uuid", "out">; from_actor_id: $ZodBranded<...>; ... 11 more ...; resulting_permit_id: ZodNullable<...>; }, $strict>; }, $strict>; output: ZodVoid; async... auth/permit_offer_action_specs.ts view source
{ method: string; kind: "request_response"; initiator: "frontend"; auth: "authenticated"; side_effects: true; input: ZodObject<{ to_account_id: $ZodBranded<ZodUUID, "Uuid", "out">; role: ZodString; scope_id: ZodOptional<...>; message: ZodOptional<...>; }, $strict>; output: ZodObject<...>; async: true; description: s... auth/permit_offer_action_specs.ts view source
{ method: string; kind: "request_response"; initiator: "frontend"; auth: "authenticated"; side_effects: true; input: ZodObject<{ offer_id: $ZodBranded<ZodUUID, "Uuid", "out">; reason: ZodOptional<...>; }, $strict>; output: ZodObject<...>; async: true; description: string; error_reasons: ("offer_terminal" | "offer_no... auth/permit_offer_notifications.ts view source
"permit_offer_declined" auth/permit_offer_notifications.ts view source
{ method: string; kind: "remote_notification"; initiator: "backend"; auth: null; side_effects: true; input: ZodObject<{ offer: ZodObject<{ id: $ZodBranded<ZodUUID, "Uuid", "out">; from_actor_id: $ZodBranded<...>; ... 11 more ...; resulting_permit_id: ZodNullable<...>; }, $strict>; }, $strict>; output: ZodVoid; async... auth/permit_offer_schema.ts view source
number Default TTL for a newly created offer โ 30 days. Matches GitHub org-invite expiry.
auth/permit_offer_action_specs.ts view source
{ method: string; kind: "request_response"; initiator: "frontend"; auth: "authenticated"; side_effects: false; input: ZodObject<{ account_id: ZodOptional<ZodNullable<$ZodBranded<ZodUUID, "Uuid", "out">>>; limit: ZodOptional<...>; offset: ZodOptional<...>; }, $strict>; output: ZodObject<...>; async: true; description... auth/permit_offer_schema.ts view source
"\nCREATE INDEX IF NOT EXISTS permit_offer_inbox\n ON permit_offer (to_account_id, expires_at)\n WHERE accepted_at IS NULL\n AND declined_at IS NULL\n AND retracted_at IS NULL\n AND superseded_at IS NULL" Inbox lookup โ pending offers for an account, ordered by soonest expiry.
auth/permit_offer_action_specs.ts view source
{ method: string; kind: "request_response"; initiator: "frontend"; auth: "authenticated"; side_effects: false; input: ZodObject<{ account_id: ZodOptional<ZodNullable<$ZodBranded<ZodUUID, "Uuid", "out">>>; }, $strict>; output: ZodObject<...>; async: true; description: string; } auth/permit_offer_schema.ts view source
500 Maximum length of the optional message attached to an offer.
auth/permit_offer_notifications.ts view source
EventSpec[] SSE/WS event specs for the consentful-permits notification surface.
Pass to create_app_server's event_specs so the attack surface reflects
them and DEV-mode create_validated_broadcaster catches payload drift.
auth/permit_offer_schema.ts view source
"\nCREATE UNIQUE INDEX IF NOT EXISTS permit_offer_pending_unique\n ON permit_offer (\n to_account_id,\n role,\n COALESCE(scope_id, '00000000-0000-0000-0000-000000000000'::uuid),\n from_actor_id\n )\n WHERE accepted_at IS NULL\n AND declined_at IS NULL\n AND retracted_at IS NULL\n AND supersed... At most one pending offer per (to_account, role, scope, from_actor).
Including from_actor_id in the tuple lets multiple grantors coexist โ
teacher A and teacher B can each have a pending classroom_student offer
for the same student and scope. A same-grantor re-offer upserts the
existing pending row. COALESCE collapses NULL scopes into the
sentinel UUID so Postgres's NULL-in-unique-index quirk does not allow
duplicate global pending offers. The ON CONFLICT target in
query_permit_offer_create must match this expression literally.
auth/permit_offer_notifications.ts view source
"permit_offer_received" auth/permit_offer_notifications.ts view source
{ method: string; kind: "remote_notification"; initiator: "backend"; auth: null; side_effects: true; input: ZodObject<{ offer: ZodObject<{ id: $ZodBranded<ZodUUID, "Uuid", "out">; from_actor_id: $ZodBranded<...>; ... 11 more ...; resulting_permit_id: ZodNullable<...>; }, $strict>; }, $strict>; output: ZodVoid; async... auth/permit_offer_action_specs.ts view source
{ method: string; kind: "request_response"; initiator: "frontend"; auth: "authenticated"; side_effects: true; input: ZodObject<{ offer_id: $ZodBranded<ZodUUID, "Uuid", "out">; }, $strict>; output: ZodObject<...>; async: true; description: string; error_reasons: ("offer_terminal" | "offer_not_found")[]; } auth/permit_offer_notifications.ts view source
"permit_offer_retracted" auth/permit_offer_notifications.ts view source
{ method: string; kind: "remote_notification"; initiator: "backend"; auth: null; side_effects: true; input: ZodObject<{ offer: ZodObject<{ id: $ZodBranded<ZodUUID, "Uuid", "out">; from_actor_id: $ZodBranded<...>; ... 11 more ...; resulting_permit_id: ZodNullable<...>; }, $strict>; }, $strict>; output: ZodVoid; async... auth/permit_offer_schema.ts view source
"\nCREATE TABLE IF NOT EXISTS permit_offer (\n id UUID PRIMARY KEY DEFAULT gen_random_uuid(),\n from_actor_id UUID NOT NULL REFERENCES actor(id) ON DELETE CASCADE,\n to_account_id UUID NOT NULL REFERENCES account(id) ON DELETE CASCADE,\n role TEXT NOT NULL,\n scope_id UUID NULL,\n message TEXT NULL,\n created... auth/permit_offer_schema.ts view source
"00000000-0000-0000-0000-000000000000" Sentinel UUID used inside the partial unique indexes to collapse scope_id IS NULL into a comparable value.
auth/permit_offer_notifications.ts view source
"permit_offer_supersede" auth/permit_offer_notifications.ts view source
{ method: string; kind: "remote_notification"; initiator: "backend"; auth: null; side_effects: true; input: ZodObject<{ offer: ZodObject<{ id: $ZodBranded<ZodUUID, "Uuid", "out">; from_actor_id: $ZodBranded<...>; ... 11 more ...; resulting_permit_id: ZodNullable<...>; }, $strict>; reason: ZodEnum<...>; cause_id: $Zo... ui/permit_offers_state.svelte.ts view source
{ get: (error_message?: string | undefined) => PermitOffersState; get_maybe: () => PermitOffersState | undefined; set: (value: PermitOffersState) => PermitOffersState; } Svelte context for PermitOffersState.
Use permit_offers_state_context.set(state) in the provider and
permit_offers_state_context.get() to access.
auth/permit_offer_action_specs.ts view source
{ method: string; kind: "request_response"; initiator: "frontend"; auth: { role: string; }; side_effects: true; input: ZodObject<{ actor_id: $ZodBranded<ZodUUID, "Uuid", "out">; permit_id: $ZodBranded<...>; reason: ZodOptional<...>; }, $strict>; ... 4 more ...; rate_limit: "account"; } auth/permit_offer_notifications.ts view source
"permit_revoke" auth/permit_offer_notifications.ts view source
{ method: string; kind: "remote_notification"; initiator: "backend"; auth: null; side_effects: true; input: ZodObject<{ permit_id: $ZodBranded<ZodUUID, "Uuid", "out">; role: ZodString; scope_id: ZodNullable<...>; reason: ZodNullable<...>; }, $strict>; output: ZodVoid; async: true; description: string; } auth/account_schema.ts view source
500 Maximum length of the optional free-form revoked_reason attached to a
revoked permit. Bounds the value at the schema layer so both the admin
input (when the route surfaces a reason field) and the revokee-facing
permit_revoke WS notification validate against the same ceiling.
"\nCREATE TABLE IF NOT EXISTS permit (\n id UUID PRIMARY KEY DEFAULT gen_random_uuid(),\n actor_id UUID NOT NULL REFERENCES actor(id) ON DELETE CASCADE,\n role TEXT NOT NULL,\n created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),\n expires_at TIMESTAMPTZ,\n revoked_at TIMESTAMPTZ,\n revoked_by UUID REFERENCES actor... auth/audit_log_schema.ts view source
ZodObject<{ id: $ZodBranded<ZodUUID, "Uuid", "out">; seq: ZodNumber; event_type: ZodString; outcome: ZodEnum<{ success: "success"; failure: "failure"; }>; ... 7 more ...; target_username: ZodNullable<...>; }, $strict> Zod schema for permit history events with resolved usernames.
auth/permit_offer_schema.ts view source
PermitOffer Permit offer row as returned by the database.
idUuidfrom_actor_idUuidto_account_idUuidrolestringscope_idUuid | nullmessagestring | nullcreated_atstringexpires_atstringaccepted_atstring | nulldeclined_atstring | nulldecline_reasonstring | nullretracted_atstring | nullsuperseded_atSet when the offer was obsoleted by an external event โ a sibling offer was accepted (yielding the permit this offer's role+scope maps to) or the resulting permit for this (to_account, role, scope) was revoked. Closes the "accept a pre-revoke offer to bypass the revoke" path.
string | nullresulting_permit_idUuid | nullauth/permit_offer_notifications.ts view source
ZodObject<{ offer: ZodObject<{ id: $ZodBranded<ZodUUID, "Uuid", "out">; from_actor_id: $ZodBranded<ZodUUID, "Uuid", "out">; to_account_id: $ZodBranded<ZodUUID, "Uuid", "out">; ... 10 more ...; resulting_permit_id: ZodNullable<...>; }, $strict>; }, $strict> Params for permit_offer_accepted โ recipient accepted the offer.
auth/permit_offer_action_specs.ts view source
ZodObject<{ offer_id: $ZodBranded<ZodUUID, "Uuid", "out">; }, $strict> Input for permit_offer_accept.
auth/permit_offer_action_specs.ts view source
ZodObject<{ permit_id: $ZodBranded<ZodUUID, "Uuid", "out">; offer: ZodObject<{ id: $ZodBranded<ZodUUID, "Uuid", "out">; from_actor_id: $ZodBranded<ZodUUID, "Uuid", "out">; ... 11 more ...; resulting_permit_id: ZodNullable<...>; }, $strict>; superseded_offer_ids: ZodArray<...>; }, $strict> Output for permit_offer_accept.
auth/permit_offer_actions.ts view source
PermitOfferActionDeps Dependencies for create_permit_offer_actions.
notification_sender is optional โ when absent, WS fan-out is silently
skipped. Consumers wiring BackendWebsocketTransport assign its instance
directly (the transport's send_to_account signature accepts the broader
JsonrpcMessageFromServerToClient, which is contravariantly compatible).
Pick<
RouteFactoryDeps,
'log' | 'on_audit_event' | 'audit_log_config'
>notification_senderOptional WS fan-out primitive. null or absent โ notifications skipped.
NotificationSender | nullauth/permit_offer_actions.ts view source
PermitOfferActionOptions Options for create_permit_offer_actions.
rolesRole schema result from create_role_schema(). Defaults to builtin roles only.
The role_options map is read for web_grantable lookups.
default_ttl_msTTL applied to newly-created offers. Defaults to PERMIT_OFFER_DEFAULT_TTL_MS.
numberauthorizeCustom authorization for permit_offer_create. The default requires the
caller to hold an active permit for the offered role *and* the role to
be web_grantable. Consumers with richer policies (scope-aware, chained
roles) override this.
auth/permit_offer_queries.ts view source
Error thrown by offer-lifecycle queries when the offer is in a non-pending state (accepted / declined / retracted / superseded) and therefore not actionable. Distinct from PermitOfferExpiredError โ expiry has its own user-facing story ("ask the grantor to re-send") so it travels separately.
Errorconstructortype new (offer_id: string): PermitOfferAlreadyTerminalError
offer_idstringauth/permit_offer_actions.ts view source
PermitOfferCreateAuthorize Authorization callback for permit_offer_create. Returns true to allow,
false to reject (handler converts to forbidden).
Provided with the fully-resolved request context and the parsed input (pre-TTL, pre-normalization). Consumers override the default to implement policies like "teacher may offer classroom_student only in classrooms they teach".
auth/permit_offer_action_specs.ts view source
ZodObject<{ to_account_id: $ZodBranded<ZodUUID, "Uuid", "out">; role: ZodString; scope_id: ZodOptional<ZodNullable<$ZodBranded<ZodUUID, "Uuid", "out">>>; message: ZodOptional<...>; }, $strict> Input for permit_offer_create.
auth/permit_offer_action_specs.ts view source
ZodObject<{ offer: ZodObject<{ id: $ZodBranded<ZodUUID, "Uuid", "out">; from_actor_id: $ZodBranded<ZodUUID, "Uuid", "out">; to_account_id: $ZodBranded<ZodUUID, "Uuid", "out">; ... 10 more ...; resulting_permit_id: ZodNullable<...>; }, $strict>; }, $strict> Output for permit_offer_create.
auth/permit_offer_notifications.ts view source
ZodObject<{ offer: ZodObject<{ id: $ZodBranded<ZodUUID, "Uuid", "out">; from_actor_id: $ZodBranded<ZodUUID, "Uuid", "out">; to_account_id: $ZodBranded<ZodUUID, "Uuid", "out">; ... 10 more ...; resulting_permit_id: ZodNullable<...>; }, $strict>; }, $strict> Params for permit_offer_declined. The decline reason (if any) rides along
inside offer.decline_reason โ the DB stamps it on the offer row during
decline, so a sibling reason field would just duplicate it.
auth/permit_offer_action_specs.ts view source
ZodObject<{ offer_id: $ZodBranded<ZodUUID, "Uuid", "out">; reason: ZodOptional<ZodNullable<ZodString>>; }, $strict> Input for permit_offer_decline.
auth/permit_offer_queries.ts view source
Error thrown when an offer's expires_at has passed. The accept path
enforces this independently of the sweep โ a stale offer past its expiry
must not be accepted, even in the race window between expiry and the
sweep stamping the audit event.
Errorconstructortype new (offer_id: string): PermitOfferExpiredError
offer_idstringui/PermitOfferForm.svelte view source
to_account_idstringrolesRoles the caller may offer โ caller filters by web_grantable upstream.
Array<string>scope_id?Resource scope for the offer; null (default) yields a global offer.
string | nullon_created?(offer: PermitOfferJson) => voidformat_role?(role: string) => stringui/PermitOfferHistory.svelte view source
current_actor_idUsed to label a row as sent vs received. When null, direction shows as -.
string | nullformat_actor?(from_actor_id: string) => stringformat_scope?Display label for an offer's scope. Bypasses format_scope_context
when supplied โ return null to fall back to a truncated uuid (or
'global' for null scope_id). Omit to use the context value directly.
format_role?(role: string) => stringauth/permit_offer_action_specs.ts view source
ZodObject<{ account_id: ZodOptional<ZodNullable<$ZodBranded<ZodUUID, "Uuid", "out">>>; limit: ZodOptional<ZodNullable<ZodNumber>>; offset: ZodOptional<...>; }, $strict> Input for permit_offer_history. Returns every offer involving the account
in either direction (recipient or grantor), including terminal rows, newest
first. account_id is admin-only.
auth/permit_offer_action_specs.ts view source
ZodObject<{ offers: ZodArray<ZodObject<{ id: $ZodBranded<ZodUUID, "Uuid", "out">; from_actor_id: $ZodBranded<ZodUUID, "Uuid", "out">; to_account_id: $ZodBranded<ZodUUID, "Uuid", "out">; ... 10 more ...; resulting_permit_id: ZodNullable<...>; }, $strict>>; }, $strict> Output for permit_offer_history.
ui/PermitOfferInbox.svelte view source
format_actor?Display label for from_actor_id. Defaults to a truncated uuid.
(from_actor_id: string) => stringformat_scope?Display label for an offer's scope. Bypasses format_scope_context
when supplied โ return null to fall back to a truncated uuid (or
'global' for null scope_id). Omit to use the context value directly.
format_role?Display label for a role constant. Defaults to identity.
(role: string) => stringauth/permit_offer_schema.ts view source
ZodObject<{ id: $ZodBranded<ZodUUID, "Uuid", "out">; from_actor_id: $ZodBranded<ZodUUID, "Uuid", "out">; to_account_id: $ZodBranded<ZodUUID, "Uuid", "out">; ... 10 more ...; resulting_permit_id: ZodNullable<...>; }, $strict> Zod schema for client-safe permit offer data.
auth/permit_offer_action_specs.ts view source
ZodObject<{ account_id: ZodOptional<ZodNullable<$ZodBranded<ZodUUID, "Uuid", "out">>>; }, $strict> Input for permit_offer_list. account_id is admin-only (inspect another account's inbox).
auth/permit_offer_action_specs.ts view source
ZodObject<{ offers: ZodArray<ZodObject<{ id: $ZodBranded<ZodUUID, "Uuid", "out">; from_actor_id: $ZodBranded<ZodUUID, "Uuid", "out">; to_account_id: $ZodBranded<ZodUUID, "Uuid", "out">; ... 10 more ...; resulting_permit_id: ZodNullable<...>; }, $strict>>; }, $strict> Output for permit_offer_list.
auth/permit_offer_queries.ts view source
Error thrown when an offer cannot be located for the caller. Covers both "offer does not exist" and "offer belongs to a different recipient" (IDOR guard) โ the standard 404-over-403 pattern that avoids disclosing whether an offer id exists.
Errorconstructortype new (offer_id: string): PermitOfferNotFoundError
offer_idstringui/permit_offers_state.svelte.ts view source
PermitOfferNotification Narrow WS notification envelope โ method + params, matching JsonrpcNotification.
methodstringparamsunknownauth/permit_offer_action_specs.ts view source
ZodObject<{ ok: ZodLiteral<true>; }, $strict> Output for permit_offer_decline / permit_offer_retract.
auth/permit_offer_notifications.ts view source
ZodObject<{ offer: ZodObject<{ id: $ZodBranded<ZodUUID, "Uuid", "out">; from_actor_id: $ZodBranded<ZodUUID, "Uuid", "out">; to_account_id: $ZodBranded<ZodUUID, "Uuid", "out">; ... 10 more ...; resulting_permit_id: ZodNullable<...>; }, $strict>; }, $strict> Params for permit_offer_received โ offer delivered to its recipient.
auth/permit_offer_notifications.ts view source
ZodObject<{ offer: ZodObject<{ id: $ZodBranded<ZodUUID, "Uuid", "out">; from_actor_id: $ZodBranded<ZodUUID, "Uuid", "out">; to_account_id: $ZodBranded<ZodUUID, "Uuid", "out">; ... 10 more ...; resulting_permit_id: ZodNullable<...>; }, $strict>; }, $strict> Params for permit_offer_retracted โ grantor-side retraction.
auth/permit_offer_action_specs.ts view source
ZodObject<{ offer_id: $ZodBranded<ZodUUID, "Uuid", "out">; }, $strict> Input for permit_offer_retract.
auth/permit_offer_queries.ts view source
Error thrown when a grantor attempts to offer a permit to their own account.
Enforced here (rather than via a CHECK constraint) so the constraint can
be expressed as a cross-row JOIN on actor.account_id without requiring
denormalized columns.
Errorconstructortype new (): PermitOfferSelfTargetError
ui/permit_offers_state.svelte.ts view source
PermitOffersRpc Narrow RPC surface consumed by PermitOffersState. Consumers adapt their
typed client (e.g. a create_rpc_client Proxy) to this shape โ the state
class stays decoupled from the client's Result return type so tests can
inject plain-function stubs.
list() => Promise<{offers: Array<PermitOfferJson>}>history(options?: {
limit?: number;
offset?: number;
}) => Promise<{offers: Array<PermitOfferJson>}>create(params: {
to_account_id: string;
role: string;
scope_id?: string | null;
message?: string | null;
}) => Promise<{offer: PermitOfferJson}>accept(offer_id: string) => Promise<{
permit_id: string;
offer: PermitOfferJson;
superseded_offer_ids: Array<string>;
}>decline(offer_id: string, reason?: string | null) => Promise<{ok: true}>retract(offer_id: string) => Promise<{ok: true}>ui/permit_offers_state.svelte.ts view source
incomingPending offers for the current account, soonest-expiring first.
type Array<PermitOfferJson>
outgoingPending offers from the current actor, newest-created first.
type Array<PermitOfferJson>
historyEvery offer known to this state, newest-created first. Feeds the history view.
type Array<PermitOfferJson>
incoming_counttype number
constructortype new (options: PermitOffersStateOptions): PermitOffersState
optionsfetchSeed the cache with the recipient-side pending inbox.
type (): Promise<void>
Promise<void>fetch_historySeed both-directions history (includes terminal rows).
type (options?: { limit?: number | undefined; offset?: number | undefined; } | undefined): Promise<void>
options?{ limit?: number | undefined; offset?: number | undefined; } | undefinedPromise<void>createIssue a new offer; merges the returned offer into the cache on success.
type (params: { to_account_id: string; role: string; scope_id?: string | null | undefined; message?: string | null | undefined; }): Promise<{ id: string & $brand<"Uuid">; from_actor_id: string & $brand<...>; ... 11 more ...; resulting_permit_id: (string & $brand<...>) | null; } | undefined>
params{ to_account_id: string; role: string; scope_id?: string | null | undefined; message?: string | null | undefined; }Promise<{ id: string & $brand<"Uuid">; from_actor_id: string & $brand<"Uuid">; to_account_id: string & $brand<"Uuid">; role: string; scope_id: (string & $brand<...>) | null; ... 8 more ...; resulting_permit_id: (string & $brand<...>) | null; } | undefined>acceptAccept an offer; stamps it terminal in the cache and drops any siblings the server superseded.
type (offer_id: string): Promise<void>
offer_idstringPromise<void>declinetype (offer_id: string, reason?: string | null | undefined): Promise<void>
offer_idstringreason?string | null | undefinedPromise<void>retracttype (offer_id: string): Promise<void>
offer_idstringPromise<void>subscribeWire a notification subscription. The handler dispatches each matching
notification into apply_notification; the returned disposer unwires.
type (subscribe_fn: PermitOfferSubscribe): () => void
subscribe_fn() => voidapply_notificationReduce a single WS notification into the cache. Exposed so consumers
wiring their WS receiver directly (without subscribe) and tests can
drive the reducer without allocating a subscription.
type (notification: PermitOfferNotification): void
notificationvoidresetClear the cache and reset loading/error state.
type (): void
voidui/permit_offers_state.svelte.ts view source
PermitOffersStateOptions rpcaccount_idReactive accessor for the current account id; returns null when logged out.
() => string | nullactor_idReactive accessor for the current actor id โ required to classify
offers as outgoing. Returns null when unknown.
() => string | nullui/permit_offers_state.svelte.ts view source
PermitOfferSubscribe Subscription primitive โ consumer wires their WS receiver; returns a disposer.
auth/permit_offer_notifications.ts view source
ZodObject<{ offer: ZodObject<{ id: $ZodBranded<ZodUUID, "Uuid", "out">; from_actor_id: $ZodBranded<ZodUUID, "Uuid", "out">; to_account_id: $ZodBranded<ZodUUID, "Uuid", "out">; ... 10 more ...; resulting_permit_id: ZodNullable<...>; }, $strict>; reason: ZodEnum<...>; cause_id: $ZodBranded<...>; }, $strict> Params for permit_offer_supersede. Fires to the grantor's sockets when
their pending offer is obsoleted โ either by a sibling accept
(reason: 'sibling_accepted'), by revoke of the resulting permit
(reason: 'permit_revoked'), or by deletion of the parent scope row
the offer was bound to (reason: 'scope_destroyed'). cause_id points
at the accepted offer id, the revoked permit id, or the destroyed scope
row id respectively.
auth/permit_offer_action_specs.ts view source
ZodObject<{ actor_id: $ZodBranded<ZodUUID, "Uuid", "out">; permit_id: $ZodBranded<ZodUUID, "Uuid", "out">; reason: ZodOptional<ZodNullable<ZodString>>; }, $strict> Input for permit_revoke. Admin-only mutation that revokes an active
permit on a target actor. actor_id is the natural key โ permits are
actor-scoped, and the admin UI reads row.actor.id straight from the
listing. Deriving actor_id from account_id would collapse under
multi-actor accounts.
auth/permit_offer_action_specs.ts view source
ZodObject<{ ok: ZodLiteral<true>; revoked: ZodLiteral<true>; }, $strict> Output for permit_revoke.
auth/permit_offer_notifications.ts view source
ZodObject<{ permit_id: $ZodBranded<ZodUUID, "Uuid", "out">; role: ZodString; scope_id: ZodNullable<$ZodBranded<ZodUUID, "Uuid", "out">>; reason: ZodNullable<...>; }, $strict> Params for permit_revoke. Delivered to the revokee's sockets when one
of their active permits is revoked. Flat wire shape โ revoked_by is
admin-UI-visible but deliberately omitted here (the revokee doesn't need
to learn the admin's identity). Target account is implicit in the send
target.
auth/account_schema.ts view source
ZodObject<{ id: $ZodBranded<ZodUUID, "Uuid", "out">; role: ZodString; scope_id: ZodNullable<$ZodBranded<ZodUUID, "Uuid", "out">>; created_at: ZodString; expires_at: ZodNullable<...>; granted_by: ZodNullable<...>; }, $strict> Zod schema for the permit summary returned in admin account listings.
testing/integration_helpers.ts view source
(spec: RouteSpec, test_app: TestApp, authed_account: TestAccount, admin_account: TestAccount): Record<string, string> Pick request headers matching a route spec's auth requirement.
Maps RouteAuth onto a test account's credentials:
- none โ origin headers only
- authenticated โ the authed account's session cookie
- role: admin โ the admin account's session cookie
- role: <other> โ the test app's bootstrapped keeper session
- keeper โ the test app's daemon token
spectest_appauthed_accountadmin_accountRecord<string, string> ui/popover.svelte.ts view source
Class that manages state and provides actions for popovers.
visibleWhether the popover is currently visible.
positionPosition of the popover relative to its trigger.
type Position
alignAlignment along the position edge.
type Alignment
offsetDistance from the position.
disable_outside_clickWhether to disable closing when clicking outside.
popover_classCustom class for the popover.
constructortype new (params?: PopoverParameters | undefined): Popover
params?PopoverParameters | undefinedupdateUpdates the popover configuration. Swaps popover_class on the live
content element when supplied and re-syncs the outside-click handler
if disable_outside_click changed.
type (params: PopoverParameters): void
paramsvoidshowShows the popover, registering the outside-click handler and updating
aria-expanded on the trigger. No-ops when already visible.
type (): void
voidhideHides the popover, removing the outside-click handler. No-ops when already hidden.
type (): void
voidtoggleToggles the popover visibility, or sets it to the given value.
type (visible?: boolean): void
visibledesired visibility (defaults to the inverse of current)
boolean!this.visiblevoidcontainerAttachment for the container element.
type Attachment<HTMLElement>
triggerAttachment factory for the trigger element that shows/hides the popover.
contentAttachment factory for the popover content element.
ui/PopoverButton.svelte view source
position?Position | undefinedalign?Alignment | undefineddisable_outside_click?boolean | undefinedpopover_class?string | undefinedpopover_attrs?SvelteHTMLElements['div'] | undefinedpopover_contentSnippet<[popover: Popover]>popover_container_attrs?SvelteHTMLElements['div'] | undefinedbutton?Snippet<[popover: Popover]> | undefinedchildren?Snippet<[popover: Popover]> | undefinedui/popover.svelte.ts view source
PopoverContentParameters Parameters for the popover content action.
ui/popover.svelte.ts view source
PopoverParameters Parameters for configuring the popover.
positionPosition of the popover relative to its trigger.
alignAlignment along the position edge.
offsetDistance from the position.
stringdisable_outside_clickWhether to disable closing when clicking outside.
booleanpopover_classCustom class for the popover content.
stringonshowOptional callback when popover is shown.
() => voidonhideOptional callback when popover is hidden.
() => voidui/popover.svelte.ts view source
PopoverTriggerParameters Parameters for the popover trigger action.
contentContent to render in the popover (as a snippet).
Snippetui/position_helpers.ts view source
Position Extended position options including overlay and center.
http/route_spec.ts view source
(prefix: string, specs: RouteSpec[]): RouteSpec[] Prepend a prefix to all route spec paths.
prefixthe path prefix (e.g. /api/account)
stringspecsRouteSpec[]RouteSpec[] a new array โ the input specs are not mutated
PrimaryKeyInfo Primary key constraint info.
column_namestringauth/session_cookie.ts view source
<TIdentity>(signed_value: string | undefined, keyring: Keyring, options: SessionOptions<TIdentity>, now_seconds?: number | undefined): Promise<ProcessSessionResult<TIdentity>> Process a session cookie and determine what action to take.
signed_valuethe raw cookie value (may be undefined)
string | undefinedkeyringkey ring for verification and signing
optionssession configuration
SessionOptions<TIdentity>now_seconds?current time in seconds (for testing)
number | undefinedPromise<ProcessSessionResult<TIdentity>> result with validity and action to take
ProcessDeps Process lifecycle.
exitExit the process with a code.
(code: number) => neverauth/session_cookie.ts view source
ProcessSessionResult<TIdentity> Result of processing a session cookie.
TIdentityvalidWhether the session is valid.
booleanactionAction the adapter should take.
'none' | 'clear' | 'refresh'new_signed_valueNew signed value when action is 'refresh'.
stringidentityThe decoded identity if the cookie was valid.
TIdentityactions/action_codegen.ts view source
readonly ["heartbeat", "cancel"] Method names of fuz_app's protocol actions โ heartbeat (auth-aware client
liveness probe) and cancel (request-scoped abort signal). Consumers spread
this list when filtering backend request_response methods so the
dispatcher-owned protocol actions don't show up in
BackendRequestResponseMethod / handler maps. Pairs with protocol_actions
/ protocol_action_specs from actions/protocol.ts (the runtime bundles).
actions/protocol.ts view source
readonly ({ method: string; initiator: "frontend" | "backend" | "both"; side_effects: boolean; input: ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>; output: ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>; ... 6 more ...; rate_limit?: "both" | ... 2 more ... | undefined; } | { ...; } ... Canonical protocol specs for ActionRegistry construction on the
frontend. Spread before consumer-owned specs so dispatcher-owned methods
are present in the lookup map even though codegen excludes them from the
generated action_specs array:
new ActionRegistry([...protocol_action_specs, ...action_specs])Derived from protocol_actions so a future protocol action lands in one place โ the two arrays cannot drift.
actions/protocol.ts view source
readonly Action<BaseHandlerContext>[] Canonical protocol {spec, handler} tuples for the server's
register_action_ws actions array. Spread before consumer-owned actions
so disconnect detection and per-request cancel work uniformly:
register_action_ws({actions: [...protocol_actions, ...consumer_actions], ...})actions/action_codegen.ts view source
"heartbeat" | "cancel" Methods that ship from fuz_app, kept out of consumer-owned method enums + handler maps.
ui/admin_rpc_adapters.ts view source
(adapters: AdminRpcAdapters, options?: ProvideAdminRpcContextsOptions | undefined): void Wire all four admin RPC contexts in a single call.
Call once at the admin shell layout (e.g. src/routes/admin/+layout.svelte)
with adapters built from create_admin_rpc_adapters. Every Admin*.svelte
component that reads a context below this point sees the adapters.
Each context accessor reads adapters.{domain} on every invocation, so
mutating an adapter field on the same object propagates. Replacing the
whole adapter set requires calling provide_admin_rpc_contexts again
during init โ in practice this is one-shot at layout mount.
Pass options.format_scope to render permit/offer scope_id values as
human labels across AdminAccounts, AdminPermitHistory,
PermitOfferInbox, PermitOfferForm, and PermitOfferHistory.
Components that accept a format_scope prop honor the prop first; the
context is the fallback.
adaptersoptions?ProvideAdminRpcContextsOptions | undefinedvoid ui/admin_rpc_adapters.ts view source
ProvideAdminRpcContextsOptions Optional knobs alongside the adapters when wiring admin contexts.
format_scopeRender {scope_id, role} as a human label across permit-display
components. Omit (or return null) to fall back to the raw uuid.
ProxyOptions Configuration for trusted proxy resolution.
trusted_proxiesTrusted proxy IPs or CIDR ranges (e.g. '127.0.0.1', '10.0.0.0/8', '::1').
Array<string>get_connection_ipExtract the raw TCP connection IP from the Hono context.
(c: Context) => string | undefinedlogOptional logger for proxy resolution diagnostics.
Loggerauth/permit_offer_queries.ts view source
(deps: QueryDeps, input: AcceptOfferInput): Promise<AcceptOfferResult> Accept an offer atomically: mark accepted, insert the permit, stamp
resulting_permit_id, supersede sibling pending offers for the same
(to_account, role, scope), and emit permit_offer_accept +
permit_grant + one permit_offer_supersede per sibling. Must run
inside a transaction โ the caller's route spec should declare
transaction: true (or wrap explicitly).
Idempotent on race: if a second concurrent call observes the offer already accepted, returns the existing permit rather than creating a duplicate or throwing.
Error map:
- PermitOfferNotFoundError โ offer does not exist, or belongs to a
different recipient (IDOR guard). The offer row is untouched.
- PermitOfferAlreadyTerminalError โ offer is declined, retracted, or
superseded.
- PermitOfferExpiredError โ offer is pending but past expires_at.
Sibling supersede is what closes the "accept a pre-revoke sibling offer to bypass a revoke" path: once A is accepted, B/C/... can no longer be accepted even if the resulting permit is later revoked.
depsinputPromise<AcceptOfferResult> PermitOfferNotFoundError - if the offer is missing or belongs to another recipientPermitOfferAlreadyTerminalError - if the offer is declined, retracted, or supersededPermitOfferExpiredError - if the offer is pending but past `expires_at`Error - if the accepting account has no actor (1:1 invariant) or invariant assertions failauth/account_queries.ts view source
(deps: QueryDeps, email: string): Promise<Account | undefined> Find an account by email (case-insensitive).
depsemailstringPromise<Account | undefined> auth/account_queries.ts view source
(deps: QueryDeps, id: string): Promise<Account | undefined> Find an account by id.
depsidstringPromise<Account | undefined> auth/account_queries.ts view source
(deps: QueryDeps, username: string): Promise<Account | undefined> Find an account by username (case-insensitive).
depsusernamestringPromise<Account | undefined> auth/account_queries.ts view source
(deps: QueryDeps, input: string): Promise<Account | undefined> Find an account by username or email.
If the input contains @, tries email lookup first then username.
Otherwise tries username first then email. This supports a single
login field that accepts either format.
depsquery dependencies
inputusername or email address
stringPromise<Account | undefined> the matching account, or undefined
auth/account_queries.ts view source
(deps: QueryDeps): Promise<boolean> Check if any account exists.
depsPromise<boolean> auth/account_queries.ts view source
(deps: QueryDeps, account_id: string): Promise<Actor | undefined> Find the actor for an account.
For v1, each account has exactly one actor.
depsaccount_idstringPromise<Actor | undefined> auth/account_queries.ts view source
(deps: QueryDeps, id: string): Promise<Actor | undefined> Find an actor by id.
depsidstringPromise<Actor | undefined> auth/account_queries.ts view source
(deps: QueryDeps): Promise<{ account: { id: string & $brand<"Uuid">; username: string; email: string | null; email_verified: boolean; created_at: string; updated_at: string; updated_by: (string & $brand<...>) | null; }; actor: { ...; } | null; permits: { ...; }[]; pending_offers: { ...; }[]; }[]> List all accounts with their actors, active permits, and pending inbound permit offers for admin display.
Uses 4 flat queries instead of N+1 per-account loops. Pending offers surface
the "offer pending โ awaiting acceptance" UX without a second round-trip;
message is intentionally excluded (cross-admin visibility of grantor notes
would expand beyond what the audit log discloses).
depsquery dependencies
Promise<{ account: { id: string & $brand<"Uuid">; username: string; email: string | null; email_verified: boolean; created_at: string; updated_at: string; updated_by: (string & $brand<"Uuid">) | null; }; actor: { ...; } | null; permits: { ...; }[]; pending_offers: { ...; }[]; }[]> admin account entries sorted by creation date
auth/api_token_queries.ts view source
(deps: QueryDeps, account_id: string, max_tokens: number): Promise<number> Enforce a per-account token limit by evicting the oldest tokens.
Race safety: this function must run inside a transaction alongside the
INSERT that created the new token. The caller (the account_token_create
RPC handler) runs under the dispatcher's transaction path because the
spec declares side_effects: true, ensuring the INSERT + enforce_limit
pair is atomic โ concurrent token creation cannot interleave.
depsquery dependencies (must be transaction-scoped)
account_idthe account to enforce the limit for
stringmax_tokensmaximum number of tokens to keep
numberPromise<number> the number of tokens evicted
auth/api_token_queries.ts view source
(deps: QueryDeps, account_id: string): Promise<Omit<ApiToken, "token_hash">[]> List all tokens for an account (does not include hashes).
Columns are enumerated explicitly to exclude token_hash.
Must be updated if the api_token table gains new columns.
depsaccount_idstringPromise<Omit<ApiToken, "token_hash">[]> auth/app_settings_queries.ts view source
(deps: QueryDeps): Promise<AppSettings> Load the current app settings.
depsquery dependencies
Promise<AppSettings> the app settings row
Error - if the singleton `app_settings` row is missing (migration drift โ should not occur in practice)auth/app_settings_queries.ts view source
(deps: QueryDeps): Promise<{ open_signup: boolean; updated_at: string | null; updated_by: (string & $brand<"Uuid">) | null; updated_by_username: string | null; }> Load the current app settings with resolved updater username.
depsquery dependencies
Promise<{ open_signup: boolean; updated_at: string | null; updated_by: (string & $brand<"Uuid">) | null; updated_by_username: string | null; }> the app settings with updated_by_username
Error - if the singleton `app_settings` row is missingauth/app_settings_queries.ts view source
(deps: QueryDeps, open_signup: boolean, actor_id: string): Promise<AppSettings> Update app settings and return the updated row.
depsquery dependencies
open_signupnew value for the open_signup toggle
booleanactor_idthe actor making the change
stringPromise<AppSettings> the updated app settings row
Error - if the singleton `app_settings` row is missingauth/audit_log_queries.ts view source
<T extends string>(deps: QueryDeps, input: AuditLogInput<T>, config?: AuditLogConfig): Promise<AuditLogEvent> Insert an audit log entry.
RETURNING * so callers receive DB-assigned fields (id, seq,
created_at). Validates metadata against config.metadata_schemas;
unknown event_type and metadata mismatches log + bump their counters
but write the row anyway. Consumers extend the recognized set via
create_audit_log_config({extra_events}).
depsquery dependencies
inputthe audit event to record
AuditLogInput<T>configaudit-log config. Defaults to BUILTIN_AUDIT_LOG_CONFIG.
BUILTIN_AUDIT_LOG_CONFIGPromise<AuditLogEvent> the inserted audit log row
auth/audit_log_queries.ts view source
(deps: QueryDeps, before: Date): Promise<number> Delete audit log entries older than the given date.
depsquery dependencies
beforedelete entries created before this date
DatePromise<number> the number of entries deleted
auth/audit_log_queries.ts view source
(deps: QueryDeps, options?: AuditLogListOptions | undefined): Promise<AuditLogEvent[]> List audit log entries, newest first.
depsquery dependencies
options?filters and pagination
AuditLogListOptions | undefinedPromise<AuditLogEvent[]> matching audit log entries
auth/audit_log_queries.ts view source
(deps: QueryDeps, account_id: string, limit?: number): Promise<AuditLogEvent[]> List audit log entries related to an account (as actor or target).
depsquery dependencies
account_idthe account to query for
stringlimitmaximum entries to return
numberAUDIT_LOG_DEFAULT_LIMITPromise<AuditLogEvent[]> auth/audit_log_queries.ts view source
(deps: QueryDeps, limit?: number, offset?: number): Promise<{ id: string & $brand<"Uuid">; seq: number; event_type: string; outcome: "success" | "failure"; actor_id: (string & $brand<...>) | null; ... 6 more ...; target_username: string | null; }[]> List permit grant/revoke events with resolved usernames.
depsquery dependencies
limitmaximum entries to return
numberAUDIT_LOG_DEFAULT_LIMIToffsetnumber of entries to skip
number0Promise<{ id: string & $brand<"Uuid">; seq: number; event_type: string; outcome: "success" | "failure"; actor_id: (string & $brand<"Uuid">) | null; account_id: (string & $brand<...>) | null; ... 5 more ...; target_username: string | null; }[]> permit history events with username and target_username
auth/audit_log_queries.ts view source
(deps: QueryDeps, options?: AuditLogListOptions | undefined): Promise<{ id: string & $brand<"Uuid">; seq: number; event_type: string; outcome: "success" | "failure"; ... 7 more ...; target_username: string | null; }[]> List audit log entries with resolved usernames, newest first.
depsquery dependencies
options?filters and pagination
AuditLogListOptions | undefinedPromise<{ id: string & $brand<"Uuid">; seq: number; event_type: string; outcome: "success" | "failure"; actor_id: (string & $brand<"Uuid">) | null; account_id: (string & $brand<...>) | null; ... 5 more ...; target_username: string | null; }[]> matching audit log entries with username and target_username
auth/account_queries.ts view source
(deps: QueryDeps, input: CreateAccountInput): Promise<Account> Create a new account.
depsquery dependencies
inputthe account fields
Promise<Account> the created account
auth/account_queries.ts view source
(deps: QueryDeps, input: CreateAccountInput): Promise<{ account: Account; actor: Actor; }> Create an account and its actor in a single operation.
For v1, every account gets exactly one actor with the same name as the username.
depsquery dependencies
inputthe account fields
Promise<{ account: Account; actor: Actor; }> the created account and actor
auth/account_queries.ts view source
(deps: QueryDeps, account_id: string, name: string): Promise<Actor> Create a new actor for an account.
depsquery dependencies
account_idthe owning account
stringnamedisplay name (defaults to account username)
stringPromise<Actor> the created actor
auth/api_token_queries.ts view source
(deps: QueryDeps, id: string, account_id: string, name: string, token_hash: string, expires_at?: Date | null | undefined): Promise<ApiToken> Store a new API token (the hash, not the raw token).
depsquery dependencies
idthe public token id (e.g. tok_abc123)
stringaccount_idthe owning account
stringnamehuman-readable name
stringtoken_hashblake3 hash of the raw token
stringexpires_at?optional expiration
Date | null | undefinedPromise<ApiToken> the stored token record
auth/invite_queries.ts view source
(deps: QueryDeps, input: CreateInviteInput): Promise<Invite> Create a new invite.
depsquery dependencies
inputthe invite fields
Promise<Invite> the created invite
auth/session_queries.ts view source
(deps: QueryDeps, token_hash: string, account_id: string, expires_at: Date): Promise<void> Create a new auth session.
depsquery dependencies
token_hashblake3 hash of the session token (use hash_session_token)
stringaccount_idthe account this session belongs to
stringexpires_atwhen the session expires
DatePromise<void> (db: Db, namespaces?: MigrationNamespace[] | undefined): Promise<DbStatus> Query database status including connectivity, tables, and migration state.
Designed for CLI db:status commands. Does not modify the database.
dbthe database instance
namespaces?migration namespaces to check status for
MigrationNamespace[] | undefinedPromise<DbStatus> a snapshot of database status; connected: false with error
set when the initial connectivity probe fails
Error - propagated from the driver if a query fails after theauth/account_queries.ts view source
(deps: QueryDeps, id: string): Promise<boolean> Delete an account. Cascades to actors, permits, sessions, and tokens.
depsidstringPromise<boolean> auth/permit_queries.ts view source
(deps: QueryDeps, input: GrantPermitInput): Promise<Permit> Grant a permit to an actor. Idempotent โ if an active permit already exists for this actor, role, and scope, returns the existing permit instead of creating a duplicate.
The ON CONFLICT target and the fallback SELECT both collapse NULL
scopes via the same sentinel used by the partial unique index
(permit_actor_role_scope_active_unique). The IS NOT DISTINCT FROM
form on the fallback is deliberate โ plain = would miss the
NULL-scope case where the conflict fired.
depsquery dependencies
inputthe permit fields
Promise<Permit> the created or existing active permit
auth/invite_queries.ts view source
(deps: QueryDeps, invite_id: string, account_id: string): Promise<boolean> Claim an invite by setting the claimed_by and claimed_at fields.
depsquery dependencies
invite_idthe invite to claim
stringaccount_idthe account claiming the invite
stringPromise<boolean> true if the invite was claimed, false if already claimed or not found
auth/invite_queries.ts view source
(deps: QueryDeps, id: string): Promise<boolean> Delete an unclaimed invite.
depsquery dependencies
idthe invite id
stringPromise<boolean> true if deleted, false if not found or already claimed
auth/invite_queries.ts view source
(deps: QueryDeps, email: string): Promise<Invite | undefined> Find an unclaimed invite by email (case-insensitive).
depsemailstringPromise<Invite | undefined> auth/invite_queries.ts view source
(deps: QueryDeps, username: string): Promise<Invite | undefined> Find an unclaimed invite by username (case-insensitive).
depsusernamestringPromise<Invite | undefined> auth/invite_queries.ts view source
(deps: QueryDeps, email: string | null, username: string): Promise<Invite | undefined> Find an unclaimed invite matching email and/or username using three scoping modes:
- Email-only invite (email set, username NULL) โ matches only if signup provides matching email. - Username-only invite (username set, email NULL) โ matches only if signup provides matching username. - Both-field invite (both set) โ requires BOTH email and username to match.
depsquery dependencies
emailemail to match (or null if signup provides none)
string | nullusernameusername to match
stringPromise<Invite | undefined> the matching invite, or undefined
auth/invite_queries.ts view source
(deps: QueryDeps): Promise<Invite[]> List all invites, newest first.
depsPromise<Invite[]> auth/invite_queries.ts view source
(deps: QueryDeps): Promise<{ id: string & $brand<"Uuid">; email: string | null; username: string | null; claimed_by: (string & $brand<"Uuid">) | null; ... 4 more ...; claimed_by_username: string | null; }[]> List all invites with resolved creator/claimer usernames, newest first.
depsquery dependencies
Promise<{ id: string & $brand<"Uuid">; email: string | null; username: string | null; claimed_by: (string & $brand<"Uuid">) | null; claimed_at: string | null; created_at: string; created_by: (string & $brand<...>) | null; created_by_username: string | null; claimed_by_username: string | null; }[]> invites with created_by_username and claimed_by_username
auth/permit_queries.ts view source
(deps: QueryDeps, role: string): Promise<string | null> Find the account ID of an account that holds an active permit for a given role.
Joins permit โ actor โ account. Returns the first match, or null if none.
depsquery dependencies
rolethe role to search for
stringPromise<string | null> the account ID, or null
auth/permit_queries.ts view source
(deps: QueryDeps, actor_id: string): Promise<Permit[]> Find all active (non-revoked, non-expired) permits for an actor.
depsactor_idstringPromise<Permit[]> auth/permit_queries.ts view source
(deps: QueryDeps, permit_id: string, actor_id: string): Promise<{ role: string; } | null> Look up the role of an active permit, constrained to a specific actor.
Used by admin routes to inspect the permit's role before acting
(e.g., enforcing web_grantable on revoke). The actor constraint
mirrors query_revoke_permit so IDOR protection is consistent:
a caller can only see permits belonging to the target actor.
Returns null if the permit is not found, already revoked, or
belongs to a different actor.
depsquery dependencies
permit_idthe permit id to look up
stringactor_idthe actor that must own the permit
stringPromise<{ role: string; } | null> {role} on a match, or null
auth/permit_queries.ts view source
(deps: QueryDeps, actor_id: string, role: string, scope_id?: string | null | undefined): Promise<boolean> Check if an actor has an active permit for a given role.
The scope_id parameter selects between global and scoped checks:
- Omitted or null โ matches a global permit (scope_id IS NULL).
Pre-scope callers keep their existing semantics.
- A scope uuid โ matches a permit bound to that exact scope.
The IS NOT DISTINCT FROM comparison handles the NULL case uniformly.
depsactor_idstringrolestringscope_id?string | null | undefinedPromise<boolean> auth/permit_queries.ts view source
(deps: QueryDeps, actor_id: string): Promise<Permit[]> List all permits for an actor (including revoked/expired).
depsactor_idstringPromise<Permit[]> auth/permit_offer_queries.ts view source
(deps: QueryDeps, input: CreatePermitOfferInput): Promise<PermitOffer> Create a new permit offer, or refresh an existing pending offer for the
same (to_account_id, role, scope_id, from_actor_id) tuple.
Re-offer semantics: a second call by the same grantor with the same
(to_account, role, scope) while pending upserts the existing row,
refreshing message and expires_at. A different grantor offering the
same (to_account, role, scope) creates a distinct row โ multiple
pending grantors coexist. After a terminal state, a re-offer is a fresh
INSERT.
Self-offer rejection: throws PermitOfferSelfTargetError if the offering actor belongs to the recipient account.
depsinputPromise<PermitOffer> PermitOfferSelfTargetError - if the offering actor belongs to `to_account_id`auth/permit_offer_queries.ts view source
(deps: QueryDeps, offer_id: string, to_account_id: string, reason: string | null): Promise<PermitOffer | null> Mark an offer declined.
Guarded by to_account_id (IDOR). Returns null if the offer does not
exist or belongs to a different account. Throws
PermitOfferAlreadyTerminalError if the offer exists for the caller but
is already in a terminal state.
depsoffer_idstringto_account_idstringreasonstring | nullPromise<PermitOffer | null> PermitOfferAlreadyTerminalError - if the offer is already accepted, declined, retracted, or supersededauth/permit_offer_queries.ts view source
(deps: QueryDeps, offer_id: string): Promise<PermitOffer | null> Look up a pending offer by id. Returns null if the offer is terminal,
expired (server-side filter), or missing.
depsoffer_idstringPromise<PermitOffer | null> auth/permit_offer_queries.ts view source
(deps: QueryDeps, account_id: string, limit?: number, offset?: number): Promise<PermitOffer[]> List every offer involving an account (either direction), newest first.
Includes terminal offers โ used by the grantor-side admin / history view.
depsaccount_idstringlimitnumber100offsetnumber0Promise<PermitOffer[]> auth/permit_offer_queries.ts view source
(deps: QueryDeps, to_account_id: string): Promise<PermitOffer[]> List pending, non-expired offers for an account, soonest expiry first.
Expired offers are filtered server-side (expires_at > NOW()) so the
inbox never surfaces a row that can no longer be accepted. The periodic
sweep (query_permit_offer_sweep_expired) handles audit tombstoning.
depsto_account_idstringPromise<PermitOffer[]> auth/permit_offer_queries.ts view source
(deps: QueryDeps, offer_id: string, from_actor_id: string): Promise<PermitOffer | null> Mark an offer retracted by the grantor.
Guarded by from_actor_id (IDOR). Returns null if the offer does not
exist or was issued by a different actor. Throws
PermitOfferAlreadyTerminalError if the offer exists for this grantor
but is already in a terminal state.
depsoffer_idstringfrom_actor_idstringPromise<PermitOffer | null> PermitOfferAlreadyTerminalError - if the offer is already accepted, declined, retracted, or supersededauth/permit_offer_queries.ts view source
(deps: QueryDeps): Promise<PermitOffer[]> Return pending offers whose expires_at has passed.
Callers fire permit_offer_expire audit events for each row. The schema
does not tombstone the row, so callers are responsible for their own
idempotency (e.g. check whether a permit_offer_expire audit event
already exists for the offer id).
depsPromise<PermitOffer[]> auth/permit_queries.ts view source
(deps: QueryDeps, scope_id: string & $brand<"Uuid">, revoked_by: (string & $brand<"Uuid">) | null, reason?: string | null | undefined): Promise<RevokeForScopeResult> Revoke every active permit bound to a scope and supersede every pending offer at the scope, in one cascade.
Use this from a consumer's parent-scope delete handler (e.g., classroom
deletion) โ permit.scope_id and permit_offer.scope_id are polymorphic
with no FK constraint by design, so a parent row deletion would otherwise
orphan permits and offers. The cascade is role-agnostic: anything
attached to the destroyed scope is cleaned up.
Both updates run as separate statements inside the caller's transaction (mirrors query_permit_revoke_role's shape). The two halves are independent โ orphan pending offers can exist at a scope with no active permits, so the supersede half always runs even when no permit was revoked.
depsquery dependencies
scope_idthe scope whose permits and offers to terminate
string & $brand<"Uuid">revoked_bythe actor performing the cascade (audit trail)
(string & $brand<"Uuid">) | nullreason?optional free-form reason, stamped on permit.revoked_reason.
string | null | undefinedPromise<RevokeForScopeResult> the revoked permits (with account_id for fan-out) and superseded offers (with from_account_id for fan-out)
auth/permit_queries.ts view source
(deps: QueryDeps, actor_id: string, role: string, revoked_by: string | null, reason?: string | null | undefined): Promise<RevokeRoleResult> Revoke every active permit an actor holds for a given role.
With scoped permits a single actor+role tuple can hold several active
permits (one per scope), so this revokes all of them. Pass
query_revoke_permit(permit_id, ...) when a single scoped permit
is the target.
Also supersedes pending offers for the actor's account across every scope of this role (the actor can no longer hold the role, so any pending offer of the same role is a bypass vector).
depsquery dependencies
actor_idthe actor whose permits to revoke
stringrolethe role to revoke
stringrevoked_bythe actor who revoked it (for audit trail)
string | nullreason?optional free-form reason, stamped on permit.revoked_reason.
string | null | undefinedPromise<RevokeRoleResult> the list of revoked permits (empty if none were active) and superseded pending offers
auth/api_token_queries.ts view source
(deps: QueryDeps, account_id: string): Promise<number> Revoke all tokens for an account.
depsquery dependencies
account_idthe account whose tokens to revoke
stringPromise<number> the number of tokens revoked
auth/api_token_queries.ts view source
(deps: QueryDeps, id: string, account_id: string): Promise<boolean> Revoke a token only if it belongs to the specified account.
Prevents cross-account token revocation.
depsquery dependencies
idthe public token id
stringaccount_idthe account that must own the token
stringPromise<boolean> true if a token was revoked, false if not found or wrong account
auth/permit_queries.ts view source
(deps: QueryDeps, permit_id: string & $brand<"Uuid">, actor_id: string & $brand<"Uuid">, revoked_by: (string & $brand<"Uuid">) | null, reason?: string | ... 1 more ... | undefined): Promise<...> Revoke a permit by id, constrained to a specific actor.
Requires actor_id to prevent cross-account revocation (IDOR guard).
Returns null if the permit is not found, already revoked, or belongs
to a different actor.
Supersedes any pending offers for the revoked permit's
(to_account, role, scope) in the same transaction. Prevents the
"accept a pre-revoke offer to bypass the revoke" path โ any stale
offer becomes terminal at revoke time. A fresh post-revoke grant
requires the grantor to call query_permit_offer_create again.
depsquery dependencies
permit_idthe permit to revoke
string & $brand<"Uuid">actor_idthe actor that must own the permit
string & $brand<"Uuid">revoked_bythe actor who revoked it (for audit trail)
(string & $brand<"Uuid">) | nullreason?optional free-form reason, stamped on permit.revoked_reason and surfaced to the revokee notification.
string | null | undefinedPromise<RevokePermitResult | null> auth/session_queries.ts view source
(deps: QueryDeps): Promise<number> Delete expired sessions.
depsPromise<number> the number of sessions cleaned up
auth/session_queries.ts view source
(deps: QueryDeps, account_id: string, max_sessions: number): Promise<number> Enforce a per-account session limit by evicting the oldest sessions.
Keeps the newest max_sessions sessions and deletes the rest.
Race safety: this function must run inside a transaction alongside the
INSERT that created the new session. All callers satisfy this requirement:
- POST /login uses the default transaction: true (framework-managed
transaction wrapping in apply_route_specs)
- The account_token_create RPC handler runs under the dispatcher's
transaction path because its spec declares side_effects: true
- POST /bootstrap and POST /signup manage their own transactions
and pass the transaction-scoped deps to create_session_and_set_cookie
The transaction ensures the INSERT + enforce_limit pair is atomic โ concurrent session creation cannot interleave between the two statements.
depsquery dependencies (must be transaction-scoped)
account_idthe account to enforce the limit for
stringmax_sessionsmaximum number of sessions to keep
numberPromise<number> the number of sessions evicted
auth/session_queries.ts view source
(deps: QueryDeps, token_hash: string): Promise<AuthSession | undefined> Get a session if it exists, is not expired, and has not been revoked.
depsquery dependencies
token_hashblake3 hash of the session token
stringPromise<AuthSession | undefined> auth/session_queries.ts view source
(deps: QueryDeps, limit?: number): Promise<(AuthSession & { username: string; })[]> List all active sessions across all accounts with usernames.
depsquery dependencies
limitmaximum entries to return
number200Promise<(AuthSession & { username: string; })[]> active sessions joined with account usernames, newest activity first
auth/session_queries.ts view source
(deps: QueryDeps, account_id: string, limit?: number): Promise<AuthSession[]> List sessions for an account, newest first.
depsaccount_idstringlimitnumber50Promise<AuthSession[]> auth/session_queries.ts view source
(deps: QueryDeps, account_id: string): Promise<number> Revoke all sessions for an account.
depsaccount_idstringPromise<number> the number of sessions revoked
auth/session_queries.ts view source
(deps: QueryDeps, token_hash: string): Promise<void> Revoke (delete) a session by its token hash, with no account scoping.
The _unscoped suffix is the safety signal โ there is no account_id
constraint, so callers must guarantee the hash came from a trusted
source (the authenticated session cookie path is the only safe production
caller โ see auth/account_routes.ts /logout). For user-facing revocation
of a specific session by ID, use query_session_revoke_for_account
(IDOR-guarded).
depstoken_hashstringPromise<void> auth/session_queries.ts view source
(deps: QueryDeps, token_hash: string, account_id: string): Promise<boolean> Revoke a session only if it belongs to the specified account.
Prevents cross-account session revocation.
depsquery dependencies
token_hashblake3 hash of the session token
stringaccount_idthe account that must own the session
stringPromise<boolean> true if a session was revoked, false if not found or wrong account
auth/session_queries.ts view source
(deps: QueryDeps, token_hash: string): Promise<void> Update last_seen_at and optionally extend expiry for a session.
Extends if less than AUTH_SESSION_EXTEND_THRESHOLD_MS remaining.
depsquery dependencies
token_hashblake3 hash of the session token
stringPromise<void> auth/account_queries.ts view source
(deps: QueryDeps, id: string, password_hash: string, updated_by: string | null): Promise<void> Update the password hash for an account.
depsidstringpassword_hashstringupdated_bystring | nullPromise<void> auth/api_token_queries.ts view source
(deps: ApiTokenQueryDeps, raw_token: string, ip: string | undefined, pending_effects: Promise<void>[] | undefined): Promise<ApiToken | undefined> Validate a raw API token and return the token record.
Hashes the token with blake3, looks up the hash, and checks
expiration. Updates last_used_at and last_used_ip on success
(fire-and-forget โ errors logged, never thrown).
depsquery dependencies with logger
raw_tokenthe raw API token from the Authorization header
stringipthe client IP address (for audit)
string | undefinedpending_effectsoptional array to register the usage-tracking effect for later awaiting
Promise<void>[] | undefinedPromise<ApiToken | undefined> the token record if valid, or undefined
QueryDeps Base dependency for all query functions.
db(c: Context<any, any, {}>, retry_after: number): Response Build a 429 rate-limit-exceeded JSON response with Retry-After header.
cHono context
Context<any, any, {}>retry_afterseconds until the client should retry
numberResponse a 429 Response
In-memory sliding window rate limiter.
Stores an array of timestamps per key. On check/record, timestamps
outside the window are pruned. retry_after reports seconds until the
oldest active timestamp expires.
The backing store is an LruMap when options.max_keys is a positive
number (default DEFAULT_RATE_LIMITER_MAX_KEYS) and a plain Map when
max_keys is null. The LruMap path bounds memory under
key-enumeration attack at the cost of a slight per-op overhead and the
LRU trade-off described on RateLimiterOptions.max_keys.
Parameters that accept RateLimiter | null (e.g. ip_rate_limiter,
login_account_rate_limiter) silently disable rate limiting when null
is passed โ no checks are performed and all requests are allowed through.
optionstype RateLimiterOptions
constructortype new (options: RateLimiterOptions): RateLimiter
optionscheckCheck whether key is allowed without recording an attempt.
Prunes timestamps that fell outside the window as a side effect (and removes the key entirely when none remain), so the backing map stays bounded even under read-only traffic.
type (key: string, now?: number): RateLimitResult
keyrate limit key (e.g. IP address)
stringnowcurrent timestamp in ms (defaults to Date.now())
numberDate.now()recordRecord a failed attempt for key and return the updated result.
type (key: string, now?: number): RateLimitResult
keyrate limit key (e.g. IP address)
stringnowcurrent timestamp in ms (defaults to Date.now())
numberDate.now()resetClear all attempts for key (e.g. after successful login).
type (key: string): void
keystringvoidcleanupRemove entries whose timestamps are all outside the window.
type (now?: number): void
nowcurrent timestamp in ms (defaults to Date.now())
numberDate.now()voiddisposeStop the cleanup timer. Safe to call multiple times.
type (): void
voidRateLimiterOptions Configuration for a rate limiter instance.
max_attemptsMaximum allowed attempts within the window.
numberwindow_msSliding window duration in milliseconds.
numbercleanup_interval_msInterval for pruning stale entries (0 disables the timer).
numbermax_keysMaximum tracked keys. When exceeded, the least-recently-used key is
evicted โ bounds memory under key-enumeration attacks. Default:
DEFAULT_RATE_LIMITER_MAX_KEYS (100_000). Pass null to disable the
cap (falls back to an unbounded Map โ only recommended when the key
set is known to be closed, e.g. a per-account limiter keyed to a
bounded-size account table).
LRU trade-off: every check / record call marks the key as
most-recently-used, so keys under active attack stay fresh and won't
be evicted. A slow-burn attacker spread across many low-volume keys
can, however, drop out of the table and reset their budget โ set
max_keys high enough to fit the expected legitimate key set and
this stays theoretical.
number | nullhttp/error_schemas.ts view source
ZodObject<{ error: ZodLiteral<"rate_limit_exceeded">; retry_after: ZodNumber; }, $loose> Rate limit error โ returned when a rate limiter rejects the request.
testing/rate_limiting.ts view source
RateLimitingTestOptions Configuration for describe_rate_limiting_tests.
session_optionsSession config for cookie-based auth.
SessionOptions<string>create_route_specsRoute spec factory โ same one used in production.
(ctx: AppServerContext) => Array<RouteSpec>app_optionsOptional overrides for AppServerOptions.
db_factoriesDatabase factories to run tests against. Default: pglite only.
Array<DbFactory>max_attemptsMaximum attempts before rate limiting kicks in.
Default: 2 (tight limit for fast tests).
numberrpc_endpointsRPC endpoint specs โ required so the bearer-auth rate limiting test
can probe an authenticated method via the account_verify RPC
action. Hard-fails via require_rpc_endpoint_path on setup.
Accepts either an array (eager) or a factory
(ctx: AppServerContext) => Array<RpcEndpointSpec> โ the factory form
is required when action handlers must close over the per-test
ctx.app_settings / ctx.deps. The factory must return the same
endpoint path regardless of ctx โ it is invoked once at setup with
a stub ctx for path lookup and again per-test by create_app_server
for live dispatch.
http/error_schemas.ts view source
ZodEnum<{ both: "both"; ip: "ip"; account: "account"; }> Rate limit key type โ declares what a route or RPC action's rate limiter is keyed on.
- 'ip' โ per-IP rate limiting (bootstrap, password change, bearer auth)
- 'account' โ per-account rate limiting. On REST auth routes the key is
the submitted identifier (login). On RPC actions (post-auth) the key is
the resolved actor id (request_context.actor.id) โ separate namespace.
- 'both' โ both keys.
RateLimitResult Result of a rate limit check or record operation.
allowedWhether the request is allowed.
booleanremainingRemaining attempts before blocking.
numberretry_afterSeconds until the oldest active attempt expires (0 if allowed).
number(runtime: Pick<EnvDeps, "env_get"> & Pick<FsReadDeps, "stat" | "read_text_file"> & LogDeps, name: string): Promise<{ version: number; pid: number; port: number; started: string; app_version: string; } | null> Read and validate daemon info from the PID file.
runtimeruntime with file read and env capabilities
Pick<EnvDeps, "env_get"> & Pick<FsReadDeps, "stat" | "read_text_file"> & LogDepsnameapplication name
stringPromise<{ version: number; pid: number; port: number; started: string; app_version: string; } | null> parsed daemon info, or null if missing or invalid
(deps: Pick<FsReadDeps, "stat" | "read_text_file">, env_path: string, name: string): Promise<string | undefined> Read a single env var from a dotenv-style file.
depsfile read capability
Pick<FsReadDeps, "stat" | "read_text_file">env_pathpath to the .env file
stringnamethe variable name to read
stringPromise<string | undefined> the value, or undefined if the file or variable doesn't exist
ReadTextFromOffsetResult Result of reading text from a byte offset.
contentDecoded text content read from the offset.
stringbytes_readNumber of bytes actually read.
numberfile_sizeTotal file size at the time of the read (for truncation detection).
numberauth/request_context.ts view source
(ctx: RequestContext, deps: QueryDeps): Promise<RequestContext> Reload active permits from the database, returning a new request context.
Useful for long-lived WebSocket connections where permits may change (grant or revoke) during the connection lifetime. Call periodically or after receiving a revocation signal.
Returns a new RequestContext with updated permits โ the original context is not mutated, making concurrent calls safe.
ctxthe request context to refresh
depsquery dependencies
Promise<RequestContext> a new RequestContext with fresh permits
actions/register_action_ws.ts view source
<TCtx extends BaseHandlerContext>(options: RegisterActionWsOptions<TCtx>): RegisterActionWsResult Mount a JSON-RPC WebSocket endpoint that dispatches to the supplied handler
map. Per-request context is built from the base + consumer-provided
RegisterActionWsOptions.extend_context.
Wire behavior:
- Batch JSON-RPC is rejected (single-message only).
- Notifications (method + no id) are silently dropped per JSON-RPC spec.
- Per-action auth: public / authenticated pass through (upgrade auth
already verified identity); keeper requires daemon_token credential
type *and* the keeper role; role-based {role} requires the named role
via has_role, matching the HTTP path in actions/action_rpc.ts.
- DEV mode validates handler output against the spec's output schema and
warns on mismatches.
optionsRegisterActionWsOptions<TCtx>RegisterActionWsResult the transport (supplied or freshly created) โ retain it to wire create_ws_auth_guard or broadcast on audit events.
actions/register_ws_endpoint.ts view source
<TCtx extends BaseHandlerContext>(options: RegisterWsEndpointOptions<TCtx>): RegisterActionWsResult Mount a WebSocket endpoint with the standard upgrade stack (origin check + auth + optional role) and JSON-RPC dispatch.
Returns the BackendWebsocketTransport (supplied or freshly
created), same as register_action_ws โ retain it to wire
create_ws_auth_guard on on_audit_event or to broadcast.
optionsRegisterWsEndpointOptions<TCtx>RegisterActionWsResult actions/register_action_ws.ts view source
RegisterActionWsOptions<TCtx> Options for register_action_ws.
TCtxpathMount path (e.g., /api/ws).
stringappThe Hono app to mount on.
HonoupgradeWebSocketHono's upgradeWebSocket helper from the runtime adapter.
UpgradeWebSocketactionsThe actions registered on this endpoint โ each carries a spec (drives method lookup, per-action auth, input/output validation) and an optional handler (omit for client-only specs like inbound notifications). Spread protocol_actions from actions/protocol.ts here to complete the disconnect-detection + per-request cancel pairing with the frontend client.
ReadonlyArray<Action<TCtx>>extend_contextBuild the per-request context from the base and the upgrade-time Hono
context. Called once per incoming message. Consumers use this to attach
domain singletons (backend) or per-socket auth (auth,
credential_type) without re-reading them from c inside every handler.
(base: BaseHandlerContext, c: Context) => TCtxtransportExisting transport to register connections with. When omitted, a fresh
one is created and returned in the result. Pass your own to keep a
handle for create_ws_auth_guard and send_to/broadcast.
heartbeatServer-side heartbeat policy. Default-on (receive-silence detection,
60s timeout). false disables the timer entirely โ only do this if
the upstream stack (TCP keepalive, Cloudflare idle timeout, etc.)
already owns disconnect detection. Pass an object to tune the timeout.
boolean | ServerHeartbeatOptionsartificial_delayOptional per-message delay for testing loading states. Ignored when 0.
numberlogOptional logger; defaults to [ws] namespace.
LoggerTypeon_socket_openCalled once per socket, after the transport registers the connection.
Awaited before any message is dispatched. Throwing logs an error and
closes the socket with an internal_error frame โ a failing bootstrap
should not leave a partially-initialized socket alive.
(ctx: SocketOpenContext) => void | Promise<void>on_socket_closeCalled once per socket on close, *before* the transport removes the
connection. Receives connection_id and identity captured at open
time, so it is safe to read even when the audit guard has already torn
down the transport's internal state. Errors are logged and swallowed.
(ctx: SocketCloseContext) => void | Promise<void>action_ip_rate_limiterPer-IP rate limiter consulted for actions whose spec declares
rate_limit: 'ip' or 'both'. null (or omitted) disables the
IP check. Same limiter is shared with the HTTP RPC dispatcher so
one budget covers both transports per action. Resolved at upgrade
time and reused for every message on the socket.
RateLimiter | nullaction_account_rate_limiterPer-actor rate limiter consulted for actions whose spec declares
rate_limit: 'account' or 'both'. Keyed on
request_context.actor.id. null (or omitted) disables the
account check. Same limiter is shared with the HTTP RPC dispatcher.
RateLimiter | nullactions/register_action_ws.ts view source
RegisterActionWsResult Result of register_action_ws.
transportThe transport bound to the endpoint โ supplied or freshly created.
actions/register_ws_endpoint.ts view source
RegisterWsEndpointOptions<TCtx> Options for register_ws_endpoint.
TCtxRegisterActionWsOptions<TCtx>allowed_originsOrigin allowlist regexes โ typically parsed from the ALLOWED_ORIGINS
env var via parse_allowed_origins. Passed straight to
verify_request_source.
Array<RegExp>required_roleRole required to upgrade. Omit for any authenticated account (require_auth
alone); set to e.g. ROLE_ADMIN to gate the endpoint behind a role. The
per-action auth in each spec still applies at dispatch time โ this is
a coarse upgrade-time gate.
actions/action_spec.ts view source
ZodObject<{ method: ZodString; initiator: ZodEnum<{ frontend: "frontend"; backend: "backend"; both: "both"; }>; input: ZodCustom<ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>, ZodType<...>>; ... 8 more ...; async: ZodDefault<...>; }, $strict> auth/request_context.ts view source
"request_context" Hono context variable name for the request context.
auth/request_context.ts view source
RequestContext The resolved identity context for an authenticated request.
accountactorpermitsArray<Permit>actions/action_spec.ts view source
ZodObject<{ method: ZodString; initiator: ZodEnum<{ frontend: "frontend"; backend: "backend"; both: "both"; }>; side_effects: ZodBoolean; input: ZodCustom<ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>, ZodType<...>>; ... 7 more ...; async: ZodDefault<...>; }, $strict> actions/request_tracker.svelte.ts view source
Reactive pending-request store with per-request timeouts. Used by transports that don't delegate request/response correlation to a WebsocketRpcConnection.
pending_requeststype SvelteMap<JsonrpcRequestId, RequestTrackerItem>
request_timeout_mstype number
constructortype new (request_timeout_ms?: number): RequestTracker
request_timeout_msnumber120_000track_requestTrack a new request keyed by id.
type (id: string | number): Deferred<{ [x: string]: unknown; jsonrpc: "2.0"; id: string | number; result: { [x: string]: unknown; }; } | { [x: string]: unknown; jsonrpc: "2.0"; id: string | number | null; error: { [x: string]: unknown; code: -32700 | ... 4 more ... | (number & $brand<...>); message: string; data?: unknown; }; }>
idstring | numberDeferred<{ [x: string]: unknown; jsonrpc: "2.0"; id: string | number; result: { [x: string]: unknown; }; } | { [x: string]: unknown; jsonrpc: "2.0"; id: string | number | null; error: { [x: string]: unknown; code: -32700 | -32600 | -32601 | -32602 | -32603 | (number & $brand<...>); message: string; data?: unknown; }...deferred resolved on response, or rejected via the timeout
resolve_requestResolve a pending request with its response.
type (id: string | number, response: { [x: string]: unknown; jsonrpc: "2.0"; id: string | number; result: { [x: string]: unknown; }; } | { [x: string]: unknown; jsonrpc: "2.0"; id: string | number | null; error: { [x: string]: unknown; code: -32700 | ... 4 more ... | (number & $brand<...>); message: string; data?: unknown; }; }): void
idstring | numberresponse{ [x: string]: unknown; jsonrpc: "2.0"; id: string | number; result: { [x: string]: unknown; }; } | { [x: string]: unknown; jsonrpc: "2.0"; id: string | number | null; error: { [x: string]: unknown; code: -32700 | -32600 | -32601 | -32602 | -32603 | (number & $brand<...>); message: string; data?: unknown; }; }voidreject_requestReject a pending request with error_message.
type (id: string | number, error_message: { [x: string]: unknown; jsonrpc: "2.0"; id: string | number | null; error: { [x: string]: unknown; code: -32700 | -32600 | -32601 | -32602 | -32603 | (number & $brand<"JsonrpcServerErrorCode">); message: string; data?: unknown; }; }): void
idstring | numbererror_message{ [x: string]: unknown; jsonrpc: "2.0"; id: string | number | null; error: { [x: string]: unknown; code: -32700 | -32600 | -32601 | -32602 | -32603 | (number & $brand<"JsonrpcServerErrorCode">); message: string; data?: unknown; }; }voidhandle_messageHandles an incoming JSON-RPC message. Resolves or rejects the associated request. Ignores notifications and unknown/invalid messages.
type (message: any): void
messageanyvoidcancel_requestCancel a pending request without rejecting its deferred โ just cleanup. The caller's promise stays unsettled; pair with an external resolution if needed.
type (id: string | number): void
idstring | numbervoidcancel_all_requestsCancel all pending requests.
type (reason?: string | undefined): void
reason?optional reason to include in rejection
string | undefinedvoidactions/request_tracker.svelte.ts view source
idtype JsonrpcRequestId
deferredtype Deferred<JsonrpcResponseOrError>
createdtype Datetime
statustype AsyncStatus
timeouttype NodeJS.Timeout | undefined
constructortype new (id: string | number, deferred: Deferred<{ [x: string]: unknown; jsonrpc: "2.0"; id: string | number; result: { [x: string]: unknown; }; } | { [x: string]: unknown; jsonrpc: "2.0"; id: string | number | null; error: { [x: string]: unknown; code: -32700 | ... 4 more ... | (number & $brand<...>); message: string; data?: unknown; }; }>, created: Datetime, status: AsyncStatus, timeout: Timeout | undefined): RequestTrackerItem
idstring | numberdeferredDeferred<{ [x: string]: unknown; jsonrpc: "2.0"; id: string | number; result: { [x: string]: unknown; }; } | { [x: string]: unknown; jsonrpc: "2.0"; id: string | number | null; error: { [x: string]: unknown; code: -32700 | -32600 | -32601 | -32602 | -32603 | (number & $brand<...>); message: string; data?: unknown; }...createdDatetimestatusAsyncStatustimeoutTimeout | undefinedauth/request_context.ts view source
(c: Context<any, string, {}>, next: Next): Promise<void | Response> Middleware that requires authentication.
Returns 401 if no request context is set.
cContext<any, string, {}>nextNextPromise<void | Response> auth/require_keeper.ts view source
(c: Context<any, string, {}>, next: Next): Promise<void | Response> Middleware that requires keeper credentials.
Returns 401 if unauthenticated, 403 if credential type is not
daemon_token or if the keeper role is missing.
cContext<any, string, {}>nextNextPromise<void | Response> auth/request_context.ts view source
(c: Context<any, any, {}>): RequestContext Get the request context, throwing if unauthenticated.
Use in route handlers where auth middleware guarantees a context exists
(i.e., routes with auth: {type: 'authenticated'} or stricter).
Prefer this over get_request_context(c)! for explicit error handling.
cthe Hono context
Context<any, any, {}>RequestContext the request context (never null)
Error - if no request context is set (middleware misconfiguration)auth/request_context.ts view source
(role: string): MiddlewareHandler Create middleware that requires a specific role.
Returns 401 if unauthenticated, 403 if the role is missing.
rolethe required role
stringMiddlewareHandler testing/rpc_helpers.ts view source
(rpc_endpoints: readonly RpcEndpointSpec[]): string Resolve a single RPC endpoint path โ the common case where a consumer mounts exactly one create_rpc_endpoint.
Used at suite setup time to hard-fail integration suites (admin / audit /
SSE / rate-limiting) when the consumer omitted rpc_endpoints rather
than letting tests fail mid-run with confusing errors.
Callers that need multi-endpoint support should iterate rpc_endpoints
directly.
rpc_endpointsreadonly RpcEndpointSpec[]string Error - if `rpc_endpoints` is empty (hard-fail; see the suite optionsauth/audit_log_queries.ts view source
(): void Reset the counter โ for tests only.
void auth/audit_log_queries.ts view source
(): void Reset the counter โ for tests only.
void (deps: FsReadDeps & FsWriteDeps & FsRemoveDeps & CommandDeps & EnvDeps, app_name: string, options?: SetupBootstrapTokenOptions | undefined): Promise<...> Remove an existing bootstrap token and create a new one.
depsfile, command, env, and remove capabilities
FsReadDeps & FsWriteDeps & FsRemoveDeps & CommandDeps & EnvDepsapp_nameapplication name
stringoptions?state_dir override, permissions, logger
SetupBootstrapTokenOptions | undefinedPromise<SetupTokenResult> result from creating the new token
(deps: CommandDeps & FsReadDeps & FsRemoveDeps, database_url: string, options?: ResetDatabaseOptions | undefined): Promise<...> Reset a database to a clean slate.
For PostgreSQL: drops and recreates the database.
For pglite: removes the data directory if pglite_data_dir is provided.
For empty/missing URLs: skips.
depscommand and file capabilities
CommandDeps & FsReadDeps & FsRemoveDepsdatabase_urlthe DATABASE_URL value
stringoptions?pglite_data_dir, logger
ResetDatabaseOptions | undefinedPromise<ResetDbResult> result describing what happened
(runtime: MockRuntime): void Reset a mock runtime to initial state.
runtimevoid (db: Db): Promise<void> Reset a PGlite database to a clean state by dropping and recreating the public schema.
Removes all tables, sequences, indexes, types, and functions. The database instance remains usable after reset.
dbPromise<void> ResetDatabaseOptions Options for reset_database.
pglite_data_dirDirectory to remove for file-based pglite.
stringlogResetDbResult Result of reset_database.
resetWhether the database was actually reset.
booleanskippedWhether the operation was skipped (e.g. pglite with no data dir).
booleandb_typeWhat type of database was detected.
'postgres' | 'pglite' | 'none'(forwarded_for: string, proxies: ParsedProxy[]): string | undefined Resolve the real client IP from an X-Forwarded-For header value.
Walks right-to-left, skipping trusted proxy entries. The first non-trusted entry is the client IP. If all entries are trusted, returns the leftmost entry. All entries are normalized before matching and in the returned value.
forwarded_forthe X-Forwarded-For header value
stringproxiesparsed trusted proxy entries
ParsedProxy[]string | undefined the normalized client IP, or undefined if the header is empty
(runtime: Pick<EnvDeps, "env_get">, value: string): string Resolve environment variable references in a string.
Uses $$VAR$$ syntax (bookended double-dollar signs).
Only resolves variables that are actually set in the environment.
Unset variables are left as-is for clear error messages.
runtimeruntime with env_get capability
Pick<EnvDeps, "env_get">valuestring that may contain $$VAR$$ references
stringstring string with env vars resolved
<T extends Record<string, unknown>>(runtime: Pick<EnvDeps, "env_get">, obj: T): T Resolve env vars in an object's string values (shallow).
runtimeruntime with env_get capability
Pick<EnvDeps, "env_get">objobject with string values
TT new object with env vars resolved
(runtime: Pick<EnvDeps, "env_get">, value: string, context: string): string Resolve env vars and throw if any are missing/empty.
Use this for values that must be present.
runtimeruntime with env_get capability
Pick<EnvDeps, "env_get">valuestring with $$VAR$$ references
stringcontextdescription for error message (e.g., "target.host")
stringstring resolved string
Error - if any referenced env var is missing or emptytesting/assertions.ts view source
(filename: string, import_meta_url: string): string Resolve an absolute path relative to the caller's module.
filenamestringimport_meta_urlthe caller's import.meta.url
stringstring auth/daemon_token_middleware.ts view source
(deps: QueryDeps): Promise<string | null> Resolve the keeper account ID by querying for the account with an active keeper permit.
There is exactly one keeper account (the bootstrap account). Runs once at
server startup โ the result is cached in DaemonTokenState.keeper_account_id.
depsquery dependencies
Promise<string | null> the keeper account ID, or null if no keeper exists yet (pre-bootstrap)
testing/rpc_helpers.ts view source
(rpc_endpoints: RpcEndpointsSuiteOption, session_options: SessionOptions<string>): RpcEndpointSpec[] Resolve a suite's rpc_endpoints option to an array for setup-time
inspection (path lookup, action presence checks).
For the factory form this invokes the factory twice with stub AppServerContexts and asserts that both invocations produce the same (path, method-list) shape โ catching factories that close over mutable state or otherwise diverge across calls. The first array is returned; the second is discarded after the comparison. create_app_server invokes the factory again per-test with its real ctx, and those are the handlers that actually serve requests.
Safe as long as the factory is pure with respect to the endpoint path
and the action spec.method list โ the canonical helpers
(create_standard_rpc_actions, create_admin_actions, create_account_actions,
etc.) are. Factories that return a different path based on ctx will
produce a setup/runtime mismatch; the path-purity assert below surfaces
that as a clear gro check error rather than a silent test/runtime drift.
rpc_endpointssession_optionsSessionOptions<string>RpcEndpointSpec[] Error - if the factory's two stub-ctx invocations produce differentui/format_scope.ts view source
<G extends string | null>(scope_id: string | null, role: string, format_scope: FormatScope, global_label: G): string | G Resolve a scope label across the context โ raw-uuid fallback chain.
global_label is returned for scope_id === null. Callers pass null
to render no chip (admin tables โ global is the implicit default) or
'global' for explicit labels (offer surfaces). The return type
propagates null only when global_label is null.
scope_idstring | nullrolestringformat_scopeglobal_labelGstring | G testing/attack_surface.ts view source
(consumer: ErrorSchemaTightnessOptions | null | undefined): ErrorSchemaTightnessOptions | null Merge a consumer's error_schema_tightness option with
DEFAULT_ERROR_SCHEMA_TIGHTNESS so allowlist and ignore_statuses are
additive rather than replacing.
- undefined โ return the default as-is.
- null โ return null (opt out of the assertion).
- object โ spread the default, then consumer overrides for scalar fields
(min_specificity), then concat stock-then-consumer for the list fields
(allowlist, ignore_statuses) so consumer entries extend rather than
replace.
Exported for direct use when a consumer calls assert_error_schema_tightness outside the standard suite but still wants the additive merge.
consumerErrorSchemaTightnessOptions | null | undefinedErrorSchemaTightnessOptions | null testing/auth_apps.ts view source
(path: string): string Replace Hono route params (:foo) with dummy values for HTTP testing.
pathstringstring testing/schema_generators.ts view source
(path: string, params_schema?: ZodObject<$ZodLooseShape, $strip> | undefined): string Resolve a route path with valid-ish param values so params validation passes. Used when testing input on routes that also have params.
pathstringparams_schema?ZodObject<$ZodLooseShape, $strip> | undefinedstring testing/integration_helpers.ts view source
readonly ["/login", "/logout", "/password", "/verify", "/signup", "/bootstrap"] REST auth route suffixes still on the account/bootstrap surface after the 2026-04-22 RPC migration. find_auth_route rejects any other suffix at runtime โ session/token CRUD, admin operations, and permit flows live on the RPC surface and should be reached via rpc_call.
testing/integration_helpers.ts view source
"/login" | "/logout" | "/password" | "/verify" | "/signup" | "/bootstrap" auth/permit_queries.ts view source
RevokeForScopeResult Result of query_permit_revoke_for_scope โ every permit revoked plus every pending offer superseded by the scope-wide cascade.
revokedOne entry per permit revoked by this call. Carries the revokee's
account_id so callers can fan out a permit_revoke notification per
permit. Empty array means no active permit was bound to the scope.
Array<{permit_id: Uuid; role: string; scope_id: Uuid; account_id: Uuid}>superseded_offersEvery pending offer at the scope โ tuple-matched and orphan, undifferentiated
โ superseded in the same cascade. Each entry carries its grantor's
from_account_id for permit_offer_supersede notification fan-out.
The caller is responsible for emitting permit_offer_supersede audit
events with reason: 'scope_destroyed' and cause_id: <destroyed scope row id>
per entry โ the cause of every supersede here is the scope deletion,
not any individual permit revoke (the revokes are themselves
consequences of the scope going away).
Array<SupersededOffer>auth/permit_queries.ts view source
RevokePermitResult Result of query_revoke_permit โ the revoked permit plus any pending offers superseded by the revoke.
idUuidrolestringscope_idUuid | nullsuperseded_offersPending offers for the revoked permit's (account, role, scope) that
were marked superseded as a side effect. Each entry carries its
grantor's from_account_id so callers can fan out
permit_offer_supersede notifications without a second round-trip.
The caller is responsible for emitting a permit_offer_supersede
audit event per entry (with reason: 'permit_revoked' and
cause_id: <revoked permit id>).
Array<SupersededOffer>auth/permit_queries.ts view source
RevokeRoleResult Result of query_permit_revoke_role โ every permit revoked plus the pending offers superseded by the bulk revoke.
revokedOne entry per permit revoked by this call. Carries the revokee's
account_id so callers can fan out a permit_revoke notification per
scope-instance. Empty array means nothing was active for (actor, role).
Array<{permit_id: string; role: string; scope_id: string | null; account_id: string}>superseded_offersPending offers for the actor's account+role (all scopes) superseded by
the bulk revoke. Each entry carries its grantor's from_account_id so
callers can fan out permit_offer_supersede notifications without a
second round-trip.
Array<SupersededOffer>auth/role_schema.ts view source
"admin" App-level administrative role. Web-grantable, manages users and content.
auth/role_schema.ts view source
"keeper" System-level role. Requires daemon token (filesystem proof). Controls the keep.
auth/role_schema.ts view source
ZodString Valid role name: lowercase letters and underscores, no leading/trailing underscore.
auth/role_schema.ts view source
RoleOptions Configuration for a role.
Builtin roles have fixed configs. App-defined roles get sensible defaults
(requires_daemon_token: false, web_grantable: true).
requires_daemon_tokenIf true, exercising this role requires daemon token authentication. Only keeper for now.
booleanweb_grantableIf true, admins can grant this role via the web UI. Default true.
booleanauth/role_schema.ts view source
RoleSchemaResult The result of create_role_schema โ a Zod schema and config map for all roles.
RoleZod schema that validates role strings. Use at I/O boundaries (grant endpoint, permit queries).
z.ZodType<string>role_optionsOptions for every role (builtins + app-defined). Keyed by role name.
ReadonlyMap<string, Required<RoleOptions>>testing/round_trip.ts view source
RoundTripTestOptions Options for describe_round_trip_validation.
session_optionsSession config for cookie-based auth.
SessionOptions<string>create_route_specsRoute spec factory โ same one used in production.
(ctx: AppServerContext) => Array<RouteSpec>app_optionsOptional overrides for AppServerOptions.
Partial<
Omit<AppServerOptions, 'backend' | 'session_options' | 'create_route_specs'>
>db_factoriesDatabase factories to run tests against. Default: pglite only.
Array<DbFactory>skip_routesRoutes to skip, in 'METHOD /path' format.
Array<string>input_overridesOverride generated bodies for specific routes ('METHOD /path' โ body).
Map<string, Record<string, unknown>>http/route_spec.ts view source
RouteAuth Auth requirement for a route โ none, authenticated, a specific role, or keeper.
{type: 'none'} means the route is open to all clients โ including non-browser
callers (CLI, API tokens, scripts). No session or auth middleware guards are applied.
http/route_spec.ts view source
RouteContext Per-request deps provided by the framework to route handlers.
dbTransaction-scoped for mutations, pool-level for reads.
background_dbAlways pool-level โ for fire-and-forget effects that must outlive the transaction.
pending_effectsFire-and-forget side effects โ push here for post-response flushing.
Array<Promise<void>>http/error_schemas.ts view source
Partial<Record<number, ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>>> Error schema map โ maps HTTP status codes to Zod schemas.
Used on RouteSpec.errors and internally by derive_error_schemas.
RouteFactoryDeps Capabilities for route spec factories.
AppDeps without db โ route handlers receive database connections
via RouteContext, so factories don't capture a pool-level Db.
http/route_spec.ts view source
RouteHandler Route handler function โ receives the Hono context and a RouteContext with per-request deps (db, background_db, pending_effects).
TypeScript allows fewer params, so handlers that don't need route
can use (c) => ... without changes.
http/route_spec.ts view source
RouteMethod HTTP methods supported by route specs.
http/surface_query.ts view source
(surface: AppSurface): Map<string, AppSurfaceRoute[]> Group routes by auth type.
surfaceMap<string, AppSurfaceRoute[]> a map from auth type string to route arrays, with role routes keyed as 'role:name'
http/route_spec.ts view source
RouteSpec A single route definition โ the unit of the surface map.
input and output schemas align with SAES ActionSpec naming.
Use z.null() for routes with no request body (GET, DELETE without body).
methodpathstringauthhandlerdescriptionstringparamsURL path parameter schema. Use z.strictObject() with string fields matching :param segments.
REST-only โ actions dispatch through a single JSON-RPC endpoint and encode
everything in input, so params doesn't appear on ActionSpec.
z.ZodObjectqueryURL query parameter schema. Use z.strictObject() with string fields.
z.ZodObjectinputRequest body schema. Use z.null() for routes with no body.
z.ZodTypeoutputSuccess response body schema.
z.ZodTyperate_limitRate limit key type โ declares what this route's rate limiter is keyed on.
When set, 429 (RateLimitError) is auto-derived in derive_error_schemas. The actual RateLimiter instance is still wired imperatively in the handler โ this field is metadata for surface introspection and policy invariants.
errorsHandler-specific error response schemas keyed by HTTP status code.
Middleware errors (auth 401/403, validation 400, rate limit 429) are
auto-derived from auth, input, and rate_limit. Declare handler-specific
errors here (e.g., 404 for not-found, 409 for conflicts).
Explicit entries override auto-derived ones for the same status code.
transactionWhether to wrap the handler in a database transaction.
When omitted, defaults are derived from the HTTP method:
- GET โ false (read-only, no transaction)
- All others (POST, PUT, DELETE, PATCH) โ true
Set explicitly to override the default (e.g., false for a POST
that manages its own transaction like signup).
booleanactions/action_rpc.ts view source
<TSpec extends RequestResponseActionSpec>(spec: TSpec, handler: ActionHandler<output<TSpec["input"]>, output<TSpec["output"]>>): RpcAction Pair a spec with a handler while preserving per-method input/output types.
Constructing {spec, handler} literals widens handler to
ActionHandler<any, any>, so spec/handler drift (renamed Zod schema,
output field removal, input shape change) slips past the typechecker.
rpc_action(spec, handler) binds the handler signature to
(input: z.infer<spec.input>, ctx) => z.infer<spec.output> via the
generic spec parameter โ drift surfaces at the call site.
Fits fuz_app's factory-closure pattern (handlers close over
grantable_roles, app_settings ref, notification_sender, etc.).
zzz uses a different shape โ a codegen-keyed Record<Method, Handler>
map typed via generated ActionInputs/ActionOutputs โ which works when
handlers are pure (no closure state) and specs are codegen-enumerated.
fuz_app's admin + permit-offer actions have neither, so per-pair typing
at the registration site is the right fit.
specTSpechandlerActionHandler<output<TSpec["input"]>, output<TSpec["output"]>>RpcAction testing/rpc_helpers.ts view source
(args: RpcCallArgs): Promise<RpcCallResult> One-shot JSON-RPC call over a Hono app.
Merges sensible defaults (host, origin, Content-Type) under
caller-provided headers, fires POST (default) or GET, parses the envelope,
and returns a discriminated result.
argsPromise<RpcCallResult> Error - if the response body is neither a valid `JsonrpcResponse`testing/rpc_helpers.ts view source
<TSpec extends RequestResponseActionSpec>(args: RpcCallForSpecArgs<TSpec>): Promise<RpcCallResultForSpec<TSpec>> Typed wrapper over rpc_call โ binds params to z.infer<spec.input>
and the success result to z.infer<spec.output> via the generic.
Success results are validated at runtime against spec.output (same
contract as rpc_call_typed); a mismatch throws. Error responses come
back on the discriminated {ok: false, error} branch โ use this for
happy-path + denial-path assertions where the error data.reason shape
is still asserted manually. For adversarial input tests that send
malformed params, use the untyped rpc_call.
argsRpcCallForSpecArgs<TSpec>Promise<RpcCallResultForSpec<TSpec>> Error - if the success `result` does not parse against `spec.output`,testing/rpc_helpers.ts view source
(args: Omit<RpcCallArgs, "suppress_default_origin">): Promise<RpcCallResult> Same as rpc_call but without the default origin header. Use for
bearer-auth probes: bearer_auth discards the token when Origin or
Referer is present (browser context), so a bearer probe via rpc_call
would short-circuit to 401 before the token is ever validated.
Equivalent to rpc_call({...args, suppress_default_origin: true}).
argsOmit<RpcCallArgs, "suppress_default_origin">Promise<RpcCallResult> testing/rpc_helpers.ts view source
<T>(args: RpcCallArgs, output_schema: ZodType<T, unknown, $ZodTypeInternals<T, unknown>>): Promise<T> Same as rpc_call but parses the success result through the given
output schema and returns typed data. Envelope-level failures or error
responses throw โ use the untyped rpc_call for tests that need to
assert on specific error shapes.
argsoutput_schemaZodType<T, unknown, $ZodTypeInternals<T, unknown>>Promise<T> Error - if the response is a JSON-RPC error, if `rpc_call` throwsactions/action_rpc.ts view source
RpcAction An RPC action โ combines an action spec with its handler.
The spec defines the contract (method, auth, schemas, side effects). The handler implements the behavior.
spechandlertesting/rpc_attack_surface.ts view source
RpcAttackSurfaceOptions Options for describe_rpc_attack_surface_tests.
buildBuild the app surface bundle (surface + route specs + middleware specs + rpc_endpoints).
() => AppSurfaceSpecrolesAll roles in the app (e.g. ['admin', 'keeper']).
Array<string>testing/rpc_helpers.ts view source
RpcCallArgs Arguments for rpc_call.
appHono-like app (anything with a request(url, init) method).
{request: (input: string, init: RequestInit) => Promise<Response> | Response}pathRPC endpoint path, e.g. '/api/rpc'.
stringmethodJSON-RPC method name.
stringparamsParams for the call. Omit (or pass undefined) for parameterless
(z.void()) methods โ the helper drops params from the envelope
either way. See create_rpc_post_init for the null-stripping
affordance and JSON-RPC 2.0 ยง4.2's prohibition on params: null.
unknownheadersExtra request headers (session cookie, bearer, etc.). Overrides defaults.
Record<string, string>idRequest id. Defaults to 'test'.
string | numberverbHTTP verb โ 'POST' (default) or 'GET' for side_effects: false methods.
'POST' | 'GET'suppress_default_originSuppress the default origin header. Required for bearer-auth paths:
bearer_auth discards the token when Origin or Referer is present
(browser context), so probing it via rpc_call needs this flag โ or
use rpc_call_non_browser, which sets it for you.
booleantesting/rpc_helpers.ts view source
RpcCallForSpecArgs<TSpec> Arguments for rpc_call_for_spec. spec replaces the loose method field.
TSpectesting/rpc_helpers.ts view source
RpcCallResult Discriminated return from rpc_call. status is the HTTP status.
testing/rpc_helpers.ts view source
RpcCallResultForSpec<TSpec> Typed discriminated result returned by rpc_call_for_spec. The success
branch's result is inferred from TSpec['output']. The error branch
stays untyped because JSON-RPC error.data shapes vary per error and
are asserted per call site.
TSpecactions/rpc_client.ts view source
RpcClientCallOptions Per-call options accepted by every typed Proxy method. Same shape as
ActionPeerSendOptions โ the client threads these through unchanged
to the underlying peer. transport_name overrides the per-method
transport_for_method selector for this call.
RpcEndpointSpec An RPC endpoint definition for surface generation.
pathstringactionsArray<RpcAction>testing/rpc_helpers.ts view source
RpcEndpointsSuiteOption Union accepted by the suite-level rpc_endpoints option โ eager array or
a factory that takes an AppServerContext and returns endpoint specs. The
factory form is required when action handlers must close over the
per-test ctx.app_settings / ctx.deps (e.g. the canonical
create_standard_rpc_actions(ctx.deps, {app_settings: ctx.app_settings})
pattern). create_app_server resolves either shape natively; test helpers
forward the raw value to app_options.rpc_endpoints for live dispatch.
testing/rpc_round_trip.ts view source
RpcRoundTripTestOptions Options for describe_rpc_round_trip_tests.
session_optionsSession config for cookie-based auth.
SessionOptions<string>create_route_specsRoute spec factory โ same one used in production.
(ctx: AppServerContext) => Array<RouteSpec>rpc_endpointsRPC endpoint specs โ the source RpcAction arrays for params generation.
Accepts either an array (eager) or a factory
(ctx: AppServerContext) => Array<RpcEndpointSpec> โ the factory form
is required when action handlers must close over the per-test
ctx.app_settings / ctx.deps. The factory must return the same
endpoint path and spec.method list regardless of ctx โ it is
invoked once at setup (via a stub ctx) to enumerate methods and
again per-test by create_app_server for live dispatch.
app_optionsOptional overrides for AppServerOptions.
db_factoriesDatabase factories to run tests against. Default: pglite only.
Array<DbFactory>skip_methodsMethods to skip, by name (e.g., 'tx_plan').
Array<string>input_overridesOverride generated params for specific methods (method name โ params).
Map<string, Record<string, unknown>>testing/rpc_helpers.ts view source
RpcTestTransport Minimal transport surface โ the duck type Hono.request already satisfies.
Extracted so test setups that want an in-process / WS / mock path can plug
a different dispatcher without changing call sites.
(deps: AuthCleanupDeps): Promise<AuthCleanupResult> Run every auth cleanup sweep โ expired sessions and expired permit offers โ and return the counts.
Consumers call this from a scheduled task (setInterval, cron, etc.) alongside their own domain cleanup. Errors from individual sweeps are re-thrown so the caller's scheduler can log/alert; use the per-task helpers (query_session_cleanup_expired, cleanup_expired_permit_offers) directly if you need finer error isolation.
depsPromise<AuthCleanupResult> Error - re-thrown from any sweep that fails (no per-sweep isolation here)(runtime: CommandDeps, command: string, args: string[]): Promise<CommandResult> Run a local command and return the result.
runtimeruntime with run_command capability
commandcommand to run
stringargscommand arguments
string[]Promise<CommandResult> command result
(db: Db, namespaces: MigrationNamespace[]): Promise<MigrationResult[]> Run pending migrations for each namespace.
For each namespace: acquires an advisory lock, reads applied rows ordered
by sequence, length-checks (binary-older-than-db short-circuits), name-
prefix-verifies, then runs the pending tail in a single chain transaction.
Each migration's row is INSERTed with sequence = max(sequence) + 1 for
the namespace.
Length check before name verify is load-bearing: a binary-older case
with a rename in the overlap would otherwise fire name-divergence-at-N
first and the operator would chase a phantom source-revert before
discovering the binary is the real problem.
Atomicity: any failure rolls back every migration that ran in that invocation. Namespaces are independent: a later namespace's failure does not roll back an earlier namespace that already committed.
Concurrency: per-namespace advisory locks reduce contention in
multi-instance deployments but are best-effort on pool drivers (see
the module docstring's "Advisory locking" notes). Correctness on concurrent boots
falls out of chain-tx atomicity + the (namespace, name) PK โ the
loser's INSERT triggers PK violation and rollback; subsequent boots
see the committed state.
dbthe database instance
namespacesmigration namespaces, processed in the order passed
MigrationNamespace[]Promise<MigrationResult[]> one result per namespace where work happened (already-up-to-date namespaces are omitted)
MigrationError - with `kind` of `binary-older-than-db`,RunCommandOptions Options for run_command.
cwdWorking directory for the child process.
stringsignalAbortSignal to terminate the child process.
AbortSignaltimeout_msKill the process and return timed_out: true after this many milliseconds.
numberRuntimeDeps Full runtime capabilities returned by create_deno_runtime or create_node_runtime.
Extends all *Deps interfaces with additional app-level capabilities.
Functions should accept narrow *Deps interfaces, not this full type โ
this type is for the wiring layer that creates and passes the runtime.
env_allGet all environment variables.
() => Record<string, string>argsCLI arguments passed to the program.
ReadonlyArray<string>cwdGet current working directory.
() => stringrun_command_inheritRun a command with inherited stdout/stderr (output goes directly to terminal).
(cmd: string, args: Array<string>) => Promise<number><T>(runtime: Pick<FsWriteDeps, "mkdir" | "write_text_file">, path: string, dir: string, config: T): Promise<void> Save CLI configuration to a JSON file.
runtimeruntime with file write capability
Pick<FsWriteDeps, "mkdir" | "write_text_file">pathpath to the config JSON file
stringdirdirectory containing the config file (created if missing)
stringconfigconfiguration to save
TPromise<void> (obj: unknown): EnvVarRef[] Recursively scan an object for $$VAR$$ env var references.
Walks all string values in the object tree and extracts env var names with their path context for error reporting.
objobject to scan (typically a config)
unknownEnvVarRef[] array of env var references with paths
http/schema_helpers.ts view source
(schema: ZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>): unknown Convert a Zod schema to a JSON-serializable representation for the surface.
Returns null for null schemas, JSON Schema for object schemas.
schemaZodType<unknown, unknown, $ZodTypeInternals<unknown, unknown>>unknown SchemaFieldMeta Zod .meta() shape for fuz_app schema metadata conventions.
descriptionstringsensitivitySensitivity level for masking/redaction. 'secret' masks the value.
(deps: SeedDevAccountDeps, input: SeedDevAccountInput, options?: { log?: SetupLogger | undefined; } | undefined): Promise<...> Seed a development test account, bypassing username/password policy.
Idempotent by username โ if an account with the given username already exists, reuses it and only reconciles the requested role grants. Never updates an existing password (rerun would silently rotate it).
Intended for scripts/dev_setup.ts โ do not call in production.
depsinputoptions?{ log?: SetupLogger | undefined; } | undefinedPromise<SeedDevAccountResult> Error - if an existing account is found without an associated actor rowSeedDevAccountDeps Dependencies for seed_dev_account.
hash_passwordPassword hasher (e.g., argon2_password_deps.hash_password).
(password: string) => Promise<string>SeedDevAccountInput Input to seed_dev_account.
usernameAccount username. Policy is bypassed โ any non-empty string is accepted.
stringpasswordAccount password. Policy is bypassed โ any non-empty string is accepted.
stringrolesRoles to grant via permit (idempotent).
ReadonlyArray<string>SeedDevAccountResult Result of seed_dev_account.
account_idstringactor_idstringcreatedTrue if a new account was created; false if one already existed.
booleantesting/auth_apps.ts view source
(apps: AuthTestApps, auth: RouteAuth): Hono<BlankEnv, BlankSchema, "/"> Select the Hono test app with correct auth for a route.
appsauthHono<BlankEnv, BlankSchema, "/"> Error - if `auth.type === 'role'` and `auth.role` is not present inauth/self_service_role_action_specs.ts view source
{ method: string; kind: "request_response"; initiator: "frontend"; auth: "authenticated"; side_effects: true; input: ZodObject<{ role: ZodString; enabled: ZodBoolean; }, $strict>; output: ZodObject<...>; async: true; description: string; } auth/self_service_role_actions.ts view source
SelfServiceRoleActionDeps Dependencies for create_self_service_role_actions. Same shape as the
peer factories so consumers thread one deps object through all three.
audit_log_config flows from AppDeps and is consumed by
audit_log_fire_and_forget.
auth/self_service_role_actions.ts view source
SelfServiceRoleActionsOptions Options for create_self_service_role_actions.
eligible_rolesAllowlist of role strings eligible for self-service. Empty array
effectively disables the surface โ every call comes back as
forbidden with reason role_not_self_service_eligible.
ReadonlyArray<string>rolesOptional role schema. When supplied, eligible_roles entries are
checked against roles.role_options at factory time so typos throw
at startup instead of at first call.
auth/self_service_role_action_specs.ts view source
ZodObject<{ role: ZodString; enabled: ZodBoolean; }, $strict> Input for self_service_role_set.
auth/self_service_role_action_specs.ts view source
ZodObject<{ ok: ZodLiteral<true>; enabled: ZodBoolean; changed: ZodBoolean; }, $strict> Output for self_service_role_set. enabled echoes the post-call state
(always equals the input enabled on success). changed is true only
when the call mutated โ re-grants / re-revokes return false.
testing/integration_helpers.ts view source
readonly string[] Field names that must never appear in any HTTP response body.
"secret" Sensitivity level for a schema field.
- 'secret' โ value is masked in logs and UI (e.g. passwords, API keys, signing keys)
ServerEnvOptions Validated server env config โ the artifacts create_app_server() needs.
oktruekeyringallowed_originsArray<RegExp>bootstrap_token_pathstring | nullServerEnvOptionsError Error from validate_server_env โ keyring or origin validation failed.
okfalsefield'SECRET_COOKIE_KEYS' | 'ALLOWED_ORIGINS'errorsArray<string>ServerEnvOptionsResult actions/register_action_ws.ts view source
ServerHeartbeatOptions timeoutReceive-silence (ms) past which the server closes the socket with
WS_CLOSE_SERVER_HEARTBEAT_TIMEOUT. Any incoming message resets
the counter โ chatty clients never trip it. First timeout
window after socket open is exempt (cold-start grace).
numberhttp/common_routes.ts view source
ServerStatusOptions Options for the authenticated server status route.
versionApplication version string.
stringget_uptime_msReturns milliseconds since server start.
() => numberServeStaticFactory Factory function that creates a static file serving middleware.
Matches the signature of serveStatic from hono/deno and @hono/node-server/serve-static.
ServeStaticOptions Options for serve_static factory functions (matches Hono's serveStatic signature).
rootstringrewriteRequestPath(path: string) => stringmimesRecord<string, string>auth/session_cookie.ts view source
number Cookie max age in seconds (30 days โ aligned with AUTH_SESSION_LIFETIME_MS).
auth/session_cookie.ts view source
SessionCookieOptions Default cookie options for session cookies.
Uses strict security settings:
- secure: true - Works on localhost in Chrome/Firefox (treated as secure context)
- sameSite: 'strict' - Prevents CSRF
- httpOnly: true - Prevents XSS access to cookie
auth/session_queries.ts view source
(deps: QueryDeps, token_hash: string, pending_effects: Promise<void>[] | undefined, log: Logger): Promise<void> Touch a session without blocking the caller.
Errors are logged to console โ session touching never breaks request flows.
Pass pending_effects (from c.var.pending_effects) to register
the promise for test flushing.
depsquery dependencies
token_hashblake3 hash of the session token
stringpending_effectsoptional array to register the effect for later awaiting
Promise<void>[] | undefinedlogthe logger instance
LoggerPromise<void> the settled promise (callers may ignore it โ fire-and-forget semantics preserved)
auth/account_schema.ts view source
SessionAccount Account without sensitive fields, scoped to the authenticated user's own session.
idUuidusernameemailEmail | nullemail_verifiedbooleancreated_atstringauth/account_schema.ts view source
ZodObject<{ id: $ZodBranded<ZodUUID, "Uuid", "out">; username: ZodString; email: ZodNullable<ZodEmail>; email_verified: ZodBoolean; created_at: ZodString; }, $strict> Zod schema for SessionAccount โ account without sensitive fields.
auth/session_cookie.ts view source
SessionCookieOptions Cookie options for session cookies.
pathstringhttpOnlybooleansecurebooleansameSite'strict' | 'lax' | 'none'maxAgenumberauth/account_action_specs.ts view source
ZodVoid Input for account_session_list. No parameters.
auth/account_action_specs.ts view source
ZodObject<{ sessions: ZodArray<ZodObject<{ id: ZodString; account_id: $ZodBranded<ZodUUID, "Uuid", "out">; created_at: ZodString; expires_at: ZodString; last_seen_at: ZodString; }, $strict>>; }, $strict> Output for account_session_list.
auth/session_cookie.ts view source
SessionOptions<TIdentity> Configuration for a session cookie format.
Apps provide encode/decode to control the identity portion of the cookie payload.
The TIdentity type parameter determines the trust model:
- string (e.g. a session_id) โ the cookie references a server-side session record,
enabling per-session revocation and metadata. Use when you need admin controls
like "revoke all sessions" or per-session audit trails.
- number (e.g. an account_id) โ the cookie directly encodes the user identity,
requiring no server-side session state. Simpler, but individual sessions
can only be invalidated by rotating the signing key (which invalidates all sessions).
TIdentity// tx: 3-part format (admin:session_id)
const tx_config: SessionOptions<string> = {
cookie_name: 'tx_session',
context_key: 'auth_session_id',
encode_identity: (session_id) => `admin:${session_id}`,
decode_identity: (payload) => {
const parts = payload.split(':');
if (parts.length !== 2 || parts[0] !== 'admin') return null;
return parts[1] || null;
},
};
// visiones: 1-part format (account_id)
const visiones_config: SessionOptions<number> = {
cookie_name: 'session_id',
context_key: 'auth_session_id',
encode_identity: (id) => String(id),
decode_identity: (payload) => {
const n = parseInt(payload, 10);
return Number.isFinite(n) && n > 0 ? n : null;
},
};cookie_namestringcontext_keyHono context variable name for the identity.
stringmax_agenumbercookie_optionsPartial<SessionCookieOptions>encode_identityEncode identity into the cookie payload (before the :expires_at suffix).
(identity: TIdentity) => stringdecode_identityDecode identity from cookie payload. Return null if invalid.
(payload: string) => TIdentity | nullauth/account_action_specs.ts view source
ZodVoid Input for account_session_revoke_all. No parameters.
auth/account_action_specs.ts view source
ZodObject<{ ok: ZodLiteral<true>; count: ZodNumber; }, $strict> Output for account_session_revoke_all.
auth/account_action_specs.ts view source
ZodObject<{ session_id: ZodString; }, $strict> Input for account_session_revoke. session_id is the blake3 hash.
auth/account_action_specs.ts view source
ZodObject<{ ok: ZodLiteral<true>; revoked: ZodBoolean; }, $strict> Output for account_session_revoke. revoked is false for IDOR misses.
(runtime: MockRuntime, input: string): void Set stdin buffer for simulating user input.
runtimeinputstring to provide as stdin input
stringvoid auth/session_middleware.ts view source
<T>(c: Context<any, any, {}>, value: string, options: SessionOptions<T>): void Set the session cookie on a response.
cContext<any, any, {}>valuestringoptionsSessionOptions<T>void (deps: FsReadDeps & FsWriteDeps & CommandDeps & EnvDeps, app_name: string, options?: SetupBootstrapTokenOptions | undefined): Promise<...> Create a bootstrap token file if it doesn't exist.
The token is a one-shot secret used to create the first admin account.
Stored at ~/.{app_name}/secret_bootstrap_token by default.
depsfile, command, and env capabilities
FsReadDeps & FsWriteDeps & CommandDeps & EnvDepsapp_nameapplication name (used for default state directory)
stringoptions?state_dir override, permissions, logger
SetupBootstrapTokenOptions | undefinedPromise<SetupTokenResult> result indicating whether a token was created
(deps: FsReadDeps & FsWriteDeps & CommandDeps, env_path: string, example_path: string, options?: SetupEnvOptions | undefined): Promise<...> Create an env file from its example template, auto-generating SECRET_COOKIE_KEYS.
If the file already exists, backfills any empty values that have generators. Idempotent โ safe to re-run.
depsfile read, write, and command capabilities
FsReadDeps & FsWriteDeps & CommandDepsenv_pathpath for the env file (e.g. .env.development)
stringexample_pathpath to the example template
stringoptions?extra replacements, permissions, logger
SetupEnvOptions | undefinedPromise<SetupEnvResult> result indicating whether the file was created or updated
SetupBootstrapTokenOptions Options for setup_bootstrap_token.
state_dirState directory override. Defaults to ~/.{app_name}.
stringset_permissionsOptional callback to set file/directory permissions.
(path: string, mode: number) => Promise<void>logSetupEnvOptions Options for setup_env_file.
replacementsExtra env var replacements beyond the default SECRET_COOKIE_KEYS.
Keys are env var names, values are async generators.
Replaces ^KEY=$ (empty value) patterns in the env file.
Record<string, () => Promise<string>>set_permissionsOptional callback to set file permissions (e.g. Deno.chmod).
(path: string, mode: number) => Promise<void>logSetupEnvResult Result of setup_env_file.
createdWhether a new file was created (vs updating existing).
booleanupdatedWhether any values were generated/replaced.
booleanpathThe env file path.
stringSetupLogger Optional logger for setup helpers.
Functions that accept a logger use it for status messages. When omitted, a default bracket-format logger writes to console.
ok(msg: string) => voidskip(msg: string) => voiderror(msg: string) => voidSetupTokenResult Result of setup_bootstrap_token.
createdWhether a new token was created (false if already existed).
booleantoken_pathThe token file path.
string(origin: string, allowed_patterns: RegExp[]): boolean Tests if a request source (origin or referer) matches any of the allowed patterns. Pattern matching is case-insensitive for domains (as per web standards).
originstringallowed_patternsRegExp[]boolean actions/action_event_helpers.ts view source
(kind: "request_response" | "remote_notification" | "local_call", phase: "send_request" | "receive_request" | "send_response" | "receive_response" | "send_error" | "receive_error" | "send" | "receive" | "execute"): boolean kind"request_response" | "remote_notification" | "local_call"phase"send_request" | "receive_request" | "send_response" | "receive_response" | "send_error" | "receive_error" | "send" | "receive" | "execute"boolean actions/broadcast_api.ts view source
ShouldDeliverFn Per-connection delivery predicate for subscription ACLs.
Called once per connection for every broadcast send. Returning false
skips that connection. Keep it fast โ this runs in the broadcast hot path.
input is the already-validated payload (matches the spec's input schema);
method is the action method name.
ui/sidebar_state.svelte.ts view source
{ get: (error_message?: string | undefined) => () => SidebarState; get_maybe: () => (() => SidebarState) | undefined; set: (value: () => SidebarState) => () => SidebarState; } Svelte context carrying a reactive SidebarState accessor. Set by
AppShell.svelte (creates a fresh SidebarState if not supplied);
consumers call sidebar_state_context.get() to read or toggle visibility.
ui/sidebar_state.svelte.ts view source
constructortype new (options?: SidebarStateOptions | undefined): SidebarState
options?SidebarStateOptions | undefinedtoggle_sidebartype (value?: boolean): void
valueboolean!this.show_sidebarvoidactivateShow the sidebar and enable the toggle. The returned disposer hides
and disables on cleanup โ pair with $effect for scoped activation.
type (): () => void
() => voidui/sidebar_state.svelte.ts view source
SidebarStateOptions enabledReactive getter that controls whether the sidebar is enabled. When
supplied, overrides the internal enabled state โ show_sidebar
auto-returns false while the getter returns false.
() => booleanui/SignupForm.svelte view source
redirect_on_signup?Path to navigate to after a successful signup.
stringauth/signup_routes.ts view source
ZodObject<{ username: ZodString; password: ZodString; email: ZodOptional<ZodEmail>; }, $strict> Input for POST /signup. email is optional and must match any referenced invite.
auth/signup_routes.ts view source
ZodObject<{ ok: ZodLiteral<true>; }, $strict> Output for POST /signup. Session cookie is the operative side effect.
auth/signup_routes.ts view source
SignupRouteOptions Per-factory configuration for signup route specs.
signup_account_rate_limiterRate limiter for signup attempts, keyed by submitted username. Pass null to disable.
RateLimiter | nullapp_settingsMutable ref to app settings โ when open_signup is true, invite check is skipped.
actions/socket.svelte.ts view source
(status: SocketStatus, revoked: boolean): AsyncStatus Project SocketStatus onto fuz_util's AsyncStatus โ the
5-way โ 4-way mapping every consumer re-derives to surface connection state
to UI (loading indicators, retry banners). Collapses reconnecting into
failure (UI shows "lost, retrying") and splits closed by revoked so
a terminal session-revocation read as failure while a clean client-
initiated close reads as initial (the "not connected, not trying" state).
statusrevokedwhether the session has been permanently revoked
(typically FrontendWebsocketClient.revoked)
booleanAsyncStatus actions/register_action_ws.ts view source
SocketCloseContext Context passed to the on_socket_close hook.
Fires before transport.remove_connection runs, so consumer cleanup can
still read identity before it's torn down. Fires for both client-initiated
closes (Hono onClose) and server-initiated closes via audit revocation
(the audit guard calls ws.close(), which triggers Hono's onClose).
wsThe raw WebSocket context at close time.
WSContextconnection_idConnection id captured at open time.
UuididentityAuth identity captured at open time โ still valid even if the transport already cleaned up.
actions/socket.svelte.ts view source
SocketErrorHandler actions/socket.svelte.ts view source
SocketMessageHandler actions/register_action_ws.ts view source
SocketOpenContext Context passed to the on_socket_open hook.
Fires after the transport has registered the new connection (so
connection_id is valid) but before any client message can dispatch.
Consumers use this to bootstrap per-socket domain state โ e.g. undying
spawns the per-account spirit unit and pushes an initial state snapshot.
wsThe raw WebSocket context โ exposed for edge cases; prefer notify for sends.
WSContextconnection_idConnection id assigned by BackendWebsocketTransport.add_connection.
UuididentityAuth identity registered for this connection.
notifySend a JSON-RPC notification to just this socket. Mirrors ctx.notify
on per-message handler contexts โ same socket-scoped semantics.
(method: string, params: unknown) => voidsignalFires when this socket closes โ threaded through to every handler's ctx.signal.
AbortSignalactions/socket.svelte.ts view source
SocketStatus Client-side WebSocket status.
- initial โ never connected; connect() has not been called.
- connecting โ WebSocket readyState === CONNECTING.
- connected โ WebSocket readyState === OPEN.
- reconnecting โ close fired; waiting out backoff before next attempt.
- closed โ socket is not open. Terminal only when revoked is true
or auto-reconnect is disabled; otherwise connect() reopens.
actions/action_codegen.ts view source
SpecSource One source in a multi-source consumer's namespace map. ns is the local
alias used inside the generated file; module is the import path; specs
is the runtime spec array. create_namespace_qualifier consumes a list of
these.
nsstringmodulestringspecsReadonlyArray<ActionSpecUnion>": connected\n\n" SSE comment sent on connect to flush headers through proxies. Exported for test assertions.
SseNotification Notification shape aligned with JSON-RPC 2.0.
Uses {method, params} to match the JSON-RPC notification format.
methodNotification method name (e.g. 'run_created', 'host_updated').
stringparamsMethod-specific payload.
unknowntesting/sse_round_trip.ts view source
SseRouteTestOptions Options for describe_sse_route_tests.
session_optionsSession config for cookie-based auth.
SessionOptions<string>create_route_specsRoute spec factory โ same shape as production.
(ctx: AppServerContext) => Array<RouteSpec>app_optionsOptional overrides for AppServerOptions.
db_factoriesDatabase factories to run tests against. Default: pglite only.
Array<DbFactory>on_audit_eventBackend audit event callback โ threaded to create_test_app_server.
Use to wire a close-on-revoke guard for consumer SSE registries
(e.g., via create_sse_auth_guard) so session_revoke_all actually
closes the tested streams.
(event: AuditLogEvent) => voidrpc_endpointsRPC endpoint specs โ required so the close-on-revoke assertion can
dispatch account_session_revoke_all via RPC (the former REST route
POST /api/account/sessions/revoke-all was removed in the 2026-04-23
migration). Hard-fails via require_rpc_endpoint_path on setup.
Accepts either an array (eager) or a factory
(ctx: AppServerContext) => Array<RpcEndpointSpec> โ the factory form
is required when action handlers must close over the per-test
ctx.app_settings / ctx.deps. The factory must return the same
endpoint path regardless of ctx โ it is invoked once at setup with
a stub ctx for path lookup and again per-test by create_app_server
for live dispatch.
routesSSE routes to exercise.
Array<SseRouteTestSpec>testing/sse_round_trip.ts view source
SseRouteTestSpec Config for a single SSE route under test.
pathFull HTTP path of the SSE endpoint (e.g., '/api/tx/subscribe').
stringtriggerFire an event matching one of the declared event_specs that should
reach the open stream. Called after the : connected comment is observed.
The triggered frame must be a JSON-serializable {method, params} payload.
(ctx: {test_app: TestApp; account: TestAccount}) => Promise<void>event_specsEvent specs to validate the triggered payload against. When omitted,
the payload is only asserted to be well-formed {method, params}.
Array<EventSpec>assert_closes_on_revokeWhether to assert the stream closes after session_revoke_all.
Default true. Set false for endpoints that don't wire a close-on-revoke
guard (leaves a TODO to fix, rather than silently passing).
booleanSseStream<T> Generic SSE stream controller interface.
Transport-agnostic โ works with any serializable type.
TunknownsendSend data to the client as a JSON SSE event.
(data: T) => voidcommentSend a comment (for keep-alive pings).
(text: string) => voidcloseClose the stream.
() => voidon_closeRegister a listener called when the stream closes (client disconnect or explicit close).
(fn: () => void) => voidtesting/admin_integration.ts view source
StandardAdminIntegrationTestOptions Configuration for describe_standard_admin_integration_tests.
session_optionsSession config for cookie-based auth.
SessionOptions<string>create_route_specsRoute spec factory โ same one used in production.
(ctx: AppServerContext) => Array<RouteSpec>rolesRole schema result from create_role_schema() โ used to determine valid/invalid/web-grantable roles.
rpc_endpointsRPC endpoint specs โ the source RpcAction arrays. Required; permit grant/revoke are RPC-only and the suite hard-fails without them.
Accepts either an array (eager) or a factory
(ctx: AppServerContext) => Array<RpcEndpointSpec> โ the factory form
is required when action handlers must close over the per-test
ctx.app_settings / ctx.deps (e.g. the canonical
create_standard_rpc_actions(ctx.deps, {app_settings: ctx.app_settings})
pattern). The factory must return the same endpoint path regardless
of ctx โ it is invoked once at setup with a stub ctx for path lookup
and again per-test by create_app_server for live dispatch.
admin_prefixPath prefix where admin routes are mounted (e.g., '/api/admin').
Used by the 401/403 error-coverage probe to scope to fuz_app admin
routes only, avoiding app-specific admin-gated routes that may use
stub deps. Default '/api/admin'.
stringapp_optionsOptional overrides for AppServerOptions.
db_factoriesDatabase factories to run tests against. Default: pglite only.
Pass consumer factories (e.g. [pglite_factory, pg_factory]) to also test against PostgreSQL.
Array<DbFactory>testing/attack_surface.ts view source
StandardAttackSurfaceOptions Options for the standard attack surface test suite.
buildBuild the app surface bundle (surface + route specs + middleware specs).
() => AppSurfaceSpecsnapshot_pathAbsolute path to the committed snapshot JSON file.
stringexpected_public_routesExpected public routes, e.g. ['GET /health', 'POST /api/account/login'].
Array<string>expected_api_middlewareExpected middleware names for API routes, e.g. ['origin', 'session', 'request_context', 'bearer_auth'].
Array<string>rolesAll roles in the app (e.g. ['admin', 'keeper']).
Array<string>api_path_prefixPath prefix for middleware stack assertion. Default '/api/'.
stringsecurity_policySecurity policy configuration. Omit for sensible defaults.
error_schema_tightnessError schema tightness assertion config. Defaults to
DEFAULT_ERROR_SCHEMA_TIGHTNESS (ignores 401/403/429,
min_specificity: 'enum', allowlist seeded with
FUZ_APP_STOCK_ROUTE_TIGHTNESS_ALLOWLIST).
Consumer-supplied allowlist and ignore_statuses are additive โ
the suite merges them underneath the stock defaults, so project-specific
entries don't need to re-list fuz_app's own stock routes. Pass a narrower
config to extend either list or tighten min_specificity; pass null
to skip the assertion and keep the audit log informational-only.
ErrorSchemaTightnessOptions | nulltesting/integration.ts view source
StandardIntegrationTestOptions Configuration for describe_standard_integration_tests.
session_optionsSession config for cookie-based auth.
SessionOptions<string>create_route_specsRoute spec factory โ same one used in production.
(ctx: AppServerContext) => Array<RouteSpec>app_optionsOptional overrides for AppServerOptions.
db_factoriesDatabase factories to run tests against. Default: pglite only.
Pass consumer factories (e.g. [pglite_factory, pg_factory]) to also test against PostgreSQL.
Array<DbFactory>rpc_endpointsRPC endpoint specs โ required. This suite dispatches
account_verify, account_session_*, and account_token_* via
rpc_call_for_spec (the /api/account/verify REST route is a
status-only nginx shim with no payload). Hard-fails via
require_rpc_endpoint_path on setup so consumer projects see a
clear setup error instead of confusing test failures.
Accepts either an array (eager) or a factory
(ctx: AppServerContext) => Array<RpcEndpointSpec> โ the factory form
is required when action handlers must close over the per-test
ctx.app_settings / ctx.deps (e.g. the canonical
create_standard_rpc_actions(ctx.deps, {app_settings: ctx.app_settings})
pattern). The factory must return the same endpoint path regardless
of ctx โ it is invoked once at setup with a stub ctx for path lookup
and again per-test by create_app_server for live dispatch.
auth/standard_rpc_actions.ts view source
PermitOfferActionDeps Dependencies for create_standard_rpc_actions.
Same shape as PermitOfferActionDeps โ log, on_audit_event, and an
optional notification_sender for permit-offer WS fan-out. Admin and
account factories only read log + on_audit_event; the extra field
is harmless.
auth/standard_rpc_actions.ts view source
StandardRpcActionsOptions Options for create_standard_rpc_actions.
Composes AdminActionOptions (roles, app_settings),
PermitOfferActionOptions (roles, default_ttl_ms, authorize), and
AccountActionOptions (max_tokens). roles is shared between admin
and permit-offer โ the caller supplies it once and the helper threads
the same reference to both.
testing/standard.ts view source
StandardTestOptions Configuration for describe_standard_tests.
session_optionsSession config for cookie-based auth.
SessionOptions<string>create_route_specsRoute spec factory โ same one used in production.
(ctx: AppServerContext) => Array<RouteSpec>app_optionsOptional overrides for AppServerOptions.
Partial<
Omit<AppServerOptions, 'backend' | 'session_options' | 'create_route_specs'>
>db_factoriesDatabase factories to run tests against. Default: pglite only.
Array<DbFactory>rolesRole schema result from create_role_schema().
When provided, admin integration tests are included.
rpc_endpointsRPC endpoint specs โ required. The standard integration tests drive
account_verify, account_session_*, account_token_* through the
RPC surface (and admin tests, when wired, drive permit grant/revoke
through it too).
Accepts either an array (eager) or a factory
(ctx: AppServerContext) => Array<RpcEndpointSpec>. Round-tripped
to both sub-suites unchanged โ see their docstrings for the full
factory-form contract.
admin_prefixPath prefix where admin routes are mounted.
Default '/api/admin'.
stringauth/daemon_token_middleware.ts view source
(runtime: Pick<EnvDeps, "env_get"> & Pick<FsWriteDeps, "mkdir" | "write_text_file" | "rename"> & { chmod?: ((path: string, mode: number) => Promise<...>) | undefined; } & FsRemoveDeps, deps: QueryDeps, options: DaemonTokenRotationOptions, log: Logger): Promise<...> Start daemon token rotation.
Generates an initial token, writes it to disk, resolves the keeper account, and sets up periodic rotation. Returns the mutable state object and a stop function.
runtimeruntime with file, env, and remove capabilities
Pick<EnvDeps, "env_get"> & Pick<FsWriteDeps, "mkdir" | "write_text_file" | "rename"> & { chmod?: ((path: string, mode: number) => Promise<void>) | undefined; } & FsRemoveDepsdepsquery dependencies for resolving keeper account
optionsrotation configuration
logthe logger instance
LoggerPromise<DaemonTokenRotation> rotation state and stop function
Error - if `$HOME` is not set so the daemon token path cannot be resolvedStatResult Result of a stat operation.
is_filebooleanis_directoryboolean(runtime: Pick<EnvDeps, "env_get"> & Pick<FsReadDeps, "stat" | "read_text_file"> & FsRemoveDeps & CommandDeps & LogDeps, name: string): Promise<...> Stop a running daemon by sending SIGTERM and cleaning up the PID file.
Returns a result object instead of logging directly, separating lifecycle from presentation. Errors removing the PID file are swallowed (the daemon's own shutdown handler may have removed it concurrently).
runtimeruntime with command, file, and env capabilities
Pick<EnvDeps, "env_get"> & Pick<FsReadDeps, "stat" | "read_text_file"> & FsRemoveDeps & CommandDeps & LogDepsnameapplication name
stringPromise<StopDaemonResult> result describing the outcome
StopDaemonResult Result of a stop_daemon operation.
stoppedWhether a daemon was stopped.
booleanpidPID of the stopped daemon, if any.
numbermessageHuman-readable message describing the outcome.
stringany Throwing stub โ use for deps that should never be reached.
AppDeps Stub AppDeps for auth surface tests โ throws on any method access.
(): Response Stub handler that returns a 200 response.
Response (_c: any, next: any): Promise<void> Stub middleware that passes through.
_canynextanyPromise<void> testing/app_server.ts view source
PasswordHashDeps Fast password stub for tests that don't exercise login/password flows.
Hashes are deterministic (stub_hash_<password>) and verify correctly,
so auth bootstrap and session creation work without Argon2 overhead.
testing/ws_round_trip.ts view source
StubUpgrade The return of create_stub_upgrade โ fake upgradeWebSocket + factory capture.
upgradeWebSocketUpgradeWebSocketget_create_events() => (c: Context) => WSEvents | Promise<WSEvents>realtime/subscriber_registry.ts view source
SubscribeOptions Options for SubscriberRegistry.subscribe.
channelsChannels to subscribe to. Empty/absent = all channels.
ReadonlyArray<string>scopePrimary (capped) identity โ e.g., session hash. Subject to
max_per_scope and matched by close_by_identity.
stringgroupsGrouping identities โ e.g., account id. Matched by close_by_identity
but NOT subject to the cap. Use for coarse-targeted close.
ReadonlyArray<string>realtime/subscriber_registry.ts view source
Subscriber<T> TstreamSseStream<T>channelsChannels this subscriber listens to. null means all channels.
Set<string> | nullscopePrimary (capped) identity. null when none.
string | nullgroupsGrouping identities for close_by_identity. null when none.
Set<string> | nullrealtime/subscriber_registry.ts view source
Generic subscriber registry with channel-based filtering and identity-keyed disconnection.
Subscribers connect with optional channel filters, a capped scope, and
uncapped groups. Broadcasts go to a specific channel and reach only
matching subscribers. close_by_identity force-closes all subscribers
whose scope or groups contain the given key โ use for auth revocation.
Tconst registry = new SubscriberRegistry<SseNotification>();
// subscriber connects (from SSE endpoint)
const unsubscribe = registry.subscribe(stream, {channels: ['runs']});
// when a run changes
registry.broadcast('runs', {method: 'run_created', params: {run}});
// subscriber disconnects
unsubscribe();// scope = session hash (capped), groups = [account id] (close-only)
const unsubscribe = registry.subscribe(stream, {
channels: ['audit_log'],
scope: session_hash,
groups: [account_id],
});
// coarse โ close all of a user's streams on role revocation
registry.close_by_identity(account_id);
// fine โ close just the stream(s) tied to a specific session
registry.close_by_identity(session_hash);constructortype new <T>(options?: SubscriberRegistryOptions | undefined): SubscriberRegistry<T>
options?SubscriberRegistryOptions | undefinedsubscribeAdd a subscriber.
type (stream: SseStream<T>, options?: SubscribeOptions | undefined): () => void
streamSSE stream to send data to
SseStream<T>options?channel filter and identity slots (scope + groups)
SubscribeOptions | undefined() => voidunsubscribe function
broadcastBroadcast data to all subscribers on a channel.
Subscribers with no channel filter receive all broadcasts. Subscribers with a channel filter only receive matching broadcasts.
type (channel: string, data: T): void
channelstringdataTvoidclose_by_identityForce-close all subscribers whose scope or groups match the given key.
Closes each matching stream and removes the subscriber from the registry. Use for auth revocation โ when a user's permissions change, close their SSE connections so they must reconnect and re-authenticate.
type (identity: string): number
identitythe identity key to match (checked against scope and groups)
stringnumberthe number of subscribers closed
realtime/subscriber_registry.ts view source
SubscriberRegistryOptions Options for SubscriberRegistry.
max_per_scopeMax subscribers sharing a single scope. On subscribe, when the count
of subscribers with the same scope reaches this limit, the oldest
matching subscriber(s) are closed before the new one is added.
null (default) disables the cap. groups identities are never capped.
number | nulltesting/app_server.ts view source
Partial<Omit<AppServerOptions, "backend" | "session_options" | "create_route_specs" | "rpc_endpoints">> app_options shape accepted by DB-backed suite helpers
(describe_standard_integration_tests, describe_audit_completeness_tests,
etc.). Excludes rpc_endpoints on top of the fields CreateTestAppOptions
excludes โ suites require rpc_endpoints at the suite level (hard-failed
by require_rpc_endpoint_path) so setup-time path lookup and runtime
dispatch read from one source of truth. Low-level create_test_app
callers still pass rpc_endpoints via app_options.
auth/permit_offer_schema.ts view source
SupersededOffer A superseded offer row annotated with the grantor's account_id.
Carried by superseded_offers in accept/revoke query results so callers
can fan out permit_offer_supersede notifications to the grantor's
sockets without a second round-trip. Populated via a CTE join on actor
in the supersede UPDATE.
from_account_idUuidhttp/surface_query.ts view source
(surface: AppSurface): { none: number; authenticated: number; role: Map<string, number>; keeper: number; } Summarize route auth distribution across the surface.
surface{ none: number; authenticated: number; role: Map<string, number>; keeper: number; } counts by auth type, with role counts broken out by role name
ui/SurfaceExplorer.svelte view source
surfacehttp/common_routes.ts view source
SurfaceRouteOptions Options for the surface explorer route.
surfaceThe generated app surface to serve.
testing/surface_invariants.ts view source
SurfaceSecurityPolicyOptions Configuration for security policy invariants.
All fields have sensible defaults. Pass overrides for project-specific needs.
sensitive_route_patternsPath patterns for routes that should be rate-limited.
Default: common sensitive REST patterns (login, password, bootstrap).
account_token_create became RPC-only in the 2026-04-23 migration;
per-method RPC rate limiting is a separate invariant if consumers want it.
Array<string | RegExp>public_mutation_allowlistRoutes explicitly allowed to be public mutations (e.g., webhooks, bootstrap).
Format: 'METHOD /path' (e.g., 'POST /api/account/login').
Array<string>keeper_route_prefixesAllowed path prefixes for keeper-protected routes.
Default: ['/api/']. Catches keeper routes outside expected namespaces.
Array<string>ui/table_state.svelte.ts view source
1000 Maximum number of rows that can be fetched in a single page.
TableInfo Table metadata from information_schema.
table_namestringui/table_state.svelte.ts view source
table_nametype string
columnstype Array<ColumnInfo>
rowstype Array<Record<string, unknown>>
totaloffsetlimitprimary_keytype string | null
deletingtype string | null
delete_errortype string | null
showing_startshowing_endhas_prevhas_nextfetchFetch a page of rows for table_name from GET /api/db/tables/{table_name}.
limit is clamped to [1, TABLE_LIMIT_MAX].
type (table_name: string, offset?: number, limit?: number): Promise<void>
table_namestringoffsetnumber0limitnumber100Promise<void>go_prevtype (): void
voidgo_nexttype (): void
voiddelete_rowDelete a row by its primary key via DELETE /api/db/tables/{table_name}/rows/{pk}.
Optimistically drops it from rows and decrements total on success;
surfaces server errors on delete_error.
type (row: Record<string, unknown>): Promise<boolean>
rowRecord<string, unknown>Promise<boolean>true when the row was removed; false on missing primary key or server error
TableStatus Table info with row count.
namestringrow_countnumberTableWithCount Table info with row count.
namestringrow_countnumberTerminalDeps Terminal I/O operations.
stdout_writeWrite bytes to stdout.
(data: Uint8Array) => Promise<number>stdin_readRead bytes from stdin, or null on EOF.
(buffer: Uint8Array) => Promise<number | null>testing/middleware.ts view source
"127.0.0.1" Default client IP set by the proxy stub in test apps.
testing/app_server.ts view source
string 64-hex-char test cookie secret โ deterministic, never used in production.
testing/middleware.ts view source
"/api/test" Path used by the echo route in create_test_middleware_stack_app.
testing/app_server.ts view source
TestAccount A bootstrapped test account with credentials.
account{id: Uuid; username: string}actor{id: Uuid}session_cookieSigned session cookie value.
stringapi_tokenRaw API token for Bearer auth.
stringcreate_session_headersBuild request headers with this account's session cookie.
(extra?: Record<string, string>) => Record<string, string>create_bearer_headersBuild request headers with this account's Bearer token.
(extra?: Record<string, string>) => Record<string, string>testing/entities.ts view source
TestAccountOverrides Override type for create_test_account โ id-like fields accept plain string.
testing/entities.ts view source
TestActorOverrides Override type for create_test_actor โ id-like fields accept plain string.
testing/app_server.ts view source
TestApp A fully assembled test app โ Hono app + backend + helpers.
appHonobackendsurface_specsurfaceroute_specsArray<RouteSpec>create_session_headersBuild request headers with the bootstrapped session cookie.
(extra?: Record<string, string>) => Record<string, string>create_bearer_headersBuild request headers with the bootstrapped Bearer token.
(extra?: Record<string, string>) => Record<string, string>create_daemon_token_headersBuild request headers with the daemon token (keeper auth).
(extra?: Record<string, string>) => Record<string, string>create_accountCreate an additional account with credentials.
(options?: {
username?: string;
password_value?: string;
roles?: Array<string>;
}) => Promise<TestAccount>cleanupCleanup resources (delegates to TestAppServer.cleanup).
() => Promise<void>testing/app_server.ts view source
TestAppServer An AppBackend with a bootstrapped account, API token, and session cookie.
accountThe bootstrapped account.
{id: Uuid; username: string}actorThe actor linked to the account.
{id: Uuid}api_tokenRaw API token for Bearer auth.
stringsession_cookieSigned session cookie value for cookie auth.
stringkeyringKeyring used for cookie signing โ exposed for forging expired/tampered cookies in tests.
cleanupRelease test resources (no-op when DB is injected or factory-cached).
() => Promise<void>testing/app_server.ts view source
TestAppServerOptions Configuration for create_test_app_server.
session_optionsSession options โ needed for cookie signing.
SessionOptions<string>dbExisting database โ skips internal DB creation when provided. Caller owns the DB lifecycle.
db_typeDatabase driver type โ only used when db is provided. Default: 'pglite-memory'.
passwordPassword implementation. Default: stub_password_deps. Pass argon2_password_deps for tests that exercise login.
usernameUsername for the bootstrapped account. Default: 'keeper'.
stringpassword_valuePassword for the bootstrapped account. Default: 'test-password-123'.
stringrolesRoles to grant. Default: [ROLE_KEEPER].
Array<string>on_audit_eventBackend audit event callback โ wired into backend.deps.on_audit_event.
When audit_log_sse: true is passed to create_app_server, this runs
after the audit SSE broadcast (composed downstream by app_server).
Use to wire consumer SSE auth guards in tests.
Default: no-op.
(event: AuditLogEvent) => voidaudit_log_configOptional audit log config โ written onto backend.deps.audit_log_config
before return so it lands in time for create_app_server's shallow
spread of backend.deps (SSE branch) and the no-SSE alias branch alike.
Use when the consumer registers extra event types via
create_audit_log_config({extra_events}) โ without this, emits for
those events fall back to BUILTIN_AUDIT_LOG_CONFIG and log
"unknown event_type" warnings.
testing/entities.ts view source
TestAuditEventOverrides Override type for create_test_audit_event โ id-like fields accept plain string.
testing/middleware.ts view source
TestMiddlewareStackApp Return type of create_test_middleware_stack_app.
appHonomock_validateReturnType<typeof vi.fn>mock_find_by_idReturnType<typeof vi.fn>mock_find_by_accountReturnType<typeof vi.fn>mock_find_active_for_actorReturnType<typeof vi.fn>testing/middleware.ts view source
TestMiddlewareStackOptions Options for create_test_middleware_stack_app.
trusted_proxiesTrusted proxy IPs.
Array<string>allowed_originsComma-separated allowed origin patterns.
stringconnection_ipConnection IP or factory.
string | (() => string | undefined)ip_rate_limiterRate limiter for bearer auth.
RateLimiter | nulltesting/entities.ts view source
TestPermitOverrides Override type for create_test_permit โ id-like fields accept plain string.
actions/rpc_client.ts view source
ThrowingApi<TApi> Maps a typed ActionsApi to a throwing variant.
For each method whose return type matches the create_rpc_client shape
(Promise<Result<{value: T}, {error: JsonrpcErrorObject}>>), the wrapped
method returns Promise<T> directly. Other shapes (notifications typed
as => void, sync local_call methods) pass through unchanged โ there
is nothing to unwrap.
Input + options parameters are preserved verbatim via ...args: infer TArgs
so the conditional matches both required-input (input: T) and
optional-input (input?: T / nullary) signatures uniformly. Required-input
shapes (e.g. admin_session_revoke_all(input: AdminSessionRevokeAllInput))
are not assignable to a (input?: TInput) => โฆ pattern under
--strictFunctionTypes, so an earlier (input?, options?) => form
silently fell through to TApi[K] and left those methods Result-shaped โ
create_admin_rpc_adapters(api) would then reject the typed throwing
Proxy because half its surface still returned Result<...>. The rest-args
form preserves both required and optional parameters and resolves the gap.
TApihttp/jsonrpc_errors.ts view source
Error class carrying a JSON-RPC error code โ thrown by handlers, caught by apply_route_specs and mapped to HTTP status + JSON-RPC error response.
Named for what it is: an error with a JSON-RPC error code that gets thrown.
Errorcodetype JsonrpcErrorCode
datatype unknown
constructortype new (code: -32700 | -32600 | -32601 | -32602 | -32603 | (number & $brand<"JsonrpcServerErrorCode">), message: string, data?: unknown, options?: ErrorOptions | undefined): ThrownJsonrpcError
code-32700 | -32600 | -32601 | -32602 | -32603 | (number & $brand<"JsonrpcServerErrorCode">)messagestringdata?unknownoptions?ErrorOptions | undefinedactions/action_codegen.ts view source
(method: string): string methodstringstring actions/action_codegen.ts view source
(method: string): string methodstringstring actions/action_codegen.ts view source
(method: string): string methodstringstring auth/account_schema.ts view source
(account: Account): { id: string & $brand<"Uuid">; username: string; email: string | null; email_verified: boolean; created_at: string; updated_at: string; updated_by: (string & $brand<...>) | null; } Convert an Account to an AdminAccountJson for admin listings.
accountthe full account record
{ id: string & $brand<"Uuid">; username: string; email: string | null; email_verified: boolean; created_at: string; updated_at: string; updated_by: (string & $brand<"Uuid">) | null; } the admin-safe account with audit fields
http/jsonrpc_helpers.ts view source
(message_or_id: unknown): string | number | null Extracts a JSON-RPC request id from a message or raw value.
Returns null if no valid id can be extracted.
message_or_idunknownstring | number | null http/jsonrpc_helpers.ts view source
(input: unknown): Record<string, any> | undefined Normalizes input to JSON-RPC params format.
Returns undefined for null/undefined, wraps primitives in {value}.
inputunknownRecord<string, any> | undefined http/jsonrpc_helpers.ts view source
(output: unknown): Record<string, any> Normalizes output to JSON-RPC result format.
Returns empty object for null/undefined, wraps primitives in {value}.
outputunknownRecord<string, any> <T>(items: T[], to_string: (item: T) => string): number Get maximum length from array.
itemsarray of items
T[]to_stringfunction to convert item to string for length measurement
(item: T) => stringnumber maximum string length
auth/permit_offer_schema.ts view source
(offer: PermitOffer): { id: string & $brand<"Uuid">; from_actor_id: string & $brand<"Uuid">; to_account_id: string & $brand<"Uuid">; ... 10 more ...; resulting_permit_id: (string & $brand<...>) | null; } Convert a PermitOffer row to its JSON payload shape.
offer{ id: string & $brand<"Uuid">; from_actor_id: string & $brand<"Uuid">; to_account_id: string & $brand<"Uuid">; role: string; scope_id: (string & $brand<"Uuid">) | null; ... 8 more ...; resulting_permit_id: (string & $brand<...>) | null; } auth/account_schema.ts view source
(account: Account): SessionAccount Convert an Account to a SessionAccount by stripping sensitive fields.
accountthe full account record
SessionAccount the client-safe account
auth/account_action_specs.ts view source
ZodObject<{ name: ZodDefault<ZodString>; }, $strict> Input for account_token_create.
auth/account_action_specs.ts view source
ZodObject<{ ok: ZodLiteral<true>; token: ZodString; id: ZodString; name: ZodString; }, $strict> Output for account_token_create. token is returned exactly once.
auth/account_action_specs.ts view source
ZodVoid Input for account_token_list. No parameters.
auth/account_action_specs.ts view source
ZodObject<{ tokens: ZodArray<ZodObject<{ id: ZodString; account_id: $ZodBranded<ZodUUID, "Uuid", "out">; name: ZodString; expires_at: ZodNullable<ZodString>; last_used_at: ZodNullable<...>; last_used_ip: ZodNullable<...>; created_at: ZodString; }, $strict>>; }, $strict> Output for account_token_list. Hashes are excluded.
auth/account_action_specs.ts view source
ZodObject<{ token_id: ZodString; }, $strict> Input for account_token_revoke.
auth/account_action_specs.ts view source
ZodObject<{ ok: ZodLiteral<true>; revoked: ZodBoolean; }, $strict> Output for account_token_revoke. revoked is false for IDOR misses.
ui/popover.svelte.ts view source
TransitionFunction Support both Svelte transitions and custom transitions.
actions/transports.ts view source
Transport transport_nameis_ready() => booleandispose() => voidactions/rpc_client.ts view source
TransportForMethod Optional per-method transport selector. Return the transport to use for a
given method, or undefined to let the peer pick via its fallback rules.
Useful when methods are registered on different backend dispatchers โ e.g. a streaming action mounted on the WebSocket endpoint while the rest of the RPC surface lives on HTTP.
actions/transports.ts view source
ZodString actions/transports.ts view source
allow_fallbackWhether to allow fallback to other transports if the current one is not available.
type boolean
register_transportRegisters a transport. The first transport registered also becomes the current.
type (transport: Transport): void
transportvoidset_current_transportSwitch the current transport selection by name.
type (transport_name: string): void
transport_namestringvoidError - if no transport with `transport_name` has been registeredget_transportResolve a transport. With allow_fallback, walks specified โ current โ
any-ready; without, returns the named transport (or current) only when
it's ready.
type (transport_name?: string | undefined): Transport | null
transport_name?string | undefinedTransport | nullthe resolved transport, or null when none is ready
is_readytype (): boolean | null
boolean | nullget_current_transporttype (): Transport | null
Transport | nullget_current_transport_nametype (): string | null
string | nullget_transport_by_nametype (transport_name: string): Transport | null
transport_namestringTransport | nullactions/transports.ts view source
TransportSendOptions Per-call options accepted by every transport's send. Optional and
extensible โ adding a field is non-breaking. Source of truth for the
shared option shape; ActionPeerSendOptions and RpcClientCallOptions
extend it.
signalPer-call cancellation. Bottoms out at
FrontendWebsocketClient.request({signal}) on the WS path (sends the
shared cancel notification on abort) and at fetch({signal}) on
HTTP. Backend transport has no per-call abort surface to honor.
AbortSignalqueuePer-call durable-queue opt-in. Names the client-authoritative vs
server-authoritative distinction โ server-authoritative consumers
(e.g. zzz completion calls) fail fast with service_unavailable when
the transport is down; client-authoritative consumers (games,
real-time apps) buffer and replay on reconnect because the user
already committed to the action at click time. Honored only by
FrontendWebsocketTransport on the request_response path (default
false). HTTP and backend transports ignore it; WS notifications
also ignore it and always fail-fast when disconnected (fire-and-forget
connection.send has no queue semantic).
boolean(str: string, max_length: number, separator?: string): string Truncate a string by keeping the start and end, with a separator in the middle.
strstringmax_lengthtotal length including separator
numberseparatorstring'โฆ'string the truncated string, or the original if it fits
(uuid: string): string Truncate a UUID for display, keeping start and end visible.
uuidstringstring a 12-character truncated UUID like a1b2cโฆ7890
(input: RequestInfo | URL, init?: RequestInit | undefined): Promise<Response> Fetch with credentials included (sends cookies).
inputRequestInfo | URLinit?RequestInit | undefinedPromise<Response> testing/error_coverage.ts view source
UncoveredEntry Uncovered entry โ either a status-level row (no code) or a specific-code row.
methodstringpathstringstatusnumbercodeDeclared code value missing, when the status's error schema names specific codes.
stringhttp/jsonrpc_errors.ts view source
"unknown error" Default message for unknown errors.
env/update_env_variable.ts view source
(key: string, value: string, options: UpdateEnvVariableOptions): Promise<void> Updates or adds an environment variable in the .env file. Preserves existing formatting, comments, and other variables.
Behavior:
- Duplicate keys: updates the LAST occurrence (matches dotenv behavior)
- Inline comments: preserved after the value (e.g., KEY=value # comment)
- Quote style: preserved from original (quoted/unquoted)
keythe environment variable name (e.g., 'SOME_CONFIGURATION_KEY')
stringvaluethe new value for the environment variable
stringoptionsfile path and optional read/write overrides
Promise<void> Error - if the file read fails for any reason other than `ENOENT`, or if the write failsauth/app_settings_schema.ts view source
ZodObject<{ open_signup: ZodBoolean; }, $strict> Zod schema for updating app settings.
env/update_env_variable.ts view source
UpdateEnvVariableOptions Options for updating environment variables in a .env file.
env_file_pathPath to the .env file.
stringread_fileFunction to read file contents (defaults to node:fs/promises readFile).
(path: string, encoding: string) => Promise<string>write_fileFunction to write file contents (defaults to node:fs/promises writeFile).
(path: string, content: string, encoding: string) => Promise<void>auth/account_schema.ts view source
ZodString Username for account creation โ starts with letter, alphanumeric/dash/underscore middle, ends with alphanumeric. No @ or . allowed.
auth/account_schema.ts view source
39 Maximum username length (matches GitHub's limit).
auth/account_schema.ts view source
3 Minimum username length (must have start + middle + end characters).
auth/account_schema.ts view source
255 Maximum length for username input on login/lookup โ more permissive than USERNAME_LENGTH_MAX for forward-compatibility if the creation limit is raised.
auth/account_schema.ts view source
ZodString Username submitted for login or lookup โ minimal validation for forward-compatibility if format rules change.
db/sql_identifier.ts view source
RegExp Pattern matching valid SQL identifiers: starts with a letter or underscore, followed by letters, digits, or underscores.
auth/daemon_token.ts view source
(provided: string, state: DaemonTokenState): boolean Validate a daemon token against the current state.
Accepts both the current and previous token (2-token race window). Uses timing-safe comparison.
providedthe token from the X-Daemon-Token header
stringstatethe daemon token state
boolean true if the token is valid
(runtime: Pick<EnvDeps, "env_get">, refs: EnvVarRef[]): EnvValidationResult Validate that all referenced env vars exist in the environment.
Returns all missing refs (including duplicates by name). Grouping and deduplication is handled by format_missing_env_vars at display time.
runtimeruntime with env_get capability
Pick<EnvDeps, "env_get">refsenv var references from scan_env_vars
EnvVarRef[]EnvValidationResult validation result with any missing vars
(env_value: string | undefined): string[] Validate key ring configuration.
Returns an error when no keys are configured (undefined, empty string,
or all-separator input like '____'), and for each key shorter than
MIN_KEY_LENGTH characters.
env_valuethe SECRET_COOKIE_KEYS environment variable
string | undefinedstring[] array of validation errors (empty if valid)
server/validate_nginx.ts view source
(config: string): NginxValidationResult Validate an nginx config template string for security properties.
Checks for required security headers, Authorization stripping in /api
blocks, and the nginx add_header inheritance gotcha. Designed for
fuz_app consumer deploy configs (tx.ts NGINX_CONFIG constants).
Limitations: string pattern matching, not a real nginx parser. Catches common omissions in fuz_app deploy configs but won't catch all possible misconfigurations.
configstringNginxValidationResult actions/action_event_helpers.ts view source
(kind: "request_response" | "remote_notification" | "local_call", phase: "send_request" | "receive_request" | "send_response" | "receive_response" | "send_error" | "receive_error" | "send" | "receive" | "execute"): void Validate that phase is one of the phases allowed for kind per
ACTION_EVENT_PHASE_BY_KIND.
kind"request_response" | "remote_notification" | "local_call"phase"send_request" | "receive_request" | "send_response" | "receive_response" | "send_error" | "receive_error" | "send" | "receive" | "execute"void Error - if `phase` is not valid for `kind`actions/action_event_helpers.ts view source
(from: "send_request" | "receive_request" | "send_response" | "receive_response" | "send_error" | "receive_error" | "send" | "receive" | "execute", to: "send_request" | "receive_request" | ... 6 more ... | "execute"): void Validate that a phase chain is legal per ACTION_EVENT_PHASE_TRANSITIONS.
from"send_request" | "receive_request" | "send_response" | "receive_response" | "send_error" | "receive_error" | "send" | "receive" | "execute"to"send_request" | "receive_request" | "send_response" | "receive_response" | "send_error" | "receive_error" | "send" | "receive" | "execute"void Error - if `from โ to` is not the permitted next phase (or `from` is terminal)(env: { NODE_ENV: "development" | "production"; PORT: number; HOST: string; DATABASE_URL: string; SECRET_COOKIE_KEYS: string; ALLOWED_ORIGINS: string; PUBLIC_API_URL: string; PUBLIC_WEBSOCKET_URL?: string | undefined; ... 4 more ...; SMTP_PASSWORD?: string | undefined; }): ServerEnvOptionsResult Validate a loaded BaseServerEnv and produce the artifacts needed for server init.
Handles keyring validation, origin parsing, and bootstrap token path extraction. Returns a Result so callers handle errors their own way (exit, logging, etc).
enva loaded and Zod-validated BaseServerEnv
{ NODE_ENV: "development" | "production"; PORT: number; HOST: string; DATABASE_URL: string; SECRET_COOKIE_KEYS: string; ALLOWED_ORIGINS: string; PUBLIC_API_URL: string; PUBLIC_WEBSOCKET_URL?: string | undefined; ... 4 more ...; SMTP_PASSWORD?: string | undefined; }ServerEnvOptionsResult {ok: true, keyring, allowed_origins, bootstrap_token_path} or {ok: false, field, errors}
actions/action_event_helpers.ts view source
(from: "initial" | "parsed" | "handling" | "handled" | "failed", to: "initial" | "parsed" | "handling" | "handled" | "failed"): void Validate that a step transition is legal per ACTION_EVENT_STEP_TRANSITIONS.
from"initial" | "parsed" | "handling" | "handled" | "failed"to"initial" | "parsed" | "handling" | "handled" | "failed"void Error - if `from โ to` is not a permitted transitionValidatedKeyringResult Result of create_validated_keyring. Discriminated union โ callers handle the error case their own way.
http/error_schemas.ts view source
ZodObject<{ error: ZodString; issues: ZodArray<ZodObject<{ code: ZodString; message: ZodString; path: ZodArray<ZodUnion<readonly [ZodString, ZodNumber]>>; }, $loose>>; }, $loose> Input validation error โ returned when the request body fails Zod parsing.
issues contains the Zod validation issues for diagnostic display.
auth/password_argon2.ts view source
(password: string): Promise<boolean> Verify a password against a dummy hash for timing attack resistance.
Always returns false, but takes the same time as a real verification.
Call when account lookup fails to prevent timing-based user enumeration.
passwordthe plaintext password to "verify"
stringPromise<boolean> always false
auth/password_argon2.ts view source
(password: string, password_hash: string): Promise<boolean> Verify a password against an Argon2id hash.
passwordthe plaintext password to verify
stringpassword_hashthe Argon2id hash to verify against
stringPromise<boolean> true if the password matches
(allowed_patterns: RegExp[]): Handler Middleware that verifies the request source against an allowlist.
Origin allowlisting (not the CSRF layer โ that's SameSite: strict cookies):
- Checks the Origin header first (if present)
- Falls back to Referer header (if no Origin)
- Allows requests without Origin/Referer headers (direct access, curl, etc.)
allowed_patternscompiled regex patterns from parse_allowed_origins
RegExp[]Handler auth/account_action_specs.ts view source
ZodVoid Input for account_verify. No parameters โ the caller is the subject.
actions/transports_ws.ts view source
WebsocketConnection Minimal interface for a WebSocket connection, decoupled from the concrete Socket Cell.
send(data: object) => booleanconnectedbooleanadd_message_handler(handler: (event: MessageEvent) => void) => () => voidadd_error_handler(handler: (event: Event) => void) => () => voidactions/transports_ws.ts view source
WebsocketRpcConnection RPC-capable WebSocket connection โ a WebsocketConnection that also
handles request/response correlation with timeout, queue,
AbortSignal cancel, and explicit-id support. Required by
FrontendWebsocketTransport so it can delegate the pending-map
bookkeeping to one canonical implementation
(FrontendWebsocketClient) instead of running a parallel one.
Consumer wrappers around FrontendWebsocketClient (e.g. zzz's
Socket) implement this by adding a one-line delegate to the
underlying client's request.
request(
method: string,
params: unknown,
options?: {signal?: AbortSignal; queue?: boolean; id?: JsonrpcRequestId},
) => Promise<unknown>(runtime: Pick<EnvDeps, "env_get"> & Pick<FsWriteDeps, "mkdir" | "write_text_file" | "rename">, name: string, info: { version: number; pid: number; port: number; started: string; app_version: string; }): Promise<...> Write daemon info to the PID file, creating directories as needed.
runtimeruntime with file write and env capabilities
Pick<EnvDeps, "env_get"> & Pick<FsWriteDeps, "mkdir" | "write_text_file" | "rename">nameapplication name
stringinfodaemon info to write
{ version: number; pid: number; port: number; started: string; app_version: string; }Promise<void> Error - if `$HOME` is not setauth/daemon_token_middleware.ts view source
(runtime: DaemonTokenWriteDeps, token_path: string, token: string): Promise<void> Write the current token to disk atomically.
Uses write_file_atomic (temp file + rename) and optionally sets mode 0600.
runtimeruntime with file write capabilities
token_pathpath to write the token
stringtokenthe raw token string
stringPromise<void> (deps: Pick<FsWriteDeps, "write_text_file" | "rename">, path: string, content: string): Promise<void> Write a file atomically via temp file + rename.
Writes to <path>.tmp then renames over path so readers either see the
old contents or the full new contents โ never a partial write.
depsPick<FsWriteDeps, "write_text_file" | "rename">pathstringcontentstringPromise<void> Error - if `write_text_file` or `rename` rejects (permissions, disk full, cross-device rename, etc.)actions/transports.ts view source
4002 WebSocket close code โ client timed out waiting for a response.
actions/transports.ts view source
4003 WebSocket close code โ server timed out with no incoming activity.
actions/transports.ts view source
4001 WebSocket close code for session revocation.
actions/transports_ws_auth_guard.ts view source
ReadonlySet<string> Audit event types that trigger WebSocket socket closure.
- session_revoke โ close only the socket tied to the revoked session hash.
- token_revoke โ close only the socket(s) authenticated with the revoked api_token.id.
- session_revoke_all / token_revoke_all / password_change โ close every socket
for the affected account (all credentials invalidated).
permit_revoke is intentionally omitted: the WS transport does not track
per-connection role requirements, so role-scoped disconnection would
require either closing all sockets (too aggressive) or new tracking
(out of scope). Consumers that need it compose their own callback.
actions/action_types.ts view source
WsActionHandler<TCtx> Handler signature โ receives validated input and per-request context.
Named to disambiguate from actions/action_rpc.ts's ActionHandler
(HTTP-side, ActionContext + two generic slots). The WS variant is
single-slotted on the context and returns unknown.
TCtxtesting/ws_round_trip.ts view source
WsConnectIdentity Auth identity for a mock connection.
account_idAccount id for the connection. Defaults to a fresh uuid per call.
Uuidcredential_typeCredential type. Defaults to 'session'. Keeper actions require 'daemon_token'.
session_idSession id (any string). Defaults to a fresh uuid. Hashed by the dispatcher.
stringapi_token_idApi token id; set for bearer connections, null otherwise.
string | nullrolesRoles to grant via active permits. Pass [ROLE_KEEPER] for keeper actions.
Array<string>testing/ws_round_trip.ts view source
WsTestHarness A harness instance โ transport handle + connection factory.
transportconnectOpen a mock connection. Resolves after on_socket_open (and the
transport's register_ws) completes, so broadcasts issued
immediately after the await reach the connection. Earlier
revisions returned synchronously and required a settle_open()
microtask drain โ no longer necessary.
(identity?: WsConnectIdentity) => Promise<MockWsClient>