lalalalal

Update paths in .gitignore, cmd, develop, mgmt, sync.sh, check.sh,
fixup.sh, CLAUDE.md, docs/new-project.md, and backend/*.sh scripts.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

.gitignore

@@ -1,5 +1,5 @@
 **/node_modules
-framework/downloads
-framework/binaries
-framework/.nodejs
-framework/.nodejs-config
+diachron/downloads
+diachron/binaries
+diachron/.nodejs
+diachron/.nodejs-config

CLAUDE.md

@@ -38,7 +38,7 @@ master process. Key design principles:
 
 **Format TypeScript code:**
 ```bash
-cd express && ../cmd pnpm biome check --write .
+cd backend && ../cmd pnpm biome check --write .
 ```
 
 **Build Go master process:**
@@ -54,9 +54,9 @@ cd master && go build
 
 ### Components
 
-- **express/** - TypeScript/Express.js backend application
+- **backend/** - TypeScript/Express.js backend application
 - **master/** - Go-based master process for file watching and process management
-- **framework/** - Managed binaries (Node.js, pnpm), command wrappers, and
+- **diachron/** - Managed binaries (Node.js, pnpm), command wrappers, and
   framework-specific library code
 - **monitor/** - Go file watcher that triggers rebuilds (experimental)
 
@@ -68,7 +68,7 @@ Responsibilities:
 - Proxy web requests to backend workers
 - Behaves identically in all environments (no dev/prod distinction)
 
-### Express App Structure
+### Backend App Structure
 
 - `app.ts` - Main Express application setup with route matching
 - `routes.ts` - Route definitions
@@ -78,7 +78,7 @@ Responsibilities:
 
 ### Framework Command System
 
-Commands flow through: `./cmd` → `framework/cmd.d/*` → `framework/shims/*` → managed binaries in `framework/binaries/`
+Commands flow through: `./cmd` → `diachron/cmd.d/*` → `diachron/shims/*` → managed binaries in `diachron/binaries/`
 
 This ensures consistent tooling versions across the team without system-wide installations.
 
@@ -94,8 +94,8 @@ This ensures consistent tooling versions across the team without system-wide ins
 
 ## Platform Requirements
 
-Linux x86_64 only (currently). Requires:
-- Modern libc for Go binaries
+Linux or macOS on x86_64. Requires:
+- Modern libc for Go binaries (Linux)
 - docker compose (for full stack)
 - fd, shellcheck, shfmt (for development)
 

README.md

@@ -2,16 +2,13 @@ diachron
 
 ## Introduction
 
-Is your answer to some of these questions "yes"?  If so, you might like
-diachron.  (When it comes to that dev/test/prod one, hear us out first, ok?)
-
 - Do you want to share a lot of backend and frontend code?
 
 - Are you tired of your web stack breaking when you blink too hard?
 
 - Have you read [Taking PHP
-  Seriously](https://slack.engineering/taking-php-seriously/) and wish you had
-  something similar for Typescript?
+  Seriously](https://slack.engineering/taking-php-seriously/) and do you wish
+  you had something similar for Typescript?
 
 - Do you think that ORMs are not all that?  Do you wish you had first class
   unmediated access to your database?  And do you think that database
@@ -35,6 +32,9 @@ diachron.  (When it comes to that dev/test/prod one, hear us out first, ok?)
   you're trying to fix?  We're talking authentication, authorization, XSS,
   https, nested paths, all that stuff.
 
+Is your answer to some of these questions "yes"?  If so, you might like
+diachron.  (When it comes to that dev/test/prod one, hear us out first, ok?)
+
 ## Getting started
 
 Different situations require different getting started docs.
@@ -44,9 +44,8 @@ Different situations require different getting started docs.
 
 ## Requirements
 
-To run diachron, you currently need to have a Linux box running x86_64 with a
-new enough libc to run golang binaries.  Support for other platforms will come
-eventually.
+To run diachron, you need Linux or macOS on x86_64.  Linux requires a new
+enough libc to run golang binaries.
 
 To run a more complete system, you also need to have docker compose installed.
 

TODO.md

@@ -1,8 +1,11 @@
 ## high importance
 
+- Many of the UUIDs generated are not UUIDv7.  This needs to be fixed.
+
 - [ ] Add unit tests all over the place.
   - ⚠️ Huge task - needs breakdown before starting
 
+- [ ] map exceptions back to source lines
 
 - [ ] migrations, seeding, fixtures
 

backend/app.ts

@@ -3,15 +3,13 @@ import express, {
     type Response as ExpressResponse,
 } from "express";
 import { match } from "path-to-regexp";
-import { Session } from "./auth";
-import { cli } from "./cli";
-import { contentTypes } from "./content-types";
-import { runWithContext } from "./context";
-import { core } from "./core";
-import { httpCodes } from "./http-codes";
-import { request } from "./request";
-import { routes } from "./routes";
-
+import { Session } from "./diachron/auth";
+import { cli } from "./diachron/cli";
+import { contentTypes } from "./diachron/content-types";
+import { runWithContext } from "./diachron/context";
+import { core } from "./diachron/core";
+import { httpCodes } from "./diachron/http-codes";
+import { request } from "./diachron/request";
 // import { URLPattern } from 'node:url';
 import {
     AuthenticationRequired,
@@ -25,7 +23,8 @@ import {
     type ProcessedRoute,
     type Result,
     type Route,
-} from "./types";
+} from "./diachron/types";
+import { routes } from "./routes";
 
 const app = express();
 

backend/check.sh

@@ -8,7 +8,7 @@ check_dir="$DIR"
 
 out_dir="$check_dir/out"
 
-source "$check_dir"/../framework/shims/common
-source "$check_dir"/../framework/shims/node.common
+source "$check_dir"/../diachron/shims/common
+source "$check_dir"/../diachron/shims/node.common
 
 $ROOT/cmd pnpm tsc --outDir "$out_dir"

backend/diachron/auth/password.spec.ts

@@ -0,0 +1,80 @@
+// Tests for auth/password.ts
+// Pure unit tests - no database needed
+
+import assert from "node:assert/strict";
+import { describe, it } from "node:test";
+import { hashPassword, verifyPassword } from "./password";
+
+describe("password", () => {
+    describe("hashPassword", () => {
+        it("returns a scrypt formatted hash", async () => {
+            const hash = await hashPassword("testpassword");
+            assert.ok(hash.startsWith("$scrypt$"));
+        });
+
+        it("includes all scrypt parameters", async () => {
+            const hash = await hashPassword("testpassword");
+            const parts = hash.split("$");
+            // Format: $scrypt$N$r$p$salt$hash
+            assert.equal(parts.length, 7);
+            assert.equal(parts[0], "");
+            assert.equal(parts[1], "scrypt");
+            // N, r, p should be numbers
+            assert.ok(!Number.isNaN(parseInt(parts[2], 10)));
+            assert.ok(!Number.isNaN(parseInt(parts[3], 10)));
+            assert.ok(!Number.isNaN(parseInt(parts[4], 10)));
+        });
+
+        it("generates different hashes for same password (different salt)", async () => {
+            const hash1 = await hashPassword("testpassword");
+            const hash2 = await hashPassword("testpassword");
+            assert.notEqual(hash1, hash2);
+        });
+    });
+
+    describe("verifyPassword", () => {
+        it("returns true for correct password", async () => {
+            const hash = await hashPassword("correctpassword");
+            const result = await verifyPassword("correctpassword", hash);
+            assert.equal(result, true);
+        });
+
+        it("returns false for incorrect password", async () => {
+            const hash = await hashPassword("correctpassword");
+            const result = await verifyPassword("wrongpassword", hash);
+            assert.equal(result, false);
+        });
+
+        it("throws for invalid hash format", async () => {
+            await assert.rejects(
+                verifyPassword("password", "invalid-hash"),
+                /Invalid password hash format/,
+            );
+        });
+
+        it("throws for non-scrypt hash", async () => {
+            await assert.rejects(
+                verifyPassword("password", "$bcrypt$10$salt$hash"),
+                /Invalid password hash format/,
+            );
+        });
+
+        it("works with empty password", async () => {
+            const hash = await hashPassword("");
+            const result = await verifyPassword("", hash);
+            assert.equal(result, true);
+        });
+
+        it("works with unicode password", async () => {
+            const hash = await hashPassword("p@$$w0rd\u{1F511}");
+            const result = await verifyPassword("p@$$w0rd\u{1F511}", hash);
+            assert.equal(result, true);
+        });
+
+        it("is case sensitive", async () => {
+            const hash = await hashPassword("Password");
+            const result = await verifyPassword("password", hash);
+            assert.equal(result, false);
+        });
+    });
+});

backend/diachron/auth/service.spec.ts

@@ -0,0 +1,419 @@
+// Tests for auth/service.ts
+// Uses InMemoryAuthStore - no database needed
+
+import assert from "node:assert/strict";
+import { beforeEach, describe, it } from "node:test";
+import { AuthService } from "./service";
+import { InMemoryAuthStore } from "./store";
+
+describe("AuthService", () => {
+    let store: InMemoryAuthStore;
+    let service: AuthService;
+
+    beforeEach(() => {
+        store = new InMemoryAuthStore();
+        service = new AuthService(store);
+    });
+
+    describe("register", () => {
+        it("creates a new user", async () => {
+            const result = await service.register(
+                "test@example.com",
+                "password123",
+                "Test User",
+            );
+
+            assert.equal(result.success, true);
+            if (result.success) {
+                assert.equal(result.user.email, "test@example.com");
+                assert.equal(result.user.displayName, "Test User");
+                assert.ok(result.verificationToken.length > 0);
+            }
+        });
+
+        it("fails when email already registered", async () => {
+            await service.register("test@example.com", "password123");
+            const result = await service.register(
+                "test@example.com",
+                "password456",
+            );
+
+            assert.equal(result.success, false);
+            if (!result.success) {
+                assert.equal(result.error, "Email already registered");
+            }
+        });
+
+        it("creates user without displayName", async () => {
+            const result = await service.register(
+                "test@example.com",
+                "password123",
+            );
+
+            assert.equal(result.success, true);
+            if (result.success) {
+                assert.equal(result.user.displayName, undefined);
+            }
+        });
+    });
+
+    describe("login", () => {
+        beforeEach(async () => {
+            // Create and verify a user
+            const result = await service.register(
+                "test@example.com",
+                "password123",
+                "Test User",
+            );
+            if (result.success) {
+                // Verify email to activate user
+                await service.verifyEmail(result.verificationToken);
+            }
+        });
+
+        it("succeeds with correct credentials", async () => {
+            const result = await service.login(
+                "test@example.com",
+                "password123",
+                "cookie",
+            );
+
+            assert.equal(result.success, true);
+            if (result.success) {
+                assert.ok(result.token.length > 0);
+                assert.equal(result.user.email, "test@example.com");
+            }
+        });
+
+        it("fails with wrong password", async () => {
+            const result = await service.login(
+                "test@example.com",
+                "wrongpassword",
+                "cookie",
+            );
+
+            assert.equal(result.success, false);
+            if (!result.success) {
+                assert.equal(result.error, "Invalid credentials");
+            }
+        });
+
+        it("fails with unknown email", async () => {
+            const result = await service.login(
+                "unknown@example.com",
+                "password123",
+                "cookie",
+            );
+
+            assert.equal(result.success, false);
+            if (!result.success) {
+                assert.equal(result.error, "Invalid credentials");
+            }
+        });
+
+        it("fails for inactive user", async () => {
+            // Create a user but don't verify email (stays pending)
+            await service.register("pending@example.com", "password123");
+
+            const result = await service.login(
+                "pending@example.com",
+                "password123",
+                "cookie",
+            );
+
+            assert.equal(result.success, false);
+            if (!result.success) {
+                assert.equal(result.error, "Account is not active");
+            }
+        });
+
+        it("stores metadata", async () => {
+            const result = await service.login(
+                "test@example.com",
+                "password123",
+                "cookie",
+                { userAgent: "TestAgent", ipAddress: "192.168.1.1" },
+            );
+
+            assert.equal(result.success, true);
+        });
+    });
+
+    describe("validateToken", () => {
+        let token: string;
+
+        beforeEach(async () => {
+            const regResult = await service.register(
+                "test@example.com",
+                "password123",
+            );
+            if (regResult.success) {
+                await service.verifyEmail(regResult.verificationToken);
+            }
+
+            const loginResult = await service.login(
+                "test@example.com",
+                "password123",
+                "cookie",
+            );
+            if (loginResult.success) {
+                token = loginResult.token;
+            }
+        });
+
+        it("returns authenticated for valid token", async () => {
+            const result = await service.validateToken(token);
+
+            assert.equal(result.authenticated, true);
+            if (result.authenticated) {
+                assert.equal(result.user.email, "test@example.com");
+                assert.notEqual(result.session, null);
+            }
+        });
+
+        it("returns unauthenticated for invalid token", async () => {
+            const result = await service.validateToken("invalid-token");
+
+            assert.equal(result.authenticated, false);
+            assert.equal(result.user.isAnonymous(), true);
+            assert.equal(result.session, null);
+        });
+    });
+
+    describe("logout", () => {
+        it("invalidates the session", async () => {
+            const regResult = await service.register(
+                "test@example.com",
+                "password123",
+            );
+            if (regResult.success) {
+                await service.verifyEmail(regResult.verificationToken);
+            }
+
+            const loginResult = await service.login(
+                "test@example.com",
+                "password123",
+                "cookie",
+            );
+            assert.equal(loginResult.success, true);
+            if (!loginResult.success) return;
+
+            const token = loginResult.token;
+
+            // Token should be valid before logout
+            const beforeLogout = await service.validateToken(token);
+            assert.equal(beforeLogout.authenticated, true);
+
+            // Logout
+            await service.logout(token);
+
+            // Token should be invalid after logout
+            const afterLogout = await service.validateToken(token);
+            assert.equal(afterLogout.authenticated, false);
+        });
+    });
+
+    describe("logoutAllSessions", () => {
+        it("invalidates all user sessions", async () => {
+            const regResult = await service.register(
+                "test@example.com",
+                "password123",
+            );
+            if (regResult.success) {
+                await service.verifyEmail(regResult.verificationToken);
+            }
+
+            // Create multiple sessions
+            const login1 = await service.login(
+                "test@example.com",
+                "password123",
+                "cookie",
+            );
+            const login2 = await service.login(
+                "test@example.com",
+                "password123",
+                "bearer",
+            );
+
+            assert.equal(login1.success, true);
+            assert.equal(login2.success, true);
+            if (!login1.success || !login2.success) return;
+
+            // Both should be valid
+            const before1 = await service.validateToken(login1.token);
+            const before2 = await service.validateToken(login2.token);
+            assert.equal(before1.authenticated, true);
+            assert.equal(before2.authenticated, true);
+
+            // Logout all
+            const user = await store.getUserByEmail("test@example.com");
+            const count = await service.logoutAllSessions(user!.id);
+            assert.equal(count, 2);
+
+            // Both should be invalid
+            const after1 = await service.validateToken(login1.token);
+            const after2 = await service.validateToken(login2.token);
+            assert.equal(after1.authenticated, false);
+            assert.equal(after2.authenticated, false);
+        });
+    });
+
+    describe("verifyEmail", () => {
+        it("activates user with valid token", async () => {
+            const regResult = await service.register(
+                "test@example.com",
+                "password123",
+            );
+            assert.equal(regResult.success, true);
+            if (!regResult.success) return;
+
+            const result = await service.verifyEmail(
+                regResult.verificationToken,
+            );
+            assert.equal(result.success, true);
+
+            // User should now be active and can login
+            const loginResult = await service.login(
+                "test@example.com",
+                "password123",
+                "cookie",
+            );
+            assert.equal(loginResult.success, true);
+        });
+
+        it("fails with invalid token", async () => {
+            const result = await service.verifyEmail("invalid-token");
+
+            assert.equal(result.success, false);
+            if (!result.success) {
+                assert.equal(
+                    result.error,
+                    "Invalid or expired verification token",
+                );
+            }
+        });
+
+        it("fails when token already used", async () => {
+            const regResult = await service.register(
+                "test@example.com",
+                "password123",
+            );
+            assert.equal(regResult.success, true);
+            if (!regResult.success) return;
+
+            // First verification succeeds
+            const result1 = await service.verifyEmail(
+                regResult.verificationToken,
+            );
+            assert.equal(result1.success, true);
+
+            // Second verification fails (token deleted)
+            const result2 = await service.verifyEmail(
+                regResult.verificationToken,
+            );
+            assert.equal(result2.success, false);
+        });
+    });
+
+    describe("createPasswordResetToken", () => {
+        it("returns token for existing user", async () => {
+            const regResult = await service.register(
+                "test@example.com",
+                "password123",
+            );
+            assert.equal(regResult.success, true);
+
+            const result =
+                await service.createPasswordResetToken("test@example.com");
+            assert.notEqual(result, null);
+            assert.ok(result!.token.length > 0);
+        });
+
+        it("returns null for unknown email", async () => {
+            const result = await service.createPasswordResetToken(
+                "unknown@example.com",
+            );
+            assert.equal(result, null);
+        });
+    });
+
+    describe("resetPassword", () => {
+        it("changes password with valid token", async () => {
+            const regResult = await service.register(
+                "test@example.com",
+                "oldpassword",
+            );
+            if (regResult.success) {
+                await service.verifyEmail(regResult.verificationToken);
+            }
+
+            const resetToken =
+                await service.createPasswordResetToken("test@example.com");
+            assert.notEqual(resetToken, null);
+
+            const result = await service.resetPassword(
+                resetToken!.token,
+                "newpassword",
+            );
+            assert.equal(result.success, true);
+
+            // Old password should no longer work
+            const loginOld = await service.login(
+                "test@example.com",
+                "oldpassword",
+                "cookie",
+            );
+            assert.equal(loginOld.success, false);
+
+            // New password should work
+            const loginNew = await service.login(
+                "test@example.com",
+                "newpassword",
+                "cookie",
+            );
+            assert.equal(loginNew.success, true);
+        });
+
+        it("fails with invalid token", async () => {
+            const result = await service.resetPassword(
+                "invalid-token",
+                "newpassword",
+            );
+
+            assert.equal(result.success, false);
+            if (!result.success) {
+                assert.equal(result.error, "Invalid or expired reset token");
+            }
+        });
+
+        it("invalidates all existing sessions", async () => {
+            const regResult = await service.register(
+                "test@example.com",
+                "password123",
+            );
+            if (regResult.success) {
+                await service.verifyEmail(regResult.verificationToken);
+            }
+
+            // Create a session
+            const loginResult = await service.login(
+                "test@example.com",
+                "password123",
+                "cookie",
+            );
+            assert.equal(loginResult.success, true);
+            if (!loginResult.success) return;
+
+            const sessionToken = loginResult.token;
+
+            // Reset password
+            const resetToken =
+                await service.createPasswordResetToken("test@example.com");
+            await service.resetPassword(resetToken!.token, "newpassword");
+
+            // Old session should be invalid
+            const validateResult = await service.validateToken(sessionToken);
+            assert.equal(validateResult.authenticated, false);
+        });
+    });
+});

backend/diachron/auth/store.spec.ts

@@ -0,0 +1,321 @@
+// Tests for auth/store.ts (InMemoryAuthStore)
+// Pure unit tests - no database needed
+
+import assert from "node:assert/strict";
+import { after, before, beforeEach, describe, it } from "node:test";
+import type { UserId } from "../user";
+import { InMemoryAuthStore } from "./store";
+import { hashToken } from "./token";
+import type { TokenId } from "./types";
+
+describe("InMemoryAuthStore", () => {
+    let store: InMemoryAuthStore;
+
+    beforeEach(() => {
+        store = new InMemoryAuthStore();
+    });
+
+    describe("createUser", () => {
+        it("creates a user with pending status", async () => {
+            const user = await store.createUser({
+                email: "test@example.com",
+                passwordHash: "hash123",
+                displayName: "Test User",
+            });
+
+            assert.equal(user.email, "test@example.com");
+            assert.equal(user.displayName, "Test User");
+            assert.equal(user.status, "pending");
+        });
+
+        it("creates a user without displayName", async () => {
+            const user = await store.createUser({
+                email: "test@example.com",
+                passwordHash: "hash123",
+            });
+
+            assert.equal(user.email, "test@example.com");
+            assert.equal(user.displayName, undefined);
+        });
+
+        it("generates a unique id", async () => {
+            const user1 = await store.createUser({
+                email: "test1@example.com",
+                passwordHash: "hash123",
+            });
+            const user2 = await store.createUser({
+                email: "test2@example.com",
+                passwordHash: "hash456",
+            });
+
+            assert.notEqual(user1.id, user2.id);
+        });
+    });
+
+    describe("getUserByEmail", () => {
+        it("returns user when found", async () => {
+            await store.createUser({
+                email: "test@example.com",
+                passwordHash: "hash123",
+            });
+
+            const user = await store.getUserByEmail("test@example.com");
+            assert.notEqual(user, null);
+            assert.equal(user!.email, "test@example.com");
+        });
+
+        it("is case-insensitive", async () => {
+            await store.createUser({
+                email: "Test@Example.COM",
+                passwordHash: "hash123",
+            });
+
+            const user = await store.getUserByEmail("test@example.com");
+            assert.notEqual(user, null);
+        });
+
+        it("returns null when not found", async () => {
+            const user = await store.getUserByEmail("notfound@example.com");
+            assert.equal(user, null);
+        });
+    });
+
+    describe("getUserById", () => {
+        it("returns user when found", async () => {
+            const created = await store.createUser({
+                email: "test@example.com",
+                passwordHash: "hash123",
+            });
+
+            const user = await store.getUserById(created.id);
+            assert.notEqual(user, null);
+            assert.equal(user!.id, created.id);
+        });
+
+        it("returns null when not found", async () => {
+            const user = await store.getUserById("nonexistent" as UserId);
+            assert.equal(user, null);
+        });
+    });
+
+    describe("getUserPasswordHash", () => {
+        it("returns hash when found", async () => {
+            const user = await store.createUser({
+                email: "test@example.com",
+                passwordHash: "hash123",
+            });
+
+            const hash = await store.getUserPasswordHash(user.id);
+            assert.equal(hash, "hash123");
+        });
+
+        it("returns null when not found", async () => {
+            const hash = await store.getUserPasswordHash(
+                "nonexistent" as UserId,
+            );
+            assert.equal(hash, null);
+        });
+    });
+
+    describe("setUserPassword", () => {
+        it("updates password hash", async () => {
+            const user = await store.createUser({
+                email: "test@example.com",
+                passwordHash: "oldhash",
+            });
+
+            await store.setUserPassword(user.id, "newhash");
+
+            const hash = await store.getUserPasswordHash(user.id);
+            assert.equal(hash, "newhash");
+        });
+    });
+
+    describe("updateUserEmailVerified", () => {
+        it("sets user status to active", async () => {
+            const created = await store.createUser({
+                email: "test@example.com",
+                passwordHash: "hash123",
+            });
+            assert.equal(created.status, "pending");
+
+            await store.updateUserEmailVerified(created.id);
+
+            const user = await store.getUserById(created.id);
+            assert.equal(user!.status, "active");
+        });
+    });
+
+    describe("createSession", () => {
+        it("creates a session with token", async () => {
+            const user = await store.createUser({
+                email: "test@example.com",
+                passwordHash: "hash123",
+            });
+
+            const { token, session } = await store.createSession({
+                userId: user.id,
+                tokenType: "session",
+                authMethod: "cookie",
+                expiresAt: new Date(Date.now() + 3600000),
+            });
+
+            assert.ok(token.length > 0);
+            assert.equal(session.userId, user.id);
+            assert.equal(session.tokenType, "session");
+            assert.equal(session.authMethod, "cookie");
+        });
+
+        it("stores metadata", async () => {
+            const user = await store.createUser({
+                email: "test@example.com",
+                passwordHash: "hash123",
+            });
+
+            const { session } = await store.createSession({
+                userId: user.id,
+                tokenType: "session",
+                authMethod: "cookie",
+                expiresAt: new Date(Date.now() + 3600000),
+                userAgent: "Mozilla/5.0",
+                ipAddress: "127.0.0.1",
+            });
+
+            assert.equal(session.userAgent, "Mozilla/5.0");
+            assert.equal(session.ipAddress, "127.0.0.1");
+        });
+    });
+
+    describe("getSession", () => {
+        it("returns session when found and not expired", async () => {
+            const user = await store.createUser({
+                email: "test@example.com",
+                passwordHash: "hash123",
+            });
+
+            const { token } = await store.createSession({
+                userId: user.id,
+                tokenType: "session",
+                authMethod: "cookie",
+                expiresAt: new Date(Date.now() + 3600000), // 1 hour from now
+            });
+
+            const tokenId = hashToken(token) as TokenId;
+            const session = await store.getSession(tokenId);
+            assert.notEqual(session, null);
+            assert.equal(session!.userId, user.id);
+        });
+
+        it("returns null for expired session", async () => {
+            const user = await store.createUser({
+                email: "test@example.com",
+                passwordHash: "hash123",
+            });
+
+            const { token } = await store.createSession({
+                userId: user.id,
+                tokenType: "session",
+                authMethod: "cookie",
+                expiresAt: new Date(Date.now() - 1000), // Expired 1 second ago
+            });
+
+            const tokenId = hashToken(token) as TokenId;
+            const session = await store.getSession(tokenId);
+            assert.equal(session, null);
+        });
+
+        it("returns null for nonexistent session", async () => {
+            const session = await store.getSession("nonexistent" as TokenId);
+            assert.equal(session, null);
+        });
+    });
+
+    describe("deleteSession", () => {
+        it("removes the session", async () => {
+            const user = await store.createUser({
+                email: "test@example.com",
+                passwordHash: "hash123",
+            });
+
+            const { token } = await store.createSession({
+                userId: user.id,
+                tokenType: "session",
+                authMethod: "cookie",
+                expiresAt: new Date(Date.now() + 3600000),
+            });
+
+            const tokenId = hashToken(token) as TokenId;
+            await store.deleteSession(tokenId);
+
+            const session = await store.getSession(tokenId);
+            assert.equal(session, null);
+        });
+    });
+
+    describe("deleteUserSessions", () => {
+        it("removes all sessions for user", async () => {
+            const user = await store.createUser({
+                email: "test@example.com",
+                passwordHash: "hash123",
+            });
+
+            const { token: token1 } = await store.createSession({
+                userId: user.id,
+                tokenType: "session",
+                authMethod: "cookie",
+                expiresAt: new Date(Date.now() + 3600000),
+            });
+
+            const { token: token2 } = await store.createSession({
+                userId: user.id,
+                tokenType: "session",
+                authMethod: "bearer",
+                expiresAt: new Date(Date.now() + 3600000),
+            });
+
+            const count = await store.deleteUserSessions(user.id);
+            assert.equal(count, 2);
+
+            const session1 = await store.getSession(
+                hashToken(token1) as TokenId,
+            );
+            const session2 = await store.getSession(
+                hashToken(token2) as TokenId,
+            );
+            assert.equal(session1, null);
+            assert.equal(session2, null);
+        });
+
+        it("returns 0 when user has no sessions", async () => {
+            const count = await store.deleteUserSessions(
+                "nonexistent" as UserId,
+            );
+            assert.equal(count, 0);
+        });
+    });
+
+    describe("updateLastUsed", () => {
+        it("updates lastUsedAt timestamp", async () => {
+            const user = await store.createUser({
+                email: "test@example.com",
+                passwordHash: "hash123",
+            });
+
+            const { token } = await store.createSession({
+                userId: user.id,
+                tokenType: "session",
+                authMethod: "cookie",
+                expiresAt: new Date(Date.now() + 3600000),
+            });
+
+            const tokenId = hashToken(token) as TokenId;
+            const beforeUpdate = await store.getSession(tokenId);
+            assert.equal(beforeUpdate!.lastUsedAt, undefined);
+
+            await store.updateLastUsed(tokenId);
+
+            const afterUpdate = await store.getSession(tokenId);
+            assert.ok(afterUpdate!.lastUsedAt instanceof Date);
+        });
+    });
+});

backend/diachron/auth/token.spec.ts

@@ -0,0 +1,94 @@
+// Tests for auth/token.ts
+// Pure unit tests - no database needed
+
+import assert from "node:assert/strict";
+import { describe, it } from "node:test";
+import {
+    generateToken,
+    hashToken,
+    parseAuthorizationHeader,
+    SESSION_COOKIE_NAME,
+} from "./token";
+
+describe("token", () => {
+    describe("generateToken", () => {
+        it("generates a non-empty string", () => {
+            const token = generateToken();
+            assert.equal(typeof token, "string");
+            assert.ok(token.length > 0);
+        });
+
+        it("generates unique tokens", () => {
+            const tokens = new Set<string>();
+            for (let i = 0; i < 100; i++) {
+                tokens.add(generateToken());
+            }
+            assert.equal(tokens.size, 100);
+        });
+
+        it("generates base64url encoded tokens", () => {
+            const token = generateToken();
+            // base64url uses A-Z, a-z, 0-9, -, _
+            assert.match(token, /^[A-Za-z0-9_-]+$/);
+        });
+    });
+
+    describe("hashToken", () => {
+        it("returns a hex string", () => {
+            const hash = hashToken("test-token");
+            assert.match(hash, /^[a-f0-9]+$/);
+        });
+
+        it("returns consistent hash for same input", () => {
+            const hash1 = hashToken("test-token");
+            const hash2 = hashToken("test-token");
+            assert.equal(hash1, hash2);
+        });
+
+        it("returns different hash for different input", () => {
+            const hash1 = hashToken("token-1");
+            const hash2 = hashToken("token-2");
+            assert.notEqual(hash1, hash2);
+        });
+
+        it("returns 64 character hash (SHA-256)", () => {
+            const hash = hashToken("test-token");
+            assert.equal(hash.length, 64);
+        });
+    });
+
+    describe("parseAuthorizationHeader", () => {
+        it("returns null for undefined header", () => {
+            assert.equal(parseAuthorizationHeader(undefined), null);
+        });
+
+        it("returns null for empty string", () => {
+            assert.equal(parseAuthorizationHeader(""), null);
+        });
+
+        it("returns null for non-bearer auth", () => {
+            assert.equal(parseAuthorizationHeader("Basic abc123"), null);
+        });
+
+        it("returns null for malformed header", () => {
+            assert.equal(parseAuthorizationHeader("Bearer"), null);
+            assert.equal(parseAuthorizationHeader("Bearer token extra"), null);
+        });
+
+        it("extracts token from valid bearer header", () => {
+            assert.equal(parseAuthorizationHeader("Bearer abc123"), "abc123");
+        });
+
+        it("is case-insensitive for Bearer keyword", () => {
+            assert.equal(parseAuthorizationHeader("bearer abc123"), "abc123");
+            assert.equal(parseAuthorizationHeader("BEARER abc123"), "abc123");
+        });
+    });
+
+    describe("SESSION_COOKIE_NAME", () => {
+        it("is defined", () => {
+            assert.equal(typeof SESSION_COOKIE_NAME, "string");
+            assert.ok(SESSION_COOKIE_NAME.length > 0);
+        });
+    });
+});

backend/diachron/auth/types.spec.ts

@@ -0,0 +1,253 @@
+// Tests for auth/types.ts
+// Pure unit tests - no database needed
+
+import assert from "node:assert/strict";
+import { describe, it } from "node:test";
+import { z } from "zod";
+import { AuthenticatedUser, anonymousUser } from "../user";
+import {
+    authMethodParser,
+    forgotPasswordInputParser,
+    loginInputParser,
+    registerInputParser,
+    resetPasswordInputParser,
+    Session,
+    sessionDataParser,
+    tokenLifetimes,
+    tokenTypeParser,
+} from "./types";
+
+describe("auth/types", () => {
+    describe("tokenTypeParser", () => {
+        it("accepts valid token types", () => {
+            assert.equal(tokenTypeParser.parse("session"), "session");
+            assert.equal(
+                tokenTypeParser.parse("password_reset"),
+                "password_reset",
+            );
+            assert.equal(tokenTypeParser.parse("email_verify"), "email_verify");
+        });
+
+        it("rejects invalid token types", () => {
+            assert.throws(() => tokenTypeParser.parse("invalid"));
+        });
+    });
+
+    describe("authMethodParser", () => {
+        it("accepts valid auth methods", () => {
+            assert.equal(authMethodParser.parse("cookie"), "cookie");
+            assert.equal(authMethodParser.parse("bearer"), "bearer");
+        });
+
+        it("rejects invalid auth methods", () => {
+            assert.throws(() => authMethodParser.parse("basic"));
+        });
+    });
+
+    describe("sessionDataParser", () => {
+        it("accepts valid session data", () => {
+            const data = {
+                tokenId: "abc123",
+                userId: "user-1",
+                tokenType: "session",
+                authMethod: "cookie",
+                createdAt: new Date(),
+                expiresAt: new Date(),
+            };
+            const result = sessionDataParser.parse(data);
+            assert.equal(result.tokenId, "abc123");
+            assert.equal(result.userId, "user-1");
+        });
+
+        it("coerces date strings to dates", () => {
+            const data = {
+                tokenId: "abc123",
+                userId: "user-1",
+                tokenType: "session",
+                authMethod: "cookie",
+                createdAt: "2025-01-01T00:00:00Z",
+                expiresAt: "2025-01-02T00:00:00Z",
+            };
+            const result = sessionDataParser.parse(data);
+            assert.ok(result.createdAt instanceof Date);
+            assert.ok(result.expiresAt instanceof Date);
+        });
+
+        it("accepts optional fields", () => {
+            const data = {
+                tokenId: "abc123",
+                userId: "user-1",
+                tokenType: "session",
+                authMethod: "cookie",
+                createdAt: new Date(),
+                expiresAt: new Date(),
+                lastUsedAt: new Date(),
+                userAgent: "Mozilla/5.0",
+                ipAddress: "127.0.0.1",
+                isUsed: true,
+            };
+            const result = sessionDataParser.parse(data);
+            assert.equal(result.userAgent, "Mozilla/5.0");
+            assert.equal(result.ipAddress, "127.0.0.1");
+            assert.equal(result.isUsed, true);
+        });
+    });
+
+    describe("loginInputParser", () => {
+        it("accepts valid login input", () => {
+            const result = loginInputParser.parse({
+                email: "test@example.com",
+                password: "secret",
+            });
+            assert.equal(result.email, "test@example.com");
+            assert.equal(result.password, "secret");
+        });
+
+        it("rejects invalid email", () => {
+            assert.throws(() =>
+                loginInputParser.parse({
+                    email: "not-an-email",
+                    password: "secret",
+                }),
+            );
+        });
+
+        it("rejects empty password", () => {
+            assert.throws(() =>
+                loginInputParser.parse({
+                    email: "test@example.com",
+                    password: "",
+                }),
+            );
+        });
+    });
+
+    describe("registerInputParser", () => {
+        it("accepts valid registration input", () => {
+            const result = registerInputParser.parse({
+                email: "test@example.com",
+                password: "password123",
+                displayName: "Test User",
+            });
+            assert.equal(result.email, "test@example.com");
+            assert.equal(result.password, "password123");
+            assert.equal(result.displayName, "Test User");
+        });
+
+        it("accepts registration without displayName", () => {
+            const result = registerInputParser.parse({
+                email: "test@example.com",
+                password: "password123",
+            });
+            assert.equal(result.displayName, undefined);
+        });
+
+        it("rejects password shorter than 8 characters", () => {
+            assert.throws(() =>
+                registerInputParser.parse({
+                    email: "test@example.com",
+                    password: "short",
+                }),
+            );
+        });
+    });
+
+    describe("forgotPasswordInputParser", () => {
+        it("accepts valid email", () => {
+            const result = forgotPasswordInputParser.parse({
+                email: "test@example.com",
+            });
+            assert.equal(result.email, "test@example.com");
+        });
+
+        it("rejects invalid email", () => {
+            assert.throws(() =>
+                forgotPasswordInputParser.parse({
+                    email: "invalid",
+                }),
+            );
+        });
+    });
+
+    describe("resetPasswordInputParser", () => {
+        it("accepts valid reset input", () => {
+            const result = resetPasswordInputParser.parse({
+                token: "abc123",
+                password: "newpassword",
+            });
+            assert.equal(result.token, "abc123");
+            assert.equal(result.password, "newpassword");
+        });
+
+        it("rejects empty token", () => {
+            assert.throws(() =>
+                resetPasswordInputParser.parse({
+                    token: "",
+                    password: "newpassword",
+                }),
+            );
+        });
+
+        it("rejects password shorter than 8 characters", () => {
+            assert.throws(() =>
+                resetPasswordInputParser.parse({
+                    token: "abc123",
+                    password: "short",
+                }),
+            );
+        });
+    });
+
+    describe("tokenLifetimes", () => {
+        it("defines session lifetime", () => {
+            assert.ok(tokenLifetimes.session > 0);
+            // 30 days in ms
+            assert.equal(tokenLifetimes.session, 30 * 24 * 60 * 60 * 1000);
+        });
+
+        it("defines password_reset lifetime", () => {
+            assert.ok(tokenLifetimes.password_reset > 0);
+            // 1 hour in ms
+            assert.equal(tokenLifetimes.password_reset, 1 * 60 * 60 * 1000);
+        });
+
+        it("defines email_verify lifetime", () => {
+            assert.ok(tokenLifetimes.email_verify > 0);
+            // 24 hours in ms
+            assert.equal(tokenLifetimes.email_verify, 24 * 60 * 60 * 1000);
+        });
+    });
+
+    describe("Session", () => {
+        it("wraps authenticated session", () => {
+            const user = AuthenticatedUser.create("test@example.com", {
+                id: "user-1",
+            });
+            const sessionData = {
+                tokenId: "token-1",
+                userId: "user-1",
+                tokenType: "session" as const,
+                authMethod: "cookie" as const,
+                createdAt: new Date(),
+                expiresAt: new Date(),
+            };
+            const session = new Session(sessionData, user);
+
+            assert.equal(session.isAuthenticated(), true);
+            assert.equal(session.getUser(), user);
+            assert.equal(session.getData(), sessionData);
+            assert.equal(session.tokenId, "token-1");
+            assert.equal(session.userId, "user-1");
+        });
+
+        it("wraps anonymous session", () => {
+            const session = new Session(null, anonymousUser);
+
+            assert.equal(session.isAuthenticated(), false);
+            assert.equal(session.getUser(), anonymousUser);
+            assert.equal(session.getData(), null);
+            assert.equal(session.tokenId, undefined);
+            assert.equal(session.userId, undefined);
+        });
+    });
+});

backend/diachron/basic/login.spec.ts

@@ -0,0 +1,24 @@
+// Tests for basic/login.ts
+// These tests verify the route structure and export
+
+import assert from "node:assert/strict";
+import { describe, it } from "node:test";
+import { loginRoute } from "./login";
+
+describe("basic/login", () => {
+    describe("loginRoute", () => {
+        it("has correct path", () => {
+            assert.equal(loginRoute.path, "/login");
+        });
+
+        it("handles GET and POST methods", () => {
+            assert.ok(loginRoute.methods.includes("GET"));
+            assert.ok(loginRoute.methods.includes("POST"));
+            assert.equal(loginRoute.methods.length, 2);
+        });
+
+        it("has a handler function", () => {
+            assert.equal(typeof loginRoute.handler, "function");
+        });
+    });
+});

backend/diachron/basic/logout.spec.ts

@@ -0,0 +1,24 @@
+// Tests for basic/logout.ts
+// These tests verify the route structure and export
+
+import assert from "node:assert/strict";
+import { describe, it } from "node:test";
+import { logoutRoute } from "./logout";
+
+describe("basic/logout", () => {
+    describe("logoutRoute", () => {
+        it("has correct path", () => {
+            assert.equal(logoutRoute.path, "/logout");
+        });
+
+        it("handles GET and POST methods", () => {
+            assert.ok(logoutRoute.methods.includes("GET"));
+            assert.ok(logoutRoute.methods.includes("POST"));
+            assert.equal(logoutRoute.methods.length, 2);
+        });
+
+        it("has a handler function", () => {
+            assert.equal(typeof logoutRoute.handler, "function");
+        });
+    });
+});

backend/diachron/basic/routes.spec.ts

@@ -0,0 +1,73 @@
+// Tests for basic/routes.ts
+// These tests verify the route structure and exports
+
+import assert from "node:assert/strict";
+import { describe, it } from "node:test";
+import { routes } from "./routes";
+
+describe("basic/routes", () => {
+    describe("routes object", () => {
+        it("exports routes as an object", () => {
+            assert.equal(typeof routes, "object");
+        });
+
+        it("contains hello route", () => {
+            assert.ok("hello" in routes);
+            assert.equal(routes.hello.path, "/hello");
+            assert.ok(routes.hello.methods.includes("GET"));
+        });
+
+        it("contains home route", () => {
+            assert.ok("home" in routes);
+            assert.equal(routes.home.path, "/");
+            assert.ok(routes.home.methods.includes("GET"));
+        });
+
+        it("contains login route", () => {
+            assert.ok("login" in routes);
+            assert.equal(routes.login.path, "/login");
+        });
+
+        it("contains logout route", () => {
+            assert.ok("logout" in routes);
+            assert.equal(routes.logout.path, "/logout");
+        });
+
+        it("all routes have handlers", () => {
+            for (const [name, route] of Object.entries(routes)) {
+                assert.equal(
+                    typeof route.handler,
+                    "function",
+                    `Route ${name} should have a handler function`,
+                );
+            }
+        });
+
+        it("all routes have methods array", () => {
+            for (const [name, route] of Object.entries(routes)) {
+                assert.ok(
+                    Array.isArray(route.methods),
+                    `Route ${name} should have methods array`,
+                );
+                assert.ok(
+                    route.methods.length > 0,
+                    `Route ${name} should have at least one method`,
+                );
+            }
+        });
+
+        it("all routes have path string", () => {
+            for (const [name, route] of Object.entries(routes)) {
+                assert.equal(
+                    typeof route.path,
+                    "string",
+                    `Route ${name} should have a path string`,
+                );
+                assert.ok(
+                    route.path.startsWith("/"),
+                    `Route ${name} path should start with /`,
+                );
+            }
+        });
+    });
+});

backend/diachron/basic/routes.ts

@@ -1,4 +1,5 @@
 import { DateTime } from "ts-luxon";
+import { get, User } from "../hydrators/user";
 import { request } from "../request";
 import { html, render } from "../request/util";
 import type { Call, Result, Route } from "../types";
@@ -23,11 +24,18 @@ const routes: Record<string, Route> = {
             const _auth = request.auth;
             const me = request.session.getUser();
 
-            const email = me.toString();
+            const id = me.id;
+            console.log(`*** id: ${id}`);
+
+            const u = await get(id);
+
+            const email = u?.email || "anonymous@example.com";
+            const name = u?.display_name || "anonymous";
             const showLogin = me.isAnonymous();
             const showLogout = !me.isAnonymous();
 
             const c = await render("basic/home", {
+                name,
                 email,
                 showLogin,
                 showLogout,

backend/diachron/database.spec.ts

@@ -0,0 +1,285 @@
+// Tests for database.ts
+// Requires test PostgreSQL: docker compose -f docker-compose.test.yml up -d
+
+import assert from "node:assert/strict";
+import { after, before, beforeEach, describe, it } from "node:test";
+import {
+    connectionConfig,
+    db,
+    migrate,
+    migrationStatus,
+    PostgresAuthStore,
+    pool,
+    raw,
+    rawPool,
+} from "./database";
+import type { UserId } from "./user";
+
+describe("database", () => {
+    before(async () => {
+        // Run migrations to set up schema
+        await migrate();
+    });
+
+    after(async () => {
+        await pool.end();
+    });
+
+    describe("connectionConfig", () => {
+        it("has required fields", () => {
+            assert.ok("host" in connectionConfig);
+            assert.ok("port" in connectionConfig);
+            assert.ok("user" in connectionConfig);
+            assert.ok("password" in connectionConfig);
+            assert.ok("database" in connectionConfig);
+        });
+
+        it("port is a number", () => {
+            assert.equal(typeof connectionConfig.port, "number");
+        });
+    });
+
+    describe("raw", () => {
+        it("executes raw SQL queries", async () => {
+            const result = await raw<{ one: number }>("SELECT 1 as one");
+            assert.equal(result.length, 1);
+            assert.equal(result[0].one, 1);
+        });
+
+        it("supports parameterized queries", async () => {
+            const result = await raw<{ sum: number }>(
+                "SELECT $1::int + $2::int as sum",
+                [2, 3],
+            );
+            assert.equal(result[0].sum, 5);
+        });
+    });
+
+    describe("db (Kysely instance)", () => {
+        it("can execute SELECT queries", async () => {
+            const result = await db
+                .selectFrom("users")
+                .select("id")
+                .limit(1)
+                .execute();
+
+            // May be empty, just verify it runs
+            assert.ok(Array.isArray(result));
+        });
+    });
+
+    describe("rawPool", () => {
+        it("is a pg Pool instance", () => {
+            assert.ok(rawPool.query !== undefined);
+        });
+
+        it("can execute queries", async () => {
+            const result = await rawPool.query("SELECT 1 as one");
+            assert.equal(result.rows[0].one, 1);
+        });
+    });
+
+    describe("migrate", () => {
+        it("runs without error when migrations are up to date", async () => {
+            // Should not throw
+            await migrate();
+        });
+    });
+
+    describe("migrationStatus", () => {
+        it("returns applied and pending arrays", async () => {
+            const status = await migrationStatus();
+
+            assert.ok(Array.isArray(status.applied));
+            assert.ok(Array.isArray(status.pending));
+        });
+
+        it("shows framework migrations as applied", async () => {
+            const status = await migrationStatus();
+
+            // At least the users migration should be applied
+            const hasUsersMigration = status.applied.some((m) =>
+                m.includes("users"),
+            );
+            assert.ok(hasUsersMigration);
+        });
+    });
+
+    describe("PostgresAuthStore", () => {
+        let store: PostgresAuthStore;
+
+        before(() => {
+            store = new PostgresAuthStore();
+        });
+
+        beforeEach(async () => {
+            // Clean up test data before each test
+            await rawPool.query("DELETE FROM sessions");
+            await rawPool.query("DELETE FROM user_credentials");
+            await rawPool.query("DELETE FROM user_emails");
+            await rawPool.query("DELETE FROM users");
+        });
+
+        describe("createUser", () => {
+            it("creates a user with pending status", async () => {
+                const user = await store.createUser({
+                    email: "test@example.com",
+                    passwordHash: "hash123",
+                    displayName: "Test User",
+                });
+
+                assert.equal(user.email, "test@example.com");
+                assert.equal(user.displayName, "Test User");
+                assert.equal(user.status, "pending");
+            });
+
+            it("stores the password hash", async () => {
+                const user = await store.createUser({
+                    email: "test@example.com",
+                    passwordHash: "secrethash",
+                });
+
+                const hash = await store.getUserPasswordHash(user.id);
+                assert.equal(hash, "secrethash");
+            });
+        });
+
+        describe("getUserByEmail", () => {
+            it("returns user when found", async () => {
+                await store.createUser({
+                    email: "find@example.com",
+                    passwordHash: "hash",
+                });
+
+                const user = await store.getUserByEmail("find@example.com");
+                assert.notEqual(user, null);
+                assert.equal(user!.email, "find@example.com");
+            });
+
+            it("is case-insensitive", async () => {
+                await store.createUser({
+                    email: "UPPER@EXAMPLE.COM",
+                    passwordHash: "hash",
+                });
+
+                const user = await store.getUserByEmail("upper@example.com");
+                assert.notEqual(user, null);
+            });
+
+            it("returns null when not found", async () => {
+                const user = await store.getUserByEmail("notfound@example.com");
+                assert.equal(user, null);
+            });
+        });
+
+        describe("getUserById", () => {
+            it("returns user when found", async () => {
+                const created = await store.createUser({
+                    email: "test@example.com",
+                    passwordHash: "hash",
+                });
+
+                const user = await store.getUserById(created.id);
+                assert.notEqual(user, null);
+                assert.equal(user!.id, created.id);
+            });
+
+            it("returns null when not found", async () => {
+                const user = await store.getUserById(
+                    "00000000-0000-0000-0000-000000000000" as UserId,
+                );
+                assert.equal(user, null);
+            });
+        });
+
+        describe("setUserPassword", () => {
+            it("updates the password hash", async () => {
+                const user = await store.createUser({
+                    email: "test@example.com",
+                    passwordHash: "oldhash",
+                });
+
+                await store.setUserPassword(user.id, "newhash");
+
+                const hash = await store.getUserPasswordHash(user.id);
+                assert.equal(hash, "newhash");
+            });
+        });
+
+        describe("updateUserEmailVerified", () => {
+            it("sets user status to active", async () => {
+                const created = await store.createUser({
+                    email: "test@example.com",
+                    passwordHash: "hash",
+                });
+                assert.equal(created.status, "pending");
+
+                await store.updateUserEmailVerified(created.id);
+
+                const user = await store.getUserById(created.id);
+                assert.equal(user!.status, "active");
+            });
+        });
+
+        describe("session operations", () => {
+            let userId: UserId;
+
+            beforeEach(async () => {
+                const user = await store.createUser({
+                    email: "session@example.com",
+                    passwordHash: "hash",
+                });
+                userId = user.id;
+            });
+
+            it("creates and retrieves sessions", async () => {
+                const { token, session } = await store.createSession({
+                    userId,
+                    tokenType: "session",
+                    authMethod: "cookie",
+                    expiresAt: new Date(Date.now() + 3600000),
+                });
+
+                assert.ok(token.length > 0);
+                assert.equal(session.userId, userId);
+                assert.equal(session.tokenType, "session");
+            });
+
+            it("deletes sessions", async () => {
+                const { session } = await store.createSession({
+                    userId,
+                    tokenType: "session",
+                    authMethod: "cookie",
+                    expiresAt: new Date(Date.now() + 3600000),
+                });
+
+                await store.deleteSession(session.tokenId as any);
+
+                // Session should be soft-deleted (revoked)
+                const retrieved = await store.getSession(
+                    session.tokenId as any,
+                );
+                assert.equal(retrieved, null);
+            });
+
+            it("deletes all user sessions", async () => {
+                await store.createSession({
+                    userId,
+                    tokenType: "session",
+                    authMethod: "cookie",
+                    expiresAt: new Date(Date.now() + 3600000),
+                });
+
+                await store.createSession({
+                    userId,
+                    tokenType: "session",
+                    authMethod: "bearer",
+                    expiresAt: new Date(Date.now() + 3600000),
+                });
+
+                const count = await store.deleteUserSessions(userId);
+                assert.equal(count, 2);
+            });
+        });
+    });
+});

backend/diachron/database.ts

@@ -21,13 +21,13 @@ import type { SessionData, TokenId } from "./auth/types";
 import type { Domain } from "./types";
 import { AuthenticatedUser, type User, type UserId } from "./user";
 
-// Connection configuration
+// Connection configuration (supports environment variable overrides)
 const connectionConfig = {
-    host: "localhost",
-    port: 5432,
-    user: "diachron",
-    password: "diachron",
-    database: "diachron",
+    host: process.env.DB_HOST ?? "localhost",
+    port: Number(process.env.DB_PORT ?? 5432),
+    user: process.env.DB_USER ?? "diachron",
+    password: process.env.DB_PASSWORD ?? "diachron",
+    database: process.env.DB_NAME ?? "diachron",
 };
 
 // Database schema types for Kysely
@@ -113,7 +113,7 @@ async function raw<T = unknown>(
 //
 // Migrations directory: express/migrations/
 
-const FRAMEWORK_MIGRATIONS_DIR = path.join(__dirname, "framework/migrations");
+const FRAMEWORK_MIGRATIONS_DIR = path.join(__dirname, "diachron/migrations");
 const APP_MIGRATIONS_DIR = path.join(__dirname, "migrations");
 const MIGRATIONS_TABLE = "_migrations";
 

backend/diachron/handlers.spec.ts

@@ -0,0 +1,71 @@
+// Tests for handlers.ts
+// These tests use mock Call objects
+
+import assert from "node:assert/strict";
+import { describe, it } from "node:test";
+import type { Request as ExpressRequest } from "express";
+import { Session } from "./auth/types";
+import { contentTypes } from "./content-types";
+import { multiHandler } from "./handlers";
+import { httpCodes } from "./http-codes";
+import type { Call } from "./types";
+import { anonymousUser } from "./user";
+
+// Helper to create a minimal mock Call
+function createMockCall(overrides: Partial<Call> = {}): Call {
+    const defaultSession = new Session(null, anonymousUser);
+    return {
+        pattern: "/test",
+        path: "/test",
+        method: "GET",
+        parameters: {},
+        request: {} as ExpressRequest,
+        user: anonymousUser,
+        session: defaultSession,
+        ...overrides,
+    };
+}
+
+describe("handlers", () => {
+    describe("multiHandler", () => {
+        it("returns OK status", async () => {
+            const call = createMockCall({ method: "GET" });
+            const result = await multiHandler(call);
+
+            assert.equal(result.code, httpCodes.success.OK);
+        });
+
+        it("returns text/plain content type", async () => {
+            const call = createMockCall();
+            const result = await multiHandler(call);
+
+            assert.equal(result.contentType, contentTypes.text.plain);
+        });
+
+        it("includes method in result", async () => {
+            const call = createMockCall({ method: "POST" });
+            const result = await multiHandler(call);
+
+            assert.ok(result.result.includes("POST"));
+        });
+
+        it("includes a random number in result", async () => {
+            const call = createMockCall();
+            const result = await multiHandler(call);
+
+            // Result format: "that was GET (0.123456789)"
+            assert.match(result.result, /that was \w+ \(\d+\.?\d*\)/);
+        });
+
+        it("works with different HTTP methods", async () => {
+            const methods = ["GET", "POST", "PUT", "PATCH", "DELETE"] as const;
+
+            for (const method of methods) {
+                const call = createMockCall({ method });
+                const result = await multiHandler(call);
+
+                assert.ok(result.result.includes(method));
+            }
+        });
+    });
+});

backend/diachron/hydrators/hydrator.ts

@@ -0,0 +1,29 @@
+import { Kysely, PostgresDialect } from "kysely";
+import { Pool } from "pg";
+import type { DB } from "../../generated/db";
+import { connectionConfig } from "../database";
+
+const db = new Kysely<DB>({
+    dialect: new PostgresDialect({
+        pool: new Pool(connectionConfig),
+    }),
+    log(event) {
+        if (event.level === "query") {
+            // FIXME: Wire this up to the logging system
+            console.log("SQL:", event.query.sql);
+            console.log("Params:", event.query.parameters);
+        }
+    },
+});
+
+abstract class Hydrator<T> {
+    public db: Kysely<DB>;
+
+    protected abstract table: string;
+
+    constructor() {
+        this.db = db;
+    }
+}
+
+export { Hydrator, db };

backend/diachron/hydrators/index.ts

@@ -0,0 +1 @@
+export type Hydrators = {};

backend/diachron/hydrators/tests/setup.ts

@@ -0,0 +1,44 @@
+// Test setup for hydrator tests
+// Run: DB_PORT=5433 DB_USER=diachron_test DB_PASSWORD=diachron_test DB_NAME=diachron_test npx tsx --test tests/*.test.ts
+
+import { Pool } from "pg";
+import { connectionConfig, migrate } from "../../database";
+
+const pool = new Pool(connectionConfig);
+
+export async function setupTestDatabase(): Promise<void> {
+    await migrate();
+}
+
+export async function cleanupTables(): Promise<void> {
+    // Clean in reverse dependency order
+    await pool.query("DELETE FROM user_emails");
+    await pool.query("DELETE FROM users");
+}
+
+export async function teardownTestDatabase(): Promise<void> {
+    await pool.end();
+}
+
+export async function insertTestUser(data: {
+    id: string;
+    displayName: string;
+    status: string;
+    email: string;
+}): Promise<void> {
+    const emailId = crypto.randomUUID();
+    const normalizedEmail = data.email.toLowerCase().trim();
+
+    await pool.query(
+        `INSERT INTO users (id, display_name, status) VALUES ($1, $2, $3)`,
+        [data.id, data.displayName, data.status],
+    );
+
+    await pool.query(
+        `INSERT INTO user_emails (id, user_id, email, normalized_email, is_primary)
+         VALUES ($1, $2, $3, $4, true)`,
+        [emailId, data.id, data.email, normalizedEmail],
+    );
+}
+
+export { pool };

backend/diachron/hydrators/tests/user.spec.ts

@@ -0,0 +1,98 @@
+// Tests for user hydrator
+// Run with: cd express && DB_PORT=5433 DB_USER=diachron_test DB_PASSWORD=diachron_test DB_NAME=diachron_test ../cmd npx tsx --test diachron/hydrators/tests/user.test.ts
+
+import assert from "node:assert/strict";
+import { after, before, beforeEach, describe, it } from "node:test";
+import { get } from "../user";
+import {
+    cleanupTables,
+    insertTestUser,
+    setupTestDatabase,
+    teardownTestDatabase,
+} from "./setup";
+
+describe("user hydrator", () => {
+    before(async () => {
+        await setupTestDatabase();
+    });
+
+    after(async () => {
+        await teardownTestDatabase();
+    });
+
+    beforeEach(async () => {
+        await cleanupTables();
+    });
+
+    describe("get", () => {
+        it("returns null for non-existent user", async () => {
+            const result = await get("00000000-0000-0000-0000-000000000000");
+            assert.equal(result, null);
+        });
+
+        it("returns user when found", async () => {
+            const userId = "cfae0a19-6515-4813-bc2d-1e032b72b203";
+            await insertTestUser({
+                id: userId,
+                displayName: "Test User",
+                status: "active",
+                email: "test@example.com",
+            });
+
+            const result = await get(userId);
+
+            assert.notEqual(result, null);
+            assert.equal(result!.id, userId);
+            assert.equal(result!.display_name, "Test User");
+            assert.equal(result!.status, "active");
+            assert.equal(result!.email, "test@example.com");
+        });
+
+        it("validates user data with zod parser", async () => {
+            const userId = crypto.randomUUID();
+            await insertTestUser({
+                id: userId,
+                displayName: "Valid User",
+                status: "active",
+                email: "valid@example.com",
+            });
+
+            const result = await get(userId);
+
+            // If we get here without throwing, parsing succeeded
+            assert.notEqual(result, null);
+            assert.equal(typeof result!.id, "string");
+            assert.equal(typeof result!.email, "string");
+        });
+
+        it("returns user with pending status", async () => {
+            const userId = crypto.randomUUID();
+            await insertTestUser({
+                id: userId,
+                displayName: "Pending User",
+                status: "pending",
+                email: "pending@example.com",
+            });
+
+            const result = await get(userId);
+
+            assert.notEqual(result, null);
+            assert.equal(result!.status, "pending");
+        });
+
+        it("returns user with suspended status", async () => {
+            const userId = crypto.randomUUID();
+            await insertTestUser({
+                id: userId,
+                displayName: "Suspended User",
+                status: "suspended",
+                email: "suspended@example.com",
+            });
+
+            const result = await get(userId);
+
+            assert.notEqual(result, null);
+            assert.equal(result!.status, "suspended");
+        });
+    });
+});

backend/diachron/hydrators/user.ts

@@ -0,0 +1,59 @@
+import {
+    ColumnType,
+    Generated,
+    Insertable,
+    JSONColumnType,
+    Selectable,
+    Updateable,
+} from "kysely";
+import type { TypeID } from "typeid-js";
+import { z } from "zod";
+import { db, Hydrator } from "./hydrator";
+
+const parser = z.object({
+    // id: z.uuidv7(),
+    id: z.uuid(),
+    display_name: z.string(),
+    // FIXME: status is duplicated elsewhere
+    status: z.union([
+        z.literal("active"),
+        z.literal("suspended"),
+        z.literal("pending"),
+    ]),
+    email: z.email(),
+});
+
+const tp = parser.parse({
+    id: "cfae0a19-6515-4813-bc2d-1e032b72b203",
+    display_name: "foo",
+    status: "active",
+    email: "mw@philologue.net",
+});
+
+export type User = z.infer<typeof parser>;
+
+const get = async (id: string): Promise<null | User> => {
+    const ret = await db
+        .selectFrom("users")
+        .where("users.id", "=", id)
+        .innerJoin("user_emails", "user_emails.user_id", "users.id")
+        .select([
+            "users.id",
+            "users.status",
+            "users.display_name",
+            "user_emails.email",
+        ])
+        .executeTakeFirst();
+
+    if (ret === undefined) {
+        return null;
+    }
+
+    console.dir(ret);
+
+    const parsed = parser.parse(ret);
+
+    return parsed;
+};
+
+export { get };

backend/diachron/logging.spec.ts

@@ -0,0 +1,53 @@
+// Tests for logging.ts
+// Note: These tests verify the module structure and types.
+// Full integration tests would require a running logging service.
+
+import assert from "node:assert/strict";
+import { describe, it } from "node:test";
+
+// We can't easily test log() and getLogs() without mocking fetch,
+// but we can verify the module exports correctly and types work.
+
+describe("logging", () => {
+    describe("module structure", () => {
+        it("exports log function", async () => {
+            const { log } = await import("./logging");
+            assert.equal(typeof log, "function");
+        });
+
+        it("exports getLogs function", async () => {
+            const { getLogs } = await import("./logging");
+            assert.equal(typeof getLogs, "function");
+        });
+    });
+
+    describe("Message type", () => {
+        // Type-level tests - if these compile, the types are correct
+        it("accepts valid message sources", () => {
+            type MessageSource = "logging" | "diagnostic" | "user";
+            const sources: MessageSource[] = ["logging", "diagnostic", "user"];
+            assert.equal(sources.length, 3);
+        });
+    });
+
+    describe("FilterArgument type", () => {
+        // Type-level tests
+        it("accepts valid filter options", () => {
+            type FilterArgument = {
+                limit?: number;
+                before?: number;
+                after?: number;
+                match?: (string | RegExp)[];
+            };
+
+            const filter: FilterArgument = {
+                limit: 10,
+                before: Date.now(),
+                after: Date.now() - 3600000,
+                match: ["error", /warning/i],
+            };
+
+            assert.ok(filter.limit === 10);
+        });
+    });
+});

backend/diachron/package.json

@@ -4,8 +4,10 @@
     "description": "",
     "main": "index.js",
     "scripts": {
-        "test": "echo \"Error: no test specified\" && exit 1",
-        "nodemon": "nodemon dist/index.js"
+        "test": "DB_PORT=5433 DB_USER=diachron_test DB_PASSWORD=diachron_test DB_NAME=diachron_test tsx --test '**/*.{test,spec}.ts'",
+        "test:watch": "DB_PORT=5433 DB_USER=diachron_test DB_PASSWORD=diachron_test DB_NAME=diachron_test tsx --test --watch '**/*.{test,spec}.ts'",
+        "nodemon": "nodemon dist/index.js",
+        "kysely-codegen": "kysely-codegen"
     },
     "keywords": [],
     "author": "",
@@ -24,6 +26,7 @@
         "ts-luxon": "^6.2.0",
         "ts-node": "^10.9.2",
         "tsx": "^4.20.6",
+        "typeid-js": "^1.2.0",
         "typescript": "^5.9.3",
         "zod": "^4.1.12"
     },

backend/diachron/pnpm-lock.yaml

@@ -44,6 +44,9 @@ importers:
       tsx:
         specifier: ^4.20.6
         version: 4.20.6
+      typeid-js:
+        specifier: ^1.2.0
+        version: 1.2.0
       typescript:
         specifier: ^5.9.3
         version: 5.9.3
@@ -1065,6 +1068,9 @@ packages:
     resolution: {integrity: sha512-OZs6gsjF4vMp32qrCbiVSkrFmXtG/AZhY3t0iAMrMBiAZyV9oALtXO8hsrHbMXF9x6L3grlFuwW2oAz7cav+Gw==}
     engines: {node: '>= 0.6'}
 
+  typeid-js@1.2.0:
+    resolution: {integrity: sha512-t76ZucAnvGC60ea/HjVsB0TSoB0cw9yjnfurUgtInXQWUI/VcrlZGpO23KN3iSe8yOGUgb1zr7W7uEzJ3hSljA==}
+
   typescript@5.9.3:
     resolution: {integrity: sha512-jl1vZzPDinLr9eUt3J/t7V6FgNEw9QjvBPdysz9KfQDD41fQrC2Y4vKQdiaUpFT4bXlb1RHhLpp8wtm6M5TgSw==}
     engines: {node: '>=14.17'}
@@ -1080,6 +1086,10 @@ packages:
     resolution: {integrity: sha512-pjy2bYhSsufwWlKwPc+l3cN7+wuJlK6uz0YdJEOlQDbl6jo/YlPi4mb8agUkVC8BF7V8NuzeyPNqRksA3hztKQ==}
     engines: {node: '>= 0.8'}
 
+  uuid@10.0.0:
+    resolution: {integrity: sha512-8XkAphELsDnEGrDxUOHB3RGvXz6TeuYSGEZBOjtTtPm2lwhGBjLgOzLHB63IUWfBpNucQjND6d3AOudO+H3RWQ==}
+    hasBin: true
+
   v8-compile-cache-lib@3.0.1:
     resolution: {integrity: sha512-wa7YjyUGfNZngI/vtK0UHAN+lgDCxBPCylVXGp0zu59Fz5aiGtNXaq3DhIov063MorB+VfufLh3JlF2KdTK3xg==}
 
@@ -2024,6 +2034,10 @@ snapshots:
       media-typer: 1.1.0
       mime-types: 3.0.1
 
+  typeid-js@1.2.0:
+    dependencies:
+      uuid: 10.0.0
+
   typescript@5.9.3: {}
 
   undefsafe@2.0.5: {}
@@ -2032,6 +2046,8 @@ snapshots:
 
   unpipe@1.0.0: {}
 
+  uuid@10.0.0: {}
+
   v8-compile-cache-lib@3.0.1: {}
 
   vary@1.1.2: {}

backend/diachron/types.spec.ts

@@ -0,0 +1,179 @@
+// Tests for types.ts
+// Pure unit tests
+
+import assert from "node:assert/strict";
+import { describe, it } from "node:test";
+import type { Request as ExpressRequest } from "express";
+import { Session } from "./auth/types";
+import { contentTypes } from "./content-types";
+import { httpCodes } from "./http-codes";
+import {
+    AuthenticationRequired,
+    AuthorizationDenied,
+    type Call,
+    isRedirect,
+    massageMethod,
+    methodParser,
+    type Permission,
+    type RedirectResult,
+    type Result,
+    requireAuth,
+    requirePermission,
+} from "./types";
+import { AuthenticatedUser, anonymousUser } from "./user";
+
+// Helper to create a minimal mock Call
+function createMockCall(overrides: Partial<Call> = {}): Call {
+    const defaultSession = new Session(null, anonymousUser);
+    return {
+        pattern: "/test",
+        path: "/test",
+        method: "GET",
+        parameters: {},
+        request: {} as ExpressRequest,
+        user: anonymousUser,
+        session: defaultSession,
+        ...overrides,
+    };
+}
+
+describe("types", () => {
+    describe("methodParser", () => {
+        it("accepts valid HTTP methods", () => {
+            assert.equal(methodParser.parse("GET"), "GET");
+            assert.equal(methodParser.parse("POST"), "POST");
+            assert.equal(methodParser.parse("PUT"), "PUT");
+            assert.equal(methodParser.parse("PATCH"), "PATCH");
+            assert.equal(methodParser.parse("DELETE"), "DELETE");
+        });
+
+        it("rejects invalid methods", () => {
+            assert.throws(() => methodParser.parse("get"));
+            assert.throws(() => methodParser.parse("OPTIONS"));
+            assert.throws(() => methodParser.parse("HEAD"));
+            assert.throws(() => methodParser.parse(""));
+        });
+    });
+
+    describe("massageMethod", () => {
+        it("converts lowercase to uppercase", () => {
+            assert.equal(massageMethod("get"), "GET");
+            assert.equal(massageMethod("post"), "POST");
+            assert.equal(massageMethod("put"), "PUT");
+            assert.equal(massageMethod("patch"), "PATCH");
+            assert.equal(massageMethod("delete"), "DELETE");
+        });
+
+        it("handles mixed case", () => {
+            assert.equal(massageMethod("Get"), "GET");
+            assert.equal(massageMethod("pOsT"), "POST");
+        });
+
+        it("throws for invalid methods", () => {
+            assert.throws(() => massageMethod("options"));
+            assert.throws(() => massageMethod("head"));
+        });
+    });
+
+    describe("isRedirect", () => {
+        it("returns true for redirect results", () => {
+            const result: RedirectResult = {
+                code: httpCodes.redirection.Found,
+                contentType: contentTypes.text.html,
+                result: "",
+                redirect: "/other",
+            };
+            assert.equal(isRedirect(result), true);
+        });
+
+        it("returns false for non-redirect results", () => {
+            const result: Result = {
+                code: httpCodes.success.OK,
+                contentType: contentTypes.text.html,
+                result: "hello",
+            };
+            assert.equal(isRedirect(result), false);
+        });
+    });
+
+    describe("AuthenticationRequired", () => {
+        it("has correct name and message", () => {
+            const err = new AuthenticationRequired();
+            assert.equal(err.name, "AuthenticationRequired");
+            assert.equal(err.message, "Authentication required");
+        });
+
+        it("is an instance of Error", () => {
+            const err = new AuthenticationRequired();
+            assert.ok(err instanceof Error);
+        });
+    });
+
+    describe("AuthorizationDenied", () => {
+        it("has correct name and message", () => {
+            const err = new AuthorizationDenied();
+            assert.equal(err.name, "AuthorizationDenied");
+            assert.equal(err.message, "Authorization denied");
+        });
+
+        it("is an instance of Error", () => {
+            const err = new AuthorizationDenied();
+            assert.ok(err instanceof Error);
+        });
+    });
+
+    describe("requireAuth", () => {
+        it("returns user for authenticated call", () => {
+            const user = AuthenticatedUser.create("test@example.com");
+            const session = new Session(null, user);
+            const call = createMockCall({ user, session });
+
+            const result = requireAuth(call);
+            assert.equal(result, user);
+        });
+
+        it("throws AuthenticationRequired for anonymous user", () => {
+            const call = createMockCall({ user: anonymousUser });
+
+            assert.throws(() => requireAuth(call), AuthenticationRequired);
+        });
+    });
+
+    describe("requirePermission", () => {
+        it("returns user when they have the permission", () => {
+            const user = AuthenticatedUser.create("test@example.com", {
+                permissions: ["posts:create" as Permission],
+            });
+            const session = new Session(null, user);
+            const call = createMockCall({ user, session });
+
+            const result = requirePermission(
+                call,
+                "posts:create" as Permission,
+            );
+            assert.equal(result, user);
+        });
+
+        it("throws AuthenticationRequired for anonymous user", () => {
+            const call = createMockCall({ user: anonymousUser });
+
+            assert.throws(
+                () => requirePermission(call, "posts:create" as Permission),
+                AuthenticationRequired,
+            );
+        });
+
+        it("throws AuthorizationDenied when missing permission", () => {
+            const user = AuthenticatedUser.create("test@example.com", {
+                permissions: ["posts:read" as Permission],
+            });
+            const session = new Session(null, user);
+            const call = createMockCall({ user, session });
+
+            assert.throws(
+                () => requirePermission(call, "posts:create" as Permission),
+                AuthorizationDenied,
+            );
+        });
+    });
+});

backend/diachron/user.spec.ts

@@ -0,0 +1,213 @@
+// Tests for user.ts
+// These are pure unit tests - no database needed
+
+import assert from "node:assert/strict";
+import { describe, it } from "node:test";
+import {
+    AnonymousUser,
+    AuthenticatedUser,
+    anonymousUser,
+    type Permission,
+    type Role,
+} from "./user";
+
+describe("User", () => {
+    describe("AuthenticatedUser.create", () => {
+        it("creates a user with default values", () => {
+            const user = AuthenticatedUser.create("test@example.com");
+
+            assert.equal(user.email, "test@example.com");
+            assert.equal(user.status, "active");
+            assert.equal(user.isAnonymous(), false);
+            assert.deepEqual([...user.roles], []);
+            assert.deepEqual([...user.permissions], []);
+        });
+
+        it("creates a user with custom values", () => {
+            const user = AuthenticatedUser.create("test@example.com", {
+                id: "custom-id",
+                displayName: "Test User",
+                status: "pending",
+                roles: ["admin"],
+                permissions: ["posts:create"],
+            });
+
+            assert.equal(user.id, "custom-id");
+            assert.equal(user.displayName, "Test User");
+            assert.equal(user.status, "pending");
+            assert.deepEqual([...user.roles], ["admin"]);
+            assert.deepEqual([...user.permissions], ["posts:create"]);
+        });
+    });
+
+    describe("status checks", () => {
+        it("isActive returns true for active users", () => {
+            const user = AuthenticatedUser.create("test@example.com", {
+                status: "active",
+            });
+            assert.equal(user.isActive(), true);
+        });
+
+        it("isActive returns false for suspended users", () => {
+            const user = AuthenticatedUser.create("test@example.com", {
+                status: "suspended",
+            });
+            assert.equal(user.isActive(), false);
+        });
+
+        it("isActive returns false for pending users", () => {
+            const user = AuthenticatedUser.create("test@example.com", {
+                status: "pending",
+            });
+            assert.equal(user.isActive(), false);
+        });
+    });
+
+    describe("role checks", () => {
+        it("hasRole returns true when user has the role", () => {
+            const user = AuthenticatedUser.create("test@example.com", {
+                roles: ["admin", "editor"],
+            });
+            assert.equal(user.hasRole("admin"), true);
+            assert.equal(user.hasRole("editor"), true);
+        });
+
+        it("hasRole returns false when user does not have the role", () => {
+            const user = AuthenticatedUser.create("test@example.com", {
+                roles: ["user"],
+            });
+            assert.equal(user.hasRole("admin"), false);
+        });
+
+        it("hasAnyRole returns true when user has at least one role", () => {
+            const user = AuthenticatedUser.create("test@example.com", {
+                roles: ["editor"],
+            });
+            assert.equal(user.hasAnyRole(["admin", "editor"]), true);
+        });
+
+        it("hasAnyRole returns false when user has none of the roles", () => {
+            const user = AuthenticatedUser.create("test@example.com", {
+                roles: ["user"],
+            });
+            assert.equal(user.hasAnyRole(["admin", "editor"]), false);
+        });
+
+        it("hasAllRoles returns true when user has all roles", () => {
+            const user = AuthenticatedUser.create("test@example.com", {
+                roles: ["admin", "editor", "user"],
+            });
+            assert.equal(user.hasAllRoles(["admin", "editor"]), true);
+        });
+
+        it("hasAllRoles returns false when user is missing a role", () => {
+            const user = AuthenticatedUser.create("test@example.com", {
+                roles: ["admin"],
+            });
+            assert.equal(user.hasAllRoles(["admin", "editor"]), false);
+        });
+    });
+
+    describe("permission checks", () => {
+        it("hasPermission returns true for direct permissions", () => {
+            const user = AuthenticatedUser.create("test@example.com", {
+                permissions: ["posts:create" as Permission],
+            });
+            assert.equal(
+                user.hasPermission("posts:create" as Permission),
+                true,
+            );
+        });
+
+        it("hasPermission returns true for role-derived permissions", () => {
+            const user = AuthenticatedUser.create("test@example.com", {
+                roles: ["admin" as Role],
+            });
+            // admin role has users:read, users:create, users:update, users:delete
+            assert.equal(user.hasPermission("users:read" as Permission), true);
+            assert.equal(
+                user.hasPermission("users:delete" as Permission),
+                true,
+            );
+        });
+
+        it("hasPermission returns false when permission not granted", () => {
+            const user = AuthenticatedUser.create("test@example.com", {
+                roles: ["user" as Role],
+            });
+            // user role only has users:read
+            assert.equal(
+                user.hasPermission("users:delete" as Permission),
+                false,
+            );
+        });
+
+        it("can() is a convenience method for hasPermission", () => {
+            const user = AuthenticatedUser.create("test@example.com", {
+                roles: ["admin" as Role],
+            });
+            assert.equal(user.can("read", "users"), true);
+            assert.equal(user.can("delete", "users"), true);
+            assert.equal(user.can("create", "posts"), false);
+        });
+    });
+
+    describe("effectivePermissions", () => {
+        it("returns combined direct and role-derived permissions", () => {
+            const user = AuthenticatedUser.create("test@example.com", {
+                roles: ["user" as Role],
+                permissions: ["posts:create" as Permission],
+            });
+
+            const perms = user.effectivePermissions();
+            assert.equal(perms.has("posts:create" as Permission), true);
+            assert.equal(perms.has("users:read" as Permission), true); // from user role
+        });
+
+        it("returns empty set for user with no roles or permissions", () => {
+            const user = AuthenticatedUser.create("test@example.com");
+            const perms = user.effectivePermissions();
+            assert.equal(perms.size, 0);
+        });
+    });
+
+    describe("serialization", () => {
+        it("toJSON returns plain object", () => {
+            const user = AuthenticatedUser.create("test@example.com", {
+                id: "test-id",
+                displayName: "Test",
+                status: "active",
+                roles: ["admin"],
+                permissions: ["posts:create"],
+            });
+
+            const json = user.toJSON();
+            assert.equal(json.id, "test-id");
+            assert.equal(json.email, "test@example.com");
+            assert.equal(json.displayName, "Test");
+            assert.equal(json.status, "active");
+            assert.deepEqual(json.roles, ["admin"]);
+            assert.deepEqual(json.permissions, ["posts:create"]);
+        });
+
+        it("toString returns readable string", () => {
+            const user = AuthenticatedUser.create("test@example.com", {
+                id: "test-id",
+            });
+            assert.equal(user.toString(), "User(id test-id)");
+        });
+    });
+
+    describe("AnonymousUser", () => {
+        it("isAnonymous returns true", () => {
+            const user = AnonymousUser.create("anon@example.com");
+            assert.equal(user.isAnonymous(), true);
+        });
+
+        it("anonymousUser singleton is anonymous", () => {
+            assert.equal(anonymousUser.isAnonymous(), true);
+            assert.equal(anonymousUser.id, "-1");
+            assert.equal(anonymousUser.email, "anonymous@example.com");
+        });
+    });
+});

backend/diachron/util.spec.ts

@@ -0,0 +1,61 @@
+// Tests for util.ts
+// Pure unit tests with filesystem
+
+import assert from "node:assert/strict";
+import { mkdir, rm, writeFile } from "node:fs/promises";
+import { join } from "node:path";
+import { after, before, describe, it } from "node:test";
+import { loadFile } from "./util";
+
+describe("util", () => {
+    const testDir = join(import.meta.dirname, ".test-util-tmp");
+
+    before(async () => {
+        await mkdir(testDir, { recursive: true });
+    });
+
+    after(async () => {
+        await rm(testDir, { recursive: true, force: true });
+    });
+
+    describe("loadFile", () => {
+        it("loads file contents as string", async () => {
+            const testFile = join(testDir, "test.txt");
+            await writeFile(testFile, "hello world");
+
+            const content = await loadFile(testFile);
+            assert.equal(content, "hello world");
+        });
+
+        it("handles utf-8 content", async () => {
+            const testFile = join(testDir, "utf8.txt");
+            await writeFile(testFile, "hello \u{1F511} world");
+
+            const content = await loadFile(testFile);
+            assert.equal(content, "hello \u{1F511} world");
+        });
+
+        it("handles empty file", async () => {
+            const testFile = join(testDir, "empty.txt");
+            await writeFile(testFile, "");
+
+            const content = await loadFile(testFile);
+            assert.equal(content, "");
+        });
+
+        it("handles multiline content", async () => {
+            const testFile = join(testDir, "multiline.txt");
+            await writeFile(testFile, "line1\nline2\nline3");
+
+            const content = await loadFile(testFile);
+            assert.equal(content, "line1\nline2\nline3");
+        });
+
+        it("throws for nonexistent file", async () => {
+            await assert.rejects(
+                loadFile(join(testDir, "nonexistent.txt")),
+                /ENOENT/,
+            );
+        });
+    });
+});

backend/generated/db.d.ts

@@ -0,0 +1,109 @@
+/**
+ * This file was generated by kysely-codegen.
+ * Please do not edit it manually.
+ */
+
+import type { ColumnType } from "kysely";
+
+export type Generated<T> =
+    T extends ColumnType<infer S, infer I, infer U>
+        ? ColumnType<S, I | undefined, U>
+        : ColumnType<T, T | undefined, T>;
+
+export type Timestamp = ColumnType<Date, Date | string, Date | string>;
+
+export interface _Migrations {
+    applied_at: Generated<Timestamp>;
+    id: Generated<number>;
+    name: string;
+}
+
+export interface Capabilities {
+    description: string | null;
+    id: string;
+    name: string;
+}
+
+export interface Groups {
+    created_at: Generated<Timestamp>;
+    id: string;
+    name: string;
+}
+
+export interface RoleCapabilities {
+    capability_id: string;
+    granted_at: Generated<Timestamp>;
+    revoked_at: Timestamp | null;
+    role_id: string;
+}
+
+export interface Roles {
+    description: string | null;
+    id: string;
+    name: string;
+}
+
+export interface Sessions {
+    auth_method: string;
+    created_at: Generated<Timestamp>;
+    expires_at: Timestamp;
+    id: Generated<string>;
+    ip_address: string | null;
+    is_used: Generated<boolean | null>;
+    revoked_at: Timestamp | null;
+    token_hash: string;
+    token_type: string;
+    user_agent: string | null;
+    user_email_id: string | null;
+    user_id: string;
+}
+
+export interface UserCredentials {
+    created_at: Generated<Timestamp>;
+    credential_type: Generated<string>;
+    id: string;
+    password_hash: string | null;
+    updated_at: Generated<Timestamp>;
+    user_id: string;
+}
+
+export interface UserEmails {
+    created_at: Generated<Timestamp>;
+    email: string;
+    id: string;
+    is_primary: Generated<boolean>;
+    is_verified: Generated<boolean>;
+    normalized_email: string;
+    revoked_at: Timestamp | null;
+    user_id: string;
+    verified_at: Timestamp | null;
+}
+
+export interface UserGroupRoles {
+    granted_at: Generated<Timestamp>;
+    group_id: string;
+    revoked_at: Timestamp | null;
+    role_id: string;
+    user_id: string;
+}
+
+export interface Users {
+    created_at: Generated<Timestamp>;
+    display_name: string | null;
+    id: string;
+    status: Generated<string>;
+    updated_at: Generated<Timestamp>;
+}
+
+export interface DB {
+    _migrations: _Migrations;
+    capabilities: Capabilities;
+    groups: Groups;
+    role_capabilities: RoleCapabilities;
+    roles: Roles;
+    sessions: Sessions;
+    user_credentials: UserCredentials;
+    user_emails: UserEmails;
+    user_group_roles: UserGroupRoles;
+    users: Users;
+}

backend/migrations/2026-01-15_01-create-test-application-table.sql

@@ -0,0 +1 @@
+CREATE TABLE test_application_table ();

backend/migrations/2026-01-15_01.sql

@@ -0,0 +1 @@
+CREATE TABLE test_application_table ();

backend/package.json

@@ -0,0 +1,20 @@
+{
+    "name": "my app",
+    "version": "0.0.1",
+    "description": "",
+    "main": "index.js",
+    "scripts": {
+        "test": "DB_PORT=5433 DB_USER=diachron_test DB_PASSWORD=diachron_test DB_NAME=diachron_test tsx --test '**/*.{test,spec}.ts'",
+        "test:watch": "DB_PORT=5433 DB_USER=diachron_test DB_PASSWORD=diachron_test DB_NAME=diachron_test tsx --test --watch '**/*.{test,spec}.ts'",
+        "nodemon": "nodemon dist/index.js",
+        "kysely-codegen": "kysely-codegen"
+    },
+    "keywords": [],
+    "author": "",
+    "license": "ISC",
+    "packageManager": "pnpm@10.12.4",
+    "dependencies": {
+    },
+    "devDependencies": {
+    }
+}

backend/pnpm-workspace.yaml

@@ -0,0 +1,2 @@
+packages:
+  - 'diachron'

backend/routes.ts

@@ -2,13 +2,13 @@
 
 import nunjucks from "nunjucks";
 import { DateTime } from "ts-luxon";
-import { authRoutes } from "./auth/routes";
-import { routes as basicRoutes } from "./basic/routes";
-import { contentTypes } from "./content-types";
-import { core } from "./core";
-import { multiHandler } from "./handlers";
-import { httpCodes } from "./http-codes";
-import type { Call, Result, Route } from "./types";
+import { authRoutes } from "./diachron/auth/routes";
+import { routes as basicRoutes } from "./diachron/basic/routes";
+import { contentTypes } from "./diachron/content-types";
+import { core } from "./diachron/core";
+import { multiHandler } from "./diachron/handlers";
+import { httpCodes } from "./diachron/http-codes";
+import type { Call, Result, Route } from "./diachron/types";
 
 // FIXME: Obviously put this somewhere else
 const okText = (result: string): Result => {

backend/show-config.sh

@@ -6,7 +6,7 @@ DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 
 check_dir="$DIR"
 
-source "$check_dir"/../framework/shims/common
-source "$check_dir"/../framework/shims/node.common
+source "$check_dir"/../diachron/shims/common
+source "$check_dir"/../diachron/shims/node.common
 
 $ROOT/cmd pnpm tsc --showConfig

backend/tsconfig.json

@@ -9,5 +9,6 @@
         "strict": true,
         "types": ["node"],
         "outDir": "out"
-    }
+    },
+    "exclude": ["**/*.spec.ts", "**/*.test.ts"]
 }

backend/watch.sh

@@ -6,8 +6,8 @@ DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 
 check_dir="$DIR"
 
-source "$check_dir"/../framework/shims/common
-source "$check_dir"/../framework/shims/node.common
+source "$check_dir"/../diachron/shims/common
+source "$check_dir"/../diachron/shims/node.common
 
 # $ROOT/cmd pnpm tsc --lib ES2023  --esModuleInterop -w $check_dir/app.ts
 # $ROOT/cmd pnpm tsc -w $check_dir/app.ts

check.sh

@@ -10,7 +10,7 @@ cd "$DIR"
 #
 exclusions="SC2002"
 
-source "$DIR/framework/versions"
+source "$DIR/diachron/versions"
 
 if [[ $# -ne 0 ]]; then
     shellcheck --exclude="$exclusions" "$@"
@@ -20,10 +20,10 @@ fi
 shell_scripts="$(fd .sh | xargs)"
 
 # The files we need to check all either end in .sh or else they're the files
-# in framework/cmd.d and framework/shims.  -x instructs shellcheck to also
+# in diachron/cmd.d and diachron/shims.  -x instructs shellcheck to also
 # check `source`d files.
 
-shellcheck -x --exclude="$exclusions" "$DIR/cmd" "$DIR"/framework/cmd.d/* "$DIR"/framework/shims/* "$shell_scripts"
+shellcheck -x --exclude="$exclusions" "$DIR/cmd" "$DIR"/diachron/cmd.d/* "$DIR"/diachron/shims/* "$shell_scripts"
 
 pushd "$DIR/master"
 docker run --rm -v $(pwd):/app -w /app golangci/golangci-lint:$golangci_lint golangci-lint run

cmd

@@ -13,7 +13,7 @@ if [ $# -lt 1 ]; then
     echo "Usage: ./cmd <command> [args...]"
     echo ""
     echo "Available commands:"
-    for cmd in "$DIR"/framework/cmd.d/*; do
+    for cmd in "$DIR"/diachron/cmd.d/*; do
         if [ -x "$cmd" ]; then
             basename "$cmd"
         fi
@@ -24,4 +24,4 @@ fi
 subcmd="$1"
 shift
 
-exec "$DIR"/framework/cmd.d/"$subcmd" "$@"
+exec "$DIR"/diachron/cmd.d/"$subcmd" "$@"

develop

@@ -13,7 +13,7 @@ if [ $# -lt 1 ]; then
     echo "Usage: ./develop <command> [args...]"
     echo ""
     echo "Available commands:"
-    for cmd in "$DIR"/framework/develop.d/*; do
+    for cmd in "$DIR"/diachron/develop.d/*; do
         if [ -x "$cmd" ]; then
             basename "$cmd"
         fi
@@ -24,4 +24,4 @@ fi
 subcmd="$1"
 shift
 
-exec "$DIR"/framework/develop.d/"$subcmd" "$@"
+exec "$DIR"/diachron/develop.d/"$subcmd" "$@"

diachron/cmd.d/test

@@ -0,0 +1,15 @@
+#!/bin/bash
+
+set -eu
+
+DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+
+cd "$DIR/../../backend"
+
+if [ $# -eq 0 ]; then
+    # Find all test files - use -print0/xargs to handle filenames safely
+    find . -type f \( -name '*.spec.ts' -o -name '*.test.ts' \) -print0 |
+        xargs -0 "$DIR"/../shims/pnpm tsx --test
+else
+    "$DIR"/../shims/pnpm tsx --test "$@"
+fi

diachron/common.d/migrate

@@ -5,5 +5,5 @@ set -eu
 DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 ROOT="$DIR/../.."
 
-cd "$ROOT/express"
+cd "$ROOT/backend"
 "$DIR"/tsx migrate.ts "$@"