lalalalal

Update paths in .gitignore, cmd, develop, mgmt, sync.sh, check.sh,
fixup.sh, CLAUDE.md, docs/new-project.md, and backend/*.sh scripts.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

.beads/issues.jsonl

@@ -0,0 +1,4 @@
+{"id":"diachron-2vh","title":"Add unit testing to golang programs","status":"open","priority":2,"issue_type":"task","created_at":"2026-01-03T12:31:41.281891462-06:00","created_by":"mw","updated_at":"2026-01-03T12:31:41.281891462-06:00"}
+{"id":"diachron-64w","title":"Add unit testing to express backend","status":"open","priority":2,"issue_type":"task","created_at":"2026-01-03T12:31:30.439206099-06:00","created_by":"mw","updated_at":"2026-01-03T12:31:30.439206099-06:00"}
+{"id":"diachron-fzd","title":"Add generic 'user' functionality","status":"open","priority":2,"issue_type":"task","created_at":"2026-01-03T12:35:53.73213604-06:00","created_by":"mw","updated_at":"2026-01-03T12:35:53.73213604-06:00"}
+{"id":"diachron-ngx","title":"Teach the master and/or build process to send messages with notify-send when builds fail or succeed.  Ideally this will be fairly generic.","status":"open","priority":2,"issue_type":"task","created_at":"2026-01-03T14:10:11.773218844-06:00","created_by":"mw","updated_at":"2026-01-03T14:10:11.773218844-06:00"}

.claude/instructions.md

@@ -0,0 +1,2 @@
+When asked "what's next?" or during downtime, check TODO.md and suggest items to work on.
+

.gitignore

@@ -0,0 +1,5 @@
+**/node_modules
+diachron/downloads
+diachron/binaries
+diachron/.nodejs
+diachron/.nodejs-config

.go-version

@@ -0,0 +1 @@
+1.23.6

CLAUDE.md

@@ -0,0 +1,122 @@
+# CLAUDE.md
+
+This file provides guidance to Claude Code (claude.ai/code) when working with
+code in this repository.
+
+## Project Overview
+
+Diachron is an opinionated TypeScript/Node.js web framework with a Go-based
+master process. Key design principles:
+- No development/production distinction - single mode of operation everywhere
+- Everything loggable and inspectable for debuggability
+- Minimal magic, explicit behavior
+- PostgreSQL-only (no database abstraction)
+- Inspired by "Taking PHP Seriously" essay
+
+## Commands
+
+### General
+
+**Install dependencies:**
+```bash
+./sync.sh
+```
+
+**Run an app:**
+```bash
+./master
+```
+
+
+
+### Development
+
+**Check shell scripts (shellcheck + shfmt) (eventually go fmt and biome or similar):**
+```bash
+./check.sh
+```
+
+**Format TypeScript code:**
+```bash
+cd backend && ../cmd pnpm biome check --write .
+```
+
+**Build Go master process:**
+```bash
+cd master && go build
+```
+
+### Operational
+
+(to be written)
+
+## Architecture
+
+### Components
+
+- **backend/** - TypeScript/Express.js backend application
+- **master/** - Go-based master process for file watching and process management
+- **diachron/** - Managed binaries (Node.js, pnpm), command wrappers, and
+  framework-specific library code
+- **monitor/** - Go file watcher that triggers rebuilds (experimental)
+
+### Master Process (Go)
+
+Responsibilities:
+- Watch TypeScript source for changes and trigger rebuilds
+- Manage worker processes
+- Proxy web requests to backend workers
+- Behaves identically in all environments (no dev/prod distinction)
+
+### Backend App Structure
+
+- `app.ts` - Main Express application setup with route matching
+- `routes.ts` - Route definitions
+- `handlers.ts` - Route handlers
+- `services.ts` - Service layer (database, logging, misc)
+- `types.ts` - TypeScript type definitions (Route, Call, Handler, Result, Method)
+
+### Framework Command System
+
+Commands flow through: `./cmd` → `diachron/cmd.d/*` → `diachron/shims/*` → managed binaries in `diachron/binaries/`
+
+This ensures consistent tooling versions across the team without system-wide installations.
+
+## Tech Stack
+
+- TypeScript 5.9+ / Node.js 22.15
+- Express.js 5.1
+- Go 1.23.3+ (master process)
+- pnpm 10.12.4 (package manager)
+- Zod (runtime validation)
+- Nunjucks (templating)
+- @vercel/ncc (bundling)
+
+## Platform Requirements
+
+Linux or macOS on x86_64. Requires:
+- Modern libc for Go binaries (Linux)
+- docker compose (for full stack)
+- fd, shellcheck, shfmt (for development)
+
+## Current Status
+
+Early stage - most implementations are stubs:
+- Database service is placeholder
+- Logging functions marked WRITEME
+- No test framework configured yet
+
+# meta
+
+## formatting and sorting
+
+- When a typescript file exports symbols, they should be listed in order
+
+## guidelines for this document
+
+- Try to keep lines below 80 characters in length, especially prose.  But if
+  embedded code or literals are longer, that's fine.
+- Use formatting such as bold or italics sparingly
+- In general, we treat this document like source code insofar as it should be
+  both human-readable and machine-readable
+- Keep this meta section at the end of the file.

README.md

@@ -1,18 +1,61 @@
 diachron
 
+## Introduction
+
+- Do you want to share a lot of backend and frontend code?
+
+- Are you tired of your web stack breaking when you blink too hard?
+
+- Have you read [Taking PHP
+  Seriously](https://slack.engineering/taking-php-seriously/) and do you wish
+  you had something similar for Typescript?
+
+- Do you think that ORMs are not all that?  Do you wish you had first class
+  unmediated access to your database?  And do you think that database
+  agnosticism is overrated?
+
+- Do you think dev/testing/prod distinctions are a bad idea?  (Hear us out on
+  this one.)
+
+- Have you ever lost hours getting everyone on your team to have the exact
+  same environment, yet you're not willing to take the plunge and use a tool
+  like [nix](https://nixos.org)?
+
+- Are you frustrated by unclear documentation?  Is ramping up a frequent
+  problem?
+
+- Do you want a framework that's not only easy to write but also easy to get
+  inside and debug?
+
+- Have you been bogged down with details that are not relevant to the problems
+  you're trying to solve, the features you're trying to implement, the bugs
+  you're trying to fix?  We're talking authentication, authorization, XSS,
+  https, nested paths, all that stuff.
+
+Is your answer to some of these questions "yes"?  If so, you might like
+diachron.  (When it comes to that dev/test/prod one, hear us out first, ok?)
+
+## Getting started
+
+Different situations require different getting started docs.
+
+- [How to create a new project](docs/new-project.md)
+- [How to work on an existing project](docs/existing-project.md)
+
 ## Requirements
 
-To run diachron, you currently need the following requirements:
+To run diachron, you need Linux or macOS on x86_64.  Linux requires a new
+enough libc to run golang binaries.
 
-- docker compose
-- deno
+To run a more complete system, you also need to have docker compose installed.
 
-## Development requirements
+### Development requirements
 
-To hack on diachron, you need the following:
+To hack on diachron itself, you need the following:
 
-- docker compose
-- deno
+- bash
+- docker and docker compose
+- [fd](https://github.com/sharkdp/fd)
 - golang, version 1.23.6 or greater
-
-
+- shellcheck
+- shfmt

TODO.md

@@ -0,0 +1,180 @@
+## high importance
+
+- Many of the UUIDs generated are not UUIDv7.  This needs to be fixed.
+
+- [ ] Add unit tests all over the place.
+  - ⚠️ Huge task - needs breakdown before starting
+
+- [ ] map exceptions back to source lines
+
+- [ ] migrations, seeding, fixtures
+
+```sql
+CREATE SCHEMA fw;
+CREATE TABLE fw.users (...);
+CREATE TABLE fw.groups (...);
+```
+
+```sql
+CREATE TABLE app.user_profiles (...);
+CREATE TABLE app.customer_metadata (...);
+```
+
+- [ ] flesh out `mgmt` and `develop` (does not exist yet)
+
+4.1 What belongs in develop
+
+- Create migrations
+- Squash migrations
+- Reset DB
+- Roll back migrations
+- Seed large test datasets
+- Run tests
+- Snapshot / restore local DB state (!!!)
+
+`develop` fails if APP_ENV (or whatever) is `production`.  Or maybe even
+`testing`.
+
+- [ ] Add default user table(s) to database.
+
+
+- [ ] Add authentication
+  - [ ] password
+  - [ ] third party?
+
+
+- [ ] Add middleware concept
+
+- [ ] Add authorization
+  - for specific routes / resources / etc
+
+- [ ] Add basic text views
+  Partially done; see the /time route.  But we need to figure out where to
+  store templates, static files, etc.
+
+- [ ] fix process management: if you control-c `master` process sometimes it
+      leaves around `master-bin`, `logger-bin`, and `diachron:nnnn` processes.
+      Huge problem.
+
+## medium importance
+
+- [ ] Add a log viewer
+  - with queries
+  - convert to logfmt and is there a viewer UI we could pull in and use
+    instead?
+
+- [ ] add nested routes.  Note that this might be easy to do without actually
+      changing the logic in express/routes.ts.  A function that takes an array
+      of routes and maps over them rewriting them.  Maybe.
+
+  - [ ] related: add something to do with default templates and stuff... I
+        think we can make handlers a lot shorter to write, sometimes not even
+        necessary at all, with some sane defaults and an easy to use override
+        mechanism
+
+- [ ] time library
+
+- [ ] fill in the rest of express/http-codes.ts
+
+- [ ] fill out express/content-types.ts
+
+
+- [ ] identify redundant "old skool" and ajax routes, factor out their
+      commonalities, etc.
+
+- [ ] figure out and add logging to disk
+
+- [ ] I don't really feel close to satisfied with template location /
+      rendering / etc.  Rethink and rework.
+
+- [ ] Add email verification (this is partially done already)
+
+- [ ] Reading .env files and dealing with the environment should be immune to
+      the extent possible from idiotic errors
+
+- [ ] Update check script:
+  - [x] shellcheck on shell scripts
+  - [x] `go vet` on go files
+  - [x] `golangci-lint` on go files
+  - [x] Run `go fmt` on all .go files
+  - [ ] Eventually, run unit tests
+
+- [ ] write docs
+  - upgrade docs
+  - starting docs
+  - taking over docs
+  - reference
+  - internals
+
+- [ ] make migration creation default to something like yyyy-mm-dd_ssss (are
+      9999 migrations in a day enough?)
+
+- [ ] clean up `cmd` and `mgmt`: do the right thing with their commonalities
+      and make very plain which is which for what.  Consider additional
+      commands.  Maybe `develop` for specific development tasks,
+      `operate` for operational tasks, and we keep `cmd` for project-specific
+      commands.  Something like that.
+
+
+## low importance
+
+- [ ] add a prometheus-style `/metrics` endpoint to master
+- [ ] create a metrics server analogous to the logging server
+  - accept various stats from the workers (TBD)
+
+- [ ] move `master-bin` into a subdir like `master/cmd` or whatever is
+      idiomatic for golang programs; adapt `master` wrapper shell script
+      accordingly
+
+- [ ] flesh out the `sync.sh` script
+  - [ ] update framework-managed node
+  - [ ] update framework-managed pnpm
+  - [ ] update pnpm-managed deps
+  - [ ] rebuild golang programs
+
+- [ ] If the number of workers is large, then there is a long lapse between
+      when you change a file and when the server responds
+  - One solution: start and stop workers serially: stop one, restart it with new
+    code; repeat
+  - Slow start them: only start a few at first
+
+- [ ] in express/user.ts: FIXME: set createdAt and updatedAt to start of epoch
+
+
+
+
+## finished
+
+- [x] Reimplement fixup.sh
+  - [x] run shfmt on all shell scripts (and the files they `source`)
+  - [x] Run `go fmt` on all .go files
+  - [x] Run ~~prettier~~ biome on all .ts files and maybe others
+
+- [x] Adapt master program so that it reads configuration from command line
+  args instead of from environment variables
+  - Should have sane defaults
+  - Adding new arguments should be easy and obvious
+
+- [x] Add wrapper script to run master program (so that various assumptions related
+  to relative paths are safer)
+
+- [x] Add logging service
+  - New golang program, in the same directory as master
+    - Intended to be started by master
+    - Listens to a port specified command line arg
+    - Accepts POSTed (or possibly PUT) json messages, currently in a
+      to-be-defined format.  We will work on this format later.
+    - Keeps the most recent N messages in memory.  N can be a fairly large
+      number; let's start by assuming 1 million.
+
+- [x] Log to logging service from the express backend
+  - Fill out types and functions in `express/logging.ts`
+
+- [x] Add first cut at database access.  Remember that ORMs are not all that!
+
+- [x] Create initial docker-compose.yml file for local development
+  - include most recent stable postgres
+  - include beanstalkd
+  - include memcached
+  - include redis
+  - include mailpit

backend/.gitignore

@@ -0,0 +1,2 @@
+out/
+dist/

backend/app.ts

@@ -0,0 +1,172 @@
+import express, {
+    type Request as ExpressRequest,
+    type Response as ExpressResponse,
+} from "express";
+import { match } from "path-to-regexp";
+import { Session } from "./diachron/auth";
+import { cli } from "./diachron/cli";
+import { contentTypes } from "./diachron/content-types";
+import { runWithContext } from "./diachron/context";
+import { core } from "./diachron/core";
+import { httpCodes } from "./diachron/http-codes";
+import { request } from "./diachron/request";
+// import { URLPattern } from 'node:url';
+import {
+    AuthenticationRequired,
+    AuthorizationDenied,
+    type Call,
+    type InternalHandler,
+    isRedirect,
+    type Method,
+    massageMethod,
+    methodParser,
+    type ProcessedRoute,
+    type Result,
+    type Route,
+} from "./diachron/types";
+import { routes } from "./routes";
+
+const app = express();
+
+// Parse request bodies
+app.use(express.json());
+app.use(express.urlencoded({ extended: true }));
+
+core.logging.log({ source: "logging", text: ["1"] });
+const processedRoutes: { [K in Method]: ProcessedRoute[] } = {
+    GET: [],
+    POST: [],
+    PUT: [],
+    PATCH: [],
+    DELETE: [],
+};
+
+function _isPromise<T>(value: T | Promise<T>): value is Promise<T> {
+    return typeof (value as any)?.then === "function";
+}
+
+routes.forEach((route: Route, _idx: number, _allRoutes: Route[]) => {
+    // const pattern /*: URLPattern */ = new URLPattern({ pathname: route.path });
+    const matcher = match<Record<string, string>>(route.path);
+    const methodList = route.methods;
+
+    const handler: InternalHandler = async (
+        expressRequest: ExpressRequest,
+    ): Promise<Result> => {
+        const method = massageMethod(expressRequest.method);
+
+        console.log("method", method);
+
+        if (!methodList.includes(method)) {
+            // XXX: Worth asserting this?
+        }
+
+        console.log("request.originalUrl", expressRequest.originalUrl);
+
+        // Authenticate the request
+        const auth = await request.auth.validateRequest(expressRequest);
+
+        const req: Call = {
+            pattern: route.path,
+            path: expressRequest.originalUrl,
+            method,
+            parameters: { one: 1, two: 2 },
+            request: expressRequest,
+            user: auth.user,
+            session: new Session(auth.session, auth.user),
+        };
+
+        try {
+            const retval = await runWithContext({ user: auth.user }, () =>
+                route.handler(req),
+            );
+            return retval;
+        } catch (error) {
+            // Handle authentication errors
+            if (error instanceof AuthenticationRequired) {
+                return {
+                    code: httpCodes.clientErrors.Unauthorized,
+                    contentType: contentTypes.application.json,
+                    result: JSON.stringify({
+                        error: "Authentication required",
+                    }),
+                };
+            }
+            if (error instanceof AuthorizationDenied) {
+                return {
+                    code: httpCodes.clientErrors.Forbidden,
+                    contentType: contentTypes.application.json,
+                    result: JSON.stringify({ error: "Access denied" }),
+                };
+            }
+            throw error;
+        }
+    };
+
+    for (const [_idx, method] of methodList.entries()) {
+        const pr: ProcessedRoute = { matcher, method, handler };
+
+        processedRoutes[method].push(pr);
+    }
+});
+
+async function handler(
+    req: ExpressRequest,
+    _res: ExpressResponse,
+): Promise<Result> {
+    const method = await methodParser.parseAsync(req.method);
+
+    const byMethod = processedRoutes[method];
+    console.log(
+        "DEBUG: req.path =",
+        JSON.stringify(req.path),
+        "method =",
+        method,
+    );
+    for (const [_idx, pr] of byMethod.entries()) {
+        const match = pr.matcher(req.path);
+        console.log("DEBUG: trying pattern, match result =", match);
+        if (match) {
+            console.log("match", match);
+            const resp = await pr.handler(req);
+
+            return resp;
+        }
+    }
+
+    const retval: Result = {
+        code: httpCodes.clientErrors.NotFound,
+        contentType: contentTypes.text.plain,
+        result: "not found!",
+    };
+
+    return retval;
+}
+
+app.use(async (req: ExpressRequest, res: ExpressResponse) => {
+    const result0 = await handler(req, res);
+
+    const code = result0.code.code;
+    const result = result0.result;
+
+    console.log(result);
+
+    // Set any cookies from the result
+    if (result0.cookies) {
+        for (const cookie of result0.cookies) {
+            res.cookie(cookie.name, cookie.value, cookie.options ?? {});
+        }
+    }
+
+    if (isRedirect(result0)) {
+        res.redirect(code, result0.redirect);
+    } else {
+        res.status(code).send(result);
+    }
+});
+
+process.title = `diachron:${cli.listen.port}`;
+
+app.listen(cli.listen.port, cli.listen.host, () => {
+    console.log(`Listening on ${cli.listen.host}:${cli.listen.port}`);
+});

backend/biome.jsonc

@@ -0,0 +1,39 @@
+{
+    "$schema": "https://biomejs.dev/schemas/2.3.10/schema.json",
+    "vcs": {
+        "enabled": true,
+        "clientKind": "git",
+        "useIgnoreFile": true
+    },
+    "files": {
+        "includes": ["**", "!!**/dist"]
+    },
+    "formatter": {
+        "enabled": true,
+        "indentStyle": "space",
+        "indentWidth": 4
+    },
+
+    "linter": {
+        "enabled": true,
+        "rules": {
+            "recommended": true,
+            "style": {
+                "useBlockStatements": "error"
+            }
+        }
+    },
+    "javascript": {
+        "formatter": {
+            "quoteStyle": "double"
+        }
+    },
+    "assist": {
+        "enabled": true,
+        "actions": {
+            "source": {
+                "organizeImports": "on"
+            }
+        }
+    }
+}

backend/build.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+
+set -eu
+
+DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+
+cd "$DIR"
+
+../cmd pnpm ncc build ./app.ts -o dist

backend/check.sh

@@ -0,0 +1,14 @@
+#!/bin/bash
+
+set -eu
+
+DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+
+check_dir="$DIR"
+
+out_dir="$check_dir/out"
+
+source "$check_dir"/../diachron/shims/common
+source "$check_dir"/../diachron/shims/node.common
+
+$ROOT/cmd pnpm tsc --outDir "$out_dir"

backend/diachron/auth/index.ts

@@ -0,0 +1,20 @@
+// index.ts
+//
+// Barrel export for auth module.
+//
+// NOTE: authRoutes is NOT exported here to avoid circular dependency:
+// services.ts → auth/index.ts → auth/routes.ts → services.ts
+// Import authRoutes directly from "./auth/routes" instead.
+
+export { hashPassword, verifyPassword } from "./password";
+export { type AuthResult, AuthService } from "./service";
+export { type AuthStore, InMemoryAuthStore } from "./store";
+export { generateToken, hashToken, SESSION_COOKIE_NAME } from "./token";
+export {
+    type AuthMethod,
+    Session,
+    type SessionData,
+    type TokenId,
+    type TokenType,
+    tokenLifetimes,
+} from "./types";

backend/diachron/auth/password.spec.ts

@@ -0,0 +1,80 @@
+// Tests for auth/password.ts
+// Pure unit tests - no database needed
+
+import assert from "node:assert/strict";
+import { describe, it } from "node:test";
+import { hashPassword, verifyPassword } from "./password";
+
+describe("password", () => {
+    describe("hashPassword", () => {
+        it("returns a scrypt formatted hash", async () => {
+            const hash = await hashPassword("testpassword");
+            assert.ok(hash.startsWith("$scrypt$"));
+        });
+
+        it("includes all scrypt parameters", async () => {
+            const hash = await hashPassword("testpassword");
+            const parts = hash.split("$");
+            // Format: $scrypt$N$r$p$salt$hash
+            assert.equal(parts.length, 7);
+            assert.equal(parts[0], "");
+            assert.equal(parts[1], "scrypt");
+            // N, r, p should be numbers
+            assert.ok(!Number.isNaN(parseInt(parts[2], 10)));
+            assert.ok(!Number.isNaN(parseInt(parts[3], 10)));
+            assert.ok(!Number.isNaN(parseInt(parts[4], 10)));
+        });
+
+        it("generates different hashes for same password (different salt)", async () => {
+            const hash1 = await hashPassword("testpassword");
+            const hash2 = await hashPassword("testpassword");
+            assert.notEqual(hash1, hash2);
+        });
+    });
+
+    describe("verifyPassword", () => {
+        it("returns true for correct password", async () => {
+            const hash = await hashPassword("correctpassword");
+            const result = await verifyPassword("correctpassword", hash);
+            assert.equal(result, true);
+        });
+
+        it("returns false for incorrect password", async () => {
+            const hash = await hashPassword("correctpassword");
+            const result = await verifyPassword("wrongpassword", hash);
+            assert.equal(result, false);
+        });
+
+        it("throws for invalid hash format", async () => {
+            await assert.rejects(
+                verifyPassword("password", "invalid-hash"),
+                /Invalid password hash format/,
+            );
+        });
+
+        it("throws for non-scrypt hash", async () => {
+            await assert.rejects(
+                verifyPassword("password", "$bcrypt$10$salt$hash"),
+                /Invalid password hash format/,
+            );
+        });
+
+        it("works with empty password", async () => {
+            const hash = await hashPassword("");
+            const result = await verifyPassword("", hash);
+            assert.equal(result, true);
+        });
+
+        it("works with unicode password", async () => {
+            const hash = await hashPassword("p@$$w0rd\u{1F511}");
+            const result = await verifyPassword("p@$$w0rd\u{1F511}", hash);
+            assert.equal(result, true);
+        });
+
+        it("is case sensitive", async () => {
+            const hash = await hashPassword("Password");
+            const result = await verifyPassword("password", hash);
+            assert.equal(result, false);
+        });
+    });
+});

backend/diachron/auth/password.ts

@@ -0,0 +1,70 @@
+// password.ts
+//
+// Password hashing using Node.js scrypt (no external dependencies).
+// Format: $scrypt$N$r$p$salt$hash (all base64)
+
+import {
+    randomBytes,
+    type ScryptOptions,
+    scrypt,
+    timingSafeEqual,
+} from "node:crypto";
+
+// Configuration
+const SALT_LENGTH = 32;
+const KEY_LENGTH = 64;
+const SCRYPT_PARAMS: ScryptOptions = {
+    N: 16384, // CPU/memory cost parameter (2^14)
+    r: 8, // Block size
+    p: 1, // Parallelization
+};
+
+// Promisified scrypt with options support
+function scryptAsync(
+    password: string,
+    salt: Buffer,
+    keylen: number,
+    options: ScryptOptions,
+): Promise<Buffer> {
+    return new Promise((resolve, reject) => {
+        scrypt(password, salt, keylen, options, (err, derivedKey) => {
+            if (err) {
+                reject(err);
+            } else {
+                resolve(derivedKey);
+            }
+        });
+    });
+}
+
+async function hashPassword(password: string): Promise<string> {
+    const salt = randomBytes(SALT_LENGTH);
+    const hash = await scryptAsync(password, salt, KEY_LENGTH, SCRYPT_PARAMS);
+
+    const { N, r, p } = SCRYPT_PARAMS;
+    return `$scrypt$${N}$${r}$${p}$${salt.toString("base64")}$${hash.toString("base64")}`;
+}
+
+async function verifyPassword(
+    password: string,
+    stored: string,
+): Promise<boolean> {
+    const parts = stored.split("$");
+    if (parts[1] !== "scrypt" || parts.length !== 7) {
+        throw new Error("Invalid password hash format");
+    }
+
+    const [, , nStr, rStr, pStr, saltB64, hashB64] = parts;
+    const salt = Buffer.from(saltB64, "base64");
+    const storedHash = Buffer.from(hashB64, "base64");
+
+    const computedHash = await scryptAsync(password, salt, storedHash.length, {
+        N: parseInt(nStr, 10),
+        r: parseInt(rStr, 10),
+        p: parseInt(pStr, 10),
+    });
+
+    return timingSafeEqual(storedHash, computedHash);
+}
+
+export { hashPassword, verifyPassword };

backend/diachron/auth/routes.ts

@@ -0,0 +1,231 @@
+// routes.ts
+//
+// Authentication route handlers.
+
+import { z } from "zod";
+import { contentTypes } from "../content-types";
+import { httpCodes } from "../http-codes";
+import { request } from "../request";
+import type { Call, Result, Route } from "../types";
+import {
+    forgotPasswordInputParser,
+    loginInputParser,
+    registerInputParser,
+    resetPasswordInputParser,
+} from "./types";
+
+// Helper for JSON responses
+const jsonResponse = (
+    code: (typeof httpCodes.success)[keyof typeof httpCodes.success],
+    data: object,
+): Result => ({
+    code,
+    contentType: contentTypes.application.json,
+    result: JSON.stringify(data),
+});
+
+const errorResponse = (
+    code: (typeof httpCodes.clientErrors)[keyof typeof httpCodes.clientErrors],
+    error: string,
+): Result => ({
+    code,
+    contentType: contentTypes.application.json,
+    result: JSON.stringify({ error }),
+});
+
+// POST /auth/login
+const loginHandler = async (call: Call): Promise<Result> => {
+    try {
+        const body = call.request.body;
+        const { email, password } = loginInputParser.parse(body);
+
+        const result = await request.auth.login(email, password, "cookie", {
+            userAgent: call.request.get("User-Agent"),
+            ipAddress: call.request.ip,
+        });
+
+        if (!result.success) {
+            return errorResponse(
+                httpCodes.clientErrors.Unauthorized,
+                result.error,
+            );
+        }
+
+        return jsonResponse(httpCodes.success.OK, {
+            token: result.token,
+            user: {
+                id: result.user.id,
+                email: result.user.email,
+                displayName: result.user.displayName,
+            },
+        });
+    } catch (error) {
+        if (error instanceof z.ZodError) {
+            return errorResponse(
+                httpCodes.clientErrors.BadRequest,
+                "Invalid input",
+            );
+        }
+        throw error;
+    }
+};
+
+// POST /auth/logout
+const logoutHandler = async (call: Call): Promise<Result> => {
+    const token = request.auth.extractToken(call.request);
+    if (token) {
+        await request.auth.logout(token);
+    }
+
+    return jsonResponse(httpCodes.success.OK, { message: "Logged out" });
+};
+
+// POST /auth/register
+const registerHandler = async (call: Call): Promise<Result> => {
+    try {
+        const body = call.request.body;
+        const { email, password, displayName } =
+            registerInputParser.parse(body);
+
+        const result = await request.auth.register(
+            email,
+            password,
+            displayName,
+        );
+
+        if (!result.success) {
+            return errorResponse(httpCodes.clientErrors.Conflict, result.error);
+        }
+
+        // TODO: Send verification email with result.verificationToken
+        // For now, log it for development
+        console.log(
+            `[AUTH] Verification token for ${email}: ${result.verificationToken}`,
+        );
+
+        return jsonResponse(httpCodes.success.Created, {
+            message:
+                "Registration successful. Please check your email to verify your account.",
+            user: {
+                id: result.user.id,
+                email: result.user.email,
+            },
+        });
+    } catch (error) {
+        if (error instanceof z.ZodError) {
+            return errorResponse(
+                httpCodes.clientErrors.BadRequest,
+                "Invalid input",
+            );
+        }
+        throw error;
+    }
+};
+
+// POST /auth/forgot-password
+const forgotPasswordHandler = async (call: Call): Promise<Result> => {
+    try {
+        const body = call.request.body;
+        const { email } = forgotPasswordInputParser.parse(body);
+
+        const result = await request.auth.createPasswordResetToken(email);
+
+        // Always return success (don't reveal if email exists)
+        if (result) {
+            // TODO: Send password reset email
+            console.log(
+                `[AUTH] Password reset token for ${email}: ${result.token}`,
+            );
+        }
+
+        return jsonResponse(httpCodes.success.OK, {
+            message:
+                "If an account exists with that email, a password reset link has been sent.",
+        });
+    } catch (error) {
+        if (error instanceof z.ZodError) {
+            return errorResponse(
+                httpCodes.clientErrors.BadRequest,
+                "Invalid input",
+            );
+        }
+        throw error;
+    }
+};
+
+// POST /auth/reset-password
+const resetPasswordHandler = async (call: Call): Promise<Result> => {
+    try {
+        const body = call.request.body;
+        const { token, password } = resetPasswordInputParser.parse(body);
+
+        const result = await request.auth.resetPassword(token, password);
+
+        if (!result.success) {
+            return errorResponse(
+                httpCodes.clientErrors.BadRequest,
+                result.error,
+            );
+        }
+
+        return jsonResponse(httpCodes.success.OK, {
+            message:
+                "Password has been reset. You can now log in with your new password.",
+        });
+    } catch (error) {
+        if (error instanceof z.ZodError) {
+            return errorResponse(
+                httpCodes.clientErrors.BadRequest,
+                "Invalid input",
+            );
+        }
+        throw error;
+    }
+};
+
+// GET /auth/verify-email?token=xxx
+const verifyEmailHandler = async (call: Call): Promise<Result> => {
+    const url = new URL(call.path, "http://localhost");
+    const token = url.searchParams.get("token");
+
+    if (!token) {
+        return errorResponse(
+            httpCodes.clientErrors.BadRequest,
+            "Missing token",
+        );
+    }
+
+    const result = await request.auth.verifyEmail(token);
+
+    if (!result.success) {
+        return errorResponse(httpCodes.clientErrors.BadRequest, result.error);
+    }
+
+    return jsonResponse(httpCodes.success.OK, {
+        message: "Email verified successfully. You can now log in.",
+    });
+};
+
+// Export routes
+const authRoutes: Route[] = [
+    { path: "/auth/login", methods: ["POST"], handler: loginHandler },
+    { path: "/auth/logout", methods: ["POST"], handler: logoutHandler },
+    { path: "/auth/register", methods: ["POST"], handler: registerHandler },
+    {
+        path: "/auth/forgot-password",
+        methods: ["POST"],
+        handler: forgotPasswordHandler,
+    },
+    {
+        path: "/auth/reset-password",
+        methods: ["POST"],
+        handler: resetPasswordHandler,
+    },
+    {
+        path: "/auth/verify-email",
+        methods: ["GET"],
+        handler: verifyEmailHandler,
+    },
+];
+
+export { authRoutes };

backend/diachron/auth/service.spec.ts

@@ -0,0 +1,419 @@
+// Tests for auth/service.ts
+// Uses InMemoryAuthStore - no database needed
+
+import assert from "node:assert/strict";
+import { beforeEach, describe, it } from "node:test";
+import { AuthService } from "./service";
+import { InMemoryAuthStore } from "./store";
+
+describe("AuthService", () => {
+    let store: InMemoryAuthStore;
+    let service: AuthService;
+
+    beforeEach(() => {
+        store = new InMemoryAuthStore();
+        service = new AuthService(store);
+    });
+
+    describe("register", () => {
+        it("creates a new user", async () => {
+            const result = await service.register(
+                "test@example.com",
+                "password123",
+                "Test User",
+            );
+
+            assert.equal(result.success, true);
+            if (result.success) {
+                assert.equal(result.user.email, "test@example.com");
+                assert.equal(result.user.displayName, "Test User");
+                assert.ok(result.verificationToken.length > 0);
+            }
+        });
+
+        it("fails when email already registered", async () => {
+            await service.register("test@example.com", "password123");
+            const result = await service.register(
+                "test@example.com",
+                "password456",
+            );
+
+            assert.equal(result.success, false);
+            if (!result.success) {
+                assert.equal(result.error, "Email already registered");
+            }
+        });
+
+        it("creates user without displayName", async () => {
+            const result = await service.register(
+                "test@example.com",
+                "password123",
+            );
+
+            assert.equal(result.success, true);
+            if (result.success) {
+                assert.equal(result.user.displayName, undefined);
+            }
+        });
+    });
+
+    describe("login", () => {
+        beforeEach(async () => {
+            // Create and verify a user
+            const result = await service.register(
+                "test@example.com",
+                "password123",
+                "Test User",
+            );
+            if (result.success) {
+                // Verify email to activate user
+                await service.verifyEmail(result.verificationToken);
+            }
+        });
+
+        it("succeeds with correct credentials", async () => {
+            const result = await service.login(
+                "test@example.com",
+                "password123",
+                "cookie",
+            );
+
+            assert.equal(result.success, true);
+            if (result.success) {
+                assert.ok(result.token.length > 0);
+                assert.equal(result.user.email, "test@example.com");
+            }
+        });
+
+        it("fails with wrong password", async () => {
+            const result = await service.login(
+                "test@example.com",
+                "wrongpassword",
+                "cookie",
+            );
+
+            assert.equal(result.success, false);
+            if (!result.success) {
+                assert.equal(result.error, "Invalid credentials");
+            }
+        });
+
+        it("fails with unknown email", async () => {
+            const result = await service.login(
+                "unknown@example.com",
+                "password123",
+                "cookie",
+            );
+
+            assert.equal(result.success, false);
+            if (!result.success) {
+                assert.equal(result.error, "Invalid credentials");
+            }
+        });
+
+        it("fails for inactive user", async () => {
+            // Create a user but don't verify email (stays pending)
+            await service.register("pending@example.com", "password123");
+
+            const result = await service.login(
+                "pending@example.com",
+                "password123",
+                "cookie",
+            );
+
+            assert.equal(result.success, false);
+            if (!result.success) {
+                assert.equal(result.error, "Account is not active");
+            }
+        });
+
+        it("stores metadata", async () => {
+            const result = await service.login(
+                "test@example.com",
+                "password123",
+                "cookie",
+                { userAgent: "TestAgent", ipAddress: "192.168.1.1" },
+            );
+
+            assert.equal(result.success, true);
+        });
+    });
+
+    describe("validateToken", () => {
+        let token: string;
+
+        beforeEach(async () => {
+            const regResult = await service.register(
+                "test@example.com",
+                "password123",
+            );
+            if (regResult.success) {
+                await service.verifyEmail(regResult.verificationToken);
+            }
+
+            const loginResult = await service.login(
+                "test@example.com",
+                "password123",
+                "cookie",
+            );
+            if (loginResult.success) {
+                token = loginResult.token;
+            }
+        });
+
+        it("returns authenticated for valid token", async () => {
+            const result = await service.validateToken(token);
+
+            assert.equal(result.authenticated, true);
+            if (result.authenticated) {
+                assert.equal(result.user.email, "test@example.com");
+                assert.notEqual(result.session, null);
+            }
+        });
+
+        it("returns unauthenticated for invalid token", async () => {
+            const result = await service.validateToken("invalid-token");
+
+            assert.equal(result.authenticated, false);
+            assert.equal(result.user.isAnonymous(), true);
+            assert.equal(result.session, null);
+        });
+    });
+
+    describe("logout", () => {
+        it("invalidates the session", async () => {
+            const regResult = await service.register(
+                "test@example.com",
+                "password123",
+            );
+            if (regResult.success) {
+                await service.verifyEmail(regResult.verificationToken);
+            }
+
+            const loginResult = await service.login(
+                "test@example.com",
+                "password123",
+                "cookie",
+            );
+            assert.equal(loginResult.success, true);
+            if (!loginResult.success) return;
+
+            const token = loginResult.token;
+
+            // Token should be valid before logout
+            const beforeLogout = await service.validateToken(token);
+            assert.equal(beforeLogout.authenticated, true);
+
+            // Logout
+            await service.logout(token);
+
+            // Token should be invalid after logout
+            const afterLogout = await service.validateToken(token);
+            assert.equal(afterLogout.authenticated, false);
+        });
+    });
+
+    describe("logoutAllSessions", () => {
+        it("invalidates all user sessions", async () => {
+            const regResult = await service.register(
+                "test@example.com",
+                "password123",
+            );
+            if (regResult.success) {
+                await service.verifyEmail(regResult.verificationToken);
+            }
+
+            // Create multiple sessions
+            const login1 = await service.login(
+                "test@example.com",
+                "password123",
+                "cookie",
+            );
+            const login2 = await service.login(
+                "test@example.com",
+                "password123",
+                "bearer",
+            );
+
+            assert.equal(login1.success, true);
+            assert.equal(login2.success, true);
+            if (!login1.success || !login2.success) return;
+
+            // Both should be valid
+            const before1 = await service.validateToken(login1.token);
+            const before2 = await service.validateToken(login2.token);
+            assert.equal(before1.authenticated, true);
+            assert.equal(before2.authenticated, true);
+
+            // Logout all
+            const user = await store.getUserByEmail("test@example.com");
+            const count = await service.logoutAllSessions(user!.id);
+            assert.equal(count, 2);
+
+            // Both should be invalid
+            const after1 = await service.validateToken(login1.token);
+            const after2 = await service.validateToken(login2.token);
+            assert.equal(after1.authenticated, false);
+            assert.equal(after2.authenticated, false);
+        });
+    });
+
+    describe("verifyEmail", () => {
+        it("activates user with valid token", async () => {
+            const regResult = await service.register(
+                "test@example.com",
+                "password123",
+            );
+            assert.equal(regResult.success, true);
+            if (!regResult.success) return;
+
+            const result = await service.verifyEmail(
+                regResult.verificationToken,
+            );
+            assert.equal(result.success, true);
+
+            // User should now be active and can login
+            const loginResult = await service.login(
+                "test@example.com",
+                "password123",
+                "cookie",
+            );
+            assert.equal(loginResult.success, true);
+        });
+
+        it("fails with invalid token", async () => {
+            const result = await service.verifyEmail("invalid-token");
+
+            assert.equal(result.success, false);
+            if (!result.success) {
+                assert.equal(
+                    result.error,
+                    "Invalid or expired verification token",
+                );
+            }
+        });
+
+        it("fails when token already used", async () => {
+            const regResult = await service.register(
+                "test@example.com",
+                "password123",
+            );
+            assert.equal(regResult.success, true);
+            if (!regResult.success) return;
+
+            // First verification succeeds
+            const result1 = await service.verifyEmail(
+                regResult.verificationToken,
+            );
+            assert.equal(result1.success, true);
+
+            // Second verification fails (token deleted)
+            const result2 = await service.verifyEmail(
+                regResult.verificationToken,
+            );
+            assert.equal(result2.success, false);
+        });
+    });
+
+    describe("createPasswordResetToken", () => {
+        it("returns token for existing user", async () => {
+            const regResult = await service.register(
+                "test@example.com",
+                "password123",
+            );
+            assert.equal(regResult.success, true);
+
+            const result =
+                await service.createPasswordResetToken("test@example.com");
+            assert.notEqual(result, null);
+            assert.ok(result!.token.length > 0);
+        });
+
+        it("returns null for unknown email", async () => {
+            const result = await service.createPasswordResetToken(
+                "unknown@example.com",
+            );
+            assert.equal(result, null);
+        });
+    });
+
+    describe("resetPassword", () => {
+        it("changes password with valid token", async () => {
+            const regResult = await service.register(
+                "test@example.com",
+                "oldpassword",
+            );
+            if (regResult.success) {
+                await service.verifyEmail(regResult.verificationToken);
+            }
+
+            const resetToken =
+                await service.createPasswordResetToken("test@example.com");
+            assert.notEqual(resetToken, null);
+
+            const result = await service.resetPassword(
+                resetToken!.token,
+                "newpassword",
+            );
+            assert.equal(result.success, true);
+
+            // Old password should no longer work
+            const loginOld = await service.login(
+                "test@example.com",
+                "oldpassword",
+                "cookie",
+            );
+            assert.equal(loginOld.success, false);
+
+            // New password should work
+            const loginNew = await service.login(
+                "test@example.com",
+                "newpassword",
+                "cookie",
+            );
+            assert.equal(loginNew.success, true);
+        });
+
+        it("fails with invalid token", async () => {
+            const result = await service.resetPassword(
+                "invalid-token",
+                "newpassword",
+            );
+
+            assert.equal(result.success, false);
+            if (!result.success) {
+                assert.equal(result.error, "Invalid or expired reset token");
+            }
+        });
+
+        it("invalidates all existing sessions", async () => {
+            const regResult = await service.register(
+                "test@example.com",
+                "password123",
+            );
+            if (regResult.success) {
+                await service.verifyEmail(regResult.verificationToken);
+            }
+
+            // Create a session
+            const loginResult = await service.login(
+                "test@example.com",
+                "password123",
+                "cookie",
+            );
+            assert.equal(loginResult.success, true);
+            if (!loginResult.success) return;
+
+            const sessionToken = loginResult.token;
+
+            // Reset password
+            const resetToken =
+                await service.createPasswordResetToken("test@example.com");
+            await service.resetPassword(resetToken!.token, "newpassword");
+
+            // Old session should be invalid
+            const validateResult = await service.validateToken(sessionToken);
+            assert.equal(validateResult.authenticated, false);
+        });
+    });
+});

backend/diachron/auth/service.ts

@@ -0,0 +1,262 @@
+// service.ts
+//
+// Core authentication service providing login, logout, registration,
+// password reset, and email verification.
+
+import type { Request as ExpressRequest } from "express";
+import {
+    type AnonymousUser,
+    anonymousUser,
+    type User,
+    type UserId,
+} from "../user";
+import { hashPassword, verifyPassword } from "./password";
+import type { AuthStore } from "./store";
+import {
+    hashToken,
+    parseAuthorizationHeader,
+    SESSION_COOKIE_NAME,
+} from "./token";
+import { type SessionData, type TokenId, tokenLifetimes } from "./types";
+
+type LoginResult =
+    | { success: true; token: string; user: User }
+    | { success: false; error: string };
+
+type RegisterResult =
+    | { success: true; user: User; verificationToken: string }
+    | { success: false; error: string };
+
+type SimpleResult = { success: true } | { success: false; error: string };
+
+// Result of validating a request/token - contains both user and session
+export type AuthResult =
+    | { authenticated: true; user: User; session: SessionData }
+    | { authenticated: false; user: AnonymousUser; session: null };
+
+export class AuthService {
+    constructor(private store: AuthStore) {}
+
+    // === Login ===
+
+    async login(
+        email: string,
+        password: string,
+        authMethod: "cookie" | "bearer",
+        metadata?: { userAgent?: string; ipAddress?: string },
+    ): Promise<LoginResult> {
+        const user = await this.store.getUserByEmail(email);
+        if (!user) {
+            return { success: false, error: "Invalid credentials" };
+        }
+
+        if (!user.isActive()) {
+            return { success: false, error: "Account is not active" };
+        }
+
+        const passwordHash = await this.store.getUserPasswordHash(user.id);
+        if (!passwordHash) {
+            return { success: false, error: "Invalid credentials" };
+        }
+
+        const valid = await verifyPassword(password, passwordHash);
+        if (!valid) {
+            return { success: false, error: "Invalid credentials" };
+        }
+
+        const { token } = await this.store.createSession({
+            userId: user.id,
+            tokenType: "session",
+            authMethod,
+            expiresAt: new Date(Date.now() + tokenLifetimes.session),
+            userAgent: metadata?.userAgent,
+            ipAddress: metadata?.ipAddress,
+        });
+
+        return { success: true, token, user };
+    }
+
+    // === Session Validation ===
+
+    async validateRequest(request: ExpressRequest): Promise<AuthResult> {
+        // Try cookie first (for web requests)
+        let token = this.extractCookieToken(request);
+
+        // Fall back to Authorization header (for API requests)
+        if (!token) {
+            token = parseAuthorizationHeader(request.get("Authorization"));
+        }
+
+        if (!token) {
+            return { authenticated: false, user: anonymousUser, session: null };
+        }
+
+        return this.validateToken(token);
+    }
+
+    async validateToken(token: string): Promise<AuthResult> {
+        const tokenId = hashToken(token) as TokenId;
+        const session = await this.store.getSession(tokenId);
+
+        if (!session) {
+            return { authenticated: false, user: anonymousUser, session: null };
+        }
+
+        if (session.tokenType !== "session") {
+            return { authenticated: false, user: anonymousUser, session: null };
+        }
+
+        const user = await this.store.getUserById(session.userId as UserId);
+        if (!user || !user.isActive()) {
+            return { authenticated: false, user: anonymousUser, session: null };
+        }
+
+        // Update last used (fire and forget)
+        this.store.updateLastUsed(tokenId).catch(() => {});
+
+        return { authenticated: true, user, session };
+    }
+
+    private extractCookieToken(request: ExpressRequest): string | null {
+        const cookies = request.get("Cookie");
+        if (!cookies) {
+            return null;
+        }
+
+        for (const cookie of cookies.split(";")) {
+            const [name, ...valueParts] = cookie.trim().split("=");
+            if (name === SESSION_COOKIE_NAME) {
+                return valueParts.join("="); // Handle = in token value
+            }
+        }
+        return null;
+    }
+
+    // === Logout ===
+
+    async logout(token: string): Promise<void> {
+        const tokenId = hashToken(token) as TokenId;
+        await this.store.deleteSession(tokenId);
+    }
+
+    async logoutAllSessions(userId: UserId): Promise<number> {
+        return this.store.deleteUserSessions(userId);
+    }
+
+    // === Registration ===
+
+    async register(
+        email: string,
+        password: string,
+        displayName?: string,
+    ): Promise<RegisterResult> {
+        const existing = await this.store.getUserByEmail(email);
+        if (existing) {
+            return { success: false, error: "Email already registered" };
+        }
+
+        const passwordHash = await hashPassword(password);
+        const user = await this.store.createUser({
+            email,
+            passwordHash,
+            displayName,
+        });
+
+        // Create email verification token
+        const { token: verificationToken } = await this.store.createSession({
+            userId: user.id,
+            tokenType: "email_verify",
+            authMethod: "bearer",
+            expiresAt: new Date(Date.now() + tokenLifetimes.email_verify),
+        });
+
+        return { success: true, user, verificationToken };
+    }
+
+    // === Email Verification ===
+
+    async verifyEmail(token: string): Promise<SimpleResult> {
+        const tokenId = hashToken(token) as TokenId;
+        const session = await this.store.getSession(tokenId);
+
+        if (!session || session.tokenType !== "email_verify") {
+            return {
+                success: false,
+                error: "Invalid or expired verification token",
+            };
+        }
+
+        if (session.isUsed) {
+            return { success: false, error: "Token already used" };
+        }
+
+        await this.store.updateUserEmailVerified(session.userId as UserId);
+        await this.store.deleteSession(tokenId);
+
+        return { success: true };
+    }
+
+    // === Password Reset ===
+
+    async createPasswordResetToken(
+        email: string,
+    ): Promise<{ token: string } | null> {
+        const user = await this.store.getUserByEmail(email);
+        if (!user) {
+            // Don't reveal whether email exists
+            return null;
+        }
+
+        const { token } = await this.store.createSession({
+            userId: user.id,
+            tokenType: "password_reset",
+            authMethod: "bearer",
+            expiresAt: new Date(Date.now() + tokenLifetimes.password_reset),
+        });
+
+        return { token };
+    }
+
+    async resetPassword(
+        token: string,
+        newPassword: string,
+    ): Promise<SimpleResult> {
+        const tokenId = hashToken(token) as TokenId;
+        const session = await this.store.getSession(tokenId);
+
+        if (!session || session.tokenType !== "password_reset") {
+            return { success: false, error: "Invalid or expired reset token" };
+        }
+
+        if (session.isUsed) {
+            return { success: false, error: "Token already used" };
+        }
+
+        const passwordHash = await hashPassword(newPassword);
+        await this.store.setUserPassword(
+            session.userId as UserId,
+            passwordHash,
+        );
+
+        // Invalidate all existing sessions (security: password changed)
+        await this.store.deleteUserSessions(session.userId as UserId);
+
+        // Delete the reset token
+        await this.store.deleteSession(tokenId);
+
+        return { success: true };
+    }
+
+    // === Token Extraction Helper (for routes) ===
+
+    extractToken(request: ExpressRequest): string | null {
+        // Try Authorization header first
+        const token = parseAuthorizationHeader(request.get("Authorization"));
+        if (token) {
+            return token;
+        }
+
+        // Try cookie
+        return this.extractCookieToken(request);
+    }
+}

backend/diachron/auth/store.spec.ts

@@ -0,0 +1,321 @@
+// Tests for auth/store.ts (InMemoryAuthStore)
+// Pure unit tests - no database needed
+
+import assert from "node:assert/strict";
+import { after, before, beforeEach, describe, it } from "node:test";
+import type { UserId } from "../user";
+import { InMemoryAuthStore } from "./store";
+import { hashToken } from "./token";
+import type { TokenId } from "./types";
+
+describe("InMemoryAuthStore", () => {
+    let store: InMemoryAuthStore;
+
+    beforeEach(() => {
+        store = new InMemoryAuthStore();
+    });
+
+    describe("createUser", () => {
+        it("creates a user with pending status", async () => {
+            const user = await store.createUser({
+                email: "test@example.com",
+                passwordHash: "hash123",
+                displayName: "Test User",
+            });
+
+            assert.equal(user.email, "test@example.com");
+            assert.equal(user.displayName, "Test User");
+            assert.equal(user.status, "pending");
+        });
+
+        it("creates a user without displayName", async () => {
+            const user = await store.createUser({
+                email: "test@example.com",
+                passwordHash: "hash123",
+            });
+
+            assert.equal(user.email, "test@example.com");
+            assert.equal(user.displayName, undefined);
+        });
+
+        it("generates a unique id", async () => {
+            const user1 = await store.createUser({
+                email: "test1@example.com",
+                passwordHash: "hash123",
+            });
+            const user2 = await store.createUser({
+                email: "test2@example.com",
+                passwordHash: "hash456",
+            });
+
+            assert.notEqual(user1.id, user2.id);
+        });
+    });
+
+    describe("getUserByEmail", () => {
+        it("returns user when found", async () => {
+            await store.createUser({
+                email: "test@example.com",
+                passwordHash: "hash123",
+            });
+
+            const user = await store.getUserByEmail("test@example.com");
+            assert.notEqual(user, null);
+            assert.equal(user!.email, "test@example.com");
+        });
+
+        it("is case-insensitive", async () => {
+            await store.createUser({
+                email: "Test@Example.COM",
+                passwordHash: "hash123",
+            });
+
+            const user = await store.getUserByEmail("test@example.com");
+            assert.notEqual(user, null);
+        });
+
+        it("returns null when not found", async () => {
+            const user = await store.getUserByEmail("notfound@example.com");
+            assert.equal(user, null);
+        });
+    });
+
+    describe("getUserById", () => {
+        it("returns user when found", async () => {
+            const created = await store.createUser({
+                email: "test@example.com",
+                passwordHash: "hash123",
+            });
+
+            const user = await store.getUserById(created.id);
+            assert.notEqual(user, null);
+            assert.equal(user!.id, created.id);
+        });
+
+        it("returns null when not found", async () => {
+            const user = await store.getUserById("nonexistent" as UserId);
+            assert.equal(user, null);
+        });
+    });
+
+    describe("getUserPasswordHash", () => {
+        it("returns hash when found", async () => {
+            const user = await store.createUser({
+                email: "test@example.com",
+                passwordHash: "hash123",
+            });
+
+            const hash = await store.getUserPasswordHash(user.id);
+            assert.equal(hash, "hash123");
+        });
+
+        it("returns null when not found", async () => {
+            const hash = await store.getUserPasswordHash(
+                "nonexistent" as UserId,
+            );
+            assert.equal(hash, null);
+        });
+    });
+
+    describe("setUserPassword", () => {
+        it("updates password hash", async () => {
+            const user = await store.createUser({
+                email: "test@example.com",
+                passwordHash: "oldhash",
+            });
+
+            await store.setUserPassword(user.id, "newhash");
+
+            const hash = await store.getUserPasswordHash(user.id);
+            assert.equal(hash, "newhash");
+        });
+    });
+
+    describe("updateUserEmailVerified", () => {
+        it("sets user status to active", async () => {
+            const created = await store.createUser({
+                email: "test@example.com",
+                passwordHash: "hash123",
+            });
+            assert.equal(created.status, "pending");
+
+            await store.updateUserEmailVerified(created.id);
+
+            const user = await store.getUserById(created.id);
+            assert.equal(user!.status, "active");
+        });
+    });
+
+    describe("createSession", () => {
+        it("creates a session with token", async () => {
+            const user = await store.createUser({
+                email: "test@example.com",
+                passwordHash: "hash123",
+            });
+
+            const { token, session } = await store.createSession({
+                userId: user.id,
+                tokenType: "session",
+                authMethod: "cookie",
+                expiresAt: new Date(Date.now() + 3600000),
+            });
+
+            assert.ok(token.length > 0);
+            assert.equal(session.userId, user.id);
+            assert.equal(session.tokenType, "session");
+            assert.equal(session.authMethod, "cookie");
+        });
+
+        it("stores metadata", async () => {
+            const user = await store.createUser({
+                email: "test@example.com",
+                passwordHash: "hash123",
+            });
+
+            const { session } = await store.createSession({
+                userId: user.id,
+                tokenType: "session",
+                authMethod: "cookie",
+                expiresAt: new Date(Date.now() + 3600000),
+                userAgent: "Mozilla/5.0",
+                ipAddress: "127.0.0.1",
+            });
+
+            assert.equal(session.userAgent, "Mozilla/5.0");
+            assert.equal(session.ipAddress, "127.0.0.1");
+        });
+    });
+
+    describe("getSession", () => {
+        it("returns session when found and not expired", async () => {
+            const user = await store.createUser({
+                email: "test@example.com",
+                passwordHash: "hash123",
+            });
+
+            const { token } = await store.createSession({
+                userId: user.id,
+                tokenType: "session",
+                authMethod: "cookie",
+                expiresAt: new Date(Date.now() + 3600000), // 1 hour from now
+            });
+
+            const tokenId = hashToken(token) as TokenId;
+            const session = await store.getSession(tokenId);
+            assert.notEqual(session, null);
+            assert.equal(session!.userId, user.id);
+        });
+
+        it("returns null for expired session", async () => {
+            const user = await store.createUser({
+                email: "test@example.com",
+                passwordHash: "hash123",
+            });
+
+            const { token } = await store.createSession({
+                userId: user.id,
+                tokenType: "session",
+                authMethod: "cookie",
+                expiresAt: new Date(Date.now() - 1000), // Expired 1 second ago
+            });
+
+            const tokenId = hashToken(token) as TokenId;
+            const session = await store.getSession(tokenId);
+            assert.equal(session, null);
+        });
+
+        it("returns null for nonexistent session", async () => {
+            const session = await store.getSession("nonexistent" as TokenId);
+            assert.equal(session, null);
+        });
+    });
+
+    describe("deleteSession", () => {
+        it("removes the session", async () => {
+            const user = await store.createUser({
+                email: "test@example.com",
+                passwordHash: "hash123",
+            });
+
+            const { token } = await store.createSession({
+                userId: user.id,
+                tokenType: "session",
+                authMethod: "cookie",
+                expiresAt: new Date(Date.now() + 3600000),
+            });
+
+            const tokenId = hashToken(token) as TokenId;
+            await store.deleteSession(tokenId);
+
+            const session = await store.getSession(tokenId);
+            assert.equal(session, null);
+        });
+    });
+
+    describe("deleteUserSessions", () => {
+        it("removes all sessions for user", async () => {
+            const user = await store.createUser({
+                email: "test@example.com",
+                passwordHash: "hash123",
+            });
+
+            const { token: token1 } = await store.createSession({
+                userId: user.id,
+                tokenType: "session",
+                authMethod: "cookie",
+                expiresAt: new Date(Date.now() + 3600000),
+            });
+
+            const { token: token2 } = await store.createSession({
+                userId: user.id,
+                tokenType: "session",
+                authMethod: "bearer",
+                expiresAt: new Date(Date.now() + 3600000),
+            });
+
+            const count = await store.deleteUserSessions(user.id);
+            assert.equal(count, 2);
+
+            const session1 = await store.getSession(
+                hashToken(token1) as TokenId,
+            );
+            const session2 = await store.getSession(
+                hashToken(token2) as TokenId,
+            );
+            assert.equal(session1, null);
+            assert.equal(session2, null);
+        });
+
+        it("returns 0 when user has no sessions", async () => {
+            const count = await store.deleteUserSessions(
+                "nonexistent" as UserId,
+            );
+            assert.equal(count, 0);
+        });
+    });
+
+    describe("updateLastUsed", () => {
+        it("updates lastUsedAt timestamp", async () => {
+            const user = await store.createUser({
+                email: "test@example.com",
+                passwordHash: "hash123",
+            });
+
+            const { token } = await store.createSession({
+                userId: user.id,
+                tokenType: "session",
+                authMethod: "cookie",
+                expiresAt: new Date(Date.now() + 3600000),
+            });
+
+            const tokenId = hashToken(token) as TokenId;
+            const beforeUpdate = await store.getSession(tokenId);
+            assert.equal(beforeUpdate!.lastUsedAt, undefined);
+
+            await store.updateLastUsed(tokenId);
+
+            const afterUpdate = await store.getSession(tokenId);
+            assert.ok(afterUpdate!.lastUsedAt instanceof Date);
+        });
+    });
+});

backend/diachron/auth/store.ts

@@ -0,0 +1,164 @@
+// store.ts
+//
+// Authentication storage interface and in-memory implementation.
+// The interface allows easy migration to PostgreSQL later.
+
+import { AuthenticatedUser, type User, type UserId } from "../user";
+import { generateToken, hashToken } from "./token";
+import type { AuthMethod, SessionData, TokenId, TokenType } from "./types";
+
+// Data for creating a new session (tokenId generated internally)
+export type CreateSessionData = {
+    userId: string;
+    tokenType: TokenType;
+    authMethod: AuthMethod;
+    expiresAt: Date;
+    userAgent?: string;
+    ipAddress?: string;
+};
+
+// Data for creating a new user
+export type CreateUserData = {
+    email: string;
+    passwordHash: string;
+    displayName?: string;
+};
+
+// Abstract interface for auth storage - implement for PostgreSQL later
+export interface AuthStore {
+    // Session operations
+    createSession(
+        data: CreateSessionData,
+    ): Promise<{ token: string; session: SessionData }>;
+    getSession(tokenId: TokenId): Promise<SessionData | null>;
+    updateLastUsed(tokenId: TokenId): Promise<void>;
+    deleteSession(tokenId: TokenId): Promise<void>;
+    deleteUserSessions(userId: UserId): Promise<number>;
+
+    // User operations
+    getUserByEmail(email: string): Promise<User | null>;
+    getUserById(userId: UserId): Promise<User | null>;
+    createUser(data: CreateUserData): Promise<User>;
+    getUserPasswordHash(userId: UserId): Promise<string | null>;
+    setUserPassword(userId: UserId, passwordHash: string): Promise<void>;
+    updateUserEmailVerified(userId: UserId): Promise<void>;
+}
+
+// In-memory implementation for development
+export class InMemoryAuthStore implements AuthStore {
+    private sessions: Map<string, SessionData> = new Map();
+    private users: Map<string, User> = new Map();
+    private usersByEmail: Map<string, string> = new Map();
+    private passwordHashes: Map<string, string> = new Map();
+    private emailVerified: Map<string, boolean> = new Map();
+
+    async createSession(
+        data: CreateSessionData,
+    ): Promise<{ token: string; session: SessionData }> {
+        const token = generateToken();
+        const tokenId = hashToken(token);
+
+        const session: SessionData = {
+            tokenId,
+            userId: data.userId,
+            tokenType: data.tokenType,
+            authMethod: data.authMethod,
+            createdAt: new Date(),
+            expiresAt: data.expiresAt,
+            userAgent: data.userAgent,
+            ipAddress: data.ipAddress,
+        };
+
+        this.sessions.set(tokenId, session);
+        return { token, session };
+    }
+
+    async getSession(tokenId: TokenId): Promise<SessionData | null> {
+        const session = this.sessions.get(tokenId);
+        if (!session) {
+            return null;
+        }
+
+        // Check expiration
+        if (new Date() > session.expiresAt) {
+            this.sessions.delete(tokenId);
+            return null;
+        }
+
+        return session;
+    }
+
+    async updateLastUsed(tokenId: TokenId): Promise<void> {
+        const session = this.sessions.get(tokenId);
+        if (session) {
+            session.lastUsedAt = new Date();
+        }
+    }
+
+    async deleteSession(tokenId: TokenId): Promise<void> {
+        this.sessions.delete(tokenId);
+    }
+
+    async deleteUserSessions(userId: UserId): Promise<number> {
+        let count = 0;
+        for (const [tokenId, session] of this.sessions) {
+            if (session.userId === userId) {
+                this.sessions.delete(tokenId);
+                count++;
+            }
+        }
+        return count;
+    }
+
+    async getUserByEmail(email: string): Promise<User | null> {
+        const userId = this.usersByEmail.get(email.toLowerCase());
+        if (!userId) {
+            return null;
+        }
+        return this.users.get(userId) ?? null;
+    }
+
+    async getUserById(userId: UserId): Promise<User | null> {
+        return this.users.get(userId) ?? null;
+    }
+
+    async createUser(data: CreateUserData): Promise<User> {
+        const user = AuthenticatedUser.create(data.email, {
+            displayName: data.displayName,
+            status: "pending", // Pending until email verified
+        });
+
+        this.users.set(user.id, user);
+        this.usersByEmail.set(data.email.toLowerCase(), user.id);
+        this.passwordHashes.set(user.id, data.passwordHash);
+        this.emailVerified.set(user.id, false);
+
+        return user;
+    }
+
+    async getUserPasswordHash(userId: UserId): Promise<string | null> {
+        return this.passwordHashes.get(userId) ?? null;
+    }
+
+    async setUserPassword(userId: UserId, passwordHash: string): Promise<void> {
+        this.passwordHashes.set(userId, passwordHash);
+    }
+
+    async updateUserEmailVerified(userId: UserId): Promise<void> {
+        this.emailVerified.set(userId, true);
+
+        // Update user status to active
+        const user = this.users.get(userId);
+        if (user) {
+            // Create new user with active status
+            const updatedUser = AuthenticatedUser.create(user.email, {
+                id: user.id,
+                displayName: user.displayName,
+                status: "active",
+                roles: [...user.roles],
+                permissions: [...user.permissions],
+            });
+            this.users.set(userId, updatedUser);
+        }
+    }
+}

backend/diachron/auth/token.spec.ts

@@ -0,0 +1,94 @@
+// Tests for auth/token.ts
+// Pure unit tests - no database needed
+
+import assert from "node:assert/strict";
+import { describe, it } from "node:test";
+import {
+    generateToken,
+    hashToken,
+    parseAuthorizationHeader,
+    SESSION_COOKIE_NAME,
+} from "./token";
+
+describe("token", () => {
+    describe("generateToken", () => {
+        it("generates a non-empty string", () => {
+            const token = generateToken();
+            assert.equal(typeof token, "string");
+            assert.ok(token.length > 0);
+        });
+
+        it("generates unique tokens", () => {
+            const tokens = new Set<string>();
+            for (let i = 0; i < 100; i++) {
+                tokens.add(generateToken());
+            }
+            assert.equal(tokens.size, 100);
+        });
+
+        it("generates base64url encoded tokens", () => {
+            const token = generateToken();
+            // base64url uses A-Z, a-z, 0-9, -, _
+            assert.match(token, /^[A-Za-z0-9_-]+$/);
+        });
+    });
+
+    describe("hashToken", () => {
+        it("returns a hex string", () => {
+            const hash = hashToken("test-token");
+            assert.match(hash, /^[a-f0-9]+$/);
+        });
+
+        it("returns consistent hash for same input", () => {
+            const hash1 = hashToken("test-token");
+            const hash2 = hashToken("test-token");
+            assert.equal(hash1, hash2);
+        });
+
+        it("returns different hash for different input", () => {
+            const hash1 = hashToken("token-1");
+            const hash2 = hashToken("token-2");
+            assert.notEqual(hash1, hash2);
+        });
+
+        it("returns 64 character hash (SHA-256)", () => {
+            const hash = hashToken("test-token");
+            assert.equal(hash.length, 64);
+        });
+    });
+
+    describe("parseAuthorizationHeader", () => {
+        it("returns null for undefined header", () => {
+            assert.equal(parseAuthorizationHeader(undefined), null);
+        });
+
+        it("returns null for empty string", () => {
+            assert.equal(parseAuthorizationHeader(""), null);
+        });
+
+        it("returns null for non-bearer auth", () => {
+            assert.equal(parseAuthorizationHeader("Basic abc123"), null);
+        });
+
+        it("returns null for malformed header", () => {
+            assert.equal(parseAuthorizationHeader("Bearer"), null);
+            assert.equal(parseAuthorizationHeader("Bearer token extra"), null);
+        });
+
+        it("extracts token from valid bearer header", () => {
+            assert.equal(parseAuthorizationHeader("Bearer abc123"), "abc123");
+        });
+
+        it("is case-insensitive for Bearer keyword", () => {
+            assert.equal(parseAuthorizationHeader("bearer abc123"), "abc123");
+            assert.equal(parseAuthorizationHeader("BEARER abc123"), "abc123");
+        });
+    });
+
+    describe("SESSION_COOKIE_NAME", () => {
+        it("is defined", () => {
+            assert.equal(typeof SESSION_COOKIE_NAME, "string");
+            assert.ok(SESSION_COOKIE_NAME.length > 0);
+        });
+    });
+});

backend/diachron/auth/token.ts

@@ -0,0 +1,42 @@
+// token.ts
+//
+// Token generation and hashing utilities for authentication.
+// Raw tokens are never stored - only their SHA-256 hashes.
+
+import { createHash, randomBytes } from "node:crypto";
+
+const TOKEN_BYTES = 32; // 256 bits of entropy
+
+// Generate a cryptographically secure random token
+function generateToken(): string {
+    return randomBytes(TOKEN_BYTES).toString("base64url");
+}
+
+// Hash token for storage (never store raw tokens)
+function hashToken(token: string): string {
+    return createHash("sha256").update(token).digest("hex");
+}
+
+// Parse token from Authorization header
+function parseAuthorizationHeader(header: string | undefined): string | null {
+    if (!header) {
+        return null;
+    }
+
+    const parts = header.split(" ");
+    if (parts.length !== 2 || parts[0].toLowerCase() !== "bearer") {
+        return null;
+    }
+
+    return parts[1];
+}
+
+// Cookie name for web sessions
+const SESSION_COOKIE_NAME = "diachron_session";
+
+export {
+    generateToken,
+    hashToken,
+    parseAuthorizationHeader,
+    SESSION_COOKIE_NAME,
+};

backend/diachron/auth/types.spec.ts

@@ -0,0 +1,253 @@
+// Tests for auth/types.ts
+// Pure unit tests - no database needed
+
+import assert from "node:assert/strict";
+import { describe, it } from "node:test";
+import { z } from "zod";
+import { AuthenticatedUser, anonymousUser } from "../user";
+import {
+    authMethodParser,
+    forgotPasswordInputParser,
+    loginInputParser,
+    registerInputParser,
+    resetPasswordInputParser,
+    Session,
+    sessionDataParser,
+    tokenLifetimes,
+    tokenTypeParser,
+} from "./types";
+
+describe("auth/types", () => {
+    describe("tokenTypeParser", () => {
+        it("accepts valid token types", () => {
+            assert.equal(tokenTypeParser.parse("session"), "session");
+            assert.equal(
+                tokenTypeParser.parse("password_reset"),
+                "password_reset",
+            );
+            assert.equal(tokenTypeParser.parse("email_verify"), "email_verify");
+        });
+
+        it("rejects invalid token types", () => {
+            assert.throws(() => tokenTypeParser.parse("invalid"));
+        });
+    });
+
+    describe("authMethodParser", () => {
+        it("accepts valid auth methods", () => {
+            assert.equal(authMethodParser.parse("cookie"), "cookie");
+            assert.equal(authMethodParser.parse("bearer"), "bearer");
+        });
+
+        it("rejects invalid auth methods", () => {
+            assert.throws(() => authMethodParser.parse("basic"));
+        });
+    });
+
+    describe("sessionDataParser", () => {
+        it("accepts valid session data", () => {
+            const data = {
+                tokenId: "abc123",
+                userId: "user-1",
+                tokenType: "session",
+                authMethod: "cookie",
+                createdAt: new Date(),
+                expiresAt: new Date(),
+            };
+            const result = sessionDataParser.parse(data);
+            assert.equal(result.tokenId, "abc123");
+            assert.equal(result.userId, "user-1");
+        });
+
+        it("coerces date strings to dates", () => {
+            const data = {
+                tokenId: "abc123",
+                userId: "user-1",
+                tokenType: "session",
+                authMethod: "cookie",
+                createdAt: "2025-01-01T00:00:00Z",
+                expiresAt: "2025-01-02T00:00:00Z",
+            };
+            const result = sessionDataParser.parse(data);
+            assert.ok(result.createdAt instanceof Date);
+            assert.ok(result.expiresAt instanceof Date);
+        });
+
+        it("accepts optional fields", () => {
+            const data = {
+                tokenId: "abc123",
+                userId: "user-1",
+                tokenType: "session",
+                authMethod: "cookie",
+                createdAt: new Date(),
+                expiresAt: new Date(),
+                lastUsedAt: new Date(),
+                userAgent: "Mozilla/5.0",
+                ipAddress: "127.0.0.1",
+                isUsed: true,
+            };
+            const result = sessionDataParser.parse(data);
+            assert.equal(result.userAgent, "Mozilla/5.0");
+            assert.equal(result.ipAddress, "127.0.0.1");
+            assert.equal(result.isUsed, true);
+        });
+    });
+
+    describe("loginInputParser", () => {
+        it("accepts valid login input", () => {
+            const result = loginInputParser.parse({
+                email: "test@example.com",
+                password: "secret",
+            });
+            assert.equal(result.email, "test@example.com");
+            assert.equal(result.password, "secret");
+        });
+
+        it("rejects invalid email", () => {
+            assert.throws(() =>
+                loginInputParser.parse({
+                    email: "not-an-email",
+                    password: "secret",
+                }),
+            );
+        });
+
+        it("rejects empty password", () => {
+            assert.throws(() =>
+                loginInputParser.parse({
+                    email: "test@example.com",
+                    password: "",
+                }),
+            );
+        });
+    });
+
+    describe("registerInputParser", () => {
+        it("accepts valid registration input", () => {
+            const result = registerInputParser.parse({
+                email: "test@example.com",
+                password: "password123",
+                displayName: "Test User",
+            });
+            assert.equal(result.email, "test@example.com");
+            assert.equal(result.password, "password123");
+            assert.equal(result.displayName, "Test User");
+        });
+
+        it("accepts registration without displayName", () => {
+            const result = registerInputParser.parse({
+                email: "test@example.com",
+                password: "password123",
+            });
+            assert.equal(result.displayName, undefined);
+        });
+
+        it("rejects password shorter than 8 characters", () => {
+            assert.throws(() =>
+                registerInputParser.parse({
+                    email: "test@example.com",
+                    password: "short",
+                }),
+            );
+        });
+    });
+
+    describe("forgotPasswordInputParser", () => {
+        it("accepts valid email", () => {
+            const result = forgotPasswordInputParser.parse({
+                email: "test@example.com",
+            });
+            assert.equal(result.email, "test@example.com");
+        });
+
+        it("rejects invalid email", () => {
+            assert.throws(() =>
+                forgotPasswordInputParser.parse({
+                    email: "invalid",
+                }),
+            );
+        });
+    });
+
+    describe("resetPasswordInputParser", () => {
+        it("accepts valid reset input", () => {
+            const result = resetPasswordInputParser.parse({
+                token: "abc123",
+                password: "newpassword",
+            });
+            assert.equal(result.token, "abc123");
+            assert.equal(result.password, "newpassword");
+        });
+
+        it("rejects empty token", () => {
+            assert.throws(() =>
+                resetPasswordInputParser.parse({
+                    token: "",
+                    password: "newpassword",
+                }),
+            );
+        });
+
+        it("rejects password shorter than 8 characters", () => {
+            assert.throws(() =>
+                resetPasswordInputParser.parse({
+                    token: "abc123",
+                    password: "short",
+                }),
+            );
+        });
+    });
+
+    describe("tokenLifetimes", () => {
+        it("defines session lifetime", () => {
+            assert.ok(tokenLifetimes.session > 0);
+            // 30 days in ms
+            assert.equal(tokenLifetimes.session, 30 * 24 * 60 * 60 * 1000);
+        });
+
+        it("defines password_reset lifetime", () => {
+            assert.ok(tokenLifetimes.password_reset > 0);
+            // 1 hour in ms
+            assert.equal(tokenLifetimes.password_reset, 1 * 60 * 60 * 1000);
+        });
+
+        it("defines email_verify lifetime", () => {
+            assert.ok(tokenLifetimes.email_verify > 0);
+            // 24 hours in ms
+            assert.equal(tokenLifetimes.email_verify, 24 * 60 * 60 * 1000);
+        });
+    });
+
+    describe("Session", () => {
+        it("wraps authenticated session", () => {
+            const user = AuthenticatedUser.create("test@example.com", {
+                id: "user-1",
+            });
+            const sessionData = {
+                tokenId: "token-1",
+                userId: "user-1",
+                tokenType: "session" as const,
+                authMethod: "cookie" as const,
+                createdAt: new Date(),
+                expiresAt: new Date(),
+            };
+            const session = new Session(sessionData, user);
+
+            assert.equal(session.isAuthenticated(), true);
+            assert.equal(session.getUser(), user);
+            assert.equal(session.getData(), sessionData);
+            assert.equal(session.tokenId, "token-1");
+            assert.equal(session.userId, "user-1");
+        });
+
+        it("wraps anonymous session", () => {
+            const session = new Session(null, anonymousUser);
+
+            assert.equal(session.isAuthenticated(), false);
+            assert.equal(session.getUser(), anonymousUser);
+            assert.equal(session.getData(), null);
+            assert.equal(session.tokenId, undefined);
+            assert.equal(session.userId, undefined);
+        });
+    });
+});

backend/diachron/auth/types.ts

@@ -0,0 +1,96 @@
+// types.ts
+//
+// Authentication types and Zod schemas.
+
+import { z } from "zod";
+
+// Branded type for token IDs (the hash, not the raw token)
+export type TokenId = string & { readonly __brand: "TokenId" };
+
+// Token types for different purposes
+export const tokenTypeParser = z.enum([
+    "session",
+    "password_reset",
+    "email_verify",
+]);
+export type TokenType = z.infer<typeof tokenTypeParser>;
+
+// Authentication method - how the token was delivered
+export const authMethodParser = z.enum(["cookie", "bearer"]);
+export type AuthMethod = z.infer<typeof authMethodParser>;
+
+// Session data schema - what gets stored
+export const sessionDataParser = z.object({
+    tokenId: z.string().min(1),
+    userId: z.string().min(1),
+    tokenType: tokenTypeParser,
+    authMethod: authMethodParser,
+    createdAt: z.coerce.date(),
+    expiresAt: z.coerce.date(),
+    lastUsedAt: z.coerce.date().optional(),
+    userAgent: z.string().optional(),
+    ipAddress: z.string().optional(),
+    isUsed: z.boolean().optional(), // For one-time tokens
+});
+
+export type SessionData = z.infer<typeof sessionDataParser>;
+
+// Input validation schemas for auth endpoints
+export const loginInputParser = z.object({
+    email: z.string().email(),
+    password: z.string().min(1),
+});
+
+export const registerInputParser = z.object({
+    email: z.string().email(),
+    password: z.string().min(8),
+    displayName: z.string().optional(),
+});
+
+export const forgotPasswordInputParser = z.object({
+    email: z.string().email(),
+});
+
+export const resetPasswordInputParser = z.object({
+    token: z.string().min(1),
+    password: z.string().min(8),
+});
+
+// Token lifetimes in milliseconds
+export const tokenLifetimes: Record<TokenType, number> = {
+    session: 30 * 24 * 60 * 60 * 1000, // 30 days
+    password_reset: 1 * 60 * 60 * 1000, // 1 hour
+    email_verify: 24 * 60 * 60 * 1000, // 24 hours
+};
+
+// Import here to avoid circular dependency at module load time
+import type { User } from "../user";
+
+// Session wrapper class providing a consistent interface for handlers.
+// Always present on Call (never null), but may represent an anonymous session.
+export class Session {
+    constructor(
+        private readonly data: SessionData | null,
+        private readonly user: User,
+    ) {}
+
+    getUser(): User {
+        return this.user;
+    }
+
+    getData(): SessionData | null {
+        return this.data;
+    }
+
+    isAuthenticated(): boolean {
+        return !this.user.isAnonymous();
+    }
+
+    get tokenId(): string | undefined {
+        return this.data?.tokenId;
+    }
+
+    get userId(): string | undefined {
+        return this.data?.userId;
+    }
+}

backend/diachron/basic/login.spec.ts

@@ -0,0 +1,24 @@
+// Tests for basic/login.ts
+// These tests verify the route structure and export
+
+import assert from "node:assert/strict";
+import { describe, it } from "node:test";
+import { loginRoute } from "./login";
+
+describe("basic/login", () => {
+    describe("loginRoute", () => {
+        it("has correct path", () => {
+            assert.equal(loginRoute.path, "/login");
+        });
+
+        it("handles GET and POST methods", () => {
+            assert.ok(loginRoute.methods.includes("GET"));
+            assert.ok(loginRoute.methods.includes("POST"));
+            assert.equal(loginRoute.methods.length, 2);
+        });
+
+        it("has a handler function", () => {
+            assert.equal(typeof loginRoute.handler, "function");
+        });
+    });
+});

backend/diachron/basic/login.ts

@@ -0,0 +1,62 @@
+import { SESSION_COOKIE_NAME } from "../auth/token";
+import { tokenLifetimes } from "../auth/types";
+import { request } from "../request";
+import { html, redirect, render } from "../request/util";
+import type { Call, Result, Route } from "../types";
+
+const loginHandler = async (call: Call): Promise<Result> => {
+    if (call.method === "GET") {
+        const c = await render("basic/login", {});
+        return html(c);
+    }
+
+    // POST - handle login
+    const { email, password } = call.request.body;
+
+    if (!email || !password) {
+        const c = await render("basic/login", {
+            error: "Email and password are required",
+            email,
+        });
+        return html(c);
+    }
+
+    const result = await request.auth.login(email, password, "cookie", {
+        userAgent: call.request.get("User-Agent"),
+        ipAddress: call.request.ip,
+    });
+
+    if (!result.success) {
+        const c = await render("basic/login", {
+            error: result.error,
+            email,
+        });
+        return html(c);
+    }
+
+    // Success - set cookie and redirect to home
+    const redirectResult = redirect("/");
+    redirectResult.cookies = [
+        {
+            name: SESSION_COOKIE_NAME,
+            value: result.token,
+            options: {
+                httpOnly: true,
+                secure: false, // Set to true in production with HTTPS
+                sameSite: "lax",
+                maxAge: tokenLifetimes.session,
+                path: "/",
+            },
+        },
+    ];
+
+    return redirectResult;
+};
+
+const loginRoute: Route = {
+    path: "/login",
+    methods: ["GET", "POST"],
+    handler: loginHandler,
+};
+
+export { loginRoute };

backend/diachron/basic/logout.spec.ts

@@ -0,0 +1,24 @@
+// Tests for basic/logout.ts
+// These tests verify the route structure and export
+
+import assert from "node:assert/strict";
+import { describe, it } from "node:test";
+import { logoutRoute } from "./logout";
+
+describe("basic/logout", () => {
+    describe("logoutRoute", () => {
+        it("has correct path", () => {
+            assert.equal(logoutRoute.path, "/logout");
+        });
+
+        it("handles GET and POST methods", () => {
+            assert.ok(logoutRoute.methods.includes("GET"));
+            assert.ok(logoutRoute.methods.includes("POST"));
+            assert.equal(logoutRoute.methods.length, 2);
+        });
+
+        it("has a handler function", () => {
+            assert.equal(typeof logoutRoute.handler, "function");
+        });
+    });
+});

backend/diachron/basic/logout.ts

@@ -0,0 +1,38 @@
+import { SESSION_COOKIE_NAME } from "../auth/token";
+import { request } from "../request";
+import { redirect } from "../request/util";
+import type { Call, Result, Route } from "../types";
+
+const logoutHandler = async (call: Call): Promise<Result> => {
+    // Extract token from cookie and invalidate the session
+    const token = request.auth.extractToken(call.request);
+    if (token) {
+        await request.auth.logout(token);
+    }
+
+    // Clear the cookie and redirect to login
+    const redirectResult = redirect("/login");
+    redirectResult.cookies = [
+        {
+            name: SESSION_COOKIE_NAME,
+            value: "",
+            options: {
+                httpOnly: true,
+                secure: false,
+                sameSite: "lax",
+                maxAge: 0,
+                path: "/",
+            },
+        },
+    ];
+
+    return redirectResult;
+};
+
+const logoutRoute: Route = {
+    path: "/logout",
+    methods: ["GET", "POST"],
+    handler: logoutHandler,
+};
+
+export { logoutRoute };

backend/diachron/basic/routes.spec.ts

@@ -0,0 +1,73 @@
+// Tests for basic/routes.ts
+// These tests verify the route structure and exports
+
+import assert from "node:assert/strict";
+import { describe, it } from "node:test";
+import { routes } from "./routes";
+
+describe("basic/routes", () => {
+    describe("routes object", () => {
+        it("exports routes as an object", () => {
+            assert.equal(typeof routes, "object");
+        });
+
+        it("contains hello route", () => {
+            assert.ok("hello" in routes);
+            assert.equal(routes.hello.path, "/hello");
+            assert.ok(routes.hello.methods.includes("GET"));
+        });
+
+        it("contains home route", () => {
+            assert.ok("home" in routes);
+            assert.equal(routes.home.path, "/");
+            assert.ok(routes.home.methods.includes("GET"));
+        });
+
+        it("contains login route", () => {
+            assert.ok("login" in routes);
+            assert.equal(routes.login.path, "/login");
+        });
+
+        it("contains logout route", () => {
+            assert.ok("logout" in routes);
+            assert.equal(routes.logout.path, "/logout");
+        });
+
+        it("all routes have handlers", () => {
+            for (const [name, route] of Object.entries(routes)) {
+                assert.equal(
+                    typeof route.handler,
+                    "function",
+                    `Route ${name} should have a handler function`,
+                );
+            }
+        });
+
+        it("all routes have methods array", () => {
+            for (const [name, route] of Object.entries(routes)) {
+                assert.ok(
+                    Array.isArray(route.methods),
+                    `Route ${name} should have methods array`,
+                );
+                assert.ok(
+                    route.methods.length > 0,
+                    `Route ${name} should have at least one method`,
+                );
+            }
+        });
+
+        it("all routes have path string", () => {
+            for (const [name, route] of Object.entries(routes)) {
+                assert.equal(
+                    typeof route.path,
+                    "string",
+                    `Route ${name} should have a path string`,
+                );
+                assert.ok(
+                    route.path.startsWith("/"),
+                    `Route ${name} path should start with /`,
+                );
+            }
+        });
+    });
+});

backend/diachron/basic/routes.ts

@@ -0,0 +1,51 @@
+import { DateTime } from "ts-luxon";
+import { get, User } from "../hydrators/user";
+import { request } from "../request";
+import { html, render } from "../request/util";
+import type { Call, Result, Route } from "../types";
+import { loginRoute } from "./login";
+import { logoutRoute } from "./logout";
+
+const routes: Record<string, Route> = {
+    hello: {
+        path: "/hello",
+        methods: ["GET"],
+        handler: async (_call: Call): Promise<Result> => {
+            const now = DateTime.now();
+            const c = await render("basic/hello", { now });
+
+            return html(c);
+        },
+    },
+    home: {
+        path: "/",
+        methods: ["GET"],
+        handler: async (_call: Call): Promise<Result> => {
+            const _auth = request.auth;
+            const me = request.session.getUser();
+
+            const id = me.id;
+            console.log(`*** id: ${id}`);
+
+            const u = await get(id);
+
+            const email = u?.email || "anonymous@example.com";
+            const name = u?.display_name || "anonymous";
+            const showLogin = me.isAnonymous();
+            const showLogout = !me.isAnonymous();
+
+            const c = await render("basic/home", {
+                name,
+                email,
+                showLogin,
+                showLogout,
+            });
+
+            return html(c);
+        },
+    },
+    login: loginRoute,
+    logout: logoutRoute,
+};
+
+export { routes };

backend/diachron/cli.ts

@@ -0,0 +1,55 @@
+import { parseArgs } from "node:util";
+
+const { values } = parseArgs({
+    options: {
+        listen: {
+            type: "string",
+            short: "l",
+        },
+        "log-address": {
+            type: "string",
+            default: "8085",
+        },
+    },
+    strict: true,
+    allowPositionals: false,
+});
+
+function parseListenAddress(listen: string | undefined): {
+    host: string;
+    port: number;
+} {
+    const defaultHost = "127.0.0.1";
+    const defaultPort = 3500;
+
+    if (!listen) {
+        return { host: defaultHost, port: defaultPort };
+    }
+
+    const lastColon = listen.lastIndexOf(":");
+    if (lastColon === -1) {
+        // Just a port number
+        const port = parseInt(listen, 10);
+        if (Number.isNaN(port)) {
+            throw new Error(`Invalid listen address: ${listen}`);
+        }
+        return { host: defaultHost, port };
+    }
+
+    const host = listen.slice(0, lastColon);
+    const port = parseInt(listen.slice(lastColon + 1), 10);
+
+    if (Number.isNaN(port)) {
+        throw new Error(`Invalid port in listen address: ${listen}`);
+    }
+
+    return { host, port };
+}
+
+const listenAddress = parseListenAddress(values.listen);
+const logAddress = parseListenAddress(values["log-address"]);
+
+export const cli = {
+    listen: listenAddress,
+    logAddress,
+};

backend/diachron/content-types.ts

@@ -0,0 +1,122 @@
+// This file belongs to the framework.  You are not expected to modify it.
+
+export type ContentType = string;
+
+// tx claude https://claude.ai/share/344fc7bd-5321-4763-af2f-b82275e9f865
+const contentTypes = {
+    text: {
+        plain: "text/plain",
+        html: "text/html",
+        css: "text/css",
+        javascript: "text/javascript",
+        xml: "text/xml",
+        csv: "text/csv",
+        markdown: "text/markdown",
+        calendar: "text/calendar",
+    },
+    image: {
+        jpeg: "image/jpeg",
+        png: "image/png",
+        gif: "image/gif",
+        svgPlusXml: "image/svg+xml",
+        webp: "image/webp",
+        bmp: "image/bmp",
+        ico: "image/x-icon",
+        tiff: "image/tiff",
+        avif: "image/avif",
+    },
+    audio: {
+        mpeg: "audio/mpeg",
+        wav: "audio/wav",
+        ogg: "audio/ogg",
+        webm: "audio/webm",
+        aac: "audio/aac",
+        midi: "audio/midi",
+        opus: "audio/opus",
+        flac: "audio/flac",
+    },
+    video: {
+        mp4: "video/mp4",
+        webm: "video/webm",
+        xMsvideo: "video/x-msvideo",
+        mpeg: "video/mpeg",
+        ogg: "video/ogg",
+        quicktime: "video/quicktime",
+        xMatroska: "video/x-matroska",
+    },
+    application: {
+        json: "application/json",
+        pdf: "application/pdf",
+        zip: "application/zip",
+        xWwwFormUrlencoded: "application/x-www-form-urlencoded",
+        octetStream: "application/octet-stream",
+        xml: "application/xml",
+        gzip: "application/gzip",
+        javascript: "application/javascript",
+        ld_json: "application/ld+json",
+        msword: "application/msword",
+        vndOpenxmlformatsOfficedocumentWordprocessingmlDocument:
+            "application/vnd.openxmlformats-officedocument.wordprocessingml.document",
+        vndMsExcel: "application/vnd.ms-excel",
+        vndOpenxmlformatsOfficedocumentSpreadsheetmlSheet:
+            "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet",
+        vndMsPowerpoint: "application/vnd.ms-powerpoint",
+        vndOpenxmlformatsOfficedocumentPresentationmlPresentation:
+            "application/vnd.openxmlformats-officedocument.presentationml.presentation",
+        sql: "application/sql",
+        graphql: "application/graphql",
+        wasm: "application/wasm",
+        xTar: "application/x-tar",
+        x7zCompressed: "application/x-7z-compressed",
+        xRarCompressed: "application/x-rar-compressed",
+    },
+    multipart: {
+        formData: "multipart/form-data",
+        byteranges: "multipart/byteranges",
+    },
+    font: {
+        woff: "font/woff",
+        woff2: "font/woff2",
+        ttf: "font/ttf",
+        otf: "font/otf",
+    },
+};
+
+export { contentTypes };
+
+/*
+
+possible additions for later
+
+Looking at what's there, here are a few gaps that might be worth filling:
+Streaming/Modern Web:
+
+application/x-ndjson or application/jsonlines - newline-delimited JSON (popular for streaming APIs)
+text/event-stream - Server-Sent Events
+
+API/Data Exchange:
+
+application/yaml or text/yaml - YAML files
+application/protobuf - Protocol Buffers
+application/msgpack - MessagePack
+
+Archives you're missing:
+
+application/x-bzip2 - bzip2 compression
+
+Images:
+
+image/heic - HEIC/HEIF (common on iOS)
+
+Fonts:
+
+application/vnd.ms-fontobject - EOT fonts (legacy but still seen)
+
+Text:
+
+text/rtf - Rich Text Format
+
+The most impactful would probably be text/event-stream (if you do any SSE), application/x-ndjson (common in modern APIs), and maybe text/yaml. The rest are more situational.
+But honestly, what you have covers 95% of common web development scenarios. You can definitely add as you go when you encounter specific needs!
+
+*/

backend/diachron/context.ts

@@ -0,0 +1,27 @@
+// context.ts
+//
+// Request-scoped context using AsyncLocalStorage.
+// Allows services to access request data (like the current user) without
+// needing to pass Call through every function.
+
+import { AsyncLocalStorage } from "node:async_hooks";
+import { anonymousUser, type User } from "./user";
+
+type RequestContext = {
+    user: User;
+};
+
+const asyncLocalStorage = new AsyncLocalStorage<RequestContext>();
+
+// Run a function within a request context
+function runWithContext<T>(context: RequestContext, fn: () => T): T {
+    return asyncLocalStorage.run(context, fn);
+}
+
+// Get the current user from context, or AnonymousUser if not in a request
+function getCurrentUser(): User {
+    const context = asyncLocalStorage.getStore();
+    return context?.user ?? anonymousUser;
+}
+
+export { getCurrentUser, runWithContext, type RequestContext };

backend/diachron/core/index.ts

@@ -0,0 +1,48 @@
+import nunjucks from "nunjucks";
+import { db, migrate, migrationStatus } from "../database";
+import { getLogs, log } from "../logging";
+
+// FIXME: This doesn't belong here; move it somewhere else.
+const conf = {
+    templateEngine: () => {
+        return {
+            renderTemplate: (template: string, context: object) => {
+                return nunjucks.renderString(template, context);
+            },
+        };
+    },
+};
+
+const database = {
+    db,
+    migrate,
+    migrationStatus,
+};
+
+const logging = {
+    log,
+    getLogs,
+};
+
+const random = {
+    randomNumber: () => {
+        return Math.random();
+    },
+};
+
+const misc = {
+    sleep: (ms: number) => {
+        return new Promise((resolve) => setTimeout(resolve, ms));
+    },
+};
+
+// Keep this asciibetically sorted
+const core = {
+    conf,
+    database,
+    logging,
+    misc,
+    random,
+};
+
+export { core };

backend/diachron/database.spec.ts

@@ -0,0 +1,285 @@
+// Tests for database.ts
+// Requires test PostgreSQL: docker compose -f docker-compose.test.yml up -d
+
+import assert from "node:assert/strict";
+import { after, before, beforeEach, describe, it } from "node:test";
+import {
+    connectionConfig,
+    db,
+    migrate,
+    migrationStatus,
+    PostgresAuthStore,
+    pool,
+    raw,
+    rawPool,
+} from "./database";
+import type { UserId } from "./user";
+
+describe("database", () => {
+    before(async () => {
+        // Run migrations to set up schema
+        await migrate();
+    });
+
+    after(async () => {
+        await pool.end();
+    });
+
+    describe("connectionConfig", () => {
+        it("has required fields", () => {
+            assert.ok("host" in connectionConfig);
+            assert.ok("port" in connectionConfig);
+            assert.ok("user" in connectionConfig);
+            assert.ok("password" in connectionConfig);
+            assert.ok("database" in connectionConfig);
+        });
+
+        it("port is a number", () => {
+            assert.equal(typeof connectionConfig.port, "number");
+        });
+    });
+
+    describe("raw", () => {
+        it("executes raw SQL queries", async () => {
+            const result = await raw<{ one: number }>("SELECT 1 as one");
+            assert.equal(result.length, 1);
+            assert.equal(result[0].one, 1);
+        });
+
+        it("supports parameterized queries", async () => {
+            const result = await raw<{ sum: number }>(
+                "SELECT $1::int + $2::int as sum",
+                [2, 3],
+            );
+            assert.equal(result[0].sum, 5);
+        });
+    });
+
+    describe("db (Kysely instance)", () => {
+        it("can execute SELECT queries", async () => {
+            const result = await db
+                .selectFrom("users")
+                .select("id")
+                .limit(1)
+                .execute();
+
+            // May be empty, just verify it runs
+            assert.ok(Array.isArray(result));
+        });
+    });
+
+    describe("rawPool", () => {
+        it("is a pg Pool instance", () => {
+            assert.ok(rawPool.query !== undefined);
+        });
+
+        it("can execute queries", async () => {
+            const result = await rawPool.query("SELECT 1 as one");
+            assert.equal(result.rows[0].one, 1);
+        });
+    });
+
+    describe("migrate", () => {
+        it("runs without error when migrations are up to date", async () => {
+            // Should not throw
+            await migrate();
+        });
+    });
+
+    describe("migrationStatus", () => {
+        it("returns applied and pending arrays", async () => {
+            const status = await migrationStatus();
+
+            assert.ok(Array.isArray(status.applied));
+            assert.ok(Array.isArray(status.pending));
+        });
+
+        it("shows framework migrations as applied", async () => {
+            const status = await migrationStatus();
+
+            // At least the users migration should be applied
+            const hasUsersMigration = status.applied.some((m) =>
+                m.includes("users"),
+            );
+            assert.ok(hasUsersMigration);
+        });
+    });
+
+    describe("PostgresAuthStore", () => {
+        let store: PostgresAuthStore;
+
+        before(() => {
+            store = new PostgresAuthStore();
+        });
+
+        beforeEach(async () => {
+            // Clean up test data before each test
+            await rawPool.query("DELETE FROM sessions");
+            await rawPool.query("DELETE FROM user_credentials");
+            await rawPool.query("DELETE FROM user_emails");
+            await rawPool.query("DELETE FROM users");
+        });
+
+        describe("createUser", () => {
+            it("creates a user with pending status", async () => {
+                const user = await store.createUser({
+                    email: "test@example.com",
+                    passwordHash: "hash123",
+                    displayName: "Test User",
+                });
+
+                assert.equal(user.email, "test@example.com");
+                assert.equal(user.displayName, "Test User");
+                assert.equal(user.status, "pending");
+            });
+
+            it("stores the password hash", async () => {
+                const user = await store.createUser({
+                    email: "test@example.com",
+                    passwordHash: "secrethash",
+                });
+
+                const hash = await store.getUserPasswordHash(user.id);
+                assert.equal(hash, "secrethash");
+            });
+        });
+
+        describe("getUserByEmail", () => {
+            it("returns user when found", async () => {
+                await store.createUser({
+                    email: "find@example.com",
+                    passwordHash: "hash",
+                });
+
+                const user = await store.getUserByEmail("find@example.com");
+                assert.notEqual(user, null);
+                assert.equal(user!.email, "find@example.com");
+            });
+
+            it("is case-insensitive", async () => {
+                await store.createUser({
+                    email: "UPPER@EXAMPLE.COM",
+                    passwordHash: "hash",
+                });
+
+                const user = await store.getUserByEmail("upper@example.com");
+                assert.notEqual(user, null);
+            });
+
+            it("returns null when not found", async () => {
+                const user = await store.getUserByEmail("notfound@example.com");
+                assert.equal(user, null);
+            });
+        });
+
+        describe("getUserById", () => {
+            it("returns user when found", async () => {
+                const created = await store.createUser({
+                    email: "test@example.com",
+                    passwordHash: "hash",
+                });
+
+                const user = await store.getUserById(created.id);
+                assert.notEqual(user, null);
+                assert.equal(user!.id, created.id);
+            });
+
+            it("returns null when not found", async () => {
+                const user = await store.getUserById(
+                    "00000000-0000-0000-0000-000000000000" as UserId,
+                );
+                assert.equal(user, null);
+            });
+        });
+
+        describe("setUserPassword", () => {
+            it("updates the password hash", async () => {
+                const user = await store.createUser({
+                    email: "test@example.com",
+                    passwordHash: "oldhash",
+                });
+
+                await store.setUserPassword(user.id, "newhash");
+
+                const hash = await store.getUserPasswordHash(user.id);
+                assert.equal(hash, "newhash");
+            });
+        });
+
+        describe("updateUserEmailVerified", () => {
+            it("sets user status to active", async () => {
+                const created = await store.createUser({
+                    email: "test@example.com",
+                    passwordHash: "hash",
+                });
+                assert.equal(created.status, "pending");
+
+                await store.updateUserEmailVerified(created.id);
+
+                const user = await store.getUserById(created.id);
+                assert.equal(user!.status, "active");
+            });
+        });
+
+        describe("session operations", () => {
+            let userId: UserId;
+
+            beforeEach(async () => {
+                const user = await store.createUser({
+                    email: "session@example.com",
+                    passwordHash: "hash",
+                });
+                userId = user.id;
+            });
+
+            it("creates and retrieves sessions", async () => {
+                const { token, session } = await store.createSession({
+                    userId,
+                    tokenType: "session",
+                    authMethod: "cookie",
+                    expiresAt: new Date(Date.now() + 3600000),
+                });
+
+                assert.ok(token.length > 0);
+                assert.equal(session.userId, userId);
+                assert.equal(session.tokenType, "session");
+            });
+
+            it("deletes sessions", async () => {
+                const { session } = await store.createSession({
+                    userId,
+                    tokenType: "session",
+                    authMethod: "cookie",
+                    expiresAt: new Date(Date.now() + 3600000),
+                });
+
+                await store.deleteSession(session.tokenId as any);
+
+                // Session should be soft-deleted (revoked)
+                const retrieved = await store.getSession(
+                    session.tokenId as any,
+                );
+                assert.equal(retrieved, null);
+            });
+
+            it("deletes all user sessions", async () => {
+                await store.createSession({
+                    userId,
+                    tokenType: "session",
+                    authMethod: "cookie",
+                    expiresAt: new Date(Date.now() + 3600000),
+                });
+
+                await store.createSession({
+                    userId,
+                    tokenType: "session",
+                    authMethod: "bearer",
+                    expiresAt: new Date(Date.now() + 3600000),
+                });
+
+                const count = await store.deleteUserSessions(userId);
+                assert.equal(count, 2);
+            });
+        });
+    });
+});

backend/diachron/database.ts

@@ -0,0 +1,548 @@
+// database.ts
+// PostgreSQL database access with Kysely query builder and simple migrations
+
+import * as fs from "node:fs";
+import * as path from "node:path";
+import {
+    type Generated,
+    Kysely,
+    PostgresDialect,
+    type Selectable,
+    sql,
+} from "kysely";
+import { Pool } from "pg";
+import type {
+    AuthStore,
+    CreateSessionData,
+    CreateUserData,
+} from "./auth/store";
+import { generateToken, hashToken } from "./auth/token";
+import type { SessionData, TokenId } from "./auth/types";
+import type { Domain } from "./types";
+import { AuthenticatedUser, type User, type UserId } from "./user";
+
+// Connection configuration (supports environment variable overrides)
+const connectionConfig = {
+    host: process.env.DB_HOST ?? "localhost",
+    port: Number(process.env.DB_PORT ?? 5432),
+    user: process.env.DB_USER ?? "diachron",
+    password: process.env.DB_PASSWORD ?? "diachron",
+    database: process.env.DB_NAME ?? "diachron",
+};
+
+// Database schema types for Kysely
+// Generated<T> marks columns with database defaults (optional on insert)
+interface UsersTable {
+    id: string;
+    status: Generated<string>;
+    display_name: string | null;
+    created_at: Generated<Date>;
+    updated_at: Generated<Date>;
+}
+
+interface UserEmailsTable {
+    id: string;
+    user_id: string;
+    email: string;
+    normalized_email: string;
+    is_primary: Generated<boolean>;
+    is_verified: Generated<boolean>;
+    created_at: Generated<Date>;
+    verified_at: Date | null;
+    revoked_at: Date | null;
+}
+
+interface UserCredentialsTable {
+    id: string;
+    user_id: string;
+    credential_type: Generated<string>;
+    password_hash: string | null;
+    created_at: Generated<Date>;
+    updated_at: Generated<Date>;
+}
+
+interface SessionsTable {
+    id: Generated<string>;
+    token_hash: string;
+    user_id: string;
+    user_email_id: string | null;
+    token_type: string;
+    auth_method: string;
+    created_at: Generated<Date>;
+    expires_at: Date;
+    revoked_at: Date | null;
+    ip_address: string | null;
+    user_agent: string | null;
+    is_used: Generated<boolean | null>;
+}
+
+interface Database {
+    users: UsersTable;
+    user_emails: UserEmailsTable;
+    user_credentials: UserCredentialsTable;
+    sessions: SessionsTable;
+}
+
+// Create the connection pool
+const pool = new Pool(connectionConfig);
+
+// Create the Kysely instance
+const db = new Kysely<Database>({
+    dialect: new PostgresDialect({ pool }),
+});
+
+// Raw pool access for when you need it
+const rawPool = pool;
+
+// Execute raw SQL (for when Kysely doesn't fit)
+async function raw<T = unknown>(
+    query: string,
+    params: unknown[] = [],
+): Promise<T[]> {
+    const result = await pool.query(query, params);
+    return result.rows as T[];
+}
+
+// ============================================================================
+// Migrations
+// ============================================================================
+
+// Migration file naming convention:
+//   yyyy-mm-dd_ss_description.sql
+//   e.g., 2025-01-15_01_initial.sql, 2025-01-15_02_add_users.sql
+//
+// Migrations directory: express/migrations/
+
+const FRAMEWORK_MIGRATIONS_DIR = path.join(__dirname, "diachron/migrations");
+const APP_MIGRATIONS_DIR = path.join(__dirname, "migrations");
+const MIGRATIONS_TABLE = "_migrations";
+
+interface MigrationRecord {
+    id: number;
+    name: string;
+    applied_at: Date;
+}
+
+// Ensure migrations table exists
+async function ensureMigrationsTable(): Promise<void> {
+    await pool.query(`
+        CREATE TABLE IF NOT EXISTS ${MIGRATIONS_TABLE} (
+            id SERIAL PRIMARY KEY,
+            name TEXT NOT NULL UNIQUE,
+            applied_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
+        )
+    `);
+}
+
+// Get list of applied migrations
+async function getAppliedMigrations(): Promise<string[]> {
+    const result = await pool.query<MigrationRecord>(
+        `SELECT name FROM ${MIGRATIONS_TABLE} ORDER BY name`,
+    );
+    return result.rows.map((r) => r.name);
+}
+
+// Get pending migration files
+function getMigrationFiles(kind: Domain): string[] {
+    const dir = kind === "fw" ? FRAMEWORK_MIGRATIONS_DIR : APP_MIGRATIONS_DIR;
+
+    if (!fs.existsSync(dir)) {
+        return [];
+    }
+
+    const root = __dirname;
+
+    const mm = fs
+        .readdirSync(dir)
+        .filter((f) => f.endsWith(".sql"))
+        .filter((f) => /^\d{4}-\d{2}-\d{2}_\d{2}-/.test(f))
+        .map((f) => `${dir}/${f}`)
+        .map((f) => f.replace(`${root}/`, ""))
+        .sort();
+
+    return mm;
+}
+
+// Run a single migration
+async function runMigration(filename: string): Promise<void> {
+    // const filepath = path.join(MIGRATIONS_DIR, filename);
+    const filepath = filename;
+    const content = fs.readFileSync(filepath, "utf-8");
+
+    process.stdout.write(`  Migration: ${filename}...`);
+
+    // Run migration in a transaction
+    const client = await pool.connect();
+    try {
+        await client.query("BEGIN");
+        await client.query(content);
+        await client.query(
+            `INSERT INTO ${MIGRATIONS_TABLE} (name) VALUES ($1)`,
+            [filename],
+        );
+        await client.query("COMMIT");
+        console.log(" ✓");
+    } catch (err) {
+        console.log(" ✗");
+        const message = err instanceof Error ? err.message : String(err);
+        console.error(`    Error: ${message}`);
+        await client.query("ROLLBACK");
+        throw err;
+    } finally {
+        client.release();
+    }
+}
+
+function getAllMigrationFiles() {
+    const fw_files = getMigrationFiles("fw");
+    const app_files = getMigrationFiles("app");
+    const all = [...fw_files, ...app_files];
+
+    return all;
+}
+
+// Run all pending migrations
+async function migrate(): Promise<void> {
+    await ensureMigrationsTable();
+
+    const applied = new Set(await getAppliedMigrations());
+    const all = getAllMigrationFiles();
+    const pending = all.filter((all) => !applied.has(all));
+
+    if (pending.length === 0) {
+        console.log("No pending migrations");
+        return;
+    }
+
+    console.log(`Applying ${pending.length} migration(s):`);
+    for (const file of pending) {
+        await runMigration(file);
+    }
+}
+
+// List migration status
+async function migrationStatus(): Promise<{
+    applied: string[];
+    pending: string[];
+}> {
+    await ensureMigrationsTable();
+    const applied = new Set(await getAppliedMigrations());
+    const ff = getAllMigrationFiles();
+    return {
+        applied: ff.filter((ff) => applied.has(ff)),
+        pending: ff.filter((ff) => !applied.has(ff)),
+    };
+}
+
+// ============================================================================
+// PostgresAuthStore - Database-backed authentication storage
+// ============================================================================
+
+class PostgresAuthStore implements AuthStore {
+    // Session operations
+
+    async createSession(
+        data: CreateSessionData,
+    ): Promise<{ token: string; session: SessionData }> {
+        const token = generateToken();
+        const tokenHash = hashToken(token);
+
+        const row = await db
+            .insertInto("sessions")
+            .values({
+                token_hash: tokenHash,
+                user_id: data.userId,
+                token_type: data.tokenType,
+                auth_method: data.authMethod,
+                expires_at: data.expiresAt,
+                user_agent: data.userAgent ?? null,
+                ip_address: data.ipAddress ?? null,
+            })
+            .returningAll()
+            .executeTakeFirstOrThrow();
+
+        const session: SessionData = {
+            tokenId: row.token_hash,
+            userId: row.user_id,
+            tokenType: row.token_type as SessionData["tokenType"],
+            authMethod: row.auth_method as SessionData["authMethod"],
+            createdAt: row.created_at,
+            expiresAt: row.expires_at,
+            userAgent: row.user_agent ?? undefined,
+            ipAddress: row.ip_address ?? undefined,
+            isUsed: row.is_used ?? undefined,
+        };
+
+        return { token, session };
+    }
+
+    async getSession(tokenId: TokenId): Promise<SessionData | null> {
+        const row = await db
+            .selectFrom("sessions")
+            .selectAll()
+            .where("token_hash", "=", tokenId)
+            .where("expires_at", ">", new Date())
+            .where("revoked_at", "is", null)
+            .executeTakeFirst();
+
+        if (!row) {
+            return null;
+        }
+
+        return {
+            tokenId: row.token_hash,
+            userId: row.user_id,
+            tokenType: row.token_type as SessionData["tokenType"],
+            authMethod: row.auth_method as SessionData["authMethod"],
+            createdAt: row.created_at,
+            expiresAt: row.expires_at,
+            userAgent: row.user_agent ?? undefined,
+            ipAddress: row.ip_address ?? undefined,
+            isUsed: row.is_used ?? undefined,
+        };
+    }
+
+    async updateLastUsed(_tokenId: TokenId): Promise<void> {
+        // The new schema doesn't have last_used_at column
+        // This is now a no-op; session activity tracking could be added later
+    }
+
+    async deleteSession(tokenId: TokenId): Promise<void> {
+        // Soft delete by setting revoked_at
+        await db
+            .updateTable("sessions")
+            .set({ revoked_at: new Date() })
+            .where("token_hash", "=", tokenId)
+            .execute();
+    }
+
+    async deleteUserSessions(userId: UserId): Promise<number> {
+        const result = await db
+            .updateTable("sessions")
+            .set({ revoked_at: new Date() })
+            .where("user_id", "=", userId)
+            .where("revoked_at", "is", null)
+            .executeTakeFirst();
+
+        return Number(result.numUpdatedRows);
+    }
+
+    // User operations
+
+    async getUserByEmail(email: string): Promise<User | null> {
+        // Find user through user_emails table
+        const normalizedEmail = email.toLowerCase().trim();
+
+        const row = await db
+            .selectFrom("user_emails")
+            .innerJoin("users", "users.id", "user_emails.user_id")
+            .select([
+                "users.id",
+                "users.status",
+                "users.display_name",
+                "users.created_at",
+                "users.updated_at",
+                "user_emails.email",
+            ])
+            .where("user_emails.normalized_email", "=", normalizedEmail)
+            .where("user_emails.revoked_at", "is", null)
+            .executeTakeFirst();
+
+        if (!row) {
+            return null;
+        }
+        return this.rowToUser(row);
+    }
+
+    async getUserById(userId: UserId): Promise<User | null> {
+        // Get user with their primary email
+        const row = await db
+            .selectFrom("users")
+            .leftJoin("user_emails", (join) =>
+                join
+                    .onRef("user_emails.user_id", "=", "users.id")
+                    .on("user_emails.is_primary", "=", true)
+                    .on("user_emails.revoked_at", "is", null),
+            )
+            .select([
+                "users.id",
+                "users.status",
+                "users.display_name",
+                "users.created_at",
+                "users.updated_at",
+                "user_emails.email",
+            ])
+            .where("users.id", "=", userId)
+            .executeTakeFirst();
+
+        if (!row) {
+            return null;
+        }
+        return this.rowToUser(row);
+    }
+
+    async createUser(data: CreateUserData): Promise<User> {
+        const userId = crypto.randomUUID();
+        const emailId = crypto.randomUUID();
+        const credentialId = crypto.randomUUID();
+        const now = new Date();
+        const normalizedEmail = data.email.toLowerCase().trim();
+
+        // Create user record
+        await db
+            .insertInto("users")
+            .values({
+                id: userId,
+                display_name: data.displayName ?? null,
+                status: "pending",
+                created_at: now,
+                updated_at: now,
+            })
+            .execute();
+
+        // Create user_email record
+        await db
+            .insertInto("user_emails")
+            .values({
+                id: emailId,
+                user_id: userId,
+                email: data.email,
+                normalized_email: normalizedEmail,
+                is_primary: true,
+                is_verified: false,
+                created_at: now,
+            })
+            .execute();
+
+        // Create user_credential record
+        await db
+            .insertInto("user_credentials")
+            .values({
+                id: credentialId,
+                user_id: userId,
+                credential_type: "password",
+                password_hash: data.passwordHash,
+                created_at: now,
+                updated_at: now,
+            })
+            .execute();
+
+        return new AuthenticatedUser({
+            id: userId,
+            email: data.email,
+            displayName: data.displayName,
+            status: "pending",
+            roles: [],
+            permissions: [],
+            createdAt: now,
+            updatedAt: now,
+        });
+    }
+
+    async getUserPasswordHash(userId: UserId): Promise<string | null> {
+        const row = await db
+            .selectFrom("user_credentials")
+            .select("password_hash")
+            .where("user_id", "=", userId)
+            .where("credential_type", "=", "password")
+            .executeTakeFirst();
+
+        return row?.password_hash ?? null;
+    }
+
+    async setUserPassword(userId: UserId, passwordHash: string): Promise<void> {
+        const now = new Date();
+
+        // Try to update existing credential
+        const result = await db
+            .updateTable("user_credentials")
+            .set({ password_hash: passwordHash, updated_at: now })
+            .where("user_id", "=", userId)
+            .where("credential_type", "=", "password")
+            .executeTakeFirst();
+
+        // If no existing credential, create one
+        if (Number(result.numUpdatedRows) === 0) {
+            await db
+                .insertInto("user_credentials")
+                .values({
+                    id: crypto.randomUUID(),
+                    user_id: userId,
+                    credential_type: "password",
+                    password_hash: passwordHash,
+                    created_at: now,
+                    updated_at: now,
+                })
+                .execute();
+        }
+
+        // Update user's updated_at
+        await db
+            .updateTable("users")
+            .set({ updated_at: now })
+            .where("id", "=", userId)
+            .execute();
+    }
+
+    async updateUserEmailVerified(userId: UserId): Promise<void> {
+        const now = new Date();
+
+        // Update user_emails to mark as verified
+        await db
+            .updateTable("user_emails")
+            .set({
+                is_verified: true,
+                verified_at: now,
+            })
+            .where("user_id", "=", userId)
+            .where("is_primary", "=", true)
+            .execute();
+
+        // Update user status to active
+        await db
+            .updateTable("users")
+            .set({
+                status: "active",
+                updated_at: now,
+            })
+            .where("id", "=", userId)
+            .execute();
+    }
+
+    // Helper to convert database row to User object
+    private rowToUser(row: {
+        id: string;
+        status: string;
+        display_name: string | null;
+        created_at: Date;
+        updated_at: Date;
+        email: string | null;
+    }): User {
+        return new AuthenticatedUser({
+            id: row.id,
+            email: row.email ?? "unknown@example.com",
+            displayName: row.display_name ?? undefined,
+            status: row.status as "active" | "suspended" | "pending",
+            roles: [], // TODO: query from RBAC tables
+            permissions: [], // TODO: query from RBAC tables
+            createdAt: row.created_at,
+            updatedAt: row.updated_at,
+        });
+    }
+}
+
+// ============================================================================
+// Exports
+// ============================================================================
+
+export {
+    db,
+    raw,
+    rawPool,
+    pool,
+    migrate,
+    migrationStatus,
+    connectionConfig,
+    PostgresAuthStore,
+    type Database,
+};

backend/diachron/deps.ts

@@ -0,0 +1,7 @@
+// Database
+//export { Client as PostgresClient } from "https://deno.land/x/postgres@v0.19.3/mod.ts";
+//export type { ClientOptions as PostgresOptions } from "https://deno.land/x/postgres@v0.19.3/mod.ts";
+
+// Redis
+//export { connect as redisConnect } from "https://deno.land/x/redis@v0.37.1/mod.ts";
+//export type { Redis } from "https://deno.land/x/redis@v0.37.1/mod.ts";

backend/diachron/develop/clear-db.ts

@@ -0,0 +1,17 @@
+import { connectionConfig, migrate, pool } from "../database";
+import { dropTables, exitIfUnforced } from "./util";
+
+async function main(): Promise<void> {
+    exitIfUnforced();
+
+    try {
+        await dropTables();
+    } finally {
+        await pool.end();
+    }
+}
+
+main().catch((err) => {
+    console.error("Failed to clear database:", err.message);
+    process.exit(1);
+});

backend/diachron/develop/reset-db.ts

@@ -0,0 +1,26 @@
+// reset-db.ts
+// Development command to wipe the database and apply all migrations from scratch
+
+import { connectionConfig, migrate, pool } from "../database";
+import { dropTables, exitIfUnforced } from "./util";
+
+async function main(): Promise<void> {
+    exitIfUnforced();
+
+    try {
+        await dropTables();
+
+        console.log("");
+        await migrate();
+
+        console.log("");
+        console.log("Database reset complete.");
+    } finally {
+        await pool.end();
+    }
+}
+
+main().catch((err) => {
+    console.error("Failed to reset database:", err.message);
+    process.exit(1);
+});

backend/diachron/develop/util.ts

@@ -0,0 +1,42 @@
+// FIXME: this is at the wrong level of specificity
+
+import { connectionConfig, migrate, pool } from "../database";
+
+const exitIfUnforced = () => {
+    const args = process.argv.slice(2);
+
+    // Require explicit confirmation unless --force is passed
+    if (!args.includes("--force")) {
+        console.error("This will DROP ALL TABLES in the database!");
+        console.error(`  Database: ${connectionConfig.database}`);
+        console.error(
+            `  Host: ${connectionConfig.host}:${connectionConfig.port}`,
+        );
+        console.error("");
+        console.error("Run with --force to proceed.");
+        process.exit(1);
+    }
+};
+
+const dropTables = async () => {
+    console.log("Dropping all tables...");
+
+    // Get all table names in the public schema
+    const result = await pool.query<{ tablename: string }>(`
+            SELECT tablename FROM pg_tables
+            WHERE schemaname = 'public'
+        `);
+
+    if (result.rows.length > 0) {
+        // Drop all tables with CASCADE to handle foreign key constraints
+        const tableNames = result.rows
+            .map((r) => `"${r.tablename}"`)
+            .join(", ");
+        await pool.query(`DROP TABLE IF EXISTS ${tableNames} CASCADE`);
+        console.log(`Dropped ${result.rows.length} table(s)`);
+    } else {
+        console.log("No tables to drop");
+    }
+};
+
+export { dropTables, exitIfUnforced };

backend/diachron/execution-context-schema.ts

@@ -0,0 +1,13 @@
+import { z } from "zod";
+
+export const executionContextSchema = z.object({
+    diachron_root: z.string(),
+});
+
+export type ExecutionContext = z.infer<typeof executionContextSchema>;
+
+export function parseExecutionContext(
+    env: Record<string, string | undefined>,
+): ExecutionContext {
+    return executionContextSchema.parse(env);
+}

backend/diachron/execution-context.spec.ts

@@ -0,0 +1,38 @@
+import assert from "node:assert/strict";
+import { describe, it } from "node:test";
+import { ZodError } from "zod";
+
+import {
+    executionContextSchema,
+    parseExecutionContext,
+} from "./execution-context-schema";
+
+describe("parseExecutionContext", () => {
+    it("parses valid executionContext with diachron_root", () => {
+        const env = { diachron_root: "/some/path" };
+        const result = parseExecutionContext(env);
+        assert.deepEqual(result, { diachron_root: "/some/path" });
+    });
+
+    it("throws ZodError when diachron_root is missing", () => {
+        const env = {};
+        assert.throws(() => parseExecutionContext(env), ZodError);
+    });
+
+    it("strips extra fields not in schema", () => {
+        const env = {
+            diachron_root: "/some/path",
+            EXTRA_VAR: "should be stripped",
+        };
+        const result = parseExecutionContext(env);
+        assert.deepEqual(result, { diachron_root: "/some/path" });
+        assert.equal("EXTRA_VAR" in result, false);
+    });
+});
+
+describe("executionContextSchema", () => {
+    it("requires diachron_root to be a string", () => {
+        const result = executionContextSchema.safeParse({ diachron_root: 123 });
+        assert.equal(result.success, false);
+    });
+});

backend/diachron/execution-context.ts

@@ -0,0 +1,5 @@
+import { parseExecutionContext } from "./execution-context-schema";
+
+const executionContext = parseExecutionContext(process.env);
+
+export { executionContext };

backend/diachron/handlers.spec.ts

@@ -0,0 +1,71 @@
+// Tests for handlers.ts
+// These tests use mock Call objects
+
+import assert from "node:assert/strict";
+import { describe, it } from "node:test";
+import type { Request as ExpressRequest } from "express";
+import { Session } from "./auth/types";
+import { contentTypes } from "./content-types";
+import { multiHandler } from "./handlers";
+import { httpCodes } from "./http-codes";
+import type { Call } from "./types";
+import { anonymousUser } from "./user";
+
+// Helper to create a minimal mock Call
+function createMockCall(overrides: Partial<Call> = {}): Call {
+    const defaultSession = new Session(null, anonymousUser);
+    return {
+        pattern: "/test",
+        path: "/test",
+        method: "GET",
+        parameters: {},
+        request: {} as ExpressRequest,
+        user: anonymousUser,
+        session: defaultSession,
+        ...overrides,
+    };
+}
+
+describe("handlers", () => {
+    describe("multiHandler", () => {
+        it("returns OK status", async () => {
+            const call = createMockCall({ method: "GET" });
+            const result = await multiHandler(call);
+
+            assert.equal(result.code, httpCodes.success.OK);
+        });
+
+        it("returns text/plain content type", async () => {
+            const call = createMockCall();
+            const result = await multiHandler(call);
+
+            assert.equal(result.contentType, contentTypes.text.plain);
+        });
+
+        it("includes method in result", async () => {
+            const call = createMockCall({ method: "POST" });
+            const result = await multiHandler(call);
+
+            assert.ok(result.result.includes("POST"));
+        });
+
+        it("includes a random number in result", async () => {
+            const call = createMockCall();
+            const result = await multiHandler(call);
+
+            // Result format: "that was GET (0.123456789)"
+            assert.match(result.result, /that was \w+ \(\d+\.?\d*\)/);
+        });
+
+        it("works with different HTTP methods", async () => {
+            const methods = ["GET", "POST", "PUT", "PATCH", "DELETE"] as const;
+
+            for (const method of methods) {
+                const call = createMockCall({ method });
+                const result = await multiHandler(call);
+
+                assert.ok(result.result.includes(method));
+            }
+        });
+    });
+});

backend/diachron/handlers.ts

@@ -0,0 +1,19 @@
+import { contentTypes } from "./content-types";
+import { core } from "./core";
+import { httpCodes } from "./http-codes";
+import type { Call, Handler, Result } from "./types";
+
+const multiHandler: Handler = async (call: Call): Promise<Result> => {
+    const code = httpCodes.success.OK;
+    const rn = core.random.randomNumber();
+
+    const retval: Result = {
+        code,
+        result: `that was ${call.method} (${rn})`,
+        contentType: contentTypes.text.plain,
+    };
+
+    return retval;
+};
+
+export { multiHandler };

backend/diachron/http-codes.ts

@@ -0,0 +1,76 @@
+// This file belongs to the framework.  You are not expected to modify it.
+
+export type HttpCode = {
+    code: number;
+    name: string;
+    description?: string;
+};
+type Group = "success" | "redirection" | "clientErrors" | "serverErrors";
+type CodeDefinitions = {
+    [K in Group]: {
+        [K: string]: HttpCode;
+    };
+};
+
+// tx claude https://claude.ai/share/344fc7bd-5321-4763-af2f-b82275e9f865
+const httpCodes: CodeDefinitions = {
+    success: {
+        OK: { code: 200, name: "OK", description: "" },
+        Created: { code: 201, name: "Created" },
+        Accepted: { code: 202, name: "Accepted" },
+        NonAuthoritativeInformation: {
+            code: 203,
+            name: "Non-Authoritative Information",
+        },
+        NoContent: { code: 204, name: "No Content" },
+        ResetContent: { code: 205, name: "Reset Content" },
+        PartialContent: { code: 206, name: "Partial Content" },
+    },
+    redirection: {
+        MultipleChoices: { code: 300, name: "Multiple Choices" },
+        MovedPermanently: { code: 301, name: "Moved Permanently" },
+        Found: { code: 302, name: "Found" },
+        SeeOther: { code: 303, name: "See Other" },
+        NotModified: { code: 304, name: "Not Modified" },
+        TemporaryRedirect: { code: 307, name: "Temporary Redirect" },
+        PermanentRedirect: { code: 308, name: "Permanent Redirect" },
+    },
+    clientErrors: {
+        BadRequest: { code: 400, name: "Bad Request" },
+        Unauthorized: { code: 401, name: "Unauthorized" },
+        PaymentRequired: { code: 402, name: "Payment Required" },
+        Forbidden: { code: 403, name: "Forbidden" },
+        NotFound: { code: 404, name: "Not Found" },
+        MethodNotAllowed: { code: 405, name: "Method Not Allowed" },
+        NotAcceptable: { code: 406, name: "Not Acceptable" },
+        ProxyAuthenticationRequired: {
+            code: 407,
+            name: "Proxy Authentication Required",
+        },
+        RequestTimeout: { code: 408, name: "Request Timeout" },
+        Conflict: { code: 409, name: "Conflict" },
+        Gone: { code: 410, name: "Gone" },
+        LengthRequired: { code: 411, name: "Length Required" },
+        PreconditionFailed: { code: 412, name: "Precondition Failed" },
+        PayloadTooLarge: { code: 413, name: "Payload Too Large" },
+        URITooLong: { code: 414, name: "URI Too Long" },
+        UnsupportedMediaType: { code: 415, name: "Unsupported Media Type" },
+        RangeNotSatisfiable: { code: 416, name: "Range Not Satisfiable" },
+        ExpectationFailed: { code: 417, name: "Expectation Failed" },
+        ImATeapot: { code: 418, name: "I'm a teapot" },
+        UnprocessableEntity: { code: 422, name: "Unprocessable Entity" },
+        TooManyRequests: { code: 429, name: "Too Many Requests" },
+    },
+    serverErrors: {
+        InternalServerError: { code: 500, name: "Internal Server Error" },
+        NotImplemented: { code: 501, name: "Not Implemented" },
+        BadGateway: { code: 502, name: "Bad Gateway" },
+        ServiceUnavailable: { code: 503, name: "Service Unavailable" },
+        GatewayTimeout: { code: 504, name: "Gateway Timeout" },
+        HTTPVersionNotSupported: {
+            code: 505,
+            name: "HTTP Version Not Supported",
+        },
+    },
+};
+export { httpCodes };

backend/diachron/hydrators/hydrator.ts

@@ -0,0 +1,29 @@
+import { Kysely, PostgresDialect } from "kysely";
+import { Pool } from "pg";
+import type { DB } from "../../generated/db";
+import { connectionConfig } from "../database";
+
+const db = new Kysely<DB>({
+    dialect: new PostgresDialect({
+        pool: new Pool(connectionConfig),
+    }),
+    log(event) {
+        if (event.level === "query") {
+            // FIXME: Wire this up to the logging system
+            console.log("SQL:", event.query.sql);
+            console.log("Params:", event.query.parameters);
+        }
+    },
+});
+
+abstract class Hydrator<T> {
+    public db: Kysely<DB>;
+
+    protected abstract table: string;
+
+    constructor() {
+        this.db = db;
+    }
+}
+
+export { Hydrator, db };

backend/diachron/hydrators/index.ts

@@ -0,0 +1 @@
+export type Hydrators = {};

backend/diachron/hydrators/tests/setup.ts

@@ -0,0 +1,44 @@
+// Test setup for hydrator tests
+// Run: DB_PORT=5433 DB_USER=diachron_test DB_PASSWORD=diachron_test DB_NAME=diachron_test npx tsx --test tests/*.test.ts
+
+import { Pool } from "pg";
+import { connectionConfig, migrate } from "../../database";
+
+const pool = new Pool(connectionConfig);
+
+export async function setupTestDatabase(): Promise<void> {
+    await migrate();
+}
+
+export async function cleanupTables(): Promise<void> {
+    // Clean in reverse dependency order
+    await pool.query("DELETE FROM user_emails");
+    await pool.query("DELETE FROM users");
+}
+
+export async function teardownTestDatabase(): Promise<void> {
+    await pool.end();
+}
+
+export async function insertTestUser(data: {
+    id: string;
+    displayName: string;
+    status: string;
+    email: string;
+}): Promise<void> {
+    const emailId = crypto.randomUUID();
+    const normalizedEmail = data.email.toLowerCase().trim();
+
+    await pool.query(
+        `INSERT INTO users (id, display_name, status) VALUES ($1, $2, $3)`,
+        [data.id, data.displayName, data.status],
+    );
+
+    await pool.query(
+        `INSERT INTO user_emails (id, user_id, email, normalized_email, is_primary)
+         VALUES ($1, $2, $3, $4, true)`,
+        [emailId, data.id, data.email, normalizedEmail],
+    );
+}
+
+export { pool };

backend/diachron/hydrators/tests/user.spec.ts

@@ -0,0 +1,98 @@
+// Tests for user hydrator
+// Run with: cd express && DB_PORT=5433 DB_USER=diachron_test DB_PASSWORD=diachron_test DB_NAME=diachron_test ../cmd npx tsx --test diachron/hydrators/tests/user.test.ts
+
+import assert from "node:assert/strict";
+import { after, before, beforeEach, describe, it } from "node:test";
+import { get } from "../user";
+import {
+    cleanupTables,
+    insertTestUser,
+    setupTestDatabase,
+    teardownTestDatabase,
+} from "./setup";
+
+describe("user hydrator", () => {
+    before(async () => {
+        await setupTestDatabase();
+    });
+
+    after(async () => {
+        await teardownTestDatabase();
+    });
+
+    beforeEach(async () => {
+        await cleanupTables();
+    });
+
+    describe("get", () => {
+        it("returns null for non-existent user", async () => {
+            const result = await get("00000000-0000-0000-0000-000000000000");
+            assert.equal(result, null);
+        });
+
+        it("returns user when found", async () => {
+            const userId = "cfae0a19-6515-4813-bc2d-1e032b72b203";
+            await insertTestUser({
+                id: userId,
+                displayName: "Test User",
+                status: "active",
+                email: "test@example.com",
+            });
+
+            const result = await get(userId);
+
+            assert.notEqual(result, null);
+            assert.equal(result!.id, userId);
+            assert.equal(result!.display_name, "Test User");
+            assert.equal(result!.status, "active");
+            assert.equal(result!.email, "test@example.com");
+        });
+
+        it("validates user data with zod parser", async () => {
+            const userId = crypto.randomUUID();
+            await insertTestUser({
+                id: userId,
+                displayName: "Valid User",
+                status: "active",
+                email: "valid@example.com",
+            });
+
+            const result = await get(userId);
+
+            // If we get here without throwing, parsing succeeded
+            assert.notEqual(result, null);
+            assert.equal(typeof result!.id, "string");
+            assert.equal(typeof result!.email, "string");
+        });
+
+        it("returns user with pending status", async () => {
+            const userId = crypto.randomUUID();
+            await insertTestUser({
+                id: userId,
+                displayName: "Pending User",
+                status: "pending",
+                email: "pending@example.com",
+            });
+
+            const result = await get(userId);
+
+            assert.notEqual(result, null);
+            assert.equal(result!.status, "pending");
+        });
+
+        it("returns user with suspended status", async () => {
+            const userId = crypto.randomUUID();
+            await insertTestUser({
+                id: userId,
+                displayName: "Suspended User",
+                status: "suspended",
+                email: "suspended@example.com",
+            });
+
+            const result = await get(userId);
+
+            assert.notEqual(result, null);
+            assert.equal(result!.status, "suspended");
+        });
+    });
+});

backend/diachron/hydrators/user.ts

@@ -0,0 +1,59 @@
+import {
+    ColumnType,
+    Generated,
+    Insertable,
+    JSONColumnType,
+    Selectable,
+    Updateable,
+} from "kysely";
+import type { TypeID } from "typeid-js";
+import { z } from "zod";
+import { db, Hydrator } from "./hydrator";
+
+const parser = z.object({
+    // id: z.uuidv7(),
+    id: z.uuid(),
+    display_name: z.string(),
+    // FIXME: status is duplicated elsewhere
+    status: z.union([
+        z.literal("active"),
+        z.literal("suspended"),
+        z.literal("pending"),
+    ]),
+    email: z.email(),
+});
+
+const tp = parser.parse({
+    id: "cfae0a19-6515-4813-bc2d-1e032b72b203",
+    display_name: "foo",
+    status: "active",
+    email: "mw@philologue.net",
+});
+
+export type User = z.infer<typeof parser>;
+
+const get = async (id: string): Promise<null | User> => {
+    const ret = await db
+        .selectFrom("users")
+        .where("users.id", "=", id)
+        .innerJoin("user_emails", "user_emails.user_id", "users.id")
+        .select([
+            "users.id",
+            "users.status",
+            "users.display_name",
+            "user_emails.email",
+        ])
+        .executeTakeFirst();
+
+    if (ret === undefined) {
+        return null;
+    }
+
+    console.dir(ret);
+
+    const parsed = parser.parse(ret);
+
+    return parsed;
+};
+
+export { get };

backend/diachron/logging.spec.ts

@@ -0,0 +1,53 @@
+// Tests for logging.ts
+// Note: These tests verify the module structure and types.
+// Full integration tests would require a running logging service.
+
+import assert from "node:assert/strict";
+import { describe, it } from "node:test";
+
+// We can't easily test log() and getLogs() without mocking fetch,
+// but we can verify the module exports correctly and types work.
+
+describe("logging", () => {
+    describe("module structure", () => {
+        it("exports log function", async () => {
+            const { log } = await import("./logging");
+            assert.equal(typeof log, "function");
+        });
+
+        it("exports getLogs function", async () => {
+            const { getLogs } = await import("./logging");
+            assert.equal(typeof getLogs, "function");
+        });
+    });
+
+    describe("Message type", () => {
+        // Type-level tests - if these compile, the types are correct
+        it("accepts valid message sources", () => {
+            type MessageSource = "logging" | "diagnostic" | "user";
+            const sources: MessageSource[] = ["logging", "diagnostic", "user"];
+            assert.equal(sources.length, 3);
+        });
+    });
+
+    describe("FilterArgument type", () => {
+        // Type-level tests
+        it("accepts valid filter options", () => {
+            type FilterArgument = {
+                limit?: number;
+                before?: number;
+                after?: number;
+                match?: (string | RegExp)[];
+            };
+
+            const filter: FilterArgument = {
+                limit: 10,
+                before: Date.now(),
+                after: Date.now() - 3600000,
+                match: ["error", /warning/i],
+            };
+
+            assert.ok(filter.limit === 10);
+        });
+    });
+});

backend/diachron/logging.ts

@@ -0,0 +1,73 @@
+// internal-logging.ts
+
+import { cli } from "./cli";
+
+// FIXME: Move this to somewhere more appropriate
+type AtLeastOne<T> = [T, ...T[]];
+
+type MessageSource = "logging" | "diagnostic" | "user";
+
+type Message = {
+    // FIXME: number probably isn't what we want here
+    timestamp?: number;
+    source: MessageSource;
+
+    text: AtLeastOne<string>;
+};
+
+const _m1: Message = { timestamp: 123, source: "logging", text: ["foo"] };
+const _m2: Message = {
+    timestamp: 321,
+    source: "diagnostic",
+    text: ["ok", "whatever"],
+};
+
+type FilterArgument = {
+    limit?: number;
+    before?: number;
+    after?: number;
+
+    // FIXME: add offsets to use instead of or in addition to before/after
+
+    match?: (string | RegExp)[];
+};
+
+const loggerUrl = `http://${cli.logAddress.host}:${cli.logAddress.port}`;
+
+const log = (message: Message) => {
+    const payload = {
+        timestamp: message.timestamp ?? Date.now(),
+        source: message.source,
+        text: message.text,
+    };
+
+    fetch(`${loggerUrl}/log`, {
+        method: "POST",
+        headers: { "Content-Type": "application/json" },
+        body: JSON.stringify(payload),
+    }).catch((err) => {
+        console.error("[logging] Failed to send log:", err.message);
+    });
+};
+
+const getLogs = async (filter: FilterArgument): Promise<Message[]> => {
+    const params = new URLSearchParams();
+    if (filter.limit) {
+        params.set("limit", String(filter.limit));
+    }
+    if (filter.before) {
+        params.set("before", String(filter.before));
+    }
+    if (filter.after) {
+        params.set("after", String(filter.after));
+    }
+
+    const url = `${loggerUrl}/logs?${params.toString()}`;
+    const response = await fetch(url);
+    return response.json();
+};
+
+// FIXME: there's scope for more specialized functions although they
+// probably should be defined in terms of the basic ones here.
+
+export { getLogs, log };

backend/diachron/mgmt/add-user.ts

@@ -0,0 +1,69 @@
+// add-user.ts
+// Management command to create users from the command line
+
+import { hashPassword } from "../auth/password";
+import { PostgresAuthStore, pool } from "../database";
+
+async function main(): Promise<void> {
+    const args = process.argv.slice(2);
+
+    if (args.length < 2) {
+        console.error(
+            "Usage: ./mgmt add-user <email> <password> [--display-name <name>] [--active]",
+        );
+        process.exit(1);
+    }
+
+    const email = args[0];
+    const password = args[1];
+
+    // Parse optional flags
+    let displayName: string | undefined;
+    let makeActive = false;
+
+    for (let i = 2; i < args.length; i++) {
+        if (args[i] === "--display-name" && args[i + 1]) {
+            displayName = args[i + 1];
+            i++;
+        } else if (args[i] === "--active") {
+            makeActive = true;
+        }
+    }
+
+    try {
+        const store = new PostgresAuthStore();
+
+        // Check if user already exists
+        const existing = await store.getUserByEmail(email);
+        if (existing) {
+            console.error(`Error: User with email '${email}' already exists`);
+            process.exit(1);
+        }
+
+        // Hash password and create user
+        const passwordHash = await hashPassword(password);
+        const user = await store.createUser({
+            email,
+            passwordHash,
+            displayName,
+        });
+
+        // Optionally activate user immediately
+        if (makeActive) {
+            await store.updateUserEmailVerified(user.id);
+            console.log(
+                `Created and activated user: ${user.email} (${user.id})`,
+            );
+        } else {
+            console.log(`Created user: ${user.email} (${user.id})`);
+            console.log("  Status: pending (use --active to create as active)");
+        }
+    } finally {
+        await pool.end();
+    }
+}
+
+main().catch((err) => {
+    console.error("Failed to create user:", err.message);
+    process.exit(1);
+});

backend/diachron/migrate.ts

@@ -0,0 +1,45 @@
+// migrate.ts
+// CLI script for running database migrations
+
+import { migrate, migrationStatus, pool } from "./database";
+
+async function main(): Promise<void> {
+    const command = process.argv[2] || "run";
+
+    try {
+        switch (command) {
+            case "run":
+                await migrate();
+                break;
+
+            case "status": {
+                const status = await migrationStatus();
+                console.log("Applied migrations:");
+                for (const name of status.applied) {
+                    console.log(`  ✓ ${name}`);
+                }
+                if (status.pending.length > 0) {
+                    console.log("\nPending migrations:");
+                    for (const name of status.pending) {
+                        console.log(`  • ${name}`);
+                    }
+                } else {
+                    console.log("\nNo pending migrations");
+                }
+                break;
+            }
+
+            default:
+                console.error(`Unknown command: ${command}`);
+                console.error("Usage: migrate [run|status]");
+                process.exit(1);
+        }
+    } finally {
+        await pool.end();
+    }
+}
+
+main().catch((err) => {
+    console.error("Migration failed:", err);
+    process.exit(1);
+});

backend/diachron/migrations/2026-01-01_01-users.sql

@@ -0,0 +1,29 @@
+-- 0001_users.sql
+-- Create users table for authentication
+
+CREATE TABLE users (
+    id UUID PRIMARY KEY,
+    status TEXT NOT NULL DEFAULT 'active',
+    display_name TEXT,
+    created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
+);
+
+CREATE TABLE user_emails (
+    id UUID PRIMARY KEY,
+    user_id UUID NOT NULL REFERENCES users(id),
+    email TEXT NOT NULL,
+    normalized_email TEXT NOT NULL,
+    is_primary BOOLEAN NOT NULL DEFAULT FALSE,
+    is_verified BOOLEAN NOT NULL DEFAULT FALSE,
+    created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    verified_at TIMESTAMPTZ,
+    revoked_at TIMESTAMPTZ
+);
+
+-- Enforce uniqueness only among *active* emails
+CREATE UNIQUE INDEX user_emails_unique_active
+ON user_emails (normalized_email)
+WHERE revoked_at IS NULL;
+
+

backend/diachron/migrations/2026-01-01_02-sessions.sql

@@ -0,0 +1,26 @@
+-- 0002_sessions.sql
+-- Create sessions table for auth tokens
+
+CREATE TABLE sessions (
+    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+    token_hash TEXT UNIQUE NOT NULL,
+    user_id UUID NOT NULL REFERENCES users(id),
+    user_email_id UUID REFERENCES user_emails(id),
+    token_type TEXT NOT NULL,
+    auth_method TEXT NOT NULL,
+    created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    expires_at TIMESTAMPTZ NOT NULL,
+    revoked_at TIMESTAMPTZ,
+    ip_address INET,
+    user_agent TEXT,
+    is_used BOOLEAN DEFAULT FALSE
+);
+
+-- Index for user session lookups (logout all, etc.)
+CREATE INDEX sessions_user_id_idx ON sessions (user_id);
+
+-- Index for expiration cleanup
+CREATE INDEX sessions_expires_at_idx ON sessions (expires_at);
+
+-- Index for token type filtering
+CREATE INDEX sessions_token_type_idx ON sessions (token_type);

backend/diachron/migrations/2026-01-01_03-user-credentials.sql

@@ -0,0 +1,17 @@
+-- 0003_user_credentials.sql
+-- Create user_credentials table for password storage (extensible for other auth methods)
+
+CREATE TABLE user_credentials (
+    id UUID PRIMARY KEY,
+    user_id UUID NOT NULL REFERENCES users(id),
+    credential_type TEXT NOT NULL DEFAULT 'password',
+    password_hash TEXT,
+    created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
+);
+
+-- Each user can have at most one credential per type
+CREATE UNIQUE INDEX user_credentials_user_type_idx ON user_credentials (user_id, credential_type);
+
+-- Index for user lookups
+CREATE INDEX user_credentials_user_id_idx ON user_credentials (user_id);

backend/diachron/migrations/2026-01-24_01-roles-and-groups.sql

@@ -0,0 +1,20 @@
+CREATE TABLE roles (
+    id UUID PRIMARY KEY,
+    name TEXT UNIQUE NOT NULL,
+    description TEXT
+);
+
+CREATE TABLE groups (
+    id UUID PRIMARY KEY,
+    name TEXT NOT NULL,
+    created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
+);
+
+CREATE TABLE user_group_roles (
+    user_id UUID NOT NULL REFERENCES users(id),
+    group_id UUID NOT NULL REFERENCES groups(id),
+    role_id UUID NOT NULL REFERENCES roles(id),
+    granted_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    revoked_at TIMESTAMPTZ,
+    PRIMARY KEY (user_id, group_id, role_id)
+);

backend/diachron/migrations/2026-01-24_02-capabilities.sql

@@ -0,0 +1,14 @@
+CREATE TABLE capabilities (
+    id UUID PRIMARY KEY,
+    name TEXT UNIQUE NOT NULL,
+    description TEXT
+);
+
+CREATE TABLE role_capabilities (
+    role_id UUID NOT NULL REFERENCES roles(id),
+    capability_id UUID NOT NULL REFERENCES capabilities(id),
+    granted_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+    revoked_at TIMESTAMPTZ,
+    PRIMARY KEY (role_id, capability_id)
+);
+

backend/diachron/package.json

@@ -0,0 +1,39 @@
+{
+    "name": "express",
+    "version": "1.0.0",
+    "description": "",
+    "main": "index.js",
+    "scripts": {
+        "test": "DB_PORT=5433 DB_USER=diachron_test DB_PASSWORD=diachron_test DB_NAME=diachron_test tsx --test '**/*.{test,spec}.ts'",
+        "test:watch": "DB_PORT=5433 DB_USER=diachron_test DB_PASSWORD=diachron_test DB_NAME=diachron_test tsx --test --watch '**/*.{test,spec}.ts'",
+        "nodemon": "nodemon dist/index.js",
+        "kysely-codegen": "kysely-codegen"
+    },
+    "keywords": [],
+    "author": "",
+    "license": "ISC",
+    "packageManager": "pnpm@10.12.4",
+    "dependencies": {
+        "@types/node": "^24.10.1",
+        "@types/nunjucks": "^3.2.6",
+        "@vercel/ncc": "^0.38.4",
+        "express": "^5.1.0",
+        "kysely": "^0.28.9",
+        "nodemon": "^3.1.11",
+        "nunjucks": "^3.2.4",
+        "path-to-regexp": "^8.3.0",
+        "pg": "^8.16.3",
+        "ts-luxon": "^6.2.0",
+        "ts-node": "^10.9.2",
+        "tsx": "^4.20.6",
+        "typeid-js": "^1.2.0",
+        "typescript": "^5.9.3",
+        "zod": "^4.1.12"
+    },
+    "devDependencies": {
+        "@biomejs/biome": "2.3.10",
+        "@types/express": "^5.0.5",
+        "@types/pg": "^8.16.0",
+        "kysely-codegen": "^0.19.0"
+    }
+}

backend/diachron/request/index.ts

@@ -0,0 +1,25 @@
+import { AuthService } from "../auth";
+import { getCurrentUser } from "../context";
+import { PostgresAuthStore } from "../database";
+import type { User } from "../user";
+import { html, redirect, render } from "./util";
+
+const util = { html, redirect, render };
+
+const session = {
+    getUser: (): User => {
+        return getCurrentUser();
+    },
+};
+
+// Initialize auth with PostgreSQL store
+const authStore = new PostgresAuthStore();
+const auth = new AuthService(authStore);
+
+const request = {
+    auth,
+    session,
+    util,
+};
+
+export { request };

backend/diachron/request/util.ts

@@ -0,0 +1,45 @@
+import { contentTypes } from "../content-types";
+import { core } from "../core";
+import { executionContext } from "../execution-context";
+import { httpCodes } from "../http-codes";
+import type { RedirectResult, Result } from "../types";
+import { loadFile } from "../util";
+import { request } from "./index";
+
+type NoUser = {
+    [key: string]: unknown;
+} & {
+    user?: never;
+};
+
+const render = async (path: string, ctx?: NoUser): Promise<string> => {
+    const fullPath = `${executionContext.diachron_root}/templates/${path}.html.njk`;
+    const template = await loadFile(fullPath);
+    const user = request.session.getUser();
+    const context = { user, ...ctx };
+    const engine = core.conf.templateEngine();
+    const retval = engine.renderTemplate(template, context);
+
+    return retval;
+};
+
+const html = (payload: string): Result => {
+    const retval: Result = {
+        code: httpCodes.success.OK,
+        result: payload,
+        contentType: contentTypes.text.html,
+    };
+
+    return retval;
+};
+
+const redirect = (location: string): RedirectResult => {
+    return {
+        code: httpCodes.redirection.SeeOther,
+        contentType: contentTypes.text.plain,
+        result: "",
+        redirect: location,
+    };
+};
+
+export { html, redirect, render };

backend/diachron/types.spec.ts

@@ -0,0 +1,179 @@
+// Tests for types.ts
+// Pure unit tests
+
+import assert from "node:assert/strict";
+import { describe, it } from "node:test";
+import type { Request as ExpressRequest } from "express";
+import { Session } from "./auth/types";
+import { contentTypes } from "./content-types";
+import { httpCodes } from "./http-codes";
+import {
+    AuthenticationRequired,
+    AuthorizationDenied,
+    type Call,
+    isRedirect,
+    massageMethod,
+    methodParser,
+    type Permission,
+    type RedirectResult,
+    type Result,
+    requireAuth,
+    requirePermission,
+} from "./types";
+import { AuthenticatedUser, anonymousUser } from "./user";
+
+// Helper to create a minimal mock Call
+function createMockCall(overrides: Partial<Call> = {}): Call {
+    const defaultSession = new Session(null, anonymousUser);
+    return {
+        pattern: "/test",
+        path: "/test",
+        method: "GET",
+        parameters: {},
+        request: {} as ExpressRequest,
+        user: anonymousUser,
+        session: defaultSession,
+        ...overrides,
+    };
+}
+
+describe("types", () => {
+    describe("methodParser", () => {
+        it("accepts valid HTTP methods", () => {
+            assert.equal(methodParser.parse("GET"), "GET");
+            assert.equal(methodParser.parse("POST"), "POST");
+            assert.equal(methodParser.parse("PUT"), "PUT");
+            assert.equal(methodParser.parse("PATCH"), "PATCH");
+            assert.equal(methodParser.parse("DELETE"), "DELETE");
+        });
+
+        it("rejects invalid methods", () => {
+            assert.throws(() => methodParser.parse("get"));
+            assert.throws(() => methodParser.parse("OPTIONS"));
+            assert.throws(() => methodParser.parse("HEAD"));
+            assert.throws(() => methodParser.parse(""));
+        });
+    });
+
+    describe("massageMethod", () => {
+        it("converts lowercase to uppercase", () => {
+            assert.equal(massageMethod("get"), "GET");
+            assert.equal(massageMethod("post"), "POST");
+            assert.equal(massageMethod("put"), "PUT");
+            assert.equal(massageMethod("patch"), "PATCH");
+            assert.equal(massageMethod("delete"), "DELETE");
+        });
+
+        it("handles mixed case", () => {
+            assert.equal(massageMethod("Get"), "GET");
+            assert.equal(massageMethod("pOsT"), "POST");
+        });
+
+        it("throws for invalid methods", () => {
+            assert.throws(() => massageMethod("options"));
+            assert.throws(() => massageMethod("head"));
+        });
+    });
+
+    describe("isRedirect", () => {
+        it("returns true for redirect results", () => {
+            const result: RedirectResult = {
+                code: httpCodes.redirection.Found,
+                contentType: contentTypes.text.html,
+                result: "",
+                redirect: "/other",
+            };
+            assert.equal(isRedirect(result), true);
+        });
+
+        it("returns false for non-redirect results", () => {
+            const result: Result = {
+                code: httpCodes.success.OK,
+                contentType: contentTypes.text.html,
+                result: "hello",
+            };
+            assert.equal(isRedirect(result), false);
+        });
+    });
+
+    describe("AuthenticationRequired", () => {
+        it("has correct name and message", () => {
+            const err = new AuthenticationRequired();
+            assert.equal(err.name, "AuthenticationRequired");
+            assert.equal(err.message, "Authentication required");
+        });
+
+        it("is an instance of Error", () => {
+            const err = new AuthenticationRequired();
+            assert.ok(err instanceof Error);
+        });
+    });
+
+    describe("AuthorizationDenied", () => {
+        it("has correct name and message", () => {
+            const err = new AuthorizationDenied();
+            assert.equal(err.name, "AuthorizationDenied");
+            assert.equal(err.message, "Authorization denied");
+        });
+
+        it("is an instance of Error", () => {
+            const err = new AuthorizationDenied();
+            assert.ok(err instanceof Error);
+        });
+    });
+
+    describe("requireAuth", () => {
+        it("returns user for authenticated call", () => {
+            const user = AuthenticatedUser.create("test@example.com");
+            const session = new Session(null, user);
+            const call = createMockCall({ user, session });
+
+            const result = requireAuth(call);
+            assert.equal(result, user);
+        });
+
+        it("throws AuthenticationRequired for anonymous user", () => {
+            const call = createMockCall({ user: anonymousUser });
+
+            assert.throws(() => requireAuth(call), AuthenticationRequired);
+        });
+    });
+
+    describe("requirePermission", () => {
+        it("returns user when they have the permission", () => {
+            const user = AuthenticatedUser.create("test@example.com", {
+                permissions: ["posts:create" as Permission],
+            });
+            const session = new Session(null, user);
+            const call = createMockCall({ user, session });
+
+            const result = requirePermission(
+                call,
+                "posts:create" as Permission,
+            );
+            assert.equal(result, user);
+        });
+
+        it("throws AuthenticationRequired for anonymous user", () => {
+            const call = createMockCall({ user: anonymousUser });
+
+            assert.throws(
+                () => requirePermission(call, "posts:create" as Permission),
+                AuthenticationRequired,
+            );
+        });
+
+        it("throws AuthorizationDenied when missing permission", () => {
+            const user = AuthenticatedUser.create("test@example.com", {
+                permissions: ["posts:read" as Permission],
+            });
+            const session = new Session(null, user);
+            const call = createMockCall({ user, session });
+
+            assert.throws(
+                () => requirePermission(call, "posts:create" as Permission),
+                AuthorizationDenied,
+            );
+        });
+    });
+});

backend/diachron/types.ts

@@ -0,0 +1,117 @@
+// types.ts
+
+// FIXME: split this up into types used by app developers and types internal
+// to the framework.
+import type { Request as ExpressRequest } from "express";
+import type { MatchFunction } from "path-to-regexp";
+import { z } from "zod";
+import type { Session } from "./auth/types";
+import type { ContentType } from "./content-types";
+import type { HttpCode } from "./http-codes";
+import type { Permission, User } from "./user";
+
+const methodParser = z.union([
+    z.literal("GET"),
+    z.literal("POST"),
+    z.literal("PUT"),
+    z.literal("PATCH"),
+    z.literal("DELETE"),
+]);
+
+export type Method = z.infer<typeof methodParser>;
+const massageMethod = (input: string): Method => {
+    const r = methodParser.parse(input.toUpperCase());
+
+    return r;
+};
+
+export type Call = {
+    pattern: string;
+    path: string;
+    method: Method;
+    parameters: object;
+    request: ExpressRequest;
+    user: User;
+    session: Session;
+};
+
+export type InternalHandler = (req: ExpressRequest) => Promise<Result>;
+
+export type Handler = (call: Call) => Promise<Result>;
+export type ProcessedRoute = {
+    matcher: MatchFunction<Record<string, string>>;
+    method: Method;
+    handler: InternalHandler;
+};
+
+export type CookieOptions = {
+    httpOnly?: boolean;
+    secure?: boolean;
+    sameSite?: "strict" | "lax" | "none";
+    maxAge?: number;
+    path?: string;
+};
+
+export type Cookie = {
+    name: string;
+    value: string;
+    options?: CookieOptions;
+};
+
+export type Result = {
+    code: HttpCode;
+    contentType: ContentType;
+    result: string;
+    cookies?: Cookie[];
+};
+
+export type RedirectResult = Result & {
+    redirect: string;
+};
+
+export function isRedirect(result: Result): result is RedirectResult {
+    return "redirect" in result;
+}
+
+export type Route = {
+    path: string;
+    methods: Method[];
+    handler: Handler;
+    interruptable?: boolean;
+};
+
+// Authentication error classes
+export class AuthenticationRequired extends Error {
+    constructor() {
+        super("Authentication required");
+        this.name = "AuthenticationRequired";
+    }
+}
+
+export class AuthorizationDenied extends Error {
+    constructor() {
+        super("Authorization denied");
+        this.name = "AuthorizationDenied";
+    }
+}
+
+// Helper for handlers to require authentication
+export function requireAuth(call: Call): User {
+    if (call.user.isAnonymous()) {
+        throw new AuthenticationRequired();
+    }
+    return call.user;
+}
+
+// Helper for handlers to require specific permission
+export function requirePermission(call: Call, permission: Permission): User {
+    const user = requireAuth(call);
+    if (!user.hasPermission(permission)) {
+        throw new AuthorizationDenied();
+    }
+    return user;
+}
+
+export type Domain = "app" | "fw";
+
+export { methodParser, massageMethod };

backend/diachron/user.spec.ts

@@ -0,0 +1,213 @@
+// Tests for user.ts
+// These are pure unit tests - no database needed
+
+import assert from "node:assert/strict";
+import { describe, it } from "node:test";
+import {
+    AnonymousUser,
+    AuthenticatedUser,
+    anonymousUser,
+    type Permission,
+    type Role,
+} from "./user";
+
+describe("User", () => {
+    describe("AuthenticatedUser.create", () => {
+        it("creates a user with default values", () => {
+            const user = AuthenticatedUser.create("test@example.com");
+
+            assert.equal(user.email, "test@example.com");
+            assert.equal(user.status, "active");
+            assert.equal(user.isAnonymous(), false);
+            assert.deepEqual([...user.roles], []);
+            assert.deepEqual([...user.permissions], []);
+        });
+
+        it("creates a user with custom values", () => {
+            const user = AuthenticatedUser.create("test@example.com", {
+                id: "custom-id",
+                displayName: "Test User",
+                status: "pending",
+                roles: ["admin"],
+                permissions: ["posts:create"],
+            });
+
+            assert.equal(user.id, "custom-id");
+            assert.equal(user.displayName, "Test User");
+            assert.equal(user.status, "pending");
+            assert.deepEqual([...user.roles], ["admin"]);
+            assert.deepEqual([...user.permissions], ["posts:create"]);
+        });
+    });
+
+    describe("status checks", () => {
+        it("isActive returns true for active users", () => {
+            const user = AuthenticatedUser.create("test@example.com", {
+                status: "active",
+            });
+            assert.equal(user.isActive(), true);
+        });
+
+        it("isActive returns false for suspended users", () => {
+            const user = AuthenticatedUser.create("test@example.com", {
+                status: "suspended",
+            });
+            assert.equal(user.isActive(), false);
+        });
+
+        it("isActive returns false for pending users", () => {
+            const user = AuthenticatedUser.create("test@example.com", {
+                status: "pending",
+            });
+            assert.equal(user.isActive(), false);
+        });
+    });
+
+    describe("role checks", () => {
+        it("hasRole returns true when user has the role", () => {
+            const user = AuthenticatedUser.create("test@example.com", {
+                roles: ["admin", "editor"],
+            });
+            assert.equal(user.hasRole("admin"), true);
+            assert.equal(user.hasRole("editor"), true);
+        });
+
+        it("hasRole returns false when user does not have the role", () => {
+            const user = AuthenticatedUser.create("test@example.com", {
+                roles: ["user"],
+            });
+            assert.equal(user.hasRole("admin"), false);
+        });
+
+        it("hasAnyRole returns true when user has at least one role", () => {
+            const user = AuthenticatedUser.create("test@example.com", {
+                roles: ["editor"],
+            });
+            assert.equal(user.hasAnyRole(["admin", "editor"]), true);
+        });
+
+        it("hasAnyRole returns false when user has none of the roles", () => {
+            const user = AuthenticatedUser.create("test@example.com", {
+                roles: ["user"],
+            });
+            assert.equal(user.hasAnyRole(["admin", "editor"]), false);
+        });
+
+        it("hasAllRoles returns true when user has all roles", () => {
+            const user = AuthenticatedUser.create("test@example.com", {
+                roles: ["admin", "editor", "user"],
+            });
+            assert.equal(user.hasAllRoles(["admin", "editor"]), true);
+        });
+
+        it("hasAllRoles returns false when user is missing a role", () => {
+            const user = AuthenticatedUser.create("test@example.com", {
+                roles: ["admin"],
+            });
+            assert.equal(user.hasAllRoles(["admin", "editor"]), false);
+        });
+    });
+
+    describe("permission checks", () => {
+        it("hasPermission returns true for direct permissions", () => {
+            const user = AuthenticatedUser.create("test@example.com", {
+                permissions: ["posts:create" as Permission],
+            });
+            assert.equal(
+                user.hasPermission("posts:create" as Permission),
+                true,
+            );
+        });
+
+        it("hasPermission returns true for role-derived permissions", () => {
+            const user = AuthenticatedUser.create("test@example.com", {
+                roles: ["admin" as Role],
+            });
+            // admin role has users:read, users:create, users:update, users:delete
+            assert.equal(user.hasPermission("users:read" as Permission), true);
+            assert.equal(
+                user.hasPermission("users:delete" as Permission),
+                true,
+            );
+        });
+
+        it("hasPermission returns false when permission not granted", () => {
+            const user = AuthenticatedUser.create("test@example.com", {
+                roles: ["user" as Role],
+            });
+            // user role only has users:read
+            assert.equal(
+                user.hasPermission("users:delete" as Permission),
+                false,
+            );
+        });
+
+        it("can() is a convenience method for hasPermission", () => {
+            const user = AuthenticatedUser.create("test@example.com", {
+                roles: ["admin" as Role],
+            });
+            assert.equal(user.can("read", "users"), true);
+            assert.equal(user.can("delete", "users"), true);
+            assert.equal(user.can("create", "posts"), false);
+        });
+    });
+
+    describe("effectivePermissions", () => {
+        it("returns combined direct and role-derived permissions", () => {
+            const user = AuthenticatedUser.create("test@example.com", {
+                roles: ["user" as Role],
+                permissions: ["posts:create" as Permission],
+            });
+
+            const perms = user.effectivePermissions();
+            assert.equal(perms.has("posts:create" as Permission), true);
+            assert.equal(perms.has("users:read" as Permission), true); // from user role
+        });
+
+        it("returns empty set for user with no roles or permissions", () => {
+            const user = AuthenticatedUser.create("test@example.com");
+            const perms = user.effectivePermissions();
+            assert.equal(perms.size, 0);
+        });
+    });
+
+    describe("serialization", () => {
+        it("toJSON returns plain object", () => {
+            const user = AuthenticatedUser.create("test@example.com", {
+                id: "test-id",
+                displayName: "Test",
+                status: "active",
+                roles: ["admin"],
+                permissions: ["posts:create"],
+            });
+
+            const json = user.toJSON();
+            assert.equal(json.id, "test-id");
+            assert.equal(json.email, "test@example.com");
+            assert.equal(json.displayName, "Test");
+            assert.equal(json.status, "active");
+            assert.deepEqual(json.roles, ["admin"]);
+            assert.deepEqual(json.permissions, ["posts:create"]);
+        });
+
+        it("toString returns readable string", () => {
+            const user = AuthenticatedUser.create("test@example.com", {
+                id: "test-id",
+            });
+            assert.equal(user.toString(), "User(id test-id)");
+        });
+    });
+
+    describe("AnonymousUser", () => {
+        it("isAnonymous returns true", () => {
+            const user = AnonymousUser.create("anon@example.com");
+            assert.equal(user.isAnonymous(), true);
+        });
+
+        it("anonymousUser singleton is anonymous", () => {
+            assert.equal(anonymousUser.isAnonymous(), true);
+            assert.equal(anonymousUser.id, "-1");
+            assert.equal(anonymousUser.email, "anonymous@example.com");
+        });
+    });
+});

backend/diachron/user.ts

@@ -0,0 +1,232 @@
+// user.ts
+//
+// User model for authentication and authorization.
+//
+// Design notes:
+// - `id` is the stable internal identifier (UUID when database-backed)
+// - `email` is the primary human-facing identifier
+// - Roles provide coarse-grained authorization (admin, editor, etc.)
+// - Permissions provide fine-grained authorization (posts:create, etc.)
+// - Users can have both roles (which grant permissions) and direct permissions
+
+import { z } from "zod";
+
+// Branded type for user IDs to prevent accidental mixing with other strings
+export type UserId = string & { readonly __brand: "UserId" };
+
+// User account status
+const userStatusParser = z.enum(["active", "suspended", "pending"]);
+export type UserStatus = z.infer<typeof userStatusParser>;
+
+// Role - simple string identifier
+const roleParser = z.string().min(1);
+export type Role = z.infer<typeof roleParser>;
+
+// Permission format: "resource:action" e.g. "posts:create", "users:delete"
+const permissionParser = z.string().regex(/^[a-z_]+:[a-z_]+$/, {
+    message: "Permission must be in format 'resource:action'",
+});
+export type Permission = z.infer<typeof permissionParser>;
+
+// Core user data schema - this is what gets stored/serialized
+const userDataParser = z.object({
+    id: z.string().min(1),
+    email: z.email(),
+    displayName: z.string().optional(),
+    status: userStatusParser,
+    roles: z.array(roleParser),
+    permissions: z.array(permissionParser),
+    createdAt: z.coerce.date(),
+    updatedAt: z.coerce.date(),
+});
+
+export type UserData = z.infer<typeof userDataParser>;
+
+// Role-to-permission mappings
+// In a real system this might be database-driven or configurable
+type RolePermissionMap = Map<Role, Permission[]>;
+
+const defaultRolePermissions: RolePermissionMap = new Map([
+    ["admin", ["users:read", "users:create", "users:update", "users:delete"]],
+    ["user", ["users:read"]],
+]);
+
+export abstract class User {
+    protected readonly data: UserData;
+    protected rolePermissions: RolePermissionMap;
+
+    constructor(data: UserData, rolePermissions?: RolePermissionMap) {
+        this.data = userDataParser.parse(data);
+        this.rolePermissions = rolePermissions ?? defaultRolePermissions;
+    }
+
+    // Identity
+    get id(): UserId {
+        return this.data.id as UserId;
+    }
+
+    get email(): string {
+        return this.data.email;
+    }
+
+    get displayName(): string | undefined {
+        return this.data.displayName;
+    }
+
+    // Status
+    get status(): UserStatus {
+        return this.data.status;
+    }
+
+    isActive(): boolean {
+        return this.data.status === "active";
+    }
+
+    // Roles
+    get roles(): readonly Role[] {
+        return this.data.roles;
+    }
+
+    hasRole(role: Role): boolean {
+        return this.data.roles.includes(role);
+    }
+
+    hasAnyRole(roles: Role[]): boolean {
+        return roles.some((role) => this.hasRole(role));
+    }
+
+    hasAllRoles(roles: Role[]): boolean {
+        return roles.every((role) => this.hasRole(role));
+    }
+
+    // Permissions
+    get permissions(): readonly Permission[] {
+        return this.data.permissions;
+    }
+
+    // Get all permissions: direct + role-derived
+    effectivePermissions(): Set<Permission> {
+        const perms = new Set<Permission>(this.data.permissions);
+
+        for (const role of this.data.roles) {
+            const rolePerms = this.rolePermissions.get(role);
+            if (rolePerms) {
+                for (const p of rolePerms) {
+                    perms.add(p);
+                }
+            }
+        }
+
+        return perms;
+    }
+
+    // Check if user has a specific permission (direct or via role)
+    hasPermission(permission: Permission): boolean {
+        // Check direct permissions first
+        if (this.data.permissions.includes(permission)) {
+            return true;
+        }
+
+        // Check role-derived permissions
+        for (const role of this.data.roles) {
+            const rolePerms = this.rolePermissions.get(role);
+            if (rolePerms?.includes(permission)) {
+                return true;
+            }
+        }
+
+        return false;
+    }
+
+    // Convenience method: can user perform action on resource?
+    can(action: string, resource: string): boolean {
+        const permission = `${resource}:${action}` as Permission;
+        return this.hasPermission(permission);
+    }
+
+    // Timestamps
+    get createdAt(): Date {
+        return this.data.createdAt;
+    }
+
+    get updatedAt(): Date {
+        return this.data.updatedAt;
+    }
+
+    // Serialization - returns plain object for storage/transmission
+    toJSON(): UserData {
+        return { ...this.data };
+    }
+
+    toString(): string {
+        return `User(id ${this.id})`;
+    }
+
+    abstract isAnonymous(): boolean;
+}
+
+export class AuthenticatedUser extends User {
+    // Factory for creating new users with sensible defaults
+    static create(
+        email: string,
+        options?: {
+            id?: string;
+            displayName?: string;
+            status?: UserStatus;
+            roles?: Role[];
+            permissions?: Permission[];
+        },
+    ): User {
+        const now = new Date();
+        return new AuthenticatedUser({
+            id: options?.id ?? crypto.randomUUID(),
+            email,
+            displayName: options?.displayName,
+            status: options?.status ?? "active",
+            roles: options?.roles ?? [],
+            permissions: options?.permissions ?? [],
+            createdAt: now,
+            updatedAt: now,
+        });
+    }
+
+    isAnonymous(): boolean {
+        return false;
+    }
+}
+
+// For representing "no user" in contexts where user is optional
+export class AnonymousUser extends User {
+    // FIXME: this is C&Ped with only minimal changes.  No bueno.
+    static create(
+        email: string,
+        options?: {
+            id?: string;
+            displayName?: string;
+            status?: UserStatus;
+            roles?: Role[];
+            permissions?: Permission[];
+        },
+    ): AnonymousUser {
+        const now = new Date(0);
+        return new AnonymousUser({
+            id: options?.id ?? crypto.randomUUID(),
+            email,
+            displayName: options?.displayName,
+            status: options?.status ?? "active",
+            roles: options?.roles ?? [],
+            permissions: options?.permissions ?? [],
+            createdAt: now,
+            updatedAt: now,
+        });
+    }
+
+    isAnonymous(): boolean {
+        return true;
+    }
+}
+
+export const anonymousUser = AnonymousUser.create("anonymous@example.com", {
+    id: "-1",
+    displayName: "Anonymous User",
+});

backend/diachron/util.spec.ts

@@ -0,0 +1,61 @@
+// Tests for util.ts
+// Pure unit tests with filesystem
+
+import assert from "node:assert/strict";
+import { mkdir, rm, writeFile } from "node:fs/promises";
+import { join } from "node:path";
+import { after, before, describe, it } from "node:test";
+import { loadFile } from "./util";
+
+describe("util", () => {
+    const testDir = join(import.meta.dirname, ".test-util-tmp");
+
+    before(async () => {
+        await mkdir(testDir, { recursive: true });
+    });
+
+    after(async () => {
+        await rm(testDir, { recursive: true, force: true });
+    });
+
+    describe("loadFile", () => {
+        it("loads file contents as string", async () => {
+            const testFile = join(testDir, "test.txt");
+            await writeFile(testFile, "hello world");
+
+            const content = await loadFile(testFile);
+            assert.equal(content, "hello world");
+        });
+
+        it("handles utf-8 content", async () => {
+            const testFile = join(testDir, "utf8.txt");
+            await writeFile(testFile, "hello \u{1F511} world");
+
+            const content = await loadFile(testFile);
+            assert.equal(content, "hello \u{1F511} world");
+        });
+
+        it("handles empty file", async () => {
+            const testFile = join(testDir, "empty.txt");
+            await writeFile(testFile, "");
+
+            const content = await loadFile(testFile);
+            assert.equal(content, "");
+        });
+
+        it("handles multiline content", async () => {
+            const testFile = join(testDir, "multiline.txt");
+            await writeFile(testFile, "line1\nline2\nline3");
+
+            const content = await loadFile(testFile);
+            assert.equal(content, "line1\nline2\nline3");
+        });
+
+        it("throws for nonexistent file", async () => {
+            await assert.rejects(
+                loadFile(join(testDir, "nonexistent.txt")),
+                /ENOENT/,
+            );
+        });
+    });
+});

backend/diachron/util.ts

@@ -0,0 +1,11 @@
+import { readFile } from "node:fs/promises";
+
+// FIXME: Handle the error here
+const loadFile = async (path: string): Promise<string> => {
+    // Specifying 'utf8' returns a string; otherwise, it returns a Buffer
+    const data = await readFile(path, "utf8");
+
+    return data;
+};
+
+export { loadFile };

backend/generated/db.d.ts

@@ -0,0 +1,109 @@
+/**
+ * This file was generated by kysely-codegen.
+ * Please do not edit it manually.
+ */
+
+import type { ColumnType } from "kysely";
+
+export type Generated<T> =
+    T extends ColumnType<infer S, infer I, infer U>
+        ? ColumnType<S, I | undefined, U>
+        : ColumnType<T, T | undefined, T>;
+
+export type Timestamp = ColumnType<Date, Date | string, Date | string>;
+
+export interface _Migrations {
+    applied_at: Generated<Timestamp>;
+    id: Generated<number>;
+    name: string;
+}
+
+export interface Capabilities {
+    description: string | null;
+    id: string;
+    name: string;
+}
+
+export interface Groups {
+    created_at: Generated<Timestamp>;
+    id: string;
+    name: string;
+}
+
+export interface RoleCapabilities {
+    capability_id: string;
+    granted_at: Generated<Timestamp>;
+    revoked_at: Timestamp | null;
+    role_id: string;
+}
+
+export interface Roles {
+    description: string | null;
+    id: string;
+    name: string;
+}
+
+export interface Sessions {
+    auth_method: string;
+    created_at: Generated<Timestamp>;
+    expires_at: Timestamp;
+    id: Generated<string>;
+    ip_address: string | null;
+    is_used: Generated<boolean | null>;
+    revoked_at: Timestamp | null;
+    token_hash: string;
+    token_type: string;
+    user_agent: string | null;
+    user_email_id: string | null;
+    user_id: string;
+}
+
+export interface UserCredentials {
+    created_at: Generated<Timestamp>;
+    credential_type: Generated<string>;
+    id: string;
+    password_hash: string | null;
+    updated_at: Generated<Timestamp>;
+    user_id: string;
+}
+
+export interface UserEmails {
+    created_at: Generated<Timestamp>;
+    email: string;
+    id: string;
+    is_primary: Generated<boolean>;
+    is_verified: Generated<boolean>;
+    normalized_email: string;
+    revoked_at: Timestamp | null;
+    user_id: string;
+    verified_at: Timestamp | null;
+}
+
+export interface UserGroupRoles {
+    granted_at: Generated<Timestamp>;
+    group_id: string;
+    revoked_at: Timestamp | null;
+    role_id: string;
+    user_id: string;
+}
+
+export interface Users {
+    created_at: Generated<Timestamp>;
+    display_name: string | null;
+    id: string;
+    status: Generated<string>;
+    updated_at: Generated<Timestamp>;
+}
+
+export interface DB {
+    _migrations: _Migrations;
+    capabilities: Capabilities;
+    groups: Groups;
+    role_capabilities: RoleCapabilities;
+    roles: Roles;
+    sessions: Sessions;
+    user_credentials: UserCredentials;
+    user_emails: UserEmails;
+    user_group_roles: UserGroupRoles;
+    users: Users;
+}

backend/migrations/2026-01-15_01-create-test-application-table.sql

@@ -0,0 +1 @@
+CREATE TABLE test_application_table ();

backend/migrations/2026-01-15_01.sql

@@ -0,0 +1 @@
+CREATE TABLE test_application_table ();

backend/package.json

@@ -0,0 +1,20 @@
+{
+    "name": "my app",
+    "version": "0.0.1",
+    "description": "",
+    "main": "index.js",
+    "scripts": {
+        "test": "DB_PORT=5433 DB_USER=diachron_test DB_PASSWORD=diachron_test DB_NAME=diachron_test tsx --test '**/*.{test,spec}.ts'",
+        "test:watch": "DB_PORT=5433 DB_USER=diachron_test DB_PASSWORD=diachron_test DB_NAME=diachron_test tsx --test --watch '**/*.{test,spec}.ts'",
+        "nodemon": "nodemon dist/index.js",
+        "kysely-codegen": "kysely-codegen"
+    },
+    "keywords": [],
+    "author": "",
+    "license": "ISC",
+    "packageManager": "pnpm@10.12.4",
+    "dependencies": {
+    },
+    "devDependencies": {
+    }
+}

backend/pnpm-workspace.yaml

@@ -0,0 +1,2 @@
+packages:
+  - 'diachron'

backend/routes.ts

@@ -0,0 +1,148 @@
+/// <reference lib="dom" />
+
+import nunjucks from "nunjucks";
+import { DateTime } from "ts-luxon";
+import { authRoutes } from "./diachron/auth/routes";
+import { routes as basicRoutes } from "./diachron/basic/routes";
+import { contentTypes } from "./diachron/content-types";
+import { core } from "./diachron/core";
+import { multiHandler } from "./diachron/handlers";
+import { httpCodes } from "./diachron/http-codes";
+import type { Call, Result, Route } from "./diachron/types";
+
+// FIXME: Obviously put this somewhere else
+const okText = (result: string): Result => {
+    const code = httpCodes.success.OK;
+
+    const retval: Result = {
+        code,
+        result,
+        contentType: contentTypes.text.plain,
+    };
+
+    return retval;
+};
+
+const routes: Route[] = [
+    ...authRoutes,
+    basicRoutes.home,
+    basicRoutes.hello,
+    basicRoutes.login,
+    basicRoutes.logout,
+    {
+        path: "/slow",
+        methods: ["GET"],
+        handler: async (_call: Call): Promise<Result> => {
+            console.log("starting slow request");
+
+            await core.misc.sleep(2);
+
+            console.log("finishing slow request");
+            const retval = okText("that was slow");
+
+            return retval;
+        },
+    },
+    {
+        path: "/list",
+        methods: ["GET"],
+        handler: async (_call: Call): Promise<Result> => {
+            const code = httpCodes.success.OK;
+            const lr = (rr: Route[]) => {
+                const ret = rr.map((r: Route) => {
+                    return r.path;
+                });
+
+                return ret;
+            };
+
+            const rrr = lr(routes);
+
+            const template = `
+<html>
+  <head></head>
+  <body>
+    <ul>
+    {% for route in rrr %}
+      <li><a href="{{ route }}">{{ route }}</a></li>
+    {% endfor %}
+    </ul>
+  </body>
+</html>
+`;
+            const result = nunjucks.renderString(template, { rrr });
+
+            const _listing = lr(routes).join(", ");
+            return {
+                code,
+                result,
+                contentType: contentTypes.text.html,
+            };
+        },
+    },
+    {
+        path: "/whoami",
+        methods: ["GET"],
+        handler: async (call: Call): Promise<Result> => {
+            const me = call.session.getUser();
+            const template = `
+<html>
+  <head></head>
+  <body>
+    {{ me }}
+  </body>
+</html>
+`;
+
+            const result = nunjucks.renderString(template, { me });
+
+            return {
+                code: httpCodes.success.OK,
+                contentType: contentTypes.text.html,
+                result,
+            };
+        },
+    },
+    {
+        path: "/ok",
+        methods: ["GET", "POST", "PUT"],
+        handler: multiHandler,
+    },
+    {
+        path: "/alsook",
+        methods: ["GET"],
+        handler: async (_req): Promise<Result> => {
+            const code = httpCodes.success.OK;
+            return {
+                code,
+                result: "it is also ok",
+                contentType: contentTypes.text.plain,
+            };
+        },
+    },
+    {
+        path: "/time",
+        methods: ["GET"],
+        handler: async (_req): Promise<Result> => {
+            const now = DateTime.now();
+            const template = `
+<html>
+  <head></head>
+  <body>
+    {{ now }}
+  </body>
+</html>
+`;
+
+            const result = nunjucks.renderString(template, { now });
+
+            return {
+                code: httpCodes.success.OK,
+                contentType: contentTypes.text.html,
+                result,
+            };
+        },
+    },
+];
+
+export { routes };

backend/run.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+
+set -eu
+
+DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+
+cd "$DIR"
+
+exec ../cmd node dist/index.js "$@"

backend/show-config.sh

@@ -0,0 +1,12 @@
+#!/bin/bash
+
+set -e
+
+DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+
+check_dir="$DIR"
+
+source "$check_dir"/../diachron/shims/common
+source "$check_dir"/../diachron/shims/node.common
+
+$ROOT/cmd pnpm tsc --showConfig

backend/tsconfig.json

@@ -0,0 +1,14 @@
+{
+    "compilerOptions": {
+        "esModuleInterop": true,
+        "target": "ES2022",
+        "lib": ["ES2023"],
+        "module": "NodeNext",
+        "moduleResolution": "NodeNext",
+        "noImplicitAny": true,
+        "strict": true,
+        "types": ["node"],
+        "outDir": "out"
+    },
+    "exclude": ["**/*.spec.ts", "**/*.test.ts"]
+}

backend/watch.sh

@@ -0,0 +1,14 @@
+#!/bin/bash
+
+set -e
+
+DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+
+check_dir="$DIR"
+
+source "$check_dir"/../diachron/shims/common
+source "$check_dir"/../diachron/shims/node.common
+
+# $ROOT/cmd pnpm tsc --lib ES2023  --esModuleInterop -w $check_dir/app.ts
+# $ROOT/cmd pnpm tsc -w $check_dir/app.ts
+$ROOT/cmd pnpm tsc --watch --project ./tsconfig.json

check.sh

@@ -0,0 +1,30 @@
+#!/bin/bash
+
+DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+
+cd "$DIR"
+
+# Keep exclusions sorted.  And list them here.
+#
+# - SC2002 is useless use of cat
+#
+exclusions="SC2002"
+
+source "$DIR/diachron/versions"
+
+if [[ $# -ne 0 ]]; then
+    shellcheck --exclude="$exclusions" "$@"
+    exit $?
+fi
+
+shell_scripts="$(fd .sh | xargs)"
+
+# The files we need to check all either end in .sh or else they're the files
+# in diachron/cmd.d and diachron/shims.  -x instructs shellcheck to also
+# check `source`d files.
+
+shellcheck -x --exclude="$exclusions" "$DIR/cmd" "$DIR"/diachron/cmd.d/* "$DIR"/diachron/shims/* "$shell_scripts"
+
+pushd "$DIR/master"
+docker run --rm -v $(pwd):/app -w /app golangci/golangci-lint:$golangci_lint golangci-lint run
+popd

cmd

@@ -0,0 +1,27 @@
+#!/bin/bash
+
+# This file belongs to the framework.  You are not expected to modify it.
+
+# Managed binary runner - runs framework-managed binaries like node, pnpm, tsx
+# Usage: ./cmd <command> [args...]
+
+set -eu
+
+DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+
+if [ $# -lt 1 ]; then
+    echo "Usage: ./cmd <command> [args...]"
+    echo ""
+    echo "Available commands:"
+    for cmd in "$DIR"/diachron/cmd.d/*; do
+        if [ -x "$cmd" ]; then
+            basename "$cmd"
+        fi
+    done
+    exit 1
+fi
+
+subcmd="$1"
+shift
+
+exec "$DIR"/diachron/cmd.d/"$subcmd" "$@"

deno/app.ts

@@ -1,45 +0,0 @@
-// app.ts
-
-import { services } from "./services";
-import{DenoRequest, Method, ProcessedRoute, Request, Route} from './types'
-
-import {routes} from './routes'
-
-services.logging.log({ foo: 1 });
-const processedRoutes: ProcessedRoute[] = routes.map(
-    (route: Route, idx: number, allRoutes: Route[]) => {
-        const pattern: URLPattern = new URLPattern({ pathname: route.path });
-        const method: Method = route.method;
-        const handler = async (denoRequest: DenoRequest) => {
-            const req: Request = {
-                pattern: route.pattern,
-                path: denoRequest.path,
-                method: denoRequest.method,
-                parameters: { one: 1, two: 2 },
-                denoRequest,
-            };
-            return route.handler(req);
-        };
-
-        const retval: ProcessedRoute = { pattern, method, handler };
-
-         return retval
-    },
-);
-
-
-async function handler(req: globalThis.Request): globalThis.Response {
-    for (const [idx, pr] of processedRoutes.entries()) {
-        const match = pr.pattern.exec(req.url);
-        if (match) {
-            const resp = await pr.handler(req);
-
-            return new globalThis.Response(resp.result);
-        }
-    }
-
-    return new globalThis.Response("not found", { status: 404 });
-}
-
-Deno.serve(handler);
-

deno/content-types.ts

@@ -1,38 +0,0 @@
-import { Extensible } from "./interfaces.ts";
-
-export type ContentType = string;
-
-const contentTypes = {
-    text: {
-        plain: "text/plain",
-        html: "text/html",
-        css: "text/css",
-        javascript: "text/javascript",
-        xml: "text/xml",
-    },
-    image: {
-        jpeg: "image/jpeg",
-        png: "image/png",
-        gif: "image/gif",
-        svgPlusXml: "image/svg+xml",
-        webp: "image/webp",
-    },
-    audio: {
-        "mpeg": "audio/mpeg",
-        "wav": "audio/wav",
-    },
-    video: {
-        mp4: "video/mp4",
-        webm: "video/webm",
-        xMsvideo: "video/x-msvideo",
-    },
-    application: {
-        json: "application/json",
-        pdf: "application/pdf",
-        zip: "application/zip",
-        xWwwFormUrlencoded: "x-www-form-urlencoded",
-        octetStream: "octet-stream",
-    },
-};
-
-export { contentTypes };

deno/deno.json

@@ -1,15 +0,0 @@
-{
-	"compilerOptions": {
-		    "lib": ["deno.ns", "dom"]
-		      },
-    "tasks": {
-        "dev": "deno run --watch main.ts"
-    },
-    "imports": {
-        "@std/assert": "jsr:@std/assert@1",
-        "zod": "npm:zod@^3.24.2"
-    },
-    "fmt": {
-        "indentWidth": 4
-    }
-}

deno/deno.lock

@@ -1,202 +0,0 @@
-{
-  "version": "4",
-  "specifiers": {
-    "jsr:@std/assert@1": "1.0.11",
-    "jsr:@std/async@1": "1.0.10",
-    "jsr:@std/bytes@1": "1.0.5",
-    "jsr:@std/bytes@^1.0.2-rc.3": "1.0.5",
-    "jsr:@std/internal@^1.0.5": "1.0.5",
-    "jsr:@std/io@0.224.5": "0.224.5",
-    "npm:zod@^3.24.2": "3.24.2"
-  },
-  "jsr": {
-    "@std/assert@1.0.11": {
-      "integrity": "2461ef3c368fe88bc60e186e7744a93112f16fd110022e113a0849e94d1c83c1",
-      "dependencies": [
-        "jsr:@std/internal"
-      ]
-    },
-    "@std/async@1.0.10": {
-      "integrity": "2ff1b1c7d33d1416159989b0f69e59ec7ee8cb58510df01e454def2108b3dbec"
-    },
-    "@std/bytes@1.0.5": {
-      "integrity": "4465dd739d7963d964c809202ebea6d5c6b8e3829ef25c6a224290fbb8a1021e"
-    },
-    "@std/internal@1.0.5": {
-      "integrity": "54a546004f769c1ac9e025abd15a76b6671ddc9687e2313b67376125650dc7ba"
-    },
-    "@std/io@0.224.5": {
-      "integrity": "cb84fe655d1273fca94efcff411465027a8b0b4225203f19d6ee98d9c8920a2d",
-      "dependencies": [
-        "jsr:@std/bytes@^1.0.2-rc.3"
-      ]
-    }
-  },
-  "npm": {
-    "zod@3.24.2": {
-      "integrity": "sha512-lY7CDW43ECgW9u1TcT3IoXHflywfVqDYze4waEz812jR/bZ8FHDsl7pFQoSZTz5N+2NqRXs8GBwnAwo3ZNxqhQ=="
-    }
-  },
-  "redirects": {
-    "https://deno.land/x/random_number/mod.ts": "https://deno.land/x/random_number@2.0.0/mod.ts",
-    "https://deno.land/x/sleep/mod.ts": "https://deno.land/x/sleep@v1.3.0/mod.ts"
-  },
-  "remote": {
-    "https://deno.land/std@0.214.0/assert/assert.ts": "bec068b2fccdd434c138a555b19a2c2393b71dfaada02b7d568a01541e67cdc5",
-    "https://deno.land/std@0.214.0/assert/assertion_error.ts": "9f689a101ee586c4ce92f52fa7ddd362e86434ffdf1f848e45987dc7689976b8",
-    "https://deno.land/std@0.214.0/async/delay.ts": "8e1d18fe8b28ff95885e2bc54eccec1713f57f756053576d8228e6ca110793ad",
-    "https://deno.land/std@0.214.0/bytes/copy.ts": "f29c03168853720dfe82eaa57793d0b9e3543ebfe5306684182f0f1e3bfd422a",
-    "https://deno.land/std@0.214.0/crypto/_fnv/fnv32.ts": "ba2c5ef976b9f047d7ce2d33dfe18671afc75154bcf20ef89d932b2fe8820535",
-    "https://deno.land/std@0.214.0/crypto/_fnv/fnv64.ts": "580cadfe2ff333fe253d15df450f927c8ac7e408b704547be26aab41b5772558",
-    "https://deno.land/std@0.214.0/crypto/_fnv/mod.ts": "8dbb60f062a6e77b82f7a62ac11fabfba52c3cd408c21916b130d8f57a880f96",
-    "https://deno.land/std@0.214.0/crypto/_fnv/util.ts": "27b36ce3440d0a180af6bf1cfc2c326f68823288540a354dc1d636b781b9b75f",
-    "https://deno.land/std@0.214.0/crypto/_wasm/lib/deno_std_wasm_crypto.generated.mjs": "76c727912539737def4549bb62a96897f37eb334b979f49c57b8af7a1617635e",
-    "https://deno.land/std@0.214.0/crypto/_wasm/mod.ts": "c55f91473846827f077dfd7e5fc6e2726dee5003b6a5747610707cdc638a22ba",
-    "https://deno.land/std@0.214.0/crypto/crypto.ts": "4448f8461c797adba8d70a2c60f7795a546d7a0926e96366391bffdd06491c16",
-    "https://deno.land/std@0.214.0/datetime/_common.ts": "a62214c1924766e008e27d3d843ceba4b545dc2aa9880de0ecdef9966d5736b6",
-    "https://deno.land/std@0.214.0/datetime/parse.ts": "bb248bbcb3cd54bcaf504a1ee670fc4695e429d9019c06af954bbe2bcb8f1d02",
-    "https://deno.land/std@0.214.0/encoding/_util.ts": "beacef316c1255da9bc8e95afb1fa56ed69baef919c88dc06ae6cb7a6103d376",
-    "https://deno.land/std@0.214.0/encoding/base64.ts": "96e61a556d933201266fea84ae500453293f2aff130057b579baafda096a96bc",
-    "https://deno.land/std@0.214.0/encoding/hex.ts": "4d47d3b25103cf81a2ed38f54b394d39a77b63338e1eaa04b70c614cb45ec2e6",
-    "https://deno.land/std@0.214.0/fmt/colors.ts": "aeaee795471b56fc62a3cb2e174ed33e91551b535f44677f6320336aabb54fbb",
-    "https://deno.land/std@0.214.0/io/buf_reader.ts": "c73aad99491ee6db3d6b001fa4a780e9245c67b9296f5bad9c0fa7384e35d47a",
-    "https://deno.land/std@0.214.0/io/buf_writer.ts": "f82f640c8b3a820f600a8da429ad0537037c7d6a78426bbca2396fb1f75d3ef4",
-    "https://deno.land/std@0.214.0/io/types.ts": "748bbb3ac96abda03594ef5a0db15ce5450dcc6c0d841c8906f8b10ac8d32c96",
-    "https://deno.land/std@0.214.0/path/_common/assert_path.ts": "2ca275f36ac1788b2acb60fb2b79cb06027198bc2ba6fb7e163efaedde98c297",
-    "https://deno.land/std@0.214.0/path/_common/basename.ts": "569744855bc8445f3a56087fd2aed56bdad39da971a8d92b138c9913aecc5fa2",
-    "https://deno.land/std@0.214.0/path/_common/common.ts": "6157c7ec1f4db2b4a9a187efd6ce76dcaf1e61cfd49f87e40d4ea102818df031",
-    "https://deno.land/std@0.214.0/path/_common/constants.ts": "dc5f8057159f4b48cd304eb3027e42f1148cf4df1fb4240774d3492b5d12ac0c",
-    "https://deno.land/std@0.214.0/path/_common/dirname.ts": "684df4aa71a04bbcc346c692c8485594fc8a90b9408dfbc26ff32cf3e0c98cc8",
-    "https://deno.land/std@0.214.0/path/_common/format.ts": "92500e91ea5de21c97f5fe91e178bae62af524b72d5fcd246d6d60ae4bcada8b",
-    "https://deno.land/std@0.214.0/path/_common/from_file_url.ts": "d672bdeebc11bf80e99bf266f886c70963107bdd31134c4e249eef51133ceccf",
-    "https://deno.land/std@0.214.0/path/_common/glob_to_reg_exp.ts": "2007aa87bed6eb2c8ae8381adcc3125027543d9ec347713c1ad2c68427330770",
-    "https://deno.land/std@0.214.0/path/_common/normalize.ts": "684df4aa71a04bbcc346c692c8485594fc8a90b9408dfbc26ff32cf3e0c98cc8",
-    "https://deno.land/std@0.214.0/path/_common/normalize_string.ts": "dfdf657a1b1a7db7999f7c575ee7e6b0551d9c20f19486c6c3f5ff428384c965",
-    "https://deno.land/std@0.214.0/path/_common/relative.ts": "faa2753d9b32320ed4ada0733261e3357c186e5705678d9dd08b97527deae607",
-    "https://deno.land/std@0.214.0/path/_common/strip_trailing_separators.ts": "7024a93447efcdcfeaa9339a98fa63ef9d53de363f1fbe9858970f1bba02655a",
-    "https://deno.land/std@0.214.0/path/_common/to_file_url.ts": "7f76adbc83ece1bba173e6e98a27c647712cab773d3f8cbe0398b74afc817883",
-    "https://deno.land/std@0.214.0/path/_interface.ts": "a1419fcf45c0ceb8acdccc94394e3e94f99e18cfd32d509aab514c8841799600",
-    "https://deno.land/std@0.214.0/path/_os.ts": "8fb9b90fb6b753bd8c77cfd8a33c2ff6c5f5bc185f50de8ca4ac6a05710b2c15",
-    "https://deno.land/std@0.214.0/path/basename.ts": "5d341aadb7ada266e2280561692c165771d071c98746fcb66da928870cd47668",
-    "https://deno.land/std@0.214.0/path/common.ts": "03e52e22882402c986fe97ca3b5bb4263c2aa811c515ce84584b23bac4cc2643",
-    "https://deno.land/std@0.214.0/path/constants.ts": "0c206169ca104938ede9da48ac952de288f23343304a1c3cb6ec7625e7325f36",
-    "https://deno.land/std@0.214.0/path/dirname.ts": "85bd955bf31d62c9aafdd7ff561c4b5fb587d11a9a5a45e2b01aedffa4238a7c",
-    "https://deno.land/std@0.214.0/path/extname.ts": "593303db8ae8c865cbd9ceec6e55d4b9ac5410c1e276bfd3131916591b954441",
-    "https://deno.land/std@0.214.0/path/format.ts": "98fad25f1af7b96a48efb5b67378fcc8ed77be895df8b9c733b86411632162af",
-    "https://deno.land/std@0.214.0/path/from_file_url.ts": "911833ae4fd10a1c84f6271f36151ab785955849117dc48c6e43b929504ee069",
-    "https://deno.land/std@0.214.0/path/glob_to_regexp.ts": "83c5fd36a8c86f5e72df9d0f45317f9546afa2ce39acaafe079d43a865aced08",
-    "https://deno.land/std@0.214.0/path/is_absolute.ts": "4791afc8bfd0c87f0526eaa616b0d16e7b3ab6a65b62942e50eac68de4ef67d7",
-    "https://deno.land/std@0.214.0/path/is_glob.ts": "a65f6195d3058c3050ab905705891b412ff942a292bcbaa1a807a74439a14141",
-    "https://deno.land/std@0.214.0/path/join.ts": "ae2ec5ca44c7e84a235fd532e4a0116bfb1f2368b394db1c4fb75e3c0f26a33a",
-    "https://deno.land/std@0.214.0/path/join_globs.ts": "e9589869a33dc3982101898ee50903db918ca00ad2614dbe3934d597d7b1fbea",
-    "https://deno.land/std@0.214.0/path/mod.ts": "ffeaccb713dbe6c72e015b7c767f753f8ec5fbc3b621ff5eeee486ffc2c0ddda",
-    "https://deno.land/std@0.214.0/path/normalize.ts": "4155743ccceeed319b350c1e62e931600272fad8ad00c417b91df093867a8352",
-    "https://deno.land/std@0.214.0/path/normalize_glob.ts": "98ee8268fad271193603271c203ae973280b5abfbdd2cbca1053fd2af71869ca",
-    "https://deno.land/std@0.214.0/path/parse.ts": "65e8e285f1a63b714e19ef24b68f56e76934c3df0b6e65fd440d3991f4f8aefb",
-    "https://deno.land/std@0.214.0/path/posix/_util.ts": "1e3937da30f080bfc99fe45d7ed23c47dd8585c5e473b2d771380d3a6937cf9d",
-    "https://deno.land/std@0.214.0/path/posix/basename.ts": "39ee27a29f1f35935d3603ccf01d53f3d6e0c5d4d0f84421e65bd1afeff42843",
-    "https://deno.land/std@0.214.0/path/posix/common.ts": "26f60ccc8b2cac3e1613000c23ac5a7d392715d479e5be413473a37903a2b5d4",
-    "https://deno.land/std@0.214.0/path/posix/constants.ts": "93481efb98cdffa4c719c22a0182b994e5a6aed3047e1962f6c2c75b7592bef1",
-    "https://deno.land/std@0.214.0/path/posix/dirname.ts": "6535d2bdd566118963537b9dda8867ba9e2a361015540dc91f5afbb65c0cce8b",
-    "https://deno.land/std@0.214.0/path/posix/extname.ts": "8d36ae0082063c5e1191639699e6f77d3acf501600a3d87b74943f0ae5327427",
-    "https://deno.land/std@0.214.0/path/posix/format.ts": "185e9ee2091a42dd39e2a3b8e4925370ee8407572cee1ae52838aed96310c5c1",
-    "https://deno.land/std@0.214.0/path/posix/from_file_url.ts": "951aee3a2c46fd0ed488899d024c6352b59154c70552e90885ed0c2ab699bc40",
-    "https://deno.land/std@0.214.0/path/posix/glob_to_regexp.ts": "54d3ff40f309e3732ab6e5b19d7111d2d415248bcd35b67a99defcbc1972e697",
-    "https://deno.land/std@0.214.0/path/posix/is_absolute.ts": "cebe561ad0ae294f0ce0365a1879dcfca8abd872821519b4fcc8d8967f888ede",
-    "https://deno.land/std@0.214.0/path/posix/is_glob.ts": "8a8b08c08bf731acf2c1232218f1f45a11131bc01de81e5f803450a5914434b9",
-    "https://deno.land/std@0.214.0/path/posix/join.ts": "aef88d5fa3650f7516730865dbb951594d1a955b785e2450dbee93b8e32694f3",
-    "https://deno.land/std@0.214.0/path/posix/join_globs.ts": "ee2f4676c5b8a0dfa519da58b8ade4d1c4aa8dd3fe35619edec883ae9df1f8c9",
-    "https://deno.land/std@0.214.0/path/posix/mod.ts": "563a18c2b3ddc62f3e4a324ff0f583e819b8602a72ad880cb98c9e2e34f8db5b",
-    "https://deno.land/std@0.214.0/path/posix/normalize.ts": "baeb49816a8299f90a0237d214cef46f00ba3e95c0d2ceb74205a6a584b58a91",
-    "https://deno.land/std@0.214.0/path/posix/normalize_glob.ts": "65f0138fa518ef9ece354f32889783fc38cdf985fb02dcf1c3b14fa47d665640",
-    "https://deno.land/std@0.214.0/path/posix/parse.ts": "d5bac4eb21262ab168eead7e2196cb862940c84cee572eafedd12a0d34adc8fb",
-    "https://deno.land/std@0.214.0/path/posix/relative.ts": "3907d6eda41f0ff723d336125a1ad4349112cd4d48f693859980314d5b9da31c",
-    "https://deno.land/std@0.214.0/path/posix/resolve.ts": "bac20d9921beebbbb2b73706683b518b1d0c1b1da514140cee409e90d6b2913a",
-    "https://deno.land/std@0.214.0/path/posix/separator.ts": "c9ecae5c843170118156ac5d12dc53e9caf6a1a4c96fc8b1a0ab02dff5c847b0",
-    "https://deno.land/std@0.214.0/path/posix/to_file_url.ts": "7aa752ba66a35049e0e4a4be5a0a31ac6b645257d2e031142abb1854de250aaf",
-    "https://deno.land/std@0.214.0/path/posix/to_namespaced_path.ts": "28b216b3c76f892a4dca9734ff1cc0045d135532bfd9c435ae4858bfa5a2ebf0",
-    "https://deno.land/std@0.214.0/path/relative.ts": "ab739d727180ed8727e34ed71d976912461d98e2b76de3d3de834c1066667add",
-    "https://deno.land/std@0.214.0/path/resolve.ts": "a6f977bdb4272e79d8d0ed4333e3d71367cc3926acf15ac271f1d059c8494d8d",
-    "https://deno.land/std@0.214.0/path/separator.ts": "c6c890507f944a1f5cb7d53b8d638d6ce3cf0f34609c8d84a10c1eaa400b77a9",
-    "https://deno.land/std@0.214.0/path/to_file_url.ts": "88f049b769bce411e2d2db5bd9e6fd9a185a5fbd6b9f5ad8f52bef517c4ece1b",
-    "https://deno.land/std@0.214.0/path/to_namespaced_path.ts": "b706a4103b104cfadc09600a5f838c2ba94dbcdb642344557122dda444526e40",
-    "https://deno.land/std@0.214.0/path/windows/_util.ts": "d5f47363e5293fced22c984550d5e70e98e266cc3f31769e1710511803d04808",
-    "https://deno.land/std@0.214.0/path/windows/basename.ts": "e2dbf31d1d6385bfab1ce38c333aa290b6d7ae9e0ecb8234a654e583cf22f8fe",
-    "https://deno.land/std@0.214.0/path/windows/common.ts": "26f60ccc8b2cac3e1613000c23ac5a7d392715d479e5be413473a37903a2b5d4",
-    "https://deno.land/std@0.214.0/path/windows/constants.ts": "5afaac0a1f67b68b0a380a4ef391bf59feb55856aa8c60dfc01bd3b6abb813f5",
-    "https://deno.land/std@0.214.0/path/windows/dirname.ts": "33e421be5a5558a1346a48e74c330b8e560be7424ed7684ea03c12c21b627bc9",
-    "https://deno.land/std@0.214.0/path/windows/extname.ts": "165a61b00d781257fda1e9606a48c78b06815385e7d703232548dbfc95346bef",
-    "https://deno.land/std@0.214.0/path/windows/format.ts": "bbb5ecf379305b472b1082cd2fdc010e44a0020030414974d6029be9ad52aeb6",
-    "https://deno.land/std@0.214.0/path/windows/from_file_url.ts": "ced2d587b6dff18f963f269d745c4a599cf82b0c4007356bd957cb4cb52efc01",
-    "https://deno.land/std@0.214.0/path/windows/glob_to_regexp.ts": "6dcd1242bd8907aa9660cbdd7c93446e6927b201112b0cba37ca5d80f81be51b",
-    "https://deno.land/std@0.214.0/path/windows/is_absolute.ts": "4a8f6853f8598cf91a835f41abed42112cebab09478b072e4beb00ec81f8ca8a",
-    "https://deno.land/std@0.214.0/path/windows/is_glob.ts": "8a8b08c08bf731acf2c1232218f1f45a11131bc01de81e5f803450a5914434b9",
-    "https://deno.land/std@0.214.0/path/windows/join.ts": "e0b3356615c1a75c56ebb6a7311157911659e11fd533d80d724800126b761ac3",
-    "https://deno.land/std@0.214.0/path/windows/join_globs.ts": "ee2f4676c5b8a0dfa519da58b8ade4d1c4aa8dd3fe35619edec883ae9df1f8c9",
-    "https://deno.land/std@0.214.0/path/windows/mod.ts": "7d6062927bda47c47847ffb55d8f1a37b0383840aee5c7dfc93984005819689c",
-    "https://deno.land/std@0.214.0/path/windows/normalize.ts": "78126170ab917f0ca355a9af9e65ad6bfa5be14d574c5fb09bb1920f52577780",
-    "https://deno.land/std@0.214.0/path/windows/normalize_glob.ts": "179c86ba89f4d3fe283d2addbe0607341f79ee9b1ae663abcfb3439db2e97810",
-    "https://deno.land/std@0.214.0/path/windows/parse.ts": "b9239edd892a06a06625c1b58425e199f018ce5649ace024d144495c984da734",
-    "https://deno.land/std@0.214.0/path/windows/relative.ts": "3e1abc7977ee6cc0db2730d1f9cb38be87b0ce4806759d271a70e4997fc638d7",
-    "https://deno.land/std@0.214.0/path/windows/resolve.ts": "75b2e3e1238d840782cee3d8864d82bfaa593c7af8b22f19c6422cf82f330ab3",
-    "https://deno.land/std@0.214.0/path/windows/separator.ts": "e51c5522140eff4f8402617c5c68a201fdfa3a1a8b28dc23587cff931b665e43",
-    "https://deno.land/std@0.214.0/path/windows/to_file_url.ts": "1cd63fd35ec8d1370feaa4752eccc4cc05ea5362a878be8dc7db733650995484",
-    "https://deno.land/std@0.214.0/path/windows/to_namespaced_path.ts": "4ffa4fb6fae321448d5fe810b3ca741d84df4d7897e61ee29be961a6aac89a4c",
-    "https://deno.land/x/memcached@v1.0.0/mod.ts": "3c8528631e603638ded48f8fadcf61cde00fb1d2054e8647cc033bc9f2ea5867",
-    "https://deno.land/x/postgres@v0.19.3/client.ts": "d141c65c20484c545a1119c9af7a52dcc24f75c1a5633de2b9617b0f4b2ed5c1",
-    "https://deno.land/x/postgres@v0.19.3/client/error.ts": "05b0e35d65caf0ba21f7f6fab28c0811da83cd8b4897995a2f411c2c83391036",
-    "https://deno.land/x/postgres@v0.19.3/connection/auth.ts": "db15c1659742ef4d2791b32834950278dc7a40cb931f8e434e6569298e58df51",
-    "https://deno.land/x/postgres@v0.19.3/connection/connection.ts": "198a0ecf92a0d2aa72db3bb88b8f412d3b1f6b87d464d5f7bff9aa3b6aff8370",
-    "https://deno.land/x/postgres@v0.19.3/connection/connection_params.ts": "463d7a9ed559f537a55d6928cab62e1c31b808d08cd0411b6ae461d0c0183c93",
-    "https://deno.land/x/postgres@v0.19.3/connection/message.ts": "20da5d80fc4d7ddb7b850083e0b3fa8734eb26642221dad89c62e27d78e57a4d",
-    "https://deno.land/x/postgres@v0.19.3/connection/message_code.ts": "12bcb110df6945152f9f6c63128786558d7ad1e61006920daaa16ef85b3bab7d",
-    "https://deno.land/x/postgres@v0.19.3/connection/packet.ts": "050aeff1fc13c9349e89451a155ffcd0b1343dc313a51f84439e3e45f64b56c8",
-    "https://deno.land/x/postgres@v0.19.3/connection/scram.ts": "532d4d58b565a2ab48fb5e1e14dc9bfb3bb283d535011e371e698eb4a89dd994",
-    "https://deno.land/x/postgres@v0.19.3/debug.ts": "8add17699191f11e6830b8c95d9de25857d221bb2cf6c4ae22254d395895c1f9",
-    "https://deno.land/x/postgres@v0.19.3/deps.ts": "c312038fe64b8368f8a294119f11d8f235fe67de84d7c3b0ef67b3a56628171a",
-    "https://deno.land/x/postgres@v0.19.3/mod.ts": "4930c7b44f8d16ea71026f7e3ef22a2322d84655edceacd55f7461a9218d8560",
-    "https://deno.land/x/postgres@v0.19.3/pool.ts": "2289f029e7a3bd3d460d4faa71399a920b7406c92a97c0715d6e31dbf1380ec3",
-    "https://deno.land/x/postgres@v0.19.3/query/array_parser.ts": "ff72d3e026e3022a1a223a6530be5663f8ebbd911ed978291314e7fe6c2f2464",
-    "https://deno.land/x/postgres@v0.19.3/query/decode.ts": "3e89ad2a662eab66a4f4e195ff0924d71d199af3c2f5637d1ae650301a03fa9b",
-    "https://deno.land/x/postgres@v0.19.3/query/decoders.ts": "6a73da1024086ab91e233648c850dccbde59248b90d87054bbbd7f0bf4a50681",
-    "https://deno.land/x/postgres@v0.19.3/query/encode.ts": "5b1c305bc7352a6f9fe37f235dddfc23e26419c77a133b4eaea42cf136481aa6",
-    "https://deno.land/x/postgres@v0.19.3/query/oid.ts": "21fc714ac212350ba7df496f88ea9e01a4ee0458911d0f2b6a81498e12e7af4c",
-    "https://deno.land/x/postgres@v0.19.3/query/query.ts": "510f9a27da87ed7b31b5cbcd14bf3028b441ac2ddc368483679d0b86a9d9f213",
-    "https://deno.land/x/postgres@v0.19.3/query/transaction.ts": "8f4eef68f8e9b4be216199404315e6e08fe1fe98afb2e640bffd077662f79678",
-    "https://deno.land/x/postgres@v0.19.3/query/types.ts": "540f6f973d493d63f2c0059a09f3368071f57931bba68bea408a635a3e0565d6",
-    "https://deno.land/x/postgres@v0.19.3/utils/deferred.ts": "5420531adb6c3ea29ca8aac57b9b59bd3e4b9a938a4996bbd0947a858f611080",
-    "https://deno.land/x/postgres@v0.19.3/utils/utils.ts": "ca47193ea03ff5b585e487a06f106d367e509263a960b787197ce0c03113a738",
-    "https://deno.land/x/random_number@2.0.0/mod.ts": "83010e4a0192b015ba4491d8bb8c73a458f352ebc613b847ff6349961d1c7827",
-    "https://deno.land/x/redis@v0.37.1/backoff.ts": "33e4a6e245f8743fbae0ce583993a671a3ac2ecee433a3e7f0bd77b5dd541d84",
-    "https://deno.land/x/redis@v0.37.1/command.ts": "2d1da4b32495ea852bdff0c2e7fd191a056779a696b9f83fb648c5ebac45cfc3",
-    "https://deno.land/x/redis@v0.37.1/connection.ts": "cee30a6310298441de17d1028d4ce3fd239dcf05a92294fba7173a922d0596cb",
-    "https://deno.land/x/redis@v0.37.1/deps/std/async.ts": "5a588aefb041cca49f0e6b7e3c397119693a3e07bea89c54cf7fe4a412e37bbf",
-    "https://deno.land/x/redis@v0.37.1/deps/std/bytes.ts": "f5b437ebcac77600101a81ef457188516e4944b3c2a931dff5ced3fa0c239b62",
-    "https://deno.land/x/redis@v0.37.1/deps/std/io.ts": "b7505c5e738384f5f7a021d7bbd78380490c059cc7c83cd8dada1f86ec16e835",
-    "https://deno.land/x/redis@v0.37.1/errors.ts": "8293f56a70ea8388cb80b6e1caa15d350ed1719529fc06573b01a443d0caad69",
-    "https://deno.land/x/redis@v0.37.1/events.ts": "704767b1beed2d5acfd5e86bd1ef93befdc8a8f8c8bb4ae1b4485664a8a6a625",
-    "https://deno.land/x/redis@v0.37.1/executor.ts": "5ac4c1f7bec44d12ebc0f3702bf074bd3ba6c1aae74953582f6358d2948718e7",
-    "https://deno.land/x/redis@v0.37.1/internal/encoding.ts": "0525f7f444a96b92cd36423abdfe221f8d8de4a018dc5cb6750a428a5fc897c2",
-    "https://deno.land/x/redis@v0.37.1/internal/symbols.ts": "e36097bab1da1c9fe84a3bb9cb0ed1ec10c3dc7dd0b557769c5c54e15d110dd2",
-    "https://deno.land/x/redis@v0.37.1/mod.ts": "e11d9384c2ffe1b3d81ce0ad275254519990635ad1ba39f46d49a73b3c35238d",
-    "https://deno.land/x/redis@v0.37.1/pipeline.ts": "974fff59bf0befa2ad7eee50ecba40006c47364f5e3285e1335c9f9541b7ebae",
-    "https://deno.land/x/redis@v0.37.1/protocol/deno_streams/command.ts": "5c5e5fb639cae22c1f9bfdc87631edcd67bb28bf8590161ae484d293b733aa01",
-    "https://deno.land/x/redis@v0.37.1/protocol/deno_streams/mod.ts": "b084bf64d6b795f6c1d0b360d9be221e246a9c033e5d88fd1e82fa14f711d25b",
-    "https://deno.land/x/redis@v0.37.1/protocol/deno_streams/reply.ts": "639de34541f207f793393a3cd45f9a23ef308f094d9d3d6ce62f84b175d3af47",
-    "https://deno.land/x/redis@v0.37.1/protocol/shared/command.ts": "e75f6be115ff73bd865e01be4e2a28077a9993b1e0c54ed96b6825bfe997d382",
-    "https://deno.land/x/redis@v0.37.1/protocol/shared/protocol.ts": "5b9284ee28ec74dfc723c7c7f07dca8d5f9d303414f36689503622dfdde12551",
-    "https://deno.land/x/redis@v0.37.1/protocol/shared/reply.ts": "3311ff66357bacbd60785cb43b97539c341d8a7d963bc5e80cb864ac81909ea5",
-    "https://deno.land/x/redis@v0.37.1/protocol/shared/types.ts": "c6bf2b9eafd69e358a972823d94b8b478c00bac195b87b33b7437de2a9bb7fb4",
-    "https://deno.land/x/redis@v0.37.1/pubsub.ts": "a36892455b0a4a50af169332a165b0985cc90d84486087f036e507e3137b2afb",
-    "https://deno.land/x/redis@v0.37.1/redis.ts": "4904772596c8a82d7112092e7edea45243eae38809b2f2ea8db61a4207fe246b",
-    "https://deno.land/x/redis@v0.37.1/stream.ts": "d43076815d046eb8428fcd2799544a9fd07b3480099f5fc67d2ba12fdc73725f",
-    "https://deno.land/x/sleep@v1.3.0/mod.ts": "e9955ecd3228a000e29d46726cd6ab14b65cf83904e9b365f3a8d64ec61c1af3",
-    "https://deno.land/x/sleep@v1.3.0/sleep.ts": "b6abaca093b094b0c2bba94f287b19a60946a8d15764d168f83fcf555f5bb59e"
-  },
-  "workspace": {
-    "dependencies": [
-      "jsr:@std/assert@1",
-      "npm:zod@^3.24.2"
-    ]
-  }
-}

deno/deps.ts

@@ -1,7 +0,0 @@
-// Database
-export { Client as PostgresClient } from "https://deno.land/x/postgres@v0.19.3/mod.ts";
-export type { ClientOptions as PostgresOptions } from "https://deno.land/x/postgres@v0.19.3/mod.ts";
-
-// Redis
-export { connect as redisConnect } from "https://deno.land/x/redis@v0.37.1/mod.ts";
-export type { Redis } from "https://deno.land/x/redis@v0.37.1/mod.ts";

deno/http-codes.ts

@@ -1,43 +0,0 @@
-import { Extensible } from "./interfaces.ts";
-
-export type HttpCode = {
-    code: number;
-    name: string;
-    description?: string;
-};
-type Group = "success" | "redirection" | "clientErrors" | "serverErrors";
-type CodeDefinitions = {
-    [K in Group]: {
-        [K: string]: HttpCode;
-    };
-};
-// FIXME: Figure out how to brand CodeDefinitions in a way that isn't
-// tedious.
-
-const httpCodes: CodeDefinitions = {
-    success: {
-        OK: { code: 200, name: "OK", "description": "" },
-        Created: { code: 201, name: "Created" },
-        Accepted: { code: 202, name: "Accepted" },
-        NoContent: { code: 204, name: "No content" },
-    },
-    redirection: {
-        // later
-    },
-    clientErrors: {
-        BadRequest: { code: 400, name: "Bad Request" },
-        Unauthorized: { code: 401, name: "Unauthorized" },
-        Forbidden: { code: 403, name: "Forbidden" },
-        NotFound: { code: 404, name: "Not Found" },
-        MethodNotAllowed: { code: 405, name: "Method Not Allowed" },
-        NotAcceptable: { code: 406, name: "Not Acceptable" },
-        // More later
-    },
-    serverErrors: {
-        InternalServerError: { code: 500, name: "Internal Server Error" },
-        NotImplemented: { code: 500, name: "Not implemented" },
-        // more later
-    },
-};
-
-export { httpCodes };

deno/logging.ts

@@ -1,44 +0,0 @@
-// internal-logging.ts
-
-// FIXME: Move this to somewhere more appropriate
-type AtLeastOne<T> = [T, ...T[]];
-
-type MessageSource = "logging" | "diagnostic" | "user";
-
-type Message = {
-    // FIXME: number probably isn't what we want here
-    timestamp?: number;
-    source: MessageSource;
-
-    text: AtLeastOne<string>;
-};
-
-const m1: Message = { timestamp: 123, source: "logging", text: ["foo"] };
-const m2: Message = {
-    timestamp: 321,
-    source: "diagnostic",
-    text: ["ok", "whatever"],
-};
-
-type FilterArgument = {
-    limit?: number;
-    before?: number;
-    after?: number;
-
-    // FIXME: add offsets to use instead of or in addition to before/after
-
-    match?: (string | RegExp)[];
-};
-
-const log = (_message: Message) => {
-    // WRITEME
-};
-
-const getLogs = (filter: FilterArgument) => {
-    // WRITEME
-};
-
-// FIXME: there's scope for more specialized functions although they
-// probably should be defined in terms of the basic ones here.
-
-export { getLogs, log };

deno/main.ts

@@ -1,8 +0,0 @@
-export function add(a: number, b: number): number {
-    return a + b;
-}
-
-// Learn more at https://docs.deno.com/runtime/manual/examples/module_metadata#concepts
-if (import.meta.main) {
-    console.log("Add 2 + 3 =", add(2, 3));
-}

deno/main_test.ts

@@ -1,6 +0,0 @@
-import { assertEquals } from "@std/assert";
-import { add } from "./main.ts";
-
-Deno.test(function addTest() {
-    assertEquals(add(2, 3), 5);
-});

deno/routes.ts

@@ -1,99 +0,0 @@
-/// <reference lib="dom" />
-
-import { sleep } from "https://deno.land/x/sleep/mod.ts";
-
-import { HttpCode, httpCodes } from "./http-codes.ts";
-import { ContentType, contentTypes } from "./content-types.ts";
-import { services } from "./services.ts";
-import {
-    DenoRequest,
-    Handler,
-    Method,
-    ProcessedRoute,
-    Request,
-    Response,
-    Route,
-    UserRequest,
-} from "./types.ts";
-
-const phandler: Handler = async (_req: Request) => {
-    const code = httpCodes.success.OK;
-    return {
-        code,
-        result: "it is ok ",
-        contentType: contentTypes.text.plain,
-    };
-};
-
-// FIXME: Obviously put this somewhere else
-const okText = (out: string) => {
-    const code = httpCodes.success.OK;
-
-    return {
-        code,
-        result: out,
-        contentType: contentTypes.text.plain,
-    };
-};
-
-const routes: Route[] = [
-    {
-        path: "/slow",
-        methods: ["get"],
-        handler: async (_req) => {
-            console.log("starting slow request");
-            await sleep(10);
-            console.log("finishing slow request");
-            return okText("that was slow");
-        },
-    },
-    {
-        path: "/list",
-        methods: ["get"],
-        handler: async (_req) => {
-            const code = httpCodes.success.OK;
-            const lr = (rr: Route[]) => {
-                const ret = rr.map((r: Route) => {
-                    return r.path;
-                });
-
-                return ret;
-            };
-
-            const listing = lr(routes).join(", ");
-            return {
-                code,
-                result: listing + "\n",
-                contentType: contentTypes.text.plain,
-            };
-        },
-    },
-    {
-        path: "/ok",
-        methods: ["get"],
-        handler: async (_req) => {
-            const code = httpCodes.success.OK;
-            const rn = services.random.randomNumber();
-
-            return {
-                code,
-                result: "it is ok " + rn,
-                contentType: contentTypes.text.plain,
-            };
-        },
-    },
-    {
-        path: "/alsook",
-        methods: ["get"],
-        handler: async (_req) => {
-            const code = httpCodes.success.OK;
-            return {
-                code,
-                result: "it is also ok",
-                contentType: contentTypes.text.plain,
-            };
-        },
-    },
-];
-
-export { routes };

deno/run.sh

@@ -1,11 +0,0 @@
-#!/bin/bash
-
-set -e
-
-DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
-
-cd "$DIR"
-
-deno run --allow-net --unstable-sloppy-imports --watch app.ts
-
-

deno/services.ts

@@ -1,29 +0,0 @@
-// services.ts
-
-import { randomNumber } from "https://deno.land/x/random_number/mod.ts";
-import { config } from "./config.ts";
-import { getLogs, log } from "./logging.ts";
-
-
-//const database = Client({
-
-//})
-
-const database = {};
-
-const logging = {
-    log,
-    getLogs,
-};
-
-const random = {
-    randomNumber,
-};
-
-const services = {
-    database,
-    logging,
-    random,
-};
-
-export { services };