@fuzdev/fuz_app 0.53.0 → 0.55.0

package/dist/auth/permit_offer_queries.d.ts

@@ -46,31 +46,72 @@ export declare class PermitOfferNotFoundError extends Error {
 /**
  * Error thrown when a grantor attempts to offer a permit to their own account.
  *
- * Enforced here (rather than via a CHECK constraint) so the constraint can
- * be expressed as a cross-row JOIN on `actor.account_id` without requiring
- * denormalized columns.
+ * Enforced via a single SELECT on the grantor's `actor.account_id` (rather
+ * than via a CHECK constraint or a denormalized column). Resolving from the
+ * grantor side keeps the check multi-actor-correct: under multi-actor the
+ * recipient account may host many actors, but the grantor → account binding
+ * remains 1:1 by definition of `actor`.
  */
 export declare class PermitOfferSelfTargetError extends Error {
     constructor();
 }
+/**
+ * Error thrown when an actor-targeted offer is being accepted by an actor
+ * other than `offer.to_actor_id`. Distinct from `PermitOfferNotFoundError`
+ * (the IDOR mask): once an offer has been resolved to the recipient account,
+ * a wrong-actor accept on a same-account actor is a contract violation, not
+ * a privacy boundary — surface a specific error so the client UI can
+ * distinguish "this offer isn't for you" from "no such offer".
+ */
+export declare class PermitOfferActorMismatchError extends Error {
+    constructor(offer_id: string);
+}
+/**
+ * Error thrown when `query_permit_offer_create` is called with a
+ * `to_actor_id` that does not exist or does not belong to `to_account_id`.
+ * Surfaces the actor↔account binding mismatch at the boundary instead of
+ * letting the FK silently disagree with the recipient field.
+ */
+export declare class PermitOfferActorAccountMismatchError extends Error {
+    constructor();
+}
 /**
  * Create a new permit offer, or refresh an existing pending offer for the
  * same `(to_account_id, role, scope_id, from_actor_id)` tuple.
  *
  * Re-offer semantics: a second call by the same grantor with the same
  * `(to_account, role, scope)` while pending upserts the existing row,
- * refreshing `message` and `expires_at`. A different grantor offering the
- * same `(to_account, role, scope)` creates a distinct row — multiple
- * pending grantors coexist. After a terminal state, a re-offer is a fresh
- * INSERT.
+ * refreshing `message` and `expires_at` (and `to_actor_id` — supplying
+ * a different `to_actor_id` on re-offer narrows the existing row to the
+ * named actor; supplying null widens it back to account-grain). A
+ * different grantor offering the same `(to_account, role, scope)` creates
+ * a distinct row — multiple pending grantors coexist. After a terminal
+ * state, a re-offer is a fresh INSERT.
  *
  * Self-offer rejection: throws `PermitOfferSelfTargetError` if the offering
  * actor belongs to the recipient account.
  *
+ * Actor-targeted offers: when `to_actor_id` is supplied,
+ * `query_accept_offer` rejects any actor other than the named one. Closes
+ * the audit hole where offer-shape events would otherwise leave
+ * `target_actor_id` null even when the recipient binding is known at
+ * offer time. The actor↔account binding is verified here in one SELECT.
+ *
  * @mutates `permit_offer` table - inserts a new offer or upserts the matching pending row
  * @throws PermitOfferSelfTargetError if the offering actor belongs to `to_account_id`
+ * @throws PermitOfferActorAccountMismatchError if `to_actor_id` is set but does not belong to `to_account_id`
  */
 export declare const query_permit_offer_create: (deps: QueryDeps, input: CreatePermitOfferInput) => Promise<PermitOffer>;
+/** Result of `query_permit_offer_decline` — the declined offer plus the grantor's `account_id`. */
+export interface DeclinedOffer extends PermitOffer {
+    /**
+     * Grantor's `account_id`, resolved via a join on `actor` so the audit
+     * envelope's `target_account_id` (decline is *to* the grantor) and the
+     * post-commit notification target are both addressable without a
+     * second round-trip.
+     */
+    from_account_id: Uuid;
+}
 /**
  * Mark an offer declined.
  *
@@ -79,10 +120,16 @@ export declare const query_permit_offer_create: (deps: QueryDeps, input: CreateP
  * `PermitOfferAlreadyTerminalError` if the offer exists for the caller but
  * is already in a terminal state.
  *
+ * Returns the declined offer with the grantor's `from_account_id` joined
+ * in via CTE — the decline audit envelope populates **both**
+ * `target_actor_id` (the grantor actor) and `target_account_id` (the
+ * grantor account), satisfying the "both populated → same account"
+ * invariant the audit-log column comments describe.
+ *
  * @mutates `permit_offer` row - sets `declined_at` and `decline_reason`
  * @throws PermitOfferAlreadyTerminalError if the offer is already accepted, declined, retracted, or superseded
  */
-export declare const query_permit_offer_decline: (deps: QueryDeps, offer_id: string, to_account_id: string, reason: string | null) => Promise<PermitOffer | null>;
+export declare const query_permit_offer_decline: (deps: QueryDeps, offer_id: string, to_account_id: string, reason: string | null) => Promise<DeclinedOffer | null>;
 /**
  * Mark an offer retracted by the grantor.
  *
@@ -128,6 +175,18 @@ export interface AcceptOfferInput {
     offer_id: Uuid;
     /** Account of the accepting recipient — IDOR guard against another account accepting the offer. */
     to_account_id: Uuid;
+    /**
+     * Accepting actor — the actor that will hold the resulting permit.
+     * Must belong to `to_account_id`; the query verifies and throws if not
+     * (defense-in-depth — the action handler passes `auth.actor.id` which
+     * is session-bound, but the query enforces the invariant for all
+     * callers including tests and future direct consumers).
+     *
+     * Required because under multi-actor an account may host many actors;
+     * the resulting permit must bind to the actor that actually accepted,
+     * not "an" actor on the account picked by query order.
+     */
+    actor_id: Uuid;
     /** Optional IP to stamp on the audit events. */
     ip?: string | null;
 }
@@ -177,7 +236,7 @@ export interface AcceptOfferResult {
  * @throws PermitOfferNotFoundError if the offer is missing or belongs to another recipient
  * @throws PermitOfferAlreadyTerminalError if the offer is declined, retracted, or superseded
  * @throws PermitOfferExpiredError if the offer is pending but past `expires_at`
- * @throws Error if the accepting account has no actor (1:1 invariant) or invariant assertions fail
+ * @throws Error if the accepting `actor_id` does not belong to `to_account_id`, or invariant assertions fail
  */
 export declare const query_accept_offer: (deps: QueryDeps, input: AcceptOfferInput) => Promise<AcceptOfferResult>;
 //# sourceMappingURL=permit_offer_queries.d.ts.map

package/dist/auth/permit_offer_queries.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"permit_offer_queries.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/permit_offer_queries.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,KAAK,EAAC,IAAI,EAAC,MAAM,wBAAwB,CAAC;AAEjD,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,qBAAqB,CAAC;AAEnD,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,qBAAqB,CAAC;AAEhD,OAAO,EAEN,KAAK,sBAAsB,EAC3B,KAAK,WAAW,EAChB,KAAK,eAAe,EACpB,MAAM,0BAA0B,CAAC;AAElC,OAAO,KAAK,EAAC,aAAa,EAAC,MAAM,uBAAuB,CAAC;AAEzD;;;;;GAKG;AACH,qBAAa,+BAAgC,SAAQ,KAAK;gBAC7C,QAAQ,EAAE,MAAM;CAI5B;AAED;;;;;GAKG;AACH,qBAAa,uBAAwB,SAAQ,KAAK;gBACrC,QAAQ,EAAE,MAAM;CAI5B;AAED;;;;;GAKG;AACH,qBAAa,wBAAyB,SAAQ,KAAK;gBACtC,QAAQ,EAAE,MAAM;CAI5B;AAED;;;;;;GAMG;AACH,qBAAa,0BAA2B,SAAQ,KAAK;;CAKpD;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,eAAO,MAAM,yBAAyB,GACrC,MAAM,SAAS,EACf,OAAO,sBAAsB,KAC3B,OAAO,CAAC,WAAW,CAyBrB,CAAC;AAEF;;;;;;;;;;GAUG;AACH,eAAO,MAAM,0BAA0B,GACtC,MAAM,SAAS,EACf,UAAU,MAAM,EAChB,eAAe,MAAM,EACrB,QAAQ,MAAM,GAAG,IAAI,KACnB,OAAO,CAAC,WAAW,GAAG,IAAI,CAe5B,CAAC;AAEF;;;;;;;;;;GAUG;AACH,eAAO,MAAM,0BAA0B,GACtC,MAAM,SAAS,EACf,UAAU,MAAM,EAChB,eAAe,MAAM,KACnB,OAAO,CAAC,WAAW,GAAG,IAAI,CAe5B,CAAC;AA8BF;;;;;;GAMG;AACH,eAAO,MAAM,uBAAuB,GACnC,MAAM,SAAS,EACf,eAAe,MAAM,KACnB,OAAO,CAAC,KAAK,CAAC,WAAW,CAAC,CAY5B,CAAC;AAEF;;;;GAIG;AACH,eAAO,MAAM,sCAAsC,GAClD,MAAM,SAAS,EACf,YAAY,MAAM,EAClB,cAAW,EACX,eAAU,KACR,OAAO,CAAC,KAAK,CAAC,WAAW,CAAC,CAS5B,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,+BAA+B,GAC3C,MAAM,SAAS,EACf,UAAU,MAAM,KACd,OAAO,CAAC,WAAW,GAAG,IAAI,CAY5B,CAAC;AAEF;;;;;;;GAOG;AACH,eAAO,MAAM,gCAAgC,GAC5C,MAAM,SAAS,KACb,OAAO,CAAC,KAAK,CAAC,WAAW,CAAC,CAU5B,CAAC;AAEF,sCAAsC;AACtC,MAAM,WAAW,gBAAgB;IAChC,QAAQ,EAAE,IAAI,CAAC;IACf,mGAAmG;IACnG,aAAa,EAAE,IAAI,CAAC;IACpB,gDAAgD;IAChD,EAAE,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CACnB;AAED,yHAAyH;AACzH,MAAM,WAAW,iBAAiB;IACjC,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,WAAW,CAAC;IACnB,4IAA4I;IAC5I,OAAO,EAAE,OAAO,CAAC;IACjB;;;;;OAKG;IACH,iBAAiB,EAAE,KAAK,CAAC,eAAe,CAAC,CAAC;IAC1C,sLAAsL;IACtL,YAAY,EAAE,KAAK,CAAC,aAAa,CAAC,CAAC;CACnC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA+BG;AACH,eAAO,MAAM,kBAAkB,GAC9B,MAAM,SAAS,EACf,OAAO,gBAAgB,KACrB,OAAO,CAAC,iBAAiB,CAqK3B,CAAC"}
+{"version":3,"file":"permit_offer_queries.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/permit_offer_queries.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,KAAK,EAAC,IAAI,EAAC,MAAM,wBAAwB,CAAC;AAEjD,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,qBAAqB,CAAC;AAEnD,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,qBAAqB,CAAC;AAChD,OAAO,EAEN,KAAK,sBAAsB,EAC3B,KAAK,WAAW,EAChB,KAAK,eAAe,EACpB,MAAM,0BAA0B,CAAC;AAElC,OAAO,KAAK,EAAC,aAAa,EAAC,MAAM,uBAAuB,CAAC;AAEzD;;;;;GAKG;AACH,qBAAa,+BAAgC,SAAQ,KAAK;gBAC7C,QAAQ,EAAE,MAAM;CAI5B;AAED;;;;;GAKG;AACH,qBAAa,uBAAwB,SAAQ,KAAK;gBACrC,QAAQ,EAAE,MAAM;CAI5B;AAED;;;;;GAKG;AACH,qBAAa,wBAAyB,SAAQ,KAAK;gBACtC,QAAQ,EAAE,MAAM;CAI5B;AAED;;;;;;;;GAQG;AACH,qBAAa,0BAA2B,SAAQ,KAAK;;CAKpD;AAED;;;;;;;GAOG;AACH,qBAAa,6BAA8B,SAAQ,KAAK;gBAC3C,QAAQ,EAAE,MAAM;CAI5B;AAED;;;;;GAKG;AACH,qBAAa,oCAAqC,SAAQ,KAAK;;CAK9D;AAED;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,eAAO,MAAM,yBAAyB,GACrC,MAAM,SAAS,EACf,OAAO,sBAAsB,KAC3B,OAAO,CAAC,WAAW,CAgDrB,CAAC;AAEF,mGAAmG;AACnG,MAAM,WAAW,aAAc,SAAQ,WAAW;IACjD;;;;;OAKG;IACH,eAAe,EAAE,IAAI,CAAC;CACtB;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,eAAO,MAAM,0BAA0B,GACtC,MAAM,SAAS,EACf,UAAU,MAAM,EAChB,eAAe,MAAM,EACrB,QAAQ,MAAM,GAAG,IAAI,KACnB,OAAO,CAAC,aAAa,GAAG,IAAI,CAoB9B,CAAC;AAEF;;;;;;;;;;GAUG;AACH,eAAO,MAAM,0BAA0B,GACtC,MAAM,SAAS,EACf,UAAU,MAAM,EAChB,eAAe,MAAM,KACnB,OAAO,CAAC,WAAW,GAAG,IAAI,CAe5B,CAAC;AA8BF;;;;;;GAMG;AACH,eAAO,MAAM,uBAAuB,GACnC,MAAM,SAAS,EACf,eAAe,MAAM,KACnB,OAAO,CAAC,KAAK,CAAC,WAAW,CAAC,CAY5B,CAAC;AAEF;;;;GAIG;AACH,eAAO,MAAM,sCAAsC,GAClD,MAAM,SAAS,EACf,YAAY,MAAM,EAClB,cAAW,EACX,eAAU,KACR,OAAO,CAAC,KAAK,CAAC,WAAW,CAAC,CAS5B,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,+BAA+B,GAC3C,MAAM,SAAS,EACf,UAAU,MAAM,KACd,OAAO,CAAC,WAAW,GAAG,IAAI,CAY5B,CAAC;AAEF;;;;;;;GAOG;AACH,eAAO,MAAM,gCAAgC,GAC5C,MAAM,SAAS,KACb,OAAO,CAAC,KAAK,CAAC,WAAW,CAAC,CAU5B,CAAC;AAEF,sCAAsC;AACtC,MAAM,WAAW,gBAAgB;IAChC,QAAQ,EAAE,IAAI,CAAC;IACf,mGAAmG;IACnG,aAAa,EAAE,IAAI,CAAC;IACpB;;;;;;;;;;OAUG;IACH,QAAQ,EAAE,IAAI,CAAC;IACf,gDAAgD;IAChD,EAAE,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CACnB;AAED,yHAAyH;AACzH,MAAM,WAAW,iBAAiB;IACjC,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,WAAW,CAAC;IACnB,4IAA4I;IAC5I,OAAO,EAAE,OAAO,CAAC;IACjB;;;;;OAKG;IACH,iBAAiB,EAAE,KAAK,CAAC,eAAe,CAAC,CAAC;IAC1C,sLAAsL;IACtL,YAAY,EAAE,KAAK,CAAC,aAAa,CAAC,CAAC;CACnC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA+BG;AACH,eAAO,MAAM,kBAAkB,GAC9B,MAAM,SAAS,EACf,OAAO,gBAAgB,KACrB,OAAO,CAAC,iBAAiB,CA8N3B,CAAC"}

package/dist/auth/permit_offer_queries.js

@@ -12,7 +12,6 @@
  * @module
  */
 import { assert_row } from '../db/assert_row.js';
-import { query_actor_by_account } from './account_queries.js';
 import { PERMIT_OFFER_SCOPE_SENTINEL_UUID, } from './permit_offer_schema.js';
 import { query_audit_log } from './audit_log_queries.js';
 /**
@@ -54,9 +53,11 @@ export class PermitOfferNotFoundError extends Error {
 /**
  * Error thrown when a grantor attempts to offer a permit to their own account.
  *
- * Enforced here (rather than via a CHECK constraint) so the constraint can
- * be expressed as a cross-row JOIN on `actor.account_id` without requiring
- * denormalized columns.
+ * Enforced via a single SELECT on the grantor's `actor.account_id` (rather
+ * than via a CHECK constraint or a denormalized column). Resolving from the
+ * grantor side keeps the check multi-actor-correct: under multi-actor the
+ * recipient account may host many actors, but the grantor → account binding
+ * remains 1:1 by definition of `actor`.
  */
 export class PermitOfferSelfTargetError extends Error {
     constructor() {
@@ -64,39 +65,91 @@ export class PermitOfferSelfTargetError extends Error {
         this.name = 'PermitOfferSelfTargetError';
     }
 }
+/**
+ * Error thrown when an actor-targeted offer is being accepted by an actor
+ * other than `offer.to_actor_id`. Distinct from `PermitOfferNotFoundError`
+ * (the IDOR mask): once an offer has been resolved to the recipient account,
+ * a wrong-actor accept on a same-account actor is a contract violation, not
+ * a privacy boundary — surface a specific error so the client UI can
+ * distinguish "this offer isn't for you" from "no such offer".
+ */
+export class PermitOfferActorMismatchError extends Error {
+    constructor(offer_id) {
+        super(`Offer ${offer_id} is targeted to a different actor on this account`);
+        this.name = 'PermitOfferActorMismatchError';
+    }
+}
+/**
+ * Error thrown when `query_permit_offer_create` is called with a
+ * `to_actor_id` that does not exist or does not belong to `to_account_id`.
+ * Surfaces the actor↔account binding mismatch at the boundary instead of
+ * letting the FK silently disagree with the recipient field.
+ */
+export class PermitOfferActorAccountMismatchError extends Error {
+    constructor() {
+        super('to_actor_id does not belong to to_account_id');
+        this.name = 'PermitOfferActorAccountMismatchError';
+    }
+}
 /**
  * Create a new permit offer, or refresh an existing pending offer for the
  * same `(to_account_id, role, scope_id, from_actor_id)` tuple.
  *
  * Re-offer semantics: a second call by the same grantor with the same
  * `(to_account, role, scope)` while pending upserts the existing row,
- * refreshing `message` and `expires_at`. A different grantor offering the
- * same `(to_account, role, scope)` creates a distinct row — multiple
- * pending grantors coexist. After a terminal state, a re-offer is a fresh
- * INSERT.
+ * refreshing `message` and `expires_at` (and `to_actor_id` — supplying
+ * a different `to_actor_id` on re-offer narrows the existing row to the
+ * named actor; supplying null widens it back to account-grain). A
+ * different grantor offering the same `(to_account, role, scope)` creates
+ * a distinct row — multiple pending grantors coexist. After a terminal
+ * state, a re-offer is a fresh INSERT.
  *
  * Self-offer rejection: throws `PermitOfferSelfTargetError` if the offering
  * actor belongs to the recipient account.
  *
+ * Actor-targeted offers: when `to_actor_id` is supplied,
+ * `query_accept_offer` rejects any actor other than the named one. Closes
+ * the audit hole where offer-shape events would otherwise leave
+ * `target_actor_id` null even when the recipient binding is known at
+ * offer time. The actor↔account binding is verified here in one SELECT.
+ *
  * @mutates `permit_offer` table - inserts a new offer or upserts the matching pending row
  * @throws PermitOfferSelfTargetError if the offering actor belongs to `to_account_id`
+ * @throws PermitOfferActorAccountMismatchError if `to_actor_id` is set but does not belong to `to_account_id`
  */
 export const query_permit_offer_create = async (deps, input) => {
-    const actor = await query_actor_by_account(deps, input.to_account_id);
-    if (actor && actor.id === input.from_actor_id) {
+    // Self-target check resolves the **grantor** actor's account and
+    // compares against to_account_id. This is multi-actor-correct:
+    // a single account may host many actors, and self-target means
+    // "the offering actor's account == the recipient account",
+    // regardless of how many other actors live on either account.
+    // (The earlier shape — "look up an actor on to_account_id, compare
+    // to from_actor_id" — silently picked one actor on a multi-actor
+    // recipient account, missing the self-target case when the picked
+    // actor wasn't the offering one.)
+    const grantor = await deps.db.query_one(`SELECT account_id FROM actor WHERE id = $1`, [input.from_actor_id]);
+    if (grantor && grantor.account_id === input.to_account_id) {
         throw new PermitOfferSelfTargetError();
     }
+    if (input.to_actor_id != null) {
+        const target = await deps.db.query_one(`SELECT account_id FROM actor WHERE id = $1`, [input.to_actor_id]);
+        if (!target || target.account_id !== input.to_account_id) {
+            throw new PermitOfferActorAccountMismatchError();
+        }
+    }
     const row = await deps.db.query_one(`INSERT INTO permit_offer
-			 (from_actor_id, to_account_id, role, scope_id, message, expires_at)
-		 VALUES ($1, $2, $3, $4, $5, $6)
+			 (from_actor_id, to_account_id, to_actor_id, role, scope_id, message, expires_at)
+		 VALUES ($1, $2, $3, $4, $5, $6, $7)
 		 ON CONFLICT (to_account_id, role, COALESCE(scope_id, '${PERMIT_OFFER_SCOPE_SENTINEL_UUID}'::uuid), from_actor_id)
 		   WHERE accepted_at IS NULL AND declined_at IS NULL AND retracted_at IS NULL AND superseded_at IS NULL
 		 DO UPDATE SET
+			 to_actor_id = EXCLUDED.to_actor_id,
 			 message = EXCLUDED.message,
 			 expires_at = EXCLUDED.expires_at
 		 RETURNING *`, [
         input.from_actor_id,
         input.to_account_id,
+        input.to_actor_id ?? null,
         input.role,
         input.scope_id ?? null,
         input.message ?? null,
@@ -112,19 +165,30 @@ export const query_permit_offer_create = async (deps, input) => {
  * `PermitOfferAlreadyTerminalError` if the offer exists for the caller but
  * is already in a terminal state.
  *
+ * Returns the declined offer with the grantor's `from_account_id` joined
+ * in via CTE — the decline audit envelope populates **both**
+ * `target_actor_id` (the grantor actor) and `target_account_id` (the
+ * grantor account), satisfying the "both populated → same account"
+ * invariant the audit-log column comments describe.
+ *
  * @mutates `permit_offer` row - sets `declined_at` and `decline_reason`
  * @throws PermitOfferAlreadyTerminalError if the offer is already accepted, declined, retracted, or superseded
  */
 export const query_permit_offer_decline = async (deps, offer_id, to_account_id, reason) => {
-    const updated = await deps.db.query_one(`UPDATE permit_offer
-		 SET declined_at = NOW(), decline_reason = $3
-		 WHERE id = $1
-		   AND to_account_id = $2
-		   AND accepted_at IS NULL
-		   AND declined_at IS NULL
-		   AND retracted_at IS NULL
-		   AND superseded_at IS NULL
-		 RETURNING *`, [offer_id, to_account_id, reason ?? null]);
+    const updated = await deps.db.query_one(`WITH updated AS (
+			UPDATE permit_offer
+			SET declined_at = NOW(), decline_reason = $3
+			WHERE id = $1
+			  AND to_account_id = $2
+			  AND accepted_at IS NULL
+			  AND declined_at IS NULL
+			  AND retracted_at IS NULL
+			  AND superseded_at IS NULL
+			RETURNING *
+		)
+		SELECT u.*, grantor.account_id AS from_account_id
+		FROM updated u
+		JOIN actor grantor ON grantor.id = u.from_actor_id`, [offer_id, to_account_id, reason ?? null]);
     if (updated)
         return updated;
     return resolve_terminal_or_missing(deps, offer_id, { to_account_id });
@@ -265,10 +329,10 @@ export const query_permit_offer_sweep_expired = async (deps) => {
  * @throws PermitOfferNotFoundError if the offer is missing or belongs to another recipient
  * @throws PermitOfferAlreadyTerminalError if the offer is declined, retracted, or superseded
  * @throws PermitOfferExpiredError if the offer is pending but past `expires_at`
- * @throws Error if the accepting account has no actor (1:1 invariant) or invariant assertions fail
+ * @throws Error if the accepting `actor_id` does not belong to `to_account_id`, or invariant assertions fail
  */
 export const query_accept_offer = async (deps, input) => {
-    const { offer_id, to_account_id, ip } = input;
+    const { offer_id, to_account_id, actor_id, ip } = input;
     // Claim the offer with a row-level lock. Subsequent concurrent callers
     // block on the lock until this transaction commits/rolls back; after commit
     // they see the new state (accepted or terminal) and branch idempotently.
@@ -284,11 +348,19 @@ export const query_accept_offer = async (deps, input) => {
     if (locked.accepted_at) {
         // Race winner already committed; return the pre-existing permit.
         // `permit_offer_permit_iff_accepted` CHECK guarantees resulting_permit_id is non-null.
-        const permit = await deps.db.query_one(`SELECT * FROM permit WHERE id = $1`, [
+        const permit = assert_row(await deps.db.query_one(`SELECT * FROM permit WHERE id = $1`, [
             locked.resulting_permit_id,
-        ]);
+        ]), 'resulting_permit lookup');
+        // Multi-actor guard: two actors on the same recipient account may
+        // both race an account-grain offer — the loser must not silently
+        // receive the winner's permit (which would tell them "you got it"
+        // while the actor on the permit is someone else). Treat the offer
+        // as terminal for the loser.
+        if (permit.actor_id !== actor_id) {
+            throw new PermitOfferAlreadyTerminalError(offer_id);
+        }
         return {
-            permit: assert_row(permit, 'resulting_permit lookup'),
+            permit,
             offer: locked,
             created: false,
             superseded_offers: [],
@@ -304,10 +376,33 @@ export const query_accept_offer = async (deps, input) => {
     if (new Date(locked.expires_at) <= new Date()) {
         throw new PermitOfferExpiredError(offer_id);
     }
-    // Resolve the accepting actor (1:1 account→actor in v1).
-    const actor = await query_actor_by_account(deps, to_account_id);
-    if (!actor) {
-        throw new Error(`No actor for account ${to_account_id} accepting offer ${offer_id}`);
+    // Actor-targeted offer gate. When the offer is account-grain
+    // (`to_actor_id IS NULL`) any actor on `to_account_id` may accept and
+    // the existing actor↔account check below applies. When actor-grain
+    // (`to_actor_id IS NOT NULL`) the accepting actor must match —
+    // reject otherwise, even when the actor is on the same account, so
+    // teacher-A's offer cannot be claimed by teacher-B's actor.
+    //
+    // Ordering contract: this check fires *before* the cross-account
+    // `actor_check` SELECT below. A wrong-actor accept on an actor-grain
+    // offer surfaces as `PermitOfferActorMismatchError` regardless of
+    // whether the supplied `actor_id` belongs to `to_account_id` — the
+    // actor-grain binding is the tighter constraint and dominates. The
+    // cross-account `Error` only fires for account-grain offers (or
+    // matching actor-grain offers where `to_actor_id === actor_id` but
+    // the actor turns out not to be on the account, which is unreachable
+    // under the FK invariant but stays as defense-in-depth).
+    if (locked.to_actor_id != null && locked.to_actor_id !== actor_id) {
+        throw new PermitOfferActorMismatchError(offer_id);
+    }
+    // Verify the accepting actor belongs to the recipient account.
+    // Defense-in-depth: the action handler passes `auth.actor.id` which is
+    // already session-bound, but enforcing the invariant here protects
+    // direct callers (tests, future consumers) from cross-account binding
+    // bugs that would silently grant a permit to the wrong actor.
+    const actor_check = await deps.db.query_one(`SELECT id FROM actor WHERE id = $1 AND account_id = $2`, [actor_id, to_account_id]);
+    if (!actor_check) {
+        throw new Error(`Accepting actor ${actor_id} does not belong to account ${to_account_id} (offer ${offer_id})`);
     }
     // Insert the permit. Uses the normal grant idempotency — if another
     // code path already granted the same (actor, role, scope), reuse it.
@@ -316,7 +411,7 @@ export const query_accept_offer = async (deps, input) => {
 		 ON CONFLICT (actor_id, role, COALESCE(scope_id, '${PERMIT_OFFER_SCOPE_SENTINEL_UUID}'::uuid))
 		   WHERE revoked_at IS NULL
 		 DO NOTHING
-		 RETURNING *`, [actor.id, locked.role, locked.scope_id, locked.from_actor_id, locked.id]);
+		 RETURNING *`, [actor_id, locked.role, locked.scope_id, locked.from_actor_id, locked.id]);
     let permit;
     if (granted_permit) {
         permit = granted_permit;
@@ -326,7 +421,7 @@ export const query_accept_offer = async (deps, input) => {
 			 WHERE actor_id = $1
 			   AND role = $2
 			   AND scope_id IS NOT DISTINCT FROM $3
-			   AND revoked_at IS NULL`, [actor.id, locked.role, locked.scope_id]);
+			   AND revoked_at IS NULL`, [actor_id, locked.role, locked.scope_id]);
         permit = assert_row(existing, 'query_accept_offer idempotent permit lookup');
     }
     // Single UPDATE sets both sides of the CHECK constraint at once.
@@ -358,10 +453,15 @@ export const query_accept_offer = async (deps, input) => {
 		JOIN actor grantor ON grantor.id = u.from_actor_id`, [to_account_id, offer.role, offer.scope_id, offer.id]);
     // Emit audit events in-transaction (atomic with the permit insert).
     // `RETURNING *` after the SET guarantees `offer.resulting_permit_id === permit.id`.
+    // Accept binds the actor deterministically — populate both target
+    // columns to mirror `permit_grant` (the in-tx pair) so forensic
+    // queries don't have to split between the two events.
     const offer_accept_event = await query_audit_log(deps, {
         event_type: 'permit_offer_accept',
-        actor_id: actor.id,
+        actor_id,
         account_id: to_account_id,
+        target_account_id: to_account_id,
+        target_actor_id: actor_id,
         ip: ip ?? null,
         metadata: {
             offer_id: offer.id,
@@ -370,10 +470,17 @@ export const query_accept_offer = async (deps, input) => {
             scope_id: offer.scope_id,
         },
     });
+    // `permit_grant` is the canonical actor-bound-subject event — the
+    // permit just bound to this actor. On self-accept the actor and the
+    // target are the same identity; on admin direct-grant (separate code
+    // path) they differ. Either way `target_actor_id` carries the
+    // grantee for actor-grain forensics.
     const permit_grant_event = await query_audit_log(deps, {
         event_type: 'permit_grant',
-        actor_id: actor.id,
+        actor_id,
         account_id: to_account_id,
+        target_account_id: to_account_id,
+        target_actor_id: actor_id,
         ip: ip ?? null,
         metadata: {
             role: offer.role,
@@ -384,10 +491,15 @@ export const query_accept_offer = async (deps, input) => {
     });
     const supersede_events = [];
     for (const sibling of superseded) {
+        // Supersede inherits the sibling's actor-grain target — actor-grain
+        // when the sibling was actor-targeted, account-grain (null) when it
+        // was account-level.
         supersede_events.push(await query_audit_log(deps, {
             event_type: 'permit_offer_supersede',
-            actor_id: actor.id,
+            actor_id,
             account_id: to_account_id,
+            target_account_id: to_account_id,
+            target_actor_id: sibling.to_actor_id,
             ip: ip ?? null,
             metadata: {
                 offer_id: sibling.id,

package/dist/auth/permit_offer_schema.d.ts

@@ -17,7 +17,7 @@ export declare const PERMIT_OFFER_SCOPE_SENTINEL_UUID = "00000000-0000-0000-0000
 export declare const PERMIT_OFFER_MESSAGE_LENGTH_MAX = 500;
 /** Default TTL for a newly created offer — 30 days. Matches GitHub org-invite expiry. */
 export declare const PERMIT_OFFER_DEFAULT_TTL_MS: number;
-export declare const PERMIT_OFFER_SCHEMA = "\nCREATE TABLE IF NOT EXISTS permit_offer (\n  id UUID PRIMARY KEY DEFAULT gen_random_uuid(),\n  from_actor_id UUID NOT NULL REFERENCES actor(id) ON DELETE CASCADE,\n  to_account_id UUID NOT NULL REFERENCES account(id) ON DELETE CASCADE,\n  role TEXT NOT NULL,\n  scope_id UUID NULL,\n  message TEXT NULL,\n  created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),\n  expires_at TIMESTAMPTZ NOT NULL,\n  accepted_at TIMESTAMPTZ NULL,\n  declined_at TIMESTAMPTZ NULL,\n  decline_reason TEXT NULL,\n  retracted_at TIMESTAMPTZ NULL,\n  superseded_at TIMESTAMPTZ NULL,\n  resulting_permit_id UUID NULL REFERENCES permit(id) ON DELETE SET NULL,\n  CONSTRAINT permit_offer_single_terminal CHECK (\n    (accepted_at IS NOT NULL)::int\n    + (declined_at IS NOT NULL)::int\n    + (retracted_at IS NOT NULL)::int\n    + (superseded_at IS NOT NULL)::int\n    <= 1\n  ),\n  CONSTRAINT permit_offer_permit_iff_accepted CHECK (\n    (accepted_at IS NOT NULL) = (resulting_permit_id IS NOT NULL)\n  ),\n  CONSTRAINT permit_offer_reason_iff_declined CHECK (\n    decline_reason IS NULL OR declined_at IS NOT NULL\n  )\n)";
+export declare const PERMIT_OFFER_SCHEMA = "\nCREATE TABLE IF NOT EXISTS permit_offer (\n  id UUID PRIMARY KEY DEFAULT gen_random_uuid(),\n  from_actor_id UUID NOT NULL REFERENCES actor(id) ON DELETE CASCADE,\n  to_account_id UUID NOT NULL REFERENCES account(id) ON DELETE CASCADE,\n  to_actor_id UUID NULL REFERENCES actor(id) ON DELETE CASCADE,\n  role TEXT NOT NULL,\n  scope_id UUID NULL,\n  message TEXT NULL,\n  created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),\n  expires_at TIMESTAMPTZ NOT NULL,\n  accepted_at TIMESTAMPTZ NULL,\n  declined_at TIMESTAMPTZ NULL,\n  decline_reason TEXT NULL,\n  retracted_at TIMESTAMPTZ NULL,\n  superseded_at TIMESTAMPTZ NULL,\n  resulting_permit_id UUID NULL REFERENCES permit(id) ON DELETE SET NULL,\n  CONSTRAINT permit_offer_single_terminal CHECK (\n    (accepted_at IS NOT NULL)::int\n    + (declined_at IS NOT NULL)::int\n    + (retracted_at IS NOT NULL)::int\n    + (superseded_at IS NOT NULL)::int\n    <= 1\n  ),\n  CONSTRAINT permit_offer_permit_iff_accepted CHECK (\n    (accepted_at IS NOT NULL) = (resulting_permit_id IS NOT NULL)\n  ),\n  CONSTRAINT permit_offer_reason_iff_declined CHECK (\n    decline_reason IS NULL OR declined_at IS NOT NULL\n  )\n)";
 /**
  * At most one pending offer per (to_account, role, scope, from_actor).
  *
@@ -37,6 +37,19 @@ export interface PermitOffer {
     id: Uuid;
     from_actor_id: Uuid;
     to_account_id: Uuid;
+    /**
+     * Optional actor-grain target on the recipient account. When set, accept
+     * is gated to this specific actor — `query_accept_offer` rejects any
+     * other actor with `permit_offer_actor_mismatch` even when they belong
+     * to `to_account_id`. When null the offer is account-grain and any
+     * actor on `to_account_id` may accept (the v1 default).
+     *
+     * Drives the audit envelope's `target_actor_id` on offer-shape events
+     * (`permit_offer_create` / `_expire` / `_retract` / `_supersede`) — when
+     * set, the actor-grain forensic field carries the named actor; when
+     * null the offer-shape events leave it null by design.
+     */
+    to_actor_id: Uuid | null;
     role: string;
     scope_id: Uuid | null;
     message: string | null;
@@ -75,6 +88,14 @@ export interface SupersededOffer extends PermitOffer {
 export interface CreatePermitOfferInput {
     from_actor_id: Uuid;
     to_account_id: Uuid;
+    /**
+     * Optional actor-grain target on the recipient account. When set,
+     * `query_permit_offer_create` validates that the actor belongs to
+     * `to_account_id` and stamps the column; accept then matches against
+     * this specific actor. Omit (or pass null) for the account-grain
+     * default — any actor on `to_account_id` may accept.
+     */
+    to_actor_id?: Uuid | null;
     role: string;
     scope_id?: Uuid | null;
     message?: string | null;
@@ -85,6 +106,7 @@ export declare const PermitOfferJson: z.ZodObject<{
     id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
     from_actor_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
     to_account_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+    to_actor_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
     role: z.ZodString;
     scope_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
     message: z.ZodNullable<z.ZodString>;

package/dist/auth/permit_offer_schema.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"permit_offer_schema.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/permit_offer_schema.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AACtB,OAAO,EAAC,IAAI,EAAC,MAAM,wBAAwB,CAAC;AAI5C,mHAAmH;AACnH,eAAO,MAAM,gCAAgC,yCAAyC,CAAC;AAEvF,mEAAmE;AACnE,eAAO,MAAM,+BAA+B,MAAM,CAAC;AAEnD,yFAAyF;AACzF,eAAO,MAAM,2BAA2B,QAA2B,CAAC;AAEpE,eAAO,MAAM,mBAAmB,6kCA6B9B,CAAC;AAEH;;;;;;;;;;GAUG;AACH,eAAO,MAAM,iCAAiC,8UAWhB,CAAC;AAE/B,+EAA+E;AAC/E,eAAO,MAAM,wBAAwB,0NAMP,CAAC;AAE/B,oDAAoD;AACpD,MAAM,WAAW,WAAW;IAC3B,EAAE,EAAE,IAAI,CAAC;IACT,aAAa,EAAE,IAAI,CAAC;IACpB,aAAa,EAAE,IAAI,CAAC;IACpB,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,IAAI,GAAG,IAAI,CAAC;IACtB,OAAO,EAAE,MAAM,GAAG,IAAI,CAAC;IACvB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IACnB,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,cAAc,EAAE,MAAM,GAAG,IAAI,CAAC;IAC9B,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5B;;;;;OAKG;IACH,aAAa,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7B,mBAAmB,EAAE,IAAI,GAAG,IAAI,CAAC;CACjC;AAED;;;;;;;GAOG;AACH,MAAM,WAAW,eAAgB,SAAQ,WAAW;IACnD,eAAe,EAAE,IAAI,CAAC;CACtB;AAED;;;;;GAKG;AACH,MAAM,WAAW,sBAAsB;IACtC,aAAa,EAAE,IAAI,CAAC;IACpB,aAAa,EAAE,IAAI,CAAC;IACpB,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;IACvB,OAAO,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,UAAU,EAAE,IAAI,CAAC;CACjB;AAED,oDAAoD;AACpD,eAAO,MAAM,eAAe;;;;;;;;;;;;;;;kBA4CyD,CAAC;AACtF,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,eAAe,CAAC,CAAC;AAE9D,6DAA6D;AAC7D,eAAO,MAAM,oBAAoB,GAAI,OAAO,WAAW,KAAG,eAexD,CAAC"}
+{"version":3,"file":"permit_offer_schema.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/permit_offer_schema.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AACtB,OAAO,EAAC,IAAI,EAAC,MAAM,wBAAwB,CAAC;AAI5C,mHAAmH;AACnH,eAAO,MAAM,gCAAgC,yCAAyC,CAAC;AAEvF,mEAAmE;AACnE,eAAO,MAAM,+BAA+B,MAAM,CAAC;AAEnD,yFAAyF;AACzF,eAAO,MAAM,2BAA2B,QAA2B,CAAC;AAEpE,eAAO,MAAM,mBAAmB,8oCA8B9B,CAAC;AAEH;;;;;;;;;;GAUG;AACH,eAAO,MAAM,iCAAiC,8UAWhB,CAAC;AAE/B,+EAA+E;AAC/E,eAAO,MAAM,wBAAwB,0NAMP,CAAC;AAQ/B,oDAAoD;AACpD,MAAM,WAAW,WAAW;IAC3B,EAAE,EAAE,IAAI,CAAC;IACT,aAAa,EAAE,IAAI,CAAC;IACpB,aAAa,EAAE,IAAI,CAAC;IACpB;;;;;;;;;;;OAWG;IACH,WAAW,EAAE,IAAI,GAAG,IAAI,CAAC;IACzB,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,IAAI,GAAG,IAAI,CAAC;IACtB,OAAO,EAAE,MAAM,GAAG,IAAI,CAAC;IACvB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IACnB,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,cAAc,EAAE,MAAM,GAAG,IAAI,CAAC;IAC9B,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5B;;;;;OAKG;IACH,aAAa,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7B,mBAAmB,EAAE,IAAI,GAAG,IAAI,CAAC;CACjC;AAED;;;;;;;GAOG;AACH,MAAM,WAAW,eAAgB,SAAQ,WAAW;IACnD,eAAe,EAAE,IAAI,CAAC;CACtB;AAED;;;;;GAKG;AACH,MAAM,WAAW,sBAAsB;IACtC,aAAa,EAAE,IAAI,CAAC;IACpB,aAAa,EAAE,IAAI,CAAC;IACpB;;;;;;OAMG;IACH,WAAW,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;IAC1B,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;IACvB,OAAO,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,UAAU,EAAE,IAAI,CAAC;CACjB;AAED,oDAAoD;AACpD,eAAO,MAAM,eAAe;;;;;;;;;;;;;;;;kBAgDyD,CAAC;AACtF,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,eAAe,CAAC,CAAC;AAE9D,6DAA6D;AAC7D,eAAO,MAAM,oBAAoB,GAAI,OAAO,WAAW,KAAG,eAgBxD,CAAC"}

package/dist/auth/permit_offer_schema.js

@@ -23,6 +23,7 @@ CREATE TABLE IF NOT EXISTS permit_offer (
   id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
   from_actor_id UUID NOT NULL REFERENCES actor(id) ON DELETE CASCADE,
   to_account_id UUID NOT NULL REFERENCES account(id) ON DELETE CASCADE,
+  to_actor_id UUID NULL REFERENCES actor(id) ON DELETE CASCADE,
   role TEXT NOT NULL,
   scope_id UUID NULL,
   message TEXT NULL,
@@ -85,6 +86,9 @@ export const PermitOfferJson = z
     id: Uuid.meta({ description: 'Offer id.' }),
     from_actor_id: Uuid.meta({ description: 'Actor that issued the offer.' }),
     to_account_id: Uuid.meta({ description: 'Account the offer is directed to.' }),
+    to_actor_id: Uuid.nullable().meta({
+        description: 'Optional actor-grain target on the recipient account. When set, only this actor may accept; when null any actor on `to_account_id` may accept.',
+    }),
     role: RoleName.meta({ description: 'Role being offered.' }),
     scope_id: Uuid.nullable().meta({
         description: 'Scope the offered permit applies to (e.g. a classroom id). `null` for global permits.',
@@ -128,6 +132,7 @@ export const to_permit_offer_json = (offer) => ({
     id: offer.id,
     from_actor_id: offer.from_actor_id,
     to_account_id: offer.to_account_id,
+    to_actor_id: offer.to_actor_id,
     role: offer.role,
     scope_id: offer.scope_id,
     message: offer.message,

package/dist/auth/permit_queries.d.ts

@@ -28,23 +28,32 @@ import { type SupersededOffer } from './permit_offer_schema.js';
  */
 export declare const query_grant_permit: (deps: QueryDeps, input: GrantPermitInput) => Promise<Permit>;
 /**
- * Look up the role of an active permit, constrained to a specific actor.
+ * Look up the role of an active permit (constrained to a specific
+ * actor) plus the actor's `account_id`.
  *
  * Used by admin routes to inspect the permit's role before acting
  * (e.g., enforcing `web_grantable` on revoke). The actor constraint
  * mirrors `query_revoke_permit` so IDOR protection is consistent:
  * a caller can only see permits belonging to the target actor.
  *
+ * The JOIN to `actor` collapses what used to be a second
+ * `query_actor_by_id` round-trip in the revoke handler into one read,
+ * which closes the small TOCTOU window where the actor row could be
+ * deleted between the IDOR check and the actor lookup. The `account_id`
+ * is needed by the audit envelope's `target_account_id` field and the
+ * SSE/WS socket-close fan-out targeting.
+ *
  * Returns `null` if the permit is not found, already revoked, or
  * belongs to a different actor.
  *
  * @param deps - query dependencies
  * @param permit_id - the permit id to look up
  * @param actor_id - the actor that must own the permit
- * @returns `{role}` on a match, or `null`
+ * @returns `{role, account_id}` on a match, or `null`
  */
 export declare const query_permit_find_active_role_for_actor: (deps: QueryDeps, permit_id: string, actor_id: string) => Promise<{
     role: string;
+    account_id: Uuid;
 } | null>;
 /** Result of `query_revoke_permit` — the revoked permit plus any pending offers superseded by the revoke. */
 export interface RevokePermitResult {
@@ -116,14 +125,17 @@ export declare const query_permit_find_account_id_for_role: (deps: QueryDeps, ro
 /** Result of `query_permit_revoke_for_scope` — every permit revoked plus every pending offer superseded by the scope-wide cascade. */
 export interface RevokeForScopeResult {
     /**
-     * One entry per permit revoked by this call. Carries the revokee's
-     * `account_id` so callers can fan out a `permit_revoke` notification per
-     * permit. Empty array means no active permit was bound to the scope.
+     * One entry per permit revoked by this call. Carries both the revokee's
+     * `actor_id` (the permit's grantee — drives `target_actor_id` audit
+     * envelopes) and `account_id` (the actor's account — drives
+     * `target_account_id` for SSE/WS socket-close fan-out). Empty array
+     * means no active permit was bound to the scope.
      */
     revoked: Array<{
         permit_id: Uuid;
         role: string;
         scope_id: Uuid;
+        actor_id: Uuid;
         account_id: Uuid;
     }>;
     /**

package/dist/auth/permit_queries.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"permit_queries.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/permit_queries.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAC,IAAI,EAAC,MAAM,wBAAwB,CAAC;AAEjD,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,qBAAqB,CAAC;AACnD,OAAO,KAAK,EAAC,MAAM,EAAE,gBAAgB,EAAC,MAAM,qBAAqB,CAAC;AAElE,OAAO,EAAmC,KAAK,eAAe,EAAC,MAAM,0BAA0B,CAAC;AAEhG;;;;;;;;;;;;;;;GAeG;AACH,eAAO,MAAM,kBAAkB,GAC9B,MAAM,SAAS,EACf,OAAO,gBAAgB,KACrB,OAAO,CAAC,MAAM,CA4BhB,CAAC;AAEF;;;;;;;;;;;;;;;GAeG;AACH,eAAO,MAAM,uCAAuC,GACnD,MAAM,SAAS,EACf,WAAW,MAAM,EACjB,UAAU,MAAM,KACd,OAAO,CAAC;IAAC,IAAI,EAAE,MAAM,CAAA;CAAC,GAAG,IAAI,CAO/B,CAAC;AAEF,6GAA6G;AAC7G,MAAM,WAAW,kBAAkB;IAClC,EAAE,EAAE,IAAI,CAAC;IACT,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,IAAI,GAAG,IAAI,CAAC;IACtB;;;;;;;;OAQG;IACH,iBAAiB,EAAE,KAAK,CAAC,eAAe,CAAC,CAAC;CAC1C;AAED;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,eAAO,MAAM,mBAAmB,GAC/B,MAAM,SAAS,EACf,WAAW,IAAI,EACf,UAAU,IAAI,EACd,YAAY,IAAI,GAAG,IAAI,EACvB,SAAS,MAAM,GAAG,IAAI,KACpB,OAAO,CAAC,kBAAkB,GAAG,IAAI,CAsCnC,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,kCAAkC,GAC9C,MAAM,SAAS,EACf,UAAU,MAAM,KACd,OAAO,CAAC,KAAK,CAAC,MAAM,CAAC,CASvB,CAAC;AAEF;;;;;;;;;GASG;AACH,eAAO,MAAM,qBAAqB,GACjC,MAAM,SAAS,EACf,UAAU,MAAM,EAChB,MAAM,MAAM,EACZ,WAAW,MAAM,GAAG,IAAI,KACtB,OAAO,CAAC,OAAO,CAajB,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,2BAA2B,GACvC,MAAM,SAAS,EACf,UAAU,MAAM,KACd,OAAO,CAAC,KAAK,CAAC,MAAM,CAAC,CAKvB,CAAC;AAEF;;;;;;;;GAQG;AACH,eAAO,MAAM,qCAAqC,GACjD,MAAM,SAAS,EACf,MAAM,MAAM,KACV,OAAO,CAAC,MAAM,GAAG,IAAI,CAavB,CAAC;AAEF,sIAAsI;AACtI,MAAM,WAAW,oBAAoB;IACpC;;;;OAIG;IACH,OAAO,EAAE,KAAK,CAAC;QAAC,SAAS,EAAE,IAAI,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,IAAI,CAAC;QAAC,UAAU,EAAE,IAAI,CAAA;KAAC,CAAC,CAAC;IAClF;;;;;;;;;;OAUG;IACH,iBAAiB,EAAE,KAAK,CAAC,eAAe,CAAC,CAAC;CAC1C;AAED;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,eAAO,MAAM,6BAA6B,GACzC,MAAM,SAAS,EACf,UAAU,IAAI,EACd,YAAY,IAAI,GAAG,IAAI,EACvB,SAAS,MAAM,GAAG,IAAI,KACpB,OAAO,CAAC,oBAAoB,CA2C9B,CAAC;AAEF,yHAAyH;AACzH,MAAM,WAAW,gBAAgB;IAChC;;;;OAIG;IACH,OAAO,EAAE,KAAK,CAAC;QAAC,SAAS,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;QAAC,UAAU,EAAE,MAAM,CAAA;KAAC,CAAC,CAAC;IAC/F;;;;;OAKG;IACH,iBAAiB,EAAE,KAAK,CAAC,eAAe,CAAC,CAAC;CAC1C;AAED;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,eAAO,MAAM,wBAAwB,GACpC,MAAM,SAAS,EACf,UAAU,MAAM,EAChB,MAAM,MAAM,EACZ,YAAY,MAAM,GAAG,IAAI,EACzB,SAAS,MAAM,GAAG,IAAI,KACpB,OAAO,CAAC,gBAAgB,CA2C1B,CAAC"}
+{"version":3,"file":"permit_queries.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/permit_queries.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAC,IAAI,EAAC,MAAM,wBAAwB,CAAC;AAEjD,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,qBAAqB,CAAC;AACnD,OAAO,KAAK,EAAC,MAAM,EAAE,gBAAgB,EAAC,MAAM,qBAAqB,CAAC;AAElE,OAAO,EAAmC,KAAK,eAAe,EAAC,MAAM,0BAA0B,CAAC;AAEhG;;;;;;;;;;;;;;;GAeG;AACH,eAAO,MAAM,kBAAkB,GAC9B,MAAM,SAAS,EACf,OAAO,gBAAgB,KACrB,OAAO,CAAC,MAAM,CA4BhB,CAAC;AAEF;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,eAAO,MAAM,uCAAuC,GACnD,MAAM,SAAS,EACf,WAAW,MAAM,EACjB,UAAU,MAAM,KACd,OAAO,CAAC;IAAC,IAAI,EAAE,MAAM,CAAC;IAAC,UAAU,EAAE,IAAI,CAAA;CAAC,GAAG,IAAI,CASjD,CAAC;AAEF,6GAA6G;AAC7G,MAAM,WAAW,kBAAkB;IAClC,EAAE,EAAE,IAAI,CAAC;IACT,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,IAAI,GAAG,IAAI,CAAC;IACtB;;;;;;;;OAQG;IACH,iBAAiB,EAAE,KAAK,CAAC,eAAe,CAAC,CAAC;CAC1C;AAED;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,eAAO,MAAM,mBAAmB,GAC/B,MAAM,SAAS,EACf,WAAW,IAAI,EACf,UAAU,IAAI,EACd,YAAY,IAAI,GAAG,IAAI,EACvB,SAAS,MAAM,GAAG,IAAI,KACpB,OAAO,CAAC,kBAAkB,GAAG,IAAI,CAsCnC,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,kCAAkC,GAC9C,MAAM,SAAS,EACf,UAAU,MAAM,KACd,OAAO,CAAC,KAAK,CAAC,MAAM,CAAC,CASvB,CAAC;AAEF;;;;;;;;;GASG;AACH,eAAO,MAAM,qBAAqB,GACjC,MAAM,SAAS,EACf,UAAU,MAAM,EAChB,MAAM,MAAM,EACZ,WAAW,MAAM,GAAG,IAAI,KACtB,OAAO,CAAC,OAAO,CAajB,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,2BAA2B,GACvC,MAAM,SAAS,EACf,UAAU,MAAM,KACd,OAAO,CAAC,KAAK,CAAC,MAAM,CAAC,CAKvB,CAAC;AAEF;;;;;;;;GAQG;AACH,eAAO,MAAM,qCAAqC,GACjD,MAAM,SAAS,EACf,MAAM,MAAM,KACV,OAAO,CAAC,MAAM,GAAG,IAAI,CAavB,CAAC;AAEF,sIAAsI;AACtI,MAAM,WAAW,oBAAoB;IACpC;;;;;;OAMG;IACH,OAAO,EAAE,KAAK,CAAC;QACd,SAAS,EAAE,IAAI,CAAC;QAChB,IAAI,EAAE,MAAM,CAAC;QACb,QAAQ,EAAE,IAAI,CAAC;QACf,QAAQ,EAAE,IAAI,CAAC;QACf,UAAU,EAAE,IAAI,CAAC;KACjB,CAAC,CAAC;IACH;;;;;;;;;;OAUG;IACH,iBAAiB,EAAE,KAAK,CAAC,eAAe,CAAC,CAAC;CAC1C;AAED;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,eAAO,MAAM,6BAA6B,GACzC,MAAM,SAAS,EACf,UAAU,IAAI,EACd,YAAY,IAAI,GAAG,IAAI,EACvB,SAAS,MAAM,GAAG,IAAI,KACpB,OAAO,CAAC,oBAAoB,CA6C9B,CAAC;AAEF,yHAAyH;AACzH,MAAM,WAAW,gBAAgB;IAChC;;;;OAIG;IACH,OAAO,EAAE,KAAK,CAAC;QAAC,SAAS,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;QAAC,UAAU,EAAE,MAAM,CAAA;KAAC,CAAC,CAAC;IAC/F;;;;;OAKG;IACH,iBAAiB,EAAE,KAAK,CAAC,eAAe,CAAC,CAAC;CAC1C;AAED;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,eAAO,MAAM,wBAAwB,GACpC,MAAM,SAAS,EACf,UAAU,MAAM,EAChB,MAAM,MAAM,EACZ,YAAY,MAAM,GAAG,IAAI,EACzB,SAAS,MAAM,GAAG,IAAI,KACpB,OAAO,CAAC,gBAAgB,CA2C1B,CAAC"}