Provides the threadline_operator_surface/2 macro to mount the Threadline LiveView interface within a Phoenix router.

This module enforces a secure-by-default mount by requiring either:

1. A pipe_through directive in the enclosing router scope.
2. An explicit :authorize_fn option.
3. An explicit :adopter_acknowledges_unauthenticated option.

Export endpoints (Phase 65+)

When phoenix is available at compile time, the macro also emits a sibling scope <path>/exports block with three GET routes — /changes.csv, /changes.json, /changes.ndjson — backed by Threadline.OperatorSurface.Controllers.ExportController. The export endpoints are guarded by Threadline.OperatorSurface.ExportAuthPlug (Conn-shaped twin of Threadline.OperatorSurface.Auth.on_mount/4).

The sibling scope is OUTSIDE the live_session :threadline block because live_session's on_mount callback does not apply to get/3 routes; the controller scope needs its own auth plug. LiveDashboard alias: false, as: false hygiene is preserved so the host's alias namespace is not polluted.

Options (Phase 65+)

• :exports (boolean, default true) — set to false to suppress the sibling export-controller scope (rare LV-only adopters).
• :scope_query_fn ((Ecto.Query.t(), scope, %{surface: atom(), params: map()} -> Ecto.Query.t()), optional) — host-owned query transform used when :authorize_fn returns {:ok, scope}. Threadline treats scope as opaque data and calls this function for timeline, actor-history, transaction, and export flows.

• :export_authorize_fn ((Plug.Conn.t() -> :ok | true | {:ok, scope} | _), default delegates to :authorize_fn via a synthetic %{assigns: conn.assigns} mirror) — Conn-shaped authorize callback for HTTP requests. The v1.17 :authorize_fn.(socket) contract is preserved verbatim; this is an additive opt that lets adopters provide a separate callback for the HTTP-side surface if they need one (rare — the synthetic mirror is sufficient for most cases since adopter functions typically only access assigns.current_user or similar).