@byline/admin 0.9.3

package/dist/lib/assert-admin-actor.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"assert-admin-actor.js","sourceRoot":"","sources":["../../src/lib/assert-admin-actor.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAkB,mBAAmB,EAAE,WAAW,EAAuB,MAAM,cAAc,CAAA;AAEpG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AACH,MAAM,UAAU,gBAAgB,CAAC,OAAmC,EAAE,OAAe;IACnF,MAAM,KAAK,GAAG,iBAAiB,CAAC,OAAO,EAAE,2BAA2B,OAAO,GAAG,CAAC,CAAA;IAC/E,KAAK,CAAC,aAAa,CAAC,OAAO,CAAC,CAAA;IAC5B,OAAO,KAAK,CAAA;AACd,CAAC;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,UAAU,iBAAiB,CAC/B,OAAmC,EACnC,YAAoB;IAEpB,IAAI,CAAC,OAAO,EAAE,CAAC;QACb,MAAM,mBAAmB,CAAC;YACxB,OAAO,EACL,6BAA6B,YAAY,mCAAmC;gBAC5E,uFAAuF;gBACvF,uCAAuC;SAC1C,CAAC,CAAA;IACJ,CAAC;IAED,MAAM,EAAE,KAAK,EAAE,GAAG,OAAO,CAAA;IACzB,IAAI,KAAK,IAAI,IAAI,EAAE,CAAC;QAClB,MAAM,mBAAmB,CAAC;YACxB,OAAO,EAAE,mCAAmC,YAAY,EAAE;SAC3D,CAAC,CAAA;IACJ,CAAC;IACD,IAAI,CAAC,WAAW,CAAC,KAAK,CAAC,EAAE,CAAC;QACxB,MAAM,mBAAmB,CAAC;YACxB,OAAO,EAAE,kCAAkC,YAAY,EAAE;SAC1D,CAAC,CAAA;IACJ,CAAC;IAED,OAAO,KAAK,CAAA;AACd,CAAC"}

package/dist/modules/admin-account/commands.d.ts

@@ -0,0 +1,30 @@
+/**
+ * This Source Code is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * Copyright (c) Infonomic Company Limited
+ */
+import type { RequestContext } from '@byline/auth';
+import type { AdminStore } from '../../store.js';
+import type { AccountResponse } from './schemas.js';
+/**
+ * Transport-agnostic commands for admin-account self-service.
+ *
+ * Same shape as the other admin module commands (`*-users`, `*-roles`,
+ * `*-permissions`) with one deliberate difference: enforcement uses
+ * `requireAdminActor` rather than `assertAdminActor`. There is no
+ * ability key to gate against — the security property is "you may
+ * only mutate your own row," and these commands enforce it
+ * structurally by sourcing the target id from `actor.id` rather than
+ * from the request payload. A request with an `id` field would have
+ * no way to express "operate on someone else" because the schemas
+ * don't accept one.
+ */
+export interface AdminAccountCommandDeps {
+    store: AdminStore;
+}
+export declare function getAccountCommand(context: RequestContext | undefined, input: unknown, deps: AdminAccountCommandDeps): Promise<AccountResponse>;
+export declare function updateAccountCommand(context: RequestContext | undefined, input: unknown, deps: AdminAccountCommandDeps): Promise<AccountResponse>;
+export declare function changeAccountPasswordCommand(context: RequestContext | undefined, input: unknown, deps: AdminAccountCommandDeps): Promise<AccountResponse>;
+//# sourceMappingURL=commands.d.ts.map

package/dist/modules/admin-account/commands.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"commands.d.ts","sourceRoot":"","sources":["../../../src/modules/admin-account/commands.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,cAAc,CAAA;AAUlD,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,gBAAgB,CAAA;AAChD,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,cAAc,CAAA;AAEnD;;;;;;;;;;;;GAYG;AAEH,MAAM,WAAW,uBAAuB;IACtC,KAAK,EAAE,UAAU,CAAA;CAClB;AAMD,wBAAsB,iBAAiB,CACrC,OAAO,EAAE,cAAc,GAAG,SAAS,EACnC,KAAK,EAAE,OAAO,EACd,IAAI,EAAE,uBAAuB,GAC5B,OAAO,CAAC,eAAe,CAAC,CAQ1B;AAED,wBAAsB,oBAAoB,CACxC,OAAO,EAAE,cAAc,GAAG,SAAS,EACnC,KAAK,EAAE,OAAO,EACd,IAAI,EAAE,uBAAuB,GAC5B,OAAO,CAAC,eAAe,CAAC,CAK1B;AAED,wBAAsB,4BAA4B,CAChD,OAAO,EAAE,cAAc,GAAG,SAAS,EACnC,KAAK,EAAE,OAAO,EACd,IAAI,EAAE,uBAAuB,GAC5B,OAAO,CAAC,eAAe,CAAC,CAK1B"}

package/dist/modules/admin-account/commands.js

@@ -0,0 +1,36 @@
+/**
+ * This Source Code is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * Copyright (c) Infonomic Company Limited
+ */
+import { requireAdminActor } from '../../lib/assert-admin-actor.js';
+import { adminUserResponseSchema } from '../admin-users/schemas.js';
+import { changeAccountPasswordRequestSchema, getAccountRequestSchema, updateAccountRequestSchema, } from './schemas.js';
+import { AdminAccountService } from './service.js';
+function serviceOf(deps) {
+    return new AdminAccountService({ repo: deps.store.adminUsers });
+}
+export async function getAccountCommand(context, input, deps) {
+    // No-op parse — `getAccountRequestSchema` is `{}.strict()` so it
+    // rejects stray payloads but yields no usable data. The schema is
+    // validated for shape consistency with the other commands.
+    getAccountRequestSchema.parse(input ?? {});
+    const actor = requireAdminActor(context, 'reading own admin account');
+    const result = await serviceOf(deps).getAccount(actor.id);
+    return adminUserResponseSchema.parse(result);
+}
+export async function updateAccountCommand(context, input, deps) {
+    const parsed = updateAccountRequestSchema.parse(input);
+    const actor = requireAdminActor(context, 'updating own admin account');
+    const result = await serviceOf(deps).updateAccount(actor.id, parsed);
+    return adminUserResponseSchema.parse(result);
+}
+export async function changeAccountPasswordCommand(context, input, deps) {
+    const parsed = changeAccountPasswordRequestSchema.parse(input);
+    const actor = requireAdminActor(context, 'changing own admin password');
+    const result = await serviceOf(deps).changePassword(actor.id, parsed);
+    return adminUserResponseSchema.parse(result);
+}
+//# sourceMappingURL=commands.js.map

package/dist/modules/admin-account/commands.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"commands.js","sourceRoot":"","sources":["../../../src/modules/admin-account/commands.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAIH,OAAO,EAAE,iBAAiB,EAAE,MAAM,iCAAiC,CAAA;AACnE,OAAO,EAAE,uBAAuB,EAAE,MAAM,2BAA2B,CAAA;AACnE,OAAO,EACL,kCAAkC,EAClC,uBAAuB,EACvB,0BAA0B,GAC3B,MAAM,cAAc,CAAA;AACrB,OAAO,EAAE,mBAAmB,EAAE,MAAM,cAAc,CAAA;AAsBlD,SAAS,SAAS,CAAC,IAA6B;IAC9C,OAAO,IAAI,mBAAmB,CAAC,EAAE,IAAI,EAAE,IAAI,CAAC,KAAK,CAAC,UAAU,EAAE,CAAC,CAAA;AACjE,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,iBAAiB,CACrC,OAAmC,EACnC,KAAc,EACd,IAA6B;IAE7B,iEAAiE;IACjE,kEAAkE;IAClE,2DAA2D;IAC3D,uBAAuB,CAAC,KAAK,CAAC,KAAK,IAAI,EAAE,CAAC,CAAA;IAC1C,MAAM,KAAK,GAAG,iBAAiB,CAAC,OAAO,EAAE,2BAA2B,CAAC,CAAA;IACrE,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,IAAI,CAAC,CAAC,UAAU,CAAC,KAAK,CAAC,EAAE,CAAC,CAAA;IACzD,OAAO,uBAAuB,CAAC,KAAK,CAAC,MAAM,CAAC,CAAA;AAC9C,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,oBAAoB,CACxC,OAAmC,EACnC,KAAc,EACd,IAA6B;IAE7B,MAAM,MAAM,GAAG,0BAA0B,CAAC,KAAK,CAAC,KAAK,CAAC,CAAA;IACtD,MAAM,KAAK,GAAG,iBAAiB,CAAC,OAAO,EAAE,4BAA4B,CAAC,CAAA;IACtE,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,IAAI,CAAC,CAAC,aAAa,CAAC,KAAK,CAAC,EAAE,EAAE,MAAM,CAAC,CAAA;IACpE,OAAO,uBAAuB,CAAC,KAAK,CAAC,MAAM,CAAC,CAAA;AAC9C,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,4BAA4B,CAChD,OAAmC,EACnC,KAAc,EACd,IAA6B;IAE7B,MAAM,MAAM,GAAG,kCAAkC,CAAC,KAAK,CAAC,KAAK,CAAC,CAAA;IAC9D,MAAM,KAAK,GAAG,iBAAiB,CAAC,OAAO,EAAE,6BAA6B,CAAC,CAAA;IACvE,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,IAAI,CAAC,CAAC,cAAc,CAAC,KAAK,CAAC,EAAE,EAAE,MAAM,CAAC,CAAA;IACrE,OAAO,uBAAuB,CAAC,KAAK,CAAC,MAAM,CAAC,CAAA;AAC9C,CAAC"}

package/dist/modules/admin-account/errors.d.ts

@@ -0,0 +1,52 @@
+/**
+ * This Source Code is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * Copyright (c) Infonomic Company Limited
+ */
+/**
+ * Module-local error codes for admin-account self-service.
+ *
+ * Same `code + factory` shape as the other admin modules. The codes are
+ * prefixed `admin.account.*` so they sort alongside any future
+ * `admin.account` ability keys (today there are none — self-service is
+ * gated only by "you must be authenticated and you can only act on
+ * yourself") and so transport layers can branch on them distinctly
+ * from `admin.users.*`. Note that `admin.users.versionConflict` and
+ * `admin.users.emailInUse` are also reachable here because the service
+ * delegates to `AdminUsersRepository.update` / `setPasswordHash`; both
+ * are deliberately surfaced unmodified so the UI sees a single error
+ * code per condition.
+ */
+export declare const AdminAccountErrorCodes: {
+    readonly NOT_FOUND: "admin.account.notFound";
+    readonly INVALID_CURRENT_PASSWORD: "admin.account.invalidCurrentPassword";
+};
+export type AdminAccountErrorCode = (typeof AdminAccountErrorCodes)[keyof typeof AdminAccountErrorCodes];
+export interface AdminAccountErrorOptions {
+    message?: string;
+    cause?: unknown;
+}
+export declare class AdminAccountError extends Error {
+    readonly code: AdminAccountErrorCode;
+    constructor(code: AdminAccountErrorCode, options: {
+        message: string;
+        cause?: unknown;
+    });
+}
+/**
+ * The actor's admin-user id no longer resolves to a row. Typically
+ * means the session refers to a user that has been deleted out of band
+ * — the transport handler should clear cookies and redirect to
+ * sign-in.
+ */
+export declare const ERR_ADMIN_ACCOUNT_NOT_FOUND: (options?: AdminAccountErrorOptions) => AdminAccountError;
+/**
+ * The supplied current password did not verify against the stored hash.
+ * Returned for the change-password flow — message is intentionally
+ * generic so it can be surfaced verbatim to end users without leaking
+ * timing or existence signals.
+ */
+export declare const ERR_ADMIN_ACCOUNT_INVALID_CURRENT_PASSWORD: (options?: AdminAccountErrorOptions) => AdminAccountError;
+//# sourceMappingURL=errors.d.ts.map

package/dist/modules/admin-account/errors.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../../../src/modules/admin-account/errors.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH;;;;;;;;;;;;;GAaG;AAEH,eAAO,MAAM,sBAAsB;;;CAGzB,CAAA;AAEV,MAAM,MAAM,qBAAqB,GAC/B,CAAC,OAAO,sBAAsB,CAAC,CAAC,MAAM,OAAO,sBAAsB,CAAC,CAAA;AAEtE,MAAM,WAAW,wBAAwB;IACvC,OAAO,CAAC,EAAE,MAAM,CAAA;IAChB,KAAK,CAAC,EAAE,OAAO,CAAA;CAChB;AAED,qBAAa,iBAAkB,SAAQ,KAAK;IAC1C,SAAgB,IAAI,EAAE,qBAAqB,CAAA;gBAE/B,IAAI,EAAE,qBAAqB,EAAE,OAAO,EAAE;QAAE,OAAO,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,OAAO,CAAA;KAAE;CAKvF;AAUD;;;;;GAKG;AACH,eAAO,MAAM,2BAA2B,aAZ3B,wBAAwB,KAAG,iBAevC,CAAA;AAED;;;;;GAKG;AACH,eAAO,MAAM,0CAA0C,aAvB1C,wBAAwB,KAAG,iBA0BvC,CAAA"}

package/dist/modules/admin-account/errors.js

@@ -0,0 +1,52 @@
+/**
+ * This Source Code is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * Copyright (c) Infonomic Company Limited
+ */
+/**
+ * Module-local error codes for admin-account self-service.
+ *
+ * Same `code + factory` shape as the other admin modules. The codes are
+ * prefixed `admin.account.*` so they sort alongside any future
+ * `admin.account` ability keys (today there are none — self-service is
+ * gated only by "you must be authenticated and you can only act on
+ * yourself") and so transport layers can branch on them distinctly
+ * from `admin.users.*`. Note that `admin.users.versionConflict` and
+ * `admin.users.emailInUse` are also reachable here because the service
+ * delegates to `AdminUsersRepository.update` / `setPasswordHash`; both
+ * are deliberately surfaced unmodified so the UI sees a single error
+ * code per condition.
+ */
+export const AdminAccountErrorCodes = {
+    NOT_FOUND: 'admin.account.notFound',
+    INVALID_CURRENT_PASSWORD: 'admin.account.invalidCurrentPassword',
+};
+export class AdminAccountError extends Error {
+    code;
+    constructor(code, options) {
+        super(options.message, options.cause != null ? { cause: options.cause } : undefined);
+        this.name = 'AdminAccountError';
+        this.code = code;
+    }
+}
+const make = (code, defaultMessage) => (options) => new AdminAccountError(code, {
+    message: options?.message ?? defaultMessage,
+    cause: options?.cause,
+});
+/**
+ * The actor's admin-user id no longer resolves to a row. Typically
+ * means the session refers to a user that has been deleted out of band
+ * — the transport handler should clear cookies and redirect to
+ * sign-in.
+ */
+export const ERR_ADMIN_ACCOUNT_NOT_FOUND = make(AdminAccountErrorCodes.NOT_FOUND, 'admin account not found');
+/**
+ * The supplied current password did not verify against the stored hash.
+ * Returned for the change-password flow — message is intentionally
+ * generic so it can be surfaced verbatim to end users without leaking
+ * timing or existence signals.
+ */
+export const ERR_ADMIN_ACCOUNT_INVALID_CURRENT_PASSWORD = make(AdminAccountErrorCodes.INVALID_CURRENT_PASSWORD, 'current password is incorrect');
+//# sourceMappingURL=errors.js.map

package/dist/modules/admin-account/errors.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.js","sourceRoot":"","sources":["../../../src/modules/admin-account/errors.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH;;;;;;;;;;;;;GAaG;AAEH,MAAM,CAAC,MAAM,sBAAsB,GAAG;IACpC,SAAS,EAAE,wBAAwB;IACnC,wBAAwB,EAAE,sCAAsC;CACxD,CAAA;AAUV,MAAM,OAAO,iBAAkB,SAAQ,KAAK;IAC1B,IAAI,CAAuB;IAE3C,YAAY,IAA2B,EAAE,OAA6C;QACpF,KAAK,CAAC,OAAO,CAAC,OAAO,EAAE,OAAO,CAAC,KAAK,IAAI,IAAI,CAAC,CAAC,CAAC,EAAE,KAAK,EAAE,OAAO,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC,CAAA;QACpF,IAAI,CAAC,IAAI,GAAG,mBAAmB,CAAA;QAC/B,IAAI,CAAC,IAAI,GAAG,IAAI,CAAA;IAClB,CAAC;CACF;AAED,MAAM,IAAI,GACR,CAAC,IAA2B,EAAE,cAAsB,EAAE,EAAE,CACxD,CAAC,OAAkC,EAAqB,EAAE,CACxD,IAAI,iBAAiB,CAAC,IAAI,EAAE;IAC1B,OAAO,EAAE,OAAO,EAAE,OAAO,IAAI,cAAc;IAC3C,KAAK,EAAE,OAAO,EAAE,KAAK;CACtB,CAAC,CAAA;AAEN;;;;;GAKG;AACH,MAAM,CAAC,MAAM,2BAA2B,GAAG,IAAI,CAC7C,sBAAsB,CAAC,SAAS,EAChC,yBAAyB,CAC1B,CAAA;AAED;;;;;GAKG;AACH,MAAM,CAAC,MAAM,0CAA0C,GAAG,IAAI,CAC5D,sBAAsB,CAAC,wBAAwB,EAC/C,+BAA+B,CAChC,CAAA"}

package/dist/modules/admin-account/index.d.ts

@@ -0,0 +1,37 @@
+/**
+ * This Source Code is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * Copyright (c) Infonomic Company Limited
+ */
+/**
+ * `@byline/admin/admin-account` — self-service surfaces for the currently
+ * signed-in admin user.
+ *
+ * Distinct from `@byline/admin/admin-users` in two ways:
+ *
+ *   1. The actor IS the target. Commands take no `id` field — the
+ *      target is sourced from `actor.id` on the authenticated
+ *      `RequestContext`. There is no way at the command surface to
+ *      ask "operate on someone else."
+ *   2. There is no ability gate. The other admin modules use
+ *      `assertAdminActor(context, ability)`; this module uses
+ *      `requireAdminActor(context)` — authn-only. "Anyone may change
+ *      their own password" is the policy.
+ *
+ * Reuses `AdminUsersRepository` from `@byline/admin/admin-users` rather
+ * than introducing a parallel repo — the table is the same and the
+ * narrower self-service surface is structural rather than physical.
+ *
+ * Active-session listing / revocation is intentionally not included
+ * yet — that depends on `RefreshTokensRepository` semantics and a
+ * "sign out everywhere on password change" follow-up.
+ */
+export { changeAccountPasswordCommand, getAccountCommand, updateAccountCommand, } from './commands.js';
+export { AdminAccountError, type AdminAccountErrorCode, AdminAccountErrorCodes, ERR_ADMIN_ACCOUNT_INVALID_CURRENT_PASSWORD, ERR_ADMIN_ACCOUNT_NOT_FOUND, } from './errors.js';
+export { accountResponseSchema, changeAccountPasswordRequestSchema, getAccountRequestSchema, okResponseSchema, updateAccountRequestSchema, } from './schemas.js';
+export { AdminAccountService } from './service.js';
+export type { AdminAccountCommandDeps } from './commands.js';
+export type { AccountResponse, ChangeAccountPasswordRequest, GetAccountRequest, OkResponse, UpdateAccountRequest, } from './schemas.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/modules/admin-account/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/modules/admin-account/index.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH;;;;;;;;;;;;;;;;;;;;;;GAsBG;AAEH,OAAO,EACL,4BAA4B,EAC5B,iBAAiB,EACjB,oBAAoB,GACrB,MAAM,eAAe,CAAA;AACtB,OAAO,EACL,iBAAiB,EACjB,KAAK,qBAAqB,EAC1B,sBAAsB,EACtB,0CAA0C,EAC1C,2BAA2B,GAC5B,MAAM,aAAa,CAAA;AACpB,OAAO,EACL,qBAAqB,EACrB,kCAAkC,EAClC,uBAAuB,EACvB,gBAAgB,EAChB,0BAA0B,GAC3B,MAAM,cAAc,CAAA;AACrB,OAAO,EAAE,mBAAmB,EAAE,MAAM,cAAc,CAAA;AAClD,YAAY,EAAE,uBAAuB,EAAE,MAAM,eAAe,CAAA;AAC5D,YAAY,EACV,eAAe,EACf,4BAA4B,EAC5B,iBAAiB,EACjB,UAAU,EACV,oBAAoB,GACrB,MAAM,cAAc,CAAA"}

package/dist/modules/admin-account/index.js

@@ -0,0 +1,35 @@
+/**
+ * This Source Code is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * Copyright (c) Infonomic Company Limited
+ */
+/**
+ * `@byline/admin/admin-account` — self-service surfaces for the currently
+ * signed-in admin user.
+ *
+ * Distinct from `@byline/admin/admin-users` in two ways:
+ *
+ *   1. The actor IS the target. Commands take no `id` field — the
+ *      target is sourced from `actor.id` on the authenticated
+ *      `RequestContext`. There is no way at the command surface to
+ *      ask "operate on someone else."
+ *   2. There is no ability gate. The other admin modules use
+ *      `assertAdminActor(context, ability)`; this module uses
+ *      `requireAdminActor(context)` — authn-only. "Anyone may change
+ *      their own password" is the policy.
+ *
+ * Reuses `AdminUsersRepository` from `@byline/admin/admin-users` rather
+ * than introducing a parallel repo — the table is the same and the
+ * narrower self-service surface is structural rather than physical.
+ *
+ * Active-session listing / revocation is intentionally not included
+ * yet — that depends on `RefreshTokensRepository` semantics and a
+ * "sign out everywhere on password change" follow-up.
+ */
+export { changeAccountPasswordCommand, getAccountCommand, updateAccountCommand, } from './commands.js';
+export { AdminAccountError, AdminAccountErrorCodes, ERR_ADMIN_ACCOUNT_INVALID_CURRENT_PASSWORD, ERR_ADMIN_ACCOUNT_NOT_FOUND, } from './errors.js';
+export { accountResponseSchema, changeAccountPasswordRequestSchema, getAccountRequestSchema, okResponseSchema, updateAccountRequestSchema, } from './schemas.js';
+export { AdminAccountService } from './service.js';
+//# sourceMappingURL=index.js.map

package/dist/modules/admin-account/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/modules/admin-account/index.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH;;;;;;;;;;;;;;;;;;;;;;GAsBG;AAEH,OAAO,EACL,4BAA4B,EAC5B,iBAAiB,EACjB,oBAAoB,GACrB,MAAM,eAAe,CAAA;AACtB,OAAO,EACL,iBAAiB,EAEjB,sBAAsB,EACtB,0CAA0C,EAC1C,2BAA2B,GAC5B,MAAM,aAAa,CAAA;AACpB,OAAO,EACL,qBAAqB,EACrB,kCAAkC,EAClC,uBAAuB,EACvB,gBAAgB,EAChB,0BAA0B,GAC3B,MAAM,cAAc,CAAA;AACrB,OAAO,EAAE,mBAAmB,EAAE,MAAM,cAAc,CAAA"}

package/dist/modules/admin-account/schemas.d.ts

@@ -0,0 +1,31 @@
+/**
+ * This Source Code is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * Copyright (c) Infonomic Company Limited
+ */
+import { z } from 'zod';
+import { adminUserResponseSchema, okResponseSchema } from '../admin-users/schemas.js';
+/** No payload — target is the actor on context. */
+export declare const getAccountRequestSchema: z.ZodObject<{}, z.core.$strict>;
+export type GetAccountRequest = z.infer<typeof getAccountRequestSchema>;
+export declare const updateAccountRequestSchema: z.ZodObject<{
+    vid: z.ZodNumber;
+    patch: z.ZodObject<{
+        email: z.ZodOptional<z.ZodPipe<z.ZodEmail, z.ZodTransform<string, string>>>;
+        given_name: z.ZodOptional<z.ZodNullable<z.ZodString>>;
+        family_name: z.ZodOptional<z.ZodNullable<z.ZodString>>;
+        username: z.ZodOptional<z.ZodNullable<z.ZodString>>;
+    }, z.core.$strip>;
+}, z.core.$strip>;
+export type UpdateAccountRequest = z.infer<typeof updateAccountRequestSchema>;
+export declare const changeAccountPasswordRequestSchema: z.ZodObject<{
+    vid: z.ZodNumber;
+    currentPassword: z.ZodString;
+    newPassword: z.ZodString;
+}, z.core.$strip>;
+export type ChangeAccountPasswordRequest = z.infer<typeof changeAccountPasswordRequestSchema>;
+export { adminUserResponseSchema as accountResponseSchema, okResponseSchema };
+export type { AdminUserResponse as AccountResponse, OkResponse } from '../admin-users/schemas.js';
+//# sourceMappingURL=schemas.d.ts.map

package/dist/modules/admin-account/schemas.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"schemas.d.ts","sourceRoot":"","sources":["../../../src/modules/admin-account/schemas.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AA2BH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAEvB,OAAO,EAAE,uBAAuB,EAAE,gBAAgB,EAAE,MAAM,2BAA2B,CAAA;AAmBrF,mDAAmD;AACnD,eAAO,MAAM,uBAAuB,iCAAwB,CAAA;AAC5D,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,uBAAuB,CAAC,CAAA;AAEvE,eAAO,MAAM,0BAA0B;;;;;;;;iBAUrC,CAAA;AACF,MAAM,MAAM,oBAAoB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,0BAA0B,CAAC,CAAA;AAE7E,eAAO,MAAM,kCAAkC;;;;iBAI7C,CAAA;AACF,MAAM,MAAM,4BAA4B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kCAAkC,CAAC,CAAA;AAM7F,OAAO,EAAE,uBAAuB,IAAI,qBAAqB,EAAE,gBAAgB,EAAE,CAAA;AAC7E,YAAY,EAAE,iBAAiB,IAAI,eAAe,EAAE,UAAU,EAAE,MAAM,2BAA2B,CAAA"}

package/dist/modules/admin-account/schemas.js

@@ -0,0 +1,69 @@
+/**
+ * This Source Code is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * Copyright (c) Infonomic Company Limited
+ */
+/**
+ * Zod schemas for the admin-account commands.
+ *
+ * Self-service is intentionally narrower than admin-users:
+ *
+ *   - The actor IS the target. None of the request schemas accept an
+ *     `id` field — the command resolves the target from
+ *     `actor.id`. Persisting `id` in the request shape would
+ *     immediately invite "but what if I pass someone else's id?"
+ *     mistakes downstream.
+ *   - The update patch excludes `is_super_admin`, `is_enabled`, and
+ *     `is_email_verified`. Self-service must never let a user grant
+ *     themselves super-admin or flip their own enabled state. Those
+ *     fields stay editable through the admin-users module by an admin
+ *     who holds the relevant ability.
+ *   - `changePassword` requires the *current* password as a defence
+ *     against session-hijack abuse: an attacker with a stolen session
+ *     cookie still needs the password they don't have to swap it out.
+ *
+ * The response shape is the same as `adminUserResponseSchema` so the
+ * admin-account UI and the admin-users UI render the same row shape
+ * — re-exported here for convenience.
+ */
+import { passwordSchema } from '@byline/core/validation';
+import { z } from 'zod';
+import { adminUserResponseSchema, okResponseSchema } from '../admin-users/schemas.js';
+const vidSchema = z
+    .number({ message: 'vid is required' })
+    .int({ message: 'vid must be an integer' })
+    .positive({ message: 'vid must be positive' });
+const emailSchema = z
+    .email({ message: 'email must be a valid address' })
+    .min(3)
+    .max(254)
+    .transform((v) => v.toLowerCase());
+const nameSchema = z.string().min(1).max(100);
+// ---------------------------------------------------------------------------
+// Requests
+// ---------------------------------------------------------------------------
+/** No payload — target is the actor on context. */
+export const getAccountRequestSchema = z.object({}).strict();
+export const updateAccountRequestSchema = z.object({
+    vid: vidSchema,
+    patch: z
+        .object({
+        email: emailSchema.optional(),
+        given_name: nameSchema.nullish(),
+        family_name: nameSchema.nullish(),
+        username: z.string().min(1).max(100).nullish(),
+    })
+        .refine((p) => Object.keys(p).length > 0, { message: 'patch cannot be empty' }),
+});
+export const changeAccountPasswordRequestSchema = z.object({
+    vid: vidSchema,
+    currentPassword: z.string().min(1, { message: 'current password is required' }),
+    newPassword: passwordSchema,
+});
+// ---------------------------------------------------------------------------
+// Responses (re-exports — same shape as the admin-users module)
+// ---------------------------------------------------------------------------
+export { adminUserResponseSchema as accountResponseSchema, okResponseSchema };
+//# sourceMappingURL=schemas.js.map

package/dist/modules/admin-account/schemas.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"schemas.js","sourceRoot":"","sources":["../../../src/modules/admin-account/schemas.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH;;;;;;;;;;;;;;;;;;;;;;GAsBG;AAEH,OAAO,EAAE,cAAc,EAAE,MAAM,yBAAyB,CAAA;AACxD,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAEvB,OAAO,EAAE,uBAAuB,EAAE,gBAAgB,EAAE,MAAM,2BAA2B,CAAA;AAErF,MAAM,SAAS,GAAG,CAAC;KAChB,MAAM,CAAC,EAAE,OAAO,EAAE,iBAAiB,EAAE,CAAC;KACtC,GAAG,CAAC,EAAE,OAAO,EAAE,wBAAwB,EAAE,CAAC;KAC1C,QAAQ,CAAC,EAAE,OAAO,EAAE,sBAAsB,EAAE,CAAC,CAAA;AAEhD,MAAM,WAAW,GAAG,CAAC;KAClB,KAAK,CAAC,EAAE,OAAO,EAAE,+BAA+B,EAAE,CAAC;KACnD,GAAG,CAAC,CAAC,CAAC;KACN,GAAG,CAAC,GAAG,CAAC;KACR,SAAS,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAA;AAEpC,MAAM,UAAU,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAA;AAE7C,8EAA8E;AAC9E,WAAW;AACX,8EAA8E;AAE9E,mDAAmD;AACnD,MAAM,CAAC,MAAM,uBAAuB,GAAG,CAAC,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,MAAM,EAAE,CAAA;AAG5D,MAAM,CAAC,MAAM,0BAA0B,GAAG,CAAC,CAAC,MAAM,CAAC;IACjD,GAAG,EAAE,SAAS;IACd,KAAK,EAAE,CAAC;SACL,MAAM,CAAC;QACN,KAAK,EAAE,WAAW,CAAC,QAAQ,EAAE;QAC7B,UAAU,EAAE,UAAU,CAAC,OAAO,EAAE;QAChC,WAAW,EAAE,UAAU,CAAC,OAAO,EAAE;QACjC,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,OAAO,EAAE;KAC/C,CAAC;SACD,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,EAAE,EAAE,OAAO,EAAE,uBAAuB,EAAE,CAAC;CAClF,CAAC,CAAA;AAGF,MAAM,CAAC,MAAM,kCAAkC,GAAG,CAAC,CAAC,MAAM,CAAC;IACzD,GAAG,EAAE,SAAS;IACd,eAAe,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,CAAC,CAAC,EAAE,EAAE,OAAO,EAAE,8BAA8B,EAAE,CAAC;IAC/E,WAAW,EAAE,cAAc;CAC5B,CAAC,CAAA;AAGF,8EAA8E;AAC9E,gEAAgE;AAChE,8EAA8E;AAE9E,OAAO,EAAE,uBAAuB,IAAI,qBAAqB,EAAE,gBAAgB,EAAE,CAAA"}

package/dist/modules/admin-account/service.d.ts

@@ -0,0 +1,44 @@
+/**
+ * This Source Code is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * Copyright (c) Infonomic Company Limited
+ */
+import type { AdminUsersRepository } from '../admin-users/repository.js';
+import type { AccountResponse, ChangeAccountPasswordRequest, UpdateAccountRequest } from './schemas.js';
+/**
+ * Self-service business logic for the currently signed-in admin user.
+ *
+ * Reuses `AdminUsersRepository` rather than introducing a parallel
+ * repository — the underlying table is the same, and self-service is
+ * just a narrower surface over it. The narrowing is structural:
+ *
+ *   - Every method takes `actorId` (sourced server-side from the
+ *     authenticated `RequestContext`) and uses it as the target id.
+ *     Callers cannot supply a target id; commands look it up from
+ *     `actor.id` and pass it in.
+ *   - `updateAccount` excludes `is_super_admin`, `is_enabled`, and
+ *     `is_email_verified` from the writable surface. The schema
+ *     already strips them, but the service signature reinforces it.
+ *   - `changePassword` verifies the *current* password before swapping
+ *     in the new hash. A hijacked session cannot use this flow to lock
+ *     out the legitimate owner.
+ *
+ * Note on session revocation: changing a password here does **not**
+ * currently revoke other refresh tokens — existing access tokens stay
+ * valid until their 15-minute expiry, and other refresh tokens remain
+ * useable. A "sign out everywhere on password change" follow-up should
+ * call `RefreshTokensRepository.revokeAllExcept(adminUserId, currentJti)`
+ * once that lands.
+ */
+export declare class AdminAccountService {
+    #private;
+    constructor(deps: {
+        repo: AdminUsersRepository;
+    });
+    getAccount(actorId: string): Promise<AccountResponse>;
+    updateAccount(actorId: string, request: UpdateAccountRequest): Promise<AccountResponse>;
+    changePassword(actorId: string, request: ChangeAccountPasswordRequest): Promise<AccountResponse>;
+}
+//# sourceMappingURL=service.d.ts.map

package/dist/modules/admin-account/service.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"service.d.ts","sourceRoot":"","sources":["../../../src/modules/admin-account/service.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AASH,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,8BAA8B,CAAA;AACxE,OAAO,KAAK,EACV,eAAe,EACf,4BAA4B,EAC5B,oBAAoB,EACrB,MAAM,cAAc,CAAA;AAErB;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,qBAAa,mBAAmB;;gBAGlB,IAAI,EAAE;QAAE,IAAI,EAAE,oBAAoB,CAAA;KAAE;IAI1C,UAAU,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,eAAe,CAAC;IAMrD,aAAa,CAAC,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,oBAAoB,GAAG,OAAO,CAAC,eAAe,CAAC;IAavF,cAAc,CAClB,OAAO,EAAE,MAAM,EACf,OAAO,EAAE,4BAA4B,GACpC,OAAO,CAAC,eAAe,CAAC;CAe5B"}

package/dist/modules/admin-account/service.js

@@ -0,0 +1,76 @@
+/**
+ * This Source Code is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * Copyright (c) Infonomic Company Limited
+ */
+import { toAdminUser } from '../admin-users/dto.js';
+import { ERR_ADMIN_USER_EMAIL_IN_USE } from '../admin-users/errors.js';
+import { hashPassword, verifyPassword } from '../auth/password.js';
+import { ERR_ADMIN_ACCOUNT_INVALID_CURRENT_PASSWORD, ERR_ADMIN_ACCOUNT_NOT_FOUND, } from './errors.js';
+/**
+ * Self-service business logic for the currently signed-in admin user.
+ *
+ * Reuses `AdminUsersRepository` rather than introducing a parallel
+ * repository — the underlying table is the same, and self-service is
+ * just a narrower surface over it. The narrowing is structural:
+ *
+ *   - Every method takes `actorId` (sourced server-side from the
+ *     authenticated `RequestContext`) and uses it as the target id.
+ *     Callers cannot supply a target id; commands look it up from
+ *     `actor.id` and pass it in.
+ *   - `updateAccount` excludes `is_super_admin`, `is_enabled`, and
+ *     `is_email_verified` from the writable surface. The schema
+ *     already strips them, but the service signature reinforces it.
+ *   - `changePassword` verifies the *current* password before swapping
+ *     in the new hash. A hijacked session cannot use this flow to lock
+ *     out the legitimate owner.
+ *
+ * Note on session revocation: changing a password here does **not**
+ * currently revoke other refresh tokens — existing access tokens stay
+ * valid until their 15-minute expiry, and other refresh tokens remain
+ * useable. A "sign out everywhere on password change" follow-up should
+ * call `RefreshTokensRepository.revokeAllExcept(adminUserId, currentJti)`
+ * once that lands.
+ */
+export class AdminAccountService {
+    #repo;
+    constructor(deps) {
+        this.#repo = deps.repo;
+    }
+    async getAccount(actorId) {
+        const row = await this.#repo.getById(actorId);
+        if (!row)
+            throw ERR_ADMIN_ACCOUNT_NOT_FOUND();
+        return toAdminUser(row);
+    }
+    async updateAccount(actorId, request) {
+        const current = await this.#repo.getById(actorId);
+        if (!current)
+            throw ERR_ADMIN_ACCOUNT_NOT_FOUND();
+        if (request.patch.email != null && request.patch.email !== current.email) {
+            const owner = await this.#repo.getByEmail(request.patch.email);
+            if (owner && owner.id !== actorId)
+                throw ERR_ADMIN_USER_EMAIL_IN_USE();
+        }
+        const row = await this.#repo.update(actorId, request.vid, request.patch);
+        return toAdminUser(row);
+    }
+    async changePassword(actorId, request) {
+        // Pull the row *with* the password hash so we can verify the
+        // supplied current password before persisting a new one. The
+        // sign-in-shaped row is treated as ephemeral here — the hash
+        // string is never propagated outside this method.
+        const withHash = await this.#repo.getByIdForSignIn(actorId);
+        if (!withHash)
+            throw ERR_ADMIN_ACCOUNT_NOT_FOUND();
+        const ok = await verifyPassword(request.currentPassword, withHash.password_hash);
+        if (!ok)
+            throw ERR_ADMIN_ACCOUNT_INVALID_CURRENT_PASSWORD();
+        const newHash = await hashPassword(request.newPassword);
+        const row = await this.#repo.setPasswordHash(actorId, request.vid, newHash);
+        return toAdminUser(row);
+    }
+}
+//# sourceMappingURL=service.js.map

package/dist/modules/admin-account/service.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"service.js","sourceRoot":"","sources":["../../../src/modules/admin-account/service.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,WAAW,EAAE,MAAM,uBAAuB,CAAA;AACnD,OAAO,EAAE,2BAA2B,EAAE,MAAM,0BAA0B,CAAA;AACtE,OAAO,EAAE,YAAY,EAAE,cAAc,EAAE,MAAM,qBAAqB,CAAA;AAClE,OAAO,EACL,0CAA0C,EAC1C,2BAA2B,GAC5B,MAAM,aAAa,CAAA;AAQpB;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,MAAM,OAAO,mBAAmB;IACrB,KAAK,CAAsB;IAEpC,YAAY,IAAoC;QAC9C,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,IAAI,CAAA;IACxB,CAAC;IAED,KAAK,CAAC,UAAU,CAAC,OAAe;QAC9B,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,CAAA;QAC7C,IAAI,CAAC,GAAG;YAAE,MAAM,2BAA2B,EAAE,CAAA;QAC7C,OAAO,WAAW,CAAC,GAAG,CAAC,CAAA;IACzB,CAAC;IAED,KAAK,CAAC,aAAa,CAAC,OAAe,EAAE,OAA6B;QAChE,MAAM,OAAO,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,OAAO,CAAC,CAAA;QACjD,IAAI,CAAC,OAAO;YAAE,MAAM,2BAA2B,EAAE,CAAA;QAEjD,IAAI,OAAO,CAAC,KAAK,CAAC,KAAK,IAAI,IAAI,IAAI,OAAO,CAAC,KAAK,CAAC,KAAK,KAAK,OAAO,CAAC,KAAK,EAAE,CAAC;YACzE,MAAM,KAAK,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,CAAA;YAC9D,IAAI,KAAK,IAAI,KAAK,CAAC,EAAE,KAAK,OAAO;gBAAE,MAAM,2BAA2B,EAAE,CAAA;QACxE,CAAC;QAED,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,OAAO,EAAE,OAAO,CAAC,GAAG,EAAE,OAAO,CAAC,KAAK,CAAC,CAAA;QACxE,OAAO,WAAW,CAAC,GAAG,CAAC,CAAA;IACzB,CAAC;IAED,KAAK,CAAC,cAAc,CAClB,OAAe,EACf,OAAqC;QAErC,6DAA6D;QAC7D,6DAA6D;QAC7D,6DAA6D;QAC7D,kDAAkD;QAClD,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,gBAAgB,CAAC,OAAO,CAAC,CAAA;QAC3D,IAAI,CAAC,QAAQ;YAAE,MAAM,2BAA2B,EAAE,CAAA;QAElD,MAAM,EAAE,GAAG,MAAM,cAAc,CAAC,OAAO,CAAC,eAAe,EAAE,QAAQ,CAAC,aAAa,CAAC,CAAA;QAChF,IAAI,CAAC,EAAE;YAAE,MAAM,0CAA0C,EAAE,CAAA;QAE3D,MAAM,OAAO,GAAG,MAAM,YAAY,CAAC,OAAO,CAAC,WAAW,CAAC,CAAA;QACvD,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,OAAO,EAAE,OAAO,CAAC,GAAG,EAAE,OAAO,CAAC,CAAA;QAC3E,OAAO,WAAW,CAAC,GAAG,CAAC,CAAA;IACzB,CAAC;CACF"}

package/dist/modules/admin-permissions/abilities.d.ts

@@ -0,0 +1,27 @@
+/**
+ * This Source Code is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * Copyright (c) Infonomic Company Limited
+ */
+import type { AbilityRegistry } from '@byline/auth';
+/**
+ * Ability keys for the admin-permissions module.
+ *
+ * `read` gates the inspector view (Phase 8 in AUTHN-AUTHZ-ANALYSIS.md).
+ * `update` will gate the per-role ability editor mounted on the
+ * admin-roles role detail page — declared here so the role editor can
+ * assert against it once that surface lands. The per-role editor shares
+ * the `update` key rather than minting `grant` / `revoke` keys: granting
+ * abilities to a role is a single editorial operation from the admin's
+ * perspective, and a granular split would force a redundant key on
+ * every permission-managing role.
+ */
+export declare const ADMIN_PERMISSIONS_ABILITIES: {
+    readonly read: "admin.permissions.read";
+    readonly update: "admin.permissions.update";
+};
+export type AdminPermissionsAbilityKey = (typeof ADMIN_PERMISSIONS_ABILITIES)[keyof typeof ADMIN_PERMISSIONS_ABILITIES];
+export declare function registerAdminPermissionsAbilities(registry: AbilityRegistry): void;
+//# sourceMappingURL=abilities.d.ts.map

package/dist/modules/admin-permissions/abilities.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"abilities.d.ts","sourceRoot":"","sources":["../../../src/modules/admin-permissions/abilities.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,cAAc,CAAA;AAEnD;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,2BAA2B;;;CAG9B,CAAA;AAEV,MAAM,MAAM,0BAA0B,GACpC,CAAC,OAAO,2BAA2B,CAAC,CAAC,MAAM,OAAO,2BAA2B,CAAC,CAAA;AAEhF,wBAAgB,iCAAiC,CAAC,QAAQ,EAAE,eAAe,GAAG,IAAI,CAejF"}

package/dist/modules/admin-permissions/abilities.js

@@ -0,0 +1,40 @@
+/**
+ * This Source Code is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * Copyright (c) Infonomic Company Limited
+ */
+/**
+ * Ability keys for the admin-permissions module.
+ *
+ * `read` gates the inspector view (Phase 8 in AUTHN-AUTHZ-ANALYSIS.md).
+ * `update` will gate the per-role ability editor mounted on the
+ * admin-roles role detail page — declared here so the role editor can
+ * assert against it once that surface lands. The per-role editor shares
+ * the `update` key rather than minting `grant` / `revoke` keys: granting
+ * abilities to a role is a single editorial operation from the admin's
+ * perspective, and a granular split would force a redundant key on
+ * every permission-managing role.
+ */
+export const ADMIN_PERMISSIONS_ABILITIES = {
+    read: 'admin.permissions.read',
+    update: 'admin.permissions.update',
+};
+export function registerAdminPermissionsAbilities(registry) {
+    registry.register({
+        key: ADMIN_PERMISSIONS_ABILITIES.read,
+        label: 'Read admin permissions',
+        description: 'View the abilities inspector and per-role ability grants.',
+        group: 'admin.permissions',
+        source: 'admin',
+    });
+    registry.register({
+        key: ADMIN_PERMISSIONS_ABILITIES.update,
+        label: 'Update admin permissions',
+        description: "Edit a role's ability grants.",
+        group: 'admin.permissions',
+        source: 'admin',
+    });
+}
+//# sourceMappingURL=abilities.js.map

package/dist/modules/admin-permissions/abilities.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"abilities.js","sourceRoot":"","sources":["../../../src/modules/admin-permissions/abilities.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAIH;;;;;;;;;;;GAWG;AACH,MAAM,CAAC,MAAM,2BAA2B,GAAG;IACzC,IAAI,EAAE,wBAAwB;IAC9B,MAAM,EAAE,0BAA0B;CAC1B,CAAA;AAKV,MAAM,UAAU,iCAAiC,CAAC,QAAyB;IACzE,QAAQ,CAAC,QAAQ,CAAC;QAChB,GAAG,EAAE,2BAA2B,CAAC,IAAI;QACrC,KAAK,EAAE,wBAAwB;QAC/B,WAAW,EAAE,2DAA2D;QACxE,KAAK,EAAE,mBAAmB;QAC1B,MAAM,EAAE,OAAO;KAChB,CAAC,CAAA;IACF,QAAQ,CAAC,QAAQ,CAAC;QAChB,GAAG,EAAE,2BAA2B,CAAC,MAAM;QACvC,KAAK,EAAE,0BAA0B;QACjC,WAAW,EAAE,+BAA+B;QAC5C,KAAK,EAAE,mBAAmB;QAC1B,MAAM,EAAE,OAAO;KAChB,CAAC,CAAA;AACJ,CAAC"}

package/dist/modules/admin-permissions/commands.d.ts

@@ -0,0 +1,30 @@
+/**
+ * This Source Code is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * Copyright (c) Infonomic Company Limited
+ */
+import type { AbilityRegistry, RequestContext } from '@byline/auth';
+import type { AdminStore } from '../../store.js';
+import type { GetRoleAbilitiesResponse, ListRegisteredAbilitiesResponse, SetRoleAbilitiesResponse, WhoHasAbilityResponse } from './schemas.js';
+/**
+ * Transport-agnostic commands for the admin-permissions inspector.
+ *
+ * Same four-step shape as the other modules — Zod-validate, assert the
+ * admin actor + ability, call the service, validate the output. The
+ * inspector commands all gate on `admin.permissions.read`.
+ *
+ * Deps include the `AbilityRegistry` alongside the `AdminStore` because
+ * the inspector reads the registered abilities directly from the
+ * registry (no DB). The webapp threads `bylineCore.abilities` in.
+ */
+export interface AdminPermissionsCommandDeps {
+    store: AdminStore;
+    abilities: AbilityRegistry;
+}
+export declare function listRegisteredAbilitiesCommand(context: RequestContext | undefined, input: unknown, deps: AdminPermissionsCommandDeps): Promise<ListRegisteredAbilitiesResponse>;
+export declare function whoHasAbilityCommand(context: RequestContext | undefined, input: unknown, deps: AdminPermissionsCommandDeps): Promise<WhoHasAbilityResponse>;
+export declare function getRoleAbilitiesCommand(context: RequestContext | undefined, input: unknown, deps: AdminPermissionsCommandDeps): Promise<GetRoleAbilitiesResponse>;
+export declare function setRoleAbilitiesCommand(context: RequestContext | undefined, input: unknown, deps: AdminPermissionsCommandDeps): Promise<SetRoleAbilitiesResponse>;
+//# sourceMappingURL=commands.d.ts.map

package/dist/modules/admin-permissions/commands.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"commands.d.ts","sourceRoot":"","sources":["../../../src/modules/admin-permissions/commands.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,cAAc,EAAE,MAAM,cAAc,CAAA;AAenE,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,gBAAgB,CAAA;AAChD,OAAO,KAAK,EACV,wBAAwB,EACxB,+BAA+B,EAC/B,wBAAwB,EACxB,qBAAqB,EACtB,MAAM,cAAc,CAAA;AAErB;;;;;;;;;;GAUG;AAEH,MAAM,WAAW,2BAA2B;IAC1C,KAAK,EAAE,UAAU,CAAA;IACjB,SAAS,EAAE,eAAe,CAAA;CAC3B;AAMD,wBAAsB,8BAA8B,CAClD,OAAO,EAAE,cAAc,GAAG,SAAS,EACnC,KAAK,EAAE,OAAO,EACd,IAAI,EAAE,2BAA2B,GAChC,OAAO,CAAC,+BAA+B,CAAC,CAK1C;AAED,wBAAsB,oBAAoB,CACxC,OAAO,EAAE,cAAc,GAAG,SAAS,EACnC,KAAK,EAAE,OAAO,EACd,IAAI,EAAE,2BAA2B,GAChC,OAAO,CAAC,qBAAqB,CAAC,CAKhC;AAED,wBAAsB,uBAAuB,CAC3C,OAAO,EAAE,cAAc,GAAG,SAAS,EACnC,KAAK,EAAE,OAAO,EACd,IAAI,EAAE,2BAA2B,GAChC,OAAO,CAAC,wBAAwB,CAAC,CAKnC;AAED,wBAAsB,uBAAuB,CAC3C,OAAO,EAAE,cAAc,GAAG,SAAS,EACnC,KAAK,EAAE,OAAO,EACd,IAAI,EAAE,2BAA2B,GAChC,OAAO,CAAC,wBAAwB,CAAC,CAKnC"}