@fuzdev/fuz_app 0.42.0 → 0.44.0

package/dist/auth/account_action_specs.js

@@ -13,9 +13,9 @@ import { AuthSessionJson, ClientApiTokenJson, SessionAccountJson } from './accou
 import { ApiTokenId } from './api_token.js';
 // -- Input/output schemas ---------------------------------------------------
 /** Input for `account_verify`. No parameters — the caller is the subject. */
-export const VerifyInput = z.null();
+export const VerifyInput = z.void();
 /** Input for `account_session_list`. No parameters. */
-export const SessionListInput = z.null();
+export const SessionListInput = z.void();
 /** Output for `account_session_list`. */
 export const SessionListOutput = z.strictObject({
     sessions: z.array(AuthSessionJson),
@@ -30,7 +30,7 @@ export const SessionRevokeOutput = z.strictObject({
     revoked: z.boolean(),
 });
 /** Input for `account_session_revoke_all`. No parameters. */
-export const SessionRevokeAllInput = z.null();
+export const SessionRevokeAllInput = z.void();
 /** Output for `account_session_revoke_all`. */
 export const SessionRevokeAllOutput = z.strictObject({
     ok: z.literal(true),
@@ -51,7 +51,7 @@ export const TokenCreateOutput = z.strictObject({
     name: z.string(),
 });
 /** Input for `account_token_list`. No parameters. */
-export const TokenListInput = z.null();
+export const TokenListInput = z.void();
 /** Output for `account_token_list`. Hashes are excluded. */
 export const TokenListOutput = z.strictObject({
     tokens: z.array(ClientApiTokenJson),

package/dist/auth/admin_action_specs.d.ts

@@ -20,7 +20,7 @@ import type { RequestResponseActionSpec } from '../actions/action_spec.js';
 /** Max audit-log page size. Mirrors the former REST route's clamp. */
 export declare const AUDIT_LOG_LIST_LIMIT_MAX = 200;
 /** Input for `admin_account_list`. No parameters — the caller is the subject. */
-export declare const AdminAccountListInput: z.ZodNull;
+export declare const AdminAccountListInput: z.ZodVoid;
 export type AdminAccountListInput = z.infer<typeof AdminAccountListInput>;
 /** Output for `admin_account_list`. */
 export declare const AdminAccountListOutput: z.ZodObject<{
@@ -60,7 +60,7 @@ export declare const AdminAccountListOutput: z.ZodObject<{
 }, z.core.$strict>;
 export type AdminAccountListOutput = z.infer<typeof AdminAccountListOutput>;
 /** Input for `admin_session_list`. No parameters — reads every active session. */
-export declare const AdminSessionListInput: z.ZodNull;
+export declare const AdminSessionListInput: z.ZodVoid;
 export type AdminSessionListInput = z.infer<typeof AdminSessionListInput>;
 /** Output for `admin_session_list`. Cross-account listing; fan-out already scoped by role auth. */
 export declare const AdminSessionListOutput: z.ZodObject<{
@@ -183,7 +183,7 @@ export declare const InviteCreateOutput: z.ZodObject<{
 }, z.core.$strict>;
 export type InviteCreateOutput = z.infer<typeof InviteCreateOutput>;
 /** Input for `invite_list`. */
-export declare const InviteListInput: z.ZodNull;
+export declare const InviteListInput: z.ZodVoid;
 export type InviteListInput = z.infer<typeof InviteListInput>;
 /** Output for `invite_list`. Uses the enriched row including creator/claimer usernames. */
 export declare const InviteListOutput: z.ZodObject<{
@@ -211,7 +211,7 @@ export declare const InviteDeleteOutput: z.ZodObject<{
 }, z.core.$strict>;
 export type InviteDeleteOutput = z.infer<typeof InviteDeleteOutput>;
 /** Input for `app_settings_get`. No parameters. */
-export declare const AppSettingsGetInput: z.ZodNull;
+export declare const AppSettingsGetInput: z.ZodVoid;
 export type AppSettingsGetInput = z.infer<typeof AppSettingsGetInput>;
 /** Output for `app_settings_get`. */
 export declare const AppSettingsGetOutput: z.ZodObject<{
@@ -247,7 +247,7 @@ export declare const admin_account_list_action_spec: {
         role: string;
     };
     side_effects: false;
-    input: z.ZodNull;
+    input: z.ZodVoid;
     output: z.ZodObject<{
         accounts: z.ZodArray<z.ZodObject<{
             account: z.ZodObject<{
@@ -294,7 +294,7 @@ export declare const admin_session_list_action_spec: {
         role: string;
     };
     side_effects: false;
-    input: z.ZodNull;
+    input: z.ZodVoid;
     output: z.ZodObject<{
         sessions: z.ZodArray<z.ZodObject<{
             id: z.ZodString;
@@ -454,7 +454,7 @@ export declare const invite_list_action_spec: {
         role: string;
     };
     side_effects: false;
-    input: z.ZodNull;
+    input: z.ZodVoid;
     output: z.ZodObject<{
         invites: z.ZodArray<z.ZodObject<{
             id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
@@ -496,7 +496,7 @@ export declare const app_settings_get_action_spec: {
         role: string;
     };
     side_effects: false;
-    input: z.ZodNull;
+    input: z.ZodVoid;
     output: z.ZodObject<{
         settings: z.ZodObject<{
             open_signup: z.ZodBoolean;

package/dist/auth/admin_action_specs.js

@@ -26,14 +26,14 @@ import { AppSettingsWithUsernameJson } from './app_settings_schema.js';
 export const AUDIT_LOG_LIST_LIMIT_MAX = 200;
 // -- Input/output schemas ---------------------------------------------------
 /** Input for `admin_account_list`. No parameters — the caller is the subject. */
-export const AdminAccountListInput = z.null();
+export const AdminAccountListInput = z.void();
 /** Output for `admin_account_list`. */
 export const AdminAccountListOutput = z.strictObject({
     accounts: z.array(AdminAccountEntryJson),
     grantable_roles: z.array(RoleName),
 });
 /** Input for `admin_session_list`. No parameters — reads every active session. */
-export const AdminSessionListInput = z.null();
+export const AdminSessionListInput = z.void();
 /** Output for `admin_session_list`. Cross-account listing; fan-out already scoped by role auth. */
 export const AdminSessionListOutput = z.strictObject({
     sessions: z.array(AdminSessionJson),
@@ -116,7 +116,7 @@ export const InviteCreateOutput = z.strictObject({
     invite: InviteJson,
 });
 /** Input for `invite_list`. */
-export const InviteListInput = z.null();
+export const InviteListInput = z.void();
 /** Output for `invite_list`. Uses the enriched row including creator/claimer usernames. */
 export const InviteListOutput = z.strictObject({
     invites: z.array(InviteWithUsernamesJson),
@@ -130,7 +130,7 @@ export const InviteDeleteOutput = z.strictObject({
     ok: z.literal(true),
 });
 /** Input for `app_settings_get`. No parameters. */
-export const AppSettingsGetInput = z.null();
+export const AppSettingsGetInput = z.void();
 /** Output for `app_settings_get`. */
 export const AppSettingsGetOutput = z.strictObject({
     settings: AppSettingsWithUsernameJson,

package/dist/auth/self_service_role_action_specs.d.ts

@@ -1,5 +1,5 @@
 /**
- * Self-service role grant/revoke action specs — schemas, error reasons,
+ * Unified self-service role toggle action spec — schemas, error reasons,
  * and the codegen-ready registry.
  *
  * Client-safe: no query-layer or audit-write imports. Handler factory
@@ -11,54 +11,24 @@ import { z } from 'zod';
 import type { RequestResponseActionSpec } from '../actions/action_spec.js';
 /** Error reason — caller asked to self-toggle a role outside the configured allowlist. */
 export declare const ERROR_ROLE_NOT_SELF_SERVICE_ELIGIBLE: "role_not_self_service_eligible";
-/** Input for `self_service_role_grant`. */
-export declare const SelfServiceRoleGrantInput: z.ZodObject<{
+/** Input for `self_service_role_set`. */
+export declare const SelfServiceRoleSetInput: z.ZodObject<{
     role: z.ZodString;
+    enabled: z.ZodBoolean;
 }, z.core.$strict>;
-export type SelfServiceRoleGrantInput = z.infer<typeof SelfServiceRoleGrantInput>;
+export type SelfServiceRoleSetInput = z.infer<typeof SelfServiceRoleSetInput>;
 /**
- * Output for `self_service_role_grant`. `granted` is `false` on idempotent
- * re-grant (caller already held the role globally); `permit_id` is set on
- * new grants only.
+ * Output for `self_service_role_set`. `enabled` echoes the post-call state
+ * (always equals the input `enabled` on success). `changed` is `true` only
+ * when the call mutated — re-grants / re-revokes return `false`.
  */
-export declare const SelfServiceRoleGrantOutput: z.ZodObject<{
+export declare const SelfServiceRoleSetOutput: z.ZodObject<{
     ok: z.ZodLiteral<true>;
-    granted: z.ZodBoolean;
-    permit_id: z.ZodOptional<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+    enabled: z.ZodBoolean;
+    changed: z.ZodBoolean;
 }, z.core.$strict>;
-export type SelfServiceRoleGrantOutput = z.infer<typeof SelfServiceRoleGrantOutput>;
-/** Input for `self_service_role_revoke`. */
-export declare const SelfServiceRoleRevokeInput: z.ZodObject<{
-    role: z.ZodString;
-}, z.core.$strict>;
-export type SelfServiceRoleRevokeInput = z.infer<typeof SelfServiceRoleRevokeInput>;
-/**
- * Output for `self_service_role_revoke`. `revoked` is `false` when the
- * caller held no active global permit for the role (idempotent).
- */
-export declare const SelfServiceRoleRevokeOutput: z.ZodObject<{
-    ok: z.ZodLiteral<true>;
-    revoked: z.ZodBoolean;
-}, z.core.$strict>;
-export type SelfServiceRoleRevokeOutput = z.infer<typeof SelfServiceRoleRevokeOutput>;
-export declare const self_service_role_grant_action_spec: {
-    method: string;
-    kind: "request_response";
-    initiator: "frontend";
-    auth: "authenticated";
-    side_effects: true;
-    input: z.ZodObject<{
-        role: z.ZodString;
-    }, z.core.$strict>;
-    output: z.ZodObject<{
-        ok: z.ZodLiteral<true>;
-        granted: z.ZodBoolean;
-        permit_id: z.ZodOptional<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
-    }, z.core.$strict>;
-    async: true;
-    description: string;
-};
-export declare const self_service_role_revoke_action_spec: {
+export type SelfServiceRoleSetOutput = z.infer<typeof SelfServiceRoleSetOutput>;
+export declare const self_service_role_set_action_spec: {
     method: string;
     kind: "request_response";
     initiator: "frontend";
@@ -66,18 +36,20 @@ export declare const self_service_role_revoke_action_spec: {
     side_effects: true;
     input: z.ZodObject<{
         role: z.ZodString;
+        enabled: z.ZodBoolean;
     }, z.core.$strict>;
     output: z.ZodObject<{
         ok: z.ZodLiteral<true>;
-        revoked: z.ZodBoolean;
+        enabled: z.ZodBoolean;
+        changed: z.ZodBoolean;
     }, z.core.$strict>;
     async: true;
     description: string;
 };
 /**
- * All self-service role action specs — a codegen-ready registry. Method
- * names are static, so consumer typed-client codegen picks them up the
- * same way it picks up `account_*_action_specs`.
+ * All self-service role action specs — a codegen-ready registry. Single-element
+ * post-unification, kept for symmetry with the other `all_*_action_specs`
+ * exports so codegen and frontend bundles import the same shape.
  */
-export declare const all_self_service_role_action_specs: Array<RequestResponseActionSpec>;
+export declare const all_self_service_role_action_specs: ReadonlyArray<RequestResponseActionSpec>;
 //# sourceMappingURL=self_service_role_action_specs.d.ts.map

package/dist/auth/self_service_role_action_specs.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"self_service_role_action_specs.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/self_service_role_action_specs.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAGtB,OAAO,KAAK,EAAC,yBAAyB,EAAC,MAAM,2BAA2B,CAAC;AAGzE,0FAA0F;AAC1F,eAAO,MAAM,oCAAoC,EAAG,gCAAyC,CAAC;AAE9F,2CAA2C;AAC3C,eAAO,MAAM,yBAAyB;;kBAEpC,CAAC;AACH,MAAM,MAAM,yBAAyB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,yBAAyB,CAAC,CAAC;AAElF;;;;GAIG;AACH,eAAO,MAAM,0BAA0B;;;;kBAIrC,CAAC;AACH,MAAM,MAAM,0BAA0B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,0BAA0B,CAAC,CAAC;AAEpF,4CAA4C;AAC5C,eAAO,MAAM,0BAA0B;;kBAErC,CAAC;AACH,MAAM,MAAM,0BAA0B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,0BAA0B,CAAC,CAAC;AAEpF;;;GAGG;AACH,eAAO,MAAM,2BAA2B;;;kBAGtC,CAAC;AACH,MAAM,MAAM,2BAA2B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,2BAA2B,CAAC,CAAC;AAEtF,eAAO,MAAM,mCAAmC;;;;;;;;;;;;;;;;CAWX,CAAC;AAEtC,eAAO,MAAM,oCAAoC;;;;;;;;;;;;;;;CAWZ,CAAC;AAEtC;;;;GAIG;AACH,eAAO,MAAM,kCAAkC,EAAE,KAAK,CAAC,yBAAyB,CAG/E,CAAC"}
+{"version":3,"file":"self_service_role_action_specs.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/self_service_role_action_specs.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAEtB,OAAO,KAAK,EAAC,yBAAyB,EAAC,MAAM,2BAA2B,CAAC;AAGzE,0FAA0F;AAC1F,eAAO,MAAM,oCAAoC,EAAG,gCAAyC,CAAC;AAE9F,yCAAyC;AACzC,eAAO,MAAM,uBAAuB;;;kBAMlC,CAAC;AACH,MAAM,MAAM,uBAAuB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,uBAAuB,CAAC,CAAC;AAE9E;;;;GAIG;AACH,eAAO,MAAM,wBAAwB;;;;kBAInC,CAAC;AACH,MAAM,MAAM,wBAAwB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,wBAAwB,CAAC,CAAC;AAEhF,eAAO,MAAM,iCAAiC;;;;;;;;;;;;;;;;;CAWT,CAAC;AAEtC;;;;GAIG;AACH,eAAO,MAAM,kCAAkC,EAAE,aAAa,CAAC,yBAAyB,CAEvF,CAAC"}

package/dist/auth/self_service_role_action_specs.js

@@ -1,5 +1,5 @@
 /**
- * Self-service role grant/revoke action specs — schemas, error reasons,
+ * Unified self-service role toggle action spec — schemas, error reasons,
  * and the codegen-ready registry.
  *
  * Client-safe: no query-layer or audit-write imports. Handler factory
@@ -8,64 +8,42 @@
  * @module
  */
 import { z } from 'zod';
-import { Uuid } from '@fuzdev/fuz_util/id.js';
 import { RoleName } from './role_schema.js';
 /** Error reason — caller asked to self-toggle a role outside the configured allowlist. */
 export const ERROR_ROLE_NOT_SELF_SERVICE_ELIGIBLE = 'role_not_self_service_eligible';
-/** Input for `self_service_role_grant`. */
-export const SelfServiceRoleGrantInput = z.strictObject({
-    role: RoleName.meta({ description: 'Role to self-grant. Must be in the configured allowlist.' }),
+/** Input for `self_service_role_set`. */
+export const SelfServiceRoleSetInput = z.strictObject({
+    role: RoleName.meta({ description: 'Role to toggle. Must be in the configured allowlist.' }),
+    enabled: z.boolean().meta({
+        description: 'Desired post-call state. `true` grants if not held; `false` revokes if held. Idempotent in both directions.',
+    }),
 });
 /**
- * Output for `self_service_role_grant`. `granted` is `false` on idempotent
- * re-grant (caller already held the role globally); `permit_id` is set on
- * new grants only.
+ * Output for `self_service_role_set`. `enabled` echoes the post-call state
+ * (always equals the input `enabled` on success). `changed` is `true` only
+ * when the call mutated — re-grants / re-revokes return `false`.
  */
-export const SelfServiceRoleGrantOutput = z.strictObject({
+export const SelfServiceRoleSetOutput = z.strictObject({
     ok: z.literal(true),
-    granted: z.boolean(),
-    permit_id: Uuid.optional(),
+    enabled: z.boolean(),
+    changed: z.boolean(),
 });
-/** Input for `self_service_role_revoke`. */
-export const SelfServiceRoleRevokeInput = z.strictObject({
-    role: RoleName.meta({ description: 'Role to self-revoke. Must be in the configured allowlist.' }),
-});
-/**
- * Output for `self_service_role_revoke`. `revoked` is `false` when the
- * caller held no active global permit for the role (idempotent).
- */
-export const SelfServiceRoleRevokeOutput = z.strictObject({
-    ok: z.literal(true),
-    revoked: z.boolean(),
-});
-export const self_service_role_grant_action_spec = {
-    method: 'self_service_role_grant',
-    kind: 'request_response',
-    initiator: 'frontend',
-    auth: 'authenticated',
-    side_effects: true,
-    input: SelfServiceRoleGrantInput,
-    output: SelfServiceRoleGrantOutput,
-    async: true,
-    description: 'Self-grant an active permit for an allowlisted role. Idempotent — already-granted callers receive `granted: false`.',
-};
-export const self_service_role_revoke_action_spec = {
-    method: 'self_service_role_revoke',
+export const self_service_role_set_action_spec = {
+    method: 'self_service_role_set',
     kind: 'request_response',
     initiator: 'frontend',
     auth: 'authenticated',
     side_effects: true,
-    input: SelfServiceRoleRevokeInput,
-    output: SelfServiceRoleRevokeOutput,
+    input: SelfServiceRoleSetInput,
+    output: SelfServiceRoleSetOutput,
     async: true,
-    description: 'Self-revoke an active global permit for an allowlisted role. Idempotent — callers without an active permit receive `revoked: false`.',
+    description: 'Toggle a self-service role. Idempotent in both directions — `changed: false` when post-call state already matched the request.',
 };
 /**
- * All self-service role action specs — a codegen-ready registry. Method
- * names are static, so consumer typed-client codegen picks them up the
- * same way it picks up `account_*_action_specs`.
+ * All self-service role action specs — a codegen-ready registry. Single-element
+ * post-unification, kept for symmetry with the other `all_*_action_specs`
+ * exports so codegen and frontend bundles import the same shape.
  */
 export const all_self_service_role_action_specs = [
-    self_service_role_grant_action_spec,
-    self_service_role_revoke_action_spec,
+    self_service_role_set_action_spec,
 ];

package/dist/auth/self_service_role_actions.d.ts

@@ -1,11 +1,11 @@
 /**
- * Self-service role grant/revoke RPC actions.
+ * Unified self-service role toggle RPC action.
  *
- * Two static `request_response` actions — `self_service_role_grant` and
- * `self_service_role_revoke` — that take `{role}` as input and toggle a
- * permit on the caller for an allowlisted role. Idempotent in both
- * directions: re-granting an already-held role returns `granted: false`;
- * revoking a role the caller doesn't hold returns `revoked: false`.
+ * One static `request_response` action — `self_service_role_set` — that
+ * takes `{role, enabled}` and toggles a global permit on the caller for an
+ * allowlisted role. Idempotent in both directions: re-enabling an
+ * already-held role returns `changed: false`; disabling a role the caller
+ * doesn't hold returns `changed: false`.
  *
  * The factory takes an `eligible_roles` allowlist (validated against the
  * supplied `roles.role_options` at factory time so typos surface at startup
@@ -19,8 +19,8 @@
  * part of the documented schema surface and is round-trip-validated by
  * `query_audit_log`.
  *
- * Static method names — `role` lives in the input, not the method name —
- * so specs are codegen-compatible (`satisfies RequestResponseActionSpec`)
+ * Static method name — `role` lives in the input, not the method name —
+ * so the spec is codegen-compatible (`satisfies RequestResponseActionSpec`)
  * and the surface stays constant as consumers add eligible roles. Mirrors
  * the existing `permit_offer_create({role})` precedent rather than
  * generating per-role methods.
@@ -57,7 +57,7 @@ export interface SelfServiceRoleActionsOptions {
  */
 export type SelfServiceRoleActionDeps = Pick<RouteFactoryDeps, 'log' | 'on_audit_event' | 'audit_log_config'>;
 /**
- * Build the self-service role grant/revoke RPC actions.
+ * Build the unified self-service role toggle RPC action.
  *
  * @param deps - `SelfServiceRoleActionDeps` slice of `AppDeps` (`log`, `on_audit_event`, optional `audit_log_config`)
  * @param options - eligible-role allowlist plus optional role schema for typo-checking

package/dist/auth/self_service_role_actions.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"self_service_role_actions.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/self_service_role_actions.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAgCG;AAEH,OAAO,EAAiC,KAAK,SAAS,EAAC,MAAM,0BAA0B,CAAC;AAExF,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,kBAAkB,CAAC;AACvD,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,WAAW,CAAC;AAmBhD,sDAAsD;AACtD,MAAM,WAAW,6BAA6B;IAC7C;;;;OAIG;IACH,cAAc,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IACtC;;;;OAIG;IACH,KAAK,CAAC,EAAE,gBAAgB,CAAC;CACzB;AAED;;;;;GAKG;AACH,MAAM,MAAM,yBAAyB,GAAG,IAAI,CAC3C,gBAAgB,EAChB,KAAK,GAAG,gBAAgB,GAAG,kBAAkB,CAC7C,CAAC;AAOF;;;;;;GAMG;AACH,eAAO,MAAM,gCAAgC,GAC5C,MAAM,yBAAyB,EAC/B,SAAS,6BAA6B,KACpC,KAAK,CAAC,SAAS,CAqHjB,CAAC"}
+{"version":3,"file":"self_service_role_actions.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/self_service_role_actions.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAgCG;AAEH,OAAO,EAAiC,KAAK,SAAS,EAAC,MAAM,0BAA0B,CAAC;AAExF,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,kBAAkB,CAAC;AACvD,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,WAAW,CAAC;AAgBhD,sDAAsD;AACtD,MAAM,WAAW,6BAA6B;IAC7C;;;;OAIG;IACH,cAAc,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IACtC;;;;OAIG;IACH,KAAK,CAAC,EAAE,gBAAgB,CAAC;CACzB;AAED;;;;;GAKG;AACH,MAAM,MAAM,yBAAyB,GAAG,IAAI,CAC3C,gBAAgB,EAChB,KAAK,GAAG,gBAAgB,GAAG,kBAAkB,CAC7C,CAAC;AAOF;;;;;;GAMG;AACH,eAAO,MAAM,gCAAgC,GAC5C,MAAM,yBAAyB,EAC/B,SAAS,6BAA6B,KACpC,KAAK,CAAC,SAAS,CA4GjB,CAAC"}

package/dist/auth/self_service_role_actions.js

@@ -1,11 +1,11 @@
 /**
- * Self-service role grant/revoke RPC actions.
+ * Unified self-service role toggle RPC action.
  *
- * Two static `request_response` actions — `self_service_role_grant` and
- * `self_service_role_revoke` — that take `{role}` as input and toggle a
- * permit on the caller for an allowlisted role. Idempotent in both
- * directions: re-granting an already-held role returns `granted: false`;
- * revoking a role the caller doesn't hold returns `revoked: false`.
+ * One static `request_response` action — `self_service_role_set` — that
+ * takes `{role, enabled}` and toggles a global permit on the caller for an
+ * allowlisted role. Idempotent in both directions: re-enabling an
+ * already-held role returns `changed: false`; disabling a role the caller
+ * doesn't hold returns `changed: false`.
  *
  * The factory takes an `eligible_roles` allowlist (validated against the
  * supplied `roles.role_options` at factory time so typos surface at startup
@@ -19,8 +19,8 @@
  * part of the documented schema surface and is round-trip-validated by
  * `query_audit_log`.
  *
- * Static method names — `role` lives in the input, not the method name —
- * so specs are codegen-compatible (`satisfies RequestResponseActionSpec`)
+ * Static method name — `role` lives in the input, not the method name —
+ * so the spec is codegen-compatible (`satisfies RequestResponseActionSpec`)
  * and the surface stays constant as consumers add eligible roles. Mirrors
  * the existing `permit_offer_create({role})` precedent rather than
  * generating per-role methods.
@@ -35,14 +35,14 @@ import { rpc_action } from '../actions/action_rpc.js';
 import { jsonrpc_errors } from '../http/jsonrpc_errors.js';
 import { query_grant_permit, query_permit_find_active_for_actor, query_permit_has_role, query_revoke_permit, } from './permit_queries.js';
 import { audit_log_fire_and_forget } from './audit_log_queries.js';
-import { ERROR_ROLE_NOT_SELF_SERVICE_ELIGIBLE, self_service_role_grant_action_spec, self_service_role_revoke_action_spec, } from './self_service_role_action_specs.js';
+import { ERROR_ROLE_NOT_SELF_SERVICE_ELIGIBLE, self_service_role_set_action_spec, } from './self_service_role_action_specs.js';
 const require_request_auth = (auth) => {
     if (!auth)
         throw new Error('unreachable: action auth guard did not enforce authentication');
     return auth;
 };
 /**
- * Build the self-service role grant/revoke RPC actions.
+ * Build the unified self-service role toggle RPC action.
  *
  * @param deps - `SelfServiceRoleActionDeps` slice of `AppDeps` (`log`, `on_audit_event`, optional `audit_log_config`)
  * @param options - eligible-role allowlist plus optional role schema for typo-checking
@@ -65,45 +65,43 @@ export const create_self_service_role_actions = (deps, options) => {
             });
         }
     };
-    const grant_handler = async (input, ctx) => {
+    const handler = async (input, ctx) => {
         const auth = require_request_auth(ctx.auth);
         reject_if_ineligible(input.role);
-        // Pre-check for idempotent re-grant. `query_grant_permit` is itself
-        // idempotent (returns the existing permit instead of inserting), but
-        // it doesn't signal "already existed" vs "newly inserted" — so we
-        // peek first. The TOCTOU window is benign for self-service: two
-        // concurrent grants both observe "no permit", both call
-        // `query_grant_permit`, and one collapses onto the other inside the
-        // query's `ON CONFLICT DO NOTHING`. Worst case both responses report
-        // `granted: true`; the DB still ends up with exactly one permit.
-        const already = await query_permit_has_role(ctx, auth.actor.id, input.role);
-        if (already) {
-            return { ok: true, granted: false };
+        if (input.enabled) {
+            // Pre-check for idempotent re-grant. `query_grant_permit` is itself
+            // idempotent (returns the existing permit instead of inserting), but
+            // it doesn't signal "already existed" vs "newly inserted" — so we
+            // peek first. The TOCTOU window is benign for self-service: two
+            // concurrent grants both observe "no permit", both call
+            // `query_grant_permit`, and one collapses onto the other inside the
+            // query's `ON CONFLICT DO NOTHING`. Worst case both responses report
+            // `changed: true`; the DB still ends up with exactly one permit.
+            const already = await query_permit_has_role(ctx, auth.actor.id, input.role);
+            if (already) {
+                return { ok: true, enabled: true, changed: false };
+            }
+            const permit = await query_grant_permit(ctx, {
+                actor_id: auth.actor.id,
+                role: input.role,
+                scope_id: null,
+                expires_at: null,
+                granted_by: auth.actor.id,
+            });
+            void audit_log_fire_and_forget(ctx, {
+                event_type: 'permit_grant',
+                actor_id: auth.actor.id,
+                account_id: auth.account.id,
+                ip: ctx.client_ip,
+                metadata: {
+                    role: permit.role,
+                    permit_id: permit.id,
+                    scope_id: permit.scope_id,
+                    self_service: true,
+                },
+            }, deps);
+            return { ok: true, enabled: true, changed: true };
         }
-        const permit = await query_grant_permit(ctx, {
-            actor_id: auth.actor.id,
-            role: input.role,
-            scope_id: null,
-            expires_at: null,
-            granted_by: auth.actor.id,
-        });
-        void audit_log_fire_and_forget(ctx, {
-            event_type: 'permit_grant',
-            actor_id: auth.actor.id,
-            account_id: auth.account.id,
-            ip: ctx.client_ip,
-            metadata: {
-                role: permit.role,
-                permit_id: permit.id,
-                scope_id: permit.scope_id,
-                self_service: true,
-            },
-        }, deps);
-        return { ok: true, granted: true, permit_id: permit.id };
-    };
-    const revoke_handler = async (input, ctx) => {
-        const auth = require_request_auth(ctx.auth);
-        reject_if_ineligible(input.role);
         // Find an active global permit for this (actor, role). No dedicated
         // query exists, but `query_permit_find_active_for_actor` returns the
         // short list of every active permit and we filter in JS — fewer
@@ -111,12 +109,12 @@ export const create_self_service_role_actions = (deps, options) => {
         const active = await query_permit_find_active_for_actor(ctx, auth.actor.id);
         const target = active.find((p) => p.role === input.role && p.scope_id === null);
         if (!target) {
-            return { ok: true, revoked: false };
+            return { ok: true, enabled: false, changed: false };
         }
         const result = await query_revoke_permit(ctx, target.id, auth.actor.id, auth.actor.id);
         if (!result) {
             // Raced with another revoker — treat as already revoked.
-            return { ok: true, revoked: false };
+            return { ok: true, enabled: false, changed: false };
         }
         void audit_log_fire_and_forget(ctx, {
             event_type: 'permit_revoke',
@@ -130,10 +128,7 @@ export const create_self_service_role_actions = (deps, options) => {
                 self_service: true,
             },
         }, deps);
-        return { ok: true, revoked: true };
+        return { ok: true, enabled: false, changed: true };
     };
-    return [
-        rpc_action(self_service_role_grant_action_spec, grant_handler),
-        rpc_action(self_service_role_revoke_action_spec, revoke_handler),
-    ];
+    return [rpc_action(self_service_role_set_action_spec, handler)];
 };

package/dist/auth/standard_action_specs.d.ts

@@ -0,0 +1,31 @@
+/**
+ * Aggregate spec list mirroring `create_standard_rpc_actions` on the backend.
+ *
+ * `create_standard_rpc_actions` (in `./standard_rpc_actions.js`) bundles three
+ * action registries into one mounted RPC surface: admin + permit_offer +
+ * account. Frontends mounting that surface need the matching spec list to
+ * feed `create_rpc_client` so the typed Proxy knows about every standard
+ * method.
+ *
+ * Without this aggregate, every consumer spreads three (or four with
+ * self-service roles) `all_*_action_specs` imports at the typed-client
+ * site, the codegen-sources table, and any other registry construction —
+ * a triplicate that drifts silently on either side.
+ *
+ * Self-service role specs are **not** included — they're opt-in (require
+ * `eligible_roles` configuration) and not bundled into
+ * `create_standard_rpc_actions`. Consumers that mount them spread
+ * `all_self_service_role_action_specs` separately.
+ *
+ * @module
+ */
+import type { RequestResponseActionSpec } from '../actions/action_spec.js';
+/**
+ * Combined spec registry for the standard RPC surface (admin +
+ * permit_offer + account). Symmetric with `create_standard_rpc_actions`.
+ *
+ * Spec count is the sum of the three sub-registries. Adding a method to
+ * any sub-registry surfaces here automatically.
+ */
+export declare const all_standard_action_specs: ReadonlyArray<RequestResponseActionSpec>;
+//# sourceMappingURL=standard_action_specs.d.ts.map

package/dist/auth/standard_action_specs.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"standard_action_specs.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/standard_action_specs.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AAEH,OAAO,KAAK,EAAC,yBAAyB,EAAC,MAAM,2BAA2B,CAAC;AAKzE;;;;;;GAMG;AACH,eAAO,MAAM,yBAAyB,EAAE,aAAa,CAAC,yBAAyB,CAI9E,CAAC"}

package/dist/auth/standard_action_specs.js

@@ -0,0 +1,36 @@
+/**
+ * Aggregate spec list mirroring `create_standard_rpc_actions` on the backend.
+ *
+ * `create_standard_rpc_actions` (in `./standard_rpc_actions.js`) bundles three
+ * action registries into one mounted RPC surface: admin + permit_offer +
+ * account. Frontends mounting that surface need the matching spec list to
+ * feed `create_rpc_client` so the typed Proxy knows about every standard
+ * method.
+ *
+ * Without this aggregate, every consumer spreads three (or four with
+ * self-service roles) `all_*_action_specs` imports at the typed-client
+ * site, the codegen-sources table, and any other registry construction —
+ * a triplicate that drifts silently on either side.
+ *
+ * Self-service role specs are **not** included — they're opt-in (require
+ * `eligible_roles` configuration) and not bundled into
+ * `create_standard_rpc_actions`. Consumers that mount them spread
+ * `all_self_service_role_action_specs` separately.
+ *
+ * @module
+ */
+import { all_admin_action_specs } from './admin_action_specs.js';
+import { all_permit_offer_action_specs } from './permit_offer_action_specs.js';
+import { all_account_action_specs } from './account_action_specs.js';
+/**
+ * Combined spec registry for the standard RPC surface (admin +
+ * permit_offer + account). Symmetric with `create_standard_rpc_actions`.
+ *
+ * Spec count is the sum of the three sub-registries. Adding a method to
+ * any sub-registry surfaces here automatically.
+ */
+export const all_standard_action_specs = [
+    ...all_admin_action_specs,
+    ...all_permit_offer_action_specs,
+    ...all_account_action_specs,
+];

package/dist/http/schema_helpers.d.ts

@@ -18,6 +18,15 @@ import { type RateLimitKey, type RouteErrorSchemas } from './error_schemas.js';
  * but also accept other values.
  */
 export declare const is_null_schema: (schema: z.ZodType) => boolean;
+/**
+ * Check if a schema is exactly `z.void()`.
+ *
+ * RPC action specs use `z.void()` to declare a parameterless method —
+ * JSON-RPC 2.0 forbids `params: null` (params must be omitted or be a
+ * Structured value), so `z.void()` is the correct schema for "no params"
+ * and the dispatcher maps absent params to `undefined` for these specs.
+ */
+export declare const is_void_schema: (schema: z.ZodType) => boolean;
 /**
  * Check if a schema is a strict object (`z.strictObject()`).
  *

package/dist/http/schema_helpers.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"schema_helpers.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/http/schema_helpers.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAEtB,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,iBAAiB,CAAC;AAC/C,OAAO,EAAuB,KAAK,YAAY,EAAE,KAAK,iBAAiB,EAAC,MAAM,oBAAoB,CAAC;AAEnG;;;;;;GAMG;AACH,eAAO,MAAM,cAAc,GAAI,QAAQ,CAAC,CAAC,OAAO,KAAG,OAAsC,CAAC;AAE1F;;;;;GAKG;AACH,eAAO,MAAM,uBAAuB,GAAI,QAAQ,CAAC,CAAC,OAAO,KAAG,OACe,CAAC;AAE5E;;;;GAIG;AACH,eAAO,MAAM,iBAAiB,GAAI,QAAQ,CAAC,CAAC,OAAO,KAAG,OAQrD,CAAC;AAoBF;;;;;;;;;;GAUG;AACH,eAAO,MAAM,kBAAkB,GAAI,SAAS,MAAM,EAAE,YAAY,MAAM,KAAG,OAQxE,CAAC;AAEF;;;;;;;;;GASG;AACH,eAAO,MAAM,mBAAmB,GAC/B,MAAM;IACL,IAAI,EAAE,SAAS,CAAC;IAChB,KAAK,EAAE,CAAC,CAAC,OAAO,CAAC;IACjB,MAAM,CAAC,EAAE,CAAC,CAAC,SAAS,CAAC;IACrB,KAAK,CAAC,EAAE,CAAC,CAAC,SAAS,CAAC;IACpB,UAAU,CAAC,EAAE,YAAY,CAAC;IAC1B,MAAM,CAAC,EAAE,iBAAiB,CAAC;CAC3B,EACD,oBAAoB,iBAAiB,GAAG,IAAI,KAC1C,iBAAiB,GAAG,IAUtB,CAAC"}
+{"version":3,"file":"schema_helpers.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/http/schema_helpers.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAEtB,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,iBAAiB,CAAC;AAC/C,OAAO,EAAuB,KAAK,YAAY,EAAE,KAAK,iBAAiB,EAAC,MAAM,oBAAoB,CAAC;AAEnG;;;;;;GAMG;AACH,eAAO,MAAM,cAAc,GAAI,QAAQ,CAAC,CAAC,OAAO,KAAG,OAAsC,CAAC;AAE1F;;;;;;;GAOG;AACH,eAAO,MAAM,cAAc,GAAI,QAAQ,CAAC,CAAC,OAAO,KAAG,OAAsC,CAAC;AAE1F;;;;;GAKG;AACH,eAAO,MAAM,uBAAuB,GAAI,QAAQ,CAAC,CAAC,OAAO,KAAG,OACe,CAAC;AAE5E;;;;GAIG;AACH,eAAO,MAAM,iBAAiB,GAAI,QAAQ,CAAC,CAAC,OAAO,KAAG,OAQrD,CAAC;AAoBF;;;;;;;;;;GAUG;AACH,eAAO,MAAM,kBAAkB,GAAI,SAAS,MAAM,EAAE,YAAY,MAAM,KAAG,OAQxE,CAAC;AAEF;;;;;;;;;GASG;AACH,eAAO,MAAM,mBAAmB,GAC/B,MAAM;IACL,IAAI,EAAE,SAAS,CAAC;IAChB,KAAK,EAAE,CAAC,CAAC,OAAO,CAAC;IACjB,MAAM,CAAC,EAAE,CAAC,CAAC,SAAS,CAAC;IACrB,KAAK,CAAC,EAAE,CAAC,CAAC,SAAS,CAAC;IACpB,UAAU,CAAC,EAAE,YAAY,CAAC;IAC1B,MAAM,CAAC,EAAE,iBAAiB,CAAC;CAC3B,EACD,oBAAoB,iBAAiB,GAAG,IAAI,KAC1C,iBAAiB,GAAG,IAUtB,CAAC"}