npm - @fuzdev/fuz_app - Versions diffs - 0.30.0 → 0.31.0 - Mend

@fuzdev/fuz_app 0.30.0 → 0.31.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (207) hide show

package/dist/actions/CLAUDE.md +630 -0
package/dist/actions/action_rpc.d.ts +29 -0
package/dist/actions/action_rpc.d.ts.map +1 -1
package/dist/actions/action_rpc.js +42 -6
package/dist/actions/action_types.d.ts +2 -2
package/dist/actions/cancel.d.ts +12 -13
package/dist/actions/cancel.d.ts.map +1 -1
package/dist/actions/cancel.js +10 -13
package/dist/actions/heartbeat.d.ts +8 -13
package/dist/actions/heartbeat.d.ts.map +1 -1
package/dist/actions/heartbeat.js +5 -8
package/dist/actions/register_action_ws.d.ts +3 -3
package/dist/actions/register_action_ws.js +2 -2
package/dist/actions/register_ws_endpoint.d.ts +4 -4
package/dist/actions/register_ws_endpoint.d.ts.map +1 -1
package/dist/actions/register_ws_endpoint.js +3 -3
package/dist/actions/socket.svelte.d.ts +16 -16
package/dist/actions/socket.svelte.d.ts.map +1 -1
package/dist/actions/socket.svelte.js +15 -15
package/dist/actions/transports_ws_auth_guard.d.ts.map +1 -1
package/dist/auth/CLAUDE.md +923 -0
package/dist/auth/account_action_specs.d.ts +216 -0
package/dist/auth/account_action_specs.d.ts.map +1 -0
package/dist/auth/account_action_specs.js +159 -0
package/dist/auth/account_actions.d.ts +51 -0
package/dist/auth/account_actions.d.ts.map +1 -0
package/dist/auth/account_actions.js +119 -0
package/dist/auth/account_queries.d.ts +6 -2
package/dist/auth/account_queries.d.ts.map +1 -1
package/dist/auth/account_queries.js +40 -4
package/dist/auth/account_routes.d.ts +94 -16
package/dist/auth/account_routes.d.ts.map +1 -1
package/dist/auth/account_routes.js +108 -180
package/dist/auth/account_schema.d.ts +85 -30
package/dist/auth/account_schema.d.ts.map +1 -1
package/dist/auth/account_schema.js +40 -8
package/dist/auth/admin_action_specs.d.ts +674 -0
package/dist/auth/admin_action_specs.d.ts.map +1 -0
package/dist/auth/admin_action_specs.js +287 -0
package/dist/auth/admin_actions.d.ts +69 -0
package/dist/auth/admin_actions.d.ts.map +1 -0
package/dist/auth/admin_actions.js +256 -0
package/dist/auth/api_token.d.ts +10 -0
package/dist/auth/api_token.d.ts.map +1 -1
package/dist/auth/api_token.js +9 -0
package/dist/auth/api_token_queries.d.ts +3 -3
package/dist/auth/api_token_queries.js +3 -3
package/dist/auth/app_settings_schema.d.ts +4 -3
package/dist/auth/app_settings_schema.d.ts.map +1 -1
package/dist/auth/app_settings_schema.js +2 -1
package/dist/auth/audit_log_routes.d.ts +14 -6
package/dist/auth/audit_log_routes.d.ts.map +1 -1
package/dist/auth/audit_log_routes.js +22 -79
package/dist/auth/audit_log_schema.d.ts +100 -29
package/dist/auth/audit_log_schema.d.ts.map +1 -1
package/dist/auth/audit_log_schema.js +83 -11
package/dist/auth/bootstrap_routes.d.ts +14 -0
package/dist/auth/bootstrap_routes.d.ts.map +1 -1
package/dist/auth/bootstrap_routes.js +10 -3
package/dist/auth/cleanup.d.ts +63 -0
package/dist/auth/cleanup.d.ts.map +1 -0
package/dist/auth/cleanup.js +80 -0
package/dist/auth/invite_schema.d.ts +11 -10
package/dist/auth/invite_schema.d.ts.map +1 -1
package/dist/auth/invite_schema.js +4 -3
package/dist/auth/migrations.d.ts +6 -0
package/dist/auth/migrations.d.ts.map +1 -1
package/dist/auth/migrations.js +28 -0
package/dist/auth/permit_offer_action_specs.d.ts +364 -0
package/dist/auth/permit_offer_action_specs.d.ts.map +1 -0
package/dist/auth/permit_offer_action_specs.js +216 -0
package/dist/auth/permit_offer_actions.d.ts +96 -0
package/dist/auth/permit_offer_actions.d.ts.map +1 -0
package/dist/auth/permit_offer_actions.js +428 -0
package/dist/auth/permit_offer_notifications.d.ts +361 -0
package/dist/auth/permit_offer_notifications.d.ts.map +1 -0
package/dist/auth/permit_offer_notifications.js +179 -0
package/dist/auth/permit_offer_queries.d.ts +165 -0
package/dist/auth/permit_offer_queries.d.ts.map +1 -0
package/dist/auth/permit_offer_queries.js +390 -0
package/dist/auth/permit_offer_schema.d.ts +103 -0
package/dist/auth/permit_offer_schema.d.ts.map +1 -0
package/dist/auth/permit_offer_schema.js +142 -0
package/dist/auth/permit_queries.d.ts +77 -14
package/dist/auth/permit_queries.d.ts.map +1 -1
package/dist/auth/permit_queries.js +119 -24
package/dist/auth/session_queries.d.ts +4 -2
package/dist/auth/session_queries.d.ts.map +1 -1
package/dist/auth/session_queries.js +4 -2
package/dist/auth/signup_routes.d.ts +13 -0
package/dist/auth/signup_routes.d.ts.map +1 -1
package/dist/auth/signup_routes.js +14 -7
package/dist/http/CLAUDE.md +584 -0
package/dist/http/pending_effects.d.ts +29 -0
package/dist/http/pending_effects.d.ts.map +1 -0
package/dist/http/pending_effects.js +31 -0
package/dist/http/route_spec.d.ts.map +1 -1
package/dist/http/route_spec.js +4 -3
package/dist/rate_limiter.d.ts +30 -0
package/dist/rate_limiter.d.ts.map +1 -1
package/dist/rate_limiter.js +25 -2
package/dist/realtime/sse_auth_guard.d.ts +2 -0
package/dist/realtime/sse_auth_guard.d.ts.map +1 -1
package/dist/realtime/sse_auth_guard.js +5 -3
package/dist/testing/CLAUDE.md +668 -1
package/dist/testing/admin_integration.d.ts +10 -7
package/dist/testing/admin_integration.d.ts.map +1 -1
package/dist/testing/admin_integration.js +382 -482
package/dist/testing/app_server.d.ts +7 -6
package/dist/testing/app_server.d.ts.map +1 -1
package/dist/testing/attack_surface.d.ts +9 -3
package/dist/testing/attack_surface.d.ts.map +1 -1
package/dist/testing/attack_surface.js +4 -4
package/dist/testing/audit_completeness.d.ts +6 -0
package/dist/testing/audit_completeness.d.ts.map +1 -1
package/dist/testing/audit_completeness.js +158 -134
package/dist/testing/auth_apps.d.ts.map +1 -1
package/dist/testing/auth_apps.js +4 -33
package/dist/testing/db.d.ts +1 -1
package/dist/testing/db.d.ts.map +1 -1
package/dist/testing/db.js +2 -0
package/dist/testing/entities.d.ts +35 -13
package/dist/testing/entities.d.ts.map +1 -1
package/dist/testing/entities.js +17 -0
package/dist/testing/integration.d.ts +10 -0
package/dist/testing/integration.d.ts.map +1 -1
package/dist/testing/integration.js +352 -340
package/dist/testing/integration_helpers.d.ts +16 -5
package/dist/testing/integration_helpers.d.ts.map +1 -1
package/dist/testing/integration_helpers.js +24 -4
package/dist/testing/rate_limiting.d.ts +7 -0
package/dist/testing/rate_limiting.d.ts.map +1 -1
package/dist/testing/rate_limiting.js +41 -10
package/dist/testing/rpc_helpers.d.ts +153 -1
package/dist/testing/rpc_helpers.d.ts.map +1 -1
package/dist/testing/rpc_helpers.js +184 -8
package/dist/testing/sse_round_trip.d.ts +8 -0
package/dist/testing/sse_round_trip.d.ts.map +1 -1
package/dist/testing/sse_round_trip.js +10 -3
package/dist/testing/standard.d.ts +9 -1
package/dist/testing/standard.d.ts.map +1 -1
package/dist/testing/standard.js +6 -2
package/dist/testing/surface_invariants.d.ts +7 -3
package/dist/testing/surface_invariants.d.ts.map +1 -1
package/dist/testing/surface_invariants.js +5 -4
package/dist/testing/ws_round_trip.d.ts.map +1 -1
package/dist/testing/ws_round_trip.js +9 -38
package/dist/ui/AccountSessions.svelte +8 -4
package/dist/ui/AccountSessions.svelte.d.ts.map +1 -1
package/dist/ui/AdminAccounts.svelte +61 -33
package/dist/ui/AdminAccounts.svelte.d.ts.map +1 -1
package/dist/ui/AdminAuditLog.svelte +3 -2
package/dist/ui/AdminAuditLog.svelte.d.ts.map +1 -1
package/dist/ui/AdminInvites.svelte +3 -2
package/dist/ui/AdminInvites.svelte.d.ts.map +1 -1
package/dist/ui/AdminOverview.svelte +14 -9
package/dist/ui/AdminOverview.svelte.d.ts.map +1 -1
package/dist/ui/AdminPermitHistory.svelte +3 -2
package/dist/ui/AdminPermitHistory.svelte.d.ts.map +1 -1
package/dist/ui/AdminSessions.svelte +29 -25
package/dist/ui/AdminSessions.svelte.d.ts.map +1 -1
package/dist/ui/CLAUDE.md +351 -0
package/dist/ui/OpenSignupToggle.svelte +6 -3
package/dist/ui/OpenSignupToggle.svelte.d.ts.map +1 -1
package/dist/ui/PermitOfferForm.svelte +141 -0
package/dist/ui/PermitOfferForm.svelte.d.ts +14 -0
package/dist/ui/PermitOfferForm.svelte.d.ts.map +1 -0
package/dist/ui/PermitOfferHistory.svelte +109 -0
package/dist/ui/PermitOfferHistory.svelte.d.ts +11 -0
package/dist/ui/PermitOfferHistory.svelte.d.ts.map +1 -0
package/dist/ui/PermitOfferInbox.svelte +121 -0
package/dist/ui/PermitOfferInbox.svelte.d.ts +12 -0
package/dist/ui/PermitOfferInbox.svelte.d.ts.map +1 -0
package/dist/ui/account_sessions_state.svelte.d.ts +53 -3
package/dist/ui/account_sessions_state.svelte.d.ts.map +1 -1
package/dist/ui/account_sessions_state.svelte.js +39 -16
package/dist/ui/admin_accounts_state.svelte.d.ts +118 -2
package/dist/ui/admin_accounts_state.svelte.d.ts.map +1 -1
package/dist/ui/admin_accounts_state.svelte.js +99 -23
package/dist/ui/admin_invites_state.svelte.d.ts +47 -1
package/dist/ui/admin_invites_state.svelte.d.ts.map +1 -1
package/dist/ui/admin_invites_state.svelte.js +38 -26
package/dist/ui/admin_sessions_state.svelte.d.ts +26 -0
package/dist/ui/admin_sessions_state.svelte.d.ts.map +1 -1
package/dist/ui/admin_sessions_state.svelte.js +35 -21
package/dist/ui/app_settings_state.svelte.d.ts +39 -0
package/dist/ui/app_settings_state.svelte.d.ts.map +1 -1
package/dist/ui/app_settings_state.svelte.js +34 -18
package/dist/ui/audit_log_state.svelte.d.ts +40 -3
package/dist/ui/audit_log_state.svelte.d.ts.map +1 -1
package/dist/ui/audit_log_state.svelte.js +36 -42
package/dist/ui/auth_state.svelte.d.ts +4 -3
package/dist/ui/auth_state.svelte.d.ts.map +1 -1
package/dist/ui/auth_state.svelte.js +4 -1
package/dist/ui/permit_offers_state.svelte.d.ts +125 -0
package/dist/ui/permit_offers_state.svelte.d.ts.map +1 -0
package/dist/ui/permit_offers_state.svelte.js +197 -0
package/package.json +3 -3
package/dist/auth/admin_routes.d.ts +0 -29
package/dist/auth/admin_routes.d.ts.map +0 -1
package/dist/auth/admin_routes.js +0 -226
package/dist/auth/app_settings_routes.d.ts +0 -27
package/dist/auth/app_settings_routes.d.ts.map +0 -1
package/dist/auth/app_settings_routes.js +0 -66
package/dist/auth/invite_routes.d.ts +0 -18
package/dist/auth/invite_routes.d.ts.map +0 -1
package/dist/auth/invite_routes.js +0 -129

package/dist/auth/api_token_queries.js CHANGED Viewed

@@ -94,9 +94,9 @@ export const query_api_token_list_for_account = async (deps, account_id) => {
  * Enforce a per-account token limit by evicting the oldest tokens.
  *
  * Race safety: this function must run inside a transaction alongside the
- * INSERT that created the new token. The caller (`POST /tokens/create`)
- * uses the default `transaction: true` (framework-managed transaction
- * wrapping in `apply_route_specs`), ensuring the INSERT + enforce_limit
+ * INSERT that created the new token. The caller (the `account_token_create`
+ * RPC handler) runs under the dispatcher's transaction path because the
+ * spec declares `side_effects: true`, ensuring the INSERT + enforce_limit
  * pair is atomic — concurrent token creation cannot interleave.
  *
  * @param deps - query dependencies (must be transaction-scoped)

package/dist/auth/app_settings_schema.d.ts CHANGED Viewed

@@ -6,24 +6,25 @@
  * @module
  */
 import { z } from 'zod';
+import { Uuid } from '../uuid.js';
 /** App settings row from the database. */
 export interface AppSettings {
     open_signup: boolean;
     updated_at: string | null;
-    updated_by: string | null;
+    updated_by: Uuid | null;
 }
 /** Zod schema for client-safe app settings data. */
 export declare const AppSettingsJson: z.ZodObject<{
     open_signup: z.ZodBoolean;
     updated_at: z.ZodNullable<z.ZodString>;
-    updated_by: z.ZodNullable<z.ZodString>;
+    updated_by: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
 }, z.core.$strict>;
 export type AppSettingsJson = z.infer<typeof AppSettingsJson>;
 /** Zod schema for admin app settings with resolved updater username. */
 export declare const AppSettingsWithUsernameJson: z.ZodObject<{
     open_signup: z.ZodBoolean;
     updated_at: z.ZodNullable<z.ZodString>;
-    updated_by: z.ZodNullable<z.ZodString>;
+    updated_by: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
     updated_by_username: z.ZodNullable<z.ZodString>;
 }, z.core.$strict>;
 export type AppSettingsWithUsernameJson = z.infer<typeof AppSettingsWithUsernameJson>;

package/dist/auth/app_settings_schema.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"app_settings_schema.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/app_settings_schema.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAEtB,0CAA0C;AAC1C,MAAM,WAAW,WAAW;IAC3B,WAAW,EAAE,OAAO,CAAC;IACrB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,UAAU,EAAE,~~MAAM~~,GAAG,IAAI,CAAC;~~CAC1B~~;AAED,oDAAoD;AACpD,eAAO,MAAM,eAAe;;;;kBAI1B,CAAC;AACH,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,eAAe,CAAC,CAAC;AAE9D,wEAAwE;AACxE,eAAO,MAAM,2BAA2B;;;;;kBAEtC,CAAC;AACH,MAAM,MAAM,2BAA2B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,2BAA2B,CAAC,CAAC;AAEtF,4CAA4C;AAC5C,eAAO,MAAM,sBAAsB;;kBAEjC,CAAC;AACH,MAAM,MAAM,sBAAsB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAC"}
1	+ {"version":3,"file":"app_settings_schema.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/app_settings_schema.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAEtB,OAAO,EAAC,IAAI,EAAC,MAAM,YAAY,CAAC;AAEhC,0CAA0C;AAC1C,MAAM,WAAW,WAAW;IAC3B,WAAW,EAAE,OAAO,CAAC;IACrB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,UAAU,EAAE,IAAI,GAAG,IAAI,CAAC;CACxB;AAED,oDAAoD;AACpD,eAAO,MAAM,eAAe;;;;kBAI1B,CAAC;AACH,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,eAAe,CAAC,CAAC;AAE9D,wEAAwE;AACxE,eAAO,MAAM,2BAA2B;;;;;kBAEtC,CAAC;AACH,MAAM,MAAM,2BAA2B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,2BAA2B,CAAC,CAAC;AAEtF,4CAA4C;AAC5C,eAAO,MAAM,sBAAsB;;kBAEjC,CAAC;AACH,MAAM,MAAM,sBAAsB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAC"}

package/dist/auth/app_settings_schema.js CHANGED Viewed

@@ -6,11 +6,12 @@
  * @module
  */
 import { z } from 'zod';
+import { Uuid } from '../uuid.js';
 /** Zod schema for client-safe app settings data. */
 export const AppSettingsJson = z.strictObject({
     open_signup: z.boolean(),
     updated_at: z.string().nullable(),
-    updated_by: z.string().nullable(),
+    updated_by: Uuid.nullable(),
 });
 /** Zod schema for admin app settings with resolved updater username. */
 export const AppSettingsWithUsernameJson = AppSettingsJson.extend({

package/dist/auth/audit_log_routes.d.ts CHANGED Viewed

@@ -1,8 +1,13 @@
 /**
- * Audit log and admin observability route specs.
+ * Audit log SSE stream route.
  *
- * All routes require admin role by default. Provides audit event listing,
- * permit history shortcut, and active session overview.
+ * The two list-reads (`audit_log_list`, `audit_log_permit_history`) moved to
+ * RPC in `admin_actions.ts`, and the admin session listing moved to
+ * `admin_session_list` on the same file. What remains here is the optional
+ * `GET /audit-log/stream` SSE route — streams aren't an action-kind, so they
+ * stay on REST. The event payload broadcast on the stream surfaces via
+ * `AUDIT_LOG_EVENT_SPECS` (one `EventSpec` per audit event type) declared
+ * alongside the broadcaster in `../realtime/sse_auth_guard.ts`.
  *
  * @module
  */
@@ -25,10 +30,13 @@ export interface AuditLogRouteOptions {
     };
 }
 /**
- * Create audit log and admin observability route specs.
+ * Create the optional audit-log SSE route spec.
  *
- * @param options - optional options with role override
- * @returns route specs for audit log and admin session management
+ * Returns an empty array when `options.stream` is not set — no REST routes
+ * live here apart from the stream.
+ *
+ * @param options - optional stream wiring + role override
+ * @returns the SSE route spec (when `options.stream` is provided) or an empty array
  */
 export declare const create_audit_log_route_specs: (options?: AuditLogRouteOptions) => Array<RouteSpec>;
 //# sourceMappingURL=audit_log_routes.d.ts.map

package/dist/auth/audit_log_routes.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"audit_log_routes.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/audit_log_routes.ts"],"names":[],"mappings":"AAAA~~;;;;;;;GAOG~~;AAGH,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;~~AAQpD~~,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,uBAAuB,CAAC;~~AAQrD~~,OAAO,EAAsB,KAAK,SAAS,EAAE,KAAK,eAAe,EAAC,MAAM,oBAAoB,CAAC;AAC7F,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,oCAAoC,CAAC;~~AAUzE~~,yCAAyC;AACzC,MAAM,WAAW,oBAAoB;IACpC,+DAA+D;IAC/D,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB;;;;OAIG;IACH,MAAM,CAAC,EAAE;QACR,SAAS,EAAE,CAAC,MAAM,EAAE,SAAS,CAAC,eAAe,CAAC,EAAE,OAAO,CAAC,EAAE,gBAAgB,KAAK,MAAM,IAAI,CAAC;QAC1F,GAAG,EAAE,MAAM,CAAC;KACZ,CAAC;CACF;AAED~~;;;;;GAKG~~;AACH,eAAO,MAAM,4BAA4B,GAAI,UAAU,oBAAoB,KAAG,KAAK,CAAC,SAAS,~~CAgG5F~~,CAAC"}
1	+ {"version":3,"file":"audit_log_routes.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/audit_log_routes.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAGH,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAEpD,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,uBAAuB,CAAC;AACrD,OAAO,EAAsB,KAAK,SAAS,EAAE,KAAK,eAAe,EAAC,MAAM,oBAAoB,CAAC;AAC7F,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,oCAAoC,CAAC;AAIzE,yCAAyC;AACzC,MAAM,WAAW,oBAAoB;IACpC,+DAA+D;IAC/D,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB;;;;OAIG;IACH,MAAM,CAAC,EAAE;QACR,SAAS,EAAE,CAAC,MAAM,EAAE,SAAS,CAAC,eAAe,CAAC,EAAE,OAAO,CAAC,EAAE,gBAAgB,KAAK,MAAM,IAAI,CAAC;QAC1F,GAAG,EAAE,MAAM,CAAC;KACZ,CAAC;CACF;AAED;;;;;;;;GAQG;AACH,eAAO,MAAM,4BAA4B,GAAI,UAAU,oBAAoB,KAAG,KAAK,CAAC,SAAS,CAgC5F,CAAC"}

package/dist/auth/audit_log_routes.js CHANGED Viewed

@@ -1,92 +1,36 @@
 /**
- * Audit log and admin observability route specs.
+ * Audit log SSE stream route.
  *
- * All routes require admin role by default. Provides audit event listing,
- * permit history shortcut, and active session overview.
+ * The two list-reads (`audit_log_list`, `audit_log_permit_history`) moved to
+ * RPC in `admin_actions.ts`, and the admin session listing moved to
+ * `admin_session_list` on the same file. What remains here is the optional
+ * `GET /audit-log/stream` SSE route — streams aren't an action-kind, so they
+ * stay on REST. The event payload broadcast on the stream surfaces via
+ * `AUDIT_LOG_EVENT_SPECS` (one `EventSpec` per audit event type) declared
+ * alongside the broadcaster in `../realtime/sse_auth_guard.ts`.
  *
  * @module
  */
 import { z } from 'zod';
-import { AuditLogEventWithUsernamesJson, AdminSessionJson, AuditEventType, PermitHistoryEventJson, } from './audit_log_schema.js';
-import { AUDIT_LOG_DEFAULT_LIMIT, query_audit_log_list_with_usernames, query_audit_log_list_permit_history, } from './audit_log_queries.js';
-import { query_session_list_all_active } from './session_queries.js';
-import { ERROR_INVALID_EVENT_TYPE } from '../http/error_schemas.js';
 import { create_sse_response } from '../realtime/sse.js';
 import { AUTH_SESSION_TOKEN_HASH_KEY, require_request_context } from './request_context.js';
-// TODO upstream to fuz_util
-/** Parse a string to an integer, returning `undefined` for non-numeric input (including `NaN`). */
-const parse_int_or_undefined = (value) => {
-    const n = parseInt(value, 10);
-    return Number.isFinite(n) ? n : undefined;
-};
+import { AUDIT_LOG_CHANNEL } from '../realtime/sse_auth_guard.js';
 /**
- * Create audit log and admin observability route specs.
+ * Create the optional audit-log SSE route spec.
+ *
+ * Returns an empty array when `options.stream` is not set — no REST routes
+ * live here apart from the stream.
  *
- * @param options - optional options with role override
- * @returns route specs for audit log and admin session management
+ * @param options - optional stream wiring + role override
+ * @returns the SSE route spec (when `options.stream` is provided) or an empty array
  */
 export const create_audit_log_route_specs = (options) => {
     const role = options?.required_role ?? 'admin';
-    const routes = [
-        {
-            method: 'GET',
-            path: '/audit-log',
-            auth: { type: 'role', role },
-            description: 'List audit log events with optional filters',
-            input: z.null(),
-            output: z.strictObject({ events: z.array(AuditLogEventWithUsernamesJson) }),
-            errors: { 400: z.looseObject({ error: z.literal(ERROR_INVALID_EVENT_TYPE) }) },
-            handler: async (c, route) => {
-                const raw_event_type = c.req.query('event_type') || undefined;
-                if (raw_event_type && !AuditEventType.safeParse(raw_event_type).success) {
-                    return c.json({ error: ERROR_INVALID_EVENT_TYPE }, 400);
-                }
-                const event_type = raw_event_type;
-                const account_id = c.req.query('account_id') || undefined;
-                const limit = Math.max(1, Math.min(200, parseInt(c.req.query('limit') ?? '', 10) || AUDIT_LOG_DEFAULT_LIMIT));
-                const offset = Math.max(0, parseInt(c.req.query('offset') ?? '', 10) || 0);
-                const raw_since_seq = c.req.query('since_seq');
-                const since_seq = raw_since_seq != null ? parse_int_or_undefined(raw_since_seq) : undefined;
-                const events = await query_audit_log_list_with_usernames(route, {
-                    event_type,
-                    account_id,
-                    limit,
-                    offset,
-                    since_seq,
-                });
-                return c.json({ events });
-            },
-        },
+    if (!options?.stream)
+        return [];
+    const { subscribe, log } = options.stream;
+    return [
         {
-            method: 'GET',
-            path: '/audit-log/permit-history',
-            auth: { type: 'role', role },
-            description: 'List permit grant and revoke events with usernames',
-            input: z.null(),
-            output: z.strictObject({ events: z.array(PermitHistoryEventJson) }),
-            handler: async (c, route) => {
-                const limit = Math.max(1, Math.min(200, parseInt(c.req.query('limit') ?? '', 10) || AUDIT_LOG_DEFAULT_LIMIT));
-                const offset = Math.max(0, parseInt(c.req.query('offset') ?? '', 10) || 0);
-                const events = await query_audit_log_list_permit_history(route, limit, offset);
-                return c.json({ events });
-            },
-        },
-        {
-            method: 'GET',
-            path: '/sessions',
-            auth: { type: 'role', role },
-            description: 'List all active sessions across all accounts',
-            input: z.null(),
-            output: z.strictObject({ sessions: z.array(AdminSessionJson) }),
-            handler: async (c, route) => {
-                const sessions = await query_session_list_all_active(route);
-                return c.json({ sessions });
-            },
-        },
-    ];
-    if (options?.stream) {
-        const { subscribe, log } = options.stream;
-        routes.push({
             method: 'GET',
             path: '/audit-log/stream',
             auth: { type: 'role', role },
@@ -102,14 +46,13 @@ export const create_audit_log_route_specs = (options) => {
                 const token_hash = c.get(AUTH_SESSION_TOKEN_HASH_KEY) ?? null;
                 const { response, stream } = create_sse_response(c, log);
                 const unsubscribe = subscribe(stream, {
-                    channels: ['audit_log'],
+                    channels: [AUDIT_LOG_CHANNEL],
                     scope: token_hash ?? undefined,
                     groups: [ctx.account.id],
                 });
                 stream.on_close(unsubscribe);
                 return response;
             },
-        });
-    }
-    return routes;
+        },
+    ];
 };

package/dist/auth/audit_log_schema.d.ts CHANGED Viewed

@@ -7,8 +7,9 @@
  * @module
  */
 import { z } from 'zod';
+import { Uuid } from '../uuid.js';
 /** All tracked auth event types. */
-export declare const AUDIT_EVENT_TYPES: readonly ["login", "logout", "bootstrap", "signup", "password_change", "session_revoke", "session_revoke_all", "token_create", "token_revoke", "token_revoke_all", "permit_grant", "permit_revoke", "invite_create", "invite_delete", "app_settings_update"];
+export declare const AUDIT_EVENT_TYPES: readonly ["login", "logout", "bootstrap", "signup", "password_change", "session_revoke", "session_revoke_all", "token_create", "token_revoke", "token_revoke_all", "permit_grant", "permit_revoke", "permit_offer_create", "permit_offer_accept", "permit_offer_decline", "permit_offer_retract", "permit_offer_expire", "permit_offer_supersede", "invite_create", "invite_delete", "app_settings_update"];
 /** Zod schema for audit event types. */
 export declare const AuditEventType: z.ZodEnum<{
     login: "login";
@@ -23,6 +24,12 @@ export declare const AuditEventType: z.ZodEnum<{
     token_revoke_all: "token_revoke_all";
     permit_grant: "permit_grant";
     permit_revoke: "permit_revoke";
+    permit_offer_create: "permit_offer_create";
+    permit_offer_accept: "permit_offer_accept";
+    permit_offer_decline: "permit_offer_decline";
+    permit_offer_retract: "permit_offer_retract";
+    permit_offer_expire: "permit_offer_expire";
+    permit_offer_supersede: "permit_offer_supersede";
     invite_create: "invite_create";
     invite_delete: "invite_delete";
     app_settings_update: "app_settings_update";
@@ -51,7 +58,7 @@ export declare const AUDIT_METADATA_SCHEMAS: {
     }, z.core.$loose>>;
     signup: z.ZodObject<{
         username: z.ZodString;
-        invite_id: z.ZodOptional<z.ZodString>;
+        invite_id: z.ZodOptional<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
         open_signup: z.ZodOptional<z.ZodBoolean>;
     }, z.core.$loose>;
     password_change: z.ZodNullable<z.ZodObject<{
@@ -61,7 +68,9 @@ export declare const AUDIT_METADATA_SCHEMAS: {
         session_id: z.ZodString;
     }, z.core.$loose>;
     session_revoke_all: z.ZodObject<{
-        count: z.ZodNumber;
+        count: z.ZodOptional<z.ZodNumber>;
+        reason: z.ZodOptional<z.ZodString>;
+        attempted_account_id: z.ZodOptional<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
     }, z.core.$loose>;
     token_create: z.ZodObject<{
         token_id: z.ZodString;
@@ -71,23 +80,67 @@ export declare const AUDIT_METADATA_SCHEMAS: {
         token_id: z.ZodString;
     }, z.core.$loose>;
     token_revoke_all: z.ZodObject<{
-        count: z.ZodNumber;
+        count: z.ZodOptional<z.ZodNumber>;
+        reason: z.ZodOptional<z.ZodString>;
+        attempted_account_id: z.ZodOptional<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
     }, z.core.$loose>;
     permit_grant: z.ZodObject<{
         role: z.ZodString;
-        permit_id: z.ZodOptional<z.ZodString>;
+        permit_id: z.ZodOptional<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+        scope_id: z.ZodOptional<z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>>;
+        source_offer_id: z.ZodOptional<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
     }, z.core.$loose>;
     permit_revoke: z.ZodObject<{
         role: z.ZodString;
-        permit_id: z.ZodString;
+        permit_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+        scope_id: z.ZodOptional<z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>>;
+        reason: z.ZodOptional<z.ZodString>;
+    }, z.core.$loose>;
+    permit_offer_create: z.ZodObject<{
+        offer_id: z.ZodOptional<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+        role: z.ZodString;
+        scope_id: z.ZodOptional<z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>>;
+        to_account_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+    }, z.core.$loose>;
+    permit_offer_accept: z.ZodObject<{
+        offer_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+        permit_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+        role: z.ZodString;
+        scope_id: z.ZodOptional<z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>>;
+    }, z.core.$loose>;
+    permit_offer_decline: z.ZodObject<{
+        offer_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+        role: z.ZodString;
+        scope_id: z.ZodOptional<z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>>;
+        reason: z.ZodOptional<z.ZodString>;
+    }, z.core.$loose>;
+    permit_offer_retract: z.ZodObject<{
+        offer_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+        role: z.ZodString;
+        scope_id: z.ZodOptional<z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>>;
+    }, z.core.$loose>;
+    permit_offer_expire: z.ZodObject<{
+        offer_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+        role: z.ZodString;
+        scope_id: z.ZodOptional<z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>>;
+    }, z.core.$loose>;
+    permit_offer_supersede: z.ZodObject<{
+        offer_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+        role: z.ZodString;
+        scope_id: z.ZodOptional<z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>>;
+        reason: z.ZodEnum<{
+            sibling_accepted: "sibling_accepted";
+            permit_revoked: "permit_revoked";
+        }>;
+        cause_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
     }, z.core.$loose>;
     invite_create: z.ZodObject<{
-        invite_id: z.ZodString;
+        invite_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
         email: z.ZodNullable<z.ZodString>;
         username: z.ZodNullable<z.ZodString>;
     }, z.core.$loose>;
     invite_delete: z.ZodObject<{
-        invite_id: z.ZodString;
+        invite_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
     }, z.core.$loose>;
     app_settings_update: z.ZodObject<{
         setting: z.ZodString;
@@ -101,13 +154,13 @@ export type AuditMetadataMap = {
 };
 /** Audit log row from the database. */
 export interface AuditLogEvent {
-    id: string;
+    id: Uuid;
     seq: number;
     event_type: AuditEventType;
     outcome: AuditOutcome;
-    actor_id: string | null;
-    account_id: string | null;
-    target_account_id: string | null;
+    actor_id: Uuid | null;
+    account_id: Uuid | null;
+    target_account_id: Uuid | null;
     ip: string | null;
     created_at: string;
     metadata: Record<string, unknown> | null;
@@ -124,9 +177,9 @@ export declare const get_audit_metadata: <T extends AuditEventType>(event: Audit
 export interface AuditLogInput<T extends AuditEventType = AuditEventType> {
     event_type: T;
     outcome?: AuditOutcome;
-    actor_id?: string | null;
-    account_id?: string | null;
-    target_account_id?: string | null;
+    actor_id?: Uuid | null;
+    account_id?: Uuid | null;
+    target_account_id?: Uuid | null;
     ip?: string | null;
     metadata?: (AuditMetadataMap[T] & Record<string, unknown>) | null;
 }
@@ -136,14 +189,14 @@ export interface AuditLogListOptions {
     offset?: number;
     event_type?: AuditEventType;
     event_type_in?: Array<AuditEventType>;
-    account_id?: string;
+    account_id?: Uuid;
     outcome?: AuditOutcome;
     /** When set, only return events with `seq` greater than this value. Enables SSE reconnection gap fill. */
     since_seq?: number;
 }
 /** Zod schema for client-safe audit log event. */
 export declare const AuditLogEventJson: z.ZodObject<{
-    id: z.ZodString;
+    id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
     seq: z.ZodNumber;
     event_type: z.ZodEnum<{
         login: "login";
@@ -158,6 +211,12 @@ export declare const AuditLogEventJson: z.ZodObject<{
         token_revoke_all: "token_revoke_all";
         permit_grant: "permit_grant";
         permit_revoke: "permit_revoke";
+        permit_offer_create: "permit_offer_create";
+        permit_offer_accept: "permit_offer_accept";
+        permit_offer_decline: "permit_offer_decline";
+        permit_offer_retract: "permit_offer_retract";
+        permit_offer_expire: "permit_offer_expire";
+        permit_offer_supersede: "permit_offer_supersede";
         invite_create: "invite_create";
         invite_delete: "invite_delete";
         app_settings_update: "app_settings_update";
@@ -166,9 +225,9 @@ export declare const AuditLogEventJson: z.ZodObject<{
         success: "success";
         failure: "failure";
     }>;
-    actor_id: z.ZodNullable<z.ZodString>;
-    account_id: z.ZodNullable<z.ZodString>;
-    target_account_id: z.ZodNullable<z.ZodString>;
+    actor_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+    account_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+    target_account_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
     ip: z.ZodNullable<z.ZodString>;
     created_at: z.ZodString;
     metadata: z.ZodNullable<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
@@ -176,7 +235,7 @@ export declare const AuditLogEventJson: z.ZodObject<{
 export type AuditLogEventJson = z.infer<typeof AuditLogEventJson>;
 /** Zod schema for audit log events with resolved usernames. */
 export declare const AuditLogEventWithUsernamesJson: z.ZodObject<{
-    id: z.ZodString;
+    id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
     seq: z.ZodNumber;
     event_type: z.ZodEnum<{
         login: "login";
@@ -191,6 +250,12 @@ export declare const AuditLogEventWithUsernamesJson: z.ZodObject<{
         token_revoke_all: "token_revoke_all";
         permit_grant: "permit_grant";
         permit_revoke: "permit_revoke";
+        permit_offer_create: "permit_offer_create";
+        permit_offer_accept: "permit_offer_accept";
+        permit_offer_decline: "permit_offer_decline";
+        permit_offer_retract: "permit_offer_retract";
+        permit_offer_expire: "permit_offer_expire";
+        permit_offer_supersede: "permit_offer_supersede";
         invite_create: "invite_create";
         invite_delete: "invite_delete";
         app_settings_update: "app_settings_update";
@@ -199,9 +264,9 @@ export declare const AuditLogEventWithUsernamesJson: z.ZodObject<{
         success: "success";
         failure: "failure";
     }>;
-    actor_id: z.ZodNullable<z.ZodString>;
-    account_id: z.ZodNullable<z.ZodString>;
-    target_account_id: z.ZodNullable<z.ZodString>;
+    actor_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+    account_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+    target_account_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
     ip: z.ZodNullable<z.ZodString>;
     created_at: z.ZodString;
     metadata: z.ZodNullable<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
@@ -211,7 +276,7 @@ export declare const AuditLogEventWithUsernamesJson: z.ZodObject<{
 export type AuditLogEventWithUsernamesJson = z.infer<typeof AuditLogEventWithUsernamesJson>;
 /** Zod schema for permit history events with resolved usernames. */
 export declare const PermitHistoryEventJson: z.ZodObject<{
-    id: z.ZodString;
+    id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
     seq: z.ZodNumber;
     event_type: z.ZodEnum<{
         login: "login";
@@ -226,6 +291,12 @@ export declare const PermitHistoryEventJson: z.ZodObject<{
         token_revoke_all: "token_revoke_all";
         permit_grant: "permit_grant";
         permit_revoke: "permit_revoke";
+        permit_offer_create: "permit_offer_create";
+        permit_offer_accept: "permit_offer_accept";
+        permit_offer_decline: "permit_offer_decline";
+        permit_offer_retract: "permit_offer_retract";
+        permit_offer_expire: "permit_offer_expire";
+        permit_offer_supersede: "permit_offer_supersede";
         invite_create: "invite_create";
         invite_delete: "invite_delete";
         app_settings_update: "app_settings_update";
@@ -234,9 +305,9 @@ export declare const PermitHistoryEventJson: z.ZodObject<{
         success: "success";
         failure: "failure";
     }>;
-    actor_id: z.ZodNullable<z.ZodString>;
-    account_id: z.ZodNullable<z.ZodString>;
-    target_account_id: z.ZodNullable<z.ZodString>;
+    actor_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+    account_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+    target_account_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
     ip: z.ZodNullable<z.ZodString>;
     created_at: z.ZodString;
     metadata: z.ZodNullable<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
@@ -247,7 +318,7 @@ export type PermitHistoryEventJson = z.infer<typeof PermitHistoryEventJson>;
 /** Zod schema for admin session listing (session + username). */
 export declare const AdminSessionJson: z.ZodObject<{
     id: z.ZodString;
-    account_id: z.ZodString;
+    account_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
     created_at: z.ZodString;
     expires_at: z.ZodString;
     last_seen_at: z.ZodString;

package/dist/auth/audit_log_schema.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"audit_log_schema.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/audit_log_schema.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;~~AAItB~~,oCAAoC;AACpC,eAAO,MAAM,iBAAiB,~~8PAgBpB~~,CAAC;AAEX,wCAAwC;AACxC,eAAO,MAAM,cAAc~~;;;;;;;;;;;;;;;;~~EAA4B,CAAC;AACxD,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,cAAc,CAAC,CAAC;AAE5D,2CAA2C;AAC3C,eAAO,MAAM,YAAY;;;EAAiC,CAAC;AAC3D,MAAM,MAAM,YAAY,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,YAAY,CAAC,CAAC;AAExD;;;;;;GAMG;AACH,eAAO,MAAM,sBAAsB~~;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CA8BU~~,CAAC;AAE9C,+EAA+E;AAC/E,MAAM,MAAM,gBAAgB,GAAG;KAC7B,CAAC,IAAI,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,OAAO,sBAAsB,CAAC,CAAC,CAAC,CAAC,CAAC;CAClE,CAAC;AAEF,uCAAuC;AACvC,MAAM,WAAW,aAAa;IAC7B,EAAE,EAAE,~~MAAM~~,CAAC;~~IACX~~,GAAG,EAAE,MAAM,CAAC;IACZ,UAAU,EAAE,cAAc,CAAC;IAC3B,OAAO,EAAE,YAAY,CAAC;IACtB,QAAQ,EAAE,~~MAAM~~,GAAG,IAAI,CAAC;~~IACxB~~,UAAU,EAAE,~~MAAM~~,GAAG,IAAI,CAAC;~~IAC1B~~,iBAAiB,EAAE,~~MAAM~~,GAAG,IAAI,CAAC;~~IACjC~~,EAAE,EAAE,MAAM,GAAG,IAAI,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC;CACzC;AAED;;;;GAIG;AACH,eAAO,MAAM,kBAAkB,GAAI,CAAC,SAAS,cAAc,EAC1D,OAAO,aAAa,GAAG;IAAC,UAAU,EAAE,CAAC,CAAA;CAAC,KACpC,gBAAgB,CAAC,CAAC,CAAC,GAAG,IAExB,CAAC;AAEF,6CAA6C;AAC7C,MAAM,WAAW,aAAa,CAAC,CAAC,SAAS,cAAc,GAAG,cAAc;IACvE,UAAU,EAAE,CAAC,CAAC;IACd,OAAO,CAAC,EAAE,YAAY,CAAC;IACvB,QAAQ,CAAC,EAAE,~~MAAM~~,GAAG,IAAI,CAAC;~~IACzB~~,UAAU,CAAC,EAAE,~~MAAM~~,GAAG,IAAI,CAAC;~~IAC3B~~,iBAAiB,CAAC,EAAE,~~MAAM~~,GAAG,IAAI,CAAC;~~IAClC~~,EAAE,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACnB,QAAQ,CAAC,EAAE,CAAC,gBAAgB,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,GAAG,IAAI,CAAC;CAClE;AAED,6CAA6C;AAC7C,MAAM,WAAW,mBAAmB;IACnC,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,UAAU,CAAC,EAAE,cAAc,CAAC;IAC5B,aAAa,CAAC,EAAE,KAAK,CAAC,cAAc,CAAC,CAAC;IACtC,UAAU,CAAC,EAAE,~~MAAM~~,CAAC;~~IACpB~~,OAAO,CAAC,EAAE,YAAY,CAAC;IACvB,0GAA0G;IAC1G,SAAS,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,kDAAkD;AAClD,eAAO,MAAM,iBAAiB~~;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;~~kBAW5B,CAAC;AACH,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAC;AAElE,+DAA+D;AAC/D,eAAO,MAAM,8BAA8B~~;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;~~kBAGzC,CAAC;AACH,MAAM,MAAM,8BAA8B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,8BAA8B,CAAC,CAAC;AAE5F,oEAAoE;AACpE,eAAO,MAAM,sBAAsB~~;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;~~kBAGjC,CAAC;AACH,MAAM,MAAM,sBAAsB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAC;AAE5E,iEAAiE;AACjE,eAAO,MAAM,gBAAgB;;;;;;;kBAE3B,CAAC;AACH,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC;AAIhE,eAAO,MAAM,gBAAgB,gdAY3B,CAAC;AAEH,eAAO,MAAM,iBAAiB,UAK7B,CAAC"}
1	+ {"version":3,"file":"audit_log_schema.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/audit_log_schema.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAEtB,OAAO,EAAC,IAAI,EAAC,MAAM,YAAY,CAAC;AAGhC,oCAAoC;AACpC,eAAO,MAAM,iBAAiB,6YAsBpB,CAAC;AAEX,wCAAwC;AACxC,eAAO,MAAM,cAAc;;;;;;;;;;;;;;;;;;;;;;EAA4B,CAAC;AACxD,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,cAAc,CAAC,CAAC;AAE5D,2CAA2C;AAC3C,eAAO,MAAM,YAAY;;;EAAiC,CAAC;AAC3D,MAAM,MAAM,YAAY,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,YAAY,CAAC,CAAC;AAExD;;;;;;GAMG;AACH,eAAO,MAAM,sBAAsB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CA+FU,CAAC;AAE9C,+EAA+E;AAC/E,MAAM,MAAM,gBAAgB,GAAG;KAC7B,CAAC,IAAI,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,OAAO,sBAAsB,CAAC,CAAC,CAAC,CAAC,CAAC;CAClE,CAAC;AAEF,uCAAuC;AACvC,MAAM,WAAW,aAAa;IAC7B,EAAE,EAAE,IAAI,CAAC;IACT,GAAG,EAAE,MAAM,CAAC;IACZ,UAAU,EAAE,cAAc,CAAC;IAC3B,OAAO,EAAE,YAAY,CAAC;IACtB,QAAQ,EAAE,IAAI,GAAG,IAAI,CAAC;IACtB,UAAU,EAAE,IAAI,GAAG,IAAI,CAAC;IACxB,iBAAiB,EAAE,IAAI,GAAG,IAAI,CAAC;IAC/B,EAAE,EAAE,MAAM,GAAG,IAAI,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC;CACzC;AAED;;;;GAIG;AACH,eAAO,MAAM,kBAAkB,GAAI,CAAC,SAAS,cAAc,EAC1D,OAAO,aAAa,GAAG;IAAC,UAAU,EAAE,CAAC,CAAA;CAAC,KACpC,gBAAgB,CAAC,CAAC,CAAC,GAAG,IAExB,CAAC;AAEF,6CAA6C;AAC7C,MAAM,WAAW,aAAa,CAAC,CAAC,SAAS,cAAc,GAAG,cAAc;IACvE,UAAU,EAAE,CAAC,CAAC;IACd,OAAO,CAAC,EAAE,YAAY,CAAC;IACvB,QAAQ,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;IACvB,UAAU,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;IACzB,iBAAiB,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;IAChC,EAAE,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACnB,QAAQ,CAAC,EAAE,CAAC,gBAAgB,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,GAAG,IAAI,CAAC;CAClE;AAED,6CAA6C;AAC7C,MAAM,WAAW,mBAAmB;IACnC,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,UAAU,CAAC,EAAE,cAAc,CAAC;IAC5B,aAAa,CAAC,EAAE,KAAK,CAAC,cAAc,CAAC,CAAC;IACtC,UAAU,CAAC,EAAE,IAAI,CAAC;IAClB,OAAO,CAAC,EAAE,YAAY,CAAC;IACvB,0GAA0G;IAC1G,SAAS,CAAC,EAAE,MAAM,CAAC;CACnB;AAED,kDAAkD;AAClD,eAAO,MAAM,iBAAiB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;kBAW5B,CAAC;AACH,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAC;AAElE,+DAA+D;AAC/D,eAAO,MAAM,8BAA8B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;kBAGzC,CAAC;AACH,MAAM,MAAM,8BAA8B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,8BAA8B,CAAC,CAAC;AAE5F,oEAAoE;AACpE,eAAO,MAAM,sBAAsB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;kBAGjC,CAAC;AACH,MAAM,MAAM,sBAAsB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAC;AAE5E,iEAAiE;AACjE,eAAO,MAAM,gBAAgB;;;;;;;kBAE3B,CAAC;AACH,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC;AAIhE,eAAO,MAAM,gBAAgB,gdAY3B,CAAC;AAEH,eAAO,MAAM,iBAAiB,UAK7B,CAAC"}

package/dist/auth/audit_log_schema.js CHANGED Viewed

@@ -7,6 +7,7 @@
  * @module
  */
 import { z } from 'zod';
+import { Uuid } from '../uuid.js';
 import { AuthSessionJson } from './account_schema.js';
 /** All tracked auth event types. */
 export const AUDIT_EVENT_TYPES = [
@@ -22,6 +23,12 @@ export const AUDIT_EVENT_TYPES = [
     'token_revoke_all',
     'permit_grant',
     'permit_revoke',
+    'permit_offer_create',
+    'permit_offer_accept',
+    'permit_offer_decline',
+    'permit_offer_retract',
+    'permit_offer_expire',
+    'permit_offer_supersede',
     'invite_create',
     'invite_delete',
     'app_settings_update',
@@ -43,25 +50,90 @@ export const AUDIT_METADATA_SCHEMAS = {
     bootstrap: z.looseObject({ error: z.string() }).nullable(),
     signup: z.looseObject({
         username: z.string(),
-        invite_id: z.string().optional(),
+        invite_id: Uuid.optional(),
         open_signup: z.boolean().optional(),
     }),
     password_change: z.looseObject({ sessions_revoked: z.number() }).nullable(),
     session_revoke: z.looseObject({ session_id: z.string() }),
-    session_revoke_all: z.looseObject({ count: z.number() }),
+    session_revoke_all: z.looseObject({
+        // Omitted on `outcome='failure'` (no revocation attempted — e.g. target
+        // account not found); `reason` carries the failure category, and
+        // `attempted_account_id` preserves the probed id (the `target_account_id`
+        // column is null in that case because it's a FK to `account`).
+        count: z.number().optional(),
+        reason: z.string().optional(),
+        attempted_account_id: Uuid.optional(),
+    }),
     token_create: z.looseObject({ token_id: z.string(), name: z.string() }),
     token_revoke: z.looseObject({ token_id: z.string() }),
-    token_revoke_all: z.looseObject({ count: z.number() }),
+    token_revoke_all: z.looseObject({
+        // Same shape as `session_revoke_all` for failures.
+        count: z.number().optional(),
+        reason: z.string().optional(),
+        attempted_account_id: Uuid.optional(),
+    }),
     // `permit_id` is optional on `permit_grant` because failed grants
     // (e.g. `web_grantable` denied) never produce a permit row.
-    permit_grant: z.looseObject({ role: z.string(), permit_id: z.string().optional() }),
-    permit_revoke: z.looseObject({ role: z.string(), permit_id: z.string() }),
+    permit_grant: z.looseObject({
+        role: z.string(),
+        permit_id: Uuid.optional(),
+        scope_id: Uuid.nullish(),
+        source_offer_id: Uuid.optional(),
+    }),
+    permit_revoke: z.looseObject({
+        role: z.string(),
+        permit_id: Uuid,
+        scope_id: Uuid.nullish(),
+        reason: z.string().optional(),
+    }),
+    // `offer_id` is optional because failed creates (e.g. `web_grantable`
+    // denied, `authorize` callback denied) never produce an offer row.
+    permit_offer_create: z.looseObject({
+        offer_id: Uuid.optional(),
+        role: z.string(),
+        scope_id: Uuid.nullish(),
+        to_account_id: Uuid,
+    }),
+    // `permit_grant` is emitted alongside on accept — two events per accept by
+    // design: offer-lifecycle audit + permit-lifecycle audit.
+    permit_offer_accept: z.looseObject({
+        offer_id: Uuid,
+        permit_id: Uuid,
+        role: z.string(),
+        scope_id: Uuid.nullish(),
+    }),
+    permit_offer_decline: z.looseObject({
+        offer_id: Uuid,
+        role: z.string(),
+        scope_id: Uuid.nullish(),
+        reason: z.string().optional(),
+    }),
+    permit_offer_retract: z.looseObject({
+        offer_id: Uuid,
+        role: z.string(),
+        scope_id: Uuid.nullish(),
+    }),
+    permit_offer_expire: z.looseObject({
+        offer_id: Uuid,
+        role: z.string(),
+        scope_id: Uuid.nullish(),
+    }),
+    // Emitted when an offer is obsoleted by an external event. `reason`
+    // distinguishes the trigger; `cause_id` points to the accepted offer
+    // (for `sibling_accepted`) or the revoked permit (for `permit_revoked`).
+    permit_offer_supersede: z.looseObject({
+        offer_id: Uuid,
+        role: z.string(),
+        scope_id: Uuid.nullish(),
+        reason: z.enum(['sibling_accepted', 'permit_revoked']),
+        cause_id: Uuid,
+    }),
     invite_create: z.looseObject({
-        invite_id: z.string(),
+        invite_id: Uuid,
         email: z.string().nullable(),
         username: z.string().nullable(),
     }),
-    invite_delete: z.looseObject({ invite_id: z.string() }),
+    invite_delete: z.looseObject({ invite_id: Uuid }),
     app_settings_update: z.looseObject({
         setting: z.string(),
         old_value: z.unknown(),
@@ -78,13 +150,13 @@ export const get_audit_metadata = (event) => {
 };
 /** Zod schema for client-safe audit log event. */
 export const AuditLogEventJson = z.strictObject({
-    id: z.string(),
+    id: Uuid,
     seq: z.number().int(),
     event_type: AuditEventType,
     outcome: AuditOutcome,
-    actor_id: z.string().nullable(),
-    account_id: z.string().nullable(),
-    target_account_id: z.string().nullable(),
+    actor_id: Uuid.nullable(),
+    account_id: Uuid.nullable(),
+    target_account_id: Uuid.nullable(),
     ip: z.string().nullable(),
     created_at: z.string(),
     metadata: z.record(z.string(), z.unknown()).nullable(),