http/error_schemas.ts

Base API error — all JSON error responses have at least {error: string}.

Derive error schemas from a route's auth requirement, input schema, and rate limit config.

Returns the error schemas that middleware will auto-produce for this route. Route handlers can declare additional error schemas via RouteSpec.errors; explicit entries override auto-derived ones for the same status code.

Derivation rules: - Has input schema (non-null) or has params schema or has query schema: 400 (validation error with issues) - auth: authenticated: 401 - auth: role: 401 + 403 (with required_role) - auth: keeper: 401 + 403 (keeper-specific) - rate_limit: 429 (rate limit exceeded with retry_after)

Token references a deleted account.

Bootstrap lock already acquired — system already bootstrapped.

No valid session or bearer token.

Bearer token sent with Origin/Referer header (browser context).

Bootstrap endpoint called but no token path configured.

Request origin not in allowlist.

Request referer not in allowlist.

DELETE blocked by a foreign key constraint.

Authenticated but missing required role.

Username or password is wrong (intentionally vague for enumeration prevention).

Daemon token header present but malformed or not matching current/previous token.

Query parameter event_type is not a valid audit event type.

Request body is not valid JSON or not an object.

URL query params failed Zod validation.

Request body failed Zod validation.

URL path params failed Zod validation.

Bearer token failed validation (missing, malformed, or revoked).

An account already exists with this invite's email.

An account already exists with this invite's username.

An unclaimed invite already exists for this email or username.

Invite must have at least an email or username.

Invite not found (for delete operations).

Daemon token valid but keeper account not yet resolved (pre-bootstrap).

Keeper account ID set but account row not found.

Keeper routes require daemon_token credential type.

No unclaimed invite matches the signup credentials.

Request body exceeds the maximum allowed size.

Permit ID not found or not owned by the target actor.

Rate limiter rejected the request.

Admin tried to grant a role that is not web-grantable.

Row with the given PK value not found.

Signup conflict — username or email already taken (intentionally vague for enumeration prevention).

Table has no primary key constraint (cannot delete by PK).

Table name not found in information_schema.

Bootstrap token file not found on disk.

Foreign key violation error — returned when a delete is blocked by references.

Keeper credential error — returned by require_keeper when credential type is wrong.

Payload too large error — returned when the request body exceeds the size limit.

Permission error — returned by require_role() when the required role is missing.

Rate limit error — returned when a rate limiter rejects the request.

Rate limit key type — declares what a route's rate limiter is keyed on.

- 'ip' — per-IP rate limiting (bootstrap, password change, bearer auth) - 'account' — per-account rate limiting (keyed on submitted identifier) - 'both' — both per-IP and per-account (login)

Error schema map — maps HTTP status codes to Zod schemas.

Used on RouteSpec.errors and internally by derive_error_schemas.

Input validation error — returned when the request body fails Zod parsing.

issues contains the Zod validation issues for diagnostic display.