@fuzdev/fuz_app 0.39.0 → 0.40.0

package/dist/auth/permit_offer_actions.js

@@ -66,6 +66,24 @@ const default_authorize = async (auth, input, _deps, ctx) => {
     // check — the scope-aware "only in this classroom" policy is consumer-level.
     return query_permit_has_role(ctx, auth.actor.id, input.role);
 };
+/**
+ * Authorization callback that admits any admin and otherwise falls back to
+ * the symmetric default (caller must hold the offered role globally).
+ *
+ * The `web_grantable` filter in `create_handler` runs **before** the
+ * `authorize` callback, so this never sees non-web-grantable roles. Drop
+ * into `create_permit_offer_actions({authorize: authorize_admin_or_holder})`
+ * (or any factory that forwards `authorize`, e.g. `create_standard_rpc_actions`)
+ * for the common "admins offer anything; users offer what they hold"
+ * pattern. Scope-aware policies (e.g. classroom_teacher offering
+ * classroom_student in their own scope) wrap this and short-circuit `true`
+ * before delegating.
+ */
+export const authorize_admin_or_holder = async (auth, input, _deps, ctx) => {
+    if (has_role(auth, ROLE_ADMIN))
+        return true;
+    return query_permit_has_role(ctx, auth.actor.id, input.role);
+};
 /**
  * Narrow `ctx.auth` to non-null. The RPC dispatcher has already enforced
  * `auth: 'authenticated'` before the handler runs — this is a type narrow,
@@ -80,7 +98,7 @@ const require_request_auth = (auth) => {
  * Create the seven permit-offer RPC actions (six offer-lifecycle methods
  * plus `permit_revoke`).
  *
- * @param deps - stateless capabilities; needs `log` and `on_audit_event`; optional `notification_sender` for WS fan-out
+ * @param deps - `PermitOfferActionDeps` — `log`, `on_audit_event`, optional `audit_log_config` (slice of `AppDeps`); optional `notification_sender` for WS fan-out
  * @param options - role schema, default TTL, authorization override
  * @returns the `RpcAction` array to spread into a `create_rpc_endpoint` call
  */
@@ -104,7 +122,7 @@ export const create_permit_offer_actions = (deps, options = {}) => {
                 scope_id: input.scope_id ?? null,
                 to_account_id: input.to_account_id,
             },
-        }, log, on_audit_event);
+        }, deps);
     };
     // Returns {offer} only — no auto-accept. Recipient must call
     // permit_offer_accept; admin tests materialize permits via
@@ -162,7 +180,7 @@ export const create_permit_offer_actions = (deps, options = {}) => {
                 scope_id: offer.scope_id,
                 to_account_id: offer.to_account_id,
             },
-        }, log, on_audit_event);
+        }, deps);
         const offer_json = to_permit_offer_json(offer);
         if (notification_sender) {
             emit_after_commit(ctx, () => {
@@ -258,7 +276,7 @@ export const create_permit_offer_actions = (deps, options = {}) => {
                 scope_id: declined.scope_id,
                 reason: input.reason ?? undefined,
             },
-        }, log, on_audit_event);
+        }, deps);
         if (notification_sender) {
             // Look up the grantor's account (SELECT by PK, same tx) for the
             // notification target. The decline reason rides along on
@@ -299,7 +317,7 @@ export const create_permit_offer_actions = (deps, options = {}) => {
                 role: retracted.role,
                 scope_id: retracted.scope_id,
             },
-        }, log, on_audit_event);
+        }, deps);
         if (notification_sender) {
             const offer_json = to_permit_offer_json(retracted);
             emit_after_commit(ctx, () => {
@@ -355,7 +373,7 @@ export const create_permit_offer_actions = (deps, options = {}) => {
                 target_account_id,
                 ip: ctx.client_ip,
                 metadata: { role: permit_row.role, permit_id: input.permit_id },
-            }, log, on_audit_event);
+            }, deps);
             throw jsonrpc_errors.forbidden('role not web-grantable', {
                 reason: ERROR_ROLE_NOT_WEB_GRANTABLE,
             });
@@ -378,7 +396,7 @@ export const create_permit_offer_actions = (deps, options = {}) => {
                 scope_id: result.scope_id,
                 reason: input.reason ?? undefined,
             },
-        }, log, on_audit_event);
+        }, deps);
         for (const offer of result.superseded_offers) {
             void audit_log_fire_and_forget(ctx, {
                 event_type: 'permit_offer_supersede',
@@ -392,7 +410,7 @@ export const create_permit_offer_actions = (deps, options = {}) => {
                     reason: 'permit_revoked',
                     cause_id: result.id,
                 },
-            }, log, on_audit_event);
+            }, deps);
         }
         if (notification_sender) {
             const superseded = result.superseded_offers.map((o) => ({

package/dist/auth/self_service_role_actions.d.ts

@@ -0,0 +1,136 @@
+/**
+ * Self-service role grant/revoke RPC actions.
+ *
+ * Two static `request_response` actions — `self_service_role_grant` and
+ * `self_service_role_revoke` — that take `{role}` as input and toggle a
+ * permit on the caller for an allowlisted role. Idempotent in both
+ * directions: re-granting an already-held role returns `granted: false`;
+ * revoking a role the caller doesn't hold returns `revoked: false`.
+ *
+ * The factory takes an `eligible_roles` allowlist (validated against the
+ * supplied `roles.role_options` at factory time so typos surface at startup
+ * instead of at first call). Roles outside the allowlist are rejected
+ * with `forbidden` + reason `role_not_self_service_eligible`.
+ *
+ * Audit metadata carries `self_service: true` so admin reviewers can
+ * distinguish self-toggled permits from admin grants/offers. The
+ * `permit_grant` / `permit_revoke` metadata schemas declare
+ * `self_service: z.boolean().optional()` explicitly, so the field is
+ * part of the documented schema surface and is round-trip-validated by
+ * `query_audit_log`.
+ *
+ * Static method names — `role` lives in the input, not the method name —
+ * so specs are codegen-compatible (`satisfies RequestResponseActionSpec`)
+ * and the surface stays constant as consumers add eligible roles. Mirrors
+ * the existing `permit_offer_create({role})` precedent rather than
+ * generating per-role methods.
+ *
+ * @module
+ */
+import { z } from 'zod';
+import { type RpcAction } from '../actions/action_rpc.js';
+import type { RequestResponseActionSpec } from '../actions/action_spec.js';
+import { type RoleSchemaResult } from './role_schema.js';
+import type { RouteFactoryDeps } from './deps.js';
+/** Error reason — caller asked to self-toggle a role outside the configured allowlist. */
+export declare const ERROR_ROLE_NOT_SELF_SERVICE_ELIGIBLE: "role_not_self_service_eligible";
+/** Input for `self_service_role_grant`. */
+export declare const SelfServiceRoleGrantInput: z.ZodObject<{
+    role: z.ZodString;
+}, z.core.$strict>;
+export type SelfServiceRoleGrantInput = z.infer<typeof SelfServiceRoleGrantInput>;
+/**
+ * Output for `self_service_role_grant`. `granted` is `false` on idempotent
+ * re-grant (caller already held the role globally); `permit_id` is set on
+ * new grants only.
+ */
+export declare const SelfServiceRoleGrantOutput: z.ZodObject<{
+    ok: z.ZodLiteral<true>;
+    granted: z.ZodBoolean;
+    permit_id: z.ZodOptional<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+}, z.core.$strict>;
+export type SelfServiceRoleGrantOutput = z.infer<typeof SelfServiceRoleGrantOutput>;
+/** Input for `self_service_role_revoke`. */
+export declare const SelfServiceRoleRevokeInput: z.ZodObject<{
+    role: z.ZodString;
+}, z.core.$strict>;
+export type SelfServiceRoleRevokeInput = z.infer<typeof SelfServiceRoleRevokeInput>;
+/**
+ * Output for `self_service_role_revoke`. `revoked` is `false` when the
+ * caller held no active global permit for the role (idempotent).
+ */
+export declare const SelfServiceRoleRevokeOutput: z.ZodObject<{
+    ok: z.ZodLiteral<true>;
+    revoked: z.ZodBoolean;
+}, z.core.$strict>;
+export type SelfServiceRoleRevokeOutput = z.infer<typeof SelfServiceRoleRevokeOutput>;
+export declare const self_service_role_grant_action_spec: {
+    method: string;
+    kind: "request_response";
+    initiator: "frontend";
+    auth: "authenticated";
+    side_effects: true;
+    input: z.ZodObject<{
+        role: z.ZodString;
+    }, z.core.$strict>;
+    output: z.ZodObject<{
+        ok: z.ZodLiteral<true>;
+        granted: z.ZodBoolean;
+        permit_id: z.ZodOptional<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+    }, z.core.$strict>;
+    async: true;
+    description: string;
+};
+export declare const self_service_role_revoke_action_spec: {
+    method: string;
+    kind: "request_response";
+    initiator: "frontend";
+    auth: "authenticated";
+    side_effects: true;
+    input: z.ZodObject<{
+        role: z.ZodString;
+    }, z.core.$strict>;
+    output: z.ZodObject<{
+        ok: z.ZodLiteral<true>;
+        revoked: z.ZodBoolean;
+    }, z.core.$strict>;
+    async: true;
+    description: string;
+};
+/**
+ * All self-service role action specs — a codegen-ready registry. Method
+ * names are static, so consumer typed-client codegen picks them up the
+ * same way it picks up `account_*_action_specs`.
+ */
+export declare const all_self_service_role_action_specs: Array<RequestResponseActionSpec>;
+/** Options for `create_self_service_role_actions`. */
+export interface SelfServiceRoleActionsOptions {
+    /**
+     * Allowlist of role strings eligible for self-service. Empty array
+     * effectively disables the surface — every call comes back as
+     * `forbidden` with reason `role_not_self_service_eligible`.
+     */
+    eligible_roles: ReadonlyArray<string>;
+    /**
+     * Optional role schema. When supplied, `eligible_roles` entries are
+     * checked against `roles.role_options` at factory time so typos throw
+     * at startup instead of at first call.
+     */
+    roles?: RoleSchemaResult;
+}
+/**
+ * Dependencies for `create_self_service_role_actions`. Same shape as the
+ * peer factories so consumers thread one deps object through all three.
+ * `audit_log_config` flows from `AppDeps` and is consumed by
+ * `audit_log_fire_and_forget`.
+ */
+export type SelfServiceRoleActionDeps = Pick<RouteFactoryDeps, 'log' | 'on_audit_event' | 'audit_log_config'>;
+/**
+ * Build the self-service role grant/revoke RPC actions.
+ *
+ * @param deps - `SelfServiceRoleActionDeps` slice of `AppDeps` (`log`, `on_audit_event`, optional `audit_log_config`)
+ * @param options - eligible-role allowlist plus optional role schema for typo-checking
+ * @returns the `RpcAction` array to spread into a `create_rpc_endpoint` call
+ */
+export declare const create_self_service_role_actions: (deps: SelfServiceRoleActionDeps, options: SelfServiceRoleActionsOptions) => Array<RpcAction>;
+//# sourceMappingURL=self_service_role_actions.d.ts.map

package/dist/auth/self_service_role_actions.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"self_service_role_actions.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/self_service_role_actions.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4BG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAEtB,OAAO,EAAiC,KAAK,SAAS,EAAC,MAAM,0BAA0B,CAAC;AAExF,OAAO,KAAK,EAAC,yBAAyB,EAAC,MAAM,2BAA2B,CAAC;AAEzE,OAAO,EAAW,KAAK,gBAAgB,EAAC,MAAM,kBAAkB,CAAC;AACjE,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,WAAW,CAAC;AAUhD,0FAA0F;AAC1F,eAAO,MAAM,oCAAoC,EAAG,gCAAyC,CAAC;AAI9F,2CAA2C;AAC3C,eAAO,MAAM,yBAAyB;;kBAEpC,CAAC;AACH,MAAM,MAAM,yBAAyB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,yBAAyB,CAAC,CAAC;AAElF;;;;GAIG;AACH,eAAO,MAAM,0BAA0B;;;;kBAIrC,CAAC;AACH,MAAM,MAAM,0BAA0B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,0BAA0B,CAAC,CAAC;AAEpF,4CAA4C;AAC5C,eAAO,MAAM,0BAA0B;;kBAErC,CAAC;AACH,MAAM,MAAM,0BAA0B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,0BAA0B,CAAC,CAAC;AAEpF;;;GAGG;AACH,eAAO,MAAM,2BAA2B;;;kBAGtC,CAAC;AACH,MAAM,MAAM,2BAA2B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,2BAA2B,CAAC,CAAC;AAItF,eAAO,MAAM,mCAAmC;;;;;;;;;;;;;;;;CAWX,CAAC;AAEtC,eAAO,MAAM,oCAAoC;;;;;;;;;;;;;;;CAWZ,CAAC;AAEtC;;;;GAIG;AACH,eAAO,MAAM,kCAAkC,EAAE,KAAK,CAAC,yBAAyB,CAG/E,CAAC;AAIF,sDAAsD;AACtD,MAAM,WAAW,6BAA6B;IAC7C;;;;OAIG;IACH,cAAc,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IACtC;;;;OAIG;IACH,KAAK,CAAC,EAAE,gBAAgB,CAAC;CACzB;AAED;;;;;GAKG;AACH,MAAM,MAAM,yBAAyB,GAAG,IAAI,CAC3C,gBAAgB,EAChB,KAAK,GAAG,gBAAgB,GAAG,kBAAkB,CAC7C,CAAC;AAOF;;;;;;GAMG;AACH,eAAO,MAAM,gCAAgC,GAC5C,MAAM,yBAAyB,EAC/B,SAAS,6BAA6B,KACpC,KAAK,CAAC,SAAS,CAqHjB,CAAC"}

package/dist/auth/self_service_role_actions.js

@@ -0,0 +1,198 @@
+/**
+ * Self-service role grant/revoke RPC actions.
+ *
+ * Two static `request_response` actions — `self_service_role_grant` and
+ * `self_service_role_revoke` — that take `{role}` as input and toggle a
+ * permit on the caller for an allowlisted role. Idempotent in both
+ * directions: re-granting an already-held role returns `granted: false`;
+ * revoking a role the caller doesn't hold returns `revoked: false`.
+ *
+ * The factory takes an `eligible_roles` allowlist (validated against the
+ * supplied `roles.role_options` at factory time so typos surface at startup
+ * instead of at first call). Roles outside the allowlist are rejected
+ * with `forbidden` + reason `role_not_self_service_eligible`.
+ *
+ * Audit metadata carries `self_service: true` so admin reviewers can
+ * distinguish self-toggled permits from admin grants/offers. The
+ * `permit_grant` / `permit_revoke` metadata schemas declare
+ * `self_service: z.boolean().optional()` explicitly, so the field is
+ * part of the documented schema surface and is round-trip-validated by
+ * `query_audit_log`.
+ *
+ * Static method names — `role` lives in the input, not the method name —
+ * so specs are codegen-compatible (`satisfies RequestResponseActionSpec`)
+ * and the surface stays constant as consumers add eligible roles. Mirrors
+ * the existing `permit_offer_create({role})` precedent rather than
+ * generating per-role methods.
+ *
+ * @module
+ */
+import { z } from 'zod';
+import { rpc_action } from '../actions/action_rpc.js';
+import { jsonrpc_errors } from '../http/jsonrpc_errors.js';
+import { Uuid } from '../uuid.js';
+import { RoleName } from './role_schema.js';
+import { query_grant_permit, query_permit_find_active_for_actor, query_permit_has_role, query_revoke_permit, } from './permit_queries.js';
+import { audit_log_fire_and_forget } from './audit_log_queries.js';
+/** Error reason — caller asked to self-toggle a role outside the configured allowlist. */
+export const ERROR_ROLE_NOT_SELF_SERVICE_ELIGIBLE = 'role_not_self_service_eligible';
+// -- Input/output schemas ---------------------------------------------------
+/** Input for `self_service_role_grant`. */
+export const SelfServiceRoleGrantInput = z.strictObject({
+    role: RoleName.meta({ description: 'Role to self-grant. Must be in the configured allowlist.' }),
+});
+/**
+ * Output for `self_service_role_grant`. `granted` is `false` on idempotent
+ * re-grant (caller already held the role globally); `permit_id` is set on
+ * new grants only.
+ */
+export const SelfServiceRoleGrantOutput = z.strictObject({
+    ok: z.literal(true),
+    granted: z.boolean(),
+    permit_id: Uuid.optional(),
+});
+/** Input for `self_service_role_revoke`. */
+export const SelfServiceRoleRevokeInput = z.strictObject({
+    role: RoleName.meta({ description: 'Role to self-revoke. Must be in the configured allowlist.' }),
+});
+/**
+ * Output for `self_service_role_revoke`. `revoked` is `false` when the
+ * caller held no active global permit for the role (idempotent).
+ */
+export const SelfServiceRoleRevokeOutput = z.strictObject({
+    ok: z.literal(true),
+    revoked: z.boolean(),
+});
+// -- Action specs -----------------------------------------------------------
+export const self_service_role_grant_action_spec = {
+    method: 'self_service_role_grant',
+    kind: 'request_response',
+    initiator: 'frontend',
+    auth: 'authenticated',
+    side_effects: true,
+    input: SelfServiceRoleGrantInput,
+    output: SelfServiceRoleGrantOutput,
+    async: true,
+    description: 'Self-grant an active permit for an allowlisted role. Idempotent — already-granted callers receive `granted: false`.',
+};
+export const self_service_role_revoke_action_spec = {
+    method: 'self_service_role_revoke',
+    kind: 'request_response',
+    initiator: 'frontend',
+    auth: 'authenticated',
+    side_effects: true,
+    input: SelfServiceRoleRevokeInput,
+    output: SelfServiceRoleRevokeOutput,
+    async: true,
+    description: 'Self-revoke an active global permit for an allowlisted role. Idempotent — callers without an active permit receive `revoked: false`.',
+};
+/**
+ * All self-service role action specs — a codegen-ready registry. Method
+ * names are static, so consumer typed-client codegen picks them up the
+ * same way it picks up `account_*_action_specs`.
+ */
+export const all_self_service_role_action_specs = [
+    self_service_role_grant_action_spec,
+    self_service_role_revoke_action_spec,
+];
+const require_request_auth = (auth) => {
+    if (!auth)
+        throw new Error('unreachable: action auth guard did not enforce authentication');
+    return auth;
+};
+/**
+ * Build the self-service role grant/revoke RPC actions.
+ *
+ * @param deps - `SelfServiceRoleActionDeps` slice of `AppDeps` (`log`, `on_audit_event`, optional `audit_log_config`)
+ * @param options - eligible-role allowlist plus optional role schema for typo-checking
+ * @returns the `RpcAction` array to spread into a `create_rpc_endpoint` call
+ */
+export const create_self_service_role_actions = (deps, options) => {
+    const eligible = new Set(options.eligible_roles);
+    if (options.roles) {
+        const role_options = options.roles.role_options;
+        for (const r of eligible) {
+            if (!role_options.has(r)) {
+                throw new Error(`create_self_service_role_actions: eligible_roles entry "${r}" is not registered in roles.role_options — typo or missing call to create_role_schema`);
+            }
+        }
+    }
+    const reject_if_ineligible = (role) => {
+        if (!eligible.has(role)) {
+            throw jsonrpc_errors.forbidden('role not eligible for self-service', {
+                reason: ERROR_ROLE_NOT_SELF_SERVICE_ELIGIBLE,
+            });
+        }
+    };
+    const grant_handler = async (input, ctx) => {
+        const auth = require_request_auth(ctx.auth);
+        reject_if_ineligible(input.role);
+        // Pre-check for idempotent re-grant. `query_grant_permit` is itself
+        // idempotent (returns the existing permit instead of inserting), but
+        // it doesn't signal "already existed" vs "newly inserted" — so we
+        // peek first. The TOCTOU window is benign for self-service: two
+        // concurrent grants both observe "no permit", both call
+        // `query_grant_permit`, and one collapses onto the other inside the
+        // query's `ON CONFLICT DO NOTHING`. Worst case both responses report
+        // `granted: true`; the DB still ends up with exactly one permit.
+        const already = await query_permit_has_role(ctx, auth.actor.id, input.role);
+        if (already) {
+            return { ok: true, granted: false };
+        }
+        const permit = await query_grant_permit(ctx, {
+            actor_id: auth.actor.id,
+            role: input.role,
+            scope_id: null,
+            expires_at: null,
+            granted_by: auth.actor.id,
+        });
+        void audit_log_fire_and_forget(ctx, {
+            event_type: 'permit_grant',
+            actor_id: auth.actor.id,
+            account_id: auth.account.id,
+            ip: ctx.client_ip,
+            metadata: {
+                role: permit.role,
+                permit_id: permit.id,
+                scope_id: permit.scope_id,
+                self_service: true,
+            },
+        }, deps);
+        return { ok: true, granted: true, permit_id: permit.id };
+    };
+    const revoke_handler = async (input, ctx) => {
+        const auth = require_request_auth(ctx.auth);
+        reject_if_ineligible(input.role);
+        // Find an active global permit for this (actor, role). No dedicated
+        // query exists, but `query_permit_find_active_for_actor` returns the
+        // short list of every active permit and we filter in JS — fewer
+        // round-trips than a new helper for a one-call-per-revoke path.
+        const active = await query_permit_find_active_for_actor(ctx, auth.actor.id);
+        const target = active.find((p) => p.role === input.role && p.scope_id === null);
+        if (!target) {
+            return { ok: true, revoked: false };
+        }
+        const result = await query_revoke_permit(ctx, target.id, auth.actor.id, auth.actor.id);
+        if (!result) {
+            // Raced with another revoker — treat as already revoked.
+            return { ok: true, revoked: false };
+        }
+        void audit_log_fire_and_forget(ctx, {
+            event_type: 'permit_revoke',
+            actor_id: auth.actor.id,
+            account_id: auth.account.id,
+            ip: ctx.client_ip,
+            metadata: {
+                role: result.role,
+                permit_id: result.id,
+                scope_id: result.scope_id,
+                self_service: true,
+            },
+        }, deps);
+        return { ok: true, revoked: true };
+    };
+    return [
+        rpc_action(self_service_role_grant_action_spec, grant_handler),
+        rpc_action(self_service_role_revoke_action_spec, revoke_handler),
+    ];
+};

package/dist/auth/signup_routes.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"signup_routes.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/signup_routes.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAStB,OAAO,EAAkB,KAAK,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAEtE,OAAO,EAA+B,KAAK,WAAW,EAAC,MAAM,oBAAoB,CAAC;AAClF,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,WAAW,CAAC;AAQhD,OAAO,KAAK,EAAC,WAAW,EAAC,MAAM,0BAA0B,CAAC;AAE1D,OAAO,KAAK,EAAC,uBAAuB,EAAC,MAAM,qBAAqB,CAAC;AAEjE;;GAEG;AACH,MAAM,WAAW,kBAAmB,SAAQ,uBAAuB;IAClE,6FAA6F;IAC7F,2BAA2B,EAAE,WAAW,GAAG,IAAI,CAAC;IAChD,yFAAyF;IACzF,YAAY,EAAE,WAAW,CAAC;CAC1B;AAID,0FAA0F;AAC1F,eAAO,MAAM,WAAW;;;;kBAItB,CAAC;AACH,MAAM,MAAM,WAAW,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,WAAW,CAAC,CAAC;AAEtD,8EAA8E;AAC9E,eAAO,MAAM,YAAY;;kBAEvB,CAAC;AACH,MAAM,MAAM,YAAY,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,YAAY,CAAC,CAAC;AAExD;;;;;;GAMG;AACH,eAAO,MAAM,yBAAyB,GACrC,MAAM,gBAAgB,EACtB,SAAS,kBAAkB,KACzB,KAAK,CAAC,SAAS,CA4HjB,CAAC"}
+{"version":3,"file":"signup_routes.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/signup_routes.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAStB,OAAO,EAAkB,KAAK,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAEtE,OAAO,EAA+B,KAAK,WAAW,EAAC,MAAM,oBAAoB,CAAC;AAClF,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,WAAW,CAAC;AAQhD,OAAO,KAAK,EAAC,WAAW,EAAC,MAAM,0BAA0B,CAAC;AAE1D,OAAO,KAAK,EAAC,uBAAuB,EAAC,MAAM,qBAAqB,CAAC;AAEjE;;GAEG;AACH,MAAM,WAAW,kBAAmB,SAAQ,uBAAuB;IAClE,6FAA6F;IAC7F,2BAA2B,EAAE,WAAW,GAAG,IAAI,CAAC;IAChD,yFAAyF;IACzF,YAAY,EAAE,WAAW,CAAC;CAC1B;AAID,0FAA0F;AAC1F,eAAO,MAAM,WAAW;;;;kBAItB,CAAC;AACH,MAAM,MAAM,WAAW,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,WAAW,CAAC,CAAC;AAEtD,8EAA8E;AAC9E,eAAO,MAAM,YAAY;;kBAEvB,CAAC;AACH,MAAM,MAAM,YAAY,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,YAAY,CAAC,CAAC;AAExD;;;;;;GAMG;AACH,eAAO,MAAM,yBAAyB,GACrC,MAAM,gBAAgB,EACtB,SAAS,kBAAkB,KACzB,KAAK,CAAC,SAAS,CA2HjB,CAAC"}

package/dist/auth/signup_routes.js

@@ -38,7 +38,7 @@ export const SignupOutput = z.strictObject({
  * @returns route specs (not yet applied to Hono)
  */
 export const create_signup_route_specs = (deps, options) => {
-    const { keyring, password, on_audit_event } = deps;
+    const { keyring, password } = deps;
     const { session_options, ip_rate_limiter, signup_account_rate_limiter, app_settings } = options;
     return [
         {
@@ -144,7 +144,7 @@ export const create_signup_route_specs = (deps, options) => {
                     account_id: result.id,
                     ip: get_client_ip(c),
                     metadata: invite ? { invite_id: invite.id, username } : { open_signup: true, username },
-                }, deps.log, on_audit_event);
+                }, deps);
                 return c.json({ ok: true });
             },
         },

package/dist/auth/standard_rpc_actions.d.ts

@@ -49,7 +49,7 @@ export type StandardRpcActionsDeps = PermitOfferActionDeps;
  * and `create_account_actions(deps, {max_tokens})`. The shared `roles`
  * option flows to admin + permit-offer.
  *
- * @param deps - stateless capabilities (log, on_audit_event, optional notification_sender)
+ * @param deps - `StandardRpcActionsDeps` (`log`, `on_audit_event`, optional `audit_log_config` from `AppDeps`; optional `notification_sender` for WS fan-out)
  * @param options - role schema, optional app-settings ref, permit-offer config, account config
  * @returns RPC actions to pass as `rpc_endpoints` or spread into `create_rpc_endpoint`
  */

package/dist/auth/standard_rpc_actions.js

@@ -28,7 +28,7 @@ import { create_account_actions } from './account_actions.js';
  * and `create_account_actions(deps, {max_tokens})`. The shared `roles`
  * option flows to admin + permit-offer.
  *
- * @param deps - stateless capabilities (log, on_audit_event, optional notification_sender)
+ * @param deps - `StandardRpcActionsDeps` (`log`, `on_audit_event`, optional `audit_log_config` from `AppDeps`; optional `notification_sender` for WS fan-out)
  * @param options - role schema, optional app-settings ref, permit-offer config, account config
  * @returns RPC actions to pass as `rpc_endpoints` or spread into `create_rpc_endpoint`
  */

package/dist/server/app_backend.d.ts

@@ -12,7 +12,7 @@
  */
 import { Logger } from '@fuzdev/fuz_util/log.js';
 import type { AppDeps } from '../auth/deps.js';
-import type { AuditLogEvent } from '../auth/audit_log_schema.js';
+import type { AuditLogConfig, AuditLogEvent } from '../auth/audit_log_schema.js';
 import type { DbType } from '../db/db.js';
 import type { Keyring } from '../auth/keyring.js';
 import type { PasswordHashDeps } from '../auth/password.js';
@@ -60,6 +60,14 @@ export interface CreateAppBackendOptions {
      * to all route factories automatically. Defaults to a noop.
      */
     on_audit_event?: (event: AuditLogEvent) => void;
+    /**
+     * Audit-log config for consumer event-type extensions. Built once at
+     * startup via `create_audit_log_config({extra_events})` and threaded
+     * through `AppDeps.audit_log_config` to every fuz_app emit site so
+     * consumer handlers cannot silently fall back to the builtin config.
+     * Omit to use `BUILTIN_AUDIT_LOG_CONFIG` (no extra events).
+     */
+    audit_log_config?: AuditLogConfig;
     /**
      * Additional migration namespaces to run after the builtin auth namespace.
      * Each namespace's own `schema_version` row tracks progress; order is

package/dist/server/app_backend.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"app_backend.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/server/app_backend.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAE/C,OAAO,KAAK,EAAC,OAAO,EAAC,MAAM,iBAAiB,CAAC;AAC7C,OAAO,KAAK,EAAC,aAAa,EAAC,MAAM,6BAA6B,CAAC;AAC/D,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,aAAa,CAAC;AACxC,OAAO,KAAK,EAAC,OAAO,EAAC,MAAM,oBAAoB,CAAC;AAChD,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,qBAAqB,CAAC;AAC1D,OAAO,KAAK,EAAC,UAAU,EAAC,MAAM,oBAAoB,CAAC;AACnD,OAAO,EAAiB,KAAK,kBAAkB,EAAE,KAAK,eAAe,EAAC,MAAM,kBAAkB,CAAC;AAI/F;;;;;GAKG;AACH,MAAM,WAAW,UAAU;IAC1B,IAAI,EAAE,OAAO,CAAC;IACd,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;IAChB,oIAAoI;IACpI,QAAQ,CAAC,iBAAiB,EAAE,aAAa,CAAC,eAAe,CAAC,CAAC;IAC3D,iEAAiE;IACjE,KAAK,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;CAC3B;AAED;;;;;GAKG;AACH,MAAM,WAAW,uBAAuB;IACvC,+DAA+D;IAC/D,IAAI,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC,CAAC;IACnD,2BAA2B;IAC3B,cAAc,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;IAClD,qBAAqB;IACrB,WAAW,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IAC7C,0EAA0E;IAC1E,YAAY,EAAE,MAAM,CAAC;IACrB,wCAAwC;IACxC,OAAO,EAAE,OAAO,CAAC;IACjB,iFAAiF;IACjF,QAAQ,EAAE,gBAAgB,CAAC;IAC3B,6EAA6E;IAC7E,GAAG,CAAC,EAAE,MAAM,CAAC;IACb;;;;OAIG;IACH,cAAc,CAAC,EAAE,CAAC,KAAK,EAAE,aAAa,KAAK,IAAI,CAAC;IAChD;;;;;;;;OAQG;IACH,oBAAoB,CAAC,EAAE,aAAa,CAAC,kBAAkB,CAAC,CAAC;CACzD;AAED;;;;;;;;;GASG;AACH,eAAO,MAAM,kBAAkB,GAAU,SAAS,uBAAuB,KAAG,OAAO,CAAC,UAAU,CAyB7F,CAAC"}
+{"version":3,"file":"app_backend.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/server/app_backend.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAE/C,OAAO,KAAK,EAAC,OAAO,EAAC,MAAM,iBAAiB,CAAC;AAC7C,OAAO,KAAK,EAAC,cAAc,EAAE,aAAa,EAAC,MAAM,6BAA6B,CAAC;AAC/E,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,aAAa,CAAC;AACxC,OAAO,KAAK,EAAC,OAAO,EAAC,MAAM,oBAAoB,CAAC;AAChD,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,qBAAqB,CAAC;AAC1D,OAAO,KAAK,EAAC,UAAU,EAAC,MAAM,oBAAoB,CAAC;AACnD,OAAO,EAAiB,KAAK,kBAAkB,EAAE,KAAK,eAAe,EAAC,MAAM,kBAAkB,CAAC;AAI/F;;;;;GAKG;AACH,MAAM,WAAW,UAAU;IAC1B,IAAI,EAAE,OAAO,CAAC;IACd,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;IAChB,oIAAoI;IACpI,QAAQ,CAAC,iBAAiB,EAAE,aAAa,CAAC,eAAe,CAAC,CAAC;IAC3D,iEAAiE;IACjE,KAAK,EAAE,MAAM,OAAO,CAAC,IAAI,CAAC,CAAC;CAC3B;AAED;;;;;GAKG;AACH,MAAM,WAAW,uBAAuB;IACvC,+DAA+D;IAC/D,IAAI,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC,CAAC;IACnD,2BAA2B;IAC3B,cAAc,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;IAClD,qBAAqB;IACrB,WAAW,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IAC7C,0EAA0E;IAC1E,YAAY,EAAE,MAAM,CAAC;IACrB,wCAAwC;IACxC,OAAO,EAAE,OAAO,CAAC;IACjB,iFAAiF;IACjF,QAAQ,EAAE,gBAAgB,CAAC;IAC3B,6EAA6E;IAC7E,GAAG,CAAC,EAAE,MAAM,CAAC;IACb;;;;OAIG;IACH,cAAc,CAAC,EAAE,CAAC,KAAK,EAAE,aAAa,KAAK,IAAI,CAAC;IAChD;;;;;;OAMG;IACH,gBAAgB,CAAC,EAAE,cAAc,CAAC;IAClC;;;;;;;;OAQG;IACH,oBAAoB,CAAC,EAAE,aAAa,CAAC,kBAAkB,CAAC,CAAC;CACzD;AAED;;;;;;;;;GASG;AACH,eAAO,MAAM,kBAAkB,GAAU,SAAS,uBAAuB,KAAG,OAAO,CAAC,UAAU,CAoC7F,CAAC"}

package/dist/server/app_backend.js

@@ -28,6 +28,7 @@ export const create_app_backend = async (options) => {
     const { database_url, keyring, password, stat, read_text_file, delete_file } = options;
     const log = options.log ?? new Logger('server');
     const on_audit_event = options.on_audit_event ?? (() => { }); // eslint-disable-line @typescript-eslint/no-empty-function
+    const { audit_log_config } = options;
     const { db, close, db_type, db_name } = await create_db(database_url);
     if (options.migration_namespaces?.length) {
         for (const ns of options.migration_namespaces) {
@@ -45,6 +46,16 @@ export const create_app_backend = async (options) => {
         db_name,
         migration_results,
         close,
-        deps: { keyring, password, db, stat, read_text_file, delete_file, log, on_audit_event },
+        deps: {
+            keyring,
+            password,
+            db,
+            stat,
+            read_text_file,
+            delete_file,
+            log,
+            on_audit_event,
+            audit_log_config,
+        },
     };
 };

package/dist/ui/ui_format.d.ts

@@ -6,7 +6,6 @@
  *
  * @module
  */
-import type { AuditEventType } from '../auth/audit_log_schema.js';
 /**
  * Format a timestamp as a relative time string.
  *
@@ -55,9 +54,9 @@ export declare const format_datetime_local: (timestamp: string | number | Date)
 /**
  * Format audit event metadata for display based on event type.
  *
- * @param event_type - the audit event type
+ * @param event_type - the audit event type (builtin or consumer-registered)
  * @param metadata - the metadata object (may be null)
  * @returns human-readable summary string
  */
-export declare const format_audit_metadata: (event_type: AuditEventType, metadata: Record<string, unknown> | null) => string;
+export declare const format_audit_metadata: (event_type: string, metadata: Record<string, unknown> | null) => string;
 //# sourceMappingURL=ui_format.d.ts.map

package/dist/ui/ui_format.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"ui_format.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/ui/ui_format.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,6BAA6B,CAAC;AAEhE;;;;;;GAMG;AACH,eAAO,MAAM,oBAAoB,GAChC,WAAW,MAAM,GAAG,MAAM,GAAG,IAAI,EACjC,MAAK,MAAmB,KACtB,MA2BF,CAAC;AAEF;;;;;GAKG;AACH,eAAO,MAAM,aAAa,GAAI,IAAI,MAAM,KAAG,MAY1C,CAAC;AAEF;;;;;;;GAOG;AACH,eAAO,MAAM,eAAe,GAAI,KAAK,MAAM,EAAE,YAAY,MAAM,EAAE,kBAAe,KAAG,MAOlF,CAAC;AAEF;;;;;GAKG;AACH,eAAO,MAAM,aAAa,GAAI,MAAM,MAAM,KAAG,MAAmC,CAAC;AAEjF;;;;;GAKG;AACH,eAAO,MAAM,YAAY,GAAI,OAAO,OAAO,KAAG,MAS7C,CAAC;AAEF;;;;;GAKG;AACH,eAAO,MAAM,qBAAqB,GAAI,WAAW,MAAM,GAAG,MAAM,GAAG,IAAI,KAAG,MAOzE,CAAC;AAEF;;;;;;GAMG;AACH,eAAO,MAAM,qBAAqB,GACjC,YAAY,cAAc,EAC1B,UAAU,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,KACtC,MAuDF,CAAC"}
+{"version":3,"file":"ui_format.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/ui/ui_format.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH;;;;;;GAMG;AACH,eAAO,MAAM,oBAAoB,GAChC,WAAW,MAAM,GAAG,MAAM,GAAG,IAAI,EACjC,MAAK,MAAmB,KACtB,MA2BF,CAAC;AAEF;;;;;GAKG;AACH,eAAO,MAAM,aAAa,GAAI,IAAI,MAAM,KAAG,MAY1C,CAAC;AAEF;;;;;;;GAOG;AACH,eAAO,MAAM,eAAe,GAAI,KAAK,MAAM,EAAE,YAAY,MAAM,EAAE,kBAAe,KAAG,MAOlF,CAAC;AAEF;;;;;GAKG;AACH,eAAO,MAAM,aAAa,GAAI,MAAM,MAAM,KAAG,MAAmC,CAAC;AAEjF;;;;;GAKG;AACH,eAAO,MAAM,YAAY,GAAI,OAAO,OAAO,KAAG,MAS7C,CAAC;AAEF;;;;;GAKG;AACH,eAAO,MAAM,qBAAqB,GAAI,WAAW,MAAM,GAAG,MAAM,GAAG,IAAI,KAAG,MAOzE,CAAC;AAEF;;;;;;GAMG;AACH,eAAO,MAAM,qBAAqB,GACjC,YAAY,MAAM,EAClB,UAAU,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,KACtC,MAuDF,CAAC"}

package/dist/ui/ui_format.js

@@ -133,7 +133,7 @@ export const format_datetime_local = (timestamp) => {
 /**
  * Format audit event metadata for display based on event type.
  *
- * @param event_type - the audit event type
+ * @param event_type - the audit event type (builtin or consumer-registered)
  * @param metadata - the metadata object (may be null)
  * @returns human-readable summary string
  */

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@fuzdev/fuz_app",
-  "version": "0.39.0",
+  "version": "0.40.0",
   "description": "fullstack app library",
   "glyph": "🗝",
   "logo": "logo.svg",