@fuzdev/fuz_app 0.53.0 → 0.55.0

package/dist/auth/admin_actions.d.ts

@@ -30,7 +30,7 @@
 import { type RpcAction } from '../actions/action_rpc.js';
 import { type RoleSchemaResult } from './role_schema.js';
 import { type AppSettings } from './app_settings_schema.js';
-import type { RouteFactoryDeps } from './deps.js';
+import type { AuditEmitDeps } from './deps.js';
 /** Options for `create_admin_actions`. */
 export interface AdminActionOptions {
     /**
@@ -52,13 +52,14 @@ export interface AdminActionOptions {
 /**
  * Dependencies for `create_admin_actions`.
  *
- * Shares shape with `PermitOfferActionDeps` so consumers can pass the same
- * deps to both factories. `log` drives RPC-internal error logging;
- * `on_audit_event` is wired by the two revoke-all mutations so SSE fan-out
- * mirrors the former REST-route behavior. `audit_log_config` flows from
- * `AppDeps` and is consumed by `audit_log_fire_and_forget`.
+ * Aliases the shared `AuditEmitDeps` (the `log` / `on_audit_event` /
+ * optional `audit_log_config` slice every audit-emitting site picks).
+ * `log` drives RPC-internal error logging; `on_audit_event` is wired by
+ * the two revoke-all mutations so SSE fan-out mirrors the former
+ * REST-route behavior; `audit_log_config` is consumed by
+ * `audit_log_fire_and_forget`.
  */
-export type AdminActionDeps = Pick<RouteFactoryDeps, 'log' | 'on_audit_event' | 'audit_log_config'>;
+export type AdminActionDeps = AuditEmitDeps;
 /**
  * Create the admin-only RPC actions.
  *

package/dist/auth/admin_actions.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"admin_actions.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/admin_actions.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4BG;AAEH,OAAO,EAAiC,KAAK,SAAS,EAAC,MAAM,0BAA0B,CAAC;AAExF,OAAO,EAAuB,KAAK,gBAAgB,EAAC,MAAM,kBAAkB,CAAC;AAuB7E,OAAO,EAAC,KAAK,WAAW,EAAC,MAAM,0BAA0B,CAAC;AAK1D,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,WAAW,CAAC;AA8ChD,0CAA0C;AAC1C,MAAM,WAAW,kBAAkB;IAClC;;;;OAIG;IACH,KAAK,CAAC,EAAE,gBAAgB,CAAC;IACzB;;;;;;;OAOG;IACH,YAAY,CAAC,EAAE,WAAW,CAAC;CAC3B;AAED;;;;;;;;GAQG;AACH,MAAM,MAAM,eAAe,GAAG,IAAI,CAAC,gBAAgB,EAAE,KAAK,GAAG,gBAAgB,GAAG,kBAAkB,CAAC,CAAC;AAEpG;;;;;;;GAOG;AACH,eAAO,MAAM,oBAAoB,GAChC,MAAM,eAAe,EACrB,UAAS,kBAAuB,KAC9B,KAAK,CAAC,SAAS,CAmSjB,CAAC"}
+{"version":3,"file":"admin_actions.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/admin_actions.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4BG;AAEH,OAAO,EAA4C,KAAK,SAAS,EAAC,MAAM,0BAA0B,CAAC;AAEnG,OAAO,EAAuB,KAAK,gBAAgB,EAAC,MAAM,kBAAkB,CAAC;AAuB7E,OAAO,EAAC,KAAK,WAAW,EAAC,MAAM,0BAA0B,CAAC;AAK1D,OAAO,KAAK,EAAC,aAAa,EAAC,MAAM,WAAW,CAAC;AA8C7C,0CAA0C;AAC1C,MAAM,WAAW,kBAAkB;IAClC;;;;OAIG;IACH,KAAK,CAAC,EAAE,gBAAgB,CAAC;IACzB;;;;;;;OAOG;IACH,YAAY,CAAC,EAAE,WAAW,CAAC;CAC3B;AAED;;;;;;;;;GASG;AACH,MAAM,MAAM,eAAe,GAAG,aAAa,CAAC;AAE5C;;;;;;;GAOG;AACH,eAAO,MAAM,oBAAoB,GAChC,MAAM,eAAe,EACrB,UAAS,kBAAuB,KAC9B,KAAK,CAAC,SAAS,CA4RjB,CAAC"}

package/dist/auth/admin_actions.js

@@ -27,7 +27,7 @@
  *
  * @module
  */
-import { rpc_action } from '../actions/action_rpc.js';
+import { rpc_actor_action } from '../actions/action_rpc.js';
 import { jsonrpc_errors } from '../http/jsonrpc_errors.js';
 import { BUILTIN_ROLE_OPTIONS } from './role_schema.js';
 import { query_account_by_email, query_account_by_id, query_account_by_username, query_admin_account_list, } from './account_queries.js';
@@ -71,7 +71,6 @@ export const create_admin_actions = (deps, options = {}) => {
             void audit_log_fire_and_forget(ctx, {
                 event_type: 'session_revoke_all',
                 outcome: 'failure',
-                actor_id: auth.actor.id,
                 account_id: auth.account.id,
                 // `target_account_id` is null: the FK to `account` would reject
                 // a probe for a non-existent id. The probed value is preserved
@@ -88,7 +87,6 @@ export const create_admin_actions = (deps, options = {}) => {
         const count = await query_session_revoke_all_for_account(ctx, input.account_id);
         void audit_log_fire_and_forget(ctx, {
             event_type: 'session_revoke_all',
-            actor_id: auth.actor.id,
             account_id: auth.account.id,
             target_account_id: input.account_id,
             ip: ctx.client_ip,
@@ -103,7 +101,6 @@ export const create_admin_actions = (deps, options = {}) => {
             void audit_log_fire_and_forget(ctx, {
                 event_type: 'token_revoke_all',
                 outcome: 'failure',
-                actor_id: auth.actor.id,
                 account_id: auth.account.id,
                 // See `session_revoke_all_handler` — FK forces null here; the
                 // probed id lives under `metadata.attempted_account_id`.
@@ -119,7 +116,6 @@ export const create_admin_actions = (deps, options = {}) => {
         const count = await query_revoke_all_api_tokens_for_account(ctx, input.account_id);
         void audit_log_fire_and_forget(ctx, {
             event_type: 'token_revoke_all',
-            actor_id: auth.actor.id,
             account_id: auth.account.id,
             target_account_id: input.account_id,
             ip: ctx.client_ip,
@@ -185,7 +181,6 @@ export const create_admin_actions = (deps, options = {}) => {
         }
         void audit_log_fire_and_forget(ctx, {
             event_type: 'invite_create',
-            actor_id: auth.actor.id,
             account_id: auth.account.id,
             ip: ctx.client_ip,
             metadata: { invite_id: invite.id, email, username },
@@ -204,7 +199,6 @@ export const create_admin_actions = (deps, options = {}) => {
         }
         void audit_log_fire_and_forget(ctx, {
             event_type: 'invite_delete',
-            actor_id: auth.actor.id,
             account_id: auth.account.id,
             ip: ctx.client_ip,
             metadata: { invite_id: input.invite_id },
@@ -212,15 +206,15 @@ export const create_admin_actions = (deps, options = {}) => {
         return { ok: true };
     };
     const actions = [
-        rpc_action(admin_account_list_action_spec, account_list_handler),
-        rpc_action(admin_session_list_action_spec, session_list_handler),
-        rpc_action(admin_session_revoke_all_action_spec, session_revoke_all_handler),
-        rpc_action(admin_token_revoke_all_action_spec, token_revoke_all_handler),
-        rpc_action(audit_log_list_action_spec, audit_log_list_handler),
-        rpc_action(audit_log_permit_history_action_spec, audit_log_permit_history_handler),
-        rpc_action(invite_create_action_spec, invite_create_handler),
-        rpc_action(invite_list_action_spec, invite_list_handler),
-        rpc_action(invite_delete_action_spec, invite_delete_handler),
+        rpc_actor_action(admin_account_list_action_spec, account_list_handler),
+        rpc_actor_action(admin_session_list_action_spec, session_list_handler),
+        rpc_actor_action(admin_session_revoke_all_action_spec, session_revoke_all_handler),
+        rpc_actor_action(admin_token_revoke_all_action_spec, token_revoke_all_handler),
+        rpc_actor_action(audit_log_list_action_spec, audit_log_list_handler),
+        rpc_actor_action(audit_log_permit_history_action_spec, audit_log_permit_history_handler),
+        rpc_actor_action(invite_create_action_spec, invite_create_handler),
+        rpc_actor_action(invite_list_action_spec, invite_list_handler),
+        rpc_actor_action(invite_delete_action_spec, invite_delete_handler),
     ];
     const { app_settings } = options;
     if (app_settings) {
@@ -239,7 +233,6 @@ export const create_admin_actions = (deps, options = {}) => {
             app_settings.updated_by = updated.updated_by;
             void audit_log_fire_and_forget(ctx, {
                 event_type: 'app_settings_update',
-                actor_id: auth.actor.id,
                 account_id: auth.account.id,
                 ip: ctx.client_ip,
                 metadata: {
@@ -251,7 +244,7 @@ export const create_admin_actions = (deps, options = {}) => {
             const settings = await query_app_settings_load_with_username(ctx);
             return { ok: true, settings };
         };
-        actions.push(rpc_action(app_settings_get_action_spec, app_settings_get_handler), rpc_action(app_settings_update_action_spec, app_settings_update_handler));
+        actions.push(rpc_actor_action(app_settings_get_action_spec, app_settings_get_handler), rpc_actor_action(app_settings_update_action_spec, app_settings_update_handler));
     }
     return actions;
 };

package/dist/auth/audit_log_queries.d.ts

@@ -13,7 +13,9 @@
  */
 import type { QueryDeps } from '../db/query_deps.js';
 import type { RouteContext } from '../http/route_spec.js';
-import type { AppDeps } from './deps.js';
+import type { Uuid } from '@fuzdev/fuz_util/id.js';
+import type { AuditEmitDeps } from './deps.js';
+import type { RequestActorContext } from './request_context.js';
 import { type AuditLogConfig, type AuditLogEvent, type AuditLogInput, type AuditLogListOptions, type AuditLogEventWithUsernamesJson, type PermitHistoryEventJson } from './audit_log_schema.js';
 /** Number of audit metadata validation failures observed since process start. */
 export declare const get_audit_metadata_validation_failures: () => number;
@@ -82,18 +84,6 @@ export declare const query_audit_log_list_permit_history: (deps: QueryDeps, limi
  * @mutates `audit_log` table - deletes every row with `created_at < before`
  */
 export declare const query_audit_log_cleanup_before: (deps: QueryDeps, before: Date) => Promise<number>;
-/**
- * Capabilities required by `audit_log_fire_and_forget`.
- *
- * Defined as a slice of `AppDeps` so call sites can pass the surrounding deps
- * bundle directly without a structural-compatibility coincidence. The bundled
- * shape replaces the prior `(log, on_audit_event, config?)` positional args
- * — consumers that forgot the trailing `config` would silently fall back to
- * `BUILTIN_AUDIT_LOG_CONFIG` and skip metadata validation for their own
- * event types. `audit_log_config` is optional on `AppDeps` and defaults to
- * `BUILTIN_AUDIT_LOG_CONFIG` inside `audit_log_fire_and_forget` when absent.
- */
-export type AuditLogFireAndForgetDeps = Pick<AppDeps, 'log' | 'on_audit_event' | 'audit_log_config'>;
 /**
  * Log an audit event without blocking the caller.
  *
@@ -101,6 +91,13 @@ export type AuditLogFireAndForgetDeps = Pick<AppDeps, 'log' | 'on_audit_event' |
  * `background_db` so entries persist even when the request transaction
  * rolls back. Write and `on_audit_event` callback failures are logged separately.
  *
+ * `deps` is the shared `AuditEmitDeps` bundle (`log`, `on_audit_event`,
+ * optional `audit_log_config`) so call sites pass the surrounding deps
+ * object directly. The bundled shape replaces the prior `(log,
+ * on_audit_event, config?)` positional args — consumers that forgot the
+ * trailing `config` would silently fall back to `BUILTIN_AUDIT_LOG_CONFIG`
+ * and skip metadata validation for their own event types.
+ *
  * @param route - `background_db` and `pending_effects` from the route context
  * @param input - the audit event to record
  * @param deps - logger, `on_audit_event` callback, and optional `audit_log_config`
@@ -108,5 +105,47 @@ export type AuditLogFireAndForgetDeps = Pick<AppDeps, 'log' | 'on_audit_event' |
  * @mutates `audit_log` table - inserts a row via `background_db` (independent of the request transaction)
  * @mutates `route.pending_effects` - pushes the in-flight settled promise for test flushing
  */
-export declare const audit_log_fire_and_forget: <T extends string>(route: Pick<RouteContext, "background_db" | "pending_effects">, input: AuditLogInput<T>, deps: AuditLogFireAndForgetDeps) => Promise<void>;
+export declare const audit_log_fire_and_forget: <T extends string>(route: Pick<RouteContext, "background_db" | "pending_effects">, input: AuditLogInput<T>, deps: AuditEmitDeps) => Promise<void>;
+/**
+ * Per-request context required by `emit_permit_target_event` —
+ * `RouteContext` plus the resolved `client_ip` (lives on `ActionContext`
+ * for RPC handlers and on the route's Hono context for REST). Declared
+ * locally rather than reaching into `actions/action_rpc.ts` so the helper
+ * stays usable from REST handlers that haven't promoted to RPC yet.
+ */
+export type EmitPermitTargetEventContext = Pick<RouteContext, 'background_db' | 'pending_effects'> & {
+    client_ip: string;
+};
+/**
+ * Stamp a permit-shape audit event with both `target_account_id` (drives
+ * SSE/WS socket-close — sessions are account-grain) and `target_actor_id`
+ * (the actor-grain forensic field). Both target fields nullable so emit
+ * sites without a recipient binding (e.g. `permit_revoke` on a missing
+ * account, offer-shape events with no `to_actor_id`) can call through
+ * uniformly.
+ *
+ * Lifts the six-site `{actor_id: auth.actor.id, account_id: auth.account.id,
+ * ip: ctx.client_ip, ...}` boilerplate around `audit_log_fire_and_forget`
+ * so callers thread auth + ctx + deps once and the event metadata once,
+ * without re-derivable plumbing.
+ *
+ * Outcome defaults to `'success'`; pass `'failure'` for denial-shape
+ * events. Other audit envelope shapes (target_*-by-actor-id-only events,
+ * non-permit-shape events) should call `audit_log_fire_and_forget`
+ * directly — this helper deliberately narrows to the permit-target shape.
+ *
+ * @param ctx - request context with `background_db`, `pending_effects`, `client_ip`
+ * @param auth - the resolved `RequestActorContext` for the current handler — actor invariant captured in the type so the helper stops needing `auth.actor!`
+ * @param deps - `log`, `on_audit_event`, optional `audit_log_config`
+ * @param input - event type, target columns, metadata, optional outcome
+ * @returns the settled promise (callers may ignore it)
+ * @mutates `audit_log` table - inserts a row via `background_db`
+ */
+export declare const emit_permit_target_event: <T extends string>(ctx: EmitPermitTargetEventContext, auth: RequestActorContext, deps: AuditEmitDeps, input: {
+    event_type: T;
+    target_account_id: Uuid | null;
+    target_actor_id: Uuid | null;
+    metadata: AuditLogInput<T>["metadata"];
+    outcome?: "success" | "failure";
+}) => Promise<void>;
 //# sourceMappingURL=audit_log_queries.d.ts.map

package/dist/auth/audit_log_queries.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"audit_log_queries.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/audit_log_queries.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,qBAAqB,CAAC;AAEnD,OAAO,KAAK,EAAC,YAAY,EAAC,MAAM,uBAAuB,CAAC;AACxD,OAAO,KAAK,EAAC,OAAO,EAAC,MAAM,WAAW,CAAC;AACvC,OAAO,EAGN,KAAK,cAAc,EACnB,KAAK,aAAa,EAClB,KAAK,aAAa,EAClB,KAAK,mBAAmB,EACxB,KAAK,8BAA8B,EACnC,KAAK,sBAAsB,EAC3B,MAAM,uBAAuB,CAAC;AAa/B,iFAAiF;AACjF,eAAO,MAAM,sCAAsC,QAAO,MACvB,CAAC;AAEpC,0CAA0C;AAC1C,eAAO,MAAM,wCAAwC,QAAO,IAE3D,CAAC;AAYF,gFAAgF;AAChF,eAAO,MAAM,qCAAqC,QAAO,MACvB,CAAC;AAEnC,0CAA0C;AAC1C,eAAO,MAAM,uCAAuC,QAAO,IAE1D,CAAC;AAEF;;;;;;;;;;;;;;;GAeG;AACH,eAAO,MAAM,eAAe,GAAU,CAAC,SAAS,MAAM,EACrD,MAAM,SAAS,EACf,OAAO,aAAa,CAAC,CAAC,CAAC,EACvB,SAAQ,cAAyC,KAC/C,OAAO,CAAC,aAAa,CAmCvB,CAAC;AAEF;;;;;;GAMG;AACH,eAAO,MAAM,oBAAoB,GAChC,MAAM,SAAS,EACf,UAAU,mBAAmB,KAC3B,OAAO,CAAC,KAAK,CAAC,aAAa,CAAC,CAwC9B,CAAC;AAEF;;;;;;GAMG;AACH,eAAO,MAAM,mCAAmC,GAC/C,MAAM,SAAS,EACf,UAAU,mBAAmB,KAC3B,OAAO,CAAC,KAAK,CAAC,8BAA8B,CAAC,CA8C/C,CAAC;AAEF;;;;;;GAMG;AACH,eAAO,MAAM,gCAAgC,GAC5C,MAAM,SAAS,EACf,YAAY,MAAM,EAClB,cAA+B,KAC7B,OAAO,CAAC,KAAK,CAAC,aAAa,CAAC,CAO9B,CAAC;AAEF;;;;;;;GAOG;AACH,eAAO,MAAM,mCAAmC,GAC/C,MAAM,SAAS,EACf,cAA+B,EAC/B,eAAU,KACR,OAAO,CAAC,KAAK,CAAC,sBAAsB,CAAC,CAYvC,CAAC;AAEF;;;;;;;GAOG;AACH,eAAO,MAAM,8BAA8B,GAC1C,MAAM,SAAS,EACf,QAAQ,IAAI,KACV,OAAO,CAAC,MAAM,CAMhB,CAAC;AAEF;;;;;;;;;;GAUG;AACH,MAAM,MAAM,yBAAyB,GAAG,IAAI,CAC3C,OAAO,EACP,KAAK,GAAG,gBAAgB,GAAG,kBAAkB,CAC7C,CAAC;AAEF;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,yBAAyB,GAAI,CAAC,SAAS,MAAM,EACzD,OAAO,IAAI,CAAC,YAAY,EAAE,eAAe,GAAG,iBAAiB,CAAC,EAC9D,OAAO,aAAa,CAAC,CAAC,CAAC,EACvB,MAAM,yBAAyB,KAC7B,OAAO,CAAC,IAAI,CAed,CAAC"}
+{"version":3,"file":"audit_log_queries.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/audit_log_queries.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,qBAAqB,CAAC;AAEnD,OAAO,KAAK,EAAC,YAAY,EAAC,MAAM,uBAAuB,CAAC;AACxD,OAAO,KAAK,EAAC,IAAI,EAAC,MAAM,wBAAwB,CAAC;AACjD,OAAO,KAAK,EAAC,aAAa,EAAC,MAAM,WAAW,CAAC;AAC7C,OAAO,KAAK,EAAC,mBAAmB,EAAC,MAAM,sBAAsB,CAAC;AAC9D,OAAO,EAGN,KAAK,cAAc,EACnB,KAAK,aAAa,EAClB,KAAK,aAAa,EAClB,KAAK,mBAAmB,EACxB,KAAK,8BAA8B,EACnC,KAAK,sBAAsB,EAC3B,MAAM,uBAAuB,CAAC;AAa/B,iFAAiF;AACjF,eAAO,MAAM,sCAAsC,QAAO,MACvB,CAAC;AAEpC,0CAA0C;AAC1C,eAAO,MAAM,wCAAwC,QAAO,IAE3D,CAAC;AAYF,gFAAgF;AAChF,eAAO,MAAM,qCAAqC,QAAO,MACvB,CAAC;AAEnC,0CAA0C;AAC1C,eAAO,MAAM,uCAAuC,QAAO,IAE1D,CAAC;AAEF;;;;;;;;;;;;;;;GAeG;AACH,eAAO,MAAM,eAAe,GAAU,CAAC,SAAS,MAAM,EACrD,MAAM,SAAS,EACf,OAAO,aAAa,CAAC,CAAC,CAAC,EACvB,SAAQ,cAAyC,KAC/C,OAAO,CAAC,aAAa,CAoCvB,CAAC;AAEF;;;;;;GAMG;AACH,eAAO,MAAM,oBAAoB,GAChC,MAAM,SAAS,EACf,UAAU,mBAAmB,KAC3B,OAAO,CAAC,KAAK,CAAC,aAAa,CAAC,CAwC9B,CAAC;AAEF;;;;;;GAMG;AACH,eAAO,MAAM,mCAAmC,GAC/C,MAAM,SAAS,EACf,UAAU,mBAAmB,KAC3B,OAAO,CAAC,KAAK,CAAC,8BAA8B,CAAC,CA8C/C,CAAC;AAEF;;;;;;GAMG;AACH,eAAO,MAAM,gCAAgC,GAC5C,MAAM,SAAS,EACf,YAAY,MAAM,EAClB,cAA+B,KAC7B,OAAO,CAAC,KAAK,CAAC,aAAa,CAAC,CAO9B,CAAC;AAEF;;;;;;;GAOG;AACH,eAAO,MAAM,mCAAmC,GAC/C,MAAM,SAAS,EACf,cAA+B,EAC/B,eAAU,KACR,OAAO,CAAC,KAAK,CAAC,sBAAsB,CAAC,CAYvC,CAAC;AAEF;;;;;;;GAOG;AACH,eAAO,MAAM,8BAA8B,GAC1C,MAAM,SAAS,EACf,QAAQ,IAAI,KACV,OAAO,CAAC,MAAM,CAMhB,CAAC;AAEF;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,eAAO,MAAM,yBAAyB,GAAI,CAAC,SAAS,MAAM,EACzD,OAAO,IAAI,CAAC,YAAY,EAAE,eAAe,GAAG,iBAAiB,CAAC,EAC9D,OAAO,aAAa,CAAC,CAAC,CAAC,EACvB,MAAM,aAAa,KACjB,OAAO,CAAC,IAAI,CAed,CAAC;AAEF;;;;;;GAMG;AACH,MAAM,MAAM,4BAA4B,GAAG,IAAI,CAC9C,YAAY,EACZ,eAAe,GAAG,iBAAiB,CACnC,GAAG;IACH,SAAS,EAAE,MAAM,CAAC;CAClB,CAAC;AAEF;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,eAAO,MAAM,wBAAwB,GAAI,CAAC,SAAS,MAAM,EACxD,KAAK,4BAA4B,EACjC,MAAM,mBAAmB,EACzB,MAAM,aAAa,EACnB,OAAO;IACN,UAAU,EAAE,CAAC,CAAC;IACd,iBAAiB,EAAE,IAAI,GAAG,IAAI,CAAC;IAC/B,eAAe,EAAE,IAAI,GAAG,IAAI,CAAC;IAC7B,QAAQ,EAAE,aAAa,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC;IACvC,OAAO,CAAC,EAAE,SAAS,GAAG,SAAS,CAAC;CAChC,KACC,OAAO,CAAC,IAAI,CAcb,CAAC"}

package/dist/auth/audit_log_queries.js

@@ -75,14 +75,15 @@ export const query_audit_log = async (deps, input, config = BUILTIN_AUDIT_LOG_CO
             }
         }
     }
-    const rows = await deps.db.query(`INSERT INTO audit_log (event_type, outcome, actor_id, account_id, target_account_id, ip, metadata)
-		 VALUES ($1, $2, $3, $4, $5, $6, $7)
+    const rows = await deps.db.query(`INSERT INTO audit_log (event_type, outcome, actor_id, account_id, target_account_id, target_actor_id, ip, metadata)
+		 VALUES ($1, $2, $3, $4, $5, $6, $7, $8)
 		 RETURNING *`, [
         input.event_type,
         input.outcome ?? 'success',
         input.actor_id ?? null,
         input.account_id ?? null,
         input.target_account_id ?? null,
+        input.target_actor_id ?? null,
         input.ip ?? null,
         input.metadata ? JSON.stringify(input.metadata) : null,
     ]);
@@ -219,6 +220,13 @@ export const query_audit_log_cleanup_before = async (deps, before) => {
  * `background_db` so entries persist even when the request transaction
  * rolls back. Write and `on_audit_event` callback failures are logged separately.
  *
+ * `deps` is the shared `AuditEmitDeps` bundle (`log`, `on_audit_event`,
+ * optional `audit_log_config`) so call sites pass the surrounding deps
+ * object directly. The bundled shape replaces the prior `(log,
+ * on_audit_event, config?)` positional args — consumers that forgot the
+ * trailing `config` would silently fall back to `BUILTIN_AUDIT_LOG_CONFIG`
+ * and skip metadata validation for their own event types.
+ *
  * @param route - `background_db` and `pending_effects` from the route context
  * @param input - the audit event to record
  * @param deps - logger, `on_audit_event` callback, and optional `audit_log_config`
@@ -243,3 +251,38 @@ export const audit_log_fire_and_forget = (route, input, deps) => {
     route.pending_effects.push(p);
     return p;
 };
+/**
+ * Stamp a permit-shape audit event with both `target_account_id` (drives
+ * SSE/WS socket-close — sessions are account-grain) and `target_actor_id`
+ * (the actor-grain forensic field). Both target fields nullable so emit
+ * sites without a recipient binding (e.g. `permit_revoke` on a missing
+ * account, offer-shape events with no `to_actor_id`) can call through
+ * uniformly.
+ *
+ * Lifts the six-site `{actor_id: auth.actor.id, account_id: auth.account.id,
+ * ip: ctx.client_ip, ...}` boilerplate around `audit_log_fire_and_forget`
+ * so callers thread auth + ctx + deps once and the event metadata once,
+ * without re-derivable plumbing.
+ *
+ * Outcome defaults to `'success'`; pass `'failure'` for denial-shape
+ * events. Other audit envelope shapes (target_*-by-actor-id-only events,
+ * non-permit-shape events) should call `audit_log_fire_and_forget`
+ * directly — this helper deliberately narrows to the permit-target shape.
+ *
+ * @param ctx - request context with `background_db`, `pending_effects`, `client_ip`
+ * @param auth - the resolved `RequestActorContext` for the current handler — actor invariant captured in the type so the helper stops needing `auth.actor!`
+ * @param deps - `log`, `on_audit_event`, optional `audit_log_config`
+ * @param input - event type, target columns, metadata, optional outcome
+ * @returns the settled promise (callers may ignore it)
+ * @mutates `audit_log` table - inserts a row via `background_db`
+ */
+export const emit_permit_target_event = (ctx, auth, deps, input) => audit_log_fire_and_forget(ctx, {
+    event_type: input.event_type,
+    actor_id: auth.actor.id,
+    account_id: auth.account.id,
+    outcome: input.outcome,
+    target_account_id: input.target_account_id,
+    target_actor_id: input.target_actor_id,
+    ip: ctx.client_ip,
+    metadata: input.metadata,
+}, deps);

package/dist/auth/audit_log_schema.d.ts

@@ -175,9 +175,59 @@ export interface AuditLogEvent {
     seq: number;
     event_type: AuditEventTypeName;
     outcome: AuditOutcome;
+    /**
+     * Operator (the actor that initiated the event) — populated when the
+     * request resolved an acting actor.
+     *
+     * Resolution is driven per-request by the route-spec wrapper / RPC
+     * dispatcher; a route gets an acting actor when its input schema
+     * declares `acting?: ActingActor` or its auth requires permits
+     * (`role` / `keeper`). Account-grain operations declare neither,
+     * so no actor is resolved and `actor_id` is null: login (also
+     * pre-credential), logout, signup, bootstrap, password_change,
+     * session/token revoke, app_settings_update, invite events.
+     * Permit events, admin actions, and actor-targeted offers
+     * populate this with the initiator's actor.
+     */
     actor_id: Uuid | null;
     account_id: Uuid | null;
     target_account_id: Uuid | null;
+    /**
+     * Actor-grain target — populated when the event subject is bound to
+     * a specific actor.
+     *
+     * Concretely:
+     * - Always populated: `permit_revoke` and `permit_grant`
+     *   (admin direct-grant, self-service toggle, and in-tx
+     *   `permit_offer_accept` all populate both target columns — the
+     *   permit's grantee is the actor-grain subject regardless of who
+     *   initiated the grant), `permit_offer_accept` on accept (the
+     *   accept binds the actor deterministically), `permit_offer_decline`
+     *   (the grantor actor — decline is *to* the offering actor).
+     * - Conditionally populated: offer-shape events
+     *   (`permit_offer_create`, `_expire`, `_retract`, `_supersede`)
+     *   carry the actor when the offer was actor-targeted at create time
+     *   (`permit_offer.to_actor_id` set), null when the offer was
+     *   account-grain (any actor on `to_account_id` may accept).
+     * - Not populated: admin actions, account-shape events (login,
+     *   logout, signup, bootstrap, password_change, session/token
+     *   revoke, app_settings_update, invite events) — subject is the
+     *   account or no specific resource, not an actor-bound permit.
+     * - Not populated: events whose principal isn't an actor-bound
+     *   resource (e.g. consumer events that name a non-actor scope in
+     *   metadata).
+     *
+     * Multi-actor invariants this column relies on: when both
+     * `target_actor_id` and `target_account_id` are populated they refer
+     * to the same account (`actor.account_id`-derivable). The invariant
+     * holds uniformly across every populated event including decline
+     * (the grantor's account is joined into the decline RETURNING) and
+     * the supersede cascade (the recipient account is known on
+     * `permit_offer.to_account_id`). `target_account_id` stays the
+     * SSE/WS socket-close key because sessions remain account-grain
+     * after multi-actor lands.
+     */
+    target_actor_id: Uuid | null;
     ip: string | null;
     created_at: string;
     metadata: Record<string, unknown> | null;
@@ -197,6 +247,7 @@ export interface AuditLogInput<T extends string = AuditEventType> {
     actor_id?: Uuid | null;
     account_id?: Uuid | null;
     target_account_id?: Uuid | null;
+    target_actor_id?: Uuid | null;
     ip?: string | null;
     /**
      * Per-event-type metadata. Builtin `T` narrows to `AuditMetadataMap[T]`;
@@ -298,6 +349,7 @@ export declare const AuditLogEventJson: z.ZodObject<{
     actor_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
     account_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
     target_account_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+    target_actor_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
     ip: z.ZodNullable<z.ZodString>;
     created_at: z.ZodString;
     metadata: z.ZodNullable<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
@@ -315,6 +367,7 @@ export declare const AuditLogEventWithUsernamesJson: z.ZodObject<{
     actor_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
     account_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
     target_account_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+    target_actor_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
     ip: z.ZodNullable<z.ZodString>;
     created_at: z.ZodString;
     metadata: z.ZodNullable<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
@@ -334,6 +387,7 @@ export declare const PermitHistoryEventJson: z.ZodObject<{
     actor_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
     account_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
     target_account_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+    target_actor_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
     ip: z.ZodNullable<z.ZodString>;
     created_at: z.ZodString;
     metadata: z.ZodNullable<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
@@ -351,6 +405,6 @@ export declare const AdminSessionJson: z.ZodObject<{
     username: z.ZodString;
 }, z.core.$strict>;
 export type AdminSessionJson = z.infer<typeof AdminSessionJson>;
-export declare const AUDIT_LOG_SCHEMA = "\nCREATE TABLE IF NOT EXISTS audit_log (\n  id UUID PRIMARY KEY DEFAULT gen_random_uuid(),\n  seq SERIAL NOT NULL,\n  event_type TEXT NOT NULL,\n  outcome TEXT NOT NULL DEFAULT 'success',\n  actor_id UUID REFERENCES actor(id) ON DELETE SET NULL,\n  account_id UUID REFERENCES account(id) ON DELETE SET NULL,\n  target_account_id UUID REFERENCES account(id) ON DELETE SET NULL,\n  ip TEXT,\n  created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),\n  metadata JSONB\n)";
+export declare const AUDIT_LOG_SCHEMA = "\nCREATE TABLE IF NOT EXISTS audit_log (\n  id UUID PRIMARY KEY DEFAULT gen_random_uuid(),\n  seq SERIAL NOT NULL,\n  event_type TEXT NOT NULL,\n  outcome TEXT NOT NULL DEFAULT 'success',\n  actor_id UUID REFERENCES actor(id) ON DELETE SET NULL,\n  account_id UUID REFERENCES account(id) ON DELETE SET NULL,\n  target_account_id UUID REFERENCES account(id) ON DELETE SET NULL,\n  target_actor_id UUID REFERENCES actor(id) ON DELETE SET NULL,\n  ip TEXT,\n  created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),\n  metadata JSONB\n)";
 export declare const AUDIT_LOG_INDEXES: string[];
 //# sourceMappingURL=audit_log_schema.d.ts.map

package/dist/auth/audit_log_schema.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"audit_log_schema.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/audit_log_schema.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AACtB,OAAO,EAAC,IAAI,EAAC,MAAM,wBAAwB,CAAC;AAI5C;;;;;GAKG;AACH,eAAO,MAAM,iBAAiB,6YAsBnB,CAAC;AAEZ,wCAAwC;AACxC,eAAO,MAAM,cAAc;;;;;;;;;;;;;;;;;;;;;;EAA4B,CAAC;AACxD,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,cAAc,CAAC,CAAC;AAE5D;;;;GAIG;AACH,eAAO,MAAM,2BAA2B,QAA+B,CAAC;AAExE,0DAA0D;AAC1D,eAAO,MAAM,kBAAkB,aAE7B,CAAC;AACH,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAEpE,2CAA2C;AAC3C,eAAO,MAAM,YAAY;;;EAAiC,CAAC;AAC3D,MAAM,MAAM,YAAY,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,YAAY,CAAC,CAAC;AAExD;;;;;;GAMG;AACH,eAAO,MAAM,sBAAsB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EA2LW,CAAC;AAE/C,+EAA+E;AAC/E,MAAM,MAAM,gBAAgB,GAAG;KAC7B,CAAC,IAAI,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,OAAO,sBAAsB,CAAC,CAAC,CAAC,CAAC,CAAC;CAClE,CAAC;AAEF,oGAAoG;AACpG,MAAM,WAAW,aAAa;IAC7B,EAAE,EAAE,IAAI,CAAC;IACT,GAAG,EAAE,MAAM,CAAC;IACZ,UAAU,EAAE,kBAAkB,CAAC;IAC/B,OAAO,EAAE,YAAY,CAAC;IACtB,QAAQ,EAAE,IAAI,GAAG,IAAI,CAAC;IACtB,UAAU,EAAE,IAAI,GAAG,IAAI,CAAC;IACxB,iBAAiB,EAAE,IAAI,GAAG,IAAI,CAAC;IAC/B,EAAE,EAAE,MAAM,GAAG,IAAI,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC;CACzC;AAED;;;;GAIG;AACH,eAAO,MAAM,kBAAkB,GAAI,CAAC,SAAS,cAAc,EAC1D,OAAO,aAAa,GAAG;IAAC,UAAU,EAAE,CAAC,CAAA;CAAC,KACpC,gBAAgB,CAAC,CAAC,CAAC,GAAG,IAExB,CAAC;AAEF,6CAA6C;AAC7C,MAAM,WAAW,aAAa,CAAC,CAAC,SAAS,MAAM,GAAG,cAAc;IAC/D,UAAU,EAAE,CAAC,CAAC;IACd,OAAO,CAAC,EAAE,YAAY,CAAC;IACvB,QAAQ,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;IACvB,UAAU,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;IACzB,iBAAiB,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;IAChC,EAAE,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACnB;;;;OAIG;IACH,QAAQ,CAAC,EAAE,CAAC,SAAS,cAAc,GAChC,CAAC,gBAAgB,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,GAAG,IAAI,GACtD,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC;CAClC;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,WAAW,cAAc;IAC9B,iFAAiF;IACjF,QAAQ,CAAC,WAAW,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IAC5C;;;OAGG;IACH,QAAQ,CAAC,gBAAgB,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC;CAC/D;AAED,4FAA4F;AAC5F,eAAO,MAAM,wBAAwB,EAAE,cAGrC,CAAC;AAEH,6CAA6C;AAC7C,MAAM,WAAW,2BAA2B;IAC3C;;;;;;;;OAQG;IACH,YAAY,CAAC,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,GAAG,IAAI,CAAC,CAAC,CAAC;CAC1D;AAED;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,uBAAuB,GAAI,UAAU,2BAA2B,KAAG,cA2B/E,CAAC;AAEF,gDAAgD;AAChD,eAAO,MAAM,uBAAuB,KAAK,CAAC;AAE1C,6CAA6C;AAC7C,MAAM,WAAW,mBAAmB;IACnC,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB;;;;OAIG;IACH,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,aAAa,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IAC9B,UAAU,CAAC,EAAE,IAAI,CAAC;IAClB,OAAO,CAAC,EAAE,YAAY,CAAC;IACvB,0GAA0G;IAC1G,SAAS,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;;;;;;;;GASG;AACH,eAAO,MAAM,iBAAiB;;;;;;;;;;;;;;kBAW5B,CAAC;AACH,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAC;AAElE,+DAA+D;AAC/D,eAAO,MAAM,8BAA8B;;;;;;;;;;;;;;;;kBAGzC,CAAC;AACH,MAAM,MAAM,8BAA8B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,8BAA8B,CAAC,CAAC;AAE5F,oEAAoE;AACpE,eAAO,MAAM,sBAAsB;;;;;;;;;;;;;;;;kBAGjC,CAAC;AACH,MAAM,MAAM,sBAAsB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAC;AAE5E,iEAAiE;AACjE,eAAO,MAAM,gBAAgB;;;;;;;kBAE3B,CAAC;AACH,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC;AAIhE,eAAO,MAAM,gBAAgB,gdAY3B,CAAC;AAEH,eAAO,MAAM,iBAAiB,UAK7B,CAAC"}
+{"version":3,"file":"audit_log_schema.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/audit_log_schema.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AACtB,OAAO,EAAC,IAAI,EAAC,MAAM,wBAAwB,CAAC;AAM5C;;;;;GAKG;AACH,eAAO,MAAM,iBAAiB,6YAsBnB,CAAC;AAEZ,wCAAwC;AACxC,eAAO,MAAM,cAAc;;;;;;;;;;;;;;;;;;;;;;EAA4B,CAAC;AACxD,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,cAAc,CAAC,CAAC;AAE5D;;;;GAIG;AACH,eAAO,MAAM,2BAA2B,QAA+B,CAAC;AAExE,0DAA0D;AAC1D,eAAO,MAAM,kBAAkB,aAE7B,CAAC;AACH,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAEpE,2CAA2C;AAC3C,eAAO,MAAM,YAAY;;;EAAiC,CAAC;AAC3D,MAAM,MAAM,YAAY,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,YAAY,CAAC,CAAC;AAExD;;;;;;GAMG;AACH,eAAO,MAAM,sBAAsB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EA2LW,CAAC;AAE/C,+EAA+E;AAC/E,MAAM,MAAM,gBAAgB,GAAG;KAC7B,CAAC,IAAI,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,OAAO,sBAAsB,CAAC,CAAC,CAAC,CAAC,CAAC;CAClE,CAAC;AAEF,oGAAoG;AACpG,MAAM,WAAW,aAAa;IAC7B,EAAE,EAAE,IAAI,CAAC;IACT,GAAG,EAAE,MAAM,CAAC;IACZ,UAAU,EAAE,kBAAkB,CAAC;IAC/B,OAAO,EAAE,YAAY,CAAC;IACtB;;;;;;;;;;;;;OAaG;IACH,QAAQ,EAAE,IAAI,GAAG,IAAI,CAAC;IACtB,UAAU,EAAE,IAAI,GAAG,IAAI,CAAC;IACxB,iBAAiB,EAAE,IAAI,GAAG,IAAI,CAAC;IAC/B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OAkCG;IACH,eAAe,EAAE,IAAI,GAAG,IAAI,CAAC;IAC7B,EAAE,EAAE,MAAM,GAAG,IAAI,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC;CACzC;AAED;;;;GAIG;AACH,eAAO,MAAM,kBAAkB,GAAI,CAAC,SAAS,cAAc,EAC1D,OAAO,aAAa,GAAG;IAAC,UAAU,EAAE,CAAC,CAAA;CAAC,KACpC,gBAAgB,CAAC,CAAC,CAAC,GAAG,IAExB,CAAC;AAEF,6CAA6C;AAC7C,MAAM,WAAW,aAAa,CAAC,CAAC,SAAS,MAAM,GAAG,cAAc;IAC/D,UAAU,EAAE,CAAC,CAAC;IACd,OAAO,CAAC,EAAE,YAAY,CAAC;IACvB,QAAQ,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;IACvB,UAAU,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;IACzB,iBAAiB,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;IAChC,eAAe,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;IAC9B,EAAE,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACnB;;;;OAIG;IACH,QAAQ,CAAC,EAAE,CAAC,SAAS,cAAc,GAChC,CAAC,gBAAgB,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,GAAG,IAAI,GACtD,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC;CAClC;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,WAAW,cAAc;IAC9B,iFAAiF;IACjF,QAAQ,CAAC,WAAW,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IAC5C;;;OAGG;IACH,QAAQ,CAAC,gBAAgB,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC;CAC/D;AAED,4FAA4F;AAC5F,eAAO,MAAM,wBAAwB,EAAE,cAGrC,CAAC;AAEH,6CAA6C;AAC7C,MAAM,WAAW,2BAA2B;IAC3C;;;;;;;;OAQG;IACH,YAAY,CAAC,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,GAAG,IAAI,CAAC,CAAC,CAAC;CAC1D;AAED;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,uBAAuB,GAAI,UAAU,2BAA2B,KAAG,cA2B/E,CAAC;AAEF,gDAAgD;AAChD,eAAO,MAAM,uBAAuB,KAAK,CAAC;AAE1C,6CAA6C;AAC7C,MAAM,WAAW,mBAAmB;IACnC,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB;;;;OAIG;IACH,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,aAAa,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IAC9B,UAAU,CAAC,EAAE,IAAI,CAAC;IAClB,OAAO,CAAC,EAAE,YAAY,CAAC;IACvB,0GAA0G;IAC1G,SAAS,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;;;;;;;;GASG;AACH,eAAO,MAAM,iBAAiB;;;;;;;;;;;;;;;kBAY5B,CAAC;AACH,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAC;AAElE,+DAA+D;AAC/D,eAAO,MAAM,8BAA8B;;;;;;;;;;;;;;;;;kBAGzC,CAAC;AACH,MAAM,MAAM,8BAA8B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,8BAA8B,CAAC,CAAC;AAE5F,oEAAoE;AACpE,eAAO,MAAM,sBAAsB;;;;;;;;;;;;;;;;;kBAGjC,CAAC;AACH,MAAM,MAAM,sBAAsB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAC;AAE5E,iEAAiE;AACjE,eAAO,MAAM,gBAAgB;;;;;;;kBAE3B,CAAC;AACH,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC;AAehE,eAAO,MAAM,gBAAgB,ihBAa3B,CAAC;AAEH,eAAO,MAAM,iBAAiB,UAM7B,CAAC"}

package/dist/auth/audit_log_schema.js

@@ -8,7 +8,9 @@
  */
 import { z } from 'zod';
 import { Uuid } from '@fuzdev/fuz_util/id.js';
+import { Blake3Hash } from '@fuzdev/fuz_util/hash_blake3.js';
 import { AuthSessionJson } from './account_schema.js';
+import { ApiTokenId } from './api_token.js';
 /**
  * All tracked auth event types. Frozen to convert accidental in-process
  * mutation (test cross-contamination, cast escapes) into loud TypeErrors.
@@ -88,7 +90,7 @@ export const AUDIT_METADATA_SCHEMAS = Object.freeze({
     })
         .nullable(),
     session_revoke: z.looseObject({
-        session_id: z.string().meta({ description: 'Blake3 hash identifying the revoked session row.' }),
+        session_id: Blake3Hash.meta({ description: 'Blake3 hash identifying the revoked session row.' }),
     }),
     session_revoke_all: z.looseObject({
         // Omitted on `outcome='failure'` (no revocation attempted — e.g. target
@@ -107,11 +109,11 @@ export const AUDIT_METADATA_SCHEMAS = Object.freeze({
         }),
     }),
     token_create: z.looseObject({
-        token_id: z.string().meta({ description: 'Public id of the created API token (`tok_…`).' }),
+        token_id: ApiTokenId.meta({ description: 'Public id of the created API token (`tok_…`).' }),
         name: z.string().meta({ description: 'Operator-supplied label for the token.' }),
     }),
     token_revoke: z.looseObject({
-        token_id: z.string().meta({ description: 'Public id of the revoked API token (`tok_…`).' }),
+        token_id: ApiTokenId.meta({ description: 'Public id of the revoked API token (`tok_…`).' }),
     }),
     token_revoke_all: z.looseObject({
         // Same shape as `session_revoke_all` for failures.
@@ -311,6 +313,7 @@ export const AuditLogEventJson = z.strictObject({
     actor_id: Uuid.nullable(),
     account_id: Uuid.nullable(),
     target_account_id: Uuid.nullable(),
+    target_actor_id: Uuid.nullable(),
     ip: z.string().nullable(),
     created_at: z.string(),
     metadata: z.record(z.string(), z.unknown()).nullable(),
@@ -330,6 +333,17 @@ export const AdminSessionJson = AuthSessionJson.extend({
     username: z.string(),
 });
 // Schema DDL
+//
+// Multi-actor invariants the envelope columns assume:
+// - `actor_id` + `account_id`, when both populated, refer to the same
+//   account (derivable via `actor.account_id`). Denormalized for
+//   indexed audit queries; do not let them disagree.
+// - `target_actor_id` + `target_account_id`, same rule when both populated.
+// - `target_account_id` is the SSE/WS socket-close key — sessions stay
+//   account-grain after multi-actor lands, so this column carries
+//   the routing identity even on actor-bound events.
+// - `target_actor_id` is populated iff the event subject is actor-bound
+//   (see `AuditLogEvent.target_actor_id` doc-comment for the rule).
 export const AUDIT_LOG_SCHEMA = `
 CREATE TABLE IF NOT EXISTS audit_log (
   id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
@@ -339,6 +353,7 @@ CREATE TABLE IF NOT EXISTS audit_log (
   actor_id UUID REFERENCES actor(id) ON DELETE SET NULL,
   account_id UUID REFERENCES account(id) ON DELETE SET NULL,
   target_account_id UUID REFERENCES account(id) ON DELETE SET NULL,
+  target_actor_id UUID REFERENCES actor(id) ON DELETE SET NULL,
   ip TEXT,
   created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
   metadata JSONB
@@ -348,4 +363,5 @@ export const AUDIT_LOG_INDEXES = [
     `CREATE INDEX IF NOT EXISTS idx_audit_log_account ON audit_log(account_id)`,
     `CREATE INDEX IF NOT EXISTS idx_audit_log_event_type ON audit_log(event_type)`,
     `CREATE INDEX IF NOT EXISTS idx_audit_log_target_account ON audit_log(target_account_id)`,
+    `CREATE INDEX IF NOT EXISTS idx_audit_log_target_actor ON audit_log(target_actor_id)`,
 ];

package/dist/auth/bearer_auth.d.ts

@@ -18,18 +18,20 @@ import { type RateLimiter } from '../rate_limiter.js';
  * Create middleware that authenticates via bearer token.
  *
  * Soft-fails for invalid, expired, or empty tokens — calls `next()` without
- * setting a request context, letting downstream auth enforcement (per-action
- * `check_action_auth` or `require_auth`) return a consistent JSON-RPC or
- * route-level error. This avoids leaking token-specific diagnostics
+ * setting account identity, letting downstream auth enforcement (the RPC
+ * dispatcher's pre-validation / post-authorization auth gates or
+ * `require_auth`) return a consistent JSON-RPC or route-level error. This
+ * avoids leaking token-specific diagnostics
  * (`invalid_token`, `account_not_found`) that could aid enumeration attacks,
  * and ensures public actions are not blocked by bad credentials.
  *
  * Rejects bearer tokens when an `Origin` or `Referer` header is present —
  * browsers must use cookie auth to reduce attack surface.
  * Auth scheme matching is case-insensitive per RFC 7235.
- * On success, builds the request context (`{ account, actor, permits }`)
- * and sets it on the Hono context. Skips if a request context is already set
- * (e.g. by session middleware).
+ * On success, sets `c.var.auth_account_id`, `CREDENTIAL_TYPE_KEY = 'api_token'`,
+ * and `AUTH_API_TOKEN_ID_KEY`. Skips when an account is already authenticated
+ * (e.g. by session middleware). Acting-actor resolution + `RequestContext`
+ * construction are deferred to the dispatcher's authorization phase.
  *
  * Rate limiting (429) is the only hard-fail — it's a throttling concern
  * independent of auth identity.
@@ -37,7 +39,7 @@ import { type RateLimiter } from '../rate_limiter.js';
  * @param deps - query dependencies (pool-level db for middleware)
  * @param ip_rate_limiter - per-IP rate limiter for bearer token attempts (null to disable)
  * @param log - the logger instance
- * @mutates Hono context - sets `REQUEST_CONTEXT_KEY`, `CREDENTIAL_TYPE_KEY`, and `AUTH_API_TOKEN_ID_KEY` on success
+ * @mutates Hono context - sets `ACCOUNT_ID_KEY`, `CREDENTIAL_TYPE_KEY`, and `AUTH_API_TOKEN_ID_KEY` on success
  * @mutates `ip_rate_limiter` - records on attempt; resets on a valid token
  */
 export declare const create_bearer_auth_middleware: (deps: QueryDeps, ip_rate_limiter: RateLimiter | null, log: Logger) => MiddlewareHandler;

package/dist/auth/bearer_auth.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"bearer_auth.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/bearer_auth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,KAAK,EAAC,iBAAiB,EAAC,MAAM,MAAM,CAAC;AAC5C,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAKpD,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,qBAAqB,CAAC;AAEnD,OAAO,EAA+B,KAAK,WAAW,EAAC,MAAM,oBAAoB,CAAC;AAElF;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,eAAO,MAAM,6BAA6B,GACzC,MAAM,SAAS,EACf,iBAAiB,WAAW,GAAG,IAAI,EACnC,KAAK,MAAM,KACT,iBAsFF,CAAC"}
+{"version":3,"file":"bearer_auth.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/bearer_auth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,KAAK,EAAC,iBAAiB,EAAC,MAAM,MAAM,CAAC;AAC5C,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAIpD,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,qBAAqB,CAAC;AAEnD,OAAO,EAA+B,KAAK,WAAW,EAAC,MAAM,oBAAoB,CAAC;AAElF;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AACH,eAAO,MAAM,6BAA6B,GACzC,MAAM,SAAS,EACf,iBAAiB,WAAW,GAAG,IAAI,EACnC,KAAK,MAAM,KACT,iBA4EF,CAAC"}

package/dist/auth/bearer_auth.js

@@ -10,8 +10,7 @@
  *
  * @module
  */
-import { REQUEST_CONTEXT_KEY, build_request_context } from './request_context.js';
-import { AUTH_API_TOKEN_ID_KEY, CREDENTIAL_TYPE_KEY } from '../hono_context.js';
+import { AUTH_API_TOKEN_ID_KEY, ACCOUNT_ID_KEY, CREDENTIAL_TYPE_KEY } from '../hono_context.js';
 import { query_validate_api_token } from './api_token_queries.js';
 import { get_client_ip } from '../http/proxy.js';
 import { rate_limit_exceeded_response } from '../rate_limiter.js';
@@ -19,18 +18,20 @@ import { rate_limit_exceeded_response } from '../rate_limiter.js';
  * Create middleware that authenticates via bearer token.
  *
  * Soft-fails for invalid, expired, or empty tokens — calls `next()` without
- * setting a request context, letting downstream auth enforcement (per-action
- * `check_action_auth` or `require_auth`) return a consistent JSON-RPC or
- * route-level error. This avoids leaking token-specific diagnostics
+ * setting account identity, letting downstream auth enforcement (the RPC
+ * dispatcher's pre-validation / post-authorization auth gates or
+ * `require_auth`) return a consistent JSON-RPC or route-level error. This
+ * avoids leaking token-specific diagnostics
  * (`invalid_token`, `account_not_found`) that could aid enumeration attacks,
  * and ensures public actions are not blocked by bad credentials.
  *
  * Rejects bearer tokens when an `Origin` or `Referer` header is present —
  * browsers must use cookie auth to reduce attack surface.
  * Auth scheme matching is case-insensitive per RFC 7235.
- * On success, builds the request context (`{ account, actor, permits }`)
- * and sets it on the Hono context. Skips if a request context is already set
- * (e.g. by session middleware).
+ * On success, sets `c.var.auth_account_id`, `CREDENTIAL_TYPE_KEY = 'api_token'`,
+ * and `AUTH_API_TOKEN_ID_KEY`. Skips when an account is already authenticated
+ * (e.g. by session middleware). Acting-actor resolution + `RequestContext`
+ * construction are deferred to the dispatcher's authorization phase.
  *
  * Rate limiting (429) is the only hard-fail — it's a throttling concern
  * independent of auth identity.
@@ -38,13 +39,13 @@ import { rate_limit_exceeded_response } from '../rate_limiter.js';
  * @param deps - query dependencies (pool-level db for middleware)
  * @param ip_rate_limiter - per-IP rate limiter for bearer token attempts (null to disable)
  * @param log - the logger instance
- * @mutates Hono context - sets `REQUEST_CONTEXT_KEY`, `CREDENTIAL_TYPE_KEY`, and `AUTH_API_TOKEN_ID_KEY` on success
+ * @mutates Hono context - sets `ACCOUNT_ID_KEY`, `CREDENTIAL_TYPE_KEY`, and `AUTH_API_TOKEN_ID_KEY` on success
  * @mutates `ip_rate_limiter` - records on attempt; resets on a valid token
  */
 export const create_bearer_auth_middleware = (deps, ip_rate_limiter, log) => {
     return async (c, next) => {
-        // Skip if already authenticated via session
-        if (c.get(REQUEST_CONTEXT_KEY)) {
+        // Skip if an account is already authenticated (e.g. by session middleware)
+        if (c.get(ACCOUNT_ID_KEY) != null) {
             await next();
             return;
         }
@@ -97,16 +98,7 @@ export const create_bearer_auth_middleware = (deps, ip_rate_limiter, log) => {
         // Valid token — reset rate limit counter
         if (ip_rate_limiter)
             ip_rate_limiter.reset(ip);
-        // Build request context from the token's account
-        const ctx = await build_request_context(deps, api_token.account_id);
-        if (!ctx) {
-            // Token exists but account/actor missing — soft-fail to avoid
-            // leaking account lifecycle information.
-            log.debug('bearer auth soft-fail: account or actor not found for token');
-            await next();
-            return;
-        }
-        c.set(REQUEST_CONTEXT_KEY, ctx);
+        c.set(ACCOUNT_ID_KEY, api_token.account_id);
         c.set(CREDENTIAL_TYPE_KEY, 'api_token');
         c.set(AUTH_API_TOKEN_ID_KEY, api_token.id);
         await next();

package/dist/auth/cleanup.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"cleanup.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/cleanup.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAEH,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAEpD,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,qBAAqB,CAAC;AAInD,OAAO,KAAK,EAAC,cAAc,EAAE,aAAa,EAAC,MAAM,uBAAuB,CAAC;AAEzE,4CAA4C;AAC5C,MAAM,WAAW,eAAgB,SAAQ,SAAS;IACjD,GAAG,EAAE,MAAM,CAAC;IACZ;;;;OAIG;IACH,cAAc,CAAC,EAAE,CAAC,CAAC,KAAK,EAAE,aAAa,KAAK,IAAI,CAAC,GAAG,IAAI,CAAC;IACzD;;;;;;OAMG;IACH,gBAAgB,CAAC,EAAE,cAAc,CAAC;CAClC;AAED,oCAAoC;AACpC,MAAM,WAAW,iBAAiB;IACjC,8CAA8C;IAC9C,gBAAgB,EAAE,MAAM,CAAC;IACzB,yDAAyD;IACzD,cAAc,EAAE,MAAM,CAAC;CACvB;AAED;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,6BAA6B,GAAU,MAAM,eAAe,KAAG,OAAO,CAAC,MAAM,CAiCzF,CAAC;AAEF;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,gBAAgB,GAAU,MAAM,eAAe,KAAG,OAAO,CAAC,iBAAiB,CAIvF,CAAC"}
+{"version":3,"file":"cleanup.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/cleanup.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAEH,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAEpD,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,qBAAqB,CAAC;AAInD,OAAO,KAAK,EAAC,cAAc,EAAE,aAAa,EAAC,MAAM,uBAAuB,CAAC;AAEzE,4CAA4C;AAC5C,MAAM,WAAW,eAAgB,SAAQ,SAAS;IACjD,GAAG,EAAE,MAAM,CAAC;IACZ;;;;OAIG;IACH,cAAc,CAAC,EAAE,CAAC,CAAC,KAAK,EAAE,aAAa,KAAK,IAAI,CAAC,GAAG,IAAI,CAAC;IACzD;;;;;;OAMG;IACH,gBAAgB,CAAC,EAAE,cAAc,CAAC;CAClC;AAED,oCAAoC;AACpC,MAAM,WAAW,iBAAiB;IACjC,8CAA8C;IAC9C,gBAAgB,EAAE,MAAM,CAAC;IACzB,yDAAyD;IACzD,cAAc,EAAE,MAAM,CAAC;CACvB;AAED;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,6BAA6B,GAAU,MAAM,eAAe,KAAG,OAAO,CAAC,MAAM,CAsCzF,CAAC;AAEF;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,gBAAgB,GAAU,MAAM,eAAe,KAAG,OAAO,CAAC,iBAAiB,CAIvF,CAAC"}