@fuzdev/fuz_app 0.29.0 → 0.31.0

package/dist/auth/account_action_specs.d.ts

@@ -0,0 +1,216 @@
+/**
+ * Account RPC action specs — declarative contract for self-service account
+ * operations. Import this module for the specs, Input/Output schemas, and
+ * the `all_account_action_specs` registry. Handlers live in
+ * `./account_actions.js` so consumers doing typed-client codegen or surface
+ * reporting don't transitively drag in server-only query code.
+ *
+ * @module
+ */
+import { z } from 'zod';
+import type { RequestResponseActionSpec } from '../actions/action_spec.js';
+/** Input for `account_verify`. No parameters — the caller is the subject. */
+export declare const VerifyInput: z.ZodNull;
+export type VerifyInput = z.infer<typeof VerifyInput>;
+/** Input for `account_session_list`. No parameters. */
+export declare const SessionListInput: z.ZodNull;
+export type SessionListInput = z.infer<typeof SessionListInput>;
+/** Output for `account_session_list`. */
+export declare const SessionListOutput: z.ZodObject<{
+    sessions: z.ZodArray<z.ZodObject<{
+        id: z.ZodString;
+        account_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+        created_at: z.ZodString;
+        expires_at: z.ZodString;
+        last_seen_at: z.ZodString;
+    }, z.core.$strict>>;
+}, z.core.$strict>;
+export type SessionListOutput = z.infer<typeof SessionListOutput>;
+/** Input for `account_session_revoke`. `session_id` is the blake3 hash. */
+export declare const SessionRevokeInput: z.ZodObject<{
+    session_id: z.ZodString;
+}, z.core.$strict>;
+export type SessionRevokeInput = z.infer<typeof SessionRevokeInput>;
+/** Output for `account_session_revoke`. `revoked` is `false` for IDOR misses. */
+export declare const SessionRevokeOutput: z.ZodObject<{
+    ok: z.ZodLiteral<true>;
+    revoked: z.ZodBoolean;
+}, z.core.$strict>;
+export type SessionRevokeOutput = z.infer<typeof SessionRevokeOutput>;
+/** Input for `account_session_revoke_all`. No parameters. */
+export declare const SessionRevokeAllInput: z.ZodNull;
+export type SessionRevokeAllInput = z.infer<typeof SessionRevokeAllInput>;
+/** Output for `account_session_revoke_all`. */
+export declare const SessionRevokeAllOutput: z.ZodObject<{
+    ok: z.ZodLiteral<true>;
+    count: z.ZodNumber;
+}, z.core.$strict>;
+export type SessionRevokeAllOutput = z.infer<typeof SessionRevokeAllOutput>;
+/** Input for `account_token_create`. */
+export declare const TokenCreateInput: z.ZodObject<{
+    name: z.ZodDefault<z.ZodString>;
+}, z.core.$strict>;
+export type TokenCreateInput = z.infer<typeof TokenCreateInput>;
+/** Output for `account_token_create`. `token` is returned exactly once. */
+export declare const TokenCreateOutput: z.ZodObject<{
+    ok: z.ZodLiteral<true>;
+    token: z.ZodString;
+    id: z.ZodString;
+    name: z.ZodString;
+}, z.core.$strict>;
+export type TokenCreateOutput = z.infer<typeof TokenCreateOutput>;
+/** Input for `account_token_list`. No parameters. */
+export declare const TokenListInput: z.ZodNull;
+export type TokenListInput = z.infer<typeof TokenListInput>;
+/** Output for `account_token_list`. Hashes are excluded. */
+export declare const TokenListOutput: z.ZodObject<{
+    tokens: z.ZodArray<z.ZodObject<{
+        id: z.ZodString;
+        account_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+        name: z.ZodString;
+        expires_at: z.ZodNullable<z.ZodString>;
+        last_used_at: z.ZodNullable<z.ZodString>;
+        last_used_ip: z.ZodNullable<z.ZodString>;
+        created_at: z.ZodString;
+    }, z.core.$strict>>;
+}, z.core.$strict>;
+export type TokenListOutput = z.infer<typeof TokenListOutput>;
+/** Input for `account_token_revoke`. */
+export declare const TokenRevokeInput: z.ZodObject<{
+    token_id: z.ZodString;
+}, z.core.$strict>;
+export type TokenRevokeInput = z.infer<typeof TokenRevokeInput>;
+/** Output for `account_token_revoke`. `revoked` is `false` for IDOR misses. */
+export declare const TokenRevokeOutput: z.ZodObject<{
+    ok: z.ZodLiteral<true>;
+    revoked: z.ZodBoolean;
+}, z.core.$strict>;
+export type TokenRevokeOutput = z.infer<typeof TokenRevokeOutput>;
+export declare const account_verify_action_spec: {
+    method: string;
+    kind: "request_response";
+    initiator: "frontend";
+    auth: "authenticated";
+    side_effects: false;
+    input: z.ZodNull;
+    output: z.ZodObject<{
+        id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+        username: z.ZodString;
+        email: z.ZodNullable<z.ZodEmail>;
+        email_verified: z.ZodBoolean;
+        created_at: z.ZodString;
+    }, z.core.$strict>;
+    async: true;
+    description: string;
+};
+export declare const account_session_list_action_spec: {
+    method: string;
+    kind: "request_response";
+    initiator: "frontend";
+    auth: "authenticated";
+    side_effects: false;
+    input: z.ZodNull;
+    output: z.ZodObject<{
+        sessions: z.ZodArray<z.ZodObject<{
+            id: z.ZodString;
+            account_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+            created_at: z.ZodString;
+            expires_at: z.ZodString;
+            last_seen_at: z.ZodString;
+        }, z.core.$strict>>;
+    }, z.core.$strict>;
+    async: true;
+    description: string;
+};
+export declare const account_session_revoke_action_spec: {
+    method: string;
+    kind: "request_response";
+    initiator: "frontend";
+    auth: "authenticated";
+    side_effects: true;
+    input: z.ZodObject<{
+        session_id: z.ZodString;
+    }, z.core.$strict>;
+    output: z.ZodObject<{
+        ok: z.ZodLiteral<true>;
+        revoked: z.ZodBoolean;
+    }, z.core.$strict>;
+    async: true;
+    description: string;
+};
+export declare const account_session_revoke_all_action_spec: {
+    method: string;
+    kind: "request_response";
+    initiator: "frontend";
+    auth: "authenticated";
+    side_effects: true;
+    input: z.ZodNull;
+    output: z.ZodObject<{
+        ok: z.ZodLiteral<true>;
+        count: z.ZodNumber;
+    }, z.core.$strict>;
+    async: true;
+    description: string;
+};
+export declare const account_token_create_action_spec: {
+    method: string;
+    kind: "request_response";
+    initiator: "frontend";
+    auth: "authenticated";
+    side_effects: true;
+    input: z.ZodObject<{
+        name: z.ZodDefault<z.ZodString>;
+    }, z.core.$strict>;
+    output: z.ZodObject<{
+        ok: z.ZodLiteral<true>;
+        token: z.ZodString;
+        id: z.ZodString;
+        name: z.ZodString;
+    }, z.core.$strict>;
+    async: true;
+    description: string;
+};
+export declare const account_token_list_action_spec: {
+    method: string;
+    kind: "request_response";
+    initiator: "frontend";
+    auth: "authenticated";
+    side_effects: false;
+    input: z.ZodNull;
+    output: z.ZodObject<{
+        tokens: z.ZodArray<z.ZodObject<{
+            id: z.ZodString;
+            account_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+            name: z.ZodString;
+            expires_at: z.ZodNullable<z.ZodString>;
+            last_used_at: z.ZodNullable<z.ZodString>;
+            last_used_ip: z.ZodNullable<z.ZodString>;
+            created_at: z.ZodString;
+        }, z.core.$strict>>;
+    }, z.core.$strict>;
+    async: true;
+    description: string;
+};
+export declare const account_token_revoke_action_spec: {
+    method: string;
+    kind: "request_response";
+    initiator: "frontend";
+    auth: "authenticated";
+    side_effects: true;
+    input: z.ZodObject<{
+        token_id: z.ZodString;
+    }, z.core.$strict>;
+    output: z.ZodObject<{
+        ok: z.ZodLiteral<true>;
+        revoked: z.ZodBoolean;
+    }, z.core.$strict>;
+    async: true;
+    description: string;
+};
+/**
+ * All self-service account action specs — a codegen-ready registry.
+ * Consumers spread this into their own action-spec array to include
+ * account methods in a typed client surface.
+ */
+export declare const all_account_action_specs: Array<RequestResponseActionSpec>;
+//# sourceMappingURL=account_action_specs.d.ts.map

package/dist/auth/account_action_specs.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"account_action_specs.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/account_action_specs.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAGtB,OAAO,KAAK,EAAC,yBAAyB,EAAC,MAAM,2BAA2B,CAAC;AAMzE,6EAA6E;AAC7E,eAAO,MAAM,WAAW,WAAW,CAAC;AACpC,MAAM,MAAM,WAAW,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,WAAW,CAAC,CAAC;AAEtD,uDAAuD;AACvD,eAAO,MAAM,gBAAgB,WAAW,CAAC;AACzC,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC;AAEhE,yCAAyC;AACzC,eAAO,MAAM,iBAAiB;;;;;;;;kBAE5B,CAAC;AACH,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAC;AAElE,2EAA2E;AAC3E,eAAO,MAAM,kBAAkB;;kBAE7B,CAAC;AACH,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAEpE,iFAAiF;AACjF,eAAO,MAAM,mBAAmB;;;kBAG9B,CAAC;AACH,MAAM,MAAM,mBAAmB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAC;AAEtE,6DAA6D;AAC7D,eAAO,MAAM,qBAAqB,WAAW,CAAC;AAC9C,MAAM,MAAM,qBAAqB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,qBAAqB,CAAC,CAAC;AAE1E,+CAA+C;AAC/C,eAAO,MAAM,sBAAsB;;;kBAGjC,CAAC;AACH,MAAM,MAAM,sBAAsB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAC;AAE5E,wCAAwC;AACxC,eAAO,MAAM,gBAAgB;;kBAK3B,CAAC;AACH,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC;AAEhE,2EAA2E;AAC3E,eAAO,MAAM,iBAAiB;;;;;kBAK5B,CAAC;AACH,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAC;AAElE,qDAAqD;AACrD,eAAO,MAAM,cAAc,WAAW,CAAC;AACvC,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,cAAc,CAAC,CAAC;AAE5D,4DAA4D;AAC5D,eAAO,MAAM,eAAe;;;;;;;;;;kBAE1B,CAAC;AACH,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,eAAe,CAAC,CAAC;AAE9D,wCAAwC;AACxC,eAAO,MAAM,gBAAgB;;kBAE3B,CAAC;AACH,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC;AAEhE,+EAA+E;AAC/E,eAAO,MAAM,iBAAiB;;;kBAG5B,CAAC;AACH,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAC;AAIlE,eAAO,MAAM,0BAA0B;;;;;;;;;;;;;;;;CAUF,CAAC;AAEtC,eAAO,MAAM,gCAAgC;;;;;;;;;;;;;;;;;;CAUR,CAAC;AAEtC,eAAO,MAAM,kCAAkC;;;;;;;;;;;;;;;CAUV,CAAC;AAEtC,eAAO,MAAM,sCAAsC;;;;;;;;;;;;;CAUd,CAAC;AAEtC,eAAO,MAAM,gCAAgC;;;;;;;;;;;;;;;;;CAUR,CAAC;AAEtC,eAAO,MAAM,8BAA8B;;;;;;;;;;;;;;;;;;;;CAUN,CAAC;AAEtC,eAAO,MAAM,gCAAgC;;;;;;;;;;;;;;;CAUR,CAAC;AAEtC;;;;GAIG;AACH,eAAO,MAAM,wBAAwB,EAAE,KAAK,CAAC,yBAAyB,CAQrE,CAAC"}

package/dist/auth/account_action_specs.js

@@ -0,0 +1,159 @@
+/**
+ * Account RPC action specs — declarative contract for self-service account
+ * operations. Import this module for the specs, Input/Output schemas, and
+ * the `all_account_action_specs` registry. Handlers live in
+ * `./account_actions.js` so consumers doing typed-client codegen or surface
+ * reporting don't transitively drag in server-only query code.
+ *
+ * @module
+ */
+import { z } from 'zod';
+import { Blake3Hash } from '@fuzdev/fuz_util/hash_blake3.js';
+import { AuthSessionJson, ClientApiTokenJson, SessionAccountJson } from './account_schema.js';
+import { ApiTokenId } from './api_token.js';
+// -- Input/output schemas ---------------------------------------------------
+/** Input for `account_verify`. No parameters — the caller is the subject. */
+export const VerifyInput = z.null();
+/** Input for `account_session_list`. No parameters. */
+export const SessionListInput = z.null();
+/** Output for `account_session_list`. */
+export const SessionListOutput = z.strictObject({
+    sessions: z.array(AuthSessionJson),
+});
+/** Input for `account_session_revoke`. `session_id` is the blake3 hash. */
+export const SessionRevokeInput = z.strictObject({
+    session_id: Blake3Hash.meta({ description: 'Session id (blake3 hash) to revoke.' }),
+});
+/** Output for `account_session_revoke`. `revoked` is `false` for IDOR misses. */
+export const SessionRevokeOutput = z.strictObject({
+    ok: z.literal(true),
+    revoked: z.boolean(),
+});
+/** Input for `account_session_revoke_all`. No parameters. */
+export const SessionRevokeAllInput = z.null();
+/** Output for `account_session_revoke_all`. */
+export const SessionRevokeAllOutput = z.strictObject({
+    ok: z.literal(true),
+    count: z.number(),
+});
+/** Input for `account_token_create`. */
+export const TokenCreateInput = z.strictObject({
+    name: z
+        .string()
+        .default('CLI token')
+        .meta({ description: 'Human-friendly label; shown in the token list.' }),
+});
+/** Output for `account_token_create`. `token` is returned exactly once. */
+export const TokenCreateOutput = z.strictObject({
+    ok: z.literal(true),
+    token: z.string().meta({ description: 'Raw token — shown once, store securely.' }),
+    id: ApiTokenId,
+    name: z.string(),
+});
+/** Input for `account_token_list`. No parameters. */
+export const TokenListInput = z.null();
+/** Output for `account_token_list`. Hashes are excluded. */
+export const TokenListOutput = z.strictObject({
+    tokens: z.array(ClientApiTokenJson),
+});
+/** Input for `account_token_revoke`. */
+export const TokenRevokeInput = z.strictObject({
+    token_id: ApiTokenId.meta({ description: 'Public API token id (e.g. `tok_<12 chars>`).' }),
+});
+/** Output for `account_token_revoke`. `revoked` is `false` for IDOR misses. */
+export const TokenRevokeOutput = z.strictObject({
+    ok: z.literal(true),
+    revoked: z.boolean(),
+});
+// -- Action specs -----------------------------------------------------------
+export const account_verify_action_spec = {
+    method: 'account_verify',
+    kind: 'request_response',
+    initiator: 'frontend',
+    auth: 'authenticated',
+    side_effects: false,
+    input: VerifyInput,
+    output: SessionAccountJson,
+    async: true,
+    description: 'Verify the current session and echo the caller account.',
+};
+export const account_session_list_action_spec = {
+    method: 'account_session_list',
+    kind: 'request_response',
+    initiator: 'frontend',
+    auth: 'authenticated',
+    side_effects: false,
+    input: SessionListInput,
+    output: SessionListOutput,
+    async: true,
+    description: 'List auth sessions for the current account.',
+};
+export const account_session_revoke_action_spec = {
+    method: 'account_session_revoke',
+    kind: 'request_response',
+    initiator: 'frontend',
+    auth: 'authenticated',
+    side_effects: true,
+    input: SessionRevokeInput,
+    output: SessionRevokeOutput,
+    async: true,
+    description: 'Revoke a single auth session for the current account (IDOR-guarded).',
+};
+export const account_session_revoke_all_action_spec = {
+    method: 'account_session_revoke_all',
+    kind: 'request_response',
+    initiator: 'frontend',
+    auth: 'authenticated',
+    side_effects: true,
+    input: SessionRevokeAllInput,
+    output: SessionRevokeAllOutput,
+    async: true,
+    description: 'Revoke every auth session for the current account.',
+};
+export const account_token_create_action_spec = {
+    method: 'account_token_create',
+    kind: 'request_response',
+    initiator: 'frontend',
+    auth: 'authenticated',
+    side_effects: true,
+    input: TokenCreateInput,
+    output: TokenCreateOutput,
+    async: true,
+    description: 'Create an API token for the current account. Raw token is returned once.',
+};
+export const account_token_list_action_spec = {
+    method: 'account_token_list',
+    kind: 'request_response',
+    initiator: 'frontend',
+    auth: 'authenticated',
+    side_effects: false,
+    input: TokenListInput,
+    output: TokenListOutput,
+    async: true,
+    description: 'List API tokens for the current account. Hashes are never returned.',
+};
+export const account_token_revoke_action_spec = {
+    method: 'account_token_revoke',
+    kind: 'request_response',
+    initiator: 'frontend',
+    auth: 'authenticated',
+    side_effects: true,
+    input: TokenRevokeInput,
+    output: TokenRevokeOutput,
+    async: true,
+    description: 'Revoke an API token for the current account (IDOR-guarded).',
+};
+/**
+ * All self-service account action specs — a codegen-ready registry.
+ * Consumers spread this into their own action-spec array to include
+ * account methods in a typed client surface.
+ */
+export const all_account_action_specs = [
+    account_verify_action_spec,
+    account_session_list_action_spec,
+    account_session_revoke_action_spec,
+    account_session_revoke_all_action_spec,
+    account_token_create_action_spec,
+    account_token_list_action_spec,
+    account_token_revoke_action_spec,
+];

package/dist/auth/account_actions.d.ts

@@ -0,0 +1,51 @@
+/**
+ * Account RPC action handlers — self-service operations for the authenticated
+ * account.
+ *
+ * Seven `request_response` actions bound to handlers:
+ *
+ * - Session reads: `account_verify`, `account_session_list`.
+ * - Session mutations: `account_session_revoke`, `account_session_revoke_all`.
+ * - API token management: `account_token_create`, `account_token_list`,
+ *   `account_token_revoke`.
+ *
+ * The action specs themselves live in `./account_action_specs.js`. Every spec
+ * declares `auth: 'authenticated'` so the dispatcher enforces auth before the
+ * handler runs. Revoke operations are account-scoped (via
+ * `query_session_revoke_for_account` / `query_revoke_api_token_for_account`)
+ * so passing another account's session or token id returns `revoked: false`
+ * rather than revealing whether the id exists.
+ *
+ * Counterpart to `account_routes.ts`, which keeps the cookie-lifecycle flows
+ * (`login`, `logout`, `password`, `signup`, `bootstrap`) on REST.
+ *
+ * @module
+ */
+import { type RpcAction } from '../actions/action_rpc.js';
+import type { RouteFactoryDeps } from './deps.js';
+/** Options for `create_account_actions`. */
+export interface AccountActionOptions {
+    /**
+     * Max API tokens per account. When set, `account_token_create` enforces the
+     * cap via `query_api_token_enforce_limit` inside the same transaction —
+     * oldest tokens are evicted once the cap is exceeded. Default
+     * `DEFAULT_MAX_TOKENS`; pass `null` to disable the cap.
+     */
+    max_tokens?: number | null;
+}
+/**
+ * Dependencies for `create_account_actions`.
+ *
+ * Shares shape with `AdminActionDeps` / `PermitOfferActionDeps` so consumers
+ * can pass the same deps to every action factory.
+ */
+export type AccountActionDeps = Pick<RouteFactoryDeps, 'log' | 'on_audit_event'>;
+/**
+ * Create the self-service account RPC actions.
+ *
+ * @param deps - stateless capabilities (log, on_audit_event)
+ * @param options - per-factory configuration
+ * @returns the `RpcAction` array to spread into a `create_rpc_endpoint` call
+ */
+export declare const create_account_actions: (deps: AccountActionDeps, options?: AccountActionOptions) => Array<RpcAction>;
+//# sourceMappingURL=account_actions.d.ts.map

package/dist/auth/account_actions.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"account_actions.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/account_actions.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AAEH,OAAO,EAAiC,KAAK,SAAS,EAAC,MAAM,0BAA0B,CAAC;AAgBxF,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,WAAW,CAAC;AAwBhD,4CAA4C;AAC5C,MAAM,WAAW,oBAAoB;IACpC;;;;;OAKG;IACH,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CAC3B;AAED;;;;;GAKG;AACH,MAAM,MAAM,iBAAiB,GAAG,IAAI,CAAC,gBAAgB,EAAE,KAAK,GAAG,gBAAgB,CAAC,CAAC;AAEjF;;;;;;GAMG;AACH,eAAO,MAAM,sBAAsB,GAClC,MAAM,iBAAiB,EACvB,UAAS,oBAAyB,KAChC,KAAK,CAAC,SAAS,CA8HjB,CAAC"}

package/dist/auth/account_actions.js

@@ -0,0 +1,119 @@
+/**
+ * Account RPC action handlers — self-service operations for the authenticated
+ * account.
+ *
+ * Seven `request_response` actions bound to handlers:
+ *
+ * - Session reads: `account_verify`, `account_session_list`.
+ * - Session mutations: `account_session_revoke`, `account_session_revoke_all`.
+ * - API token management: `account_token_create`, `account_token_list`,
+ *   `account_token_revoke`.
+ *
+ * The action specs themselves live in `./account_action_specs.js`. Every spec
+ * declares `auth: 'authenticated'` so the dispatcher enforces auth before the
+ * handler runs. Revoke operations are account-scoped (via
+ * `query_session_revoke_for_account` / `query_revoke_api_token_for_account`)
+ * so passing another account's session or token id returns `revoked: false`
+ * rather than revealing whether the id exists.
+ *
+ * Counterpart to `account_routes.ts`, which keeps the cookie-lifecycle flows
+ * (`login`, `logout`, `password`, `signup`, `bootstrap`) on REST.
+ *
+ * @module
+ */
+import { rpc_action } from '../actions/action_rpc.js';
+import { to_session_account } from './account_schema.js';
+import { query_session_list_for_account, query_session_revoke_for_account, query_session_revoke_all_for_account, } from './session_queries.js';
+import { query_api_token_enforce_limit, query_api_token_list_for_account, query_create_api_token, query_revoke_api_token_for_account, } from './api_token_queries.js';
+import { generate_api_token } from './api_token.js';
+import { audit_log_fire_and_forget } from './audit_log_queries.js';
+import { DEFAULT_MAX_TOKENS } from './account_routes.js';
+import { account_verify_action_spec, account_session_list_action_spec, account_session_revoke_action_spec, account_session_revoke_all_action_spec, account_token_create_action_spec, account_token_list_action_spec, account_token_revoke_action_spec, } from './account_action_specs.js';
+/**
+ * Create the self-service account RPC actions.
+ *
+ * @param deps - stateless capabilities (log, on_audit_event)
+ * @param options - per-factory configuration
+ * @returns the `RpcAction` array to spread into a `create_rpc_endpoint` call
+ */
+export const create_account_actions = (deps, options = {}) => {
+    const { log, on_audit_event } = deps;
+    const { max_tokens = DEFAULT_MAX_TOKENS } = options;
+    const verify_handler = (_input, ctx) => {
+        const auth = ctx.auth;
+        return to_session_account(auth.account);
+    };
+    const session_list_handler = async (_input, ctx) => {
+        const auth = ctx.auth;
+        const sessions = await query_session_list_for_account(ctx, auth.account.id);
+        return { sessions };
+    };
+    const session_revoke_handler = async (input, ctx) => {
+        const auth = ctx.auth;
+        const revoked = await query_session_revoke_for_account(ctx, input.session_id, auth.account.id);
+        void audit_log_fire_and_forget(ctx, {
+            event_type: 'session_revoke',
+            outcome: revoked ? 'success' : 'failure',
+            actor_id: auth.actor.id,
+            account_id: auth.account.id,
+            ip: ctx.client_ip,
+            metadata: { session_id: input.session_id },
+        }, log, on_audit_event);
+        return { ok: true, revoked };
+    };
+    const session_revoke_all_handler = async (_input, ctx) => {
+        const auth = ctx.auth;
+        const count = await query_session_revoke_all_for_account(ctx, auth.account.id);
+        void audit_log_fire_and_forget(ctx, {
+            event_type: 'session_revoke_all',
+            actor_id: auth.actor.id,
+            account_id: auth.account.id,
+            ip: ctx.client_ip,
+            metadata: { count },
+        }, log, on_audit_event);
+        return { ok: true, count };
+    };
+    const token_create_handler = async (input, ctx) => {
+        const auth = ctx.auth;
+        const { token, id, token_hash } = generate_api_token();
+        await query_create_api_token(ctx, id, auth.account.id, input.name, token_hash);
+        if (max_tokens != null) {
+            await query_api_token_enforce_limit(ctx, auth.account.id, max_tokens);
+        }
+        void audit_log_fire_and_forget(ctx, {
+            event_type: 'token_create',
+            actor_id: auth.actor.id,
+            account_id: auth.account.id,
+            ip: ctx.client_ip,
+            metadata: { token_id: id, name: input.name },
+        }, log, on_audit_event);
+        return { ok: true, token, id, name: input.name };
+    };
+    const token_list_handler = async (_input, ctx) => {
+        const auth = ctx.auth;
+        const tokens = await query_api_token_list_for_account(ctx, auth.account.id);
+        return { tokens };
+    };
+    const token_revoke_handler = async (input, ctx) => {
+        const auth = ctx.auth;
+        const revoked = await query_revoke_api_token_for_account(ctx, input.token_id, auth.account.id);
+        void audit_log_fire_and_forget(ctx, {
+            event_type: 'token_revoke',
+            outcome: revoked ? 'success' : 'failure',
+            actor_id: auth.actor.id,
+            account_id: auth.account.id,
+            ip: ctx.client_ip,
+            metadata: { token_id: input.token_id },
+        }, log, on_audit_event);
+        return { ok: true, revoked };
+    };
+    return [
+        rpc_action(account_verify_action_spec, verify_handler),
+        rpc_action(account_session_list_action_spec, session_list_handler),
+        rpc_action(account_session_revoke_action_spec, session_revoke_handler),
+        rpc_action(account_session_revoke_all_action_spec, session_revoke_all_handler),
+        rpc_action(account_token_create_action_spec, token_create_handler),
+        rpc_action(account_token_list_action_spec, token_list_handler),
+        rpc_action(account_token_revoke_action_spec, token_revoke_handler),
+    ];
+};

package/dist/auth/account_queries.d.ts

@@ -85,9 +85,13 @@ export declare const query_create_account_with_actor: (deps: QueryDeps, input: C
     actor: Actor;
 }>;
 /**
- * List all accounts with their actors and active permits for admin display.
+ * List all accounts with their actors, active permits, and pending inbound
+ * permit offers for admin display.
  *
- * Uses 3 flat queries instead of N+1 per-account loops.
+ * Uses 4 flat queries instead of N+1 per-account loops. Pending offers surface
+ * the "offer pending — awaiting acceptance" UX without a second round-trip;
+ * `message` is intentionally excluded (cross-admin visibility of grantor notes
+ * would expand beyond what the audit log discloses).
  *
  * @param deps - query dependencies
  * @returns admin account entries sorted by creation date

package/dist/auth/account_queries.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"account_queries.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/account_queries.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,qBAAqB,CAAC;AAEnD,OAAO,EAEN,KAAK,OAAO,EACZ,KAAK,KAAK,EACV,KAAK,kBAAkB,EACvB,KAAK,qBAAqB,EAC1B,MAAM,qBAAqB,CAAC;AAE7B;;;;;;GAMG;AACH,eAAO,MAAM,oBAAoB,GAChC,MAAM,SAAS,EACf,OAAO,kBAAkB,KACvB,OAAO,CAAC,OAAO,CAQjB,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,mBAAmB,GAC/B,MAAM,SAAS,EACf,IAAI,MAAM,KACR,OAAO,CAAC,OAAO,GAAG,SAAS,CAE7B,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,yBAAyB,GACrC,MAAM,SAAS,EACf,UAAU,MAAM,KACd,OAAO,CAAC,OAAO,GAAG,SAAS,CAI7B,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,sBAAsB,GAClC,MAAM,SAAS,EACf,OAAO,MAAM,KACX,OAAO,CAAC,OAAO,GAAG,SAAS,CAI7B,CAAC;AAEF;;;;;;;;;;GAUG;AACH,eAAO,MAAM,kCAAkC,GAC9C,MAAM,SAAS,EACf,OAAO,MAAM,KACX,OAAO,CAAC,OAAO,GAAG,SAAS,CAS7B,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,6BAA6B,GACzC,MAAM,SAAS,EACf,IAAI,MAAM,EACV,eAAe,MAAM,EACrB,YAAY,MAAM,GAAG,IAAI,KACvB,OAAO,CAAC,IAAI,CAKd,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,oBAAoB,GAAU,MAAM,SAAS,EAAE,IAAI,MAAM,KAAG,OAAO,CAAC,OAAO,CAKvF,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,qBAAqB,GAAU,MAAM,SAAS,KAAG,OAAO,CAAC,OAAO,CAK5E,CAAC;AAEF;;;;;;;GAOG;AACH,eAAO,MAAM,kBAAkB,GAC9B,MAAM,SAAS,EACf,YAAY,MAAM,EAClB,MAAM,MAAM,KACV,OAAO,CAAC,KAAK,CAMf,CAAC;AAEF;;;;GAIG;AACH,eAAO,MAAM,sBAAsB,GAClC,MAAM,SAAS,EACf,YAAY,MAAM,KAChB,OAAO,CAAC,KAAK,GAAG,SAAS,CAE3B,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,iBAAiB,GAC7B,MAAM,SAAS,EACf,IAAI,MAAM,KACR,OAAO,CAAC,KAAK,GAAG,SAAS,CAE3B,CAAC;AAEF;;;;;;;;GAQG;AACH,eAAO,MAAM,+BAA+B,GAC3C,MAAM,SAAS,EACf,OAAO,kBAAkB,KACvB,OAAO,CAAC;IAAC,OAAO,EAAE,OAAO,CAAC;IAAC,KAAK,EAAE,KAAK,CAAA;CAAC,CAI1C,CAAC;AAYF;;;;;;;GAOG;AACH,eAAO,MAAM,wBAAwB,GACpC,MAAM,SAAS,KACb,OAAO,CAAC,KAAK,CAAC,qBAAqB,CAAC,CA4CtC,CAAC"}
+{"version":3,"file":"account_queries.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/account_queries.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,qBAAqB,CAAC;AAGnD,OAAO,EAEN,KAAK,OAAO,EACZ,KAAK,KAAK,EACV,KAAK,kBAAkB,EACvB,KAAK,qBAAqB,EAC1B,MAAM,qBAAqB,CAAC;AAE7B;;;;;;GAMG;AACH,eAAO,MAAM,oBAAoB,GAChC,MAAM,SAAS,EACf,OAAO,kBAAkB,KACvB,OAAO,CAAC,OAAO,CAQjB,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,mBAAmB,GAC/B,MAAM,SAAS,EACf,IAAI,MAAM,KACR,OAAO,CAAC,OAAO,GAAG,SAAS,CAE7B,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,yBAAyB,GACrC,MAAM,SAAS,EACf,UAAU,MAAM,KACd,OAAO,CAAC,OAAO,GAAG,SAAS,CAI7B,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,sBAAsB,GAClC,MAAM,SAAS,EACf,OAAO,MAAM,KACX,OAAO,CAAC,OAAO,GAAG,SAAS,CAI7B,CAAC;AAEF;;;;;;;;;;GAUG;AACH,eAAO,MAAM,kCAAkC,GAC9C,MAAM,SAAS,EACf,OAAO,MAAM,KACX,OAAO,CAAC,OAAO,GAAG,SAAS,CAS7B,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,6BAA6B,GACzC,MAAM,SAAS,EACf,IAAI,MAAM,EACV,eAAe,MAAM,EACrB,YAAY,MAAM,GAAG,IAAI,KACvB,OAAO,CAAC,IAAI,CAKd,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,oBAAoB,GAAU,MAAM,SAAS,EAAE,IAAI,MAAM,KAAG,OAAO,CAAC,OAAO,CAKvF,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,qBAAqB,GAAU,MAAM,SAAS,KAAG,OAAO,CAAC,OAAO,CAK5E,CAAC;AAEF;;;;;;;GAOG;AACH,eAAO,MAAM,kBAAkB,GAC9B,MAAM,SAAS,EACf,YAAY,MAAM,EAClB,MAAM,MAAM,KACV,OAAO,CAAC,KAAK,CAMf,CAAC;AAEF;;;;GAIG;AACH,eAAO,MAAM,sBAAsB,GAClC,MAAM,SAAS,EACf,YAAY,MAAM,KAChB,OAAO,CAAC,KAAK,GAAG,SAAS,CAE3B,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,iBAAiB,GAC7B,MAAM,SAAS,EACf,IAAI,MAAM,KACR,OAAO,CAAC,KAAK,GAAG,SAAS,CAE3B,CAAC;AAEF;;;;;;;;GAQG;AACH,eAAO,MAAM,+BAA+B,GAC3C,MAAM,SAAS,EACf,OAAO,kBAAkB,KACvB,OAAO,CAAC;IAAC,OAAO,EAAE,OAAO,CAAC;IAAC,KAAK,EAAE,KAAK,CAAA;CAAC,CAI1C,CAAC;AAyBF;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,wBAAwB,GACpC,MAAM,SAAS,KACb,OAAO,CAAC,KAAK,CAAC,qBAAqB,CAAC,CA+EtC,CAAC"}

package/dist/auth/account_queries.js

@@ -123,21 +123,36 @@ export const query_create_account_with_actor = async (deps, input) => {
     return { account, actor };
 };
 /**
- * List all accounts with their actors and active permits for admin display.
+ * List all accounts with their actors, active permits, and pending inbound
+ * permit offers for admin display.
  *
- * Uses 3 flat queries instead of N+1 per-account loops.
+ * Uses 4 flat queries instead of N+1 per-account loops. Pending offers surface
+ * the "offer pending — awaiting acceptance" UX without a second round-trip;
+ * `message` is intentionally excluded (cross-admin visibility of grantor notes
+ * would expand beyond what the audit log discloses).
  *
  * @param deps - query dependencies
  * @returns admin account entries sorted by creation date
  */
 export const query_admin_account_list = async (deps) => {
-    const [accounts, actors, permits] = await Promise.all([
+    const [accounts, actors, permits, pending_offers] = await Promise.all([
         deps.db.query(`SELECT * FROM account ORDER BY created_at`),
         deps.db.query(`SELECT * FROM actor`),
-        deps.db.query(`SELECT id, actor_id, role, created_at, expires_at, granted_by
+        deps.db.query(`SELECT id, actor_id, role, scope_id, created_at, expires_at, granted_by
 			 FROM permit
 			 WHERE revoked_at IS NULL
 			   AND (expires_at IS NULL OR expires_at > NOW())`),
+        deps.db.query(`SELECT po.id, po.to_account_id, po.from_actor_id, po.role, po.scope_id,
+			        po.created_at, po.expires_at, a.username AS from_username
+			 FROM permit_offer po
+			 JOIN actor act ON act.id = po.from_actor_id
+			 JOIN account a ON a.id = act.account_id
+			 WHERE po.accepted_at IS NULL
+			   AND po.declined_at IS NULL
+			   AND po.retracted_at IS NULL
+			   AND po.superseded_at IS NULL
+			   AND po.expires_at > NOW()
+			 ORDER BY po.expires_at ASC`),
     ]);
     // Index actors by account_id (1:1 in v1)
     const actor_by_account = new Map();
@@ -154,19 +169,40 @@ export const query_admin_account_list = async (deps) => {
         }
         list.push(permit);
     }
+    // Group pending offers by recipient account_id
+    const offers_by_account = new Map();
+    for (const offer of pending_offers) {
+        let list = offers_by_account.get(offer.to_account_id);
+        if (!list) {
+            list = [];
+            offers_by_account.set(offer.to_account_id, list);
+        }
+        list.push(offer);
+    }
     return accounts.map((account) => {
         const actor = actor_by_account.get(account.id);
         const actor_permits = actor ? (permits_by_actor.get(actor.id) ?? []) : [];
+        const account_offers = offers_by_account.get(account.id) ?? [];
         return {
             account: to_admin_account(account),
             actor: actor ? { id: actor.id, name: actor.name } : null,
             permits: actor_permits.map((p) => ({
                 id: p.id,
                 role: p.role,
+                scope_id: p.scope_id,
                 created_at: p.created_at,
                 expires_at: p.expires_at,
                 granted_by: p.granted_by,
             })),
+            pending_offers: account_offers.map((o) => ({
+                id: o.id,
+                role: o.role,
+                scope_id: o.scope_id,
+                from_actor_id: o.from_actor_id,
+                from_username: o.from_username,
+                created_at: o.created_at,
+                expires_at: o.expires_at,
+            })),
         };
     });
 };