npm - @fuzdev/fuz_app - Versions diffs - 0.30.0 → 0.32.0 - Mend

@fuzdev/fuz_app 0.30.0 → 0.32.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (222) hide show

package/dist/actions/CLAUDE.md +630 -0
package/dist/actions/action_rpc.d.ts +29 -0
package/dist/actions/action_rpc.d.ts.map +1 -1
package/dist/actions/action_rpc.js +42 -6
package/dist/actions/action_types.d.ts +2 -2
package/dist/actions/cancel.d.ts +12 -13
package/dist/actions/cancel.d.ts.map +1 -1
package/dist/actions/cancel.js +10 -13
package/dist/actions/heartbeat.d.ts +8 -13
package/dist/actions/heartbeat.d.ts.map +1 -1
package/dist/actions/heartbeat.js +5 -8
package/dist/actions/register_action_ws.d.ts +3 -3
package/dist/actions/register_action_ws.js +2 -2
package/dist/actions/register_ws_endpoint.d.ts +4 -4
package/dist/actions/register_ws_endpoint.d.ts.map +1 -1
package/dist/actions/register_ws_endpoint.js +3 -3
package/dist/actions/rpc_client.d.ts +29 -0
package/dist/actions/rpc_client.d.ts.map +1 -1
package/dist/actions/rpc_client.js +31 -0
package/dist/actions/socket.svelte.d.ts +16 -16
package/dist/actions/socket.svelte.d.ts.map +1 -1
package/dist/actions/socket.svelte.js +15 -15
package/dist/actions/transports_ws_auth_guard.d.ts.map +1 -1
package/dist/auth/CLAUDE.md +945 -0
package/dist/auth/account_action_specs.d.ts +216 -0
package/dist/auth/account_action_specs.d.ts.map +1 -0
package/dist/auth/account_action_specs.js +159 -0
package/dist/auth/account_actions.d.ts +51 -0
package/dist/auth/account_actions.d.ts.map +1 -0
package/dist/auth/account_actions.js +119 -0
package/dist/auth/account_queries.d.ts +6 -2
package/dist/auth/account_queries.d.ts.map +1 -1
package/dist/auth/account_queries.js +40 -4
package/dist/auth/account_routes.d.ts +94 -16
package/dist/auth/account_routes.d.ts.map +1 -1
package/dist/auth/account_routes.js +108 -180
package/dist/auth/account_schema.d.ts +85 -30
package/dist/auth/account_schema.d.ts.map +1 -1
package/dist/auth/account_schema.js +40 -8
package/dist/auth/admin_action_specs.d.ts +674 -0
package/dist/auth/admin_action_specs.d.ts.map +1 -0
package/dist/auth/admin_action_specs.js +287 -0
package/dist/auth/admin_actions.d.ts +69 -0
package/dist/auth/admin_actions.d.ts.map +1 -0
package/dist/auth/admin_actions.js +256 -0
package/dist/auth/admin_rpc_actions.d.ts +49 -0
package/dist/auth/admin_rpc_actions.d.ts.map +1 -0
package/dist/auth/admin_rpc_actions.js +32 -0
package/dist/auth/api_token.d.ts +10 -0
package/dist/auth/api_token.d.ts.map +1 -1
package/dist/auth/api_token.js +9 -0
package/dist/auth/api_token_queries.d.ts +3 -3
package/dist/auth/api_token_queries.js +3 -3
package/dist/auth/app_settings_schema.d.ts +4 -3
package/dist/auth/app_settings_schema.d.ts.map +1 -1
package/dist/auth/app_settings_schema.js +2 -1
package/dist/auth/audit_log_routes.d.ts +14 -6
package/dist/auth/audit_log_routes.d.ts.map +1 -1
package/dist/auth/audit_log_routes.js +22 -79
package/dist/auth/audit_log_schema.d.ts +100 -29
package/dist/auth/audit_log_schema.d.ts.map +1 -1
package/dist/auth/audit_log_schema.js +83 -11
package/dist/auth/bootstrap_routes.d.ts +14 -0
package/dist/auth/bootstrap_routes.d.ts.map +1 -1
package/dist/auth/bootstrap_routes.js +10 -3
package/dist/auth/cleanup.d.ts +63 -0
package/dist/auth/cleanup.d.ts.map +1 -0
package/dist/auth/cleanup.js +80 -0
package/dist/auth/invite_schema.d.ts +11 -10
package/dist/auth/invite_schema.d.ts.map +1 -1
package/dist/auth/invite_schema.js +4 -3
package/dist/auth/migrations.d.ts +6 -0
package/dist/auth/migrations.d.ts.map +1 -1
package/dist/auth/migrations.js +28 -0
package/dist/auth/permit_offer_action_specs.d.ts +364 -0
package/dist/auth/permit_offer_action_specs.d.ts.map +1 -0
package/dist/auth/permit_offer_action_specs.js +216 -0
package/dist/auth/permit_offer_actions.d.ts +96 -0
package/dist/auth/permit_offer_actions.d.ts.map +1 -0
package/dist/auth/permit_offer_actions.js +428 -0
package/dist/auth/permit_offer_notifications.d.ts +361 -0
package/dist/auth/permit_offer_notifications.d.ts.map +1 -0
package/dist/auth/permit_offer_notifications.js +179 -0
package/dist/auth/permit_offer_queries.d.ts +165 -0
package/dist/auth/permit_offer_queries.d.ts.map +1 -0
package/dist/auth/permit_offer_queries.js +390 -0
package/dist/auth/permit_offer_schema.d.ts +103 -0
package/dist/auth/permit_offer_schema.d.ts.map +1 -0
package/dist/auth/permit_offer_schema.js +142 -0
package/dist/auth/permit_queries.d.ts +77 -14
package/dist/auth/permit_queries.d.ts.map +1 -1
package/dist/auth/permit_queries.js +119 -24
package/dist/auth/session_queries.d.ts +4 -2
package/dist/auth/session_queries.d.ts.map +1 -1
package/dist/auth/session_queries.js +4 -2
package/dist/auth/signup_routes.d.ts +13 -0
package/dist/auth/signup_routes.d.ts.map +1 -1
package/dist/auth/signup_routes.js +14 -7
package/dist/http/CLAUDE.md +584 -0
package/dist/http/pending_effects.d.ts +29 -0
package/dist/http/pending_effects.d.ts.map +1 -0
package/dist/http/pending_effects.js +31 -0
package/dist/http/route_spec.d.ts.map +1 -1
package/dist/http/route_spec.js +4 -3
package/dist/rate_limiter.d.ts +30 -0
package/dist/rate_limiter.d.ts.map +1 -1
package/dist/rate_limiter.js +25 -2
package/dist/realtime/sse_auth_guard.d.ts +2 -0
package/dist/realtime/sse_auth_guard.d.ts.map +1 -1
package/dist/realtime/sse_auth_guard.js +5 -3
package/dist/server/app_server.d.ts +13 -2
package/dist/server/app_server.d.ts.map +1 -1
package/dist/server/app_server.js +12 -1
package/dist/testing/CLAUDE.md +668 -1
package/dist/testing/admin_integration.d.ts +10 -7
package/dist/testing/admin_integration.d.ts.map +1 -1
package/dist/testing/admin_integration.js +382 -482
package/dist/testing/app_server.d.ts +7 -6
package/dist/testing/app_server.d.ts.map +1 -1
package/dist/testing/attack_surface.d.ts +9 -3
package/dist/testing/attack_surface.d.ts.map +1 -1
package/dist/testing/attack_surface.js +4 -4
package/dist/testing/audit_completeness.d.ts +11 -0
package/dist/testing/audit_completeness.d.ts.map +1 -1
package/dist/testing/audit_completeness.js +169 -134
package/dist/testing/auth_apps.d.ts.map +1 -1
package/dist/testing/auth_apps.js +4 -33
package/dist/testing/db.d.ts +1 -1
package/dist/testing/db.d.ts.map +1 -1
package/dist/testing/db.js +2 -0
package/dist/testing/entities.d.ts +35 -13
package/dist/testing/entities.d.ts.map +1 -1
package/dist/testing/entities.js +17 -0
package/dist/testing/integration.d.ts +10 -0
package/dist/testing/integration.d.ts.map +1 -1
package/dist/testing/integration.js +352 -340
package/dist/testing/integration_helpers.d.ts +16 -5
package/dist/testing/integration_helpers.d.ts.map +1 -1
package/dist/testing/integration_helpers.js +24 -4
package/dist/testing/rate_limiting.d.ts +7 -0
package/dist/testing/rate_limiting.d.ts.map +1 -1
package/dist/testing/rate_limiting.js +41 -10
package/dist/testing/rpc_helpers.d.ts +153 -1
package/dist/testing/rpc_helpers.d.ts.map +1 -1
package/dist/testing/rpc_helpers.js +184 -8
package/dist/testing/sse_round_trip.d.ts +8 -0
package/dist/testing/sse_round_trip.d.ts.map +1 -1
package/dist/testing/sse_round_trip.js +10 -3
package/dist/testing/standard.d.ts +9 -1
package/dist/testing/standard.d.ts.map +1 -1
package/dist/testing/standard.js +6 -2
package/dist/testing/stubs.d.ts +10 -2
package/dist/testing/stubs.d.ts.map +1 -1
package/dist/testing/stubs.js +17 -2
package/dist/testing/surface_invariants.d.ts +7 -3
package/dist/testing/surface_invariants.d.ts.map +1 -1
package/dist/testing/surface_invariants.js +5 -4
package/dist/testing/ws_round_trip.d.ts.map +1 -1
package/dist/testing/ws_round_trip.js +9 -38
package/dist/ui/AccountSessions.svelte +8 -4
package/dist/ui/AccountSessions.svelte.d.ts.map +1 -1
package/dist/ui/AdminAccounts.svelte +61 -33
package/dist/ui/AdminAccounts.svelte.d.ts.map +1 -1
package/dist/ui/AdminAuditLog.svelte +3 -2
package/dist/ui/AdminAuditLog.svelte.d.ts.map +1 -1
package/dist/ui/AdminInvites.svelte +3 -2
package/dist/ui/AdminInvites.svelte.d.ts.map +1 -1
package/dist/ui/AdminOverview.svelte +14 -9
package/dist/ui/AdminOverview.svelte.d.ts.map +1 -1
package/dist/ui/AdminPermitHistory.svelte +3 -2
package/dist/ui/AdminPermitHistory.svelte.d.ts.map +1 -1
package/dist/ui/AdminSessions.svelte +29 -25
package/dist/ui/AdminSessions.svelte.d.ts.map +1 -1
package/dist/ui/CLAUDE.md +363 -0
package/dist/ui/OpenSignupToggle.svelte +6 -3
package/dist/ui/OpenSignupToggle.svelte.d.ts.map +1 -1
package/dist/ui/PermitOfferForm.svelte +141 -0
package/dist/ui/PermitOfferForm.svelte.d.ts +14 -0
package/dist/ui/PermitOfferForm.svelte.d.ts.map +1 -0
package/dist/ui/PermitOfferHistory.svelte +109 -0
package/dist/ui/PermitOfferHistory.svelte.d.ts +11 -0
package/dist/ui/PermitOfferHistory.svelte.d.ts.map +1 -0
package/dist/ui/PermitOfferInbox.svelte +121 -0
package/dist/ui/PermitOfferInbox.svelte.d.ts +12 -0
package/dist/ui/PermitOfferInbox.svelte.d.ts.map +1 -0
package/dist/ui/account_sessions_state.svelte.d.ts +53 -3
package/dist/ui/account_sessions_state.svelte.d.ts.map +1 -1
package/dist/ui/account_sessions_state.svelte.js +39 -16
package/dist/ui/admin_accounts_state.svelte.d.ts +118 -2
package/dist/ui/admin_accounts_state.svelte.d.ts.map +1 -1
package/dist/ui/admin_accounts_state.svelte.js +99 -23
package/dist/ui/admin_invites_state.svelte.d.ts +47 -1
package/dist/ui/admin_invites_state.svelte.d.ts.map +1 -1
package/dist/ui/admin_invites_state.svelte.js +38 -26
package/dist/ui/admin_rpc_adapters.d.ts +94 -0
package/dist/ui/admin_rpc_adapters.d.ts.map +1 -0
package/dist/ui/admin_rpc_adapters.js +100 -0
package/dist/ui/admin_sessions_state.svelte.d.ts +26 -0
package/dist/ui/admin_sessions_state.svelte.d.ts.map +1 -1
package/dist/ui/admin_sessions_state.svelte.js +35 -21
package/dist/ui/app_settings_state.svelte.d.ts +39 -0
package/dist/ui/app_settings_state.svelte.d.ts.map +1 -1
package/dist/ui/app_settings_state.svelte.js +34 -18
package/dist/ui/audit_log_state.svelte.d.ts +40 -3
package/dist/ui/audit_log_state.svelte.d.ts.map +1 -1
package/dist/ui/audit_log_state.svelte.js +36 -42
package/dist/ui/auth_state.svelte.d.ts +4 -3
package/dist/ui/auth_state.svelte.d.ts.map +1 -1
package/dist/ui/auth_state.svelte.js +4 -1
package/dist/ui/permit_offers_state.svelte.d.ts +125 -0
package/dist/ui/permit_offers_state.svelte.d.ts.map +1 -0
package/dist/ui/permit_offers_state.svelte.js +197 -0
package/package.json +3 -3
package/dist/auth/admin_routes.d.ts +0 -29
package/dist/auth/admin_routes.d.ts.map +0 -1
package/dist/auth/admin_routes.js +0 -226
package/dist/auth/app_settings_routes.d.ts +0 -27
package/dist/auth/app_settings_routes.d.ts.map +0 -1
package/dist/auth/app_settings_routes.js +0 -66
package/dist/auth/invite_routes.d.ts +0 -18
package/dist/auth/invite_routes.d.ts.map +0 -1
package/dist/auth/invite_routes.js +0 -129

package/dist/auth/permit_offer_queries.d.ts ADDED Viewed

@@ -0,0 +1,165 @@
+/**
+ * Permit offer database queries.
+ *
+ * Covers the offer side of the consentful-permits flow: create (with
+ * re-offer upsert), decline, retract, list, find-pending, sweep-expired,
+ * and the atomic `query_accept_offer` that bridges offer → permit.
+ *
+ * IDOR guards are expressed in each helper's signature — decline/accept
+ * require the recipient's `to_account_id`, retract requires the grantor's
+ * `from_actor_id`.
+ *
+ * @module
+ */
+import type { QueryDeps } from '../db/query_deps.js';
+import type { Uuid } from '../uuid.js';
+import type { Permit } from './account_schema.js';
+import { type CreatePermitOfferInput, type PermitOffer, type SupersededOffer } from './permit_offer_schema.js';
+import type { AuditLogEvent } from './audit_log_schema.js';
+/**
+ * Error thrown by offer-lifecycle queries when the offer is in a non-pending
+ * state (accepted / declined / retracted / superseded) and therefore not
+ * actionable. Distinct from `PermitOfferExpiredError` — expiry has its own
+ * user-facing story ("ask the grantor to re-send") so it travels separately.
+ */
+export declare class PermitOfferAlreadyTerminalError extends Error {
+    constructor(offer_id: string);
+}
+/**
+ * Error thrown when an offer's `expires_at` has passed. The accept path
+ * enforces this independently of the sweep — a stale offer past its expiry
+ * must not be accepted, even in the race window between expiry and the
+ * sweep stamping the audit event.
+ */
+export declare class PermitOfferExpiredError extends Error {
+    constructor(offer_id: string);
+}
+/**
+ * Error thrown when an offer cannot be located for the caller. Covers both
+ * "offer does not exist" and "offer belongs to a different recipient"
+ * (IDOR guard) — the standard 404-over-403 pattern that avoids disclosing
+ * whether an offer id exists.
+ */
+export declare class PermitOfferNotFoundError extends Error {
+    constructor(offer_id: string);
+}
+/**
+ * Error thrown when a grantor attempts to offer a permit to their own account.
+ *
+ * Enforced here (rather than via a CHECK constraint) so the constraint can
+ * be expressed as a cross-row JOIN on `actor.account_id` without requiring
+ * denormalized columns.
+ */
+export declare class PermitOfferSelfTargetError extends Error {
+    constructor();
+}
+/**
+ * Create a new permit offer, or refresh an existing pending offer for the
+ * same `(to_account_id, role, scope_id, from_actor_id)` tuple.
+ *
+ * Re-offer semantics: a second call by the same grantor with the same
+ * `(to_account, role, scope)` while pending upserts the existing row,
+ * refreshing `message` and `expires_at`. A different grantor offering the
+ * same `(to_account, role, scope)` creates a distinct row — multiple
+ * pending grantors coexist. After a terminal state, a re-offer is a fresh
+ * INSERT.
+ *
+ * Self-offer rejection: throws `PermitOfferSelfTargetError` if the offering
+ * actor belongs to the recipient account.
+ */
+export declare const query_permit_offer_create: (deps: QueryDeps, input: CreatePermitOfferInput) => Promise<PermitOffer>;
+/**
+ * Mark an offer declined.
+ *
+ * Guarded by `to_account_id` (IDOR). Returns `null` if the offer does not
+ * exist or belongs to a different account. Throws
+ * `PermitOfferAlreadyTerminalError` if the offer exists for the caller but
+ * is already in a terminal state.
+ */
+export declare const query_permit_offer_decline: (deps: QueryDeps, offer_id: string, to_account_id: string, reason: string | null) => Promise<PermitOffer | null>;
+/**
+ * Mark an offer retracted by the grantor.
+ *
+ * Guarded by `from_actor_id` (IDOR). Returns `null` if the offer does not
+ * exist or was issued by a different actor. Throws
+ * `PermitOfferAlreadyTerminalError` if the offer exists for this grantor
+ * but is already in a terminal state.
+ */
+export declare const query_permit_offer_retract: (deps: QueryDeps, offer_id: string, from_actor_id: string) => Promise<PermitOffer | null>;
+/**
+ * List pending, non-expired offers for an account, soonest expiry first.
+ *
+ * Expired offers are filtered server-side (`expires_at > NOW()`) so the
+ * inbox never surfaces a row that can no longer be accepted. The periodic
+ * sweep (`query_permit_offer_sweep_expired`) handles audit tombstoning.
+ */
+export declare const query_permit_offer_list: (deps: QueryDeps, to_account_id: string) => Promise<Array<PermitOffer>>;
+/**
+ * List every offer involving an account (either direction), newest first.
+ *
+ * Includes terminal offers — used by the grantor-side admin / history view.
+ */
+export declare const query_permit_offer_history_for_account: (deps: QueryDeps, account_id: string, limit?: number, offset?: number) => Promise<Array<PermitOffer>>;
+/**
+ * Look up a pending offer by id. Returns `null` if the offer is terminal,
+ * expired (server-side filter), or missing.
+ */
+export declare const query_permit_offer_find_pending: (deps: QueryDeps, offer_id: string) => Promise<PermitOffer | null>;
+/**
+ * Return pending offers whose `expires_at` has passed.
+ *
+ * Callers fire `permit_offer_expire` audit events for each row. The schema
+ * does not tombstone the row, so callers are responsible for their own
+ * idempotency (e.g. check whether a `permit_offer_expire` audit event
+ * already exists for the offer id).
+ */
+export declare const query_permit_offer_sweep_expired: (deps: QueryDeps) => Promise<Array<PermitOffer>>;
+/** Input for `query_accept_offer`. */
+export interface AcceptOfferInput {
+    offer_id: Uuid;
+    /** Account of the accepting recipient — IDOR guard against another account accepting the offer. */
+    to_account_id: Uuid;
+    /** Optional IP to stamp on the audit events. */
+    ip?: string | null;
+}
+/** Result of `query_accept_offer` — the permit produced (new or pre-existing on race), plus the (now-accepted) offer. */
+export interface AcceptOfferResult {
+    permit: Permit;
+    offer: PermitOffer;
+    /** `true` if this call is the one that accepted the offer (new permit inserted); `false` on a race returning the already-created permit. */
+    created: boolean;
+    /**
+     * Sibling offers superseded by this accept — empty on the race-loser path.
+     * Each entry carries its grantor's `from_account_id` so the caller can
+     * fan out `permit_offer_supersede` notifications without a second
+     * round-trip.
+     */
+    superseded_offers: Array<SupersededOffer>;
+    /** Audit events emitted in-transaction — fed back through the normal `on_audit_event` broadcast chain by the caller. Includes one `permit_offer_supersede` per superseded sibling. */
+    audit_events: Array<AuditLogEvent>;
+}
+/**
+ * Accept an offer atomically: mark accepted, insert the permit, stamp
+ * `resulting_permit_id`, supersede sibling pending offers for the same
+ * `(to_account, role, scope)`, and emit `permit_offer_accept` +
+ * `permit_grant` + one `permit_offer_supersede` per sibling. Must run
+ * inside a transaction — the caller's route spec should declare
+ * `transaction: true` (or wrap explicitly).
+ *
+ * Idempotent on race: if a second concurrent call observes the offer
+ * already accepted, returns the existing permit rather than creating a
+ * duplicate or throwing.
+ *
+ * Error map:
+ * - `PermitOfferNotFoundError` — offer does not exist, or belongs to a
+ *   different recipient (IDOR guard). The offer row is untouched.
+ * - `PermitOfferAlreadyTerminalError` — offer is declined, retracted, or
+ *   superseded.
+ * - `PermitOfferExpiredError` — offer is pending but past `expires_at`.
+ *
+ * Sibling supersede is what closes the "accept a pre-revoke sibling offer
+ * to bypass a revoke" path: once A is accepted, B/C/... can no longer be
+ * accepted even if the resulting permit is later revoked.
+ */
+export declare const query_accept_offer: (deps: QueryDeps, input: AcceptOfferInput) => Promise<AcceptOfferResult>;
+//# sourceMappingURL=permit_offer_queries.d.ts.map

package/dist/auth/permit_offer_queries.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"permit_offer_queries.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/permit_offer_queries.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,qBAAqB,CAAC;AAEnD,OAAO,KAAK,EAAC,IAAI,EAAC,MAAM,YAAY,CAAC;AACrC,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,qBAAqB,CAAC;AAEhD,OAAO,EAEN,KAAK,sBAAsB,EAC3B,KAAK,WAAW,EAChB,KAAK,eAAe,EACpB,MAAM,0BAA0B,CAAC;AAElC,OAAO,KAAK,EAAC,aAAa,EAAC,MAAM,uBAAuB,CAAC;AAEzD;;;;;GAKG;AACH,qBAAa,+BAAgC,SAAQ,KAAK;gBAC7C,QAAQ,EAAE,MAAM;CAI5B;AAED;;;;;GAKG;AACH,qBAAa,uBAAwB,SAAQ,KAAK;gBACrC,QAAQ,EAAE,MAAM;CAI5B;AAED;;;;;GAKG;AACH,qBAAa,wBAAyB,SAAQ,KAAK;gBACtC,QAAQ,EAAE,MAAM;CAI5B;AAED;;;;;;GAMG;AACH,qBAAa,0BAA2B,SAAQ,KAAK;;CAKpD;AAED;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,yBAAyB,GACrC,MAAM,SAAS,EACf,OAAO,sBAAsB,KAC3B,OAAO,CAAC,WAAW,CAyBrB,CAAC;AAEF;;;;;;;GAOG;AACH,eAAO,MAAM,0BAA0B,GACtC,MAAM,SAAS,EACf,UAAU,MAAM,EAChB,eAAe,MAAM,EACrB,QAAQ,MAAM,GAAG,IAAI,KACnB,OAAO,CAAC,WAAW,GAAG,IAAI,CAe5B,CAAC;AAEF;;;;;;;GAOG;AACH,eAAO,MAAM,0BAA0B,GACtC,MAAM,SAAS,EACf,UAAU,MAAM,EAChB,eAAe,MAAM,KACnB,OAAO,CAAC,WAAW,GAAG,IAAI,CAe5B,CAAC;AA8BF;;;;;;GAMG;AACH,eAAO,MAAM,uBAAuB,GACnC,MAAM,SAAS,EACf,eAAe,MAAM,KACnB,OAAO,CAAC,KAAK,CAAC,WAAW,CAAC,CAY5B,CAAC;AAEF;;;;GAIG;AACH,eAAO,MAAM,sCAAsC,GAClD,MAAM,SAAS,EACf,YAAY,MAAM,EAClB,cAAW,EACX,eAAU,KACR,OAAO,CAAC,KAAK,CAAC,WAAW,CAAC,CAS5B,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,+BAA+B,GAC3C,MAAM,SAAS,EACf,UAAU,MAAM,KACd,OAAO,CAAC,WAAW,GAAG,IAAI,CAY5B,CAAC;AAEF;;;;;;;GAOG;AACH,eAAO,MAAM,gCAAgC,GAC5C,MAAM,SAAS,KACb,OAAO,CAAC,KAAK,CAAC,WAAW,CAAC,CAU5B,CAAC;AAEF,sCAAsC;AACtC,MAAM,WAAW,gBAAgB;IAChC,QAAQ,EAAE,IAAI,CAAC;IACf,mGAAmG;IACnG,aAAa,EAAE,IAAI,CAAC;IACpB,gDAAgD;IAChD,EAAE,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CACnB;AAED,yHAAyH;AACzH,MAAM,WAAW,iBAAiB;IACjC,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,WAAW,CAAC;IACnB,4IAA4I;IAC5I,OAAO,EAAE,OAAO,CAAC;IACjB;;;;;OAKG;IACH,iBAAiB,EAAE,KAAK,CAAC,eAAe,CAAC,CAAC;IAC1C,sLAAsL;IACtL,YAAY,EAAE,KAAK,CAAC,aAAa,CAAC,CAAC;CACnC;AAED;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,eAAO,MAAM,kBAAkB,GAC9B,MAAM,SAAS,EACf,OAAO,gBAAgB,KACrB,OAAO,CAAC,iBAAiB,CAqK3B,CAAC"}

package/dist/auth/permit_offer_queries.js ADDED Viewed

@@ -0,0 +1,390 @@
+/**
+ * Permit offer database queries.
+ *
+ * Covers the offer side of the consentful-permits flow: create (with
+ * re-offer upsert), decline, retract, list, find-pending, sweep-expired,
+ * and the atomic `query_accept_offer` that bridges offer → permit.
+ *
+ * IDOR guards are expressed in each helper's signature — decline/accept
+ * require the recipient's `to_account_id`, retract requires the grantor's
+ * `from_actor_id`.
+ *
+ * @module
+ */
+import { assert_row } from '../db/assert_row.js';
+import { query_actor_by_account } from './account_queries.js';
+import { PERMIT_OFFER_SCOPE_SENTINEL_UUID, } from './permit_offer_schema.js';
+import { query_audit_log } from './audit_log_queries.js';
+/**
+ * Error thrown by offer-lifecycle queries when the offer is in a non-pending
+ * state (accepted / declined / retracted / superseded) and therefore not
+ * actionable. Distinct from `PermitOfferExpiredError` — expiry has its own
+ * user-facing story ("ask the grantor to re-send") so it travels separately.
+ */
+export class PermitOfferAlreadyTerminalError extends Error {
+    constructor(offer_id) {
+        super(`Offer ${offer_id} is already in a terminal state`);
+        this.name = 'PermitOfferAlreadyTerminalError';
+    }
+}
+/**
+ * Error thrown when an offer's `expires_at` has passed. The accept path
+ * enforces this independently of the sweep — a stale offer past its expiry
+ * must not be accepted, even in the race window between expiry and the
+ * sweep stamping the audit event.
+ */
+export class PermitOfferExpiredError extends Error {
+    constructor(offer_id) {
+        super(`Offer ${offer_id} has expired`);
+        this.name = 'PermitOfferExpiredError';
+    }
+}
+/**
+ * Error thrown when an offer cannot be located for the caller. Covers both
+ * "offer does not exist" and "offer belongs to a different recipient"
+ * (IDOR guard) — the standard 404-over-403 pattern that avoids disclosing
+ * whether an offer id exists.
+ */
+export class PermitOfferNotFoundError extends Error {
+    constructor(offer_id) {
+        super(`Offer ${offer_id} not found`);
+        this.name = 'PermitOfferNotFoundError';
+    }
+}
+/**
+ * Error thrown when a grantor attempts to offer a permit to their own account.
+ *
+ * Enforced here (rather than via a CHECK constraint) so the constraint can
+ * be expressed as a cross-row JOIN on `actor.account_id` without requiring
+ * denormalized columns.
+ */
+export class PermitOfferSelfTargetError extends Error {
+    constructor() {
+        super('Cannot offer a permit to your own account');
+        this.name = 'PermitOfferSelfTargetError';
+    }
+}
+/**
+ * Create a new permit offer, or refresh an existing pending offer for the
+ * same `(to_account_id, role, scope_id, from_actor_id)` tuple.
+ *
+ * Re-offer semantics: a second call by the same grantor with the same
+ * `(to_account, role, scope)` while pending upserts the existing row,
+ * refreshing `message` and `expires_at`. A different grantor offering the
+ * same `(to_account, role, scope)` creates a distinct row — multiple
+ * pending grantors coexist. After a terminal state, a re-offer is a fresh
+ * INSERT.
+ *
+ * Self-offer rejection: throws `PermitOfferSelfTargetError` if the offering
+ * actor belongs to the recipient account.
+ */
+export const query_permit_offer_create = async (deps, input) => {
+    const actor = await query_actor_by_account(deps, input.to_account_id);
+    if (actor && actor.id === input.from_actor_id) {
+        throw new PermitOfferSelfTargetError();
+    }
+    const row = await deps.db.query_one(`INSERT INTO permit_offer
+			 (from_actor_id, to_account_id, role, scope_id, message, expires_at)
+		 VALUES ($1, $2, $3, $4, $5, $6)
+		 ON CONFLICT (to_account_id, role, COALESCE(scope_id, '${PERMIT_OFFER_SCOPE_SENTINEL_UUID}'::uuid), from_actor_id)
+		   WHERE accepted_at IS NULL AND declined_at IS NULL AND retracted_at IS NULL AND superseded_at IS NULL
+		 DO UPDATE SET
+			 message = EXCLUDED.message,
+			 expires_at = EXCLUDED.expires_at
+		 RETURNING *`, [
+        input.from_actor_id,
+        input.to_account_id,
+        input.role,
+        input.scope_id ?? null,
+        input.message ?? null,
+        input.expires_at.toISOString(),
+    ]);
+    return assert_row(row, 'INSERT INTO permit_offer');
+};
+/**
+ * Mark an offer declined.
+ *
+ * Guarded by `to_account_id` (IDOR). Returns `null` if the offer does not
+ * exist or belongs to a different account. Throws
+ * `PermitOfferAlreadyTerminalError` if the offer exists for the caller but
+ * is already in a terminal state.
+ */
+export const query_permit_offer_decline = async (deps, offer_id, to_account_id, reason) => {
+    const updated = await deps.db.query_one(`UPDATE permit_offer
+		 SET declined_at = NOW(), decline_reason = $3
+		 WHERE id = $1
+		   AND to_account_id = $2
+		   AND accepted_at IS NULL
+		   AND declined_at IS NULL
+		   AND retracted_at IS NULL
+		   AND superseded_at IS NULL
+		 RETURNING *`, [offer_id, to_account_id, reason ?? null]);
+    if (updated)
+        return updated;
+    return resolve_terminal_or_missing(deps, offer_id, { to_account_id });
+};
+/**
+ * Mark an offer retracted by the grantor.
+ *
+ * Guarded by `from_actor_id` (IDOR). Returns `null` if the offer does not
+ * exist or was issued by a different actor. Throws
+ * `PermitOfferAlreadyTerminalError` if the offer exists for this grantor
+ * but is already in a terminal state.
+ */
+export const query_permit_offer_retract = async (deps, offer_id, from_actor_id) => {
+    const updated = await deps.db.query_one(`UPDATE permit_offer
+		 SET retracted_at = NOW()
+		 WHERE id = $1
+		   AND from_actor_id = $2
+		   AND accepted_at IS NULL
+		   AND declined_at IS NULL
+		   AND retracted_at IS NULL
+		   AND superseded_at IS NULL
+		 RETURNING *`, [offer_id, from_actor_id]);
+    if (updated)
+        return updated;
+    return resolve_terminal_or_missing(deps, offer_id, { from_actor_id });
+};
+/** Helper: distinguish "not found / different owner" from "already terminal". */
+const resolve_terminal_or_missing = async (deps, offer_id, scope) => {
+    const conditions = ['id = $1'];
+    const params = [offer_id];
+    let idx = 2;
+    if (scope.to_account_id) {
+        conditions.push(`to_account_id = $${idx++}`);
+        params.push(scope.to_account_id);
+    }
+    if (scope.from_actor_id) {
+        conditions.push(`from_actor_id = $${idx++}`);
+        params.push(scope.from_actor_id);
+    }
+    const row = await deps.db.query_one(`SELECT * FROM permit_offer WHERE ${conditions.join(' AND ')}`, params);
+    if (!row)
+        return null;
+    if (row.accepted_at || row.declined_at || row.retracted_at || row.superseded_at) {
+        throw new PermitOfferAlreadyTerminalError(offer_id);
+    }
+    return null;
+};
+/**
+ * List pending, non-expired offers for an account, soonest expiry first.
+ *
+ * Expired offers are filtered server-side (`expires_at > NOW()`) so the
+ * inbox never surfaces a row that can no longer be accepted. The periodic
+ * sweep (`query_permit_offer_sweep_expired`) handles audit tombstoning.
+ */
+export const query_permit_offer_list = async (deps, to_account_id) => {
+    return deps.db.query(`SELECT * FROM permit_offer
+		 WHERE to_account_id = $1
+		   AND accepted_at IS NULL
+		   AND declined_at IS NULL
+		   AND retracted_at IS NULL
+		   AND superseded_at IS NULL
+		   AND expires_at > NOW()
+		 ORDER BY expires_at ASC`, [to_account_id]);
+};
+/**
+ * List every offer involving an account (either direction), newest first.
+ *
+ * Includes terminal offers — used by the grantor-side admin / history view.
+ */
+export const query_permit_offer_history_for_account = async (deps, account_id, limit = 100, offset = 0) => {
+    return deps.db.query(`SELECT o.* FROM permit_offer o
+		 LEFT JOIN actor a ON a.id = o.from_actor_id
+		 WHERE o.to_account_id = $1 OR a.account_id = $1
+		 ORDER BY o.created_at DESC
+		 LIMIT $2 OFFSET $3`, [account_id, limit, offset]);
+};
+/**
+ * Look up a pending offer by id. Returns `null` if the offer is terminal,
+ * expired (server-side filter), or missing.
+ */
+export const query_permit_offer_find_pending = async (deps, offer_id) => {
+    const row = await deps.db.query_one(`SELECT * FROM permit_offer
+		 WHERE id = $1
+		   AND accepted_at IS NULL
+		   AND declined_at IS NULL
+		   AND retracted_at IS NULL
+		   AND superseded_at IS NULL
+		   AND expires_at > NOW()`, [offer_id]);
+    return row ?? null;
+};
+/**
+ * Return pending offers whose `expires_at` has passed.
+ *
+ * Callers fire `permit_offer_expire` audit events for each row. The schema
+ * does not tombstone the row, so callers are responsible for their own
+ * idempotency (e.g. check whether a `permit_offer_expire` audit event
+ * already exists for the offer id).
+ */
+export const query_permit_offer_sweep_expired = async (deps) => {
+    return deps.db.query(`SELECT * FROM permit_offer
+		 WHERE accepted_at IS NULL
+		   AND declined_at IS NULL
+		   AND retracted_at IS NULL
+		   AND superseded_at IS NULL
+		   AND expires_at <= NOW()
+		 ORDER BY expires_at ASC`);
+};
+/**
+ * Accept an offer atomically: mark accepted, insert the permit, stamp
+ * `resulting_permit_id`, supersede sibling pending offers for the same
+ * `(to_account, role, scope)`, and emit `permit_offer_accept` +
+ * `permit_grant` + one `permit_offer_supersede` per sibling. Must run
+ * inside a transaction — the caller's route spec should declare
+ * `transaction: true` (or wrap explicitly).
+ *
+ * Idempotent on race: if a second concurrent call observes the offer
+ * already accepted, returns the existing permit rather than creating a
+ * duplicate or throwing.
+ *
+ * Error map:
+ * - `PermitOfferNotFoundError` — offer does not exist, or belongs to a
+ *   different recipient (IDOR guard). The offer row is untouched.
+ * - `PermitOfferAlreadyTerminalError` — offer is declined, retracted, or
+ *   superseded.
+ * - `PermitOfferExpiredError` — offer is pending but past `expires_at`.
+ *
+ * Sibling supersede is what closes the "accept a pre-revoke sibling offer
+ * to bypass a revoke" path: once A is accepted, B/C/... can no longer be
+ * accepted even if the resulting permit is later revoked.
+ */
+export const query_accept_offer = async (deps, input) => {
+    const { offer_id, to_account_id, ip } = input;
+    // Claim the offer with a row-level lock. Subsequent concurrent callers
+    // block on the lock until this transaction commits/rolls back; after commit
+    // they see the new state (accepted or terminal) and branch idempotently.
+    // We defer writing `accepted_at` until the permit row exists — the
+    // `permit_offer_permit_iff_accepted` CHECK constraint demands both be set
+    // (or neither) at row-visibility time.
+    const locked = await deps.db.query_one(`SELECT * FROM permit_offer
+		 WHERE id = $1 AND to_account_id = $2
+		 FOR UPDATE`, [offer_id, to_account_id]);
+    if (!locked) {
+        throw new PermitOfferNotFoundError(offer_id);
+    }
+    if (locked.accepted_at) {
+        // Race winner already committed; return the pre-existing permit.
+        // `permit_offer_permit_iff_accepted` CHECK guarantees resulting_permit_id is non-null.
+        const permit = await deps.db.query_one(`SELECT * FROM permit WHERE id = $1`, [
+            locked.resulting_permit_id,
+        ]);
+        return {
+            permit: assert_row(permit, 'resulting_permit lookup'),
+            offer: locked,
+            created: false,
+            superseded_offers: [],
+            audit_events: [],
+        };
+    }
+    if (locked.declined_at || locked.retracted_at || locked.superseded_at) {
+        throw new PermitOfferAlreadyTerminalError(offer_id);
+    }
+    // Expiry check AFTER the accepted-path: a validly-accepted offer past its
+    // expires_at still returns the permit idempotently. Only pending offers
+    // past expiry reach this branch.
+    if (new Date(locked.expires_at) <= new Date()) {
+        throw new PermitOfferExpiredError(offer_id);
+    }
+    // Resolve the accepting actor (1:1 account→actor in v1).
+    const actor = await query_actor_by_account(deps, to_account_id);
+    if (!actor) {
+        throw new Error(`No actor for account ${to_account_id} accepting offer ${offer_id}`);
+    }
+    // Insert the permit. Uses the normal grant idempotency — if another
+    // code path already granted the same (actor, role, scope), reuse it.
+    const granted_permit = await deps.db.query_one(`INSERT INTO permit (actor_id, role, scope_id, granted_by, source_offer_id)
+		 VALUES ($1, $2, $3, $4, $5)
+		 ON CONFLICT (actor_id, role, COALESCE(scope_id, '${PERMIT_OFFER_SCOPE_SENTINEL_UUID}'::uuid))
+		   WHERE revoked_at IS NULL
+		 DO NOTHING
+		 RETURNING *`, [actor.id, locked.role, locked.scope_id, locked.from_actor_id, locked.id]);
+    let permit;
+    if (granted_permit) {
+        permit = granted_permit;
+    }
+    else {
+        const existing = await deps.db.query_one(`SELECT * FROM permit
+			 WHERE actor_id = $1
+			   AND role = $2
+			   AND scope_id IS NOT DISTINCT FROM $3
+			   AND revoked_at IS NULL`, [actor.id, locked.role, locked.scope_id]);
+        permit = assert_row(existing, 'query_accept_offer idempotent permit lookup');
+    }
+    // Single UPDATE sets both sides of the CHECK constraint at once.
+    const offer_accepted = await deps.db.query_one(`UPDATE permit_offer
+		 SET accepted_at = NOW(), resulting_permit_id = $2
+		 WHERE id = $1
+		 RETURNING *`, [locked.id, permit.id]);
+    const offer = assert_row(offer_accepted, 'mark offer accepted');
+    // Supersede sibling pending offers for the same (to_account, role, scope).
+    // Forecloses the "accept this other sibling later to get the role back
+    // after a revoke" path — any pending offer for this tuple at accept time
+    // is obsoleted by the accept. CTE joins `actor` to surface each sibling's
+    // grantor `account_id` for the caller's notification fan-out.
+    const superseded = await deps.db.query(`WITH updated AS (
+			UPDATE permit_offer
+			SET superseded_at = NOW()
+			WHERE to_account_id = $1
+			  AND role = $2
+			  AND scope_id IS NOT DISTINCT FROM $3
+			  AND id <> $4
+			  AND accepted_at IS NULL
+			  AND declined_at IS NULL
+			  AND retracted_at IS NULL
+			  AND superseded_at IS NULL
+			RETURNING *
+		)
+		SELECT u.*, grantor.account_id AS from_account_id
+		FROM updated u
+		JOIN actor grantor ON grantor.id = u.from_actor_id`, [to_account_id, offer.role, offer.scope_id, offer.id]);
+    // Emit audit events in-transaction (atomic with the permit insert).
+    // `RETURNING *` after the SET guarantees `offer.resulting_permit_id === permit.id`.
+    const offer_accept_event = await query_audit_log(deps, {
+        event_type: 'permit_offer_accept',
+        actor_id: actor.id,
+        account_id: to_account_id,
+        ip: ip ?? null,
+        metadata: {
+            offer_id: offer.id,
+            permit_id: permit.id,
+            role: offer.role,
+            scope_id: offer.scope_id,
+        },
+    });
+    const permit_grant_event = await query_audit_log(deps, {
+        event_type: 'permit_grant',
+        actor_id: actor.id,
+        account_id: to_account_id,
+        ip: ip ?? null,
+        metadata: {
+            role: offer.role,
+            permit_id: permit.id,
+            scope_id: offer.scope_id,
+            source_offer_id: offer.id,
+        },
+    });
+    const supersede_events = [];
+    for (const sibling of superseded) {
+        supersede_events.push(await query_audit_log(deps, {
+            event_type: 'permit_offer_supersede',
+            actor_id: actor.id,
+            account_id: to_account_id,
+            ip: ip ?? null,
+            metadata: {
+                offer_id: sibling.id,
+                role: sibling.role,
+                scope_id: sibling.scope_id,
+                reason: 'sibling_accepted',
+                cause_id: offer.id,
+            },
+        }));
+    }
+    return {
+        permit,
+        offer,
+        created: true,
+        superseded_offers: superseded,
+        audit_events: [offer_accept_event, permit_grant_event, ...supersede_events],
+    };
+};

package/dist/auth/permit_offer_schema.d.ts ADDED Viewed

@@ -0,0 +1,103 @@
+/**
+ * Permit offer DDL, types, and client-safe schemas.
+ *
+ * An offer is a pending grant awaiting recipient consent. Lifecycle states
+ * are mutually exclusive via a CHECK constraint (`permit_offer_single_terminal`):
+ * at most one of `accepted_at` / `declined_at` / `retracted_at` may be set.
+ * On accept, the offer's `resulting_permit_id` links to the permit row
+ * produced by `query_accept_offer`.
+ *
+ * @module
+ */
+import { z } from 'zod';
+import { Uuid } from '../uuid.js';
+/** Sentinel UUID used inside the partial unique indexes to collapse `scope_id IS NULL` into a comparable value. */
+export declare const PERMIT_OFFER_SCOPE_SENTINEL_UUID = "00000000-0000-0000-0000-000000000000";
+/** Maximum length of the optional message attached to an offer. */
+export declare const PERMIT_OFFER_MESSAGE_LENGTH_MAX = 500;
+/** Default TTL for a newly created offer — 30 days. Matches GitHub org-invite expiry. */
+export declare const PERMIT_OFFER_DEFAULT_TTL_MS: number;
+export declare const PERMIT_OFFER_SCHEMA = "\nCREATE TABLE IF NOT EXISTS permit_offer (\n  id UUID PRIMARY KEY DEFAULT gen_random_uuid(),\n  from_actor_id UUID NOT NULL REFERENCES actor(id) ON DELETE CASCADE,\n  to_account_id UUID NOT NULL REFERENCES account(id) ON DELETE CASCADE,\n  role TEXT NOT NULL,\n  scope_id UUID NULL,\n  message TEXT NULL,\n  created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),\n  expires_at TIMESTAMPTZ NOT NULL,\n  accepted_at TIMESTAMPTZ NULL,\n  declined_at TIMESTAMPTZ NULL,\n  decline_reason TEXT NULL,\n  retracted_at TIMESTAMPTZ NULL,\n  superseded_at TIMESTAMPTZ NULL,\n  resulting_permit_id UUID NULL REFERENCES permit(id) ON DELETE SET NULL,\n  CONSTRAINT permit_offer_single_terminal CHECK (\n    (accepted_at IS NOT NULL)::int\n    + (declined_at IS NOT NULL)::int\n    + (retracted_at IS NOT NULL)::int\n    + (superseded_at IS NOT NULL)::int\n    <= 1\n  ),\n  CONSTRAINT permit_offer_permit_iff_accepted CHECK (\n    (accepted_at IS NOT NULL) = (resulting_permit_id IS NOT NULL)\n  ),\n  CONSTRAINT permit_offer_reason_iff_declined CHECK (\n    decline_reason IS NULL OR declined_at IS NOT NULL\n  )\n)";
+/**
+ * At most one pending offer per (to_account, role, scope, from_actor).
+ *
+ * Including `from_actor_id` in the tuple lets multiple grantors coexist —
+ * teacher A and teacher B can each have a pending `classroom_student` offer
+ * for the same student and scope. A same-grantor re-offer upserts the
+ * existing pending row. `COALESCE` collapses `NULL` scopes into the
+ * sentinel UUID so Postgres's NULL-in-unique-index quirk does not allow
+ * duplicate global pending offers. The ON CONFLICT target in
+ * `query_permit_offer_create` must match this expression literally.
+ */
+export declare const PERMIT_OFFER_PENDING_UNIQUE_INDEX = "\nCREATE UNIQUE INDEX IF NOT EXISTS permit_offer_pending_unique\n  ON permit_offer (\n    to_account_id,\n    role,\n    COALESCE(scope_id, '00000000-0000-0000-0000-000000000000'::uuid),\n    from_actor_id\n  )\n  WHERE accepted_at IS NULL\n    AND declined_at IS NULL\n    AND retracted_at IS NULL\n    AND superseded_at IS NULL";
+/** Inbox lookup — pending offers for an account, ordered by soonest expiry. */
+export declare const PERMIT_OFFER_INBOX_INDEX = "\nCREATE INDEX IF NOT EXISTS permit_offer_inbox\n  ON permit_offer (to_account_id, expires_at)\n  WHERE accepted_at IS NULL\n    AND declined_at IS NULL\n    AND retracted_at IS NULL\n    AND superseded_at IS NULL";
+/** Permit offer row as returned by the database. */
+export interface PermitOffer {
+    id: Uuid;
+    from_actor_id: Uuid;
+    to_account_id: Uuid;
+    role: string;
+    scope_id: Uuid | null;
+    message: string | null;
+    created_at: string;
+    expires_at: string;
+    accepted_at: string | null;
+    declined_at: string | null;
+    decline_reason: string | null;
+    retracted_at: string | null;
+    /**
+     * Set when the offer was obsoleted by an external event — a sibling
+     * offer was accepted (yielding the permit this offer's role+scope maps to)
+     * or the resulting permit for this (to_account, role, scope) was revoked.
+     * Closes the "accept a pre-revoke offer to bypass the revoke" path.
+     */
+    superseded_at: string | null;
+    resulting_permit_id: Uuid | null;
+}
+/**
+ * A superseded offer row annotated with the grantor's `account_id`.
+ *
+ * Carried by `superseded_offers` in accept/revoke query results so callers
+ * can fan out `permit_offer_supersede` notifications to the grantor's
+ * sockets without a second round-trip. Populated via a CTE join on `actor`
+ * in the supersede UPDATE.
+ */
+export interface SupersededOffer extends PermitOffer {
+    from_account_id: Uuid;
+}
+/**
+ * Input for `query_permit_offer_create`.
+ *
+ * `expires_at` must be supplied — the query layer does not apply a default,
+ * so callers can thread their own TTL (typically `PERMIT_OFFER_DEFAULT_TTL_MS`).
+ */
+export interface CreatePermitOfferInput {
+    from_actor_id: Uuid;
+    to_account_id: Uuid;
+    role: string;
+    scope_id?: Uuid | null;
+    message?: string | null;
+    expires_at: Date;
+}
+/** Zod schema for client-safe permit offer data. */
+export declare const PermitOfferJson: z.ZodObject<{
+    id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+    from_actor_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+    to_account_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+    role: z.ZodString;
+    scope_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+    message: z.ZodNullable<z.ZodString>;
+    created_at: z.ZodString;
+    expires_at: z.ZodString;
+    accepted_at: z.ZodNullable<z.ZodString>;
+    declined_at: z.ZodNullable<z.ZodString>;
+    decline_reason: z.ZodNullable<z.ZodString>;
+    retracted_at: z.ZodNullable<z.ZodString>;
+    superseded_at: z.ZodNullable<z.ZodString>;
+    resulting_permit_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+}, z.core.$strict>;
+export type PermitOfferJson = z.infer<typeof PermitOfferJson>;
+/** Convert a `PermitOffer` row to its JSON payload shape. */
+export declare const to_permit_offer_json: (offer: PermitOffer) => PermitOfferJson;
+//# sourceMappingURL=permit_offer_schema.d.ts.map

package/dist/auth/permit_offer_schema.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"permit_offer_schema.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/permit_offer_schema.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAEtB,OAAO,EAAC,IAAI,EAAC,MAAM,YAAY,CAAC;AAGhC,mHAAmH;AACnH,eAAO,MAAM,gCAAgC,yCAAyC,CAAC;AAEvF,mEAAmE;AACnE,eAAO,MAAM,+BAA+B,MAAM,CAAC;AAEnD,yFAAyF;AACzF,eAAO,MAAM,2BAA2B,QAA2B,CAAC;AAEpE,eAAO,MAAM,mBAAmB,6kCA6B9B,CAAC;AAEH;;;;;;;;;;GAUG;AACH,eAAO,MAAM,iCAAiC,8UAWhB,CAAC;AAE/B,+EAA+E;AAC/E,eAAO,MAAM,wBAAwB,0NAMP,CAAC;AAE/B,oDAAoD;AACpD,MAAM,WAAW,WAAW;IAC3B,EAAE,EAAE,IAAI,CAAC;IACT,aAAa,EAAE,IAAI,CAAC;IACpB,aAAa,EAAE,IAAI,CAAC;IACpB,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,IAAI,GAAG,IAAI,CAAC;IACtB,OAAO,EAAE,MAAM,GAAG,IAAI,CAAC;IACvB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IACnB,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,cAAc,EAAE,MAAM,GAAG,IAAI,CAAC;IAC9B,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5B;;;;;OAKG;IACH,aAAa,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7B,mBAAmB,EAAE,IAAI,GAAG,IAAI,CAAC;CACjC;AAED;;;;;;;GAOG;AACH,MAAM,WAAW,eAAgB,SAAQ,WAAW;IACnD,eAAe,EAAE,IAAI,CAAC;CACtB;AAED;;;;;GAKG;AACH,MAAM,WAAW,sBAAsB;IACtC,aAAa,EAAE,IAAI,CAAC;IACpB,aAAa,EAAE,IAAI,CAAC;IACpB,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;IACvB,OAAO,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,UAAU,EAAE,IAAI,CAAC;CACjB;AAED,oDAAoD;AACpD,eAAO,MAAM,eAAe;;;;;;;;;;;;;;;kBA4CyD,CAAC;AACtF,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,eAAe,CAAC,CAAC;AAE9D,6DAA6D;AAC7D,eAAO,MAAM,oBAAoB,GAAI,OAAO,WAAW,KAAG,eAexD,CAAC"}