@fuzdev/fuz_app 0.39.0 → 0.41.0

package/dist/auth/permit_offer_notifications.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"permit_offer_notifications.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/permit_offer_notifications.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAItB,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,oBAAoB,CAAC;AAClD,OAAO,KAAK,EAAC,mBAAmB,EAAC,MAAM,oBAAoB,CAAC;AAE5D,OAAO,EAAqB,KAAK,IAAI,EAAC,MAAM,YAAY,CAAC;AAKzD;;;;;;;;;;;;;GAaG;AACH,MAAM,WAAW,kBAAkB;IAClC,eAAe,EAAE,CAAC,UAAU,EAAE,IAAI,EAAE,OAAO,EAAE,mBAAmB,KAAK,MAAM,CAAC;CAC5E;AAID,eAAO,MAAM,yCAAyC,0BAA0B,CAAC;AACjF,eAAO,MAAM,0CAA0C,2BAA2B,CAAC;AACnF,eAAO,MAAM,yCAAyC,0BAA0B,CAAC;AACjF,eAAO,MAAM,yCAAyC,0BAA0B,CAAC;AACjF,eAAO,MAAM,0CAA0C,2BAA2B,CAAC;AACnF,eAAO,MAAM,iCAAiC,kBAAkB,CAAC;AAIjE,6EAA6E;AAC7E,eAAO,MAAM,yBAAyB;;;;;;;;;;;;;;;;;kBAEpC,CAAC;AACH,MAAM,MAAM,yBAAyB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,yBAAyB,CAAC,CAAC;AAElF,qEAAqE;AACrE,eAAO,MAAM,0BAA0B;;;;;;;;;;;;;;;;;kBAErC,CAAC;AACH,MAAM,MAAM,0BAA0B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,0BAA0B,CAAC,CAAC;AAEpF,yEAAyE;AACzE,eAAO,MAAM,yBAAyB;;;;;;;;;;;;;;;;;kBAEpC,CAAC;AACH,MAAM,MAAM,yBAAyB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,yBAAyB,CAAC,CAAC;AAElF;;;;GAIG;AACH,eAAO,MAAM,yBAAyB;;;;;;;;;;;;;;;;;kBAEpC,CAAC;AACH,MAAM,MAAM,yBAAyB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,yBAAyB,CAAC,CAAC;AAElF;;;;;;GAMG;AACH,eAAO,MAAM,0BAA0B;;;;;;;;;;;;;;;;;;;;;;kBAIrC,CAAC;AACH,MAAM,MAAM,0BAA0B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,0BAA0B,CAAC,CAAC;AAEpF;;;;;;GAMG;AACH,eAAO,MAAM,kBAAkB;;;;;kBAK7B,CAAC;AACH,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAIpE,eAAO,MAAM,uCAAuC;;;;;;;;;;;;;;;;;;;;;;;;;;;CAUZ,CAAC;AAEzC,eAAO,MAAM,wCAAwC;;;;;;;;;;;;;;;;;;;;;;;;;;;CAUb,CAAC;AAEzC,eAAO,MAAM,uCAAuC;;;;;;;;;;;;;;;;;;;;;;;;;;;CAUZ,CAAC;AAEzC,eAAO,MAAM,uCAAuC;;;;;;;;;;;;;;;;;;;;;;;;;;;CAUZ,CAAC;AAEzC,eAAO,MAAM,wCAAwC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAWb,CAAC;AAEzC,eAAO,MAAM,+BAA+B;;;;;;;;;;;;;;;CAUJ,CAAC;AAIzC;;;;;GAKG;AACH,eAAO,MAAM,+BAA+B,EAAE,KAAK,CAAC,SAAS,CAO5D,CAAC;AAIF,eAAO,MAAM,wCAAwC,GACpD,QAAQ,yBAAyB,KAC/B,mBAC4E,CAAC;AAEhF,eAAO,MAAM,yCAAyC,GACrD,QAAQ,0BAA0B,KAChC,mBAC6E,CAAC;AAEjF,eAAO,MAAM,wCAAwC,GACpD,QAAQ,yBAAyB,KAC/B,mBAC4E,CAAC;AAEhF,eAAO,MAAM,wCAAwC,GACpD,QAAQ,yBAAyB,KAC/B,mBAC4E,CAAC;AAEhF,eAAO,MAAM,yCAAyC,GACrD,QAAQ,0BAA0B,KAChC,mBAC6E,CAAC;AAEjF,eAAO,MAAM,gCAAgC,GAAI,QAAQ,kBAAkB,KAAG,mBACP,CAAC"}
+{"version":3,"file":"permit_offer_notifications.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/permit_offer_notifications.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AACtB,OAAO,EAAqB,KAAK,IAAI,EAAC,MAAM,wBAAwB,CAAC;AAIrE,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,oBAAoB,CAAC;AAClD,OAAO,KAAK,EAAC,mBAAmB,EAAC,MAAM,oBAAoB,CAAC;AAM5D;;;;;;;;;;;;;GAaG;AACH,MAAM,WAAW,kBAAkB;IAClC,eAAe,EAAE,CAAC,UAAU,EAAE,IAAI,EAAE,OAAO,EAAE,mBAAmB,KAAK,MAAM,CAAC;CAC5E;AAID,eAAO,MAAM,yCAAyC,0BAA0B,CAAC;AACjF,eAAO,MAAM,0CAA0C,2BAA2B,CAAC;AACnF,eAAO,MAAM,yCAAyC,0BAA0B,CAAC;AACjF,eAAO,MAAM,yCAAyC,0BAA0B,CAAC;AACjF,eAAO,MAAM,0CAA0C,2BAA2B,CAAC;AACnF,eAAO,MAAM,iCAAiC,kBAAkB,CAAC;AAIjE,6EAA6E;AAC7E,eAAO,MAAM,yBAAyB;;;;;;;;;;;;;;;;;kBAEpC,CAAC;AACH,MAAM,MAAM,yBAAyB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,yBAAyB,CAAC,CAAC;AAElF,qEAAqE;AACrE,eAAO,MAAM,0BAA0B;;;;;;;;;;;;;;;;;kBAErC,CAAC;AACH,MAAM,MAAM,0BAA0B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,0BAA0B,CAAC,CAAC;AAEpF,yEAAyE;AACzE,eAAO,MAAM,yBAAyB;;;;;;;;;;;;;;;;;kBAEpC,CAAC;AACH,MAAM,MAAM,yBAAyB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,yBAAyB,CAAC,CAAC;AAElF;;;;GAIG;AACH,eAAO,MAAM,yBAAyB;;;;;;;;;;;;;;;;;kBAEpC,CAAC;AACH,MAAM,MAAM,yBAAyB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,yBAAyB,CAAC,CAAC;AAElF;;;;;;;;GAQG;AACH,eAAO,MAAM,0BAA0B;;;;;;;;;;;;;;;;;;;;;;;kBAIrC,CAAC;AACH,MAAM,MAAM,0BAA0B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,0BAA0B,CAAC,CAAC;AAEpF;;;;;;GAMG;AACH,eAAO,MAAM,kBAAkB;;;;;kBAK7B,CAAC;AACH,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAIpE,eAAO,MAAM,uCAAuC;;;;;;;;;;;;;;;;;;;;;;;;;;;CAUZ,CAAC;AAEzC,eAAO,MAAM,wCAAwC;;;;;;;;;;;;;;;;;;;;;;;;;;;CAUb,CAAC;AAEzC,eAAO,MAAM,uCAAuC;;;;;;;;;;;;;;;;;;;;;;;;;;;CAUZ,CAAC;AAEzC,eAAO,MAAM,uCAAuC;;;;;;;;;;;;;;;;;;;;;;;;;;;CAUZ,CAAC;AAEzC,eAAO,MAAM,wCAAwC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAWb,CAAC;AAEzC,eAAO,MAAM,+BAA+B;;;;;;;;;;;;;;;CAUJ,CAAC;AAIzC;;;;;GAKG;AACH,eAAO,MAAM,+BAA+B,EAAE,KAAK,CAAC,SAAS,CAO5D,CAAC;AAIF,eAAO,MAAM,wCAAwC,GACpD,QAAQ,yBAAyB,KAC/B,mBAC4E,CAAC;AAEhF,eAAO,MAAM,yCAAyC,GACrD,QAAQ,0BAA0B,KAChC,mBAC6E,CAAC;AAEjF,eAAO,MAAM,wCAAwC,GACpD,QAAQ,yBAAyB,KAC/B,mBAC4E,CAAC;AAEhF,eAAO,MAAM,wCAAwC,GACpD,QAAQ,yBAAyB,KAC/B,mBAC4E,CAAC;AAEhF,eAAO,MAAM,yCAAyC,GACrD,QAAQ,0BAA0B,KAChC,mBAC6E,CAAC;AAEjF,eAAO,MAAM,gCAAgC,GAAI,QAAQ,kBAAkB,KAAG,mBACP,CAAC"}

package/dist/auth/permit_offer_notifications.js

@@ -10,8 +10,9 @@
  * - `permit_offer_retracted` → recipient's sockets when a grantor retracts
  * - `permit_offer_accepted` → grantor's sockets when the recipient accepts
  * - `permit_offer_declined` → grantor's sockets when the recipient declines
- * - `permit_offer_supersede` → grantor's sockets when a sibling accept or
- *   a revoke of the resulting permit obsoletes their pending offer
+ * - `permit_offer_supersede` → grantor's sockets when a sibling accept,
+ *   a revoke of the resulting permit, or destruction of the parent scope
+ *   row obsoletes their pending offer
  * - `permit_revoke` → revokee's sockets when one of their active permits
  *   is revoked (companion to the `permit_revoke` audit event)
  *
@@ -29,9 +30,9 @@
  * @module
  */
 import { z } from 'zod';
+import { Uuid as UuidSchema } from '@fuzdev/fuz_util/id.js';
 import { create_action_event_spec } from '../actions/action_bridge.js';
 import { create_jsonrpc_notification } from '../http/jsonrpc_helpers.js';
-import { Uuid as UuidSchema } from '../uuid.js';
 import { RoleName } from './role_schema.js';
 import { PermitOfferJson } from './permit_offer_schema.js';
 import { PERMIT_REVOKED_REASON_LENGTH_MAX } from './account_schema.js';
@@ -66,13 +67,15 @@ export const PermitOfferDeclinedParams = z.strictObject({
 /**
  * Params for `permit_offer_supersede`. Fires to the grantor's sockets when
  * their pending offer is obsoleted — either by a sibling accept
- * (`reason: 'sibling_accepted'`) or by revoke of the resulting permit
- * (`reason: 'permit_revoked'`). `cause_id` points at the accepted offer id
- * or the revoked permit id respectively.
+ * (`reason: 'sibling_accepted'`), by revoke of the resulting permit
+ * (`reason: 'permit_revoked'`), or by deletion of the parent scope row
+ * the offer was bound to (`reason: 'scope_destroyed'`). `cause_id` points
+ * at the accepted offer id, the revoked permit id, or the destroyed scope
+ * row id respectively.
  */
 export const PermitOfferSupersedeParams = z.strictObject({
     offer: PermitOfferJson,
-    reason: z.enum(['sibling_accepted', 'permit_revoked']),
+    reason: z.enum(['sibling_accepted', 'permit_revoked', 'scope_destroyed']),
     cause_id: UuidSchema,
 });
 /**
@@ -142,7 +145,7 @@ export const permit_offer_supersede_notification_spec = {
     input: PermitOfferSupersedeParams,
     output: z.void(),
     async: true,
-    description: 'A grantor’s pending permit offer was obsoleted by a sibling accept or by revoke of the resulting permit.',
+    description: 'A grantor’s pending permit offer was obsoleted by a sibling accept, by revoke of the resulting permit, or by destruction of the parent scope row.',
 };
 export const permit_revoke_notification_spec = {
     method: PERMIT_REVOKE_NOTIFICATION_METHOD,

package/dist/auth/permit_offer_queries.d.ts

@@ -11,8 +11,8 @@
  *
  * @module
  */
+import type { Uuid } from '@fuzdev/fuz_util/id.js';
 import type { QueryDeps } from '../db/query_deps.js';
-import type { Uuid } from '../uuid.js';
 import type { Permit } from './account_schema.js';
 import { type CreatePermitOfferInput, type PermitOffer, type SupersededOffer } from './permit_offer_schema.js';
 import type { AuditLogEvent } from './audit_log_schema.js';

package/dist/auth/permit_offer_queries.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"permit_offer_queries.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/permit_offer_queries.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,qBAAqB,CAAC;AAEnD,OAAO,KAAK,EAAC,IAAI,EAAC,MAAM,YAAY,CAAC;AACrC,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,qBAAqB,CAAC;AAEhD,OAAO,EAEN,KAAK,sBAAsB,EAC3B,KAAK,WAAW,EAChB,KAAK,eAAe,EACpB,MAAM,0BAA0B,CAAC;AAElC,OAAO,KAAK,EAAC,aAAa,EAAC,MAAM,uBAAuB,CAAC;AAEzD;;;;;GAKG;AACH,qBAAa,+BAAgC,SAAQ,KAAK;gBAC7C,QAAQ,EAAE,MAAM;CAI5B;AAED;;;;;GAKG;AACH,qBAAa,uBAAwB,SAAQ,KAAK;gBACrC,QAAQ,EAAE,MAAM;CAI5B;AAED;;;;;GAKG;AACH,qBAAa,wBAAyB,SAAQ,KAAK;gBACtC,QAAQ,EAAE,MAAM;CAI5B;AAED;;;;;;GAMG;AACH,qBAAa,0BAA2B,SAAQ,KAAK;;CAKpD;AAED;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,yBAAyB,GACrC,MAAM,SAAS,EACf,OAAO,sBAAsB,KAC3B,OAAO,CAAC,WAAW,CAyBrB,CAAC;AAEF;;;;;;;GAOG;AACH,eAAO,MAAM,0BAA0B,GACtC,MAAM,SAAS,EACf,UAAU,MAAM,EAChB,eAAe,MAAM,EACrB,QAAQ,MAAM,GAAG,IAAI,KACnB,OAAO,CAAC,WAAW,GAAG,IAAI,CAe5B,CAAC;AAEF;;;;;;;GAOG;AACH,eAAO,MAAM,0BAA0B,GACtC,MAAM,SAAS,EACf,UAAU,MAAM,EAChB,eAAe,MAAM,KACnB,OAAO,CAAC,WAAW,GAAG,IAAI,CAe5B,CAAC;AA8BF;;;;;;GAMG;AACH,eAAO,MAAM,uBAAuB,GACnC,MAAM,SAAS,EACf,eAAe,MAAM,KACnB,OAAO,CAAC,KAAK,CAAC,WAAW,CAAC,CAY5B,CAAC;AAEF;;;;GAIG;AACH,eAAO,MAAM,sCAAsC,GAClD,MAAM,SAAS,EACf,YAAY,MAAM,EAClB,cAAW,EACX,eAAU,KACR,OAAO,CAAC,KAAK,CAAC,WAAW,CAAC,CAS5B,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,+BAA+B,GAC3C,MAAM,SAAS,EACf,UAAU,MAAM,KACd,OAAO,CAAC,WAAW,GAAG,IAAI,CAY5B,CAAC;AAEF;;;;;;;GAOG;AACH,eAAO,MAAM,gCAAgC,GAC5C,MAAM,SAAS,KACb,OAAO,CAAC,KAAK,CAAC,WAAW,CAAC,CAU5B,CAAC;AAEF,sCAAsC;AACtC,MAAM,WAAW,gBAAgB;IAChC,QAAQ,EAAE,IAAI,CAAC;IACf,mGAAmG;IACnG,aAAa,EAAE,IAAI,CAAC;IACpB,gDAAgD;IAChD,EAAE,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CACnB;AAED,yHAAyH;AACzH,MAAM,WAAW,iBAAiB;IACjC,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,WAAW,CAAC;IACnB,4IAA4I;IAC5I,OAAO,EAAE,OAAO,CAAC;IACjB;;;;;OAKG;IACH,iBAAiB,EAAE,KAAK,CAAC,eAAe,CAAC,CAAC;IAC1C,sLAAsL;IACtL,YAAY,EAAE,KAAK,CAAC,aAAa,CAAC,CAAC;CACnC;AAED;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,eAAO,MAAM,kBAAkB,GAC9B,MAAM,SAAS,EACf,OAAO,gBAAgB,KACrB,OAAO,CAAC,iBAAiB,CAqK3B,CAAC"}
+{"version":3,"file":"permit_offer_queries.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/permit_offer_queries.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,KAAK,EAAC,IAAI,EAAC,MAAM,wBAAwB,CAAC;AAEjD,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,qBAAqB,CAAC;AAEnD,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,qBAAqB,CAAC;AAEhD,OAAO,EAEN,KAAK,sBAAsB,EAC3B,KAAK,WAAW,EAChB,KAAK,eAAe,EACpB,MAAM,0BAA0B,CAAC;AAElC,OAAO,KAAK,EAAC,aAAa,EAAC,MAAM,uBAAuB,CAAC;AAEzD;;;;;GAKG;AACH,qBAAa,+BAAgC,SAAQ,KAAK;gBAC7C,QAAQ,EAAE,MAAM;CAI5B;AAED;;;;;GAKG;AACH,qBAAa,uBAAwB,SAAQ,KAAK;gBACrC,QAAQ,EAAE,MAAM;CAI5B;AAED;;;;;GAKG;AACH,qBAAa,wBAAyB,SAAQ,KAAK;gBACtC,QAAQ,EAAE,MAAM;CAI5B;AAED;;;;;;GAMG;AACH,qBAAa,0BAA2B,SAAQ,KAAK;;CAKpD;AAED;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,yBAAyB,GACrC,MAAM,SAAS,EACf,OAAO,sBAAsB,KAC3B,OAAO,CAAC,WAAW,CAyBrB,CAAC;AAEF;;;;;;;GAOG;AACH,eAAO,MAAM,0BAA0B,GACtC,MAAM,SAAS,EACf,UAAU,MAAM,EAChB,eAAe,MAAM,EACrB,QAAQ,MAAM,GAAG,IAAI,KACnB,OAAO,CAAC,WAAW,GAAG,IAAI,CAe5B,CAAC;AAEF;;;;;;;GAOG;AACH,eAAO,MAAM,0BAA0B,GACtC,MAAM,SAAS,EACf,UAAU,MAAM,EAChB,eAAe,MAAM,KACnB,OAAO,CAAC,WAAW,GAAG,IAAI,CAe5B,CAAC;AA8BF;;;;;;GAMG;AACH,eAAO,MAAM,uBAAuB,GACnC,MAAM,SAAS,EACf,eAAe,MAAM,KACnB,OAAO,CAAC,KAAK,CAAC,WAAW,CAAC,CAY5B,CAAC;AAEF;;;;GAIG;AACH,eAAO,MAAM,sCAAsC,GAClD,MAAM,SAAS,EACf,YAAY,MAAM,EAClB,cAAW,EACX,eAAU,KACR,OAAO,CAAC,KAAK,CAAC,WAAW,CAAC,CAS5B,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,+BAA+B,GAC3C,MAAM,SAAS,EACf,UAAU,MAAM,KACd,OAAO,CAAC,WAAW,GAAG,IAAI,CAY5B,CAAC;AAEF;;;;;;;GAOG;AACH,eAAO,MAAM,gCAAgC,GAC5C,MAAM,SAAS,KACb,OAAO,CAAC,KAAK,CAAC,WAAW,CAAC,CAU5B,CAAC;AAEF,sCAAsC;AACtC,MAAM,WAAW,gBAAgB;IAChC,QAAQ,EAAE,IAAI,CAAC;IACf,mGAAmG;IACnG,aAAa,EAAE,IAAI,CAAC;IACpB,gDAAgD;IAChD,EAAE,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CACnB;AAED,yHAAyH;AACzH,MAAM,WAAW,iBAAiB;IACjC,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,WAAW,CAAC;IACnB,4IAA4I;IAC5I,OAAO,EAAE,OAAO,CAAC;IACjB;;;;;OAKG;IACH,iBAAiB,EAAE,KAAK,CAAC,eAAe,CAAC,CAAC;IAC1C,sLAAsL;IACtL,YAAY,EAAE,KAAK,CAAC,aAAa,CAAC,CAAC;CACnC;AAED;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,eAAO,MAAM,kBAAkB,GAC9B,MAAM,SAAS,EACf,OAAO,gBAAgB,KACrB,OAAO,CAAC,iBAAiB,CAqK3B,CAAC"}

package/dist/auth/permit_offer_schema.d.ts

@@ -10,7 +10,7 @@
  * @module
  */
 import { z } from 'zod';
-import { Uuid } from '../uuid.js';
+import { Uuid } from '@fuzdev/fuz_util/id.js';
 /** Sentinel UUID used inside the partial unique indexes to collapse `scope_id IS NULL` into a comparable value. */
 export declare const PERMIT_OFFER_SCOPE_SENTINEL_UUID = "00000000-0000-0000-0000-000000000000";
 /** Maximum length of the optional message attached to an offer. */

package/dist/auth/permit_offer_schema.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"permit_offer_schema.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/permit_offer_schema.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAEtB,OAAO,EAAC,IAAI,EAAC,MAAM,YAAY,CAAC;AAGhC,mHAAmH;AACnH,eAAO,MAAM,gCAAgC,yCAAyC,CAAC;AAEvF,mEAAmE;AACnE,eAAO,MAAM,+BAA+B,MAAM,CAAC;AAEnD,yFAAyF;AACzF,eAAO,MAAM,2BAA2B,QAA2B,CAAC;AAEpE,eAAO,MAAM,mBAAmB,6kCA6B9B,CAAC;AAEH;;;;;;;;;;GAUG;AACH,eAAO,MAAM,iCAAiC,8UAWhB,CAAC;AAE/B,+EAA+E;AAC/E,eAAO,MAAM,wBAAwB,0NAMP,CAAC;AAE/B,oDAAoD;AACpD,MAAM,WAAW,WAAW;IAC3B,EAAE,EAAE,IAAI,CAAC;IACT,aAAa,EAAE,IAAI,CAAC;IACpB,aAAa,EAAE,IAAI,CAAC;IACpB,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,IAAI,GAAG,IAAI,CAAC;IACtB,OAAO,EAAE,MAAM,GAAG,IAAI,CAAC;IACvB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IACnB,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,cAAc,EAAE,MAAM,GAAG,IAAI,CAAC;IAC9B,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5B;;;;;OAKG;IACH,aAAa,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7B,mBAAmB,EAAE,IAAI,GAAG,IAAI,CAAC;CACjC;AAED;;;;;;;GAOG;AACH,MAAM,WAAW,eAAgB,SAAQ,WAAW;IACnD,eAAe,EAAE,IAAI,CAAC;CACtB;AAED;;;;;GAKG;AACH,MAAM,WAAW,sBAAsB;IACtC,aAAa,EAAE,IAAI,CAAC;IACpB,aAAa,EAAE,IAAI,CAAC;IACpB,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;IACvB,OAAO,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,UAAU,EAAE,IAAI,CAAC;CACjB;AAED,oDAAoD;AACpD,eAAO,MAAM,eAAe;;;;;;;;;;;;;;;kBA4CyD,CAAC;AACtF,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,eAAe,CAAC,CAAC;AAE9D,6DAA6D;AAC7D,eAAO,MAAM,oBAAoB,GAAI,OAAO,WAAW,KAAG,eAexD,CAAC"}
+{"version":3,"file":"permit_offer_schema.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/permit_offer_schema.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AACtB,OAAO,EAAC,IAAI,EAAC,MAAM,wBAAwB,CAAC;AAI5C,mHAAmH;AACnH,eAAO,MAAM,gCAAgC,yCAAyC,CAAC;AAEvF,mEAAmE;AACnE,eAAO,MAAM,+BAA+B,MAAM,CAAC;AAEnD,yFAAyF;AACzF,eAAO,MAAM,2BAA2B,QAA2B,CAAC;AAEpE,eAAO,MAAM,mBAAmB,6kCA6B9B,CAAC;AAEH;;;;;;;;;;GAUG;AACH,eAAO,MAAM,iCAAiC,8UAWhB,CAAC;AAE/B,+EAA+E;AAC/E,eAAO,MAAM,wBAAwB,0NAMP,CAAC;AAE/B,oDAAoD;AACpD,MAAM,WAAW,WAAW;IAC3B,EAAE,EAAE,IAAI,CAAC;IACT,aAAa,EAAE,IAAI,CAAC;IACpB,aAAa,EAAE,IAAI,CAAC;IACpB,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,IAAI,GAAG,IAAI,CAAC;IACtB,OAAO,EAAE,MAAM,GAAG,IAAI,CAAC;IACvB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IACnB,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,cAAc,EAAE,MAAM,GAAG,IAAI,CAAC;IAC9B,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5B;;;;;OAKG;IACH,aAAa,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7B,mBAAmB,EAAE,IAAI,GAAG,IAAI,CAAC;CACjC;AAED;;;;;;;GAOG;AACH,MAAM,WAAW,eAAgB,SAAQ,WAAW;IACnD,eAAe,EAAE,IAAI,CAAC;CACtB;AAED;;;;;GAKG;AACH,MAAM,WAAW,sBAAsB;IACtC,aAAa,EAAE,IAAI,CAAC;IACpB,aAAa,EAAE,IAAI,CAAC;IACpB,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;IACvB,OAAO,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,UAAU,EAAE,IAAI,CAAC;CACjB;AAED,oDAAoD;AACpD,eAAO,MAAM,eAAe;;;;;;;;;;;;;;;kBA4CyD,CAAC;AACtF,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,eAAe,CAAC,CAAC;AAE9D,6DAA6D;AAC7D,eAAO,MAAM,oBAAoB,GAAI,OAAO,WAAW,KAAG,eAexD,CAAC"}

package/dist/auth/permit_offer_schema.js

@@ -10,7 +10,7 @@
  * @module
  */
 import { z } from 'zod';
-import { Uuid } from '../uuid.js';
+import { Uuid } from '@fuzdev/fuz_util/id.js';
 import { RoleName } from './role_schema.js';
 /** Sentinel UUID used inside the partial unique indexes to collapse `scope_id IS NULL` into a comparable value. */
 export const PERMIT_OFFER_SCOPE_SENTINEL_UUID = '00000000-0000-0000-0000-000000000000';

package/dist/auth/permit_queries.d.ts

@@ -6,8 +6,8 @@
  *
  * @module
  */
+import type { Uuid } from '@fuzdev/fuz_util/id.js';
 import type { QueryDeps } from '../db/query_deps.js';
-import type { Uuid } from '../uuid.js';
 import type { Permit, GrantPermitInput } from './account_schema.js';
 import { type SupersededOffer } from './permit_offer_schema.js';
 /**
@@ -110,6 +110,55 @@ export declare const query_permit_list_for_actor: (deps: QueryDeps, actor_id: st
  * @returns the account ID, or `null`
  */
 export declare const query_permit_find_account_id_for_role: (deps: QueryDeps, role: string) => Promise<string | null>;
+/** Result of `query_permit_revoke_for_scope` — every permit revoked plus every pending offer superseded by the scope-wide cascade. */
+export interface RevokeForScopeResult {
+    /**
+     * One entry per permit revoked by this call. Carries the revokee's
+     * `account_id` so callers can fan out a `permit_revoke` notification per
+     * permit. Empty array means no active permit was bound to the scope.
+     */
+    revoked: Array<{
+        permit_id: Uuid;
+        role: string;
+        scope_id: Uuid;
+        account_id: Uuid;
+    }>;
+    /**
+     * Every pending offer at the scope — tuple-matched and orphan, undifferentiated
+     * — superseded in the same cascade. Each entry carries its grantor's
+     * `from_account_id` for `permit_offer_supersede` notification fan-out.
+     *
+     * The caller is responsible for emitting `permit_offer_supersede` audit
+     * events with `reason: 'scope_destroyed'` and `cause_id: <destroyed scope row id>`
+     * per entry — the cause of every supersede here is the scope deletion,
+     * not any individual permit revoke (the revokes are themselves
+     * consequences of the scope going away).
+     */
+    superseded_offers: Array<SupersededOffer>;
+}
+/**
+ * Revoke every active permit bound to a scope and supersede every pending
+ * offer at the scope, in one cascade.
+ *
+ * Use this from a consumer's parent-scope delete handler (e.g., classroom
+ * deletion) — `permit.scope_id` and `permit_offer.scope_id` are polymorphic
+ * with no FK constraint by design, so a parent row deletion would otherwise
+ * orphan permits and offers. The cascade is **role-agnostic**: anything
+ * attached to the destroyed scope is cleaned up.
+ *
+ * Both updates run as separate statements inside the caller's transaction
+ * (mirrors `query_permit_revoke_role`'s shape). The two halves are
+ * independent — orphan pending offers can exist at a scope with no active
+ * permits, so the supersede half always runs even when no permit was
+ * revoked.
+ *
+ * @param deps - query dependencies
+ * @param scope_id - the scope whose permits and offers to terminate
+ * @param revoked_by - the actor performing the cascade (audit trail)
+ * @param reason - optional free-form reason, stamped on `permit.revoked_reason`.
+ * @returns the revoked permits (with `account_id` for fan-out) and superseded offers (with `from_account_id` for fan-out)
+ */
+export declare const query_permit_revoke_for_scope: (deps: QueryDeps, scope_id: Uuid, revoked_by: Uuid | null, reason?: string | null) => Promise<RevokeForScopeResult>;
 /** Result of `query_permit_revoke_role` — every permit revoked plus the pending offers superseded by the bulk revoke. */
 export interface RevokeRoleResult {
     /**

package/dist/auth/permit_queries.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"permit_queries.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/permit_queries.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,qBAAqB,CAAC;AACnD,OAAO,KAAK,EAAC,IAAI,EAAC,MAAM,YAAY,CAAC;AACrC,OAAO,KAAK,EAAC,MAAM,EAAE,gBAAgB,EAAC,MAAM,qBAAqB,CAAC;AAElE,OAAO,EAAmC,KAAK,eAAe,EAAC,MAAM,0BAA0B,CAAC;AAEhG;;;;;;;;;;;;;;GAcG;AACH,eAAO,MAAM,kBAAkB,GAC9B,MAAM,SAAS,EACf,OAAO,gBAAgB,KACrB,OAAO,CAAC,MAAM,CA4BhB,CAAC;AAEF;;;;;;;;;;;;;;;GAeG;AACH,eAAO,MAAM,uCAAuC,GACnD,MAAM,SAAS,EACf,WAAW,MAAM,EACjB,UAAU,MAAM,KACd,OAAO,CAAC;IAAC,IAAI,EAAE,MAAM,CAAA;CAAC,GAAG,IAAI,CAO/B,CAAC;AAEF,6GAA6G;AAC7G,MAAM,WAAW,kBAAkB;IAClC,EAAE,EAAE,IAAI,CAAC;IACT,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,IAAI,GAAG,IAAI,CAAC;IACtB;;;;;;;;OAQG;IACH,iBAAiB,EAAE,KAAK,CAAC,eAAe,CAAC,CAAC;CAC1C;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,eAAO,MAAM,mBAAmB,GAC/B,MAAM,SAAS,EACf,WAAW,IAAI,EACf,UAAU,IAAI,EACd,YAAY,IAAI,GAAG,IAAI,EACvB,SAAS,MAAM,GAAG,IAAI,KACpB,OAAO,CAAC,kBAAkB,GAAG,IAAI,CAsCnC,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,kCAAkC,GAC9C,MAAM,SAAS,EACf,UAAU,MAAM,KACd,OAAO,CAAC,KAAK,CAAC,MAAM,CAAC,CASvB,CAAC;AAEF;;;;;;;;;GASG;AACH,eAAO,MAAM,qBAAqB,GACjC,MAAM,SAAS,EACf,UAAU,MAAM,EAChB,MAAM,MAAM,EACZ,WAAW,MAAM,GAAG,IAAI,KACtB,OAAO,CAAC,OAAO,CAajB,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,2BAA2B,GACvC,MAAM,SAAS,EACf,UAAU,MAAM,KACd,OAAO,CAAC,KAAK,CAAC,MAAM,CAAC,CAKvB,CAAC;AAEF;;;;;;;;GAQG;AACH,eAAO,MAAM,qCAAqC,GACjD,MAAM,SAAS,EACf,MAAM,MAAM,KACV,OAAO,CAAC,MAAM,GAAG,IAAI,CAavB,CAAC;AAEF,yHAAyH;AACzH,MAAM,WAAW,gBAAgB;IAChC;;;;OAIG;IACH,OAAO,EAAE,KAAK,CAAC;QAAC,SAAS,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;QAAC,UAAU,EAAE,MAAM,CAAA;KAAC,CAAC,CAAC;IAC/F;;;;;OAKG;IACH,iBAAiB,EAAE,KAAK,CAAC,eAAe,CAAC,CAAC;CAC1C;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,eAAO,MAAM,wBAAwB,GACpC,MAAM,SAAS,EACf,UAAU,MAAM,EAChB,MAAM,MAAM,EACZ,YAAY,MAAM,GAAG,IAAI,EACzB,SAAS,MAAM,GAAG,IAAI,KACpB,OAAO,CAAC,gBAAgB,CA2C1B,CAAC"}
+{"version":3,"file":"permit_queries.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/permit_queries.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAC,IAAI,EAAC,MAAM,wBAAwB,CAAC;AAEjD,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,qBAAqB,CAAC;AACnD,OAAO,KAAK,EAAC,MAAM,EAAE,gBAAgB,EAAC,MAAM,qBAAqB,CAAC;AAElE,OAAO,EAAmC,KAAK,eAAe,EAAC,MAAM,0BAA0B,CAAC;AAEhG;;;;;;;;;;;;;;GAcG;AACH,eAAO,MAAM,kBAAkB,GAC9B,MAAM,SAAS,EACf,OAAO,gBAAgB,KACrB,OAAO,CAAC,MAAM,CA4BhB,CAAC;AAEF;;;;;;;;;;;;;;;GAeG;AACH,eAAO,MAAM,uCAAuC,GACnD,MAAM,SAAS,EACf,WAAW,MAAM,EACjB,UAAU,MAAM,KACd,OAAO,CAAC;IAAC,IAAI,EAAE,MAAM,CAAA;CAAC,GAAG,IAAI,CAO/B,CAAC;AAEF,6GAA6G;AAC7G,MAAM,WAAW,kBAAkB;IAClC,EAAE,EAAE,IAAI,CAAC;IACT,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,IAAI,GAAG,IAAI,CAAC;IACtB;;;;;;;;OAQG;IACH,iBAAiB,EAAE,KAAK,CAAC,eAAe,CAAC,CAAC;CAC1C;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,eAAO,MAAM,mBAAmB,GAC/B,MAAM,SAAS,EACf,WAAW,IAAI,EACf,UAAU,IAAI,EACd,YAAY,IAAI,GAAG,IAAI,EACvB,SAAS,MAAM,GAAG,IAAI,KACpB,OAAO,CAAC,kBAAkB,GAAG,IAAI,CAsCnC,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,kCAAkC,GAC9C,MAAM,SAAS,EACf,UAAU,MAAM,KACd,OAAO,CAAC,KAAK,CAAC,MAAM,CAAC,CASvB,CAAC;AAEF;;;;;;;;;GASG;AACH,eAAO,MAAM,qBAAqB,GACjC,MAAM,SAAS,EACf,UAAU,MAAM,EAChB,MAAM,MAAM,EACZ,WAAW,MAAM,GAAG,IAAI,KACtB,OAAO,CAAC,OAAO,CAajB,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,2BAA2B,GACvC,MAAM,SAAS,EACf,UAAU,MAAM,KACd,OAAO,CAAC,KAAK,CAAC,MAAM,CAAC,CAKvB,CAAC;AAEF;;;;;;;;GAQG;AACH,eAAO,MAAM,qCAAqC,GACjD,MAAM,SAAS,EACf,MAAM,MAAM,KACV,OAAO,CAAC,MAAM,GAAG,IAAI,CAavB,CAAC;AAEF,sIAAsI;AACtI,MAAM,WAAW,oBAAoB;IACpC;;;;OAIG;IACH,OAAO,EAAE,KAAK,CAAC;QAAC,SAAS,EAAE,IAAI,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,IAAI,CAAC;QAAC,UAAU,EAAE,IAAI,CAAA;KAAC,CAAC,CAAC;IAClF;;;;;;;;;;OAUG;IACH,iBAAiB,EAAE,KAAK,CAAC,eAAe,CAAC,CAAC;CAC1C;AAED;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,eAAO,MAAM,6BAA6B,GACzC,MAAM,SAAS,EACf,UAAU,IAAI,EACd,YAAY,IAAI,GAAG,IAAI,EACvB,SAAS,MAAM,GAAG,IAAI,KACpB,OAAO,CAAC,oBAAoB,CA2C9B,CAAC;AAEF,yHAAyH;AACzH,MAAM,WAAW,gBAAgB;IAChC;;;;OAIG;IACH,OAAO,EAAE,KAAK,CAAC;QAAC,SAAS,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;QAAC,UAAU,EAAE,MAAM,CAAA;KAAC,CAAC,CAAC;IAC/F;;;;;OAKG;IACH,iBAAiB,EAAE,KAAK,CAAC,eAAe,CAAC,CAAC;CAC1C;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,eAAO,MAAM,wBAAwB,GACpC,MAAM,SAAS,EACf,UAAU,MAAM,EAChB,MAAM,MAAM,EACZ,YAAY,MAAM,GAAG,IAAI,EACzB,SAAS,MAAM,GAAG,IAAI,KACpB,OAAO,CAAC,gBAAgB,CA2C1B,CAAC"}

package/dist/auth/permit_queries.js

@@ -178,6 +178,61 @@ export const query_permit_find_account_id_for_role = async (deps, role) => {
 		 LIMIT 1`, [role]);
     return row?.account_id ?? null;
 };
+/**
+ * Revoke every active permit bound to a scope and supersede every pending
+ * offer at the scope, in one cascade.
+ *
+ * Use this from a consumer's parent-scope delete handler (e.g., classroom
+ * deletion) — `permit.scope_id` and `permit_offer.scope_id` are polymorphic
+ * with no FK constraint by design, so a parent row deletion would otherwise
+ * orphan permits and offers. The cascade is **role-agnostic**: anything
+ * attached to the destroyed scope is cleaned up.
+ *
+ * Both updates run as separate statements inside the caller's transaction
+ * (mirrors `query_permit_revoke_role`'s shape). The two halves are
+ * independent — orphan pending offers can exist at a scope with no active
+ * permits, so the supersede half always runs even when no permit was
+ * revoked.
+ *
+ * @param deps - query dependencies
+ * @param scope_id - the scope whose permits and offers to terminate
+ * @param revoked_by - the actor performing the cascade (audit trail)
+ * @param reason - optional free-form reason, stamped on `permit.revoked_reason`.
+ * @returns the revoked permits (with `account_id` for fan-out) and superseded offers (with `from_account_id` for fan-out)
+ */
+export const query_permit_revoke_for_scope = async (deps, scope_id, revoked_by, reason) => {
+    // Revoke every active permit at the scope. CTE pulls `account_id` via a
+    // join on `actor` so callers fan out `permit_revoke` notifications without
+    // an extra round-trip.
+    const revoked = await deps.db.query(`WITH updated AS (
+			UPDATE permit
+			SET revoked_at = NOW(), revoked_by = $2, revoked_reason = $3
+			WHERE scope_id = $1 AND revoked_at IS NULL
+			RETURNING id, role, scope_id, actor_id
+		)
+		SELECT u.id AS permit_id, u.role, u.scope_id, a.account_id
+		FROM updated u
+		JOIN actor a ON a.id = u.actor_id`, [scope_id, revoked_by ?? null, reason ?? null]);
+    // Supersede every pending offer at the scope — tuple-matched or orphan,
+    // no distinction. The cause of every supersede in this cascade is the
+    // scope deletion; offers tuple-matched to a revoked permit are not
+    // tagged separately because the revoke is itself a consequence of the
+    // scope going away.
+    const superseded_offers = await deps.db.query(`WITH updated AS (
+			UPDATE permit_offer o
+			SET superseded_at = NOW()
+			WHERE o.scope_id = $1
+			  AND o.accepted_at IS NULL
+			  AND o.declined_at IS NULL
+			  AND o.retracted_at IS NULL
+			  AND o.superseded_at IS NULL
+			RETURNING o.*
+		)
+		SELECT u.*, grantor.account_id AS from_account_id
+		FROM updated u
+		JOIN actor grantor ON grantor.id = u.from_actor_id`, [scope_id]);
+    return { revoked, superseded_offers };
+};
 /**
  * Revoke every active permit an actor holds for a given role.
  *

package/dist/auth/self_service_role_action_specs.d.ts

@@ -0,0 +1,83 @@
+/**
+ * Self-service role grant/revoke action specs — schemas, error reasons,
+ * and the codegen-ready registry.
+ *
+ * Client-safe: no query-layer or audit-write imports. Handler factory
+ * lives in `self_service_role_actions.ts`.
+ *
+ * @module
+ */
+import { z } from 'zod';
+import type { RequestResponseActionSpec } from '../actions/action_spec.js';
+/** Error reason — caller asked to self-toggle a role outside the configured allowlist. */
+export declare const ERROR_ROLE_NOT_SELF_SERVICE_ELIGIBLE: "role_not_self_service_eligible";
+/** Input for `self_service_role_grant`. */
+export declare const SelfServiceRoleGrantInput: z.ZodObject<{
+    role: z.ZodString;
+}, z.core.$strict>;
+export type SelfServiceRoleGrantInput = z.infer<typeof SelfServiceRoleGrantInput>;
+/**
+ * Output for `self_service_role_grant`. `granted` is `false` on idempotent
+ * re-grant (caller already held the role globally); `permit_id` is set on
+ * new grants only.
+ */
+export declare const SelfServiceRoleGrantOutput: z.ZodObject<{
+    ok: z.ZodLiteral<true>;
+    granted: z.ZodBoolean;
+    permit_id: z.ZodOptional<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+}, z.core.$strict>;
+export type SelfServiceRoleGrantOutput = z.infer<typeof SelfServiceRoleGrantOutput>;
+/** Input for `self_service_role_revoke`. */
+export declare const SelfServiceRoleRevokeInput: z.ZodObject<{
+    role: z.ZodString;
+}, z.core.$strict>;
+export type SelfServiceRoleRevokeInput = z.infer<typeof SelfServiceRoleRevokeInput>;
+/**
+ * Output for `self_service_role_revoke`. `revoked` is `false` when the
+ * caller held no active global permit for the role (idempotent).
+ */
+export declare const SelfServiceRoleRevokeOutput: z.ZodObject<{
+    ok: z.ZodLiteral<true>;
+    revoked: z.ZodBoolean;
+}, z.core.$strict>;
+export type SelfServiceRoleRevokeOutput = z.infer<typeof SelfServiceRoleRevokeOutput>;
+export declare const self_service_role_grant_action_spec: {
+    method: string;
+    kind: "request_response";
+    initiator: "frontend";
+    auth: "authenticated";
+    side_effects: true;
+    input: z.ZodObject<{
+        role: z.ZodString;
+    }, z.core.$strict>;
+    output: z.ZodObject<{
+        ok: z.ZodLiteral<true>;
+        granted: z.ZodBoolean;
+        permit_id: z.ZodOptional<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+    }, z.core.$strict>;
+    async: true;
+    description: string;
+};
+export declare const self_service_role_revoke_action_spec: {
+    method: string;
+    kind: "request_response";
+    initiator: "frontend";
+    auth: "authenticated";
+    side_effects: true;
+    input: z.ZodObject<{
+        role: z.ZodString;
+    }, z.core.$strict>;
+    output: z.ZodObject<{
+        ok: z.ZodLiteral<true>;
+        revoked: z.ZodBoolean;
+    }, z.core.$strict>;
+    async: true;
+    description: string;
+};
+/**
+ * All self-service role action specs — a codegen-ready registry. Method
+ * names are static, so consumer typed-client codegen picks them up the
+ * same way it picks up `account_*_action_specs`.
+ */
+export declare const all_self_service_role_action_specs: Array<RequestResponseActionSpec>;
+//# sourceMappingURL=self_service_role_action_specs.d.ts.map

package/dist/auth/self_service_role_action_specs.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"self_service_role_action_specs.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/self_service_role_action_specs.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAGtB,OAAO,KAAK,EAAC,yBAAyB,EAAC,MAAM,2BAA2B,CAAC;AAGzE,0FAA0F;AAC1F,eAAO,MAAM,oCAAoC,EAAG,gCAAyC,CAAC;AAE9F,2CAA2C;AAC3C,eAAO,MAAM,yBAAyB;;kBAEpC,CAAC;AACH,MAAM,MAAM,yBAAyB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,yBAAyB,CAAC,CAAC;AAElF;;;;GAIG;AACH,eAAO,MAAM,0BAA0B;;;;kBAIrC,CAAC;AACH,MAAM,MAAM,0BAA0B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,0BAA0B,CAAC,CAAC;AAEpF,4CAA4C;AAC5C,eAAO,MAAM,0BAA0B;;kBAErC,CAAC;AACH,MAAM,MAAM,0BAA0B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,0BAA0B,CAAC,CAAC;AAEpF;;;GAGG;AACH,eAAO,MAAM,2BAA2B;;;kBAGtC,CAAC;AACH,MAAM,MAAM,2BAA2B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,2BAA2B,CAAC,CAAC;AAEtF,eAAO,MAAM,mCAAmC;;;;;;;;;;;;;;;;CAWX,CAAC;AAEtC,eAAO,MAAM,oCAAoC;;;;;;;;;;;;;;;CAWZ,CAAC;AAEtC;;;;GAIG;AACH,eAAO,MAAM,kCAAkC,EAAE,KAAK,CAAC,yBAAyB,CAG/E,CAAC"}

package/dist/auth/self_service_role_action_specs.js

@@ -0,0 +1,71 @@
+/**
+ * Self-service role grant/revoke action specs — schemas, error reasons,
+ * and the codegen-ready registry.
+ *
+ * Client-safe: no query-layer or audit-write imports. Handler factory
+ * lives in `self_service_role_actions.ts`.
+ *
+ * @module
+ */
+import { z } from 'zod';
+import { Uuid } from '@fuzdev/fuz_util/id.js';
+import { RoleName } from './role_schema.js';
+/** Error reason — caller asked to self-toggle a role outside the configured allowlist. */
+export const ERROR_ROLE_NOT_SELF_SERVICE_ELIGIBLE = 'role_not_self_service_eligible';
+/** Input for `self_service_role_grant`. */
+export const SelfServiceRoleGrantInput = z.strictObject({
+    role: RoleName.meta({ description: 'Role to self-grant. Must be in the configured allowlist.' }),
+});
+/**
+ * Output for `self_service_role_grant`. `granted` is `false` on idempotent
+ * re-grant (caller already held the role globally); `permit_id` is set on
+ * new grants only.
+ */
+export const SelfServiceRoleGrantOutput = z.strictObject({
+    ok: z.literal(true),
+    granted: z.boolean(),
+    permit_id: Uuid.optional(),
+});
+/** Input for `self_service_role_revoke`. */
+export const SelfServiceRoleRevokeInput = z.strictObject({
+    role: RoleName.meta({ description: 'Role to self-revoke. Must be in the configured allowlist.' }),
+});
+/**
+ * Output for `self_service_role_revoke`. `revoked` is `false` when the
+ * caller held no active global permit for the role (idempotent).
+ */
+export const SelfServiceRoleRevokeOutput = z.strictObject({
+    ok: z.literal(true),
+    revoked: z.boolean(),
+});
+export const self_service_role_grant_action_spec = {
+    method: 'self_service_role_grant',
+    kind: 'request_response',
+    initiator: 'frontend',
+    auth: 'authenticated',
+    side_effects: true,
+    input: SelfServiceRoleGrantInput,
+    output: SelfServiceRoleGrantOutput,
+    async: true,
+    description: 'Self-grant an active permit for an allowlisted role. Idempotent — already-granted callers receive `granted: false`.',
+};
+export const self_service_role_revoke_action_spec = {
+    method: 'self_service_role_revoke',
+    kind: 'request_response',
+    initiator: 'frontend',
+    auth: 'authenticated',
+    side_effects: true,
+    input: SelfServiceRoleRevokeInput,
+    output: SelfServiceRoleRevokeOutput,
+    async: true,
+    description: 'Self-revoke an active global permit for an allowlisted role. Idempotent — callers without an active permit receive `revoked: false`.',
+};
+/**
+ * All self-service role action specs — a codegen-ready registry. Method
+ * names are static, so consumer typed-client codegen picks them up the
+ * same way it picks up `account_*_action_specs`.
+ */
+export const all_self_service_role_action_specs = [
+    self_service_role_grant_action_spec,
+    self_service_role_revoke_action_spec,
+];

package/dist/auth/self_service_role_actions.d.ts

@@ -0,0 +1,67 @@
+/**
+ * Self-service role grant/revoke RPC actions.
+ *
+ * Two static `request_response` actions — `self_service_role_grant` and
+ * `self_service_role_revoke` — that take `{role}` as input and toggle a
+ * permit on the caller for an allowlisted role. Idempotent in both
+ * directions: re-granting an already-held role returns `granted: false`;
+ * revoking a role the caller doesn't hold returns `revoked: false`.
+ *
+ * The factory takes an `eligible_roles` allowlist (validated against the
+ * supplied `roles.role_options` at factory time so typos surface at startup
+ * instead of at first call). Roles outside the allowlist are rejected
+ * with `forbidden` + reason `role_not_self_service_eligible`.
+ *
+ * Audit metadata carries `self_service: true` so admin reviewers can
+ * distinguish self-toggled permits from admin grants/offers. The
+ * `permit_grant` / `permit_revoke` metadata schemas declare
+ * `self_service: z.boolean().optional()` explicitly, so the field is
+ * part of the documented schema surface and is round-trip-validated by
+ * `query_audit_log`.
+ *
+ * Static method names — `role` lives in the input, not the method name —
+ * so specs are codegen-compatible (`satisfies RequestResponseActionSpec`)
+ * and the surface stays constant as consumers add eligible roles. Mirrors
+ * the existing `permit_offer_create({role})` precedent rather than
+ * generating per-role methods.
+ *
+ * Specs and schemas live in `self_service_role_action_specs.ts` so
+ * client-side codegen can import the surface without dragging in the
+ * query layer.
+ *
+ * @module
+ */
+import { type RpcAction } from '../actions/action_rpc.js';
+import type { RoleSchemaResult } from './role_schema.js';
+import type { RouteFactoryDeps } from './deps.js';
+/** Options for `create_self_service_role_actions`. */
+export interface SelfServiceRoleActionsOptions {
+    /**
+     * Allowlist of role strings eligible for self-service. Empty array
+     * effectively disables the surface — every call comes back as
+     * `forbidden` with reason `role_not_self_service_eligible`.
+     */
+    eligible_roles: ReadonlyArray<string>;
+    /**
+     * Optional role schema. When supplied, `eligible_roles` entries are
+     * checked against `roles.role_options` at factory time so typos throw
+     * at startup instead of at first call.
+     */
+    roles?: RoleSchemaResult;
+}
+/**
+ * Dependencies for `create_self_service_role_actions`. Same shape as the
+ * peer factories so consumers thread one deps object through all three.
+ * `audit_log_config` flows from `AppDeps` and is consumed by
+ * `audit_log_fire_and_forget`.
+ */
+export type SelfServiceRoleActionDeps = Pick<RouteFactoryDeps, 'log' | 'on_audit_event' | 'audit_log_config'>;
+/**
+ * Build the self-service role grant/revoke RPC actions.
+ *
+ * @param deps - `SelfServiceRoleActionDeps` slice of `AppDeps` (`log`, `on_audit_event`, optional `audit_log_config`)
+ * @param options - eligible-role allowlist plus optional role schema for typo-checking
+ * @returns the `RpcAction` array to spread into a `create_rpc_endpoint` call
+ */
+export declare const create_self_service_role_actions: (deps: SelfServiceRoleActionDeps, options: SelfServiceRoleActionsOptions) => Array<RpcAction>;
+//# sourceMappingURL=self_service_role_actions.d.ts.map

package/dist/auth/self_service_role_actions.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"self_service_role_actions.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/self_service_role_actions.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAgCG;AAEH,OAAO,EAAiC,KAAK,SAAS,EAAC,MAAM,0BAA0B,CAAC;AAExF,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,kBAAkB,CAAC;AACvD,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,WAAW,CAAC;AAmBhD,sDAAsD;AACtD,MAAM,WAAW,6BAA6B;IAC7C;;;;OAIG;IACH,cAAc,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IACtC;;;;OAIG;IACH,KAAK,CAAC,EAAE,gBAAgB,CAAC;CACzB;AAED;;;;;GAKG;AACH,MAAM,MAAM,yBAAyB,GAAG,IAAI,CAC3C,gBAAgB,EAChB,KAAK,GAAG,gBAAgB,GAAG,kBAAkB,CAC7C,CAAC;AAOF;;;;;;GAMG;AACH,eAAO,MAAM,gCAAgC,GAC5C,MAAM,yBAAyB,EAC/B,SAAS,6BAA6B,KACpC,KAAK,CAAC,SAAS,CAqHjB,CAAC"}

package/dist/auth/self_service_role_actions.js

@@ -0,0 +1,139 @@
+/**
+ * Self-service role grant/revoke RPC actions.
+ *
+ * Two static `request_response` actions — `self_service_role_grant` and
+ * `self_service_role_revoke` — that take `{role}` as input and toggle a
+ * permit on the caller for an allowlisted role. Idempotent in both
+ * directions: re-granting an already-held role returns `granted: false`;
+ * revoking a role the caller doesn't hold returns `revoked: false`.
+ *
+ * The factory takes an `eligible_roles` allowlist (validated against the
+ * supplied `roles.role_options` at factory time so typos surface at startup
+ * instead of at first call). Roles outside the allowlist are rejected
+ * with `forbidden` + reason `role_not_self_service_eligible`.
+ *
+ * Audit metadata carries `self_service: true` so admin reviewers can
+ * distinguish self-toggled permits from admin grants/offers. The
+ * `permit_grant` / `permit_revoke` metadata schemas declare
+ * `self_service: z.boolean().optional()` explicitly, so the field is
+ * part of the documented schema surface and is round-trip-validated by
+ * `query_audit_log`.
+ *
+ * Static method names — `role` lives in the input, not the method name —
+ * so specs are codegen-compatible (`satisfies RequestResponseActionSpec`)
+ * and the surface stays constant as consumers add eligible roles. Mirrors
+ * the existing `permit_offer_create({role})` precedent rather than
+ * generating per-role methods.
+ *
+ * Specs and schemas live in `self_service_role_action_specs.ts` so
+ * client-side codegen can import the surface without dragging in the
+ * query layer.
+ *
+ * @module
+ */
+import { rpc_action } from '../actions/action_rpc.js';
+import { jsonrpc_errors } from '../http/jsonrpc_errors.js';
+import { query_grant_permit, query_permit_find_active_for_actor, query_permit_has_role, query_revoke_permit, } from './permit_queries.js';
+import { audit_log_fire_and_forget } from './audit_log_queries.js';
+import { ERROR_ROLE_NOT_SELF_SERVICE_ELIGIBLE, self_service_role_grant_action_spec, self_service_role_revoke_action_spec, } from './self_service_role_action_specs.js';
+const require_request_auth = (auth) => {
+    if (!auth)
+        throw new Error('unreachable: action auth guard did not enforce authentication');
+    return auth;
+};
+/**
+ * Build the self-service role grant/revoke RPC actions.
+ *
+ * @param deps - `SelfServiceRoleActionDeps` slice of `AppDeps` (`log`, `on_audit_event`, optional `audit_log_config`)
+ * @param options - eligible-role allowlist plus optional role schema for typo-checking
+ * @returns the `RpcAction` array to spread into a `create_rpc_endpoint` call
+ */
+export const create_self_service_role_actions = (deps, options) => {
+    const eligible = new Set(options.eligible_roles);
+    if (options.roles) {
+        const role_options = options.roles.role_options;
+        for (const r of eligible) {
+            if (!role_options.has(r)) {
+                throw new Error(`create_self_service_role_actions: eligible_roles entry "${r}" is not registered in roles.role_options — typo or missing call to create_role_schema`);
+            }
+        }
+    }
+    const reject_if_ineligible = (role) => {
+        if (!eligible.has(role)) {
+            throw jsonrpc_errors.forbidden('role not eligible for self-service', {
+                reason: ERROR_ROLE_NOT_SELF_SERVICE_ELIGIBLE,
+            });
+        }
+    };
+    const grant_handler = async (input, ctx) => {
+        const auth = require_request_auth(ctx.auth);
+        reject_if_ineligible(input.role);
+        // Pre-check for idempotent re-grant. `query_grant_permit` is itself
+        // idempotent (returns the existing permit instead of inserting), but
+        // it doesn't signal "already existed" vs "newly inserted" — so we
+        // peek first. The TOCTOU window is benign for self-service: two
+        // concurrent grants both observe "no permit", both call
+        // `query_grant_permit`, and one collapses onto the other inside the
+        // query's `ON CONFLICT DO NOTHING`. Worst case both responses report
+        // `granted: true`; the DB still ends up with exactly one permit.
+        const already = await query_permit_has_role(ctx, auth.actor.id, input.role);
+        if (already) {
+            return { ok: true, granted: false };
+        }
+        const permit = await query_grant_permit(ctx, {
+            actor_id: auth.actor.id,
+            role: input.role,
+            scope_id: null,
+            expires_at: null,
+            granted_by: auth.actor.id,
+        });
+        void audit_log_fire_and_forget(ctx, {
+            event_type: 'permit_grant',
+            actor_id: auth.actor.id,
+            account_id: auth.account.id,
+            ip: ctx.client_ip,
+            metadata: {
+                role: permit.role,
+                permit_id: permit.id,
+                scope_id: permit.scope_id,
+                self_service: true,
+            },
+        }, deps);
+        return { ok: true, granted: true, permit_id: permit.id };
+    };
+    const revoke_handler = async (input, ctx) => {
+        const auth = require_request_auth(ctx.auth);
+        reject_if_ineligible(input.role);
+        // Find an active global permit for this (actor, role). No dedicated
+        // query exists, but `query_permit_find_active_for_actor` returns the
+        // short list of every active permit and we filter in JS — fewer
+        // round-trips than a new helper for a one-call-per-revoke path.
+        const active = await query_permit_find_active_for_actor(ctx, auth.actor.id);
+        const target = active.find((p) => p.role === input.role && p.scope_id === null);
+        if (!target) {
+            return { ok: true, revoked: false };
+        }
+        const result = await query_revoke_permit(ctx, target.id, auth.actor.id, auth.actor.id);
+        if (!result) {
+            // Raced with another revoker — treat as already revoked.
+            return { ok: true, revoked: false };
+        }
+        void audit_log_fire_and_forget(ctx, {
+            event_type: 'permit_revoke',
+            actor_id: auth.actor.id,
+            account_id: auth.account.id,
+            ip: ctx.client_ip,
+            metadata: {
+                role: result.role,
+                permit_id: result.id,
+                scope_id: result.scope_id,
+                self_service: true,
+            },
+        }, deps);
+        return { ok: true, revoked: true };
+    };
+    return [
+        rpc_action(self_service_role_grant_action_spec, grant_handler),
+        rpc_action(self_service_role_revoke_action_spec, revoke_handler),
+    ];
+};

package/dist/auth/signup_routes.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"signup_routes.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/signup_routes.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAStB,OAAO,EAAkB,KAAK,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAEtE,OAAO,EAA+B,KAAK,WAAW,EAAC,MAAM,oBAAoB,CAAC;AAClF,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,WAAW,CAAC;AAQhD,OAAO,KAAK,EAAC,WAAW,EAAC,MAAM,0BAA0B,CAAC;AAE1D,OAAO,KAAK,EAAC,uBAAuB,EAAC,MAAM,qBAAqB,CAAC;AAEjE;;GAEG;AACH,MAAM,WAAW,kBAAmB,SAAQ,uBAAuB;IAClE,6FAA6F;IAC7F,2BAA2B,EAAE,WAAW,GAAG,IAAI,CAAC;IAChD,yFAAyF;IACzF,YAAY,EAAE,WAAW,CAAC;CAC1B;AAID,0FAA0F;AAC1F,eAAO,MAAM,WAAW;;;;kBAItB,CAAC;AACH,MAAM,MAAM,WAAW,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,WAAW,CAAC,CAAC;AAEtD,8EAA8E;AAC9E,eAAO,MAAM,YAAY;;kBAEvB,CAAC;AACH,MAAM,MAAM,YAAY,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,YAAY,CAAC,CAAC;AAExD;;;;;;GAMG;AACH,eAAO,MAAM,yBAAyB,GACrC,MAAM,gBAAgB,EACtB,SAAS,kBAAkB,KACzB,KAAK,CAAC,SAAS,CA4HjB,CAAC"}
+{"version":3,"file":"signup_routes.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/signup_routes.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAStB,OAAO,EAAkB,KAAK,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAEtE,OAAO,EAA+B,KAAK,WAAW,EAAC,MAAM,oBAAoB,CAAC;AAClF,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,WAAW,CAAC;AAQhD,OAAO,KAAK,EAAC,WAAW,EAAC,MAAM,0BAA0B,CAAC;AAE1D,OAAO,KAAK,EAAC,uBAAuB,EAAC,MAAM,qBAAqB,CAAC;AAEjE;;GAEG;AACH,MAAM,WAAW,kBAAmB,SAAQ,uBAAuB;IAClE,6FAA6F;IAC7F,2BAA2B,EAAE,WAAW,GAAG,IAAI,CAAC;IAChD,yFAAyF;IACzF,YAAY,EAAE,WAAW,CAAC;CAC1B;AAID,0FAA0F;AAC1F,eAAO,MAAM,WAAW;;;;kBAItB,CAAC;AACH,MAAM,MAAM,WAAW,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,WAAW,CAAC,CAAC;AAEtD,8EAA8E;AAC9E,eAAO,MAAM,YAAY;;kBAEvB,CAAC;AACH,MAAM,MAAM,YAAY,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,YAAY,CAAC,CAAC;AAExD;;;;;;GAMG;AACH,eAAO,MAAM,yBAAyB,GACrC,MAAM,gBAAgB,EACtB,SAAS,kBAAkB,KACzB,KAAK,CAAC,SAAS,CA2HjB,CAAC"}