@fuzdev/fuz_app 0.51.0 → 0.52.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (320) hide show
  1. package/dist/actions/CLAUDE.md +14 -1
  2. package/dist/actions/action_bridge.d.ts +3 -1
  3. package/dist/actions/action_bridge.d.ts.map +1 -1
  4. package/dist/actions/action_bridge.js +3 -1
  5. package/dist/actions/action_codegen.d.ts +18 -8
  6. package/dist/actions/action_codegen.d.ts.map +1 -1
  7. package/dist/actions/action_codegen.js +18 -8
  8. package/dist/actions/action_event.d.ts +44 -1
  9. package/dist/actions/action_event.d.ts.map +1 -1
  10. package/dist/actions/action_event.js +44 -1
  11. package/dist/actions/action_event_helpers.d.ts +26 -0
  12. package/dist/actions/action_event_helpers.d.ts.map +1 -1
  13. package/dist/actions/action_event_helpers.js +26 -1
  14. package/dist/actions/action_peer.d.ts +17 -0
  15. package/dist/actions/action_peer.d.ts.map +1 -1
  16. package/dist/actions/action_peer.js +8 -0
  17. package/dist/actions/action_registry.d.ts +1 -1
  18. package/dist/actions/action_registry.js +1 -1
  19. package/dist/actions/action_rpc.d.ts +4 -0
  20. package/dist/actions/action_rpc.d.ts.map +1 -1
  21. package/dist/actions/action_rpc.js +4 -0
  22. package/dist/actions/action_spec.d.ts +22 -2
  23. package/dist/actions/action_spec.d.ts.map +1 -1
  24. package/dist/actions/action_spec.js +16 -2
  25. package/dist/actions/register_action_ws.d.ts +3 -0
  26. package/dist/actions/register_action_ws.d.ts.map +1 -1
  27. package/dist/actions/register_action_ws.js +3 -0
  28. package/dist/actions/register_ws_endpoint.d.ts +3 -0
  29. package/dist/actions/register_ws_endpoint.d.ts.map +1 -1
  30. package/dist/actions/register_ws_endpoint.js +3 -0
  31. package/dist/actions/request_tracker.svelte.d.ts +14 -1
  32. package/dist/actions/request_tracker.svelte.d.ts.map +1 -1
  33. package/dist/actions/request_tracker.svelte.js +14 -1
  34. package/dist/actions/socket.svelte.d.ts +35 -15
  35. package/dist/actions/socket.svelte.d.ts.map +1 -1
  36. package/dist/actions/socket.svelte.js +33 -13
  37. package/dist/actions/transports.d.ts +12 -3
  38. package/dist/actions/transports.d.ts.map +1 -1
  39. package/dist/actions/transports.js +16 -7
  40. package/dist/actions/transports_http.d.ts +7 -0
  41. package/dist/actions/transports_http.d.ts.map +1 -1
  42. package/dist/actions/transports_http.js +7 -0
  43. package/dist/actions/transports_ws.d.ts +13 -0
  44. package/dist/actions/transports_ws.d.ts.map +1 -1
  45. package/dist/actions/transports_ws.js +13 -0
  46. package/dist/actions/transports_ws_auth_guard.d.ts +6 -2
  47. package/dist/actions/transports_ws_auth_guard.d.ts.map +1 -1
  48. package/dist/actions/transports_ws_auth_guard.js +6 -2
  49. package/dist/actions/transports_ws_backend.d.ts +14 -1
  50. package/dist/actions/transports_ws_backend.d.ts.map +1 -1
  51. package/dist/actions/transports_ws_backend.js +14 -1
  52. package/dist/auth/CLAUDE.md +40 -4
  53. package/dist/auth/account_queries.d.ts +10 -0
  54. package/dist/auth/account_queries.d.ts.map +1 -1
  55. package/dist/auth/account_queries.js +10 -0
  56. package/dist/auth/admin_actions.d.ts +1 -0
  57. package/dist/auth/admin_actions.d.ts.map +1 -1
  58. package/dist/auth/admin_actions.js +1 -0
  59. package/dist/auth/api_token_queries.d.ts +7 -0
  60. package/dist/auth/api_token_queries.d.ts.map +1 -1
  61. package/dist/auth/api_token_queries.js +7 -0
  62. package/dist/auth/app_settings_queries.d.ts +4 -0
  63. package/dist/auth/app_settings_queries.d.ts.map +1 -1
  64. package/dist/auth/app_settings_queries.js +4 -0
  65. package/dist/auth/audit_log_queries.d.ts +6 -0
  66. package/dist/auth/audit_log_queries.d.ts.map +1 -1
  67. package/dist/auth/audit_log_queries.js +6 -0
  68. package/dist/auth/audit_log_schema.d.ts +2 -0
  69. package/dist/auth/audit_log_schema.d.ts.map +1 -1
  70. package/dist/auth/audit_log_schema.js +134 -55
  71. package/dist/auth/bearer_auth.d.ts +2 -0
  72. package/dist/auth/bearer_auth.d.ts.map +1 -1
  73. package/dist/auth/bearer_auth.js +2 -0
  74. package/dist/auth/bootstrap_account.d.ts +3 -0
  75. package/dist/auth/bootstrap_account.d.ts.map +1 -1
  76. package/dist/auth/bootstrap_account.js +3 -0
  77. package/dist/auth/cleanup.d.ts +6 -0
  78. package/dist/auth/cleanup.d.ts.map +1 -1
  79. package/dist/auth/cleanup.js +6 -0
  80. package/dist/auth/daemon_token_middleware.d.ts +4 -0
  81. package/dist/auth/daemon_token_middleware.d.ts.map +1 -1
  82. package/dist/auth/daemon_token_middleware.js +4 -0
  83. package/dist/auth/invite_queries.d.ts +4 -0
  84. package/dist/auth/invite_queries.d.ts.map +1 -1
  85. package/dist/auth/invite_queries.js +4 -0
  86. package/dist/auth/permit_offer_action_specs.d.ts +5 -0
  87. package/dist/auth/permit_offer_action_specs.d.ts.map +1 -1
  88. package/dist/auth/permit_offer_action_specs.js +10 -0
  89. package/dist/auth/permit_offer_queries.d.ts +19 -0
  90. package/dist/auth/permit_offer_queries.d.ts.map +1 -1
  91. package/dist/auth/permit_offer_queries.js +19 -0
  92. package/dist/auth/permit_queries.d.ts +8 -0
  93. package/dist/auth/permit_queries.d.ts.map +1 -1
  94. package/dist/auth/permit_queries.js +8 -0
  95. package/dist/auth/request_context.d.ts +1 -0
  96. package/dist/auth/request_context.d.ts.map +1 -1
  97. package/dist/auth/request_context.js +1 -0
  98. package/dist/auth/role_schema.d.ts +2 -0
  99. package/dist/auth/role_schema.d.ts.map +1 -1
  100. package/dist/auth/role_schema.js +2 -0
  101. package/dist/auth/self_service_role_actions.d.ts +1 -0
  102. package/dist/auth/self_service_role_actions.d.ts.map +1 -1
  103. package/dist/auth/self_service_role_actions.js +1 -0
  104. package/dist/auth/session_lifecycle.d.ts +3 -0
  105. package/dist/auth/session_lifecycle.d.ts.map +1 -1
  106. package/dist/auth/session_lifecycle.js +3 -0
  107. package/dist/auth/session_middleware.d.ts +5 -0
  108. package/dist/auth/session_middleware.d.ts.map +1 -1
  109. package/dist/auth/session_middleware.js +5 -0
  110. package/dist/auth/session_queries.d.ts +9 -0
  111. package/dist/auth/session_queries.d.ts.map +1 -1
  112. package/dist/auth/session_queries.js +9 -0
  113. package/dist/cli/config.d.ts +2 -0
  114. package/dist/cli/config.d.ts.map +1 -1
  115. package/dist/cli/config.js +2 -0
  116. package/dist/cli/daemon.d.ts +6 -1
  117. package/dist/cli/daemon.d.ts.map +1 -1
  118. package/dist/cli/daemon.js +6 -1
  119. package/dist/db/assert_row.d.ts +2 -1
  120. package/dist/db/assert_row.d.ts.map +1 -1
  121. package/dist/db/assert_row.js +2 -1
  122. package/dist/db/create_db.d.ts +3 -0
  123. package/dist/db/create_db.d.ts.map +1 -1
  124. package/dist/db/create_db.js +3 -0
  125. package/dist/db/db.d.ts +19 -4
  126. package/dist/db/db.d.ts.map +1 -1
  127. package/dist/db/db.js +18 -3
  128. package/dist/db/db_pg.d.ts +2 -1
  129. package/dist/db/db_pg.d.ts.map +1 -1
  130. package/dist/db/db_pg.js +5 -3
  131. package/dist/db/db_pglite.d.ts +3 -2
  132. package/dist/db/db_pglite.d.ts.map +1 -1
  133. package/dist/db/db_pglite.js +3 -2
  134. package/dist/db/migrate.d.ts +8 -4
  135. package/dist/db/migrate.d.ts.map +1 -1
  136. package/dist/db/migrate.js +6 -2
  137. package/dist/db/sql_identifier.d.ts +2 -1
  138. package/dist/db/sql_identifier.d.ts.map +1 -1
  139. package/dist/db/sql_identifier.js +2 -1
  140. package/dist/db/status.d.ts +4 -1
  141. package/dist/db/status.d.ts.map +1 -1
  142. package/dist/db/status.js +5 -2
  143. package/dist/dev/setup.d.ts +18 -2
  144. package/dist/dev/setup.d.ts.map +1 -1
  145. package/dist/dev/setup.js +18 -2
  146. package/dist/env/dotenv.d.ts +2 -1
  147. package/dist/env/dotenv.d.ts.map +1 -1
  148. package/dist/env/dotenv.js +2 -1
  149. package/dist/env/load.d.ts +1 -1
  150. package/dist/env/load.js +1 -1
  151. package/dist/env/resolve.d.ts +1 -1
  152. package/dist/env/resolve.js +1 -1
  153. package/dist/env/update_env_variable.d.ts +2 -0
  154. package/dist/env/update_env_variable.d.ts.map +1 -1
  155. package/dist/env/update_env_variable.js +2 -0
  156. package/dist/http/pending_effects.d.ts +4 -0
  157. package/dist/http/pending_effects.d.ts.map +1 -1
  158. package/dist/http/pending_effects.js +4 -0
  159. package/dist/http/proxy.d.ts +3 -0
  160. package/dist/http/proxy.d.ts.map +1 -1
  161. package/dist/http/proxy.js +3 -0
  162. package/dist/http/route_spec.d.ts +1 -0
  163. package/dist/http/route_spec.d.ts.map +1 -1
  164. package/dist/http/route_spec.js +7 -0
  165. package/dist/rate_limiter.d.ts +14 -1
  166. package/dist/rate_limiter.d.ts.map +1 -1
  167. package/dist/rate_limiter.js +14 -1
  168. package/dist/realtime/sse.d.ts +7 -1
  169. package/dist/realtime/sse.d.ts.map +1 -1
  170. package/dist/realtime/sse.js +3 -1
  171. package/dist/realtime/sse_auth_guard.d.ts +21 -21
  172. package/dist/realtime/sse_auth_guard.d.ts.map +1 -1
  173. package/dist/realtime/sse_auth_guard.js +24 -24
  174. package/dist/realtime/subscriber_registry.d.ts +4 -2
  175. package/dist/realtime/subscriber_registry.d.ts.map +1 -1
  176. package/dist/realtime/subscriber_registry.js +4 -2
  177. package/dist/runtime/fs.d.ts +5 -0
  178. package/dist/runtime/fs.d.ts.map +1 -1
  179. package/dist/runtime/fs.js +5 -0
  180. package/dist/runtime/mock.d.ts +6 -0
  181. package/dist/runtime/mock.d.ts.map +1 -1
  182. package/dist/runtime/mock.js +6 -0
  183. package/dist/server/app_backend.d.ts +1 -0
  184. package/dist/server/app_backend.d.ts.map +1 -1
  185. package/dist/server/app_backend.js +1 -0
  186. package/dist/server/app_server.d.ts +4 -0
  187. package/dist/server/app_server.d.ts.map +1 -1
  188. package/dist/server/app_server.js +4 -0
  189. package/dist/server/validate_nginx.d.ts +3 -0
  190. package/dist/server/validate_nginx.d.ts.map +1 -1
  191. package/dist/testing/admin_integration.d.ts +5 -0
  192. package/dist/testing/admin_integration.d.ts.map +1 -1
  193. package/dist/testing/admin_integration.js +5 -0
  194. package/dist/testing/adversarial_headers.d.ts +5 -3
  195. package/dist/testing/adversarial_headers.d.ts.map +1 -1
  196. package/dist/testing/adversarial_headers.js +5 -3
  197. package/dist/testing/adversarial_input.d.ts +4 -0
  198. package/dist/testing/adversarial_input.d.ts.map +1 -1
  199. package/dist/testing/adversarial_input.js +4 -0
  200. package/dist/testing/app_server.d.ts +3 -0
  201. package/dist/testing/app_server.d.ts.map +1 -1
  202. package/dist/testing/app_server.js +11 -0
  203. package/dist/testing/assertions.d.ts +23 -7
  204. package/dist/testing/assertions.d.ts.map +1 -1
  205. package/dist/testing/assertions.js +23 -7
  206. package/dist/testing/audit_completeness.d.ts +4 -0
  207. package/dist/testing/audit_completeness.d.ts.map +1 -1
  208. package/dist/testing/audit_completeness.js +4 -0
  209. package/dist/testing/auth_apps.d.ts +3 -0
  210. package/dist/testing/auth_apps.d.ts.map +1 -1
  211. package/dist/testing/auth_apps.js +3 -0
  212. package/dist/testing/db.d.ts +9 -1
  213. package/dist/testing/db.d.ts.map +1 -1
  214. package/dist/testing/db.js +9 -1
  215. package/dist/testing/error_coverage.d.ts +9 -0
  216. package/dist/testing/error_coverage.d.ts.map +1 -1
  217. package/dist/testing/error_coverage.js +9 -0
  218. package/dist/testing/integration.d.ts +4 -0
  219. package/dist/testing/integration.d.ts.map +1 -1
  220. package/dist/testing/integration.js +4 -0
  221. package/dist/testing/integration_helpers.d.ts +10 -4
  222. package/dist/testing/integration_helpers.d.ts.map +1 -1
  223. package/dist/testing/integration_helpers.js +10 -4
  224. package/dist/testing/middleware.d.ts +5 -0
  225. package/dist/testing/middleware.d.ts.map +1 -1
  226. package/dist/testing/middleware.js +5 -0
  227. package/dist/testing/rate_limiting.d.ts +3 -0
  228. package/dist/testing/rate_limiting.d.ts.map +1 -1
  229. package/dist/testing/rate_limiting.js +3 -0
  230. package/dist/testing/rpc_helpers.d.ts +21 -8
  231. package/dist/testing/rpc_helpers.d.ts.map +1 -1
  232. package/dist/testing/rpc_helpers.js +21 -8
  233. package/dist/testing/schema_generators.d.ts +7 -2
  234. package/dist/testing/schema_generators.d.ts.map +1 -1
  235. package/dist/testing/schema_generators.js +7 -2
  236. package/dist/testing/sse_round_trip.d.ts +3 -0
  237. package/dist/testing/sse_round_trip.d.ts.map +1 -1
  238. package/dist/testing/sse_round_trip.js +3 -0
  239. package/dist/testing/stubs.d.ts +7 -0
  240. package/dist/testing/stubs.d.ts.map +1 -1
  241. package/dist/testing/stubs.js +7 -0
  242. package/dist/testing/surface_invariants.d.ts +14 -0
  243. package/dist/testing/surface_invariants.d.ts.map +1 -1
  244. package/dist/testing/surface_invariants.js +14 -0
  245. package/dist/testing/ws_round_trip.d.ts +13 -1
  246. package/dist/testing/ws_round_trip.d.ts.map +1 -1
  247. package/dist/ui/AccountSessions.svelte +9 -0
  248. package/dist/ui/AccountSessions.svelte.d.ts.map +1 -1
  249. package/dist/ui/AdminAccounts.svelte +10 -0
  250. package/dist/ui/AdminAccounts.svelte.d.ts.map +1 -1
  251. package/dist/ui/AdminAuditLog.svelte +10 -0
  252. package/dist/ui/AdminAuditLog.svelte.d.ts.map +1 -1
  253. package/dist/ui/AdminInvites.svelte +9 -0
  254. package/dist/ui/AdminInvites.svelte.d.ts.map +1 -1
  255. package/dist/ui/AdminOverview.svelte +10 -0
  256. package/dist/ui/AdminOverview.svelte.d.ts.map +1 -1
  257. package/dist/ui/AdminPermitHistory.svelte +9 -0
  258. package/dist/ui/AdminPermitHistory.svelte.d.ts.map +1 -1
  259. package/dist/ui/AdminSessions.svelte +10 -0
  260. package/dist/ui/AdminSessions.svelte.d.ts.map +1 -1
  261. package/dist/ui/AdminSettings.svelte +9 -0
  262. package/dist/ui/AdminSettings.svelte.d.ts.map +1 -1
  263. package/dist/ui/AdminSurface.svelte +9 -0
  264. package/dist/ui/AdminSurface.svelte.d.ts.map +1 -1
  265. package/dist/ui/AppShell.svelte +24 -0
  266. package/dist/ui/AppShell.svelte.d.ts +23 -0
  267. package/dist/ui/AppShell.svelte.d.ts.map +1 -1
  268. package/dist/ui/BootstrapForm.svelte +17 -0
  269. package/dist/ui/BootstrapForm.svelte.d.ts +4 -0
  270. package/dist/ui/BootstrapForm.svelte.d.ts.map +1 -1
  271. package/dist/ui/ColumnLayout.svelte +11 -0
  272. package/dist/ui/ColumnLayout.svelte.d.ts +10 -0
  273. package/dist/ui/ColumnLayout.svelte.d.ts.map +1 -1
  274. package/dist/ui/Datatable.svelte +18 -0
  275. package/dist/ui/Datatable.svelte.d.ts +17 -0
  276. package/dist/ui/Datatable.svelte.d.ts.map +1 -1
  277. package/dist/ui/LoginForm.svelte +18 -0
  278. package/dist/ui/LoginForm.svelte.d.ts +9 -0
  279. package/dist/ui/LoginForm.svelte.d.ts.map +1 -1
  280. package/dist/ui/LogoutButton.svelte +9 -0
  281. package/dist/ui/LogoutButton.svelte.d.ts +8 -0
  282. package/dist/ui/LogoutButton.svelte.d.ts.map +1 -1
  283. package/dist/ui/MenuLink.svelte +10 -0
  284. package/dist/ui/MenuLink.svelte.d.ts +9 -0
  285. package/dist/ui/MenuLink.svelte.d.ts.map +1 -1
  286. package/dist/ui/OpenSignupToggle.svelte +9 -0
  287. package/dist/ui/OpenSignupToggle.svelte.d.ts.map +1 -1
  288. package/dist/ui/SignupForm.svelte +16 -0
  289. package/dist/ui/SignupForm.svelte.d.ts +4 -0
  290. package/dist/ui/SignupForm.svelte.d.ts.map +1 -1
  291. package/dist/ui/SurfaceExplorer.svelte +9 -0
  292. package/dist/ui/SurfaceExplorer.svelte.d.ts.map +1 -1
  293. package/dist/ui/audit_log_state.svelte.d.ts +6 -1
  294. package/dist/ui/audit_log_state.svelte.d.ts.map +1 -1
  295. package/dist/ui/audit_log_state.svelte.js +6 -1
  296. package/dist/ui/auth_state.svelte.d.ts +16 -4
  297. package/dist/ui/auth_state.svelte.d.ts.map +1 -1
  298. package/dist/ui/auth_state.svelte.js +16 -4
  299. package/dist/ui/form_state.svelte.d.ts +9 -0
  300. package/dist/ui/form_state.svelte.d.ts.map +1 -1
  301. package/dist/ui/form_state.svelte.js +9 -0
  302. package/dist/ui/loadable.svelte.d.ts +6 -1
  303. package/dist/ui/loadable.svelte.d.ts.map +1 -1
  304. package/dist/ui/loadable.svelte.js +6 -1
  305. package/dist/ui/permit_offers_state.svelte.d.ts +2 -0
  306. package/dist/ui/permit_offers_state.svelte.d.ts.map +1 -1
  307. package/dist/ui/permit_offers_state.svelte.js +2 -0
  308. package/dist/ui/popover.svelte.d.ts +17 -4
  309. package/dist/ui/popover.svelte.d.ts.map +1 -1
  310. package/dist/ui/popover.svelte.js +17 -4
  311. package/dist/ui/position_helpers.d.ts +1 -0
  312. package/dist/ui/position_helpers.d.ts.map +1 -1
  313. package/dist/ui/position_helpers.js +1 -0
  314. package/dist/ui/sidebar_state.svelte.d.ts +22 -9
  315. package/dist/ui/sidebar_state.svelte.d.ts.map +1 -1
  316. package/dist/ui/sidebar_state.svelte.js +17 -2
  317. package/dist/ui/table_state.svelte.d.ts +14 -0
  318. package/dist/ui/table_state.svelte.d.ts.map +1 -1
  319. package/dist/ui/table_state.svelte.js +14 -0
  320. package/package.json +1 -1
package/dist/auth/permit_offer_action_specs.d.ts CHANGED
@@ -209,6 +209,7 @@ export declare const permit_offer_create_action_spec: {
209
209
  }, z.core.$strict>;
210
210
  async: true;
211
211
  description: string;
212
+ error_reasons: ("offer_self_target" | "offer_role_not_grantable" | "offer_not_authorized")[];
212
213
  };
213
214
  export declare const permit_offer_accept_action_spec: {
214
215
  method: string;
@@ -241,6 +242,7 @@ export declare const permit_offer_accept_action_spec: {
241
242
  }, z.core.$strict>;
242
243
  async: true;
243
244
  description: string;
245
+ error_reasons: ("offer_terminal" | "offer_expired" | "offer_not_found")[];
244
246
  };
245
247
  export declare const permit_offer_decline_action_spec: {
246
248
  method: string;
@@ -257,6 +259,7 @@ export declare const permit_offer_decline_action_spec: {
257
259
  }, z.core.$strict>;
258
260
  async: true;
259
261
  description: string;
262
+ error_reasons: ("offer_terminal" | "offer_not_found")[];
260
263
  };
261
264
  export declare const permit_offer_retract_action_spec: {
262
265
  method: string;
@@ -272,6 +275,7 @@ export declare const permit_offer_retract_action_spec: {
272
275
  }, z.core.$strict>;
273
276
  async: true;
274
277
  description: string;
278
+ error_reasons: ("offer_terminal" | "offer_not_found")[];
275
279
  };
276
280
  export declare const permit_offer_list_action_spec: {
277
281
  method: string;
@@ -354,6 +358,7 @@ export declare const permit_revoke_action_spec: {
354
358
  }, z.core.$strict>;
355
359
  async: true;
356
360
  description: string;
361
+ error_reasons: ("account_not_found" | "role_not_web_grantable" | "permit_not_found")[];
357
362
  };
358
363
  /**
359
364
  * All permit-offer action specs — a codegen-ready registry. Consumers spread
package/dist/auth/permit_offer_action_specs.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"permit_offer_action_specs.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/permit_offer_action_specs.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAGtB,OAAO,KAAK,EAAC,yBAAyB,EAAC,MAAM,2BAA2B,CAAC;AAKzE,gEAAgE;AAChE,eAAO,MAAM,uBAAuB,EAAG,mBAA4B,CAAC;AACpE,kEAAkE;AAClE,eAAO,MAAM,oBAAoB,EAAG,gBAAyB,CAAC;AAC9D,sDAAsD;AACtD,eAAO,MAAM,mBAAmB,EAAG,eAAwB,CAAC;AAC5D,wGAAwG;AACxG,eAAO,MAAM,qBAAqB,EAAG,iBAA0B,CAAC;AAChE,qGAAqG;AACrG,eAAO,MAAM,8BAA8B,EAAG,0BAAmC,CAAC;AAClF,gKAAgK;AAChK,eAAO,MAAM,0BAA0B,EAAG,sBAA+B,CAAC;AAI1E,uCAAuC;AACvC,eAAO,MAAM,sBAAsB;;;;;kBAWjC,CAAC;AACH,MAAM,MAAM,sBAAsB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAC;AAE5E,uCAAuC;AACvC,eAAO,MAAM,sBAAsB;;kBAEjC,CAAC;AACH,MAAM,MAAM,sBAAsB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAC;AAE5E,wCAAwC;AACxC,eAAO,MAAM,uBAAuB;;;kBAOlC,CAAC;AACH,MAAM,MAAM,uBAAuB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,uBAAuB,CAAC,CAAC;AAE9E,wCAAwC;AACxC,eAAO,MAAM,uBAAuB;;kBAElC,CAAC;AACH,MAAM,MAAM,uBAAuB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,uBAAuB,CAAC,CAAC;AAE9E,mGAAmG;AACnG,eAAO,MAAM,oBAAoB;;kBAI/B,CAAC;AACH,MAAM,MAAM,oBAAoB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAC;AAExE;;;;;;GAMG;AACH,eAAO,MAAM,iBAAiB;;;;kBAO5B,CAAC;AACH,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAC;AAElE;;;;GAIG;AACH,eAAO,MAAM,uBAAuB;;;;kBAUlC,CAAC;AACH,MAAM,MAAM,uBAAuB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,uBAAuB,CAAC,CAAC;AAE9E,wCAAwC;AACxC,eAAO,MAAM,uBAAuB;;;;;;;;;;;;;;;;;kBAElC,CAAC;AACH,MAAM,MAAM,uBAAuB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,uBAAuB,CAAC,CAAC;AAE9E,wCAAwC;AACxC,eAAO,MAAM,uBAAuB;;;;;;;;;;;;;;;;;;;kBAIlC,CAAC;AACH,MAAM,MAAM,uBAAuB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,uBAAuB,CAAC,CAAC;AAE9E,kEAAkE;AAClE,eAAO,MAAM,mBAAmB;;kBAAwC,CAAC;AACzE,MAAM,MAAM,mBAAmB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAC;AAEtE,sCAAsC;AACtC,eAAO,MAAM,qBAAqB;;;;;;;;;;;;;;;;;kBAAqD,CAAC;AACxF,MAAM,MAAM,qBAAqB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,qBAAqB,CAAC,CAAC;AAE1E,yCAAyC;AACzC,eAAO,MAAM,wBAAwB;;;;;;;;;;;;;;;;;kBAAqD,CAAC;AAC3F,MAAM,MAAM,wBAAwB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,wBAAwB,CAAC,CAAC;AAEhF,kCAAkC;AAClC,eAAO,MAAM,kBAAkB;;;kBAG7B,CAAC;AACH,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAIpE,eAAO,MAAM,+BAA+B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAWP,CAAC;AAEtC,eAAO,MAAM,+BAA+B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAWP,CAAC;AAEtC,eAAO,MAAM,gCAAgC;;;;;;;;;;;;;;;CAUR,CAAC;AAEtC,eAAO,MAAM,gCAAgC;;;;;;;;;;;;;;CAUR,CAAC;AAEtC,eAAO,MAAM,6BAA6B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAWL,CAAC;AAEtC,eAAO,MAAM,gCAAgC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAWR,CAAC;AAEtC,eAAO,MAAM,yBAAyB;;;;;;;;;;;;;;;;;;;CAWD,CAAC;AAEtC;;;;GAIG;AACH,eAAO,MAAM,6BAA6B,EAAE,KAAK,CAAC,yBAAyB,CAQ1E,CAAC"}
1
+ {"version":3,"file":"permit_offer_action_specs.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/permit_offer_action_specs.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;GAkBG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAGtB,OAAO,KAAK,EAAC,yBAAyB,EAAC,MAAM,2BAA2B,CAAC;AAUzE,gEAAgE;AAChE,eAAO,MAAM,uBAAuB,EAAG,mBAA4B,CAAC;AACpE,kEAAkE;AAClE,eAAO,MAAM,oBAAoB,EAAG,gBAAyB,CAAC;AAC9D,sDAAsD;AACtD,eAAO,MAAM,mBAAmB,EAAG,eAAwB,CAAC;AAC5D,wGAAwG;AACxG,eAAO,MAAM,qBAAqB,EAAG,iBAA0B,CAAC;AAChE,qGAAqG;AACrG,eAAO,MAAM,8BAA8B,EAAG,0BAAmC,CAAC;AAClF,gKAAgK;AAChK,eAAO,MAAM,0BAA0B,EAAG,sBAA+B,CAAC;AAI1E,uCAAuC;AACvC,eAAO,MAAM,sBAAsB;;;;;kBAWjC,CAAC;AACH,MAAM,MAAM,sBAAsB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAC;AAE5E,uCAAuC;AACvC,eAAO,MAAM,sBAAsB;;kBAEjC,CAAC;AACH,MAAM,MAAM,sBAAsB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAC;AAE5E,wCAAwC;AACxC,eAAO,MAAM,uBAAuB;;;kBAOlC,CAAC;AACH,MAAM,MAAM,uBAAuB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,uBAAuB,CAAC,CAAC;AAE9E,wCAAwC;AACxC,eAAO,MAAM,uBAAuB;;kBAElC,CAAC;AACH,MAAM,MAAM,uBAAuB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,uBAAuB,CAAC,CAAC;AAE9E,mGAAmG;AACnG,eAAO,MAAM,oBAAoB;;kBAI/B,CAAC;AACH,MAAM,MAAM,oBAAoB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAC;AAExE;;;;;;GAMG;AACH,eAAO,MAAM,iBAAiB;;;;kBAO5B,CAAC;AACH,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAC;AAElE;;;;GAIG;AACH,eAAO,MAAM,uBAAuB;;;;kBAUlC,CAAC;AACH,MAAM,MAAM,uBAAuB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,uBAAuB,CAAC,CAAC;AAE9E,wCAAwC;AACxC,eAAO,MAAM,uBAAuB;;;;;;;;;;;;;;;;;kBAElC,CAAC;AACH,MAAM,MAAM,uBAAuB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,uBAAuB,CAAC,CAAC;AAE9E,wCAAwC;AACxC,eAAO,MAAM,uBAAuB;;;;;;;;;;;;;;;;;;;kBAIlC,CAAC;AACH,MAAM,MAAM,uBAAuB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,uBAAuB,CAAC,CAAC;AAE9E,kEAAkE;AAClE,eAAO,MAAM,mBAAmB;;kBAAwC,CAAC;AACzE,MAAM,MAAM,mBAAmB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAC;AAEtE,sCAAsC;AACtC,eAAO,MAAM,qBAAqB;;;;;;;;;;;;;;;;;kBAAqD,CAAC;AACxF,MAAM,MAAM,qBAAqB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,qBAAqB,CAAC,CAAC;AAE1E,yCAAyC;AACzC,eAAO,MAAM,wBAAwB;;;;;;;;;;;;;;;;;kBAAqD,CAAC;AAC3F,MAAM,MAAM,wBAAwB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,wBAAwB,CAAC,CAAC;AAEhF,kCAAkC;AAClC,eAAO,MAAM,kBAAkB;;;kBAG7B,CAAC;AACH,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAIpE,eAAO,MAAM,+BAA+B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAgBP,CAAC;AAEtC,eAAO,MAAM,+BAA+B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAYP,CAAC;AAEtC,eAAO,MAAM,gCAAgC;;;;;;;;;;;;;;;;CAWR,CAAC;AAEtC,eAAO,MAAM,gCAAgC;;;;;;;;;;;;;;;CAWR,CAAC;AAEtC,eAAO,MAAM,6BAA6B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAWL,CAAC;AAEtC,eAAO,MAAM,gCAAgC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAWR,CAAC;AAEtC,eAAO,MAAM,yBAAyB;;;;;;;;;;;;;;;;;;;;CAYD,CAAC;AAEtC;;;;GAIG;AACH,eAAO,MAAM,6BAA6B,EAAE,KAAK,CAAC,yBAAyB,CAQ1E,CAAC"}
package/dist/auth/permit_offer_action_specs.js CHANGED
@@ -19,6 +19,7 @@
19
19
  */
20
20
  import { z } from 'zod';
21
21
  import { Uuid } from '@fuzdev/fuz_util/id.js';
22
+ import { ERROR_ACCOUNT_NOT_FOUND, ERROR_PERMIT_NOT_FOUND, ERROR_ROLE_NOT_WEB_GRANTABLE, } from '../http/error_schemas.js';
22
23
  import { RoleName } from './role_schema.js';
23
24
  import { PERMIT_OFFER_MESSAGE_LENGTH_MAX, PermitOfferJson } from './permit_offer_schema.js';
24
25
  import { PERMIT_REVOKED_REASON_LENGTH_MAX } from './account_schema.js';
@@ -133,6 +134,11 @@ export const permit_offer_create_action_spec = {
133
134
  output: PermitOfferCreateOutput,
134
135
  async: true,
135
136
  description: 'Offer a permit to another account. Grantor must hold the offered role (or pass a consumer authorize callback); role must be web_grantable.',
137
+ error_reasons: [
138
+ ERROR_OFFER_SELF_TARGET,
139
+ ERROR_OFFER_ROLE_NOT_GRANTABLE,
140
+ ERROR_OFFER_NOT_AUTHORIZED,
141
+ ],
136
142
  };
137
143
  export const permit_offer_accept_action_spec = {
138
144
  method: 'permit_offer_accept',
@@ -144,6 +150,7 @@ export const permit_offer_accept_action_spec = {
144
150
  output: PermitOfferAcceptOutput,
145
151
  async: true,
146
152
  description: 'Accept an offer. Atomically marks the offer accepted, inserts the permit, and supersedes sibling pending offers for the same (account, role, scope).',
153
+ error_reasons: [ERROR_OFFER_NOT_FOUND, ERROR_OFFER_TERMINAL, ERROR_OFFER_EXPIRED],
147
154
  };
148
155
  export const permit_offer_decline_action_spec = {
149
156
  method: 'permit_offer_decline',
@@ -155,6 +162,7 @@ export const permit_offer_decline_action_spec = {
155
162
  output: PermitOfferOkOutput,
156
163
  async: true,
157
164
  description: 'Decline an offer. Recipient-only.',
165
+ error_reasons: [ERROR_OFFER_NOT_FOUND, ERROR_OFFER_TERMINAL],
158
166
  };
159
167
  export const permit_offer_retract_action_spec = {
160
168
  method: 'permit_offer_retract',
@@ -166,6 +174,7 @@ export const permit_offer_retract_action_spec = {
166
174
  output: PermitOfferOkOutput,
167
175
  async: true,
168
176
  description: 'Retract an offer. Grantor-only, pre-decision.',
177
+ error_reasons: [ERROR_OFFER_NOT_FOUND, ERROR_OFFER_TERMINAL],
169
178
  };
170
179
  export const permit_offer_list_action_spec = {
171
180
  method: 'permit_offer_list',
@@ -199,6 +208,7 @@ export const permit_revoke_action_spec = {
199
208
  output: PermitRevokeOutput,
200
209
  async: true,
201
210
  description: 'Revoke an active permit on a target actor. Admin-only. Supersedes any pending offers for the same (account, role, scope). Fires permit_revoke + permit_offer_supersede notifications.',
211
+ error_reasons: [ERROR_PERMIT_NOT_FOUND, ERROR_ACCOUNT_NOT_FOUND, ERROR_ROLE_NOT_WEB_GRANTABLE],
202
212
  };
203
213
  /**
204
214
  * All permit-offer action specs — a codegen-ready registry. Consumers spread
package/dist/auth/permit_offer_queries.d.ts CHANGED
@@ -66,6 +66,10 @@ export declare class PermitOfferSelfTargetError extends Error {
66
66
  *
67
67
  * Self-offer rejection: throws `PermitOfferSelfTargetError` if the offering
68
68
  * actor belongs to the recipient account.
69
+ *
70
+ * @mutates `permit_offer` table - inserts a new offer or upserts the matching pending row
71
+ * @throws PermitOfferSelfTargetError if the offering actor belongs to `to_account_id`
72
+ * @throws Error if the INSERT/UPSERT does not return a row (failed `assert_row` invariant)
69
73
  */
70
74
  export declare const query_permit_offer_create: (deps: QueryDeps, input: CreatePermitOfferInput) => Promise<PermitOffer>;
71
75
  /**
@@ -75,6 +79,9 @@ export declare const query_permit_offer_create: (deps: QueryDeps, input: CreateP
75
79
  * exist or belongs to a different account. Throws
76
80
  * `PermitOfferAlreadyTerminalError` if the offer exists for the caller but
77
81
  * is already in a terminal state.
82
+ *
83
+ * @mutates `permit_offer` row - sets `declined_at` and `decline_reason`
84
+ * @throws PermitOfferAlreadyTerminalError if the offer is already accepted, declined, retracted, or superseded
78
85
  */
79
86
  export declare const query_permit_offer_decline: (deps: QueryDeps, offer_id: string, to_account_id: string, reason: string | null) => Promise<PermitOffer | null>;
80
87
  /**
@@ -84,6 +91,9 @@ export declare const query_permit_offer_decline: (deps: QueryDeps, offer_id: str
84
91
  * exist or was issued by a different actor. Throws
85
92
  * `PermitOfferAlreadyTerminalError` if the offer exists for this grantor
86
93
  * but is already in a terminal state.
94
+ *
95
+ * @mutates `permit_offer` row - sets `retracted_at`
96
+ * @throws PermitOfferAlreadyTerminalError if the offer is already accepted, declined, retracted, or superseded
87
97
  */
88
98
  export declare const query_permit_offer_retract: (deps: QueryDeps, offer_id: string, from_actor_id: string) => Promise<PermitOffer | null>;
89
99
  /**
@@ -160,6 +170,15 @@ export interface AcceptOfferResult {
160
170
  * Sibling supersede is what closes the "accept a pre-revoke sibling offer
161
171
  * to bypass a revoke" path: once A is accepted, B/C/... can no longer be
162
172
  * accepted even if the resulting permit is later revoked.
173
+ *
174
+ * @mutates `permit_offer` row - stamps `accepted_at` and `resulting_permit_id`
175
+ * @mutates `permit` table - inserts the resulting permit (idempotent on race)
176
+ * @mutates `permit_offer` siblings - stamps `superseded_at` on every other pending offer for the tuple
177
+ * @mutates `audit_log` table - emits `permit_offer_accept` + `permit_grant` + one `permit_offer_supersede` per sibling
178
+ * @throws PermitOfferNotFoundError if the offer is missing or belongs to another recipient
179
+ * @throws PermitOfferAlreadyTerminalError if the offer is declined, retracted, or superseded
180
+ * @throws PermitOfferExpiredError if the offer is pending but past `expires_at`
181
+ * @throws Error if the accepting account has no actor (1:1 invariant) or invariant assertions fail
163
182
  */
164
183
  export declare const query_accept_offer: (deps: QueryDeps, input: AcceptOfferInput) => Promise<AcceptOfferResult>;
165
184
  //# sourceMappingURL=permit_offer_queries.d.ts.map
package/dist/auth/permit_offer_queries.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"permit_offer_queries.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/permit_offer_queries.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,KAAK,EAAC,IAAI,EAAC,MAAM,wBAAwB,CAAC;AAEjD,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,qBAAqB,CAAC;AAEnD,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,qBAAqB,CAAC;AAEhD,OAAO,EAEN,KAAK,sBAAsB,EAC3B,KAAK,WAAW,EAChB,KAAK,eAAe,EACpB,MAAM,0BAA0B,CAAC;AAElC,OAAO,KAAK,EAAC,aAAa,EAAC,MAAM,uBAAuB,CAAC;AAEzD;;;;;GAKG;AACH,qBAAa,+BAAgC,SAAQ,KAAK;gBAC7C,QAAQ,EAAE,MAAM;CAI5B;AAED;;;;;GAKG;AACH,qBAAa,uBAAwB,SAAQ,KAAK;gBACrC,QAAQ,EAAE,MAAM;CAI5B;AAED;;;;;GAKG;AACH,qBAAa,wBAAyB,SAAQ,KAAK;gBACtC,QAAQ,EAAE,MAAM;CAI5B;AAED;;;;;;GAMG;AACH,qBAAa,0BAA2B,SAAQ,KAAK;;CAKpD;AAED;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,yBAAyB,GACrC,MAAM,SAAS,EACf,OAAO,sBAAsB,KAC3B,OAAO,CAAC,WAAW,CAyBrB,CAAC;AAEF;;;;;;;GAOG;AACH,eAAO,MAAM,0BAA0B,GACtC,MAAM,SAAS,EACf,UAAU,MAAM,EAChB,eAAe,MAAM,EACrB,QAAQ,MAAM,GAAG,IAAI,KACnB,OAAO,CAAC,WAAW,GAAG,IAAI,CAe5B,CAAC;AAEF;;;;;;;GAOG;AACH,eAAO,MAAM,0BAA0B,GACtC,MAAM,SAAS,EACf,UAAU,MAAM,EAChB,eAAe,MAAM,KACnB,OAAO,CAAC,WAAW,GAAG,IAAI,CAe5B,CAAC;AA8BF;;;;;;GAMG;AACH,eAAO,MAAM,uBAAuB,GACnC,MAAM,SAAS,EACf,eAAe,MAAM,KACnB,OAAO,CAAC,KAAK,CAAC,WAAW,CAAC,CAY5B,CAAC;AAEF;;;;GAIG;AACH,eAAO,MAAM,sCAAsC,GAClD,MAAM,SAAS,EACf,YAAY,MAAM,EAClB,cAAW,EACX,eAAU,KACR,OAAO,CAAC,KAAK,CAAC,WAAW,CAAC,CAS5B,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,+BAA+B,GAC3C,MAAM,SAAS,EACf,UAAU,MAAM,KACd,OAAO,CAAC,WAAW,GAAG,IAAI,CAY5B,CAAC;AAEF;;;;;;;GAOG;AACH,eAAO,MAAM,gCAAgC,GAC5C,MAAM,SAAS,KACb,OAAO,CAAC,KAAK,CAAC,WAAW,CAAC,CAU5B,CAAC;AAEF,sCAAsC;AACtC,MAAM,WAAW,gBAAgB;IAChC,QAAQ,EAAE,IAAI,CAAC;IACf,mGAAmG;IACnG,aAAa,EAAE,IAAI,CAAC;IACpB,gDAAgD;IAChD,EAAE,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CACnB;AAED,yHAAyH;AACzH,MAAM,WAAW,iBAAiB;IACjC,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,WAAW,CAAC;IACnB,4IAA4I;IAC5I,OAAO,EAAE,OAAO,CAAC;IACjB;;;;;OAKG;IACH,iBAAiB,EAAE,KAAK,CAAC,eAAe,CAAC,CAAC;IAC1C,sLAAsL;IACtL,YAAY,EAAE,KAAK,CAAC,aAAa,CAAC,CAAC;CACnC;AAED;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,eAAO,MAAM,kBAAkB,GAC9B,MAAM,SAAS,EACf,OAAO,gBAAgB,KACrB,OAAO,CAAC,iBAAiB,CAqK3B,CAAC"}
1
+ {"version":3,"file":"permit_offer_queries.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/permit_offer_queries.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,KAAK,EAAC,IAAI,EAAC,MAAM,wBAAwB,CAAC;AAEjD,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,qBAAqB,CAAC;AAEnD,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,qBAAqB,CAAC;AAEhD,OAAO,EAEN,KAAK,sBAAsB,EAC3B,KAAK,WAAW,EAChB,KAAK,eAAe,EACpB,MAAM,0BAA0B,CAAC;AAElC,OAAO,KAAK,EAAC,aAAa,EAAC,MAAM,uBAAuB,CAAC;AAEzD;;;;;GAKG;AACH,qBAAa,+BAAgC,SAAQ,KAAK;gBAC7C,QAAQ,EAAE,MAAM;CAI5B;AAED;;;;;GAKG;AACH,qBAAa,uBAAwB,SAAQ,KAAK;gBACrC,QAAQ,EAAE,MAAM;CAI5B;AAED;;;;;GAKG;AACH,qBAAa,wBAAyB,SAAQ,KAAK;gBACtC,QAAQ,EAAE,MAAM;CAI5B;AAED;;;;;;GAMG;AACH,qBAAa,0BAA2B,SAAQ,KAAK;;CAKpD;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,eAAO,MAAM,yBAAyB,GACrC,MAAM,SAAS,EACf,OAAO,sBAAsB,KAC3B,OAAO,CAAC,WAAW,CAyBrB,CAAC;AAEF;;;;;;;;;;GAUG;AACH,eAAO,MAAM,0BAA0B,GACtC,MAAM,SAAS,EACf,UAAU,MAAM,EAChB,eAAe,MAAM,EACrB,QAAQ,MAAM,GAAG,IAAI,KACnB,OAAO,CAAC,WAAW,GAAG,IAAI,CAe5B,CAAC;AAEF;;;;;;;;;;GAUG;AACH,eAAO,MAAM,0BAA0B,GACtC,MAAM,SAAS,EACf,UAAU,MAAM,EAChB,eAAe,MAAM,KACnB,OAAO,CAAC,WAAW,GAAG,IAAI,CAe5B,CAAC;AA8BF;;;;;;GAMG;AACH,eAAO,MAAM,uBAAuB,GACnC,MAAM,SAAS,EACf,eAAe,MAAM,KACnB,OAAO,CAAC,KAAK,CAAC,WAAW,CAAC,CAY5B,CAAC;AAEF;;;;GAIG;AACH,eAAO,MAAM,sCAAsC,GAClD,MAAM,SAAS,EACf,YAAY,MAAM,EAClB,cAAW,EACX,eAAU,KACR,OAAO,CAAC,KAAK,CAAC,WAAW,CAAC,CAS5B,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,+BAA+B,GAC3C,MAAM,SAAS,EACf,UAAU,MAAM,KACd,OAAO,CAAC,WAAW,GAAG,IAAI,CAY5B,CAAC;AAEF;;;;;;;GAOG;AACH,eAAO,MAAM,gCAAgC,GAC5C,MAAM,SAAS,KACb,OAAO,CAAC,KAAK,CAAC,WAAW,CAAC,CAU5B,CAAC;AAEF,sCAAsC;AACtC,MAAM,WAAW,gBAAgB;IAChC,QAAQ,EAAE,IAAI,CAAC;IACf,mGAAmG;IACnG,aAAa,EAAE,IAAI,CAAC;IACpB,gDAAgD;IAChD,EAAE,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CACnB;AAED,yHAAyH;AACzH,MAAM,WAAW,iBAAiB;IACjC,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,WAAW,CAAC;IACnB,4IAA4I;IAC5I,OAAO,EAAE,OAAO,CAAC;IACjB;;;;;OAKG;IACH,iBAAiB,EAAE,KAAK,CAAC,eAAe,CAAC,CAAC;IAC1C,sLAAsL;IACtL,YAAY,EAAE,KAAK,CAAC,aAAa,CAAC,CAAC;CACnC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA+BG;AACH,eAAO,MAAM,kBAAkB,GAC9B,MAAM,SAAS,EACf,OAAO,gBAAgB,KACrB,OAAO,CAAC,iBAAiB,CAqK3B,CAAC"}
package/dist/auth/permit_offer_queries.js CHANGED
@@ -77,6 +77,10 @@ export class PermitOfferSelfTargetError extends Error {
77
77
  *
78
78
  * Self-offer rejection: throws `PermitOfferSelfTargetError` if the offering
79
79
  * actor belongs to the recipient account.
80
+ *
81
+ * @mutates `permit_offer` table - inserts a new offer or upserts the matching pending row
82
+ * @throws PermitOfferSelfTargetError if the offering actor belongs to `to_account_id`
83
+ * @throws Error if the INSERT/UPSERT does not return a row (failed `assert_row` invariant)
80
84
  */
81
85
  export const query_permit_offer_create = async (deps, input) => {
82
86
  const actor = await query_actor_by_account(deps, input.to_account_id);
@@ -108,6 +112,9 @@ export const query_permit_offer_create = async (deps, input) => {
108
112
  * exist or belongs to a different account. Throws
109
113
  * `PermitOfferAlreadyTerminalError` if the offer exists for the caller but
110
114
  * is already in a terminal state.
115
+ *
116
+ * @mutates `permit_offer` row - sets `declined_at` and `decline_reason`
117
+ * @throws PermitOfferAlreadyTerminalError if the offer is already accepted, declined, retracted, or superseded
111
118
  */
112
119
  export const query_permit_offer_decline = async (deps, offer_id, to_account_id, reason) => {
113
120
  const updated = await deps.db.query_one(`UPDATE permit_offer
@@ -130,6 +137,9 @@ export const query_permit_offer_decline = async (deps, offer_id, to_account_id,
130
137
  * exist or was issued by a different actor. Throws
131
138
  * `PermitOfferAlreadyTerminalError` if the offer exists for this grantor
132
139
  * but is already in a terminal state.
140
+ *
141
+ * @mutates `permit_offer` row - sets `retracted_at`
142
+ * @throws PermitOfferAlreadyTerminalError if the offer is already accepted, declined, retracted, or superseded
133
143
  */
134
144
  export const query_permit_offer_retract = async (deps, offer_id, from_actor_id) => {
135
145
  const updated = await deps.db.query_one(`UPDATE permit_offer
@@ -248,6 +258,15 @@ export const query_permit_offer_sweep_expired = async (deps) => {
248
258
  * Sibling supersede is what closes the "accept a pre-revoke sibling offer
249
259
  * to bypass a revoke" path: once A is accepted, B/C/... can no longer be
250
260
  * accepted even if the resulting permit is later revoked.
261
+ *
262
+ * @mutates `permit_offer` row - stamps `accepted_at` and `resulting_permit_id`
263
+ * @mutates `permit` table - inserts the resulting permit (idempotent on race)
264
+ * @mutates `permit_offer` siblings - stamps `superseded_at` on every other pending offer for the tuple
265
+ * @mutates `audit_log` table - emits `permit_offer_accept` + `permit_grant` + one `permit_offer_supersede` per sibling
266
+ * @throws PermitOfferNotFoundError if the offer is missing or belongs to another recipient
267
+ * @throws PermitOfferAlreadyTerminalError if the offer is declined, retracted, or superseded
268
+ * @throws PermitOfferExpiredError if the offer is pending but past `expires_at`
269
+ * @throws Error if the accepting account has no actor (1:1 invariant) or invariant assertions fail
251
270
  */
252
271
  export const query_accept_offer = async (deps, input) => {
253
272
  const { offer_id, to_account_id, ip } = input;
package/dist/auth/permit_queries.d.ts CHANGED
@@ -24,6 +24,8 @@ import { type SupersededOffer } from './permit_offer_schema.js';
24
24
  * @param deps - query dependencies
25
25
  * @param input - the permit fields
26
26
  * @returns the created or existing active permit
27
+ * @mutates `permit` table - inserts a row when no active permit matches `(actor_id, role, scope_id)`
28
+ * @throws Error if the idempotent fallback `SELECT` does not return a row (failed `assert_row` invariant)
27
29
  */
28
30
  export declare const query_grant_permit: (deps: QueryDeps, input: GrantPermitInput) => Promise<Permit>;
29
31
  /**
@@ -79,6 +81,8 @@ export interface RevokePermitResult {
79
81
  * @param actor_id - the actor that must own the permit
80
82
  * @param revoked_by - the actor who revoked it (for audit trail)
81
83
  * @param reason - optional free-form reason, stamped on `permit.revoked_reason` and surfaced to the revokee notification.
84
+ * @mutates `permit` row - sets `revoked_at`, `revoked_by`, and `revoked_reason`
85
+ * @mutates `permit_offer` rows - stamps `superseded_at` on every pending sibling for the same `(account, role, scope)`
82
86
  */
83
87
  export declare const query_revoke_permit: (deps: QueryDeps, permit_id: Uuid, actor_id: Uuid, revoked_by: Uuid | null, reason?: string | null) => Promise<RevokePermitResult | null>;
84
88
  /**
@@ -157,6 +161,8 @@ export interface RevokeForScopeResult {
157
161
  * @param revoked_by - the actor performing the cascade (audit trail)
158
162
  * @param reason - optional free-form reason, stamped on `permit.revoked_reason`.
159
163
  * @returns the revoked permits (with `account_id` for fan-out) and superseded offers (with `from_account_id` for fan-out)
164
+ * @mutates `permit` table - sets `revoked_at`/`revoked_by`/`revoked_reason` on every active row at `scope_id`
165
+ * @mutates `permit_offer` table - stamps `superseded_at` on every pending row at `scope_id`
160
166
  */
161
167
  export declare const query_permit_revoke_for_scope: (deps: QueryDeps, scope_id: Uuid, revoked_by: Uuid | null, reason?: string | null) => Promise<RevokeForScopeResult>;
162
168
  /** Result of `query_permit_revoke_role` — every permit revoked plus the pending offers superseded by the bulk revoke. */
@@ -198,6 +204,8 @@ export interface RevokeRoleResult {
198
204
  * @param revoked_by - the actor who revoked it (for audit trail)
199
205
  * @param reason - optional free-form reason, stamped on `permit.revoked_reason`.
200
206
  * @returns the list of revoked permits (empty if none were active) and superseded pending offers
207
+ * @mutates `permit` table - sets `revoked_at`/`revoked_by`/`revoked_reason` on every active row for `(actor, role)`
208
+ * @mutates `permit_offer` table - stamps `superseded_at` on every matching pending offer
201
209
  */
202
210
  export declare const query_permit_revoke_role: (deps: QueryDeps, actor_id: string, role: string, revoked_by: string | null, reason?: string | null) => Promise<RevokeRoleResult>;
203
211
  //# sourceMappingURL=permit_queries.d.ts.map
package/dist/auth/permit_queries.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"permit_queries.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/permit_queries.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAC,IAAI,EAAC,MAAM,wBAAwB,CAAC;AAEjD,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,qBAAqB,CAAC;AACnD,OAAO,KAAK,EAAC,MAAM,EAAE,gBAAgB,EAAC,MAAM,qBAAqB,CAAC;AAElE,OAAO,EAAmC,KAAK,eAAe,EAAC,MAAM,0BAA0B,CAAC;AAEhG;;;;;;;;;;;;;;GAcG;AACH,eAAO,MAAM,kBAAkB,GAC9B,MAAM,SAAS,EACf,OAAO,gBAAgB,KACrB,OAAO,CAAC,MAAM,CA4BhB,CAAC;AAEF;;;;;;;;;;;;;;;GAeG;AACH,eAAO,MAAM,uCAAuC,GACnD,MAAM,SAAS,EACf,WAAW,MAAM,EACjB,UAAU,MAAM,KACd,OAAO,CAAC;IAAC,IAAI,EAAE,MAAM,CAAA;CAAC,GAAG,IAAI,CAO/B,CAAC;AAEF,6GAA6G;AAC7G,MAAM,WAAW,kBAAkB;IAClC,EAAE,EAAE,IAAI,CAAC;IACT,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,IAAI,GAAG,IAAI,CAAC;IACtB;;;;;;;;OAQG;IACH,iBAAiB,EAAE,KAAK,CAAC,eAAe,CAAC,CAAC;CAC1C;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,eAAO,MAAM,mBAAmB,GAC/B,MAAM,SAAS,EACf,WAAW,IAAI,EACf,UAAU,IAAI,EACd,YAAY,IAAI,GAAG,IAAI,EACvB,SAAS,MAAM,GAAG,IAAI,KACpB,OAAO,CAAC,kBAAkB,GAAG,IAAI,CAsCnC,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,kCAAkC,GAC9C,MAAM,SAAS,EACf,UAAU,MAAM,KACd,OAAO,CAAC,KAAK,CAAC,MAAM,CAAC,CASvB,CAAC;AAEF;;;;;;;;;GASG;AACH,eAAO,MAAM,qBAAqB,GACjC,MAAM,SAAS,EACf,UAAU,MAAM,EAChB,MAAM,MAAM,EACZ,WAAW,MAAM,GAAG,IAAI,KACtB,OAAO,CAAC,OAAO,CAajB,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,2BAA2B,GACvC,MAAM,SAAS,EACf,UAAU,MAAM,KACd,OAAO,CAAC,KAAK,CAAC,MAAM,CAAC,CAKvB,CAAC;AAEF;;;;;;;;GAQG;AACH,eAAO,MAAM,qCAAqC,GACjD,MAAM,SAAS,EACf,MAAM,MAAM,KACV,OAAO,CAAC,MAAM,GAAG,IAAI,CAavB,CAAC;AAEF,sIAAsI;AACtI,MAAM,WAAW,oBAAoB;IACpC;;;;OAIG;IACH,OAAO,EAAE,KAAK,CAAC;QAAC,SAAS,EAAE,IAAI,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,IAAI,CAAC;QAAC,UAAU,EAAE,IAAI,CAAA;KAAC,CAAC,CAAC;IAClF;;;;;;;;;;OAUG;IACH,iBAAiB,EAAE,KAAK,CAAC,eAAe,CAAC,CAAC;CAC1C;AAED;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,eAAO,MAAM,6BAA6B,GACzC,MAAM,SAAS,EACf,UAAU,IAAI,EACd,YAAY,IAAI,GAAG,IAAI,EACvB,SAAS,MAAM,GAAG,IAAI,KACpB,OAAO,CAAC,oBAAoB,CA2C9B,CAAC;AAEF,yHAAyH;AACzH,MAAM,WAAW,gBAAgB;IAChC;;;;OAIG;IACH,OAAO,EAAE,KAAK,CAAC;QAAC,SAAS,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;QAAC,UAAU,EAAE,MAAM,CAAA;KAAC,CAAC,CAAC;IAC/F;;;;;OAKG;IACH,iBAAiB,EAAE,KAAK,CAAC,eAAe,CAAC,CAAC;CAC1C;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,eAAO,MAAM,wBAAwB,GACpC,MAAM,SAAS,EACf,UAAU,MAAM,EAChB,MAAM,MAAM,EACZ,YAAY,MAAM,GAAG,IAAI,EACzB,SAAS,MAAM,GAAG,IAAI,KACpB,OAAO,CAAC,gBAAgB,CA2C1B,CAAC"}
1
+ {"version":3,"file":"permit_queries.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/permit_queries.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAC,IAAI,EAAC,MAAM,wBAAwB,CAAC;AAEjD,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,qBAAqB,CAAC;AACnD,OAAO,KAAK,EAAC,MAAM,EAAE,gBAAgB,EAAC,MAAM,qBAAqB,CAAC;AAElE,OAAO,EAAmC,KAAK,eAAe,EAAC,MAAM,0BAA0B,CAAC;AAEhG;;;;;;;;;;;;;;;;GAgBG;AACH,eAAO,MAAM,kBAAkB,GAC9B,MAAM,SAAS,EACf,OAAO,gBAAgB,KACrB,OAAO,CAAC,MAAM,CA4BhB,CAAC;AAEF;;;;;;;;;;;;;;;GAeG;AACH,eAAO,MAAM,uCAAuC,GACnD,MAAM,SAAS,EACf,WAAW,MAAM,EACjB,UAAU,MAAM,KACd,OAAO,CAAC;IAAC,IAAI,EAAE,MAAM,CAAA;CAAC,GAAG,IAAI,CAO/B,CAAC;AAEF,6GAA6G;AAC7G,MAAM,WAAW,kBAAkB;IAClC,EAAE,EAAE,IAAI,CAAC;IACT,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,IAAI,GAAG,IAAI,CAAC;IACtB;;;;;;;;OAQG;IACH,iBAAiB,EAAE,KAAK,CAAC,eAAe,CAAC,CAAC;CAC1C;AAED;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,eAAO,MAAM,mBAAmB,GAC/B,MAAM,SAAS,EACf,WAAW,IAAI,EACf,UAAU,IAAI,EACd,YAAY,IAAI,GAAG,IAAI,EACvB,SAAS,MAAM,GAAG,IAAI,KACpB,OAAO,CAAC,kBAAkB,GAAG,IAAI,CAsCnC,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,kCAAkC,GAC9C,MAAM,SAAS,EACf,UAAU,MAAM,KACd,OAAO,CAAC,KAAK,CAAC,MAAM,CAAC,CASvB,CAAC;AAEF;;;;;;;;;GASG;AACH,eAAO,MAAM,qBAAqB,GACjC,MAAM,SAAS,EACf,UAAU,MAAM,EAChB,MAAM,MAAM,EACZ,WAAW,MAAM,GAAG,IAAI,KACtB,OAAO,CAAC,OAAO,CAajB,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,2BAA2B,GACvC,MAAM,SAAS,EACf,UAAU,MAAM,KACd,OAAO,CAAC,KAAK,CAAC,MAAM,CAAC,CAKvB,CAAC;AAEF;;;;;;;;GAQG;AACH,eAAO,MAAM,qCAAqC,GACjD,MAAM,SAAS,EACf,MAAM,MAAM,KACV,OAAO,CAAC,MAAM,GAAG,IAAI,CAavB,CAAC;AAEF,sIAAsI;AACtI,MAAM,WAAW,oBAAoB;IACpC;;;;OAIG;IACH,OAAO,EAAE,KAAK,CAAC;QAAC,SAAS,EAAE,IAAI,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,IAAI,CAAC;QAAC,UAAU,EAAE,IAAI,CAAA;KAAC,CAAC,CAAC;IAClF;;;;;;;;;;OAUG;IACH,iBAAiB,EAAE,KAAK,CAAC,eAAe,CAAC,CAAC;CAC1C;AAED;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,eAAO,MAAM,6BAA6B,GACzC,MAAM,SAAS,EACf,UAAU,IAAI,EACd,YAAY,IAAI,GAAG,IAAI,EACvB,SAAS,MAAM,GAAG,IAAI,KACpB,OAAO,CAAC,oBAAoB,CA2C9B,CAAC;AAEF,yHAAyH;AACzH,MAAM,WAAW,gBAAgB;IAChC;;;;OAIG;IACH,OAAO,EAAE,KAAK,CAAC;QAAC,SAAS,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;QAAC,UAAU,EAAE,MAAM,CAAA;KAAC,CAAC,CAAC;IAC/F;;;;;OAKG;IACH,iBAAiB,EAAE,KAAK,CAAC,eAAe,CAAC,CAAC;CAC1C;AAED;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,eAAO,MAAM,wBAAwB,GACpC,MAAM,SAAS,EACf,UAAU,MAAM,EAChB,MAAM,MAAM,EACZ,YAAY,MAAM,GAAG,IAAI,EACzB,SAAS,MAAM,GAAG,IAAI,KACpB,OAAO,CAAC,gBAAgB,CA2C1B,CAAC"}
package/dist/auth/permit_queries.js CHANGED
@@ -22,6 +22,8 @@ import { PERMIT_OFFER_SCOPE_SENTINEL_UUID } from './permit_offer_schema.js';
22
22
  * @param deps - query dependencies
23
23
  * @param input - the permit fields
24
24
  * @returns the created or existing active permit
25
+ * @mutates `permit` table - inserts a row when no active permit matches `(actor_id, role, scope_id)`
26
+ * @throws Error if the idempotent fallback `SELECT` does not return a row (failed `assert_row` invariant)
25
27
  */
26
28
  export const query_grant_permit = async (deps, input) => {
27
29
  const inserted = await deps.db.query_one(`INSERT INTO permit (actor_id, role, scope_id, expires_at, granted_by, source_offer_id)
@@ -86,6 +88,8 @@ export const query_permit_find_active_role_for_actor = async (deps, permit_id, a
86
88
  * @param actor_id - the actor that must own the permit
87
89
  * @param revoked_by - the actor who revoked it (for audit trail)
88
90
  * @param reason - optional free-form reason, stamped on `permit.revoked_reason` and surfaced to the revokee notification.
91
+ * @mutates `permit` row - sets `revoked_at`, `revoked_by`, and `revoked_reason`
92
+ * @mutates `permit_offer` rows - stamps `superseded_at` on every pending sibling for the same `(account, role, scope)`
89
93
  */
90
94
  export const query_revoke_permit = async (deps, permit_id, actor_id, revoked_by, reason) => {
91
95
  const rows = await deps.db.query(`UPDATE permit SET revoked_at = NOW(), revoked_by = $3, revoked_reason = $4
@@ -199,6 +203,8 @@ export const query_permit_find_account_id_for_role = async (deps, role) => {
199
203
  * @param revoked_by - the actor performing the cascade (audit trail)
200
204
  * @param reason - optional free-form reason, stamped on `permit.revoked_reason`.
201
205
  * @returns the revoked permits (with `account_id` for fan-out) and superseded offers (with `from_account_id` for fan-out)
206
+ * @mutates `permit` table - sets `revoked_at`/`revoked_by`/`revoked_reason` on every active row at `scope_id`
207
+ * @mutates `permit_offer` table - stamps `superseded_at` on every pending row at `scope_id`
202
208
  */
203
209
  export const query_permit_revoke_for_scope = async (deps, scope_id, revoked_by, reason) => {
204
210
  // Revoke every active permit at the scope. CTE pulls `account_id` via a
@@ -251,6 +257,8 @@ export const query_permit_revoke_for_scope = async (deps, scope_id, revoked_by,
251
257
  * @param revoked_by - the actor who revoked it (for audit trail)
252
258
  * @param reason - optional free-form reason, stamped on `permit.revoked_reason`.
253
259
  * @returns the list of revoked permits (empty if none were active) and superseded pending offers
260
+ * @mutates `permit` table - sets `revoked_at`/`revoked_by`/`revoked_reason` on every active row for `(actor, role)`
261
+ * @mutates `permit_offer` table - stamps `superseded_at` on every matching pending offer
254
262
  */
255
263
  export const query_permit_revoke_role = async (deps, actor_id, role, revoked_by, reason) => {
256
264
  // CTE pulls the revokee's `account_id` via a join on `actor` so callers
package/dist/auth/request_context.d.ts CHANGED
@@ -77,6 +77,7 @@ export declare const has_role: (ctx: RequestContext, role: string, now?: Date) =
77
77
  * @param deps - query dependencies (pool-level db for middleware)
78
78
  * @param log - the logger instance
79
79
  * @param session_context_key - the Hono context key where session middleware stored the session token
80
+ * @mutates Hono context - sets `REQUEST_CONTEXT_KEY`, `CREDENTIAL_TYPE_KEY`, `AUTH_SESSION_TOKEN_HASH_KEY`, and `AUTH_API_TOKEN_ID_KEY`
80
81
  */
81
82
  export declare const create_request_context_middleware: (deps: QueryDeps, log: Logger, session_context_key?: string) => MiddlewareHandler;
82
83
  /**
package/dist/auth/request_context.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"request_context.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/request_context.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,KAAK,EAAC,OAAO,EAAE,iBAAiB,EAAC,MAAM,MAAM,CAAC;AACrD,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAEpD,OAAO,EAAC,KAAK,OAAO,EAAE,KAAK,KAAK,EAAoB,KAAK,MAAM,EAAC,MAAM,qBAAqB,CAAC;AAQ5F,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,qBAAqB,CAAC;AAOnD,kEAAkE;AAClE,MAAM,WAAW,cAAc;IAC9B,OAAO,EAAE,OAAO,CAAC;IACjB,KAAK,EAAE,KAAK,CAAC;IACb,OAAO,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;CACvB;AAED,0DAA0D;AAC1D,eAAO,MAAM,mBAAmB,oBAAoB,CAAC;AAErD;;;;;;;;GAQG;AACH,eAAO,MAAM,2BAA2B,4BAA4B,CAAC;AAErE;;;;;GAKG;AACH,eAAO,MAAM,mBAAmB,GAAI,GAAG,OAAO,KAAG,cAAc,GAAG,IAEjE,CAAC;AAEF;;;;;;;;;;GAUG;AACH,eAAO,MAAM,uBAAuB,GAAI,GAAG,OAAO,KAAG,cAMpD,CAAC;AAEF;;;;;;;;;GASG;AACH,eAAO,MAAM,QAAQ,GAAI,KAAK,cAAc,EAAE,MAAM,MAAM,EAAE,MAAK,IAAiB,KAAG,OAChB,CAAC;AAEtE;;;;;;;;;;;;;;GAcG;AACH,eAAO,MAAM,iCAAiC,GAC7C,MAAM,SAAS,EACf,KAAK,MAAM,EACX,4BAAuC,KACrC,iBA6CF,CAAC;AAEF;;;;GAIG;AACH,eAAO,MAAM,YAAY,EAAE,iBAM1B,CAAC;AAEF;;;;;;GAMG;AACH,eAAO,MAAM,YAAY,GAAI,MAAM,MAAM,KAAG,iBAW3C,CAAC;AAEF;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,eAAe,GAC3B,KAAK,cAAc,EACnB,MAAM,SAAS,KACb,OAAO,CAAC,cAAc,CAGxB,CAAC;AAEF;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,qBAAqB,GACjC,MAAM,SAAS,EACf,YAAY,MAAM,KAChB,OAAO,CAAC,cAAc,GAAG,IAAI,CAS/B,CAAC"}
1
+ {"version":3,"file":"request_context.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/request_context.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,KAAK,EAAC,OAAO,EAAE,iBAAiB,EAAC,MAAM,MAAM,CAAC;AACrD,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAEpD,OAAO,EAAC,KAAK,OAAO,EAAE,KAAK,KAAK,EAAoB,KAAK,MAAM,EAAC,MAAM,qBAAqB,CAAC;AAQ5F,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,qBAAqB,CAAC;AAOnD,kEAAkE;AAClE,MAAM,WAAW,cAAc;IAC9B,OAAO,EAAE,OAAO,CAAC;IACjB,KAAK,EAAE,KAAK,CAAC;IACb,OAAO,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;CACvB;AAED,0DAA0D;AAC1D,eAAO,MAAM,mBAAmB,oBAAoB,CAAC;AAErD;;;;;;;;GAQG;AACH,eAAO,MAAM,2BAA2B,4BAA4B,CAAC;AAErE;;;;;GAKG;AACH,eAAO,MAAM,mBAAmB,GAAI,GAAG,OAAO,KAAG,cAAc,GAAG,IAEjE,CAAC;AAEF;;;;;;;;;;GAUG;AACH,eAAO,MAAM,uBAAuB,GAAI,GAAG,OAAO,KAAG,cAMpD,CAAC;AAEF;;;;;;;;;GASG;AACH,eAAO,MAAM,QAAQ,GAAI,KAAK,cAAc,EAAE,MAAM,MAAM,EAAE,MAAK,IAAiB,KAAG,OAChB,CAAC;AAEtE;;;;;;;;;;;;;;;GAeG;AACH,eAAO,MAAM,iCAAiC,GAC7C,MAAM,SAAS,EACf,KAAK,MAAM,EACX,4BAAuC,KACrC,iBA6CF,CAAC;AAEF;;;;GAIG;AACH,eAAO,MAAM,YAAY,EAAE,iBAM1B,CAAC;AAEF;;;;;;GAMG;AACH,eAAO,MAAM,YAAY,GAAI,MAAM,MAAM,KAAG,iBAW3C,CAAC;AAEF;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,eAAe,GAC3B,KAAK,cAAc,EACnB,MAAM,SAAS,KACb,OAAO,CAAC,cAAc,CAGxB,CAAC;AAEF;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,qBAAqB,GACjC,MAAM,SAAS,EACf,YAAY,MAAM,KAChB,OAAO,CAAC,cAAc,GAAG,IAAI,CAS/B,CAAC"}
package/dist/auth/request_context.js CHANGED
@@ -81,6 +81,7 @@ export const has_role = (ctx, role, now = new Date()) => ctx.permits.some((p) =>
81
81
  * @param deps - query dependencies (pool-level db for middleware)
82
82
  * @param log - the logger instance
83
83
  * @param session_context_key - the Hono context key where session middleware stored the session token
84
+ * @mutates Hono context - sets `REQUEST_CONTEXT_KEY`, `CREDENTIAL_TYPE_KEY`, `AUTH_SESSION_TOKEN_HASH_KEY`, and `AUTH_API_TOKEN_ID_KEY`
84
85
  */
85
86
  export const create_request_context_middleware = (deps, log, session_context_key = 'auth_session_id') => {
86
87
  return async (c, next) => {
package/dist/auth/role_schema.d.ts CHANGED
@@ -64,6 +64,8 @@ export interface RoleSchemaResult {
64
64
  * @param app_roles - app-defined roles with optional config overrides
65
65
  * @returns `{Role, role_options}` — Zod schema and full config map
66
66
  *
67
+ * @throws Error if any `app_roles` key fails the `RoleName` regex or collides with a builtin role
68
+ *
67
69
  * @example
68
70
  * ```ts
69
71
  * // visiones
package/dist/auth/role_schema.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"role_schema.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/role_schema.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAEtB,0FAA0F;AAC1F,eAAO,MAAM,QAAQ,aAKnB,CAAC;AACH,MAAM,MAAM,QAAQ,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,QAAQ,CAAC,CAAC;AAIhD,sFAAsF;AACtF,eAAO,MAAM,WAAW,WAAW,CAAC;AAEpC,+EAA+E;AAC/E,eAAO,MAAM,UAAU,UAAU,CAAC;AAElC,+CAA+C;AAC/C,eAAO,MAAM,aAAa,8BAAqC,CAAC;AAEhE,yCAAyC;AACzC,eAAO,MAAM,WAAW;;;EAAwB,CAAC;AACjD,MAAM,MAAM,WAAW,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,WAAW,CAAC,CAAC;AAItD;;;;;GAKG;AACH,MAAM,WAAW,WAAW;IAC3B,iGAAiG;IACjG,qBAAqB,CAAC,EAAE,OAAO,CAAC;IAChC,0EAA0E;IAC1E,aAAa,CAAC,EAAE,OAAO,CAAC;CACxB;AAED;;;;;;;;;GASG;AACH,eAAO,MAAM,oBAAoB,EAAE,WAAW,CAAC,MAAM,EAAE,QAAQ,CAAC,WAAW,CAAC,CAG1E,CAAC;AAEH,sFAAsF;AACtF,MAAM,WAAW,gBAAgB;IAChC,sGAAsG;IACtG,IAAI,EAAE,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IACxB,2EAA2E;IAC3E,YAAY,EAAE,WAAW,CAAC,MAAM,EAAE,QAAQ,CAAC,WAAW,CAAC,CAAC,CAAC;CACzD;AAED;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,eAAO,MAAM,kBAAkB,GAAI,CAAC,SAAS,MAAM,EAClD,WAAW,MAAM,CAAC,CAAC,EAAE,WAAW,CAAC,KAC/B,gBAwBF,CAAC"}
1
+ {"version":3,"file":"role_schema.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/role_schema.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAEtB,0FAA0F;AAC1F,eAAO,MAAM,QAAQ,aAKnB,CAAC;AACH,MAAM,MAAM,QAAQ,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,QAAQ,CAAC,CAAC;AAIhD,sFAAsF;AACtF,eAAO,MAAM,WAAW,WAAW,CAAC;AAEpC,+EAA+E;AAC/E,eAAO,MAAM,UAAU,UAAU,CAAC;AAElC,+CAA+C;AAC/C,eAAO,MAAM,aAAa,8BAAqC,CAAC;AAEhE,yCAAyC;AACzC,eAAO,MAAM,WAAW;;;EAAwB,CAAC;AACjD,MAAM,MAAM,WAAW,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,WAAW,CAAC,CAAC;AAItD;;;;;GAKG;AACH,MAAM,WAAW,WAAW;IAC3B,iGAAiG;IACjG,qBAAqB,CAAC,EAAE,OAAO,CAAC;IAChC,0EAA0E;IAC1E,aAAa,CAAC,EAAE,OAAO,CAAC;CACxB;AAED;;;;;;;;;GASG;AACH,eAAO,MAAM,oBAAoB,EAAE,WAAW,CAAC,MAAM,EAAE,QAAQ,CAAC,WAAW,CAAC,CAG1E,CAAC;AAEH,sFAAsF;AACtF,MAAM,WAAW,gBAAgB;IAChC,sGAAsG;IACtG,IAAI,EAAE,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IACxB,2EAA2E;IAC3E,YAAY,EAAE,WAAW,CAAC,MAAM,EAAE,QAAQ,CAAC,WAAW,CAAC,CAAC,CAAC;CACzD;AAED;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,eAAO,MAAM,kBAAkB,GAAI,CAAC,SAAS,MAAM,EAClD,WAAW,MAAM,CAAC,CAAC,EAAE,WAAW,CAAC,KAC/B,gBAwBF,CAAC"}
package/dist/auth/role_schema.js CHANGED
@@ -46,6 +46,8 @@ export const BUILTIN_ROLE_OPTIONS = new Map([
46
46
  * @param app_roles - app-defined roles with optional config overrides
47
47
  * @returns `{Role, role_options}` — Zod schema and full config map
48
48
  *
49
+ * @throws Error if any `app_roles` key fails the `RoleName` regex or collides with a builtin role
50
+ *
49
51
  * @example
50
52
  * ```ts
51
53
  * // visiones
package/dist/auth/self_service_role_actions.d.ts CHANGED
@@ -62,6 +62,7 @@ export type SelfServiceRoleActionDeps = Pick<RouteFactoryDeps, 'log' | 'on_audit
62
62
  * @param deps - `SelfServiceRoleActionDeps` slice of `AppDeps` (`log`, `on_audit_event`, optional `audit_log_config`)
63
63
  * @param options - eligible-role allowlist plus optional role schema for typo-checking
64
64
  * @returns the `RpcAction` array to spread into a `create_rpc_endpoint` call
65
+ * @throws Error at factory time if any `eligible_roles` entry is missing from `options.roles.role_options`
65
66
  */
66
67
  export declare const create_self_service_role_actions: (deps: SelfServiceRoleActionDeps, options: SelfServiceRoleActionsOptions) => Array<RpcAction>;
67
68
  //# sourceMappingURL=self_service_role_actions.d.ts.map
package/dist/auth/self_service_role_actions.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"self_service_role_actions.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/self_service_role_actions.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAgCG;AAEH,OAAO,EAAiC,KAAK,SAAS,EAAC,MAAM,0BAA0B,CAAC;AAExF,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,kBAAkB,CAAC;AACvD,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,WAAW,CAAC;AAgBhD,sDAAsD;AACtD,MAAM,WAAW,6BAA6B;IAC7C;;;;OAIG;IACH,cAAc,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IACtC;;;;OAIG;IACH,KAAK,CAAC,EAAE,gBAAgB,CAAC;CACzB;AAED;;;;;GAKG;AACH,MAAM,MAAM,yBAAyB,GAAG,IAAI,CAC3C,gBAAgB,EAChB,KAAK,GAAG,gBAAgB,GAAG,kBAAkB,CAC7C,CAAC;AAOF;;;;;;GAMG;AACH,eAAO,MAAM,gCAAgC,GAC5C,MAAM,yBAAyB,EAC/B,SAAS,6BAA6B,KACpC,KAAK,CAAC,SAAS,CA4GjB,CAAC"}
1
+ {"version":3,"file":"self_service_role_actions.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/self_service_role_actions.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAgCG;AAEH,OAAO,EAAiC,KAAK,SAAS,EAAC,MAAM,0BAA0B,CAAC;AAExF,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,kBAAkB,CAAC;AACvD,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,WAAW,CAAC;AAgBhD,sDAAsD;AACtD,MAAM,WAAW,6BAA6B;IAC7C;;;;OAIG;IACH,cAAc,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IACtC;;;;OAIG;IACH,KAAK,CAAC,EAAE,gBAAgB,CAAC;CACzB;AAED;;;;;GAKG;AACH,MAAM,MAAM,yBAAyB,GAAG,IAAI,CAC3C,gBAAgB,EAChB,KAAK,GAAG,gBAAgB,GAAG,kBAAkB,CAC7C,CAAC;AAOF;;;;;;;GAOG;AACH,eAAO,MAAM,gCAAgC,GAC5C,MAAM,yBAAyB,EAC/B,SAAS,6BAA6B,KACpC,KAAK,CAAC,SAAS,CA4GjB,CAAC"}
package/dist/auth/self_service_role_actions.js CHANGED
@@ -47,6 +47,7 @@ const require_request_auth = (auth) => {
47
47
  * @param deps - `SelfServiceRoleActionDeps` slice of `AppDeps` (`log`, `on_audit_event`, optional `audit_log_config`)
48
48
  * @param options - eligible-role allowlist plus optional role schema for typo-checking
49
49
  * @returns the `RpcAction` array to spread into a `create_rpc_endpoint` call
50
+ * @throws Error at factory time if any `eligible_roles` entry is missing from `options.roles.role_options`
50
51
  */
51
52
  export const create_self_service_role_actions = (deps, options) => {
52
53
  const eligible = new Set(options.eligible_roles);
package/dist/auth/session_lifecycle.d.ts CHANGED
@@ -30,6 +30,9 @@ export interface CreateSessionAndSetCookieOptions {
30
30
  * Shared by login and bootstrap — generates a token, hashes it, persists
31
31
  * the session row, optionally enforces a per-account session limit, and
32
32
  * sets the signed cookie.
33
+ *
34
+ * @mutates `auth_session` table - inserts the new session row (and evicts older rows when `max_sessions` is set)
35
+ * @mutates `options.c` - writes the signed session cookie via `Set-Cookie`
33
36
  */
34
37
  export declare const create_session_and_set_cookie: (options: CreateSessionAndSetCookieOptions) => Promise<void>;
35
38
  //# sourceMappingURL=session_lifecycle.d.ts.map
package/dist/auth/session_lifecycle.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"session_lifecycle.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/session_lifecycle.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAC,OAAO,EAAC,MAAM,MAAM,CAAC;AAElC,OAAO,KAAK,EAAC,OAAO,EAAC,MAAM,cAAc,CAAC;AAC1C,OAAO,EAA8B,KAAK,cAAc,EAAC,MAAM,qBAAqB,CAAC;AASrF,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,qBAAqB,CAAC;AAEnD;;GAEG;AACH,MAAM,WAAW,gCAAgC;IAChD,kCAAkC;IAClC,OAAO,EAAE,OAAO,CAAC;IACjB,kDAAkD;IAClD,IAAI,EAAE,SAAS,CAAC;IAChB,2CAA2C;IAC3C,CAAC,EAAE,OAAO,CAAC;IACX,2CAA2C;IAC3C,UAAU,EAAE,MAAM,CAAC;IACnB,oCAAoC;IACpC,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,4DAA4D;IAC5D,YAAY,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CAC7B;AAED;;;;;;GAMG;AACH,eAAO,MAAM,6BAA6B,GACzC,SAAS,gCAAgC,KACvC,OAAO,CAAC,IAAI,CAad,CAAC"}
1
+ {"version":3,"file":"session_lifecycle.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/session_lifecycle.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAC,OAAO,EAAC,MAAM,MAAM,CAAC;AAElC,OAAO,KAAK,EAAC,OAAO,EAAC,MAAM,cAAc,CAAC;AAC1C,OAAO,EAA8B,KAAK,cAAc,EAAC,MAAM,qBAAqB,CAAC;AASrF,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,qBAAqB,CAAC;AAEnD;;GAEG;AACH,MAAM,WAAW,gCAAgC;IAChD,kCAAkC;IAClC,OAAO,EAAE,OAAO,CAAC;IACjB,kDAAkD;IAClD,IAAI,EAAE,SAAS,CAAC;IAChB,2CAA2C;IAC3C,CAAC,EAAE,OAAO,CAAC;IACX,2CAA2C;IAC3C,UAAU,EAAE,MAAM,CAAC;IACnB,oCAAoC;IACpC,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,4DAA4D;IAC5D,YAAY,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CAC7B;AAED;;;;;;;;;GASG;AACH,eAAO,MAAM,6BAA6B,GACzC,SAAS,gCAAgC,KACvC,OAAO,CAAC,IAAI,CAad,CAAC"}
package/dist/auth/session_lifecycle.js CHANGED
@@ -12,6 +12,9 @@ import { generate_session_token, hash_session_token, AUTH_SESSION_LIFETIME_MS, q
12
12
  * Shared by login and bootstrap — generates a token, hashes it, persists
13
13
  * the session row, optionally enforces a per-account session limit, and
14
14
  * sets the signed cookie.
15
+ *
16
+ * @mutates `auth_session` table - inserts the new session row (and evicts older rows when `max_sessions` is set)
17
+ * @mutates `options.c` - writes the signed session cookie via `Set-Cookie`
15
18
  */
16
19
  export const create_session_and_set_cookie = async (options) => {
17
20
  const { keyring, deps, c, account_id, session_options, max_sessions } = options;
package/dist/auth/session_middleware.d.ts CHANGED
@@ -14,10 +14,14 @@ import { type SessionOptions } from './session_cookie.js';
14
14
  export declare const get_session_cookie: <T>(c: Context, options: SessionOptions<T>) => string | undefined;
15
15
  /**
16
16
  * Set the session cookie on a response.
17
+ *
18
+ * @mutates `c` - writes the `Set-Cookie` header
17
19
  */
18
20
  export declare const set_session_cookie: <T>(c: Context, value: string, options: SessionOptions<T>) => void;
19
21
  /**
20
22
  * Clear the session cookie on a response.
23
+ *
24
+ * @mutates `c` - writes a cookie-clearing `Set-Cookie` header
21
25
  */
22
26
  export declare const clear_session_cookie: <T>(c: Context, options: SessionOptions<T>) => void;
23
27
  /**
@@ -28,6 +32,7 @@ export declare const clear_session_cookie: <T>(c: Context, options: SessionOptio
28
32
  *
29
33
  * @param keyring - key ring for cookie verification
30
34
  * @param options - session configuration
35
+ * @mutates Hono context - sets `options.context_key` and may refresh or clear the session cookie
31
36
  */
32
37
  export declare const create_session_middleware: <TIdentity>(keyring: Keyring, options: SessionOptions<TIdentity>) => MiddlewareHandler;
33
38
  //# sourceMappingURL=session_middleware.d.ts.map
package/dist/auth/session_middleware.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"session_middleware.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/session_middleware.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAC,OAAO,EAAE,iBAAiB,EAAC,MAAM,MAAM,CAAC;AAGrD,OAAO,KAAK,EAAC,OAAO,EAAC,MAAM,cAAc,CAAC;AAC1C,OAAO,EACN,KAAK,cAAc,EAInB,MAAM,qBAAqB,CAAC;AAE7B;;GAEG;AACH,eAAO,MAAM,kBAAkB,GAAI,CAAC,EACnC,GAAG,OAAO,EACV,SAAS,cAAc,CAAC,CAAC,CAAC,KACxB,MAAM,GAAG,SAEX,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,kBAAkB,GAAI,CAAC,EACnC,GAAG,OAAO,EACV,OAAO,MAAM,EACb,SAAS,cAAc,CAAC,CAAC,CAAC,KACxB,IASF,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,oBAAoB,GAAI,CAAC,EAAE,GAAG,OAAO,EAAE,SAAS,cAAc,CAAC,CAAC,CAAC,KAAG,IAMhF,CAAC;AAEF;;;;;;;;GAQG;AACH,eAAO,MAAM,yBAAyB,GAAI,SAAS,EAClD,SAAS,OAAO,EAChB,SAAS,cAAc,CAAC,SAAS,CAAC,KAChC,iBAgBF,CAAC"}
1
+ {"version":3,"file":"session_middleware.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/session_middleware.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,KAAK,EAAC,OAAO,EAAE,iBAAiB,EAAC,MAAM,MAAM,CAAC;AAGrD,OAAO,KAAK,EAAC,OAAO,EAAC,MAAM,cAAc,CAAC;AAC1C,OAAO,EACN,KAAK,cAAc,EAInB,MAAM,qBAAqB,CAAC;AAE7B;;GAEG;AACH,eAAO,MAAM,kBAAkB,GAAI,CAAC,EACnC,GAAG,OAAO,EACV,SAAS,cAAc,CAAC,CAAC,CAAC,KACxB,MAAM,GAAG,SAEX,CAAC;AAEF;;;;GAIG;AACH,eAAO,MAAM,kBAAkB,GAAI,CAAC,EACnC,GAAG,OAAO,EACV,OAAO,MAAM,EACb,SAAS,cAAc,CAAC,CAAC,CAAC,KACxB,IASF,CAAC;AAEF;;;;GAIG;AACH,eAAO,MAAM,oBAAoB,GAAI,CAAC,EAAE,GAAG,OAAO,EAAE,SAAS,cAAc,CAAC,CAAC,CAAC,KAAG,IAMhF,CAAC;AAEF;;;;;;;;;GASG;AACH,eAAO,MAAM,yBAAyB,GAAI,SAAS,EAClD,SAAS,OAAO,EAChB,SAAS,cAAc,CAAC,SAAS,CAAC,KAChC,iBAgBF,CAAC"}
package/dist/auth/session_middleware.js CHANGED
@@ -15,6 +15,8 @@ export const get_session_cookie = (c, options) => {
15
15
  };
16
16
  /**
17
17
  * Set the session cookie on a response.
18
+ *
19
+ * @mutates `c` - writes the `Set-Cookie` header
18
20
  */
19
21
  export const set_session_cookie = (c, value, options) => {
20
22
  const cookie_options = {
@@ -28,6 +30,8 @@ export const set_session_cookie = (c, value, options) => {
28
30
  };
29
31
  /**
30
32
  * Clear the session cookie on a response.
33
+ *
34
+ * @mutates `c` - writes a cookie-clearing `Set-Cookie` header
31
35
  */
32
36
  export const clear_session_cookie = (c, options) => {
33
37
  const cookie_options = {
@@ -44,6 +48,7 @@ export const clear_session_cookie = (c, options) => {
44
48
  *
45
49
  * @param keyring - key ring for cookie verification
46
50
  * @param options - session configuration
51
+ * @mutates Hono context - sets `options.context_key` and may refresh or clear the session cookie
47
52
  */
48
53
  export const create_session_middleware = (keyring, options) => {
49
54
  return async (c, next) => {
package/dist/auth/session_queries.d.ts CHANGED
@@ -33,6 +33,7 @@ export declare const generate_session_token: () => string;
33
33
  * @param token_hash - blake3 hash of the session token (use `hash_session_token`)
34
34
  * @param account_id - the account this session belongs to
35
35
  * @param expires_at - when the session expires
36
+ * @mutates `auth_session` table - inserts a row keyed by `token_hash`
36
37
  */
37
38
  export declare const query_create_session: (deps: QueryDeps, token_hash: string, account_id: string, expires_at: Date) => Promise<void>;
38
39
  /**
@@ -49,6 +50,7 @@ export declare const query_session_get_valid: (deps: QueryDeps, token_hash: stri
49
50
  *
50
51
  * @param deps - query dependencies
51
52
  * @param token_hash - blake3 hash of the session token
53
+ * @mutates `auth_session` row - updates `last_seen_at` and conditionally `expires_at`
52
54
  */
53
55
  export declare const query_session_touch: (deps: QueryDeps, token_hash: string) => Promise<void>;
54
56
  /**
@@ -60,6 +62,8 @@ export declare const query_session_touch: (deps: QueryDeps, token_hash: string)
60
62
  * caller — see `auth/account_routes.ts` `/logout`). For user-facing revocation
61
63
  * of a specific session by ID, use `query_session_revoke_for_account`
62
64
  * (IDOR-guarded).
65
+ *
66
+ * @mutates `auth_session` table - deletes the row keyed by `token_hash`
63
67
  */
64
68
  export declare const query_session_revoke_by_hash_unscoped: (deps: QueryDeps, token_hash: string) => Promise<void>;
65
69
  /**
@@ -71,12 +75,14 @@ export declare const query_session_revoke_by_hash_unscoped: (deps: QueryDeps, to
71
75
  * @param token_hash - blake3 hash of the session token
72
76
  * @param account_id - the account that must own the session
73
77
  * @returns `true` if a session was revoked, `false` if not found or wrong account
78
+ * @mutates `auth_session` table - deletes the row when account ownership matches
74
79
  */
75
80
  export declare const query_session_revoke_for_account: (deps: QueryDeps, token_hash: string, account_id: string) => Promise<boolean>;
76
81
  /**
77
82
  * Revoke all sessions for an account.
78
83
  *
79
84
  * @returns the number of sessions revoked
85
+ * @mutates `auth_session` table - deletes every row for `account_id`
80
86
  */
81
87
  export declare const query_session_revoke_all_for_account: (deps: QueryDeps, account_id: string) => Promise<number>;
82
88
  /**
@@ -104,6 +110,7 @@ export declare const query_session_list_for_account: (deps: QueryDeps, account_i
104
110
  * @param account_id - the account to enforce the limit for
105
111
  * @param max_sessions - maximum number of sessions to keep
106
112
  * @returns the number of sessions evicted
113
+ * @mutates `auth_session` table - deletes the oldest rows past the cap
107
114
  */
108
115
  export declare const query_session_enforce_limit: (deps: QueryDeps, account_id: string, max_sessions: number) => Promise<number>;
109
116
  /**
@@ -120,6 +127,7 @@ export declare const query_session_list_all_active: (deps: QueryDeps, limit?: nu
120
127
  * Delete expired sessions.
121
128
  *
122
129
  * @returns the number of sessions cleaned up
130
+ * @mutates `auth_session` table - deletes every row past `expires_at`
123
131
  */
124
132
  export declare const query_session_cleanup_expired: (deps: QueryDeps) => Promise<number>;
125
133
  /**
@@ -134,6 +142,7 @@ export declare const query_session_cleanup_expired: (deps: QueryDeps) => Promise
134
142
  * @param pending_effects - optional array to register the effect for later awaiting
135
143
  * @param log - the logger instance
136
144
  * @returns the settled promise (callers may ignore it — fire-and-forget semantics preserved)
145
+ * @mutates `pending_effects` - pushes the in-flight settled promise when provided
137
146
  */
138
147
  export declare const session_touch_fire_and_forget: (deps: QueryDeps, token_hash: string, pending_effects: Array<Promise<void>> | undefined, log: Logger) => Promise<void>;
139
148
  //# sourceMappingURL=session_queries.d.ts.map
package/dist/auth/session_queries.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"session_queries.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/session_queries.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAGH,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAGpD,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,qBAAqB,CAAC;AACnD,OAAO,KAAK,EAAC,WAAW,EAAC,MAAM,qBAAqB,CAAC;AAErD,kDAAkD;AAClD,eAAO,MAAM,wBAAwB,QAA2B,CAAC;AAEjE,yEAAyE;AACzE,eAAO,MAAM,gCAAgC,QAAsB,CAAC;AAEpE;;;;;GAKG;AACH,eAAO,MAAM,kBAAkB,GAAI,OAAO,MAAM,KAAG,MAElD,CAAC;AAEF;;;;GAIG;AACH,eAAO,MAAM,sBAAsB,QAAO,MAEzC,CAAC;AAEF;;;;;;;GAOG;AACH,eAAO,MAAM,oBAAoB,GAChC,MAAM,SAAS,EACf,YAAY,MAAM,EAClB,YAAY,MAAM,EAClB,YAAY,IAAI,KACd,OAAO,CAAC,IAAI,CAMd,CAAC;AAEF;;;;;GAKG;AACH,eAAO,MAAM,uBAAuB,GACnC,MAAM,SAAS,EACf,YAAY,MAAM,KAChB,OAAO,CAAC,WAAW,GAAG,SAAS,CAKjC,CAAC;AAEF;;;;;;;GAOG;AACH,eAAO,MAAM,mBAAmB,GAAU,MAAM,SAAS,EAAE,YAAY,MAAM,KAAG,OAAO,CAAC,IAAI,CAY3F,CAAC;AAEF;;;;;;;;;GASG;AACH,eAAO,MAAM,qCAAqC,GACjD,MAAM,SAAS,EACf,YAAY,MAAM,KAChB,OAAO,CAAC,IAAI,CAEd,CAAC;AAEF;;;;;;;;;GASG;AACH,eAAO,MAAM,gCAAgC,GAC5C,MAAM,SAAS,EACf,YAAY,MAAM,EAClB,YAAY,MAAM,KAChB,OAAO,CAAC,OAAO,CAMjB,CAAC;AAEF;;;;GAIG;AACH,eAAO,MAAM,oCAAoC,GAChD,MAAM,SAAS,EACf,YAAY,MAAM,KAChB,OAAO,CAAC,MAAM,CAMhB,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,8BAA8B,GAC1C,MAAM,SAAS,EACf,YAAY,MAAM,EAClB,cAAU,KACR,OAAO,CAAC,KAAK,CAAC,WAAW,CAAC,CAK5B,CAAC;AAEF;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,eAAO,MAAM,2BAA2B,GACvC,MAAM,SAAS,EACf,YAAY,MAAM,EAClB,cAAc,MAAM,KAClB,OAAO,CAAC,MAAM,CAYhB,CAAC;AAEF;;;;;;GAMG;AACH,eAAO,MAAM,6BAA6B,GACzC,MAAM,SAAS,EACf,cAAW,KACT,OAAO,CAAC,KAAK,CAAC,WAAW,GAAG;IAAC,QAAQ,EAAE,MAAM,CAAA;CAAC,CAAC,CASjD,CAAC;AAEF;;;;GAIG;AACH,eAAO,MAAM,6BAA6B,GAAU,MAAM,SAAS,KAAG,OAAO,CAAC,MAAM,CAKnF,CAAC;AAEF;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,6BAA6B,GACzC,MAAM,SAAS,EACf,YAAY,MAAM,EAClB,iBAAiB,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,GAAG,SAAS,EACjD,KAAK,MAAM,KACT,OAAO,CAAC,IAAI,CAMd,CAAC"}
1
+ {"version":3,"file":"session_queries.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/session_queries.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAGH,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAGpD,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,qBAAqB,CAAC;AACnD,OAAO,KAAK,EAAC,WAAW,EAAC,MAAM,qBAAqB,CAAC;AAErD,kDAAkD;AAClD,eAAO,MAAM,wBAAwB,QAA2B,CAAC;AAEjE,yEAAyE;AACzE,eAAO,MAAM,gCAAgC,QAAsB,CAAC;AAEpE;;;;;GAKG;AACH,eAAO,MAAM,kBAAkB,GAAI,OAAO,MAAM,KAAG,MAElD,CAAC;AAEF;;;;GAIG;AACH,eAAO,MAAM,sBAAsB,QAAO,MAEzC,CAAC;AAEF;;;;;;;;GAQG;AACH,eAAO,MAAM,oBAAoB,GAChC,MAAM,SAAS,EACf,YAAY,MAAM,EAClB,YAAY,MAAM,EAClB,YAAY,IAAI,KACd,OAAO,CAAC,IAAI,CAMd,CAAC;AAEF;;;;;GAKG;AACH,eAAO,MAAM,uBAAuB,GACnC,MAAM,SAAS,EACf,YAAY,MAAM,KAChB,OAAO,CAAC,WAAW,GAAG,SAAS,CAKjC,CAAC;AAEF;;;;;;;;GAQG;AACH,eAAO,MAAM,mBAAmB,GAAU,MAAM,SAAS,EAAE,YAAY,MAAM,KAAG,OAAO,CAAC,IAAI,CAY3F,CAAC;AAEF;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,qCAAqC,GACjD,MAAM,SAAS,EACf,YAAY,MAAM,KAChB,OAAO,CAAC,IAAI,CAEd,CAAC;AAEF;;;;;;;;;;GAUG;AACH,eAAO,MAAM,gCAAgC,GAC5C,MAAM,SAAS,EACf,YAAY,MAAM,EAClB,YAAY,MAAM,KAChB,OAAO,CAAC,OAAO,CAMjB,CAAC;AAEF;;;;;GAKG;AACH,eAAO,MAAM,oCAAoC,GAChD,MAAM,SAAS,EACf,YAAY,MAAM,KAChB,OAAO,CAAC,MAAM,CAMhB,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,8BAA8B,GAC1C,MAAM,SAAS,EACf,YAAY,MAAM,EAClB,cAAU,KACR,OAAO,CAAC,KAAK,CAAC,WAAW,CAAC,CAK5B,CAAC;AAEF;;;;;;;;;;;;;;;;;;;;;;GAsBG;AACH,eAAO,MAAM,2BAA2B,GACvC,MAAM,SAAS,EACf,YAAY,MAAM,EAClB,cAAc,MAAM,KAClB,OAAO,CAAC,MAAM,CAYhB,CAAC;AAEF;;;;;;GAMG;AACH,eAAO,MAAM,6BAA6B,GACzC,MAAM,SAAS,EACf,cAAW,KACT,OAAO,CAAC,KAAK,CAAC,WAAW,GAAG;IAAC,QAAQ,EAAE,MAAM,CAAA;CAAC,CAAC,CASjD,CAAC;AAEF;;;;;GAKG;AACH,eAAO,MAAM,6BAA6B,GAAU,MAAM,SAAS,KAAG,OAAO,CAAC,MAAM,CAKnF,CAAC;AAEF;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,6BAA6B,GACzC,MAAM,SAAS,EACf,YAAY,MAAM,EAClB,iBAAiB,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,GAAG,SAAS,EACjD,KAAK,MAAM,KACT,OAAO,CAAC,IAAI,CAMd,CAAC"}
package/dist/auth/session_queries.js CHANGED
@@ -36,6 +36,7 @@ export const generate_session_token = () => {
36
36
  * @param token_hash - blake3 hash of the session token (use `hash_session_token`)
37
37
  * @param account_id - the account this session belongs to
38
38
  * @param expires_at - when the session expires
39
+ * @mutates `auth_session` table - inserts a row keyed by `token_hash`
39
40
  */
40
41
  export const query_create_session = async (deps, token_hash, account_id, expires_at) => {
41
42
  await deps.db.query(`INSERT INTO auth_session (id, account_id, expires_at) VALUES ($1, $2, $3)`, [
@@ -60,6 +61,7 @@ export const query_session_get_valid = async (deps, token_hash) => {
60
61
  *
61
62
  * @param deps - query dependencies
62
63
  * @param token_hash - blake3 hash of the session token
64
+ * @mutates `auth_session` row - updates `last_seen_at` and conditionally `expires_at`
63
65
  */
64
66
  export const query_session_touch = async (deps, token_hash) => {
65
67
  const new_expires = new Date(Date.now() + AUTH_SESSION_LIFETIME_MS);
@@ -80,6 +82,8 @@ export const query_session_touch = async (deps, token_hash) => {
80
82
  * caller — see `auth/account_routes.ts` `/logout`). For user-facing revocation
81
83
  * of a specific session by ID, use `query_session_revoke_for_account`
82
84
  * (IDOR-guarded).
85
+ *
86
+ * @mutates `auth_session` table - deletes the row keyed by `token_hash`
83
87
  */
84
88
  export const query_session_revoke_by_hash_unscoped = async (deps, token_hash) => {
85
89
  await deps.db.query(`DELETE FROM auth_session WHERE id = $1`, [token_hash]);
@@ -93,6 +97,7 @@ export const query_session_revoke_by_hash_unscoped = async (deps, token_hash) =>
93
97
  * @param token_hash - blake3 hash of the session token
94
98
  * @param account_id - the account that must own the session
95
99
  * @returns `true` if a session was revoked, `false` if not found or wrong account
100
+ * @mutates `auth_session` table - deletes the row when account ownership matches
96
101
  */
97
102
  export const query_session_revoke_for_account = async (deps, token_hash, account_id) => {
98
103
  const rows = await deps.db.query(`DELETE FROM auth_session WHERE id = $1 AND account_id = $2 RETURNING id`, [token_hash, account_id]);
@@ -102,6 +107,7 @@ export const query_session_revoke_for_account = async (deps, token_hash, account
102
107
  * Revoke all sessions for an account.
103
108
  *
104
109
  * @returns the number of sessions revoked
110
+ * @mutates `auth_session` table - deletes every row for `account_id`
105
111
  */
106
112
  export const query_session_revoke_all_for_account = async (deps, account_id) => {
107
113
  const rows = await deps.db.query(`DELETE FROM auth_session WHERE account_id = $1 RETURNING id`, [account_id]);
@@ -134,6 +140,7 @@ export const query_session_list_for_account = async (deps, account_id, limit = 5
134
140
  * @param account_id - the account to enforce the limit for
135
141
  * @param max_sessions - maximum number of sessions to keep
136
142
  * @returns the number of sessions evicted
143
+ * @mutates `auth_session` table - deletes the oldest rows past the cap
137
144
  */
138
145
  export const query_session_enforce_limit = async (deps, account_id, max_sessions) => {
139
146
  const rows = await deps.db.query(`DELETE FROM auth_session
@@ -163,6 +170,7 @@ export const query_session_list_all_active = async (deps, limit = 200) => {
163
170
  * Delete expired sessions.
164
171
  *
165
172
  * @returns the number of sessions cleaned up
173
+ * @mutates `auth_session` table - deletes every row past `expires_at`
166
174
  */
167
175
  export const query_session_cleanup_expired = async (deps) => {
168
176
  const rows = await deps.db.query(`DELETE FROM auth_session WHERE expires_at <= NOW() RETURNING id`);
@@ -180,6 +188,7 @@ export const query_session_cleanup_expired = async (deps) => {
180
188
  * @param pending_effects - optional array to register the effect for later awaiting
181
189
  * @param log - the logger instance
182
190
  * @returns the settled promise (callers may ignore it — fire-and-forget semantics preserved)
191
+ * @mutates `pending_effects` - pushes the in-flight settled promise when provided
183
192
  */
184
193
  export const session_touch_fire_and_forget = (deps, token_hash, pending_effects, log) => {
185
194
  const p = query_session_touch(deps, token_hash).catch((err) => {
package/dist/cli/config.d.ts CHANGED
@@ -43,6 +43,8 @@ export declare const load_config: <T>(runtime: Pick<FsReadDeps, "stat" | "read_t
43
43
  * @param path - path to the config JSON file
44
44
  * @param dir - directory containing the config file (created if missing)
45
45
  * @param config - configuration to save
46
+ * @mutates filesystem - creates `dir` (recursive) and writes JSON to `path`
47
+ * @throws Error if `mkdir` or `write_text_file` fails
46
48
  */
47
49
  export declare const save_config: <T>(runtime: Pick<FsWriteDeps, "mkdir" | "write_text_file">, path: string, dir: string, config: T) => Promise<void>;
48
50
  //# sourceMappingURL=config.d.ts.map