@fuzdev/fuz_app 0.29.0 → 0.31.0

package/dist/ui/permit_offers_state.svelte.d.ts

@@ -0,0 +1,125 @@
+/**
+ * Reactive state for the consentful-permits offer flow.
+ *
+ * Maintains one offer cache keyed by id, seeded by the RPC list/history
+ * actions and kept live by the six permit-offer WebSocket notifications.
+ * `incoming` (recipient-side pending) and `outgoing` (grantor-side pending)
+ * are derived views; `history` is the full cache ordered newest-first for
+ * the grantor/admin history view.
+ *
+ * Wiring is transport-agnostic: the ctor accepts a narrow RPC interface
+ * the consumer adapts from their typed client, plus an `account_id` /
+ * `actor_id` getter pair (typically bound to `auth_state`). Notification
+ * delivery is pull-only via `subscribe()` — the consumer plumbs their
+ * `FrontendWebsocketClient` / `ActionPeer` receiver to `apply_notification`.
+ *
+ * @module
+ */
+import { Loadable } from './loadable.svelte.js';
+import type { PermitOfferJson } from '../auth/permit_offer_schema.js';
+/**
+ * Svelte context for `PermitOffersState`.
+ * Use `permit_offers_state_context.set(state)` in the provider and
+ * `permit_offers_state_context.get()` to access.
+ */
+export declare const permit_offers_state_context: {
+    get: (error_message?: string) => PermitOffersState;
+    get_maybe: () => PermitOffersState | undefined;
+    set: (value: PermitOffersState) => PermitOffersState;
+};
+/**
+ * Narrow RPC surface consumed by `PermitOffersState`. Consumers adapt their
+ * typed client (e.g. a `create_rpc_client` Proxy) to this shape — the state
+ * class stays decoupled from the client's `Result` return type so tests can
+ * inject plain-function stubs.
+ */
+export interface PermitOffersRpc {
+    list: () => Promise<{
+        offers: Array<PermitOfferJson>;
+    }>;
+    history: (options?: {
+        limit?: number;
+        offset?: number;
+    }) => Promise<{
+        offers: Array<PermitOfferJson>;
+    }>;
+    create: (params: {
+        to_account_id: string;
+        role: string;
+        scope_id?: string | null;
+        message?: string | null;
+    }) => Promise<{
+        offer: PermitOfferJson;
+    }>;
+    accept: (offer_id: string) => Promise<{
+        permit_id: string;
+        offer: PermitOfferJson;
+        superseded_offer_ids: Array<string>;
+    }>;
+    decline: (offer_id: string, reason?: string | null) => Promise<{
+        ok: true;
+    }>;
+    retract: (offer_id: string) => Promise<{
+        ok: true;
+    }>;
+}
+/** Narrow WS notification envelope — method + params, matching `JsonrpcNotification`. */
+export interface PermitOfferNotification {
+    method: string;
+    params: unknown;
+}
+/** Subscription primitive — consumer wires their WS receiver; returns a disposer. */
+export type PermitOfferSubscribe = (handler: (notification: PermitOfferNotification) => void) => () => void;
+export interface PermitOffersStateOptions {
+    rpc: PermitOffersRpc;
+    /** Reactive accessor for the current account id; returns `null` when logged out. */
+    account_id: () => string | null;
+    /**
+     * Reactive accessor for the current actor id — required to classify
+     * offers as outgoing. Returns `null` when unknown.
+     */
+    actor_id: () => string | null;
+}
+export declare class PermitOffersState extends Loadable {
+    #private;
+    /** Pending offers for the current account, soonest-expiring first. */
+    readonly incoming: Array<PermitOfferJson>;
+    /** Pending offers from the current actor, newest-created first. */
+    readonly outgoing: Array<PermitOfferJson>;
+    /** Every offer known to this state, newest-created first. Feeds the history view. */
+    readonly history: Array<PermitOfferJson>;
+    readonly incoming_count: number;
+    constructor(options: PermitOffersStateOptions);
+    /** Seed the cache with the recipient-side pending inbox. */
+    fetch(): Promise<void>;
+    /** Seed both-directions history (includes terminal rows). */
+    fetch_history(options?: {
+        limit?: number;
+        offset?: number;
+    }): Promise<void>;
+    /** Issue a new offer; merges the returned offer into the cache on success. */
+    create(params: {
+        to_account_id: string;
+        role: string;
+        scope_id?: string | null;
+        message?: string | null;
+    }): Promise<PermitOfferJson | undefined>;
+    /** Accept an offer; stamps it terminal in the cache and drops any siblings the server superseded. */
+    accept(offer_id: string): Promise<void>;
+    decline(offer_id: string, reason?: string | null): Promise<void>;
+    retract(offer_id: string): Promise<void>;
+    /**
+     * Wire a notification subscription. The handler dispatches each matching
+     * notification into `apply_notification`; the returned disposer unwires.
+     */
+    subscribe(subscribe_fn: PermitOfferSubscribe): () => void;
+    /**
+     * Reduce a single WS notification into the cache. Exposed so consumers
+     * wiring their WS receiver directly (without `subscribe`) and tests can
+     * drive the reducer without allocating a subscription.
+     */
+    apply_notification(notification: PermitOfferNotification): void;
+    /** Clear the cache and reset loading/error state. */
+    reset(): void;
+}
+//# sourceMappingURL=permit_offers_state.svelte.d.ts.map

package/dist/ui/permit_offers_state.svelte.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"permit_offers_state.svelte.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/ui/permit_offers_state.svelte.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAIH,OAAO,EAAC,QAAQ,EAAC,MAAM,sBAAsB,CAAC;AAC9C,OAAO,KAAK,EAAC,eAAe,EAAC,MAAM,gCAAgC,CAAC;AAUpE;;;;GAIG;AACH,eAAO,MAAM,2BAA2B;;;;CAAsC,CAAC;AAE/E;;;;;GAKG;AACH,MAAM,WAAW,eAAe;IAC/B,IAAI,EAAE,MAAM,OAAO,CAAC;QAAC,MAAM,EAAE,KAAK,CAAC,eAAe,CAAC,CAAA;KAAC,CAAC,CAAC;IACtD,OAAO,EAAE,CAAC,OAAO,CAAC,EAAE;QACnB,KAAK,CAAC,EAAE,MAAM,CAAC;QACf,MAAM,CAAC,EAAE,MAAM,CAAC;KAChB,KAAK,OAAO,CAAC;QAAC,MAAM,EAAE,KAAK,CAAC,eAAe,CAAC,CAAA;KAAC,CAAC,CAAC;IAChD,MAAM,EAAE,CAAC,MAAM,EAAE;QAChB,aAAa,EAAE,MAAM,CAAC;QACtB,IAAI,EAAE,MAAM,CAAC;QACb,QAAQ,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;QACzB,OAAO,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;KACxB,KAAK,OAAO,CAAC;QAAC,KAAK,EAAE,eAAe,CAAA;KAAC,CAAC,CAAC;IACxC,MAAM,EAAE,CAAC,QAAQ,EAAE,MAAM,KAAK,OAAO,CAAC;QACrC,SAAS,EAAE,MAAM,CAAC;QAClB,KAAK,EAAE,eAAe,CAAC;QACvB,oBAAoB,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;KACpC,CAAC,CAAC;IACH,OAAO,EAAE,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,GAAG,IAAI,KAAK,OAAO,CAAC;QAAC,EAAE,EAAE,IAAI,CAAA;KAAC,CAAC,CAAC;IAC3E,OAAO,EAAE,CAAC,QAAQ,EAAE,MAAM,KAAK,OAAO,CAAC;QAAC,EAAE,EAAE,IAAI,CAAA;KAAC,CAAC,CAAC;CACnD;AAED,yFAAyF;AACzF,MAAM,WAAW,uBAAuB;IACvC,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,OAAO,CAAC;CAChB;AAED,qFAAqF;AACrF,MAAM,MAAM,oBAAoB,GAAG,CAClC,OAAO,EAAE,CAAC,YAAY,EAAE,uBAAuB,KAAK,IAAI,KACpD,MAAM,IAAI,CAAC;AAEhB,MAAM,WAAW,wBAAwB;IACxC,GAAG,EAAE,eAAe,CAAC;IACrB,oFAAoF;IACpF,UAAU,EAAE,MAAM,MAAM,GAAG,IAAI,CAAC;IAChC;;;OAGG;IACH,QAAQ,EAAE,MAAM,MAAM,GAAG,IAAI,CAAC;CAC9B;AAQD,qBAAa,iBAAkB,SAAQ,QAAQ;;IAO9C,sEAAsE;IACtE,QAAQ,CAAC,QAAQ,EAAE,KAAK,CAAC,eAAe,CAAC,CAatC;IAEH,mEAAmE;IACnE,QAAQ,CAAC,QAAQ,EAAE,KAAK,CAAC,eAAe,CAAC,CAatC;IAEH,qFAAqF;IACrF,QAAQ,CAAC,OAAO,EAAE,KAAK,CAAC,eAAe,CAAC,CAIrC;IAEH,QAAQ,CAAC,cAAc,EAAE,MAAM,CAAkC;gBAErD,OAAO,EAAE,wBAAwB;IAO7C,4DAA4D;IACtD,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC;IAO5B,6DAA6D;IACvD,aAAa,CAAC,OAAO,CAAC,EAAE;QAAC,KAAK,CAAC,EAAE,MAAM,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAA;KAAC,GAAG,OAAO,CAAC,IAAI,CAAC;IAO/E,8EAA8E;IACxE,MAAM,CAAC,MAAM,EAAE;QACpB,aAAa,EAAE,MAAM,CAAC;QACtB,IAAI,EAAE,MAAM,CAAC;QACb,QAAQ,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;QACzB,OAAO,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;KACxB,GAAG,OAAO,CAAC,eAAe,GAAG,SAAS,CAAC;IAQxC,qGAAqG;IAC/F,MAAM,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAavC,OAAO,CAAC,QAAQ,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,MAAM,GAAG,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC;IAOhE,OAAO,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAO9C;;;OAGG;IACH,SAAS,CAAC,YAAY,EAAE,oBAAoB,GAAG,MAAM,IAAI;IAMzD;;;;OAIG;IACH,kBAAkB,CAAC,YAAY,EAAE,uBAAuB,GAAG,IAAI;IAwB/D,qDAAqD;IAC5C,KAAK,IAAI,IAAI;CAmBtB"}

package/dist/ui/permit_offers_state.svelte.js

@@ -0,0 +1,197 @@
+/**
+ * Reactive state for the consentful-permits offer flow.
+ *
+ * Maintains one offer cache keyed by id, seeded by the RPC list/history
+ * actions and kept live by the six permit-offer WebSocket notifications.
+ * `incoming` (recipient-side pending) and `outgoing` (grantor-side pending)
+ * are derived views; `history` is the full cache ordered newest-first for
+ * the grantor/admin history view.
+ *
+ * Wiring is transport-agnostic: the ctor accepts a narrow RPC interface
+ * the consumer adapts from their typed client, plus an `account_id` /
+ * `actor_id` getter pair (typically bound to `auth_state`). Notification
+ * delivery is pull-only via `subscribe()` — the consumer plumbs their
+ * `FrontendWebsocketClient` / `ActionPeer` receiver to `apply_notification`.
+ *
+ * @module
+ */
+import { create_context } from '@fuzdev/fuz_ui/context_helpers.js';
+import { Loadable } from './loadable.svelte.js';
+import { PERMIT_OFFER_ACCEPTED_NOTIFICATION_METHOD, PERMIT_OFFER_DECLINED_NOTIFICATION_METHOD, PERMIT_OFFER_RECEIVED_NOTIFICATION_METHOD, PERMIT_OFFER_RETRACTED_NOTIFICATION_METHOD, PERMIT_OFFER_SUPERSEDE_NOTIFICATION_METHOD, PERMIT_REVOKE_NOTIFICATION_METHOD, } from '../auth/permit_offer_notifications.js';
+/**
+ * Svelte context for `PermitOffersState`.
+ * Use `permit_offers_state_context.set(state)` in the provider and
+ * `permit_offers_state_context.get()` to access.
+ */
+export const permit_offers_state_context = create_context();
+const is_terminal = (o) => o.accepted_at !== null ||
+    o.declined_at !== null ||
+    o.retracted_at !== null ||
+    o.superseded_at !== null;
+export class PermitOffersState extends Loadable {
+    #rpc;
+    #get_account_id;
+    #get_actor_id;
+    #offers = $state.raw(new Map());
+    /** Pending offers for the current account, soonest-expiring first. */
+    incoming = $derived.by(() => {
+        const account_id = this.#get_account_id();
+        if (!account_id)
+            return [];
+        const now = Date.now();
+        const rows = [];
+        for (const o of this.#offers.values()) {
+            if (o.to_account_id !== account_id)
+                continue;
+            if (is_terminal(o))
+                continue;
+            if (Date.parse(o.expires_at) <= now)
+                continue;
+            rows.push(o);
+        }
+        rows.sort((a, b) => Date.parse(a.expires_at) - Date.parse(b.expires_at));
+        return rows;
+    });
+    /** Pending offers from the current actor, newest-created first. */
+    outgoing = $derived.by(() => {
+        const actor_id = this.#get_actor_id();
+        if (!actor_id)
+            return [];
+        const now = Date.now();
+        const rows = [];
+        for (const o of this.#offers.values()) {
+            if (o.from_actor_id !== actor_id)
+                continue;
+            if (is_terminal(o))
+                continue;
+            if (Date.parse(o.expires_at) <= now)
+                continue;
+            rows.push(o);
+        }
+        rows.sort((a, b) => Date.parse(b.created_at) - Date.parse(a.created_at));
+        return rows;
+    });
+    /** Every offer known to this state, newest-created first. Feeds the history view. */
+    history = $derived.by(() => {
+        const rows = Array.from(this.#offers.values());
+        rows.sort((a, b) => Date.parse(b.created_at) - Date.parse(a.created_at));
+        return rows;
+    });
+    incoming_count = $derived(this.incoming.length);
+    constructor(options) {
+        super();
+        this.#rpc = options.rpc;
+        this.#get_account_id = options.account_id;
+        this.#get_actor_id = options.actor_id;
+    }
+    /** Seed the cache with the recipient-side pending inbox. */
+    async fetch() {
+        await this.run(async () => {
+            const { offers } = await this.#rpc.list();
+            this.#merge_offers(offers);
+        });
+    }
+    /** Seed both-directions history (includes terminal rows). */
+    async fetch_history(options) {
+        await this.run(async () => {
+            const { offers } = await this.#rpc.history(options);
+            this.#merge_offers(offers);
+        });
+    }
+    /** Issue a new offer; merges the returned offer into the cache on success. */
+    async create(params) {
+        return this.run(async () => {
+            const { offer } = await this.#rpc.create(params);
+            this.#merge_offers([offer]);
+            return offer;
+        });
+    }
+    /** Accept an offer; stamps it terminal in the cache and drops any siblings the server superseded. */
+    async accept(offer_id) {
+        await this.run(async () => {
+            const result = await this.#rpc.accept(offer_id);
+            this.#merge_offers([result.offer]);
+            // siblings are authoritatively superseded server-side; the
+            // corresponding WS notifications will also arrive, but dropping
+            // them eagerly keeps the inbox accurate in the gap.
+            for (const sibling_id of result.superseded_offer_ids) {
+                this.#remove_offer(sibling_id);
+            }
+        });
+    }
+    async decline(offer_id, reason) {
+        await this.run(async () => {
+            await this.#rpc.decline(offer_id, reason);
+            this.#remove_offer(offer_id);
+        });
+    }
+    async retract(offer_id) {
+        await this.run(async () => {
+            await this.#rpc.retract(offer_id);
+            this.#remove_offer(offer_id);
+        });
+    }
+    /**
+     * Wire a notification subscription. The handler dispatches each matching
+     * notification into `apply_notification`; the returned disposer unwires.
+     */
+    subscribe(subscribe_fn) {
+        return subscribe_fn((notification) => {
+            this.apply_notification(notification);
+        });
+    }
+    /**
+     * Reduce a single WS notification into the cache. Exposed so consumers
+     * wiring their WS receiver directly (without `subscribe`) and tests can
+     * drive the reducer without allocating a subscription.
+     */
+    apply_notification(notification) {
+        switch (notification.method) {
+            case PERMIT_OFFER_RECEIVED_NOTIFICATION_METHOD:
+            case PERMIT_OFFER_RETRACTED_NOTIFICATION_METHOD:
+            case PERMIT_OFFER_ACCEPTED_NOTIFICATION_METHOD:
+            case PERMIT_OFFER_DECLINED_NOTIFICATION_METHOD:
+            case PERMIT_OFFER_SUPERSEDE_NOTIFICATION_METHOD: {
+                const params = notification.params;
+                if (!params || typeof params !== 'object' || !('offer' in params))
+                    return;
+                const offer = params.offer;
+                if (!is_permit_offer_like(offer))
+                    return;
+                this.#merge_offers([offer]);
+                return;
+            }
+            case PERMIT_REVOKE_NOTIFICATION_METHOD:
+                // permit_revoke is a permit-lifecycle event — the offer cache
+                // is unaffected. Consumers handle it in an auth/permits state.
+                return;
+            default:
+                // unrelated notifications — ignore silently.
+                return;
+        }
+    }
+    /** Clear the cache and reset loading/error state. */
+    reset() {
+        super.reset();
+        this.#offers = new Map();
+    }
+    #merge_offers(offers) {
+        const next = new Map(this.#offers);
+        for (const offer of offers) {
+            next.set(offer.id, offer);
+        }
+        this.#offers = next;
+    }
+    #remove_offer(offer_id) {
+        if (!this.#offers.has(offer_id))
+            return;
+        const next = new Map(this.#offers);
+        next.delete(offer_id);
+        this.#offers = next;
+    }
+}
+const is_permit_offer_like = (value) => !!value &&
+    typeof value === 'object' &&
+    typeof value.id === 'string' &&
+    typeof value.to_account_id === 'string' &&
+    typeof value.from_actor_id === 'string';

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@fuzdev/fuz_app",
-  "version": "0.29.0",
+  "version": "0.31.0",
   "description": "fullstack app library",
   "glyph": "🗝",
   "logo": "logo.svg",
@@ -19,7 +19,7 @@
   },
   "type": "module",
   "engines": {
-    "node": ">=22.15"
+    "node": ">=24.14"
   },
   "peerDependencies": {
     "@electric-sql/pglite": ">=0.3",
@@ -46,7 +46,7 @@
     "@fuzdev/fuz_code": "^0.45.1",
     "@fuzdev/fuz_css": "^0.58.0",
     "@fuzdev/fuz_ui": "^0.191.4",
-    "@fuzdev/fuz_util": "^0.57.0",
+    "@fuzdev/fuz_util": "^0.58.0",
     "@fuzdev/gro": "^0.198.0",
     "@jridgewell/trace-mapping": "^0.3.31",
     "@node-rs/argon2": "^2.0.2",

package/dist/auth/admin_routes.d.ts

@@ -1,29 +0,0 @@
-/**
- * Generic admin route specs — account listing, permit management, session and token revocation.
- *
- * All routes require the `admin` role.
- *
- * @module
- */
-import { type RoleSchemaResult } from './role_schema.js';
-import { type RouteSpec } from '../http/route_spec.js';
-import type { RouteFactoryDeps } from './deps.js';
-/** Options for admin route specs. */
-export interface AdminRouteOptions {
-    /**
-     * Role schema result from `create_role_schema()`. Defaults to builtin roles only.
-     * Pass the full result to enable extended app-defined roles in the admin UI.
-     * Both `Role` and `role_options` come from the same call — passing them together
-     * via this field ensures they stay in sync.
-     */
-    roles?: RoleSchemaResult;
-}
-/**
- * Create admin route specs for account listing and permit management.
- *
- * @param deps - stateless capabilities (log)
- * @param options - optional options with role schema for validation
- * @returns route specs for admin account management
- */
-export declare const create_admin_account_route_specs: (deps: Pick<RouteFactoryDeps, "log" | "on_audit_event">, options?: AdminRouteOptions) => Array<RouteSpec>;
-//# sourceMappingURL=admin_routes.d.ts.map

package/dist/auth/admin_routes.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"admin_routes.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/admin_routes.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAIH,OAAO,EAA8C,KAAK,gBAAgB,EAAC,MAAM,kBAAkB,CAAC;AAGpG,OAAO,EAAoC,KAAK,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAcxF,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,WAAW,CAAC;AAShD,qCAAqC;AACrC,MAAM,WAAW,iBAAiB;IACjC;;;;;OAKG;IACH,KAAK,CAAC,EAAE,gBAAgB,CAAC;CACzB;AAED;;;;;;GAMG;AACH,eAAO,MAAM,gCAAgC,GAC5C,MAAM,IAAI,CAAC,gBAAgB,EAAE,KAAK,GAAG,gBAAgB,CAAC,EACtD,UAAU,iBAAiB,KACzB,KAAK,CAAC,SAAS,CAoPjB,CAAC"}

package/dist/auth/admin_routes.js

@@ -1,226 +0,0 @@
-/**
- * Generic admin route specs — account listing, permit management, session and token revocation.
- *
- * All routes require the `admin` role.
- *
- * @module
- */
-import { z } from 'zod';
-import { BUILTIN_ROLE_OPTIONS, BuiltinRole, RoleName } from './role_schema.js';
-import { AdminAccountEntryJson } from './account_schema.js';
-import { require_request_context } from './request_context.js';
-import { get_route_input, get_route_params } from '../http/route_spec.js';
-import { query_account_by_id, query_actor_by_account, query_admin_account_list, } from './account_queries.js';
-import { query_grant_permit, query_permit_find_active_role_for_actor, query_revoke_permit, } from './permit_queries.js';
-import { query_session_revoke_all_for_account } from './session_queries.js';
-import { query_revoke_all_api_tokens_for_account } from './api_token_queries.js';
-import { audit_log_fire_and_forget } from './audit_log_queries.js';
-import { ERROR_ACCOUNT_NOT_FOUND, ERROR_ROLE_NOT_WEB_GRANTABLE, ERROR_PERMIT_NOT_FOUND, ERROR_INSUFFICIENT_PERMISSIONS, } from '../http/error_schemas.js';
-import { get_client_ip } from '../http/proxy.js';
-/**
- * Create admin route specs for account listing and permit management.
- *
- * @param deps - stateless capabilities (log)
- * @param options - optional options with role schema for validation
- * @returns route specs for admin account management
- */
-export const create_admin_account_route_specs = (deps, options) => {
-    const role = 'admin';
-    const { on_audit_event } = deps;
-    const role_schema = options?.roles?.Role ?? BuiltinRole;
-    const role_options = options?.roles?.role_options ?? BUILTIN_ROLE_OPTIONS;
-    const grantable_roles = [];
-    for (const [name, rc] of role_options) {
-        if (rc.web_grantable)
-            grantable_roles.push(name);
-    }
-    return [
-        {
-            method: 'GET',
-            path: '/accounts',
-            auth: { type: 'role', role },
-            description: 'List all accounts with their permits',
-            input: z.null(),
-            output: z.strictObject({
-                accounts: z.array(AdminAccountEntryJson),
-                grantable_roles: z.array(RoleName),
-            }),
-            handler: async (c, route) => {
-                const accounts = await query_admin_account_list(route);
-                return c.json({ accounts, grantable_roles });
-            },
-        },
-        {
-            method: 'POST',
-            path: '/accounts/:account_id/permits/grant',
-            auth: { type: 'role', role },
-            description: 'Grant a role permit to an account',
-            params: z.strictObject({ account_id: z.uuid() }),
-            input: z.strictObject({ role: role_schema }),
-            output: z.strictObject({
-                ok: z.literal(true),
-                permit: z.strictObject({ id: z.string(), role: z.string() }),
-            }),
-            errors: {
-                403: z.looseObject({
-                    error: z.enum([ERROR_INSUFFICIENT_PERMISSIONS, ERROR_ROLE_NOT_WEB_GRANTABLE]),
-                }),
-                404: z.looseObject({ error: z.literal(ERROR_ACCOUNT_NOT_FOUND) }),
-            },
-            handler: async (c, route) => {
-                const { account_id } = get_route_params(c);
-                const { role: role_name } = get_route_input(c);
-                const ctx = require_request_context(c);
-                // Enforce web_grantable — direct API calls must respect the same
-                // restrictions as the UI. Keeper role can only be granted via daemon token.
-                const rc = role_options.get(role_name);
-                if (!rc?.web_grantable) {
-                    void audit_log_fire_and_forget(route, {
-                        event_type: 'permit_grant',
-                        outcome: 'failure',
-                        actor_id: ctx.actor.id,
-                        account_id: ctx.account.id,
-                        target_account_id: account_id,
-                        ip: get_client_ip(c),
-                        metadata: { role: role_name },
-                    }, deps.log, on_audit_event);
-                    return c.json({ error: ERROR_ROLE_NOT_WEB_GRANTABLE }, 403);
-                }
-                const actor = await query_actor_by_account(route, account_id);
-                if (!actor) {
-                    return c.json({ error: ERROR_ACCOUNT_NOT_FOUND }, 404);
-                }
-                const permit = await query_grant_permit(route, {
-                    actor_id: actor.id,
-                    role: role_name,
-                    granted_by: ctx.actor.id,
-                });
-                void audit_log_fire_and_forget(route, {
-                    event_type: 'permit_grant',
-                    actor_id: ctx.actor.id,
-                    account_id: ctx.account.id,
-                    target_account_id: account_id,
-                    ip: get_client_ip(c),
-                    metadata: { role: role_name, permit_id: permit.id },
-                }, deps.log, on_audit_event);
-                return c.json({ ok: true, permit: { id: permit.id, role: permit.role } });
-            },
-        },
-        {
-            method: 'POST',
-            path: '/accounts/:account_id/sessions/revoke-all',
-            auth: { type: 'role', role },
-            description: 'Revoke all sessions for an account',
-            params: z.strictObject({ account_id: z.uuid() }),
-            input: z.null(),
-            output: z.strictObject({ ok: z.literal(true), count: z.number() }),
-            errors: { 404: z.looseObject({ error: z.literal(ERROR_ACCOUNT_NOT_FOUND) }) },
-            handler: async (c, route) => {
-                const { account_id } = get_route_params(c);
-                const account = await query_account_by_id(route, account_id);
-                if (!account) {
-                    return c.json({ error: ERROR_ACCOUNT_NOT_FOUND }, 404);
-                }
-                const ctx = require_request_context(c);
-                const count = await query_session_revoke_all_for_account(route, account_id);
-                void audit_log_fire_and_forget(route, {
-                    event_type: 'session_revoke_all',
-                    actor_id: ctx.actor.id,
-                    account_id: ctx.account.id,
-                    target_account_id: account_id,
-                    ip: get_client_ip(c),
-                    metadata: { count },
-                }, deps.log, on_audit_event);
-                return c.json({ ok: true, count });
-            },
-        },
-        {
-            method: 'POST',
-            path: '/accounts/:account_id/tokens/revoke-all',
-            auth: { type: 'role', role },
-            description: 'Revoke all API tokens for an account',
-            params: z.strictObject({ account_id: z.uuid() }),
-            input: z.null(),
-            output: z.strictObject({ ok: z.literal(true), count: z.number() }),
-            errors: { 404: z.looseObject({ error: z.literal(ERROR_ACCOUNT_NOT_FOUND) }) },
-            handler: async (c, route) => {
-                const { account_id } = get_route_params(c);
-                const account = await query_account_by_id(route, account_id);
-                if (!account) {
-                    return c.json({ error: ERROR_ACCOUNT_NOT_FOUND }, 404);
-                }
-                const ctx = require_request_context(c);
-                const count = await query_revoke_all_api_tokens_for_account(route, account_id);
-                void audit_log_fire_and_forget(route, {
-                    event_type: 'token_revoke_all',
-                    actor_id: ctx.actor.id,
-                    account_id: ctx.account.id,
-                    target_account_id: account_id,
-                    ip: get_client_ip(c),
-                    metadata: { count },
-                }, deps.log, on_audit_event);
-                return c.json({ ok: true, count });
-            },
-        },
-        {
-            method: 'POST',
-            path: '/accounts/:account_id/permits/:permit_id/revoke',
-            auth: { type: 'role', role },
-            description: 'Revoke a permit',
-            params: z.strictObject({ account_id: z.uuid(), permit_id: z.uuid() }),
-            input: z.null(),
-            output: z.strictObject({ ok: z.literal(true), revoked: z.literal(true) }),
-            errors: {
-                403: z.looseObject({
-                    error: z.enum([ERROR_INSUFFICIENT_PERMISSIONS, ERROR_ROLE_NOT_WEB_GRANTABLE]),
-                }),
-                404: z.looseObject({
-                    error: z.enum([ERROR_ACCOUNT_NOT_FOUND, ERROR_PERMIT_NOT_FOUND]),
-                }),
-            },
-            handler: async (c, route) => {
-                const { account_id, permit_id } = get_route_params(c);
-                const ctx = require_request_context(c);
-                // resolve the target actor from the URL account_id to prevent IDOR
-                const target_actor = await query_actor_by_account(route, account_id);
-                if (!target_actor) {
-                    return c.json({ error: ERROR_ACCOUNT_NOT_FOUND }, 404);
-                }
-                // Look up the permit's role so we can enforce web_grantable symmetrically
-                // with the grant route. Without this, an admin could revoke the keeper
-                // permit via the web, breaking the "only daemon token manages keeper" invariant.
-                // Route wraps POST handlers in a transaction, so SELECT-then-UPDATE is atomic.
-                const permit_row = await query_permit_find_active_role_for_actor(route, permit_id, target_actor.id);
-                if (!permit_row) {
-                    return c.json({ error: ERROR_PERMIT_NOT_FOUND }, 404);
-                }
-                const rc = role_options.get(permit_row.role);
-                if (!rc?.web_grantable) {
-                    void audit_log_fire_and_forget(route, {
-                        event_type: 'permit_revoke',
-                        outcome: 'failure',
-                        actor_id: ctx.actor.id,
-                        account_id: ctx.account.id,
-                        target_account_id: account_id,
-                        ip: get_client_ip(c),
-                        metadata: { role: permit_row.role, permit_id },
-                    }, deps.log, on_audit_event);
-                    return c.json({ error: ERROR_ROLE_NOT_WEB_GRANTABLE }, 403);
-                }
-                const result = await query_revoke_permit(route, permit_id, target_actor.id, ctx.actor.id);
-                if (!result) {
-                    return c.json({ error: ERROR_PERMIT_NOT_FOUND }, 404);
-                }
-                void audit_log_fire_and_forget(route, {
-                    event_type: 'permit_revoke',
-                    actor_id: ctx.actor.id,
-                    account_id: ctx.account.id,
-                    target_account_id: account_id,
-                    ip: get_client_ip(c),
-                    metadata: { role: result.role, permit_id },
-                }, deps.log, on_audit_event);
-                return c.json({ ok: true, revoked: true });
-            },
-        },
-    ];
-};

package/dist/auth/app_settings_routes.d.ts

@@ -1,27 +0,0 @@
-/**
- * Admin app settings route specs.
- *
- * GET and PATCH routes for managing global app settings (e.g. open signup toggle).
- * All routes require the `admin` role.
- *
- * @module
- */
-import { type RouteSpec } from '../http/route_spec.js';
-import { type AppSettings } from './app_settings_schema.js';
-import type { RouteFactoryDeps } from './deps.js';
-/**
- * Per-factory configuration for app settings route specs.
- */
-export interface AppSettingsRouteOptions {
-    /** Mutable ref to the in-memory app settings — mutated on PATCH. */
-    app_settings: AppSettings;
-}
-/**
- * Create admin app settings route specs.
- *
- * @param deps - stateless capabilities (log, on_audit_event)
- * @param options - per-factory configuration
- * @returns route specs for app settings management
- */
-export declare const create_app_settings_route_specs: (deps: Pick<RouteFactoryDeps, "log" | "on_audit_event">, options: AppSettingsRouteOptions) => Array<RouteSpec>;
-//# sourceMappingURL=app_settings_routes.d.ts.map

package/dist/auth/app_settings_routes.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"app_settings_routes.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/app_settings_routes.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAIH,OAAO,EAAkB,KAAK,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAQtE,OAAO,EAGN,KAAK,WAAW,EAChB,MAAM,0BAA0B,CAAC;AAClC,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,WAAW,CAAC;AAEhD;;GAEG;AACH,MAAM,WAAW,uBAAuB;IACvC,oEAAoE;IACpE,YAAY,EAAE,WAAW,CAAC;CAC1B;AAED;;;;;;GAMG;AACH,eAAO,MAAM,+BAA+B,GAC3C,MAAM,IAAI,CAAC,gBAAgB,EAAE,KAAK,GAAG,gBAAgB,CAAC,EACtD,SAAS,uBAAuB,KAC9B,KAAK,CAAC,SAAS,CAoDjB,CAAC"}