@fuzdev/fuz_app 0.38.1 → 0.40.0

package/dist/auth/audit_log_schema.js

@@ -9,8 +9,13 @@
 import { z } from 'zod';
 import { Uuid } from '../uuid.js';
 import { AuthSessionJson } from './account_schema.js';
-/** All tracked auth event types. */
-export const AUDIT_EVENT_TYPES = [
+/**
+ * All tracked auth event types. Frozen to convert accidental in-process
+ * mutation (test cross-contamination, cast escapes) into loud TypeErrors.
+ * Not a security boundary — in-process code has many other paths to subvert
+ * audit logging.
+ */
+export const AUDIT_EVENT_TYPES = Object.freeze([
     'login',
     'logout',
     'bootstrap',
@@ -32,19 +37,29 @@ export const AUDIT_EVENT_TYPES = [
     'invite_create',
     'invite_delete',
     'app_settings_update',
-];
+]);
 /** Zod schema for audit event types. */
 export const AuditEventType = z.enum(AUDIT_EVENT_TYPES);
+/**
+ * Letter start, then letters, digits, `_`, `.`, `/`, `-`. Accepts snake_case,
+ * dotted, and namespaced consumer conventions; rejects empty strings, leading
+ * separators, whitespace, and control characters.
+ */
+export const AUDIT_EVENT_TYPE_NAME_REGEX = /^[A-Za-z][A-Za-z0-9_./-]*$/;
+/** Zod schema for valid audit event-type name strings. */
+export const AuditEventTypeName = z.string().regex(AUDIT_EVENT_TYPE_NAME_REGEX, {
+    message: 'must start with a letter; only letters, digits, _ . / - allowed',
+});
 /** Zod schema for audit event outcomes. */
 export const AuditOutcome = z.enum(['success', 'failure']);
 /**
- * Per-event-type metadata Zod schemas.
- *
- * Uses `z.looseObject` so consumers can add extra fields
- * (e.g. visiones `self_service`) while known fields are validated.
- * Events with outcome-dependent metadata use a union with `z.null()`.
+ * Per-event-type metadata Zod schemas. `z.looseObject` so consumers can
+ * add fields while known ones are validated. The record is frozen to
+ * catch mutation bugs at the key level (e.g. tests that try to swap in a
+ * stub schema); the Zod schemas themselves are reachable and mutable —
+ * freeze isn't a security boundary.
  */
-export const AUDIT_METADATA_SCHEMAS = {
+export const AUDIT_METADATA_SCHEMAS = Object.freeze({
     login: z.looseObject({ username: z.string() }).nullable(),
     logout: z.null(),
     bootstrap: z.looseObject({ error: z.string() }).nullable(),
@@ -74,17 +89,23 @@ export const AUDIT_METADATA_SCHEMAS = {
     }),
     // `permit_id` is optional on `permit_grant` because failed grants
     // (e.g. `web_grantable` denied) never produce a permit row.
+    // `self_service: true` is set by the self-service role toggle in
+    // `self_service_role_actions.ts` — declared explicitly rather than
+    // riding on `z.looseObject` permissiveness so the field is part of
+    // the documented schema surface.
     permit_grant: z.looseObject({
         role: z.string(),
         permit_id: Uuid.optional(),
         scope_id: Uuid.nullish(),
         source_offer_id: Uuid.optional(),
+        self_service: z.boolean().optional(),
     }),
     permit_revoke: z.looseObject({
         role: z.string(),
         permit_id: Uuid,
         scope_id: Uuid.nullish(),
         reason: z.string().optional(),
+        self_service: z.boolean().optional(),
     }),
     // `offer_id` is optional because failed creates (e.g. `web_grantable`
     // denied, `authorize` callback denied) never produce an offer row.
@@ -139,7 +160,7 @@ export const AUDIT_METADATA_SCHEMAS = {
         old_value: z.unknown(),
         new_value: z.unknown(),
     }),
-};
+});
 /**
  * Narrow metadata type for a known event type.
  *
@@ -148,11 +169,62 @@ export const AUDIT_METADATA_SCHEMAS = {
 export const get_audit_metadata = (event) => {
     return event.metadata;
 };
-/** Zod schema for client-safe audit log event. */
+/** Builtin fuz_app audit-log config — every existing event type and its metadata schema. */
+export const BUILTIN_AUDIT_LOG_CONFIG = Object.freeze({
+    event_types: AUDIT_EVENT_TYPES,
+    metadata_schemas: AUDIT_METADATA_SCHEMAS,
+});
+/**
+ * Build an `AuditLogConfig` by merging fuz_app builtins with consumer extras.
+ *
+ * Throws when an `extra_events` key collides with a builtin event type, or
+ * fails `AuditEventTypeName` format validation.
+ *
+ * Call once at startup; pass the result to consumer-emitted
+ * `audit_log_fire_and_forget` calls. Builtin handlers omit the argument and
+ * pick up `BUILTIN_AUDIT_LOG_CONFIG`.
+ */
+export const create_audit_log_config = (options) => {
+    const extras = options?.extra_events;
+    if (!extras)
+        return BUILTIN_AUDIT_LOG_CONFIG;
+    const extra_entries = Object.entries(extras);
+    if (extra_entries.length === 0)
+        return BUILTIN_AUDIT_LOG_CONFIG;
+    const builtin_set = new Set(AUDIT_EVENT_TYPES);
+    const extra_keys = [];
+    const metadata_schemas = { ...AUDIT_METADATA_SCHEMAS };
+    for (const [t, schema] of extra_entries) {
+        if (builtin_set.has(t)) {
+            throw new Error(`extra_events key "${t}" collides with a builtin event type — pick a distinct string (e.g. "app_${t}")`);
+        }
+        const name_check = AuditEventTypeName.safeParse(t);
+        if (!name_check.success) {
+            throw new Error(`extra_events key "${t}" has invalid format: ${name_check.error.issues[0].message}`);
+        }
+        extra_keys.push(t);
+        if (schema !== null)
+            metadata_schemas[t] = schema;
+    }
+    return Object.freeze({
+        event_types: Object.freeze([...AUDIT_EVENT_TYPES, ...extra_keys]),
+        metadata_schemas: Object.freeze(metadata_schemas),
+    });
+};
+/**
+ * Zod schema for client-safe audit log event.
+ *
+ * `event_type` is `AuditEventTypeName` (regex-validated string) — matches
+ * the `AuditLogEvent` row and the DB's `TEXT NOT NULL` column. Consumer
+ * types registered via `create_audit_log_config({extra_events})` round-trip
+ * through queries, `on_audit_event` callbacks, and JSON-RPC responses
+ * identically to builtins. `AuditLogInput<T>` stays parameterized on the
+ * write side so `AuditMetadataMap` narrowing via `get_audit_metadata` works.
+ */
 export const AuditLogEventJson = z.strictObject({
     id: Uuid,
     seq: z.number().int(),
-    event_type: AuditEventType,
+    event_type: AuditEventTypeName,
     outcome: AuditOutcome,
     actor_id: Uuid.nullable(),
     account_id: Uuid.nullable(),

package/dist/auth/bootstrap_routes.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"bootstrap_routes.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/bootstrap_routes.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AACtB,OAAO,KAAK,EAAC,OAAO,EAAC,MAAM,MAAM,CAAC;AAClC,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAEpD,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,qBAAqB,CAAC;AAExD,OAAO,EAAoB,KAAK,uBAAuB,EAAC,MAAM,wBAAwB,CAAC;AAGvF,OAAO,KAAK,EAAC,EAAE,EAAC,MAAM,aAAa,CAAC;AACpC,OAAO,EAAkB,KAAK,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAEtE,OAAO,EAA+B,KAAK,WAAW,EAAC,MAAM,oBAAoB,CAAC;AAClF,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,WAAW,CAAC;AAChD,OAAO,KAAK,EAAC,UAAU,EAAC,MAAM,oBAAoB,CAAC;AAanD,gFAAgF;AAChF,eAAO,MAAM,cAAc;;;;kBAIzB,CAAC;AACH,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,cAAc,CAAC,CAAC;AAE5D,iFAAiF;AACjF,eAAO,MAAM,eAAe;;;kBAG1B,CAAC;AACH,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,eAAe,CAAC,CAAC;AAE9D;;GAEG;AACH,MAAM,WAAW,eAAe;IAC/B,SAAS,EAAE,OAAO,CAAC;IACnB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;CAC1B;AAED;;;;;GAKG;AACH,MAAM,WAAW,qBAAqB;IACrC,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,8EAA8E;IAC9E,gBAAgB,EAAE,eAAe,CAAC;IAClC;;;OAGG;IACH,YAAY,CAAC,EAAE,CAAC,MAAM,EAAE,uBAAuB,EAAE,CAAC,EAAE,OAAO,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IAC9E,4EAA4E;IAC5E,eAAe,EAAE,WAAW,GAAG,IAAI,CAAC;CACpC;AAED;;GAEG;AACH,MAAM,WAAW,wBAAwB;IACxC,IAAI,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC,CAAC;IACnD,EAAE,EAAE,EAAE,CAAC;IACP,GAAG,EAAE,MAAM,CAAC;CACZ;AAED;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,sBAAsB,GAClC,MAAM,wBAAwB,EAC9B,SAAS;IAAC,UAAU,EAAE,MAAM,GAAG,IAAI,CAAA;CAAC,KAClC,OAAO,CAAC,eAAe,CAwBzB,CAAC;AAEF;;;;;;GAMG;AACH,eAAO,MAAM,4BAA4B,GACxC,MAAM,gBAAgB,EACtB,SAAS,qBAAqB,KAC5B,KAAK,CAAC,SAAS,CAyHjB,CAAC"}
+{"version":3,"file":"bootstrap_routes.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/bootstrap_routes.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AACtB,OAAO,KAAK,EAAC,OAAO,EAAC,MAAM,MAAM,CAAC;AAClC,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAEpD,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,qBAAqB,CAAC;AAExD,OAAO,EAAoB,KAAK,uBAAuB,EAAC,MAAM,wBAAwB,CAAC;AAGvF,OAAO,KAAK,EAAC,EAAE,EAAC,MAAM,aAAa,CAAC;AACpC,OAAO,EAAkB,KAAK,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAEtE,OAAO,EAA+B,KAAK,WAAW,EAAC,MAAM,oBAAoB,CAAC;AAClF,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,WAAW,CAAC;AAChD,OAAO,KAAK,EAAC,UAAU,EAAC,MAAM,oBAAoB,CAAC;AAanD,gFAAgF;AAChF,eAAO,MAAM,cAAc;;;;kBAIzB,CAAC;AACH,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,cAAc,CAAC,CAAC;AAE5D,iFAAiF;AACjF,eAAO,MAAM,eAAe;;;kBAG1B,CAAC;AACH,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,eAAe,CAAC,CAAC;AAE9D;;GAEG;AACH,MAAM,WAAW,eAAe;IAC/B,SAAS,EAAE,OAAO,CAAC;IACnB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;CAC1B;AAED;;;;;GAKG;AACH,MAAM,WAAW,qBAAqB;IACrC,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,8EAA8E;IAC9E,gBAAgB,EAAE,eAAe,CAAC;IAClC;;;OAGG;IACH,YAAY,CAAC,EAAE,CAAC,MAAM,EAAE,uBAAuB,EAAE,CAAC,EAAE,OAAO,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IAC9E,4EAA4E;IAC5E,eAAe,EAAE,WAAW,GAAG,IAAI,CAAC;CACpC;AAED;;GAEG;AACH,MAAM,WAAW,wBAAwB;IACxC,IAAI,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC,CAAC;IACnD,EAAE,EAAE,EAAE,CAAC;IACP,GAAG,EAAE,MAAM,CAAC;CACZ;AAED;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,sBAAsB,GAClC,MAAM,wBAAwB,EAC9B,SAAS;IAAC,UAAU,EAAE,MAAM,GAAG,IAAI,CAAA;CAAC,KAClC,OAAO,CAAC,eAAe,CAwBzB,CAAC;AAEF;;;;;;GAMG;AACH,eAAO,MAAM,4BAA4B,GACxC,MAAM,gBAAgB,EACtB,SAAS,qBAAqB,KAC5B,KAAK,CAAC,SAAS,CAuHjB,CAAC"}

package/dist/auth/bootstrap_routes.js

@@ -67,7 +67,7 @@ export const check_bootstrap_status = async (deps, options) => {
  * @returns route specs (not yet applied to Hono)
  */
 export const create_bootstrap_route_specs = (deps, options) => {
-    const { keyring, on_audit_event } = deps;
+    const { keyring } = deps;
     const { session_options, bootstrap_status, on_bootstrap, ip_rate_limiter } = options;
     const { token_path } = bootstrap_status;
     return [
@@ -123,7 +123,7 @@ export const create_bootstrap_route_specs = (deps, options) => {
                         outcome: 'failure',
                         ip: get_client_ip(c),
                         metadata: { error: result.error },
-                    }, deps.log, on_audit_event);
+                    }, deps);
                     return c.json({ error: result.error }, result.status);
                 }
                 // Successful bootstrap — update state immediately
@@ -150,7 +150,7 @@ export const create_bootstrap_route_specs = (deps, options) => {
                     actor_id: result.actor.id,
                     account_id: result.account.id,
                     ip: get_client_ip(c),
-                }, deps.log, on_audit_event);
+                }, deps);
                 // CRITICAL: If token file deletion failed, throw to force operator attention.
                 // All success work (session, on_bootstrap, audit) has completed above.
                 // The error response alerts the operator to delete the token file manually.

package/dist/auth/cleanup.d.ts

@@ -20,7 +20,7 @@
  */
 import type { Logger } from '@fuzdev/fuz_util/log.js';
 import type { QueryDeps } from '../db/query_deps.js';
-import type { AuditLogEvent } from './audit_log_schema.js';
+import type { AuditLogConfig, AuditLogEvent } from './audit_log_schema.js';
 /** Dependencies for the cleanup helpers. */
 export interface AuthCleanupDeps extends QueryDeps {
     log: Logger;
@@ -30,6 +30,14 @@ export interface AuthCleanupDeps extends QueryDeps {
      * to skip broadcast — the audit rows still land in the DB.
      */
     on_audit_event?: ((event: AuditLogEvent) => void) | null;
+    /**
+     * Audit-log config. Only the builtin `permit_offer_expire` event type is
+     * emitted here, so omitting this is safe — the field exists so consumers
+     * threading the same `AppDeps` bundle to scheduled cleanup keep using
+     * their registered config (and consumer extensions to the
+     * `permit_offer_expire` metadata schema get validated).
+     */
+    audit_log_config?: AuditLogConfig;
 }
 /** Result of `run_auth_cleanup`. */
 export interface AuthCleanupResult {

package/dist/auth/cleanup.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"cleanup.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/cleanup.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAEH,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAEpD,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,qBAAqB,CAAC;AAInD,OAAO,KAAK,EAAC,aAAa,EAAC,MAAM,uBAAuB,CAAC;AAEzD,4CAA4C;AAC5C,MAAM,WAAW,eAAgB,SAAQ,SAAS;IACjD,GAAG,EAAE,MAAM,CAAC;IACZ;;;;OAIG;IACH,cAAc,CAAC,EAAE,CAAC,CAAC,KAAK,EAAE,aAAa,KAAK,IAAI,CAAC,GAAG,IAAI,CAAC;CACzD;AAED,oCAAoC;AACpC,MAAM,WAAW,iBAAiB;IACjC,8CAA8C;IAC9C,gBAAgB,EAAE,MAAM,CAAC;IACzB,yDAAyD;IACzD,cAAc,EAAE,MAAM,CAAC;CACvB;AAED;;;;;;;;;GASG;AACH,eAAO,MAAM,6BAA6B,GAAU,MAAM,eAAe,KAAG,OAAO,CAAC,MAAM,CA6BzF,CAAC;AAEF;;;;;;;;;GASG;AACH,eAAO,MAAM,gBAAgB,GAAU,MAAM,eAAe,KAAG,OAAO,CAAC,iBAAiB,CAIvF,CAAC"}
+{"version":3,"file":"cleanup.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/cleanup.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAEH,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAEpD,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,qBAAqB,CAAC;AAInD,OAAO,KAAK,EAAC,cAAc,EAAE,aAAa,EAAC,MAAM,uBAAuB,CAAC;AAEzE,4CAA4C;AAC5C,MAAM,WAAW,eAAgB,SAAQ,SAAS;IACjD,GAAG,EAAE,MAAM,CAAC;IACZ;;;;OAIG;IACH,cAAc,CAAC,EAAE,CAAC,CAAC,KAAK,EAAE,aAAa,KAAK,IAAI,CAAC,GAAG,IAAI,CAAC;IACzD;;;;;;OAMG;IACH,gBAAgB,CAAC,EAAE,cAAc,CAAC;CAClC;AAED,oCAAoC;AACpC,MAAM,WAAW,iBAAiB;IACjC,8CAA8C;IAC9C,gBAAgB,EAAE,MAAM,CAAC;IACzB,yDAAyD;IACzD,cAAc,EAAE,MAAM,CAAC;CACvB;AAED;;;;;;;;;GASG;AACH,eAAO,MAAM,6BAA6B,GAAU,MAAM,eAAe,KAAG,OAAO,CAAC,MAAM,CAiCzF,CAAC;AAEF;;;;;;;;;GASG;AACH,eAAO,MAAM,gBAAgB,GAAU,MAAM,eAAe,KAAG,OAAO,CAAC,iBAAiB,CAIvF,CAAC"}

package/dist/auth/cleanup.js

@@ -33,7 +33,7 @@ import { query_audit_log } from './audit_log_queries.js';
  */
 export const cleanup_expired_permit_offers = async (deps) => {
     const expired = await query_permit_offer_sweep_expired(deps);
-    const { on_audit_event } = deps;
+    const { on_audit_event, audit_log_config } = deps;
     for (const offer of expired) {
         try {
             const event = await query_audit_log(deps, {
@@ -46,7 +46,7 @@ export const cleanup_expired_permit_offers = async (deps) => {
                     role: offer.role,
                     scope_id: offer.scope_id,
                 },
-            });
+            }, audit_log_config);
             if (on_audit_event) {
                 try {
                     on_audit_event(event);

package/dist/auth/deps.d.ts

@@ -12,7 +12,7 @@ import type { Keyring } from './keyring.js';
 import type { PasswordHashDeps } from './password.js';
 import type { Db } from '../db/db.js';
 import type { StatResult } from '../runtime/deps.js';
-import type { AuditLogEvent } from './audit_log_schema.js';
+import type { AuditLogConfig, AuditLogEvent } from './audit_log_schema.js';
 /**
  * Stateless capabilities bundle for fuz_app backends.
  *
@@ -41,6 +41,18 @@ export interface AppDeps {
      * Defaults to a noop when not wired to SSE.
      */
     on_audit_event: (event: AuditLogEvent) => void;
+    /**
+     * Audit-log config for `audit_log_fire_and_forget` and `query_audit_log`.
+     * Built once at startup via `create_audit_log_config({extra_events})` to
+     * register consumer event types. Optional — defaults to
+     * `BUILTIN_AUDIT_LOG_CONFIG` when absent.
+     *
+     * Threaded through `AppDeps` (instead of a per-call positional arg) so
+     * consumer handlers cannot silently fall back to the builtin config by
+     * forgetting to pass theirs — the deps bundle carries it everywhere
+     * fuz_app emits an audit event.
+     */
+    audit_log_config?: AuditLogConfig;
 }
 /**
  * Capabilities for route spec factories.

package/dist/auth/deps.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"deps.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/deps.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAEpD,OAAO,KAAK,EAAC,OAAO,EAAC,MAAM,cAAc,CAAC;AAC1C,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,eAAe,CAAC;AACpD,OAAO,KAAK,EAAC,EAAE,EAAC,MAAM,aAAa,CAAC;AACpC,OAAO,KAAK,EAAC,UAAU,EAAC,MAAM,oBAAoB,CAAC;AACnD,OAAO,KAAK,EAAC,aAAa,EAAC,MAAM,uBAAuB,CAAC;AAEzD;;;;;GAKG;AACH,MAAM,WAAW,OAAO;IACvB,+DAA+D;IAC/D,IAAI,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC,CAAC;IACnD,2BAA2B;IAC3B,cAAc,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;IAClD,qBAAqB;IACrB,WAAW,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IAC7C,0CAA0C;IAC1C,OAAO,EAAE,OAAO,CAAC;IACjB,6EAA6E;IAC7E,QAAQ,EAAE,gBAAgB,CAAC;IAC3B,yBAAyB;IACzB,EAAE,EAAE,EAAE,CAAC;IACP,kCAAkC;IAClC,GAAG,EAAE,MAAM,CAAC;IACZ;;;;;OAKG;IACH,cAAc,EAAE,CAAC,KAAK,EAAE,aAAa,KAAK,IAAI,CAAC;CAC/C;AAED;;;;;GAKG;AACH,MAAM,MAAM,gBAAgB,GAAG,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC"}
+{"version":3,"file":"deps.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/deps.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAEpD,OAAO,KAAK,EAAC,OAAO,EAAC,MAAM,cAAc,CAAC;AAC1C,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,eAAe,CAAC;AACpD,OAAO,KAAK,EAAC,EAAE,EAAC,MAAM,aAAa,CAAC;AACpC,OAAO,KAAK,EAAC,UAAU,EAAC,MAAM,oBAAoB,CAAC;AACnD,OAAO,KAAK,EAAC,cAAc,EAAE,aAAa,EAAC,MAAM,uBAAuB,CAAC;AAEzE;;;;;GAKG;AACH,MAAM,WAAW,OAAO;IACvB,+DAA+D;IAC/D,IAAI,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC,CAAC;IACnD,2BAA2B;IAC3B,cAAc,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;IAClD,qBAAqB;IACrB,WAAW,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IAC7C,0CAA0C;IAC1C,OAAO,EAAE,OAAO,CAAC;IACjB,6EAA6E;IAC7E,QAAQ,EAAE,gBAAgB,CAAC;IAC3B,yBAAyB;IACzB,EAAE,EAAE,EAAE,CAAC;IACP,kCAAkC;IAClC,GAAG,EAAE,MAAM,CAAC;IACZ;;;;;OAKG;IACH,cAAc,EAAE,CAAC,KAAK,EAAE,aAAa,KAAK,IAAI,CAAC;IAC/C;;;;;;;;;;OAUG;IACH,gBAAgB,CAAC,EAAE,cAAc,CAAC;CAClC;AAED;;;;;GAKG;AACH,MAAM,MAAM,gBAAgB,GAAG,IAAI,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC"}

package/dist/auth/permit_offer_actions.d.ts

@@ -72,6 +72,20 @@ export interface PermitOfferActionOptions {
      */
     authorize?: PermitOfferCreateAuthorize;
 }
+/**
+ * Authorization callback that admits any admin and otherwise falls back to
+ * the symmetric default (caller must hold the offered role globally).
+ *
+ * The `web_grantable` filter in `create_handler` runs **before** the
+ * `authorize` callback, so this never sees non-web-grantable roles. Drop
+ * into `create_permit_offer_actions({authorize: authorize_admin_or_holder})`
+ * (or any factory that forwards `authorize`, e.g. `create_standard_rpc_actions`)
+ * for the common "admins offer anything; users offer what they hold"
+ * pattern. Scope-aware policies (e.g. classroom_teacher offering
+ * classroom_student in their own scope) wrap this and short-circuit `true`
+ * before delegating.
+ */
+export declare const authorize_admin_or_holder: PermitOfferCreateAuthorize;
 /**
  * Dependencies for `create_permit_offer_actions`.
  *
@@ -80,7 +94,7 @@ export interface PermitOfferActionOptions {
  * directly (the transport's `send_to_account` signature accepts the broader
  * `JsonrpcMessageFromServerToClient`, which is contravariantly compatible).
  */
-export interface PermitOfferActionDeps extends Pick<RouteFactoryDeps, 'log' | 'on_audit_event'> {
+export interface PermitOfferActionDeps extends Pick<RouteFactoryDeps, 'log' | 'on_audit_event' | 'audit_log_config'> {
     /** Optional WS fan-out primitive. `null` or absent → notifications skipped. */
     notification_sender?: NotificationSender | null;
 }
@@ -88,7 +102,7 @@ export interface PermitOfferActionDeps extends Pick<RouteFactoryDeps, 'log' | 'o
  * Create the seven permit-offer RPC actions (six offer-lifecycle methods
  * plus `permit_revoke`).
  *
- * @param deps - stateless capabilities; needs `log` and `on_audit_event`; optional `notification_sender` for WS fan-out
+ * @param deps - `PermitOfferActionDeps` — `log`, `on_audit_event`, optional `audit_log_config` (slice of `AppDeps`); optional `notification_sender` for WS fan-out
  * @param options - role schema, default TTL, authorization override
  * @returns the `RpcAction` array to spread into a `create_rpc_endpoint` call
  */

package/dist/auth/permit_offer_actions.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"permit_offer_actions.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/permit_offer_actions.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAqCG;AAEH,OAAO,EAAa,KAAK,aAAa,EAAE,KAAK,SAAS,EAAC,MAAM,0BAA0B,CAAC;AAGxF,OAAO,EAAmC,KAAK,gBAAgB,EAAC,MAAM,kBAAkB,CAAC;AAsBzF,OAAO,EAAW,KAAK,cAAc,EAAC,MAAM,sBAAsB,CAAC;AACnE,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,WAAW,CAAC;AAChD,OAAO,EAON,KAAK,kBAAkB,EACvB,MAAM,iCAAiC,CAAC;AAmCzC;;;;;;;;GAQG;AACH,MAAM,MAAM,0BAA0B,GAAG,CACxC,IAAI,EAAE,cAAc,EACpB,KAAK,EAAE;IAAC,aAAa,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAA;CAAC,EACrE,IAAI,EAAE,IAAI,CAAC,gBAAgB,EAAE,KAAK,CAAC,EACnC,GAAG,EAAE,aAAa,KACd,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;AAEhC,iDAAiD;AACjD,MAAM,WAAW,wBAAwB;IACxC;;;OAGG;IACH,KAAK,CAAC,EAAE,gBAAgB,CAAC;IACzB,sFAAsF;IACtF,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB;;;;;OAKG;IACH,SAAS,CAAC,EAAE,0BAA0B,CAAC;CACvC;AAqCD;;;;;;;GAOG;AACH,MAAM,WAAW,qBAAsB,SAAQ,IAAI,CAAC,gBAAgB,EAAE,KAAK,GAAG,gBAAgB,CAAC;IAC9F,+EAA+E;IAC/E,mBAAmB,CAAC,EAAE,kBAAkB,GAAG,IAAI,CAAC;CAChD;AAED;;;;;;;GAOG;AACH,eAAO,MAAM,2BAA2B,GACvC,MAAM,qBAAqB,EAC3B,UAAS,wBAA6B,KACpC,KAAK,CAAC,SAAS,CA8djB,CAAC"}
+{"version":3,"file":"permit_offer_actions.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/permit_offer_actions.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAqCG;AAEH,OAAO,EAAa,KAAK,aAAa,EAAE,KAAK,SAAS,EAAC,MAAM,0BAA0B,CAAC;AAGxF,OAAO,EAAmC,KAAK,gBAAgB,EAAC,MAAM,kBAAkB,CAAC;AAsBzF,OAAO,EAAW,KAAK,cAAc,EAAC,MAAM,sBAAsB,CAAC;AACnE,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,WAAW,CAAC;AAChD,OAAO,EAON,KAAK,kBAAkB,EACvB,MAAM,iCAAiC,CAAC;AAmCzC;;;;;;;;GAQG;AACH,MAAM,MAAM,0BAA0B,GAAG,CACxC,IAAI,EAAE,cAAc,EACpB,KAAK,EAAE;IAAC,aAAa,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,MAAM,CAAC;IAAC,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAA;CAAC,EACrE,IAAI,EAAE,IAAI,CAAC,gBAAgB,EAAE,KAAK,CAAC,EACnC,GAAG,EAAE,aAAa,KACd,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,CAAC;AAEhC,iDAAiD;AACjD,MAAM,WAAW,wBAAwB;IACxC;;;OAGG;IACH,KAAK,CAAC,EAAE,gBAAgB,CAAC;IACzB,sFAAsF;IACtF,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB;;;;;OAKG;IACH,SAAS,CAAC,EAAE,0BAA0B,CAAC;CACvC;AAyBD;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,yBAAyB,EAAE,0BAQvC,CAAC;AAcF;;;;;;;GAOG;AACH,MAAM,WAAW,qBAAsB,SAAQ,IAAI,CAClD,gBAAgB,EAChB,KAAK,GAAG,gBAAgB,GAAG,kBAAkB,CAC7C;IACA,+EAA+E;IAC/E,mBAAmB,CAAC,EAAE,kBAAkB,GAAG,IAAI,CAAC;CAChD;AAED;;;;;;;GAOG;AACH,eAAO,MAAM,2BAA2B,GACvC,MAAM,qBAAqB,EAC3B,UAAS,wBAA6B,KACpC,KAAK,CAAC,SAAS,CAudjB,CAAC"}

package/dist/auth/permit_offer_actions.js

@@ -66,6 +66,24 @@ const default_authorize = async (auth, input, _deps, ctx) => {
     // check — the scope-aware "only in this classroom" policy is consumer-level.
     return query_permit_has_role(ctx, auth.actor.id, input.role);
 };
+/**
+ * Authorization callback that admits any admin and otherwise falls back to
+ * the symmetric default (caller must hold the offered role globally).
+ *
+ * The `web_grantable` filter in `create_handler` runs **before** the
+ * `authorize` callback, so this never sees non-web-grantable roles. Drop
+ * into `create_permit_offer_actions({authorize: authorize_admin_or_holder})`
+ * (or any factory that forwards `authorize`, e.g. `create_standard_rpc_actions`)
+ * for the common "admins offer anything; users offer what they hold"
+ * pattern. Scope-aware policies (e.g. classroom_teacher offering
+ * classroom_student in their own scope) wrap this and short-circuit `true`
+ * before delegating.
+ */
+export const authorize_admin_or_holder = async (auth, input, _deps, ctx) => {
+    if (has_role(auth, ROLE_ADMIN))
+        return true;
+    return query_permit_has_role(ctx, auth.actor.id, input.role);
+};
 /**
  * Narrow `ctx.auth` to non-null. The RPC dispatcher has already enforced
  * `auth: 'authenticated'` before the handler runs — this is a type narrow,
@@ -80,7 +98,7 @@ const require_request_auth = (auth) => {
  * Create the seven permit-offer RPC actions (six offer-lifecycle methods
  * plus `permit_revoke`).
  *
- * @param deps - stateless capabilities; needs `log` and `on_audit_event`; optional `notification_sender` for WS fan-out
+ * @param deps - `PermitOfferActionDeps` — `log`, `on_audit_event`, optional `audit_log_config` (slice of `AppDeps`); optional `notification_sender` for WS fan-out
  * @param options - role schema, default TTL, authorization override
  * @returns the `RpcAction` array to spread into a `create_rpc_endpoint` call
  */
@@ -104,7 +122,7 @@ export const create_permit_offer_actions = (deps, options = {}) => {
                 scope_id: input.scope_id ?? null,
                 to_account_id: input.to_account_id,
             },
-        }, log, on_audit_event);
+        }, deps);
     };
     // Returns {offer} only — no auto-accept. Recipient must call
     // permit_offer_accept; admin tests materialize permits via
@@ -162,7 +180,7 @@ export const create_permit_offer_actions = (deps, options = {}) => {
                 scope_id: offer.scope_id,
                 to_account_id: offer.to_account_id,
             },
-        }, log, on_audit_event);
+        }, deps);
         const offer_json = to_permit_offer_json(offer);
         if (notification_sender) {
             emit_after_commit(ctx, () => {
@@ -258,7 +276,7 @@ export const create_permit_offer_actions = (deps, options = {}) => {
                 scope_id: declined.scope_id,
                 reason: input.reason ?? undefined,
             },
-        }, log, on_audit_event);
+        }, deps);
         if (notification_sender) {
             // Look up the grantor's account (SELECT by PK, same tx) for the
             // notification target. The decline reason rides along on
@@ -299,7 +317,7 @@ export const create_permit_offer_actions = (deps, options = {}) => {
                 role: retracted.role,
                 scope_id: retracted.scope_id,
             },
-        }, log, on_audit_event);
+        }, deps);
         if (notification_sender) {
             const offer_json = to_permit_offer_json(retracted);
             emit_after_commit(ctx, () => {
@@ -355,7 +373,7 @@ export const create_permit_offer_actions = (deps, options = {}) => {
                 target_account_id,
                 ip: ctx.client_ip,
                 metadata: { role: permit_row.role, permit_id: input.permit_id },
-            }, log, on_audit_event);
+            }, deps);
             throw jsonrpc_errors.forbidden('role not web-grantable', {
                 reason: ERROR_ROLE_NOT_WEB_GRANTABLE,
             });
@@ -378,7 +396,7 @@ export const create_permit_offer_actions = (deps, options = {}) => {
                 scope_id: result.scope_id,
                 reason: input.reason ?? undefined,
             },
-        }, log, on_audit_event);
+        }, deps);
         for (const offer of result.superseded_offers) {
             void audit_log_fire_and_forget(ctx, {
                 event_type: 'permit_offer_supersede',
@@ -392,7 +410,7 @@ export const create_permit_offer_actions = (deps, options = {}) => {
                     reason: 'permit_revoked',
                     cause_id: result.id,
                 },
-            }, log, on_audit_event);
+            }, deps);
         }
         if (notification_sender) {
             const superseded = result.superseded_offers.map((o) => ({

package/dist/auth/role_schema.d.ts

@@ -35,7 +35,16 @@ export interface RoleOptions {
     /** If true, admins can grant this role via the web UI. Default `true`. */
     web_grantable?: boolean;
 }
-/** Builtin role configs. Not overridable by consumers. */
+/**
+ * Builtin role configs. Not overridable by consumers.
+ *
+ * Typed `ReadonlyMap` for the contract — but JS Maps don't honor
+ * `Object.freeze` for `.set` / `.delete` / `.clear` (they mutate internal
+ * slots, not own properties), so freeze adds no runtime guard here. Read
+ * once at startup by `create_role_schema` and the admin / permit-offer
+ * action factories; runtime mutation has no effect on already-built role
+ * schemas.
+ */
 export declare const BUILTIN_ROLE_OPTIONS: ReadonlyMap<string, Required<RoleOptions>>;
 /** The result of `create_role_schema` — a Zod schema and config map for all roles. */
 export interface RoleSchemaResult {

package/dist/auth/role_schema.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"role_schema.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/role_schema.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAEtB,0FAA0F;AAC1F,eAAO,MAAM,QAAQ,aAKnB,CAAC;AACH,MAAM,MAAM,QAAQ,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,QAAQ,CAAC,CAAC;AAIhD,sFAAsF;AACtF,eAAO,MAAM,WAAW,WAAW,CAAC;AAEpC,+EAA+E;AAC/E,eAAO,MAAM,UAAU,UAAU,CAAC;AAElC,+CAA+C;AAC/C,eAAO,MAAM,aAAa,8BAAqC,CAAC;AAEhE,yCAAyC;AACzC,eAAO,MAAM,WAAW;;;EAAwB,CAAC;AACjD,MAAM,MAAM,WAAW,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,WAAW,CAAC,CAAC;AAItD;;;;;GAKG;AACH,MAAM,WAAW,WAAW;IAC3B,iGAAiG;IACjG,qBAAqB,CAAC,EAAE,OAAO,CAAC;IAChC,0EAA0E;IAC1E,aAAa,CAAC,EAAE,OAAO,CAAC;CACxB;AAED,0DAA0D;AAC1D,eAAO,MAAM,oBAAoB,EAAE,WAAW,CAAC,MAAM,EAAE,QAAQ,CAAC,WAAW,CAAC,CAG1E,CAAC;AAEH,sFAAsF;AACtF,MAAM,WAAW,gBAAgB;IAChC,sGAAsG;IACtG,IAAI,EAAE,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IACxB,2EAA2E;IAC3E,YAAY,EAAE,WAAW,CAAC,MAAM,EAAE,QAAQ,CAAC,WAAW,CAAC,CAAC,CAAC;CACzD;AAED;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,eAAO,MAAM,kBAAkB,GAAI,CAAC,SAAS,MAAM,EAClD,WAAW,MAAM,CAAC,CAAC,EAAE,WAAW,CAAC,KAC/B,gBAwBF,CAAC"}
+{"version":3,"file":"role_schema.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/role_schema.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAEtB,0FAA0F;AAC1F,eAAO,MAAM,QAAQ,aAKnB,CAAC;AACH,MAAM,MAAM,QAAQ,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,QAAQ,CAAC,CAAC;AAIhD,sFAAsF;AACtF,eAAO,MAAM,WAAW,WAAW,CAAC;AAEpC,+EAA+E;AAC/E,eAAO,MAAM,UAAU,UAAU,CAAC;AAElC,+CAA+C;AAC/C,eAAO,MAAM,aAAa,8BAAqC,CAAC;AAEhE,yCAAyC;AACzC,eAAO,MAAM,WAAW;;;EAAwB,CAAC;AACjD,MAAM,MAAM,WAAW,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,WAAW,CAAC,CAAC;AAItD;;;;;GAKG;AACH,MAAM,WAAW,WAAW;IAC3B,iGAAiG;IACjG,qBAAqB,CAAC,EAAE,OAAO,CAAC;IAChC,0EAA0E;IAC1E,aAAa,CAAC,EAAE,OAAO,CAAC;CACxB;AAED;;;;;;;;;GASG;AACH,eAAO,MAAM,oBAAoB,EAAE,WAAW,CAAC,MAAM,EAAE,QAAQ,CAAC,WAAW,CAAC,CAG1E,CAAC;AAEH,sFAAsF;AACtF,MAAM,WAAW,gBAAgB;IAChC,sGAAsG;IACtG,IAAI,EAAE,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IACxB,2EAA2E;IAC3E,YAAY,EAAE,WAAW,CAAC,MAAM,EAAE,QAAQ,CAAC,WAAW,CAAC,CAAC,CAAC;CACzD;AAED;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,eAAO,MAAM,kBAAkB,GAAI,CAAC,SAAS,MAAM,EAClD,WAAW,MAAM,CAAC,CAAC,EAAE,WAAW,CAAC,KAC/B,gBAwBF,CAAC"}

package/dist/auth/role_schema.js

@@ -21,7 +21,16 @@ export const ROLE_ADMIN = 'admin';
 export const BUILTIN_ROLES = [ROLE_KEEPER, ROLE_ADMIN];
 /** Zod schema for builtin roles only. */
 export const BuiltinRole = z.enum(BUILTIN_ROLES);
-/** Builtin role configs. Not overridable by consumers. */
+/**
+ * Builtin role configs. Not overridable by consumers.
+ *
+ * Typed `ReadonlyMap` for the contract — but JS Maps don't honor
+ * `Object.freeze` for `.set` / `.delete` / `.clear` (they mutate internal
+ * slots, not own properties), so freeze adds no runtime guard here. Read
+ * once at startup by `create_role_schema` and the admin / permit-offer
+ * action factories; runtime mutation has no effect on already-built role
+ * schemas.
+ */
 export const BUILTIN_ROLE_OPTIONS = new Map([
     [ROLE_KEEPER, { requires_daemon_token: true, web_grantable: false }],
     [ROLE_ADMIN, { requires_daemon_token: false, web_grantable: true }],

package/dist/auth/self_service_role_actions.d.ts

@@ -0,0 +1,136 @@
+/**
+ * Self-service role grant/revoke RPC actions.
+ *
+ * Two static `request_response` actions — `self_service_role_grant` and
+ * `self_service_role_revoke` — that take `{role}` as input and toggle a
+ * permit on the caller for an allowlisted role. Idempotent in both
+ * directions: re-granting an already-held role returns `granted: false`;
+ * revoking a role the caller doesn't hold returns `revoked: false`.
+ *
+ * The factory takes an `eligible_roles` allowlist (validated against the
+ * supplied `roles.role_options` at factory time so typos surface at startup
+ * instead of at first call). Roles outside the allowlist are rejected
+ * with `forbidden` + reason `role_not_self_service_eligible`.
+ *
+ * Audit metadata carries `self_service: true` so admin reviewers can
+ * distinguish self-toggled permits from admin grants/offers. The
+ * `permit_grant` / `permit_revoke` metadata schemas declare
+ * `self_service: z.boolean().optional()` explicitly, so the field is
+ * part of the documented schema surface and is round-trip-validated by
+ * `query_audit_log`.
+ *
+ * Static method names — `role` lives in the input, not the method name —
+ * so specs are codegen-compatible (`satisfies RequestResponseActionSpec`)
+ * and the surface stays constant as consumers add eligible roles. Mirrors
+ * the existing `permit_offer_create({role})` precedent rather than
+ * generating per-role methods.
+ *
+ * @module
+ */
+import { z } from 'zod';
+import { type RpcAction } from '../actions/action_rpc.js';
+import type { RequestResponseActionSpec } from '../actions/action_spec.js';
+import { type RoleSchemaResult } from './role_schema.js';
+import type { RouteFactoryDeps } from './deps.js';
+/** Error reason — caller asked to self-toggle a role outside the configured allowlist. */
+export declare const ERROR_ROLE_NOT_SELF_SERVICE_ELIGIBLE: "role_not_self_service_eligible";
+/** Input for `self_service_role_grant`. */
+export declare const SelfServiceRoleGrantInput: z.ZodObject<{
+    role: z.ZodString;
+}, z.core.$strict>;
+export type SelfServiceRoleGrantInput = z.infer<typeof SelfServiceRoleGrantInput>;
+/**
+ * Output for `self_service_role_grant`. `granted` is `false` on idempotent
+ * re-grant (caller already held the role globally); `permit_id` is set on
+ * new grants only.
+ */
+export declare const SelfServiceRoleGrantOutput: z.ZodObject<{
+    ok: z.ZodLiteral<true>;
+    granted: z.ZodBoolean;
+    permit_id: z.ZodOptional<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+}, z.core.$strict>;
+export type SelfServiceRoleGrantOutput = z.infer<typeof SelfServiceRoleGrantOutput>;
+/** Input for `self_service_role_revoke`. */
+export declare const SelfServiceRoleRevokeInput: z.ZodObject<{
+    role: z.ZodString;
+}, z.core.$strict>;
+export type SelfServiceRoleRevokeInput = z.infer<typeof SelfServiceRoleRevokeInput>;
+/**
+ * Output for `self_service_role_revoke`. `revoked` is `false` when the
+ * caller held no active global permit for the role (idempotent).
+ */
+export declare const SelfServiceRoleRevokeOutput: z.ZodObject<{
+    ok: z.ZodLiteral<true>;
+    revoked: z.ZodBoolean;
+}, z.core.$strict>;
+export type SelfServiceRoleRevokeOutput = z.infer<typeof SelfServiceRoleRevokeOutput>;
+export declare const self_service_role_grant_action_spec: {
+    method: string;
+    kind: "request_response";
+    initiator: "frontend";
+    auth: "authenticated";
+    side_effects: true;
+    input: z.ZodObject<{
+        role: z.ZodString;
+    }, z.core.$strict>;
+    output: z.ZodObject<{
+        ok: z.ZodLiteral<true>;
+        granted: z.ZodBoolean;
+        permit_id: z.ZodOptional<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+    }, z.core.$strict>;
+    async: true;
+    description: string;
+};
+export declare const self_service_role_revoke_action_spec: {
+    method: string;
+    kind: "request_response";
+    initiator: "frontend";
+    auth: "authenticated";
+    side_effects: true;
+    input: z.ZodObject<{
+        role: z.ZodString;
+    }, z.core.$strict>;
+    output: z.ZodObject<{
+        ok: z.ZodLiteral<true>;
+        revoked: z.ZodBoolean;
+    }, z.core.$strict>;
+    async: true;
+    description: string;
+};
+/**
+ * All self-service role action specs — a codegen-ready registry. Method
+ * names are static, so consumer typed-client codegen picks them up the
+ * same way it picks up `account_*_action_specs`.
+ */
+export declare const all_self_service_role_action_specs: Array<RequestResponseActionSpec>;
+/** Options for `create_self_service_role_actions`. */
+export interface SelfServiceRoleActionsOptions {
+    /**
+     * Allowlist of role strings eligible for self-service. Empty array
+     * effectively disables the surface — every call comes back as
+     * `forbidden` with reason `role_not_self_service_eligible`.
+     */
+    eligible_roles: ReadonlyArray<string>;
+    /**
+     * Optional role schema. When supplied, `eligible_roles` entries are
+     * checked against `roles.role_options` at factory time so typos throw
+     * at startup instead of at first call.
+     */
+    roles?: RoleSchemaResult;
+}
+/**
+ * Dependencies for `create_self_service_role_actions`. Same shape as the
+ * peer factories so consumers thread one deps object through all three.
+ * `audit_log_config` flows from `AppDeps` and is consumed by
+ * `audit_log_fire_and_forget`.
+ */
+export type SelfServiceRoleActionDeps = Pick<RouteFactoryDeps, 'log' | 'on_audit_event' | 'audit_log_config'>;
+/**
+ * Build the self-service role grant/revoke RPC actions.
+ *
+ * @param deps - `SelfServiceRoleActionDeps` slice of `AppDeps` (`log`, `on_audit_event`, optional `audit_log_config`)
+ * @param options - eligible-role allowlist plus optional role schema for typo-checking
+ * @returns the `RpcAction` array to spread into a `create_rpc_endpoint` call
+ */
+export declare const create_self_service_role_actions: (deps: SelfServiceRoleActionDeps, options: SelfServiceRoleActionsOptions) => Array<RpcAction>;
+//# sourceMappingURL=self_service_role_actions.d.ts.map

package/dist/auth/self_service_role_actions.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"self_service_role_actions.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/self_service_role_actions.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4BG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAEtB,OAAO,EAAiC,KAAK,SAAS,EAAC,MAAM,0BAA0B,CAAC;AAExF,OAAO,KAAK,EAAC,yBAAyB,EAAC,MAAM,2BAA2B,CAAC;AAEzE,OAAO,EAAW,KAAK,gBAAgB,EAAC,MAAM,kBAAkB,CAAC;AACjE,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,WAAW,CAAC;AAUhD,0FAA0F;AAC1F,eAAO,MAAM,oCAAoC,EAAG,gCAAyC,CAAC;AAI9F,2CAA2C;AAC3C,eAAO,MAAM,yBAAyB;;kBAEpC,CAAC;AACH,MAAM,MAAM,yBAAyB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,yBAAyB,CAAC,CAAC;AAElF;;;;GAIG;AACH,eAAO,MAAM,0BAA0B;;;;kBAIrC,CAAC;AACH,MAAM,MAAM,0BAA0B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,0BAA0B,CAAC,CAAC;AAEpF,4CAA4C;AAC5C,eAAO,MAAM,0BAA0B;;kBAErC,CAAC;AACH,MAAM,MAAM,0BAA0B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,0BAA0B,CAAC,CAAC;AAEpF;;;GAGG;AACH,eAAO,MAAM,2BAA2B;;;kBAGtC,CAAC;AACH,MAAM,MAAM,2BAA2B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,2BAA2B,CAAC,CAAC;AAItF,eAAO,MAAM,mCAAmC;;;;;;;;;;;;;;;;CAWX,CAAC;AAEtC,eAAO,MAAM,oCAAoC;;;;;;;;;;;;;;;CAWZ,CAAC;AAEtC;;;;GAIG;AACH,eAAO,MAAM,kCAAkC,EAAE,KAAK,CAAC,yBAAyB,CAG/E,CAAC;AAIF,sDAAsD;AACtD,MAAM,WAAW,6BAA6B;IAC7C;;;;OAIG;IACH,cAAc,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IACtC;;;;OAIG;IACH,KAAK,CAAC,EAAE,gBAAgB,CAAC;CACzB;AAED;;;;;GAKG;AACH,MAAM,MAAM,yBAAyB,GAAG,IAAI,CAC3C,gBAAgB,EAChB,KAAK,GAAG,gBAAgB,GAAG,kBAAkB,CAC7C,CAAC;AAOF;;;;;;GAMG;AACH,eAAO,MAAM,gCAAgC,GAC5C,MAAM,yBAAyB,EAC/B,SAAS,6BAA6B,KACpC,KAAK,CAAC,SAAS,CAqHjB,CAAC"}