@fuzdev/fuz_app 0.29.0 → 0.31.0

package/dist/auth/admin_action_specs.d.ts

@@ -0,0 +1,674 @@
+/**
+ * Admin RPC action specs — declarative contract for admin-only operations.
+ *
+ * Import this module for the specs, Input/Output schemas, and the
+ * `all_admin_action_specs` registry. Handlers live in `./admin_actions.js`.
+ *
+ * Authorization is declared at the spec level (`auth: {role: ROLE_ADMIN}`)
+ * so the RPC dispatcher enforces admin before the handler runs and the
+ * generated surface accurately reports the requirement.
+ *
+ * The registry always includes `app_settings_get` / `app_settings_update` —
+ * the runtime factory only wires their handlers when
+ * `AdminActionOptions.app_settings` is provided; dispatch falls back to
+ * `method_not_found` when absent.
+ *
+ * @module
+ */
+import { z } from 'zod';
+import type { RequestResponseActionSpec } from '../actions/action_spec.js';
+/** Max audit-log page size. Mirrors the former REST route's clamp. */
+export declare const AUDIT_LOG_LIST_LIMIT_MAX = 200;
+/** Input for `admin_account_list`. No parameters — the caller is the subject. */
+export declare const AdminAccountListInput: z.ZodNull;
+export type AdminAccountListInput = z.infer<typeof AdminAccountListInput>;
+/** Output for `admin_account_list`. */
+export declare const AdminAccountListOutput: z.ZodObject<{
+    accounts: z.ZodArray<z.ZodObject<{
+        account: z.ZodObject<{
+            id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+            username: z.ZodString;
+            email: z.ZodNullable<z.ZodEmail>;
+            email_verified: z.ZodBoolean;
+            created_at: z.ZodString;
+            updated_at: z.ZodString;
+            updated_by: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+        }, z.core.$strict>;
+        actor: z.ZodNullable<z.ZodObject<{
+            id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+            name: z.ZodString;
+        }, z.core.$strict>>;
+        permits: z.ZodArray<z.ZodObject<{
+            id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+            role: z.ZodString;
+            scope_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+            created_at: z.ZodString;
+            expires_at: z.ZodNullable<z.ZodString>;
+            granted_by: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+        }, z.core.$strict>>;
+        pending_offers: z.ZodArray<z.ZodObject<{
+            id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+            role: z.ZodString;
+            scope_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+            from_actor_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+            from_username: z.ZodString;
+            created_at: z.ZodString;
+            expires_at: z.ZodString;
+        }, z.core.$strict>>;
+    }, z.core.$strict>>;
+    grantable_roles: z.ZodArray<z.ZodString>;
+}, z.core.$strict>;
+export type AdminAccountListOutput = z.infer<typeof AdminAccountListOutput>;
+/** Input for `admin_session_list`. No parameters — reads every active session. */
+export declare const AdminSessionListInput: z.ZodNull;
+export type AdminSessionListInput = z.infer<typeof AdminSessionListInput>;
+/** Output for `admin_session_list`. Cross-account listing; fan-out already scoped by role auth. */
+export declare const AdminSessionListOutput: z.ZodObject<{
+    sessions: z.ZodArray<z.ZodObject<{
+        id: z.ZodString;
+        account_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+        created_at: z.ZodString;
+        expires_at: z.ZodString;
+        last_seen_at: z.ZodString;
+        username: z.ZodString;
+    }, z.core.$strict>>;
+}, z.core.$strict>;
+export type AdminSessionListOutput = z.infer<typeof AdminSessionListOutput>;
+/** Input for `admin_session_revoke_all`. */
+export declare const AdminSessionRevokeAllInput: z.ZodObject<{
+    account_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+}, z.core.$strict>;
+export type AdminSessionRevokeAllInput = z.infer<typeof AdminSessionRevokeAllInput>;
+/** Output for `admin_session_revoke_all`. */
+export declare const AdminSessionRevokeAllOutput: z.ZodObject<{
+    ok: z.ZodLiteral<true>;
+    count: z.ZodNumber;
+}, z.core.$strict>;
+export type AdminSessionRevokeAllOutput = z.infer<typeof AdminSessionRevokeAllOutput>;
+/** Input for `admin_token_revoke_all`. */
+export declare const AdminTokenRevokeAllInput: z.ZodObject<{
+    account_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+}, z.core.$strict>;
+export type AdminTokenRevokeAllInput = z.infer<typeof AdminTokenRevokeAllInput>;
+/** Output for `admin_token_revoke_all`. */
+export declare const AdminTokenRevokeAllOutput: z.ZodObject<{
+    ok: z.ZodLiteral<true>;
+    count: z.ZodNumber;
+}, z.core.$strict>;
+export type AdminTokenRevokeAllOutput = z.infer<typeof AdminTokenRevokeAllOutput>;
+/**
+ * Input for `audit_log_list`. All filter fields are optional — omit for the
+ * default newest-first page. `since_seq` exists for SSE reconnection gap
+ * fill (caller supplies the highest seq seen; server returns everything
+ * after).
+ */
+export declare const AuditLogListInput: z.ZodObject<{
+    event_type: z.ZodOptional<z.ZodNullable<z.ZodEnum<{
+        login: "login";
+        logout: "logout";
+        bootstrap: "bootstrap";
+        signup: "signup";
+        password_change: "password_change";
+        session_revoke: "session_revoke";
+        session_revoke_all: "session_revoke_all";
+        token_create: "token_create";
+        token_revoke: "token_revoke";
+        token_revoke_all: "token_revoke_all";
+        permit_grant: "permit_grant";
+        permit_revoke: "permit_revoke";
+        permit_offer_create: "permit_offer_create";
+        permit_offer_accept: "permit_offer_accept";
+        permit_offer_decline: "permit_offer_decline";
+        permit_offer_retract: "permit_offer_retract";
+        permit_offer_expire: "permit_offer_expire";
+        permit_offer_supersede: "permit_offer_supersede";
+        invite_create: "invite_create";
+        invite_delete: "invite_delete";
+        app_settings_update: "app_settings_update";
+    }>>>;
+    outcome: z.ZodOptional<z.ZodNullable<z.ZodEnum<{
+        success: "success";
+        failure: "failure";
+    }>>>;
+    account_id: z.ZodOptional<z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>>;
+    limit: z.ZodOptional<z.ZodNullable<z.ZodNumber>>;
+    offset: z.ZodOptional<z.ZodNullable<z.ZodNumber>>;
+    since_seq: z.ZodOptional<z.ZodNullable<z.ZodNumber>>;
+}, z.core.$strict>;
+export type AuditLogListInput = z.infer<typeof AuditLogListInput>;
+/** Output for `audit_log_list`. */
+export declare const AuditLogListOutput: z.ZodObject<{
+    events: z.ZodArray<z.ZodObject<{
+        id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+        seq: z.ZodNumber;
+        event_type: z.ZodEnum<{
+            login: "login";
+            logout: "logout";
+            bootstrap: "bootstrap";
+            signup: "signup";
+            password_change: "password_change";
+            session_revoke: "session_revoke";
+            session_revoke_all: "session_revoke_all";
+            token_create: "token_create";
+            token_revoke: "token_revoke";
+            token_revoke_all: "token_revoke_all";
+            permit_grant: "permit_grant";
+            permit_revoke: "permit_revoke";
+            permit_offer_create: "permit_offer_create";
+            permit_offer_accept: "permit_offer_accept";
+            permit_offer_decline: "permit_offer_decline";
+            permit_offer_retract: "permit_offer_retract";
+            permit_offer_expire: "permit_offer_expire";
+            permit_offer_supersede: "permit_offer_supersede";
+            invite_create: "invite_create";
+            invite_delete: "invite_delete";
+            app_settings_update: "app_settings_update";
+        }>;
+        outcome: z.ZodEnum<{
+            success: "success";
+            failure: "failure";
+        }>;
+        actor_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+        account_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+        target_account_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+        ip: z.ZodNullable<z.ZodString>;
+        created_at: z.ZodString;
+        metadata: z.ZodNullable<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+        username: z.ZodNullable<z.ZodString>;
+        target_username: z.ZodNullable<z.ZodString>;
+    }, z.core.$strict>>;
+}, z.core.$strict>;
+export type AuditLogListOutput = z.infer<typeof AuditLogListOutput>;
+/** Input for `audit_log_permit_history`. */
+export declare const AuditLogPermitHistoryInput: z.ZodObject<{
+    limit: z.ZodOptional<z.ZodNullable<z.ZodNumber>>;
+    offset: z.ZodOptional<z.ZodNullable<z.ZodNumber>>;
+}, z.core.$strict>;
+export type AuditLogPermitHistoryInput = z.infer<typeof AuditLogPermitHistoryInput>;
+/** Output for `audit_log_permit_history`. */
+export declare const AuditLogPermitHistoryOutput: z.ZodObject<{
+    events: z.ZodArray<z.ZodObject<{
+        id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+        seq: z.ZodNumber;
+        event_type: z.ZodEnum<{
+            login: "login";
+            logout: "logout";
+            bootstrap: "bootstrap";
+            signup: "signup";
+            password_change: "password_change";
+            session_revoke: "session_revoke";
+            session_revoke_all: "session_revoke_all";
+            token_create: "token_create";
+            token_revoke: "token_revoke";
+            token_revoke_all: "token_revoke_all";
+            permit_grant: "permit_grant";
+            permit_revoke: "permit_revoke";
+            permit_offer_create: "permit_offer_create";
+            permit_offer_accept: "permit_offer_accept";
+            permit_offer_decline: "permit_offer_decline";
+            permit_offer_retract: "permit_offer_retract";
+            permit_offer_expire: "permit_offer_expire";
+            permit_offer_supersede: "permit_offer_supersede";
+            invite_create: "invite_create";
+            invite_delete: "invite_delete";
+            app_settings_update: "app_settings_update";
+        }>;
+        outcome: z.ZodEnum<{
+            success: "success";
+            failure: "failure";
+        }>;
+        actor_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+        account_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+        target_account_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+        ip: z.ZodNullable<z.ZodString>;
+        created_at: z.ZodString;
+        metadata: z.ZodNullable<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+        username: z.ZodNullable<z.ZodString>;
+        target_username: z.ZodNullable<z.ZodString>;
+    }, z.core.$strict>>;
+}, z.core.$strict>;
+export type AuditLogPermitHistoryOutput = z.infer<typeof AuditLogPermitHistoryOutput>;
+/** Input for `invite_create`. At least one of `email` / `username` must be provided. */
+export declare const InviteCreateInput: z.ZodObject<{
+    email: z.ZodOptional<z.ZodNullable<z.ZodEmail>>;
+    username: z.ZodOptional<z.ZodNullable<z.ZodString>>;
+}, z.core.$strict>;
+export type InviteCreateInput = z.infer<typeof InviteCreateInput>;
+/** Output for `invite_create`. */
+export declare const InviteCreateOutput: z.ZodObject<{
+    ok: z.ZodLiteral<true>;
+    invite: z.ZodObject<{
+        id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+        email: z.ZodNullable<z.ZodEmail>;
+        username: z.ZodNullable<z.ZodString>;
+        claimed_by: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+        claimed_at: z.ZodNullable<z.ZodString>;
+        created_at: z.ZodString;
+        created_by: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+    }, z.core.$strict>;
+}, z.core.$strict>;
+export type InviteCreateOutput = z.infer<typeof InviteCreateOutput>;
+/** Input for `invite_list`. */
+export declare const InviteListInput: z.ZodNull;
+export type InviteListInput = z.infer<typeof InviteListInput>;
+/** Output for `invite_list`. Uses the enriched row including creator/claimer usernames. */
+export declare const InviteListOutput: z.ZodObject<{
+    invites: z.ZodArray<z.ZodObject<{
+        id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+        email: z.ZodNullable<z.ZodEmail>;
+        username: z.ZodNullable<z.ZodString>;
+        claimed_by: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+        claimed_at: z.ZodNullable<z.ZodString>;
+        created_at: z.ZodString;
+        created_by: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+        created_by_username: z.ZodNullable<z.ZodString>;
+        claimed_by_username: z.ZodNullable<z.ZodString>;
+    }, z.core.$strict>>;
+}, z.core.$strict>;
+export type InviteListOutput = z.infer<typeof InviteListOutput>;
+/** Input for `invite_delete`. */
+export declare const InviteDeleteInput: z.ZodObject<{
+    invite_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+}, z.core.$strict>;
+export type InviteDeleteInput = z.infer<typeof InviteDeleteInput>;
+/** Output for `invite_delete`. */
+export declare const InviteDeleteOutput: z.ZodObject<{
+    ok: z.ZodLiteral<true>;
+}, z.core.$strict>;
+export type InviteDeleteOutput = z.infer<typeof InviteDeleteOutput>;
+/** Input for `app_settings_get`. No parameters. */
+export declare const AppSettingsGetInput: z.ZodNull;
+export type AppSettingsGetInput = z.infer<typeof AppSettingsGetInput>;
+/** Output for `app_settings_get`. */
+export declare const AppSettingsGetOutput: z.ZodObject<{
+    settings: z.ZodObject<{
+        open_signup: z.ZodBoolean;
+        updated_at: z.ZodNullable<z.ZodString>;
+        updated_by: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+        updated_by_username: z.ZodNullable<z.ZodString>;
+    }, z.core.$strict>;
+}, z.core.$strict>;
+export type AppSettingsGetOutput = z.infer<typeof AppSettingsGetOutput>;
+/** Input for `app_settings_update`. */
+export declare const AppSettingsUpdateInput: z.ZodObject<{
+    open_signup: z.ZodBoolean;
+}, z.core.$strict>;
+export type AppSettingsUpdateInput = z.infer<typeof AppSettingsUpdateInput>;
+/** Output for `app_settings_update`. */
+export declare const AppSettingsUpdateOutput: z.ZodObject<{
+    ok: z.ZodLiteral<true>;
+    settings: z.ZodObject<{
+        open_signup: z.ZodBoolean;
+        updated_at: z.ZodNullable<z.ZodString>;
+        updated_by: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+        updated_by_username: z.ZodNullable<z.ZodString>;
+    }, z.core.$strict>;
+}, z.core.$strict>;
+export type AppSettingsUpdateOutput = z.infer<typeof AppSettingsUpdateOutput>;
+export declare const admin_account_list_action_spec: {
+    method: string;
+    kind: "request_response";
+    initiator: "frontend";
+    auth: {
+        role: string;
+    };
+    side_effects: false;
+    input: z.ZodNull;
+    output: z.ZodObject<{
+        accounts: z.ZodArray<z.ZodObject<{
+            account: z.ZodObject<{
+                id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+                username: z.ZodString;
+                email: z.ZodNullable<z.ZodEmail>;
+                email_verified: z.ZodBoolean;
+                created_at: z.ZodString;
+                updated_at: z.ZodString;
+                updated_by: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+            }, z.core.$strict>;
+            actor: z.ZodNullable<z.ZodObject<{
+                id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+                name: z.ZodString;
+            }, z.core.$strict>>;
+            permits: z.ZodArray<z.ZodObject<{
+                id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+                role: z.ZodString;
+                scope_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+                created_at: z.ZodString;
+                expires_at: z.ZodNullable<z.ZodString>;
+                granted_by: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+            }, z.core.$strict>>;
+            pending_offers: z.ZodArray<z.ZodObject<{
+                id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+                role: z.ZodString;
+                scope_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+                from_actor_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+                from_username: z.ZodString;
+                created_at: z.ZodString;
+                expires_at: z.ZodString;
+            }, z.core.$strict>>;
+        }, z.core.$strict>>;
+        grantable_roles: z.ZodArray<z.ZodString>;
+    }, z.core.$strict>;
+    async: true;
+    description: string;
+};
+export declare const admin_session_list_action_spec: {
+    method: string;
+    kind: "request_response";
+    initiator: "frontend";
+    auth: {
+        role: string;
+    };
+    side_effects: false;
+    input: z.ZodNull;
+    output: z.ZodObject<{
+        sessions: z.ZodArray<z.ZodObject<{
+            id: z.ZodString;
+            account_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+            created_at: z.ZodString;
+            expires_at: z.ZodString;
+            last_seen_at: z.ZodString;
+            username: z.ZodString;
+        }, z.core.$strict>>;
+    }, z.core.$strict>;
+    async: true;
+    description: string;
+};
+export declare const admin_session_revoke_all_action_spec: {
+    method: string;
+    kind: "request_response";
+    initiator: "frontend";
+    auth: {
+        role: string;
+    };
+    side_effects: true;
+    input: z.ZodObject<{
+        account_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+    }, z.core.$strict>;
+    output: z.ZodObject<{
+        ok: z.ZodLiteral<true>;
+        count: z.ZodNumber;
+    }, z.core.$strict>;
+    async: true;
+    description: string;
+};
+export declare const admin_token_revoke_all_action_spec: {
+    method: string;
+    kind: "request_response";
+    initiator: "frontend";
+    auth: {
+        role: string;
+    };
+    side_effects: true;
+    input: z.ZodObject<{
+        account_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+    }, z.core.$strict>;
+    output: z.ZodObject<{
+        ok: z.ZodLiteral<true>;
+        count: z.ZodNumber;
+    }, z.core.$strict>;
+    async: true;
+    description: string;
+};
+export declare const audit_log_list_action_spec: {
+    method: string;
+    kind: "request_response";
+    initiator: "frontend";
+    auth: {
+        role: string;
+    };
+    side_effects: false;
+    input: z.ZodObject<{
+        event_type: z.ZodOptional<z.ZodNullable<z.ZodEnum<{
+            login: "login";
+            logout: "logout";
+            bootstrap: "bootstrap";
+            signup: "signup";
+            password_change: "password_change";
+            session_revoke: "session_revoke";
+            session_revoke_all: "session_revoke_all";
+            token_create: "token_create";
+            token_revoke: "token_revoke";
+            token_revoke_all: "token_revoke_all";
+            permit_grant: "permit_grant";
+            permit_revoke: "permit_revoke";
+            permit_offer_create: "permit_offer_create";
+            permit_offer_accept: "permit_offer_accept";
+            permit_offer_decline: "permit_offer_decline";
+            permit_offer_retract: "permit_offer_retract";
+            permit_offer_expire: "permit_offer_expire";
+            permit_offer_supersede: "permit_offer_supersede";
+            invite_create: "invite_create";
+            invite_delete: "invite_delete";
+            app_settings_update: "app_settings_update";
+        }>>>;
+        outcome: z.ZodOptional<z.ZodNullable<z.ZodEnum<{
+            success: "success";
+            failure: "failure";
+        }>>>;
+        account_id: z.ZodOptional<z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>>;
+        limit: z.ZodOptional<z.ZodNullable<z.ZodNumber>>;
+        offset: z.ZodOptional<z.ZodNullable<z.ZodNumber>>;
+        since_seq: z.ZodOptional<z.ZodNullable<z.ZodNumber>>;
+    }, z.core.$strict>;
+    output: z.ZodObject<{
+        events: z.ZodArray<z.ZodObject<{
+            id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+            seq: z.ZodNumber;
+            event_type: z.ZodEnum<{
+                login: "login";
+                logout: "logout";
+                bootstrap: "bootstrap";
+                signup: "signup";
+                password_change: "password_change";
+                session_revoke: "session_revoke";
+                session_revoke_all: "session_revoke_all";
+                token_create: "token_create";
+                token_revoke: "token_revoke";
+                token_revoke_all: "token_revoke_all";
+                permit_grant: "permit_grant";
+                permit_revoke: "permit_revoke";
+                permit_offer_create: "permit_offer_create";
+                permit_offer_accept: "permit_offer_accept";
+                permit_offer_decline: "permit_offer_decline";
+                permit_offer_retract: "permit_offer_retract";
+                permit_offer_expire: "permit_offer_expire";
+                permit_offer_supersede: "permit_offer_supersede";
+                invite_create: "invite_create";
+                invite_delete: "invite_delete";
+                app_settings_update: "app_settings_update";
+            }>;
+            outcome: z.ZodEnum<{
+                success: "success";
+                failure: "failure";
+            }>;
+            actor_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+            account_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+            target_account_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+            ip: z.ZodNullable<z.ZodString>;
+            created_at: z.ZodString;
+            metadata: z.ZodNullable<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+            username: z.ZodNullable<z.ZodString>;
+            target_username: z.ZodNullable<z.ZodString>;
+        }, z.core.$strict>>;
+    }, z.core.$strict>;
+    async: true;
+    description: string;
+};
+export declare const audit_log_permit_history_action_spec: {
+    method: string;
+    kind: "request_response";
+    initiator: "frontend";
+    auth: {
+        role: string;
+    };
+    side_effects: false;
+    input: z.ZodObject<{
+        limit: z.ZodOptional<z.ZodNullable<z.ZodNumber>>;
+        offset: z.ZodOptional<z.ZodNullable<z.ZodNumber>>;
+    }, z.core.$strict>;
+    output: z.ZodObject<{
+        events: z.ZodArray<z.ZodObject<{
+            id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+            seq: z.ZodNumber;
+            event_type: z.ZodEnum<{
+                login: "login";
+                logout: "logout";
+                bootstrap: "bootstrap";
+                signup: "signup";
+                password_change: "password_change";
+                session_revoke: "session_revoke";
+                session_revoke_all: "session_revoke_all";
+                token_create: "token_create";
+                token_revoke: "token_revoke";
+                token_revoke_all: "token_revoke_all";
+                permit_grant: "permit_grant";
+                permit_revoke: "permit_revoke";
+                permit_offer_create: "permit_offer_create";
+                permit_offer_accept: "permit_offer_accept";
+                permit_offer_decline: "permit_offer_decline";
+                permit_offer_retract: "permit_offer_retract";
+                permit_offer_expire: "permit_offer_expire";
+                permit_offer_supersede: "permit_offer_supersede";
+                invite_create: "invite_create";
+                invite_delete: "invite_delete";
+                app_settings_update: "app_settings_update";
+            }>;
+            outcome: z.ZodEnum<{
+                success: "success";
+                failure: "failure";
+            }>;
+            actor_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+            account_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+            target_account_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+            ip: z.ZodNullable<z.ZodString>;
+            created_at: z.ZodString;
+            metadata: z.ZodNullable<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+            username: z.ZodNullable<z.ZodString>;
+            target_username: z.ZodNullable<z.ZodString>;
+        }, z.core.$strict>>;
+    }, z.core.$strict>;
+    async: true;
+    description: string;
+};
+export declare const invite_create_action_spec: {
+    method: string;
+    kind: "request_response";
+    initiator: "frontend";
+    auth: {
+        role: string;
+    };
+    side_effects: true;
+    input: z.ZodObject<{
+        email: z.ZodOptional<z.ZodNullable<z.ZodEmail>>;
+        username: z.ZodOptional<z.ZodNullable<z.ZodString>>;
+    }, z.core.$strict>;
+    output: z.ZodObject<{
+        ok: z.ZodLiteral<true>;
+        invite: z.ZodObject<{
+            id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+            email: z.ZodNullable<z.ZodEmail>;
+            username: z.ZodNullable<z.ZodString>;
+            claimed_by: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+            claimed_at: z.ZodNullable<z.ZodString>;
+            created_at: z.ZodString;
+            created_by: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+        }, z.core.$strict>;
+    }, z.core.$strict>;
+    async: true;
+    description: string;
+};
+export declare const invite_list_action_spec: {
+    method: string;
+    kind: "request_response";
+    initiator: "frontend";
+    auth: {
+        role: string;
+    };
+    side_effects: false;
+    input: z.ZodNull;
+    output: z.ZodObject<{
+        invites: z.ZodArray<z.ZodObject<{
+            id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+            email: z.ZodNullable<z.ZodEmail>;
+            username: z.ZodNullable<z.ZodString>;
+            claimed_by: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+            claimed_at: z.ZodNullable<z.ZodString>;
+            created_at: z.ZodString;
+            created_by: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+            created_by_username: z.ZodNullable<z.ZodString>;
+            claimed_by_username: z.ZodNullable<z.ZodString>;
+        }, z.core.$strict>>;
+    }, z.core.$strict>;
+    async: true;
+    description: string;
+};
+export declare const invite_delete_action_spec: {
+    method: string;
+    kind: "request_response";
+    initiator: "frontend";
+    auth: {
+        role: string;
+    };
+    side_effects: true;
+    input: z.ZodObject<{
+        invite_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+    }, z.core.$strict>;
+    output: z.ZodObject<{
+        ok: z.ZodLiteral<true>;
+    }, z.core.$strict>;
+    async: true;
+    description: string;
+};
+export declare const app_settings_get_action_spec: {
+    method: string;
+    kind: "request_response";
+    initiator: "frontend";
+    auth: {
+        role: string;
+    };
+    side_effects: false;
+    input: z.ZodNull;
+    output: z.ZodObject<{
+        settings: z.ZodObject<{
+            open_signup: z.ZodBoolean;
+            updated_at: z.ZodNullable<z.ZodString>;
+            updated_by: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+            updated_by_username: z.ZodNullable<z.ZodString>;
+        }, z.core.$strict>;
+    }, z.core.$strict>;
+    async: true;
+    description: string;
+};
+export declare const app_settings_update_action_spec: {
+    method: string;
+    kind: "request_response";
+    initiator: "frontend";
+    auth: {
+        role: string;
+    };
+    side_effects: true;
+    input: z.ZodObject<{
+        open_signup: z.ZodBoolean;
+    }, z.core.$strict>;
+    output: z.ZodObject<{
+        ok: z.ZodLiteral<true>;
+        settings: z.ZodObject<{
+            open_signup: z.ZodBoolean;
+            updated_at: z.ZodNullable<z.ZodString>;
+            updated_by: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+            updated_by_username: z.ZodNullable<z.ZodString>;
+        }, z.core.$strict>;
+    }, z.core.$strict>;
+    async: true;
+    description: string;
+};
+/**
+ * All admin action specs — a codegen-ready registry. Consumers spread this
+ * into their own action-spec array to include admin methods in a typed
+ * client surface. Always includes the two app-settings specs; the runtime
+ * factory only wires their handlers when `AdminActionOptions.app_settings`
+ * is provided.
+ */
+export declare const all_admin_action_specs: Array<RequestResponseActionSpec>;
+//# sourceMappingURL=admin_action_specs.d.ts.map

package/dist/auth/admin_action_specs.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"admin_action_specs.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/admin_action_specs.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAEtB,OAAO,KAAK,EAAC,yBAAyB,EAAC,MAAM,2BAA2B,CAAC;AAezE,sEAAsE;AACtE,eAAO,MAAM,wBAAwB,MAAM,CAAC;AAI5C,iFAAiF;AACjF,eAAO,MAAM,qBAAqB,WAAW,CAAC;AAC9C,MAAM,MAAM,qBAAqB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,qBAAqB,CAAC,CAAC;AAE1E,uCAAuC;AACvC,eAAO,MAAM,sBAAsB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;kBAGjC,CAAC;AACH,MAAM,MAAM,sBAAsB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAC;AAE5E,kFAAkF;AAClF,eAAO,MAAM,qBAAqB,WAAW,CAAC;AAC9C,MAAM,MAAM,qBAAqB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,qBAAqB,CAAC,CAAC;AAE1E,mGAAmG;AACnG,eAAO,MAAM,sBAAsB;;;;;;;;;kBAEjC,CAAC;AACH,MAAM,MAAM,sBAAsB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAC;AAE5E,4CAA4C;AAC5C,eAAO,MAAM,0BAA0B;;kBAErC,CAAC;AACH,MAAM,MAAM,0BAA0B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,0BAA0B,CAAC,CAAC;AAEpF,6CAA6C;AAC7C,eAAO,MAAM,2BAA2B;;;kBAGtC,CAAC;AACH,MAAM,MAAM,2BAA2B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,2BAA2B,CAAC,CAAC;AAEtF,0CAA0C;AAC1C,eAAO,MAAM,wBAAwB;;kBAEnC,CAAC;AACH,MAAM,MAAM,wBAAwB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,wBAAwB,CAAC,CAAC;AAEhF,2CAA2C;AAC3C,eAAO,MAAM,yBAAyB;;;kBAGpC,CAAC;AACH,MAAM,MAAM,yBAAyB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,yBAAyB,CAAC,CAAC;AAElF;;;;;GAKG;AACH,eAAO,MAAM,iBAAiB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;kBAmB5B,CAAC;AACH,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAC;AAElE,mCAAmC;AACnC,eAAO,MAAM,kBAAkB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;kBAE7B,CAAC;AACH,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAEpE,4CAA4C;AAC5C,eAAO,MAAM,0BAA0B;;;kBAWrC,CAAC;AACH,MAAM,MAAM,0BAA0B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,0BAA0B,CAAC,CAAC;AAEpF,6CAA6C;AAC7C,eAAO,MAAM,2BAA2B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;kBAEtC,CAAC;AACH,MAAM,MAAM,2BAA2B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,2BAA2B,CAAC,CAAC;AAEtF,wFAAwF;AACxF,eAAO,MAAM,iBAAiB;;;kBAG5B,CAAC;AACH,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAC;AAElE,kCAAkC;AAClC,eAAO,MAAM,kBAAkB;;;;;;;;;;;kBAG7B,CAAC;AACH,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAEpE,+BAA+B;AAC/B,eAAO,MAAM,eAAe,WAAW,CAAC;AACxC,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,eAAe,CAAC,CAAC;AAE9D,2FAA2F;AAC3F,eAAO,MAAM,gBAAgB;;;;;;;;;;;;kBAE3B,CAAC;AACH,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC;AAEhE,iCAAiC;AACjC,eAAO,MAAM,iBAAiB;;kBAE5B,CAAC;AACH,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAC;AAElE,kCAAkC;AAClC,eAAO,MAAM,kBAAkB;;kBAE7B,CAAC;AACH,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAEpE,mDAAmD;AACnD,eAAO,MAAM,mBAAmB,WAAW,CAAC;AAC5C,MAAM,MAAM,mBAAmB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAC;AAEtE,qCAAqC;AACrC,eAAO,MAAM,oBAAoB;;;;;;;kBAE/B,CAAC;AACH,MAAM,MAAM,oBAAoB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAC;AAExE,uCAAuC;AACvC,eAAO,MAAM,sBAAsB;;kBAEjC,CAAC;AACH,MAAM,MAAM,sBAAsB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAC;AAE5E,wCAAwC;AACxC,eAAO,MAAM,uBAAuB;;;;;;;;kBAGlC,CAAC;AACH,MAAM,MAAM,uBAAuB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,uBAAuB,CAAC,CAAC;AAI9E,eAAO,MAAM,8BAA8B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAUN,CAAC;AAEtC,eAAO,MAAM,8BAA8B;;;;;;;;;;;;;;;;;;;;;CAUN,CAAC;AAEtC,eAAO,MAAM,oCAAoC;;;;;;;;;;;;;;;;;CAUZ,CAAC;AAEtC,eAAO,MAAM,kCAAkC;;;;;;;;;;;;;;;;;CAUV,CAAC;AAEtC,eAAO,MAAM,0BAA0B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAUF,CAAC;AAEtC,eAAO,MAAM,oCAAoC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAUZ,CAAC;AAEtC,eAAO,MAAM,yBAAyB;;;;;;;;;;;;;;;;;;;;;;;;;;CAUD,CAAC;AAEtC,eAAO,MAAM,uBAAuB;;;;;;;;;;;;;;;;;;;;;;;;CAUC,CAAC;AAEtC,eAAO,MAAM,yBAAyB;;;;;;;;;;;;;;;;CAUD,CAAC;AAEtC,eAAO,MAAM,4BAA4B;;;;;;;;;;;;;;;;;;;CAUJ,CAAC;AAEtC,eAAO,MAAM,+BAA+B;;;;;;;;;;;;;;;;;;;;;;CAUP,CAAC;AAEtC;;;;;;GAMG;AACH,eAAO,MAAM,sBAAsB,EAAE,KAAK,CAAC,yBAAyB,CAYnE,CAAC"}