realtime

3 modules

• realtime/sse_auth_guard.ts

  SSE auth guard and convenience factory for audit log SSE.

  create_sse_auth_guard bridges audit events to SubscriberRegistry.close_by_identity(), closing SSE streams when a subscriber's access is revoked (role revocation or session invalidation).

  create_audit_log_sse is a convenience factory that combines the registry, guard, and broadcaster — making the secure path the easy path for consumers.

• realtime/sse.ts

  SSE (Server-Sent Events) streaming utilities for Hono.

  Provides generic helpers for creating SSE response streams and a notification type aligned with JSON-RPC 2.0.

• realtime/subscriber_registry.ts

  Generic subscriber registry for broadcasting to SSE clients.

  Supports channel-based filtering — subscribers connect with optional channel filters, and broadcasts reach only matching subscribers.

  Two identity slots enable both targeted disconnection and per-scope cap enforcement: - scope — a single capped identity (e.g., session hash). Subject to the per-scope cap and matched by close_by_identity. Use for the narrowest identity the subscriber belongs to. - groups — any number of uncapped identities (e.g., account id). Matched by close_by_identity but not subject to any cap. Use for coarser scopes a stream should be reachable by.

  The split keeps "tabs-per-session" cap semantics sane when a stream also carries a broader identity for coarse close — the broader identity doesn't cap across sessions.