@fuzdev/fuz_app 0.43.0 → 0.45.0

package/dist/actions/rpc_client.js

@@ -5,7 +5,8 @@
  * - **Tier 1** (simple, for tx): transport send/receive, Result return. No `environment`.
  * - **Tier 2** (full, for zzz): ActionEvent lifecycle with `environment`.
  *
- * Consumers cast the return to their generated `ActionsApi` interface for full type safety.
+ * Pass the consumer's generated `ActionsApi` interface as `<TApi>` to flow
+ * full type safety through without an explicit cast at the call site.
  *
  * @module
  */
@@ -20,18 +21,35 @@ import { jsonrpc_error_messages } from '../http/jsonrpc_errors.js';
  * - `remote_notification` → send notification, return Result
  * - `local_call` → execute locally (sync or async), return Result or throw
  *
- * @param options - client options (peer, environment, optional action history)
- * @returns a Proxy that responds to any method name found in the environment's specs
+ * Generic `TApi` is the consumer's typed Proxy interface (typically a
+ * codegen-derived `ActionsApi`). Required — no default, so forgetting it
+ * is a type error rather than a silent slide into `any`. The `as unknown
+ * as TApi` coercion lives inside this function so call sites get a typed
+ * return without a cast at the seam. `TApi` is a type-layer promise about
+ * what the Proxy responds to; the runtime walks `specs` (kept in sync by
+ * the consumer, codegen recommended).
+ *
+ * ```ts
+ * const api_result = create_rpc_client<MyActionsApi>({peer, environment});
+ * ```
+ *
+ * @param options - client options (peer, environment, optional callbacks)
+ * @returns a Proxy typed as `TApi` that responds to any method name found in the environment's specs
  */
 export const create_rpc_client = (options) => {
-    const { peer, environment, actions, transport_for_method } = options;
+    const { peer, environment, on_action_event, transport_for_method } = options;
+    // Internal factories construct broadly-typed `ActionEvent` instances; the
+    // public callback narrows `event.spec.method` to `keyof TApi & string`.
+    // Cast once here — function parameters are contravariant, so the narrow
+    // callback isn't directly assignable to the broad slot the helpers take.
+    const broad_on_action_event = on_action_event;
     return new Proxy({}, {
         get(_target, method) {
             const spec = environment.lookup_action_spec(method);
             if (!spec) {
                 return undefined;
             }
-            return create_action_method(peer, environment, spec, actions, transport_for_method);
+            return create_action_method(peer, environment, spec, broad_on_action_event, transport_for_method);
         },
         has(_target, method) {
             return environment.lookup_action_spec(method) !== undefined;
@@ -41,30 +59,26 @@ export const create_rpc_client = (options) => {
 /**
  * Creates a method that executes an action through its complete lifecycle.
  */
-const create_action_method = (peer, environment, spec, actions, transport_for_method) => {
+const create_action_method = (peer, environment, spec, on_action_event, transport_for_method) => {
     switch (spec.kind) {
         case 'local_call':
             return spec.async
-                ? create_async_local_call_method(environment, spec, actions)
-                : create_sync_local_call_method(environment, spec, actions);
+                ? create_async_local_call_method(environment, spec, on_action_event)
+                : create_sync_local_call_method(environment, spec, on_action_event);
         case 'request_response':
-            return create_request_response_method(peer, environment, spec, actions, transport_for_method);
+            return create_request_response_method(peer, environment, spec, on_action_event, transport_for_method);
         case 'remote_notification':
-            return create_remote_notification_method(peer, environment, spec, actions, transport_for_method);
+            return create_remote_notification_method(peer, environment, spec, on_action_event, transport_for_method);
     }
 };
 /**
  * Creates a synchronous local call method.
  * Returns value directly - can throw on error (sync methods cannot return Result).
  */
-const create_sync_local_call_method = (environment, spec, actions) => {
+const create_sync_local_call_method = (environment, spec, on_action_event) => {
     return (input) => {
         const event = create_action_event(environment, spec, input);
-        const action = actions?.add_from_json({
-            method: spec.method,
-            action_event_data: event.toJSON(),
-        });
-        action?.listen_to_action_event(event);
+        on_action_event?.(event);
         event.parse().handle_sync();
         const result = extract_action_result(event);
         if (result.ok) {
@@ -84,7 +98,7 @@ const create_sync_local_call_method = (environment, spec, actions) => {
  * `signal` can only short-circuit before the synchronous handler runs (no
  * cooperative interrupt mid-handler).
  */
-const create_async_local_call_method = (environment, spec, actions) => {
+const create_async_local_call_method = (environment, spec, on_action_event) => {
     return async (input, options) => {
         if (options?.signal?.aborted) {
             return {
@@ -93,11 +107,7 @@ const create_async_local_call_method = (environment, spec, actions) => {
             };
         }
         const event = create_action_event(environment, spec, input);
-        const action = actions?.add_from_json({
-            method: spec.method,
-            action_event_data: event.toJSON(),
-        });
-        action?.listen_to_action_event(event);
+        on_action_event?.(event);
         await event.parse().handle_async();
         return extract_action_result(event);
     };
@@ -105,14 +115,10 @@ const create_async_local_call_method = (environment, spec, actions) => {
 /**
  * Creates a request/response method that communicates over the network.
  */
-const create_request_response_method = (peer, environment, spec, actions, transport_for_method) => {
+const create_request_response_method = (peer, environment, spec, on_action_event, transport_for_method) => {
     return async (input, options) => {
         const event = create_action_event(environment, spec, input);
-        const action = actions?.add_from_json({
-            method: spec.method,
-            action_event_data: event.toJSON(),
-        });
-        action?.listen_to_action_event(event);
+        on_action_event?.(event);
         await event.parse().handle_async();
         // Check if we're in send_error phase before type narrowing
         if (event.data.kind === 'request_response' && event.data.phase === 'send_error') {
@@ -141,14 +147,10 @@ const create_request_response_method = (peer, environment, spec, actions, transp
  * Creates a remote notification method (fire and forget).
  * Returns Result<{value: void}> for consistency.
  */
-const create_remote_notification_method = (peer, environment, spec, actions, transport_for_method) => {
+const create_remote_notification_method = (peer, environment, spec, on_action_event, transport_for_method) => {
     return async (input, options) => {
         const event = create_action_event(environment, spec, input);
-        const action = actions?.add_from_json({
-            method: spec.method,
-            action_event_data: event.toJSON(),
-        });
-        action?.listen_to_action_event(event);
+        on_action_event?.(event);
         await event.parse().handle_async();
         if (!is_notification_send(event.data))
             throw Error(); // TODO @many maybe make this an assertion helper?
@@ -169,56 +171,76 @@ const create_remote_notification_method = (peer, environment, spec, actions, tra
     };
 };
 /**
- * Wrap a typed RPC client so every call returns its unwrapped value or throws.
+ * Wrap a typed RPC client so every call resolves to its unwrapped value or
+ * throws an `Error` carrying the JSON-RPC `{code, message, data?}` shape.
+ *
+ * Implementation is a Proxy because the underlying `create_rpc_client`
+ * return is itself a Proxy with no concrete keys — a key-by-key wrap would
+ * need to enumerate the typed surface, which only the consumer's generated
+ * `ActionsApi` interface knows.
+ *
+ * Pass-through on non-Result returns is deliberate: sync `local_call`
+ * Proxy methods return values directly (see `create_sync_local_call_method`
+ * above). The Proxy can't distinguish those at get-time, so the wrapper
+ * inspects `result` shape at call-time and only unwraps when it sees a
+ * Result. Non-object returns pass through unchanged.
  *
- * On `{ok: false}`, throws an `Error` whose `message` comes from the
- * JSON-RPC error object, plus `{code, data}` as own properties — so
- * catch blocks reading `err.message` / `err.code` / `err.data?.reason`
- * all work. On unknown method, throws a clear "rpc method not found"
- * error instead of the cryptic `undefined is not a function` that
- * would otherwise surface.
+ * Only `{code, data}` cross onto the thrown Error — `name` / `stack` are
+ * left as the Error's own properties so attacker-shaped `result.error`
+ * payloads cannot overwrite them.
  *
- * Invariant upheld by `create_rpc_client`: every `{ok: false}` return
- * carries a well-formed `JsonrpcErrorObject` with `code` + `message`.
- * Callers must still use optional chaining on `err.data` because the
- * JSON-RPC `data` field is spec-level optional — a handler that throws
- * `jsonrpc_errors.forbidden()` without a `data` argument produces
- * `err.data === undefined`.
+ * Recommended consumer convention: `create_frontend_rpc_client` ships
+ * both shapes by default — `api` (throwing) for hot-path call sites and
+ * `api_result` (Result) for sites that inspect `error.data.reason`
+ * without try/catch. Result is the protocol primitive; this wrapper is
+ * the ergonomic layer over it. Picking is per call site — both Proxies
+ * share the same underlying transport.
  *
- * Only `{code, data}` cross onto the thrown Error — `message` flows
- * through the `Error` constructor argument, and `name` / `stack` are
- * left as the Error's own so attacker-shaped `result.error` payloads
- * cannot overwrite them.
+ * Catch blocks read `err.data?.reason` — optional chaining required
+ * because JSON-RPC `data` is spec-level optional.
  *
- * The mapped-type generic constraint accepts both shapes without a cast:
- * a codegen-derived typed `ActionsApi` (named-method interface, e.g.
- * `{account_verify: (input) => Promise<Result<...>>, ...}`) and a loose
- * `Record<string, (input?: any) => Promise<any> | void>`. Using `keyof TApi`
- * in the constraint avoids the index-signature requirement that would
- * otherwise force consumers to `as unknown as Record<string, …>` their
- * generated client. The `| void` arm tolerates `remote_notification`
- * methods, whose `ActionsApi` signature is `(input) => void` even though
- * `create_remote_notification_method` returns a Promise at runtime — the
- * throwing wrapper is intended for `request_response` calls but must
- * accept mixed `ActionsApi` shapes without forcing a cast at the seam.
+ * On unknown string-keyed methods, the get trap returns a function that
+ * throws `"rpc method not found: <prop>"` on invocation — clearer than
+ * the JS default `"api.foo is not a function"`. Symbol props and `then`
+ * stay undefined so the Proxy isn't accidentally treated as a thenable
+ * (`await api` would otherwise probe `then` and trip the thrower).
  *
- * @param api - typed RPC client from `create_rpc_client` (or any object
- *   whose values are all `(input?) => Promise<...> | void` functions —
- *   notably the consumer's generated `ActionsApi` interface)
+ * @param api_result - typed Result-returning RPC client from
+ *   `create_rpc_client<ActionsApi>(...)`. The "_result" suffix names
+ *   what the underlying calls return (`Result<{value}, {error}>`).
  */
-export const create_throwing_rpc_call = (api) => {
-    const rec = api;
-    return async (method, input) => {
-        const fn = rec[method];
-        if (!fn)
-            throw new Error(`rpc method not found: ${method}`);
-        const result = await fn(input);
-        if (!result.ok) {
-            throw Object.assign(new Error(result.error?.message ?? 'rpc error'), {
-                code: result.error?.code,
-                data: result.error?.data,
-            });
-        }
-        return result.value;
-    };
+export const create_throwing_api = (api_result) => {
+    return new Proxy(api_result, {
+        get(target, prop) {
+            const fn = target[prop];
+            if (typeof fn === 'function') {
+                return async (...args) => {
+                    const result = await fn.apply(target, args);
+                    if (result === null || typeof result !== 'object')
+                        return result;
+                    const r = result;
+                    if (r.ok === true)
+                        return r.value;
+                    if (r.ok === false && r.error && typeof r.error === 'object') {
+                        const e = r.error;
+                        throw Object.assign(new Error(e.message), {
+                            code: e.code,
+                            data: e.data,
+                        });
+                    }
+                    return result;
+                };
+            }
+            if (fn !== undefined)
+                return fn;
+            // Underlying api has no member by this name. Symbol props and
+            // `then` must stay undefined — `await tapi` reads `then` and
+            // would otherwise trip the thrower.
+            if (typeof prop !== 'string' || prop === 'then')
+                return undefined;
+            return () => {
+                throw new Error(`rpc method not found: ${prop}`);
+            };
+        },
+    });
 };

package/dist/auth/CLAUDE.md

@@ -1039,6 +1039,14 @@ the admin integration suite exercises `account_token_create` /
 consumer wiring the admin surface without account actions will hit
 `method not found` on first admin-suite run.
 
+Frontend mirror: `all_standard_action_specs` (in
+`./standard_action_specs.ts`) bundles `all_admin_action_specs +
+all_permit_offer_action_specs + all_account_action_specs` into one
+`ReadonlyArray<RequestResponseActionSpec>` for typed-client codegen
+and `create_frontend_rpc_client({specs})` wiring. Self-service role
+specs are not included (opt-in, app-specific `eligible_roles`) —
+spread `all_self_service_role_action_specs` separately when needed.
+
 ### `account_action_specs.ts` + `account_actions.ts` — seven self-service RPC actions
 
 Counterpart to `account_routes.ts`. Cookie-lifecycle flows (`login`,
@@ -1084,15 +1092,17 @@ registry of all seven specs.
 ### `self_service_role_action_specs.ts` + `self_service_role_actions.ts` — opt-in self-service role toggle
 
 Same split as the other registries: `*_action_specs.ts` holds the input/output
-Zod schemas, the two `satisfies RequestResponseActionSpec` literals, the
+Zod schemas, the `satisfies RequestResponseActionSpec` literal, the
 `ERROR_ROLE_NOT_SELF_SERVICE_ELIGIBLE` reason constant, and the
 `all_self_service_role_action_specs` registry — all client-safe. The
-`*_actions.ts` factory imports the specs and pairs them with handlers.
-
-Two static `request_response` actions — `self_service_role_grant` and
-`self_service_role_revoke` — that take `{role}` as input and toggle a
-global permit on the caller. Both are idempotent: `granted: false` when
-the caller already holds the role, `revoked: false` when they don't.
+`*_actions.ts` factory imports the spec and pairs it with the handler.
+
+One static `request_response` action — `self_service_role_set` — that
+takes `{role, enabled: boolean}` and toggles a global permit on the
+caller. Idempotent in both directions: `changed: false` when the
+post-call state already matched the request (already-held when
+enabling; not-held when disabling). Output is `{ok, enabled, changed}` —
+`enabled` echoes the post-call state for self-describing responses.
 Audit metadata carries `self_service: true` so admin reviewers can
 distinguish self-toggled permits from admin grants/offers. The
 `permit_grant` / `permit_revoke` metadata schemas declare
@@ -1100,7 +1110,7 @@ distinguish self-toggled permits from admin grants/offers. The
 part of the documented surface rather than riding on `z.looseObject`
 permissiveness.
 
-Method names are static — `role` lives in the input, not the method
+Method name is static — `role` lives in the input, not the method
 name. Mirrors the `permit_offer_create({role})` precedent. Per-role
 parameterized methods would break the `satisfies RequestResponseActionSpec`
 codegen invariant and grow the surface linearly per role.
@@ -1110,14 +1120,15 @@ codegen invariant and grow the surface linearly per role.
 - `eligible_roles: ReadonlyArray<string>` — required allowlist. Roles
   outside the list are rejected with `forbidden` + reason
   `role_not_self_service_eligible` (exported as
-  `ERROR_ROLE_NOT_SELF_SERVICE_ELIGIBLE`).
+  `ERROR_ROLE_NOT_SELF_SERVICE_ELIGIBLE`). The eligibility check fires
+  before the `enabled` branch — same rejection regardless of direction.
 - `roles?: RoleSchemaResult` — optional. When supplied, every entry in
   `eligible_roles` is checked against `roles.role_options` at factory
   time so typos throw at startup instead of at first call.
 
-Grant path uses `query_permit_has_role` for a benign-TOCTOU pre-check
+Grant branch uses `query_permit_has_role` for a benign-TOCTOU pre-check
 (distinguishes new grant from idempotent re-grant), then
-`query_grant_permit` for the actual insert. Revoke path filters
+`query_grant_permit` for the actual insert. Revoke branch filters
 `query_permit_find_active_for_actor` in JS for the matching
 `(actor, role, scope_id IS NULL)` row before calling
 `query_revoke_permit`. Bundle is **not** included in
@@ -1126,8 +1137,8 @@ spread alongside the standard bundle when needed.
 
 Deps: `SelfServiceRoleActionDeps = Pick<RouteFactoryDeps, 'log' | 'on_audit_event' | 'audit_log_config'>`.
 
-`all_self_service_role_action_specs: Array<RequestResponseActionSpec>` —
-codegen-ready registry of both specs.
+`all_self_service_role_action_specs: ReadonlyArray<RequestResponseActionSpec>` —
+codegen-ready registry of the single unified spec.
 
 ## Cleanup
 

package/dist/auth/self_service_role_action_specs.d.ts

@@ -1,5 +1,5 @@
 /**
- * Self-service role grant/revoke action specs — schemas, error reasons,
+ * Unified self-service role toggle action spec — schemas, error reasons,
  * and the codegen-ready registry.
  *
  * Client-safe: no query-layer or audit-write imports. Handler factory
@@ -11,54 +11,24 @@ import { z } from 'zod';
 import type { RequestResponseActionSpec } from '../actions/action_spec.js';
 /** Error reason — caller asked to self-toggle a role outside the configured allowlist. */
 export declare const ERROR_ROLE_NOT_SELF_SERVICE_ELIGIBLE: "role_not_self_service_eligible";
-/** Input for `self_service_role_grant`. */
-export declare const SelfServiceRoleGrantInput: z.ZodObject<{
+/** Input for `self_service_role_set`. */
+export declare const SelfServiceRoleSetInput: z.ZodObject<{
     role: z.ZodString;
+    enabled: z.ZodBoolean;
 }, z.core.$strict>;
-export type SelfServiceRoleGrantInput = z.infer<typeof SelfServiceRoleGrantInput>;
+export type SelfServiceRoleSetInput = z.infer<typeof SelfServiceRoleSetInput>;
 /**
- * Output for `self_service_role_grant`. `granted` is `false` on idempotent
- * re-grant (caller already held the role globally); `permit_id` is set on
- * new grants only.
+ * Output for `self_service_role_set`. `enabled` echoes the post-call state
+ * (always equals the input `enabled` on success). `changed` is `true` only
+ * when the call mutated — re-grants / re-revokes return `false`.
  */
-export declare const SelfServiceRoleGrantOutput: z.ZodObject<{
+export declare const SelfServiceRoleSetOutput: z.ZodObject<{
     ok: z.ZodLiteral<true>;
-    granted: z.ZodBoolean;
-    permit_id: z.ZodOptional<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+    enabled: z.ZodBoolean;
+    changed: z.ZodBoolean;
 }, z.core.$strict>;
-export type SelfServiceRoleGrantOutput = z.infer<typeof SelfServiceRoleGrantOutput>;
-/** Input for `self_service_role_revoke`. */
-export declare const SelfServiceRoleRevokeInput: z.ZodObject<{
-    role: z.ZodString;
-}, z.core.$strict>;
-export type SelfServiceRoleRevokeInput = z.infer<typeof SelfServiceRoleRevokeInput>;
-/**
- * Output for `self_service_role_revoke`. `revoked` is `false` when the
- * caller held no active global permit for the role (idempotent).
- */
-export declare const SelfServiceRoleRevokeOutput: z.ZodObject<{
-    ok: z.ZodLiteral<true>;
-    revoked: z.ZodBoolean;
-}, z.core.$strict>;
-export type SelfServiceRoleRevokeOutput = z.infer<typeof SelfServiceRoleRevokeOutput>;
-export declare const self_service_role_grant_action_spec: {
-    method: string;
-    kind: "request_response";
-    initiator: "frontend";
-    auth: "authenticated";
-    side_effects: true;
-    input: z.ZodObject<{
-        role: z.ZodString;
-    }, z.core.$strict>;
-    output: z.ZodObject<{
-        ok: z.ZodLiteral<true>;
-        granted: z.ZodBoolean;
-        permit_id: z.ZodOptional<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
-    }, z.core.$strict>;
-    async: true;
-    description: string;
-};
-export declare const self_service_role_revoke_action_spec: {
+export type SelfServiceRoleSetOutput = z.infer<typeof SelfServiceRoleSetOutput>;
+export declare const self_service_role_set_action_spec: {
     method: string;
     kind: "request_response";
     initiator: "frontend";
@@ -66,18 +36,20 @@ export declare const self_service_role_revoke_action_spec: {
     side_effects: true;
     input: z.ZodObject<{
         role: z.ZodString;
+        enabled: z.ZodBoolean;
     }, z.core.$strict>;
     output: z.ZodObject<{
         ok: z.ZodLiteral<true>;
-        revoked: z.ZodBoolean;
+        enabled: z.ZodBoolean;
+        changed: z.ZodBoolean;
     }, z.core.$strict>;
     async: true;
     description: string;
 };
 /**
- * All self-service role action specs — a codegen-ready registry. Method
- * names are static, so consumer typed-client codegen picks them up the
- * same way it picks up `account_*_action_specs`.
+ * All self-service role action specs — a codegen-ready registry. Single-element
+ * post-unification, kept for symmetry with the other `all_*_action_specs`
+ * exports so codegen and frontend bundles import the same shape.
  */
-export declare const all_self_service_role_action_specs: Array<RequestResponseActionSpec>;
+export declare const all_self_service_role_action_specs: ReadonlyArray<RequestResponseActionSpec>;
 //# sourceMappingURL=self_service_role_action_specs.d.ts.map

package/dist/auth/self_service_role_action_specs.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"self_service_role_action_specs.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/self_service_role_action_specs.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAGtB,OAAO,KAAK,EAAC,yBAAyB,EAAC,MAAM,2BAA2B,CAAC;AAGzE,0FAA0F;AAC1F,eAAO,MAAM,oCAAoC,EAAG,gCAAyC,CAAC;AAE9F,2CAA2C;AAC3C,eAAO,MAAM,yBAAyB;;kBAEpC,CAAC;AACH,MAAM,MAAM,yBAAyB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,yBAAyB,CAAC,CAAC;AAElF;;;;GAIG;AACH,eAAO,MAAM,0BAA0B;;;;kBAIrC,CAAC;AACH,MAAM,MAAM,0BAA0B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,0BAA0B,CAAC,CAAC;AAEpF,4CAA4C;AAC5C,eAAO,MAAM,0BAA0B;;kBAErC,CAAC;AACH,MAAM,MAAM,0BAA0B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,0BAA0B,CAAC,CAAC;AAEpF;;;GAGG;AACH,eAAO,MAAM,2BAA2B;;;kBAGtC,CAAC;AACH,MAAM,MAAM,2BAA2B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,2BAA2B,CAAC,CAAC;AAEtF,eAAO,MAAM,mCAAmC;;;;;;;;;;;;;;;;CAWX,CAAC;AAEtC,eAAO,MAAM,oCAAoC;;;;;;;;;;;;;;;CAWZ,CAAC;AAEtC;;;;GAIG;AACH,eAAO,MAAM,kCAAkC,EAAE,KAAK,CAAC,yBAAyB,CAG/E,CAAC"}
+{"version":3,"file":"self_service_role_action_specs.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/self_service_role_action_specs.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAEtB,OAAO,KAAK,EAAC,yBAAyB,EAAC,MAAM,2BAA2B,CAAC;AAGzE,0FAA0F;AAC1F,eAAO,MAAM,oCAAoC,EAAG,gCAAyC,CAAC;AAE9F,yCAAyC;AACzC,eAAO,MAAM,uBAAuB;;;kBAMlC,CAAC;AACH,MAAM,MAAM,uBAAuB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,uBAAuB,CAAC,CAAC;AAE9E;;;;GAIG;AACH,eAAO,MAAM,wBAAwB;;;;kBAInC,CAAC;AACH,MAAM,MAAM,wBAAwB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,wBAAwB,CAAC,CAAC;AAEhF,eAAO,MAAM,iCAAiC;;;;;;;;;;;;;;;;;CAWT,CAAC;AAEtC;;;;GAIG;AACH,eAAO,MAAM,kCAAkC,EAAE,aAAa,CAAC,yBAAyB,CAEvF,CAAC"}

package/dist/auth/self_service_role_action_specs.js

@@ -1,5 +1,5 @@
 /**
- * Self-service role grant/revoke action specs — schemas, error reasons,
+ * Unified self-service role toggle action spec — schemas, error reasons,
  * and the codegen-ready registry.
  *
  * Client-safe: no query-layer or audit-write imports. Handler factory
@@ -8,64 +8,42 @@
  * @module
  */
 import { z } from 'zod';
-import { Uuid } from '@fuzdev/fuz_util/id.js';
 import { RoleName } from './role_schema.js';
 /** Error reason — caller asked to self-toggle a role outside the configured allowlist. */
 export const ERROR_ROLE_NOT_SELF_SERVICE_ELIGIBLE = 'role_not_self_service_eligible';
-/** Input for `self_service_role_grant`. */
-export const SelfServiceRoleGrantInput = z.strictObject({
-    role: RoleName.meta({ description: 'Role to self-grant. Must be in the configured allowlist.' }),
+/** Input for `self_service_role_set`. */
+export const SelfServiceRoleSetInput = z.strictObject({
+    role: RoleName.meta({ description: 'Role to toggle. Must be in the configured allowlist.' }),
+    enabled: z.boolean().meta({
+        description: 'Desired post-call state. `true` grants if not held; `false` revokes if held. Idempotent in both directions.',
+    }),
 });
 /**
- * Output for `self_service_role_grant`. `granted` is `false` on idempotent
- * re-grant (caller already held the role globally); `permit_id` is set on
- * new grants only.
+ * Output for `self_service_role_set`. `enabled` echoes the post-call state
+ * (always equals the input `enabled` on success). `changed` is `true` only
+ * when the call mutated — re-grants / re-revokes return `false`.
  */
-export const SelfServiceRoleGrantOutput = z.strictObject({
+export const SelfServiceRoleSetOutput = z.strictObject({
     ok: z.literal(true),
-    granted: z.boolean(),
-    permit_id: Uuid.optional(),
+    enabled: z.boolean(),
+    changed: z.boolean(),
 });
-/** Input for `self_service_role_revoke`. */
-export const SelfServiceRoleRevokeInput = z.strictObject({
-    role: RoleName.meta({ description: 'Role to self-revoke. Must be in the configured allowlist.' }),
-});
-/**
- * Output for `self_service_role_revoke`. `revoked` is `false` when the
- * caller held no active global permit for the role (idempotent).
- */
-export const SelfServiceRoleRevokeOutput = z.strictObject({
-    ok: z.literal(true),
-    revoked: z.boolean(),
-});
-export const self_service_role_grant_action_spec = {
-    method: 'self_service_role_grant',
-    kind: 'request_response',
-    initiator: 'frontend',
-    auth: 'authenticated',
-    side_effects: true,
-    input: SelfServiceRoleGrantInput,
-    output: SelfServiceRoleGrantOutput,
-    async: true,
-    description: 'Self-grant an active permit for an allowlisted role. Idempotent — already-granted callers receive `granted: false`.',
-};
-export const self_service_role_revoke_action_spec = {
-    method: 'self_service_role_revoke',
+export const self_service_role_set_action_spec = {
+    method: 'self_service_role_set',
     kind: 'request_response',
     initiator: 'frontend',
     auth: 'authenticated',
     side_effects: true,
-    input: SelfServiceRoleRevokeInput,
-    output: SelfServiceRoleRevokeOutput,
+    input: SelfServiceRoleSetInput,
+    output: SelfServiceRoleSetOutput,
     async: true,
-    description: 'Self-revoke an active global permit for an allowlisted role. Idempotent — callers without an active permit receive `revoked: false`.',
+    description: 'Toggle a self-service role. Idempotent in both directions — `changed: false` when post-call state already matched the request.',
 };
 /**
- * All self-service role action specs — a codegen-ready registry. Method
- * names are static, so consumer typed-client codegen picks them up the
- * same way it picks up `account_*_action_specs`.
+ * All self-service role action specs — a codegen-ready registry. Single-element
+ * post-unification, kept for symmetry with the other `all_*_action_specs`
+ * exports so codegen and frontend bundles import the same shape.
  */
 export const all_self_service_role_action_specs = [
-    self_service_role_grant_action_spec,
-    self_service_role_revoke_action_spec,
+    self_service_role_set_action_spec,
 ];

package/dist/auth/self_service_role_actions.d.ts

@@ -1,11 +1,11 @@
 /**
- * Self-service role grant/revoke RPC actions.
+ * Unified self-service role toggle RPC action.
  *
- * Two static `request_response` actions — `self_service_role_grant` and
- * `self_service_role_revoke` — that take `{role}` as input and toggle a
- * permit on the caller for an allowlisted role. Idempotent in both
- * directions: re-granting an already-held role returns `granted: false`;
- * revoking a role the caller doesn't hold returns `revoked: false`.
+ * One static `request_response` action — `self_service_role_set` — that
+ * takes `{role, enabled}` and toggles a global permit on the caller for an
+ * allowlisted role. Idempotent in both directions: re-enabling an
+ * already-held role returns `changed: false`; disabling a role the caller
+ * doesn't hold returns `changed: false`.
  *
  * The factory takes an `eligible_roles` allowlist (validated against the
  * supplied `roles.role_options` at factory time so typos surface at startup
@@ -19,8 +19,8 @@
  * part of the documented schema surface and is round-trip-validated by
  * `query_audit_log`.
  *
- * Static method names — `role` lives in the input, not the method name —
- * so specs are codegen-compatible (`satisfies RequestResponseActionSpec`)
+ * Static method name — `role` lives in the input, not the method name —
+ * so the spec is codegen-compatible (`satisfies RequestResponseActionSpec`)
  * and the surface stays constant as consumers add eligible roles. Mirrors
  * the existing `permit_offer_create({role})` precedent rather than
  * generating per-role methods.
@@ -57,7 +57,7 @@ export interface SelfServiceRoleActionsOptions {
  */
 export type SelfServiceRoleActionDeps = Pick<RouteFactoryDeps, 'log' | 'on_audit_event' | 'audit_log_config'>;
 /**
- * Build the self-service role grant/revoke RPC actions.
+ * Build the unified self-service role toggle RPC action.
  *
  * @param deps - `SelfServiceRoleActionDeps` slice of `AppDeps` (`log`, `on_audit_event`, optional `audit_log_config`)
  * @param options - eligible-role allowlist plus optional role schema for typo-checking

package/dist/auth/self_service_role_actions.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"self_service_role_actions.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/self_service_role_actions.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAgCG;AAEH,OAAO,EAAiC,KAAK,SAAS,EAAC,MAAM,0BAA0B,CAAC;AAExF,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,kBAAkB,CAAC;AACvD,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,WAAW,CAAC;AAmBhD,sDAAsD;AACtD,MAAM,WAAW,6BAA6B;IAC7C;;;;OAIG;IACH,cAAc,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IACtC;;;;OAIG;IACH,KAAK,CAAC,EAAE,gBAAgB,CAAC;CACzB;AAED;;;;;GAKG;AACH,MAAM,MAAM,yBAAyB,GAAG,IAAI,CAC3C,gBAAgB,EAChB,KAAK,GAAG,gBAAgB,GAAG,kBAAkB,CAC7C,CAAC;AAOF;;;;;;GAMG;AACH,eAAO,MAAM,gCAAgC,GAC5C,MAAM,yBAAyB,EAC/B,SAAS,6BAA6B,KACpC,KAAK,CAAC,SAAS,CAqHjB,CAAC"}
+{"version":3,"file":"self_service_role_actions.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/self_service_role_actions.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAgCG;AAEH,OAAO,EAAiC,KAAK,SAAS,EAAC,MAAM,0BAA0B,CAAC;AAExF,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,kBAAkB,CAAC;AACvD,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,WAAW,CAAC;AAgBhD,sDAAsD;AACtD,MAAM,WAAW,6BAA6B;IAC7C;;;;OAIG;IACH,cAAc,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IACtC;;;;OAIG;IACH,KAAK,CAAC,EAAE,gBAAgB,CAAC;CACzB;AAED;;;;;GAKG;AACH,MAAM,MAAM,yBAAyB,GAAG,IAAI,CAC3C,gBAAgB,EAChB,KAAK,GAAG,gBAAgB,GAAG,kBAAkB,CAC7C,CAAC;AAOF;;;;;;GAMG;AACH,eAAO,MAAM,gCAAgC,GAC5C,MAAM,yBAAyB,EAC/B,SAAS,6BAA6B,KACpC,KAAK,CAAC,SAAS,CA4GjB,CAAC"}