@fuzdev/fuz_app 0.54.0 → 0.55.0
- package/dist/actions/CLAUDE.md +68 -13
- package/dist/actions/action_codegen.d.ts +13 -0
- package/dist/actions/action_codegen.d.ts.map +1 -1
- package/dist/actions/action_codegen.js +15 -1
- package/dist/actions/action_rpc.d.ts +60 -7
- package/dist/actions/action_rpc.d.ts.map +1 -1
- package/dist/actions/action_rpc.js +158 -44
- package/dist/actions/register_action_ws.d.ts +4 -4
- package/dist/actions/register_action_ws.js +6 -6
- package/dist/actions/register_ws_endpoint.d.ts +20 -7
- package/dist/actions/register_ws_endpoint.d.ts.map +1 -1
- package/dist/actions/register_ws_endpoint.js +30 -5
- package/dist/actions/transports.d.ts.map +1 -1
- package/dist/actions/transports.js +0 -4
- package/dist/auth/CLAUDE.md +219 -66
- package/dist/auth/account_actions.d.ts +6 -6
- package/dist/auth/account_actions.d.ts.map +1 -1
- package/dist/auth/account_actions.js +8 -11
- package/dist/auth/account_queries.d.ts +6 -3
- package/dist/auth/account_queries.d.ts.map +1 -1
- package/dist/auth/account_queries.js +14 -5
- package/dist/auth/account_routes.d.ts +7 -10
- package/dist/auth/account_routes.d.ts.map +1 -1
- package/dist/auth/account_routes.js +70 -23
- package/dist/auth/account_schema.d.ts +19 -0
- package/dist/auth/account_schema.d.ts.map +1 -1
- package/dist/auth/account_schema.js +20 -0
- package/dist/auth/admin_action_specs.d.ts +45 -11
- package/dist/auth/admin_action_specs.d.ts.map +1 -1
- package/dist/auth/admin_action_specs.js +23 -8
- package/dist/auth/admin_actions.d.ts +8 -7
- package/dist/auth/admin_actions.d.ts.map +1 -1
- package/dist/auth/admin_actions.js +11 -18
- package/dist/auth/audit_log_queries.d.ts +53 -14
- package/dist/auth/audit_log_queries.d.ts.map +1 -1
- package/dist/auth/audit_log_queries.js +45 -2
- package/dist/auth/audit_log_schema.d.ts +55 -1
- package/dist/auth/audit_log_schema.d.ts.map +1 -1
- package/dist/auth/audit_log_schema.js +19 -3
- package/dist/auth/bearer_auth.d.ts +9 -7
- package/dist/auth/bearer_auth.d.ts.map +1 -1
- package/dist/auth/bearer_auth.js +13 -21
- package/dist/auth/cleanup.d.ts.map +1 -1
- package/dist/auth/cleanup.js +5 -0
- package/dist/auth/daemon_token_middleware.d.ts +23 -11
- package/dist/auth/daemon_token_middleware.d.ts.map +1 -1
- package/dist/auth/daemon_token_middleware.js +26 -20
- package/dist/auth/deps.d.ts +14 -0
- package/dist/auth/deps.d.ts.map +1 -1
- package/dist/auth/middleware.d.ts.map +1 -1
- package/dist/auth/middleware.js +4 -2
- package/dist/auth/migrations.d.ts +15 -7
- package/dist/auth/migrations.d.ts.map +1 -1
- package/dist/auth/migrations.js +15 -7
- package/dist/auth/permit_offer_action_specs.d.ts +45 -6
- package/dist/auth/permit_offer_action_specs.d.ts.map +1 -1
- package/dist/auth/permit_offer_action_specs.js +38 -7
- package/dist/auth/permit_offer_actions.d.ts +2 -2
- package/dist/auth/permit_offer_actions.d.ts.map +1 -1
- package/dist/auth/permit_offer_actions.js +98 -90
- package/dist/auth/permit_offer_notifications.d.ts +10 -0
- package/dist/auth/permit_offer_notifications.d.ts.map +1 -1
- package/dist/auth/permit_offer_queries.d.ts +68 -9
- package/dist/auth/permit_offer_queries.d.ts.map +1 -1
- package/dist/auth/permit_offer_queries.js +147 -35
- package/dist/auth/permit_offer_schema.d.ts +23 -1
- package/dist/auth/permit_offer_schema.d.ts.map +1 -1
- package/dist/auth/permit_offer_schema.js +5 -0
- package/dist/auth/permit_queries.d.ts +17 -5
- package/dist/auth/permit_queries.d.ts.map +1 -1
- package/dist/auth/permit_queries.js +19 -8
- package/dist/auth/request_context.d.ts +321 -38
- package/dist/auth/request_context.d.ts.map +1 -1
- package/dist/auth/request_context.js +393 -66
- package/dist/auth/route_guards.d.ts +10 -4
- package/dist/auth/route_guards.d.ts.map +1 -1
- package/dist/auth/route_guards.js +14 -8
- package/dist/auth/self_service_role_action_specs.d.ts +2 -0
- package/dist/auth/self_service_role_action_specs.d.ts.map +1 -1
- package/dist/auth/self_service_role_action_specs.js +2 -0
- package/dist/auth/self_service_role_actions.d.ts +6 -5
- package/dist/auth/self_service_role_actions.d.ts.map +1 -1
- package/dist/auth/self_service_role_actions.js +18 -8
- package/dist/db/migrate.d.ts +11 -7
- package/dist/db/migrate.d.ts.map +1 -1
- package/dist/db/migrate.js +9 -6
- package/dist/dev/setup.d.ts.map +1 -1
- package/dist/dev/setup.js +5 -3
- package/dist/hono_context.d.ts +77 -0
- package/dist/hono_context.d.ts.map +1 -1
- package/dist/hono_context.js +50 -0
- package/dist/http/CLAUDE.md +80 -17
- package/dist/http/error_schemas.d.ts +92 -1
- package/dist/http/error_schemas.d.ts.map +1 -1
- package/dist/http/error_schemas.js +73 -16
- package/dist/http/jsonrpc_errors.d.ts +27 -2
- package/dist/http/jsonrpc_errors.d.ts.map +1 -1
- package/dist/http/jsonrpc_errors.js +26 -2
- package/dist/http/route_spec.d.ts +62 -4
- package/dist/http/route_spec.d.ts.map +1 -1
- package/dist/http/route_spec.js +117 -21
- package/dist/http/schema_helpers.d.ts +13 -1
- package/dist/http/schema_helpers.d.ts.map +1 -1
- package/dist/http/schema_helpers.js +21 -2
- package/dist/http/surface.d.ts +10 -1
- package/dist/http/surface.d.ts.map +1 -1
- package/dist/http/surface.js +2 -2
- package/dist/server/app_server.d.ts.map +1 -1
- package/dist/server/app_server.js +11 -1
- package/dist/testing/CLAUDE.md +23 -17
- package/dist/testing/admin_integration.d.ts.map +1 -1
- package/dist/testing/admin_integration.js +15 -13
- package/dist/testing/adversarial_headers.js +1 -1
- package/dist/testing/app_server.js +2 -2
- package/dist/testing/audit_completeness.d.ts.map +1 -1
- package/dist/testing/audit_completeness.js +21 -7
- package/dist/testing/auth_apps.d.ts.map +1 -1
- package/dist/testing/auth_apps.js +6 -3
- package/dist/testing/entities.d.ts +2 -1
- package/dist/testing/entities.d.ts.map +1 -1
- package/dist/testing/entities.js +1 -0
- package/dist/testing/integration_helpers.d.ts +4 -2
- package/dist/testing/integration_helpers.d.ts.map +1 -1
- package/dist/testing/integration_helpers.js +9 -5
- package/dist/testing/middleware.d.ts +12 -8
- package/dist/testing/middleware.d.ts.map +1 -1
- package/dist/testing/middleware.js +67 -25
- package/dist/testing/rpc_helpers.d.ts.map +1 -1
- package/dist/testing/rpc_helpers.js +3 -1
- package/dist/testing/ws_round_trip.d.ts.map +1 -1
- package/dist/testing/ws_round_trip.js +5 -1
- package/dist/ui/CLAUDE.md +16 -10
- package/dist/ui/PermitOfferForm.svelte +14 -0
- package/dist/ui/PermitOfferForm.svelte.d.ts +6 -0
- package/dist/ui/PermitOfferForm.svelte.d.ts.map +1 -1
- package/dist/ui/admin_accounts_state.svelte.d.ts +8 -1
- package/dist/ui/admin_accounts_state.svelte.d.ts.map +1 -1
- package/dist/ui/admin_accounts_state.svelte.js +14 -3
- package/dist/ui/permit_offers_state.svelte.d.ts +9 -1
- package/dist/ui/permit_offers_state.svelte.d.ts.map +1 -1
- package/dist/ui/permit_offers_state.svelte.js +7 -1
- package/package.json +1 -1
|
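--- a/package/dist/auth/account_routes.d.ts
+++ b/package/dist/auth/account_routes.d.ts
@@ -32,14 +32,11 @@ export type AccountStatusInput = z.infer<typeof AccountStatusInput>;
 /**
 * Output for `GET /api/account/status` on the authenticated path.
 *
-* `account`
-*
-*
-*
-*
-* `revoked_reason` are never populated here, so `PermitSummaryJson`
-* carries the fields a client actually needs (including `scope_id` for
-* per-scope auth decisions).
+* `account` is always populated for authenticated callers. `actor` and
+* `permits` are populated when the caller's account has a unique actor or
+* the request supplies `?acting=<actor_id>`; on multi-actor accounts
+* without an `acting` query, `actor` is `null` and `permits` is empty so
+* the frontend can show a persona picker without a separate roundtrip.
 */
 export declare const AccountStatusOutput: z.ZodObject<{
 account: z.ZodObject<{
@@ -49,10 +46,10 @@ export declare const AccountStatusOutput: z.ZodObject<{
 email_verified: z.ZodBoolean;
 created_at: z.ZodString;
 }, z.core.$strict>;
-actor: z.ZodObject<{
+actor: z.ZodNullable<z.ZodObject<{
 id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
 name: z.ZodString;
-}, z.core.$strict
+}, z.core.$strict>>;
 permits: z.ZodArray<z.ZodObject<{
 id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
 role: z.ZodString;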
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"account_routes.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/account_routes.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAEtB,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,qBAAqB,CAAC;
|
|
1
|
+
{"version":3,"file":"account_routes.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/account_routes.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAEtB,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,qBAAqB,CAAC;AA6BxD,OAAO,EAAkB,KAAK,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAEtE,OAAO,EAA+B,KAAK,WAAW,EAAC,MAAM,oBAAoB,CAAC;AAElF,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,WAAW,CAAC;AAQhD,kFAAkF;AAClF,eAAO,MAAM,kBAAkB,WAAW,CAAC;AAC3C,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAEpE;;;;;;;;GAQG;AACH,eAAO,MAAM,mBAAmB;;;;;;;;;;;;;;;;;;;;kBAI9B,CAAC;AACH,MAAM,MAAM,mBAAmB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAC;AAEtE,4EAA4E;AAC5E,eAAO,MAAM,iCAAiC;;;iBAG5C,CAAC;AACH,MAAM,MAAM,iCAAiC,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iCAAiC,CAAC,CAAC;AAElG;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,gCAAgC,GAAI,UAAU,oBAAoB,KAAG,SAiFhF,CAAC;AAEH,iDAAiD;AACjD,MAAM,WAAW,oBAAoB;IACpC,yDAAyD;IACzD,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,8FAA8F;IAC9F,gBAAgB,CAAC,EAAE;QAAC,SAAS,EAAE,OAAO,CAAA;KAAC,CAAC;CACxC;AAED,4CAA4C;AAC5C,eAAO,MAAM,oBAAoB,IAAI,CAAC;AAEtC,8CAA8C;AAC9C,eAAO,MAAM,kBAAkB,KAAK,CAAC;AAErC;;;;;;;;;GASG;AACH,eAAO,MAAM,2BAA2B,MAAM,CAAC;AAE/C;;;;;;GAMG;AACH,eAAO,MAAM,4BAA4B,KAAK,CAAC;AAQ/C;;;;;GAKG;AACH,MAAM,WAAW,uBAAuB;IACvC,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,kFAAkF;IAClF,eAAe,EAAE,WAAW,GAAG,IAAI,CAAC;CACpC;AAED;;GAEG;AACH,MAAM,WAAW,mBAAoB,SAAQ,uBAAuB;IACnE,4FAA4F;IAC5F,0BAA0B,EAAE,WAAW,GAAG,IAAI,CAAC;IAC/C,2FAA2F;IAC3F,YAAY,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7B;;;;OAIG;IACH,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B;;;OAGG;IACH,oBAAoB,CAAC,EAAE,MAAM,CAAC;CAC9B;AAID,oFAAoF;AACpF,eAAO,MAAM,UAAU;;;kBAGrB,CAAC;AACH,MAAM,MAAM,UAAU,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,UAAU,CAAC,CAAC;AAEpD,wFAAwF;AACxF,eAAO,MAAM,WAAW;;kBAEtB,CAAC;AACH,MAAM,MAAM,WAAW,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,WAAW,CAAC,CAAC;AAEtD,2EAA2E;AAC3E,eAAO,MAAM,WAAW,WAAW,CAAC;AACpC,MAAM,MAAM,WAAW,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,WAAW,CAAC,CAAC;AAEtD,wFAAwF;AACxF,eAAO,MAAM,YAAY;;;kBAGvB,CAAC;AACH,MAAM,MAAM,YAAY,GAAG,CAAC,
CAAC,KAAK,CAAC,OAAO,YAAY,CAAC,CAAC;AAExD,sHAAsH;AACtH,eAAO,MAAM,mBAAmB;;;kBAG9B,CAAC;AACH,MAAM,MAAM,mBAAmB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAC;AAEtE,uGAAuG;AACvG,eAAO,MAAM,oBAAoB;;;;kBAI/B,CAAC;AACH,MAAM,MAAM,oBAAoB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAC;AAExE;;;;;;;;;;GAUG;AACH,eAAO,MAAM,0BAA0B,GACtC,MAAM,gBAAgB,EACtB,SAAS,mBAAmB,KAC1B,KAAK,CAAC,SAAS,CAsPjB,CAAC"}
|
|
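--- a/package/dist/auth/account_routes.js
+++ b/package/dist/auth/account_routes.js
@@ -29,7 +29,8 @@ import { hash_session_token, query_session_revoke_all_for_account, query_session
 import { query_account_by_username_or_email, query_update_account_password, } from './account_queries.js';
 import { query_revoke_all_api_tokens_for_account } from './api_token_queries.js';
 import { audit_log_fire_and_forget } from './audit_log_queries.js';
-import { get_request_context, require_request_context } from './request_context.js';
+import { build_account_context, build_request_context, get_request_context, require_request_context, resolve_acting_actor, } from './request_context.js';
+import { ACCOUNT_ID_KEY } from '../hono_context.js';
 import { get_route_input } from '../http/route_spec.js';
 import { get_client_ip } from '../http/proxy.js';
 import { rate_limit_exceeded_response } from '../rate_limiter.js';
@@ -40,18 +41,15 @@ export const AccountStatusInput = z.null();
 /**
 * Output for `GET /api/account/status` on the authenticated path.
 *
-* `account`
-*
-*
-*
-*
-* `revoked_reason` are never populated here, so `PermitSummaryJson`
-* carries the fields a client actually needs (including `scope_id` for
-* per-scope auth decisions).
+* `account` is always populated for authenticated callers. `actor` and
+* `permits` are populated when the caller's account has a unique actor or
+* the request supplies `?acting=<actor_id>`; on multi-actor accounts
+* without an `acting` query, `actor` is `null` and `permits` is empty so
+* the frontend can show a persona picker without a separate roundtrip.
 */
 export const AccountStatusOutput = z.strictObject({
 account: SessionAccountJson,
-actor: ActorSummaryJson,
+actor: ActorSummaryJson.nullable(),
 permits: z.array(PermitSummaryJson),
 });
 /** Error body for `GET /api/account/status` on the unauthenticated path. */
@@ -82,10 +80,21 @@ export const create_account_status_route_spec = (options) => ({
 errors: {
 401: AccountStatusUnauthenticatedError,
 },
-handler: (c) => {
-const
-if (
-
+handler: async (c, route) => {
+const account_id = c.get(ACCOUNT_ID_KEY) ?? null;
+if (!account_id) {
+return c.json({
+error: ERROR_AUTHENTICATION_REQUIRED,
+...(options?.bootstrap_status?.available ? { bootstrap_available: true } : {}),
+}, 401);
+}
+// Honor a pre-populated request context. The dispatcher's authorization
+// phase doesn't run for `auth: 'none'` routes, but a caller (test
+// harness, or future middleware) may still populate the context — use
+// it directly to avoid redundant lookups.
+const existing = get_request_context(c);
+if (existing && existing.account.id === account_id) {
+const permits = existing.permits.map((p) => ({
 id: p.id,
 role: p.role,
 scope_id: p.scope_id,
@@ -94,15 +103,47 @@ export const create_account_status_route_spec = (options) => ({
 granted_by: p.granted_by,
 }));
 return c.json({
-account: to_session_account(
-actor: { id:
+account: to_session_account(existing.account),
+actor: existing.actor ? { id: existing.actor.id, name: existing.actor.name } : null,
 permits,
 });
 }
+// Resolve actor + permits when the caller is unambiguous (single-actor
+// account, or supplied `?acting=<uuid>`). On multi-actor accounts
+// without `acting`, fall back to account-only so the frontend can
+// surface a persona picker.
+const acting = c.req.query('acting') ?? undefined;
+const acting_result = await resolve_acting_actor(route, account_id, acting);
+if (acting_result.ok) {
+const ctx = await build_request_context(route, account_id, acting_result.actor_id);
+if (ctx) {
+const permits = ctx.permits.map((p) => ({
+id: p.id,
+role: p.role,
+scope_id: p.scope_id,
+created_at: p.created_at,
+expires_at: p.expires_at,
+granted_by: p.granted_by,
+}));
+return c.json({
+account: to_session_account(ctx.account),
+actor: { id: ctx.actor.id, name: ctx.actor.name },
+permits,
+});
+}
+}
+const account_ctx = await build_account_context(route, account_id);
+if (!account_ctx) {
+return c.json({
+error: ERROR_AUTHENTICATION_REQUIRED,
+...(options?.bootstrap_status?.available ? { bootstrap_available: true } : {}),
+}, 401);
+}
 return c.json({
-
-
-
+account: to_session_account(account_ctx.account),
+actor: null,
+permits: [],
+});
 },
 });
 /** Default maximum sessions per account. */
@@ -299,9 +340,11 @@ export const create_account_route_specs = (deps, options) => {
 await query_session_revoke_by_hash_unscoped(route, token_hash);
 }
 clear_session_cookie(c, session_options);
+// Account-grain operation — no `actor_id` (which actor was
+// resolved per-request is incidental to "this account ended
+// its session"). Mirrors `login`.
 void audit_log_fire_and_forget(route, {
 event_type: 'logout',
-actor_id: ctx.actor.id,
 account_id: ctx.account.id,
 ip: get_client_ip(c),
 }, deps);
@@ -348,7 +391,6 @@ export const create_account_route_specs = (deps, options) => {
 void audit_log_fire_and_forget(route, {
 event_type: 'password_change',
 outcome: 'failure',
-actor_id: ctx.actor.id,
 account_id: ctx.account.id,
 ip: get_client_ip(c),
 }, deps);
@@ -360,14 +402,19 @@ export const create_account_route_specs = (deps, options) => {
 if (login_account_rate_limiter)
 login_account_rate_limiter.reset(ctx.account.id);
 const new_hash = await password.hash_password(new_password);
-
+// Account-grain operation — `updated_by` stays null (the per-request
+// actor is incidental; password is account-level state).
+await query_update_account_password(route, ctx.account.id, new_hash, null);
 // revoke all sessions and API tokens (force re-auth everywhere)
 const sessions_revoked = await query_session_revoke_all_for_account(route, ctx.account.id);
 const tokens_revoked = await query_revoke_all_api_tokens_for_account(route, ctx.account.id);
 clear_session_cookie(c, session_options);
+// Account-grain operation — no `actor_id`. The password is
+// account-level state; which per-request actor was resolved
+// has no semantic bearing on "this account changed its
+// password". Mirrors `login`/`logout`.
 void audit_log_fire_and_forget(route, {
 event_type: 'password_change',
-actor_id: ctx.actor.id,
 account_id: ctx.account.id,
 ip: get_client_ip(c),
 metadata: { sessions_revoked, tokens_revoked },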
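Review bot: The new status handler (hunk `@@ -94,15 +103,47 @@`) hands `c.req.query('acting')` to `resolve_acting_actor` unvalidated and treats every non-ok result the same way, by falling through to the account-only 200 response. Nothing visible in this section checks the value against the `ActingActor` UUID schema (the route input is `z.null()`), and whether `resolve_acting_actor` rejects malformed strings before they reach a query is not shown. A caller that supplies a foreign or malformed `acting` therefore gets `actor: null, permits: []`, which a client cannot tell apart from "no persona chosen yet" and which hides the `actor_not_on_account` case. Consider parsing first, `const acting_parsed = ActingActor.safeParse(c.req.query('acting'));`, returning a 4xx when `!acting_parsed.success` or when resolution fails for a supplied value, and keeping the account-only fallback for the omitted case only. The `existing` fast path in the preceding hunk also ignores `?acting=`; a one-line comment stating that this is intended would help.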
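--- a/package/dist/auth/account_schema.d.ts
+++ b/package/dist/auth/account_schema.d.ts
@@ -26,6 +26,25 @@ export type UsernameProvided = z.infer<typeof UsernameProvided>;
 /** Email validation. */
 export declare const Email: z.ZodEmail;
 export type Email = z.infer<typeof Email>;
+/**
+* `acting` field shared by every action input that needs the caller's
+* acting actor. Declaring `acting: ActingActor` on an action's input
+* is the signal to the RPC dispatcher / route-spec wrapper to resolve
+* an actor against the authenticated account: the authorization phase
+* runs `resolve_acting_actor`, builds the actor-bound `RequestContext`,
+* and loads permits before auth guards fire.
+*
+* Resolution rules: omitted + 1 actor → use it; omitted + multiple
+* actors → `actor_required` with the available list; supplied + on
+* the account → use it; supplied + foreign actor → `actor_not_on_account`.
+*
+* Account-grain routes — input doesn't declare `acting` and auth
+* doesn't require permits (`role` / `keeper`) — skip resolution
+* entirely; their `RequestContext.actor` is `null` and the audit
+* envelope's `actor_id` stays null.
+*/
+export declare const ActingActor: z.ZodOptional<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+export type ActingActor = z.infer<typeof ActingActor>;
 /** Account — authentication identity. You log in as an account. */
 export interface Account {
 id: Uuid;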
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"account_schema.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/account_schema.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AACtB,OAAO,EAAC,IAAI,EAAC,MAAM,wBAAwB,CAAC;AAI5C,2EAA2E;AAC3E,eAAO,MAAM,mBAAmB,IAAI,CAAC;AAErC,wDAAwD;AACxD,eAAO,MAAM,mBAAmB,KAAK,CAAC;AAEtC,gKAAgK;AAChK,eAAO,MAAM,4BAA4B,MAAM,CAAC;AAEhD,0IAA0I;AAC1I,eAAO,MAAM,QAAQ,aAIyB,CAAC;AAC/C,MAAM,MAAM,QAAQ,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,QAAQ,CAAC,CAAC;AAEhD,oHAAoH;AACpH,eAAO,MAAM,gBAAgB,aAAsD,CAAC;AACpF,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC;AAEhE,wBAAwB;AACxB,eAAO,MAAM,KAAK,YAAY,CAAC;AAC/B,MAAM,MAAM,KAAK,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,KAAK,CAAC,CAAC;
|
|
1
|
+
{"version":3,"file":"account_schema.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/account_schema.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AACtB,OAAO,EAAC,IAAI,EAAC,MAAM,wBAAwB,CAAC;AAI5C,2EAA2E;AAC3E,eAAO,MAAM,mBAAmB,IAAI,CAAC;AAErC,wDAAwD;AACxD,eAAO,MAAM,mBAAmB,KAAK,CAAC;AAEtC,gKAAgK;AAChK,eAAO,MAAM,4BAA4B,MAAM,CAAC;AAEhD,0IAA0I;AAC1I,eAAO,MAAM,QAAQ,aAIyB,CAAC;AAC/C,MAAM,MAAM,QAAQ,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,QAAQ,CAAC,CAAC;AAEhD,oHAAoH;AACpH,eAAO,MAAM,gBAAgB,aAAsD,CAAC;AACpF,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC;AAEhE,wBAAwB;AACxB,eAAO,MAAM,KAAK,YAAY,CAAC;AAC/B,MAAM,MAAM,KAAK,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,KAAK,CAAC,CAAC;AAE1C;;;;;;;;;;;;;;;;GAgBG;AACH,eAAO,MAAM,WAAW,6DAGtB,CAAC;AACH,MAAM,MAAM,WAAW,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,WAAW,CAAC,CAAC;AAItD,mEAAmE;AACnE,MAAM,WAAW,OAAO;IACvB,EAAE,EAAE,IAAI,CAAC;IACT,QAAQ,EAAE,QAAQ,CAAC;IACnB,KAAK,EAAE,KAAK,GAAG,IAAI,CAAC;IACpB,cAAc,EAAE,OAAO,CAAC;IACxB,aAAa,EAAE,MAAM,CAAC;IACtB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,IAAI,GAAG,IAAI,CAAC;IACxB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,IAAI,GAAG,IAAI,CAAC;CACxB;AAED,wFAAwF;AACxF,MAAM,WAAW,cAAc;IAC9B,EAAE,EAAE,IAAI,CAAC;IACT,QAAQ,EAAE,QAAQ,CAAC;IACnB,KAAK,EAAE,KAAK,GAAG,IAAI,CAAC;IACpB,cAAc,EAAE,OAAO,CAAC;IACxB,UAAU,EAAE,MAAM,CAAC;CACnB;AAED,wFAAwF;AACxF,MAAM,WAAW,KAAK;IACrB,EAAE,EAAE,IAAI,CAAC;IACT,UAAU,EAAE,IAAI,CAAC;IACjB,IAAI,EAAE,MAAM,CAAC;IACb,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,UAAU,EAAE,IAAI,GAAG,IAAI,CAAC;CACxB;AAED;;;;;GAKG;AACH,eAAO,MAAM,gCAAgC,MAAM,CAAC;AAEpD,oEAAoE;AACpE,MAAM,WAAW,MAAM;IACtB,EAAE,EAAE,IAAI,CAAC;IACT,QAAQ,EAAE,IAAI,CAAC;IACf,IAAI,EAAE,MAAM,CAAC;IACb,6FAA6F;IAC7F,QAAQ,EAAE,IAAI,GAAG,IAAI,CAAC;IACtB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,UAAU,EAAE,IAAI,GAAG,IAAI,CAAC;IACxB,4GAA4G;IAC5G,cAAc,EAAE,MAAM,GAAG,IAAI,CAAC;IAC9B,UAAU,EAAE,IAAI,GAAG,IAAI,CAAC;IACxB,+FAA+F;IAC/F,eAAe,EAAE,IAAI,GAAG
,IAAI,CAAC;CAC7B;AAED,eAAO,MAAM,gBAAgB,GAC5B,GAAG;IAAC,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAAC,UAAU,EAAE,MAAM,GAAG,IAAI,CAAA;CAAC,EAC1D,MAAK,IAAiB,KACpB,OAA2E,CAAC;AAE/E,uEAAuE;AACvE,MAAM,WAAW,WAAW;IAC3B,EAAE,EAAE,MAAM,CAAC;IACX,UAAU,EAAE,IAAI,CAAC;IACjB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IACnB,YAAY,EAAE,MAAM,CAAC;CACrB;AAED,6CAA6C;AAC7C,MAAM,WAAW,QAAQ;IACxB,EAAE,EAAE,MAAM,CAAC;IACX,UAAU,EAAE,IAAI,CAAC;IACjB,IAAI,EAAE,MAAM,CAAC;IACb,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5B,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5B,UAAU,EAAE,MAAM,CAAC;CACnB;AAID,0EAA0E;AAC1E,eAAO,MAAM,kBAAkB;;;;;;kBAM7B,CAAC;AACH,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAEpE,6EAA6E;AAC7E,eAAO,MAAM,eAAe;;;;;;kBAM1B,CAAC;AACH,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,eAAe,CAAC,CAAC;AAE9D,4EAA4E;AAC5E,eAAO,MAAM,kBAAkB;;;;;;;;kBAQ7B,CAAC;AACH,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAEpE,4EAA4E;AAC5E,eAAO,MAAM,iBAAiB;;;;;;;kBAO5B,CAAC;AACH,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAC;AAElE,2EAA2E;AAC3E,eAAO,MAAM,gBAAgB;;;kBAG3B,CAAC;AACH,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC;AAEhE,iGAAiG;AACjG,eAAO,MAAM,gBAAgB;;;;;;;;kBAG3B,CAAC;AACH,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC;AAEhE;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,uBAAuB;;;;;;;;kBAQlC,CAAC;AACH,MAAM,MAAM,uBAAuB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,uBAAuB,CAAC,CAAC;AAE9E,kGAAkG;AAClG,eAAO,MAAM,qBAAqB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;kBAKhC,CAAC;AACH,MAAM,MAAM,qBAAqB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,qBAAqB,CAAC,CAAC;AAI1E,MAAM,WAAW,kBAAkB;IAClC,QAAQ,EAAE,QAAQ,CAAC;IACnB,aAAa,EAAE,MAAM,CAAC;IACtB,KAAK,CAAC,EAAE,KAAK,GAAG,IAAI,CAAC;CACrB;AAED,MAAM,WAAW,gBAAgB;IAChC,QAAQ,EAAE,IAAI,CAAC;IACf,IAAI,EAAE,MAAM,CAAC;IACb,2EAA2E;IAC3E,QAAQ,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;IACvB,UAAU,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;IACzB,UAAU,EAAE,IAAI,GAAG,IAAI,CAAC;IACxB,sGAAsG;IACtG,eAAe,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;CAC9B;A
AED;;;;;GAKG;AACH,eAAO,MAAM,kBAAkB,GAAI,SAAS,OAAO,KAAG,cAMpD,CAAC;AAEH;;;;;GAKG;AACH,eAAO,MAAM,gBAAgB,GAAI,SAAS,OAAO,KAAG,gBAIlD,CAAC"}
|
|
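--- a/package/dist/auth/account_schema.js
+++ b/package/dist/auth/account_schema.js
@@ -28,6 +28,26 @@ export const Username = z
 export const UsernameProvided = z.string().min(1).max(USERNAME_PROVIDED_LENGTH_MAX);
 /** Email validation. */
 export const Email = z.email();
+/**
+* `acting` field shared by every action input that needs the caller's
+* acting actor. Declaring `acting: ActingActor` on an action's input
+* is the signal to the RPC dispatcher / route-spec wrapper to resolve
+* an actor against the authenticated account: the authorization phase
+* runs `resolve_acting_actor`, builds the actor-bound `RequestContext`,
+* and loads permits before auth guards fire.
+*
+* Resolution rules: omitted + 1 actor → use it; omitted + multiple
+* actors → `actor_required` with the available list; supplied + on
+* the account → use it; supplied + foreign actor → `actor_not_on_account`.
+*
+* Account-grain routes — input doesn't declare `acting` and auth
+* doesn't require permits (`role` / `keeper`) — skip resolution
+* entirely; their `RequestContext.actor` is `null` and the audit
+* envelope's `actor_id` stays null.
+*/
+export const ActingActor = Uuid.optional().meta({
+description: 'Actor on the authenticated account that this request acts as. Omit on single-actor accounts; required on multi-actor.',
+});
 /**
 * Maximum length of the optional free-form `revoked_reason` attached to a
 * revoked permit. Bounds the value at the schema layer so both the admin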
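Review bot: The doc comment on `ActingActor` does not say that `null` is rejected: `Uuid.optional()` accepts only an omitted field or a UUID, whereas other optional inputs in this release (for example `limit`, `offset` and `since_seq` in `AuditLogListInput`) are declared both optional and nullable. If a client serialises an unset persona as `acting: null`, the strict input objects would presumably fail validation before actor resolution runs; the client encoding is not visible here, so this is worth confirming. Suggest adding a line such as `* Must be omitted, never null, when no actor is selected.` to the comment, or using `Uuid.nullish()` if null is meant to be tolerated.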
@@ -19,8 +19,10 @@ import { z } from 'zod';
|
|
|
19
19
|
import type { RequestResponseActionSpec } from '../actions/action_spec.js';
|
|
20
20
|
/** Max audit-log page size. Mirrors the former REST route's clamp. */
|
|
21
21
|
export declare const AUDIT_LOG_LIST_LIMIT_MAX = 200;
|
|
22
|
-
/** Input for `admin_account_list`.
|
|
23
|
-
export declare const AdminAccountListInput: z.
|
|
22
|
+
/** Input for `admin_account_list`. */
|
|
23
|
+
export declare const AdminAccountListInput: z.ZodObject<{
|
|
24
|
+
acting: z.ZodOptional<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
|
|
25
|
+
}, z.core.$strict>;
|
|
24
26
|
export type AdminAccountListInput = z.infer<typeof AdminAccountListInput>;
|
|
25
27
|
/** Output for `admin_account_list`. */
|
|
26
28
|
export declare const AdminAccountListOutput: z.ZodObject<{
|
|
@@ -59,8 +61,10 @@ export declare const AdminAccountListOutput: z.ZodObject<{
|
|
|
59
61
|
grantable_roles: z.ZodArray<z.ZodString>;
|
|
60
62
|
}, z.core.$strict>;
|
|
61
63
|
export type AdminAccountListOutput = z.infer<typeof AdminAccountListOutput>;
|
|
62
|
-
/** Input for `admin_session_list`.
|
|
63
|
-
export declare const AdminSessionListInput: z.
|
|
64
|
+
/** Input for `admin_session_list`. */
|
|
65
|
+
export declare const AdminSessionListInput: z.ZodObject<{
|
|
66
|
+
acting: z.ZodOptional<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
|
|
67
|
+
}, z.core.$strict>;
|
|
64
68
|
export type AdminSessionListInput = z.infer<typeof AdminSessionListInput>;
|
|
65
69
|
/** Output for `admin_session_list`. Cross-account listing; fan-out already scoped by role auth. */
|
|
66
70
|
export declare const AdminSessionListOutput: z.ZodObject<{
|
|
@@ -77,6 +81,7 @@ export type AdminSessionListOutput = z.infer<typeof AdminSessionListOutput>;
|
|
|
77
81
|
/** Input for `admin_session_revoke_all`. */
|
|
78
82
|
export declare const AdminSessionRevokeAllInput: z.ZodObject<{
|
|
79
83
|
account_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
|
|
84
|
+
acting: z.ZodOptional<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
|
|
80
85
|
}, z.core.$strict>;
|
|
81
86
|
export type AdminSessionRevokeAllInput = z.infer<typeof AdminSessionRevokeAllInput>;
|
|
82
87
|
/** Output for `admin_session_revoke_all`. */
|
|
@@ -88,6 +93,7 @@ export type AdminSessionRevokeAllOutput = z.infer<typeof AdminSessionRevokeAllOu
|
|
|
88
93
|
/** Input for `admin_token_revoke_all`. */
|
|
89
94
|
export declare const AdminTokenRevokeAllInput: z.ZodObject<{
|
|
90
95
|
account_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
|
|
96
|
+
acting: z.ZodOptional<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
|
|
91
97
|
}, z.core.$strict>;
|
|
92
98
|
export type AdminTokenRevokeAllInput = z.infer<typeof AdminTokenRevokeAllInput>;
|
|
93
99
|
/** Output for `admin_token_revoke_all`. */
|
|
@@ -112,6 +118,7 @@ export declare const AuditLogListInput: z.ZodObject<{
|
|
|
112
118
|
limit: z.ZodOptional<z.ZodNullable<z.ZodNumber>>;
|
|
113
119
|
offset: z.ZodOptional<z.ZodNullable<z.ZodNumber>>;
|
|
114
120
|
since_seq: z.ZodOptional<z.ZodNullable<z.ZodNumber>>;
|
|
121
|
+
acting: z.ZodOptional<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
|
|
115
122
|
}, z.core.$strict>;
|
|
116
123
|
export type AuditLogListInput = z.infer<typeof AuditLogListInput>;
|
|
117
124
|
/** Output for `audit_log_list`. */
|
|
@@ -127,6 +134,7 @@ export declare const AuditLogListOutput: z.ZodObject<{
|
|
|
127
134
|
actor_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
|
|
128
135
|
account_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
|
|
129
136
|
target_account_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
|
|
137
|
+
target_actor_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
|
|
130
138
|
ip: z.ZodNullable<z.ZodString>;
|
|
131
139
|
created_at: z.ZodString;
|
|
132
140
|
metadata: z.ZodNullable<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
|
|
@@ -139,6 +147,7 @@ export type AuditLogListOutput = z.infer<typeof AuditLogListOutput>;
|
|
|
139
147
|
export declare const AuditLogPermitHistoryInput: z.ZodObject<{
|
|
140
148
|
limit: z.ZodOptional<z.ZodNullable<z.ZodNumber>>;
|
|
141
149
|
offset: z.ZodOptional<z.ZodNullable<z.ZodNumber>>;
|
|
150
|
+
acting: z.ZodOptional<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
|
|
142
151
|
}, z.core.$strict>;
|
|
143
152
|
export type AuditLogPermitHistoryInput = z.infer<typeof AuditLogPermitHistoryInput>;
|
|
144
153
|
/** Output for `audit_log_permit_history`. */
|
|
@@ -154,6 +163,7 @@ export declare const AuditLogPermitHistoryOutput: z.ZodObject<{
|
|
|
154
163
|
actor_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
|
|
155
164
|
account_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
|
|
156
165
|
target_account_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
|
|
166
|
+
target_actor_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
|
|
157
167
|
ip: z.ZodNullable<z.ZodString>;
|
|
158
168
|
created_at: z.ZodString;
|
|
159
169
|
metadata: z.ZodNullable<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
|
|
@@ -166,6 +176,7 @@ export type AuditLogPermitHistoryOutput = z.infer<typeof AuditLogPermitHistoryOu
|
|
|
166
176
|
export declare const InviteCreateInput: z.ZodObject<{
|
|
167
177
|
email: z.ZodOptional<z.ZodNullable<z.ZodEmail>>;
|
|
168
178
|
username: z.ZodOptional<z.ZodNullable<z.ZodString>>;
|
|
179
|
+
acting: z.ZodOptional<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
|
|
169
180
|
}, z.core.$strict>;
|
|
170
181
|
export type InviteCreateInput = z.infer<typeof InviteCreateInput>;
|
|
171
182
|
/** Output for `invite_create`. */
|
|
@@ -183,7 +194,9 @@ export declare const InviteCreateOutput: z.ZodObject<{
|
|
|
183
194
|
}, z.core.$strict>;
|
|
184
195
|
export type InviteCreateOutput = z.infer<typeof InviteCreateOutput>;
|
|
185
196
|
/** Input for `invite_list`. */
|
|
186
|
-
export declare const InviteListInput: z.
|
|
197
|
+
export declare const InviteListInput: z.ZodObject<{
|
|
198
|
+
acting: z.ZodOptional<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
|
|
199
|
+
}, z.core.$strict>;
|
|
187
200
|
export type InviteListInput = z.infer<typeof InviteListInput>;
|
|
188
201
|
/** Output for `invite_list`. Uses the enriched row including creator/claimer usernames. */
|
|
189
202
|
export declare const InviteListOutput: z.ZodObject<{
|
|
@@ -203,6 +216,7 @@ export type InviteListOutput = z.infer<typeof InviteListOutput>;
|
|
|
203
216
|
/** Input for `invite_delete`. */
|
|
204
217
|
export declare const InviteDeleteInput: z.ZodObject<{
|
|
205
218
|
invite_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
|
|
219
|
+
acting: z.ZodOptional<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
|
|
206
220
|
}, z.core.$strict>;
|
|
207
221
|
export type InviteDeleteInput = z.infer<typeof InviteDeleteInput>;
|
|
208
222
|
/** Output for `invite_delete`. */
|
|
@@ -210,8 +224,10 @@ export declare const InviteDeleteOutput: z.ZodObject<{
|
|
|
210
224
|
ok: z.ZodLiteral<true>;
|
|
211
225
|
}, z.core.$strict>;
|
|
212
226
|
export type InviteDeleteOutput = z.infer<typeof InviteDeleteOutput>;
|
|
213
|
-
/** Input for `app_settings_get`.
|
|
214
|
-
export declare const AppSettingsGetInput: z.
|
|
227
|
+
/** Input for `app_settings_get`. */
|
|
228
|
+
export declare const AppSettingsGetInput: z.ZodObject<{
|
|
229
|
+
acting: z.ZodOptional<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
|
|
230
|
+
}, z.core.$strict>;
|
|
215
231
|
export type AppSettingsGetInput = z.infer<typeof AppSettingsGetInput>;
|
|
216
232
|
/** Output for `app_settings_get`. */
|
|
217
233
|
export declare const AppSettingsGetOutput: z.ZodObject<{
|
|
@@ -226,6 +242,7 @@ export type AppSettingsGetOutput = z.infer<typeof AppSettingsGetOutput>;
|
|
|
226
242
|
/** Input for `app_settings_update`. */
|
|
227
243
|
export declare const AppSettingsUpdateInput: z.ZodObject<{
|
|
228
244
|
open_signup: z.ZodBoolean;
|
|
245
|
+
acting: z.ZodOptional<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
|
|
229
246
|
}, z.core.$strict>;
|
|
230
247
|
export type AppSettingsUpdateInput = z.infer<typeof AppSettingsUpdateInput>;
|
|
231
248
|
/** Output for `app_settings_update`. */
|
|
@@ -247,7 +264,9 @@ export declare const admin_account_list_action_spec: {
|
|
|
247
264
|
role: string;
|
|
248
265
|
};
|
|
249
266
|
side_effects: false;
|
|
250
|
-
input: z.
|
|
267
|
+
input: z.ZodObject<{
|
|
268
|
+
acting: z.ZodOptional<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
|
|
269
|
+
}, z.core.$strict>;
|
|
251
270
|
output: z.ZodObject<{
|
|
252
271
|
accounts: z.ZodArray<z.ZodObject<{
|
|
253
272
|
account: z.ZodObject<{
|
|
@@ -294,7 +313,9 @@ export declare const admin_session_list_action_spec: {
|
|
|
294
313
|
role: string;
|
|
295
314
|
};
|
|
296
315
|
side_effects: false;
|
|
297
|
-
input: z.
|
|
316
|
+
input: z.ZodObject<{
|
|
317
|
+
acting: z.ZodOptional<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
|
|
318
|
+
}, z.core.$strict>;
|
|
298
319
|
output: z.ZodObject<{
|
|
299
320
|
sessions: z.ZodArray<z.ZodObject<{
|
|
300
321
|
id: z.ZodString;
|
|
@@ -318,6 +339,7 @@ export declare const admin_session_revoke_all_action_spec: {
|
|
|
318
339
|
side_effects: true;
|
|
319
340
|
input: z.ZodObject<{
|
|
320
341
|
account_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
|
|
342
|
+
acting: z.ZodOptional<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
|
|
321
343
|
}, z.core.$strict>;
|
|
322
344
|
output: z.ZodObject<{
|
|
323
345
|
ok: z.ZodLiteral<true>;
|
|
@@ -337,6 +359,7 @@ export declare const admin_token_revoke_all_action_spec: {
|
|
|
337
359
|
side_effects: true;
|
|
338
360
|
input: z.ZodObject<{
|
|
339
361
|
account_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
|
|
362
|
+
acting: z.ZodOptional<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
|
|
340
363
|
}, z.core.$strict>;
|
|
341
364
|
output: z.ZodObject<{
|
|
342
365
|
ok: z.ZodLiteral<true>;
|
|
@@ -364,6 +387,7 @@ export declare const audit_log_list_action_spec: {
|
|
|
364
387
|
limit: z.ZodOptional<z.ZodNullable<z.ZodNumber>>;
|
|
365
388
|
offset: z.ZodOptional<z.ZodNullable<z.ZodNumber>>;
|
|
366
389
|
since_seq: z.ZodOptional<z.ZodNullable<z.ZodNumber>>;
|
|
390
|
+
acting: z.ZodOptional<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
|
|
367
391
|
}, z.core.$strict>;
|
|
368
392
|
output: z.ZodObject<{
|
|
369
393
|
events: z.ZodArray<z.ZodObject<{
|
|
@@ -377,6 +401,7 @@ export declare const audit_log_list_action_spec: {
|
|
|
377
401
|
actor_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
|
|
378
402
|
account_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
|
|
379
403
|
target_account_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
|
|
404
|
+
target_actor_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
|
|
380
405
|
ip: z.ZodNullable<z.ZodString>;
|
|
381
406
|
created_at: z.ZodString;
|
|
382
407
|
metadata: z.ZodNullable<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
|
|
@@ -398,6 +423,7 @@ export declare const audit_log_permit_history_action_spec: {
|
|
|
398
423
|
input: z.ZodObject<{
|
|
399
424
|
limit: z.ZodOptional<z.ZodNullable<z.ZodNumber>>;
|
|
400
425
|
offset: z.ZodOptional<z.ZodNullable<z.ZodNumber>>;
|
|
426
|
+
acting: z.ZodOptional<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
|
|
401
427
|
}, z.core.$strict>;
|
|
402
428
|
output: z.ZodObject<{
|
|
403
429
|
events: z.ZodArray<z.ZodObject<{
|
|
@@ -411,6 +437,7 @@ export declare const audit_log_permit_history_action_spec: {
|
|
|
411
437
|
actor_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
|
|
412
438
|
account_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
|
|
413
439
|
target_account_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
|
|
440
|
+
target_actor_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
|
|
414
441
|
ip: z.ZodNullable<z.ZodString>;
|
|
415
442
|
created_at: z.ZodString;
|
|
416
443
|
metadata: z.ZodNullable<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
|
|
@@ -432,6 +459,7 @@ export declare const invite_create_action_spec: {
|
|
|
432
459
|
input: z.ZodObject<{
|
|
433
460
|
email: z.ZodOptional<z.ZodNullable<z.ZodEmail>>;
|
|
434
461
|
username: z.ZodOptional<z.ZodNullable<z.ZodString>>;
|
|
462
|
+
acting: z.ZodOptional<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
|
|
435
463
|
}, z.core.$strict>;
|
|
436
464
|
output: z.ZodObject<{
|
|
437
465
|
ok: z.ZodLiteral<true>;
|
|
@@ -457,7 +485,9 @@ export declare const invite_list_action_spec: {
|
|
|
457
485
|
role: string;
|
|
458
486
|
};
|
|
459
487
|
side_effects: false;
|
|
460
|
-
input: z.
|
|
488
|
+
input: z.ZodObject<{
|
|
489
|
+
acting: z.ZodOptional<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
|
|
490
|
+
}, z.core.$strict>;
|
|
461
491
|
output: z.ZodObject<{
|
|
462
492
|
invites: z.ZodArray<z.ZodObject<{
|
|
463
493
|
id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
|
|
@@ -484,6 +514,7 @@ export declare const invite_delete_action_spec: {
|
|
|
484
514
|
side_effects: true;
|
|
485
515
|
input: z.ZodObject<{
|
|
486
516
|
invite_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
|
|
517
|
+
acting: z.ZodOptional<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
|
|
487
518
|
}, z.core.$strict>;
|
|
488
519
|
output: z.ZodObject<{
|
|
489
520
|
ok: z.ZodLiteral<true>;
|
|
@@ -500,7 +531,9 @@ export declare const app_settings_get_action_spec: {
|
|
|
500
531
|
role: string;
|
|
501
532
|
};
|
|
502
533
|
side_effects: false;
|
|
503
|
-
input: z.
|
|
534
|
+
input: z.ZodObject<{
|
|
535
|
+
acting: z.ZodOptional<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
|
|
536
|
+
}, z.core.$strict>;
|
|
504
537
|
output: z.ZodObject<{
|
|
505
538
|
settings: z.ZodObject<{
|
|
506
539
|
open_signup: z.ZodBoolean;
|
|
@@ -522,6 +555,7 @@ export declare const app_settings_update_action_spec: {
|
|
|
522
555
|
side_effects: true;
|
|
523
556
|
input: z.ZodObject<{
|
|
524
557
|
open_signup: z.ZodBoolean;
|
|
558
|
+
acting: z.ZodOptional<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
|
|
525
559
|
}, z.core.$strict>;
|
|
526
560
|
output: z.ZodObject<{
|
|
527
561
|
ok: z.ZodLiteral<true>;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"admin_action_specs.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/admin_action_specs.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAGtB,OAAO,KAAK,EAAC,yBAAyB,EAAC,MAAM,2BAA2B,CAAC;AAczE,sEAAsE;AACtE,eAAO,MAAM,wBAAwB,MAAM,CAAC;AAI5C,
|
|
1
|
+
{"version":3,"file":"admin_action_specs.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/admin_action_specs.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAGtB,OAAO,KAAK,EAAC,yBAAyB,EAAC,MAAM,2BAA2B,CAAC;AAczE,sEAAsE;AACtE,eAAO,MAAM,wBAAwB,MAAM,CAAC;AAI5C,sCAAsC;AACtC,eAAO,MAAM,qBAAqB;;kBAEhC,CAAC;AACH,MAAM,MAAM,qBAAqB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,qBAAqB,CAAC,CAAC;AAE1E,uCAAuC;AACvC,eAAO,MAAM,sBAAsB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;kBAGjC,CAAC;AACH,MAAM,MAAM,sBAAsB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAC;AAE5E,sCAAsC;AACtC,eAAO,MAAM,qBAAqB;;kBAEhC,CAAC;AACH,MAAM,MAAM,qBAAqB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,qBAAqB,CAAC,CAAC;AAE1E,mGAAmG;AACnG,eAAO,MAAM,sBAAsB;;;;;;;;;kBAEjC,CAAC;AACH,MAAM,MAAM,sBAAsB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAC;AAE5E,4CAA4C;AAC5C,eAAO,MAAM,0BAA0B;;;kBAGrC,CAAC;AACH,MAAM,MAAM,0BAA0B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,0BAA0B,CAAC,CAAC;AAEpF,6CAA6C;AAC7C,eAAO,MAAM,2BAA2B;;;kBAGtC,CAAC;AACH,MAAM,MAAM,2BAA2B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,2BAA2B,CAAC,CAAC;AAEtF,0CAA0C;AAC1C,eAAO,MAAM,wBAAwB;;;kBAGnC,CAAC;AACH,MAAM,MAAM,wBAAwB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,wBAAwB,CAAC,CAAC;AAEhF,2CAA2C;AAC3C,eAAO,MAAM,yBAAyB;;;kBAGpC,CAAC;AACH,MAAM,MAAM,yBAAyB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,yBAAyB,CAAC,CAAC;AAElF;;;;;GAKG;AACH,eAAO,MAAM,iBAAiB;;;;;;;;;;;kBAuB5B,CAAC;AACH,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAC;AAElE,mCAAmC;AACnC,eAAO,MAAM,kBAAkB;;;;;;;;;;;;;;;;;;;kBAE7B,CAAC;AACH,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAEpE,4CAA4C;AAC5C,eAAO,MAAM,0BAA0B;;;;kBAYrC,CAAC;AACH,MAAM,MAAM,0BAA0B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,0BAA0B,CAAC,CAAC;AAEpF,6CAA6C;AAC7C,eAAO,MAAM,2BAA2B;;;;;;;;;;;;;;;;;;;kBAEtC,CAAC;AACH,MAAM,MAAM,2BAA2B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,2BAA2B,CAAC,CAAC;AAEtF,wFAAwF;AACxF,eAAO,MAAM,iBAAiB;;;;kBAI5B,CAAC;AACH,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAC;AAElE,kCAAkC;AAClC,eAAO,MAAM,kBAAkB;;;;;;;;;;;kBAG7B,CAAC;AAC
H,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAEpE,+BAA+B;AAC/B,eAAO,MAAM,eAAe;;kBAE1B,CAAC;AACH,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,eAAe,CAAC,CAAC;AAE9D,2FAA2F;AAC3F,eAAO,MAAM,gBAAgB;;;;;;;;;;;;kBAE3B,CAAC;AACH,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC;AAEhE,iCAAiC;AACjC,eAAO,MAAM,iBAAiB;;;kBAG5B,CAAC;AACH,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAC;AAElE,kCAAkC;AAClC,eAAO,MAAM,kBAAkB;;kBAE7B,CAAC;AACH,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAEpE,oCAAoC;AACpC,eAAO,MAAM,mBAAmB;;kBAE9B,CAAC;AACH,MAAM,MAAM,mBAAmB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAC;AAEtE,qCAAqC;AACrC,eAAO,MAAM,oBAAoB;;;;;;;kBAE/B,CAAC;AACH,MAAM,MAAM,oBAAoB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAC;AAExE,uCAAuC;AACvC,eAAO,MAAM,sBAAsB;;;kBAGjC,CAAC;AACH,MAAM,MAAM,sBAAsB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAC;AAE5E,wCAAwC;AACxC,eAAO,MAAM,uBAAuB;;;;;;;;kBAGlC,CAAC;AACH,MAAM,MAAM,uBAAuB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,uBAAuB,CAAC,CAAC;AAI9E,eAAO,MAAM,8BAA8B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAUN,CAAC;AAEtC,eAAO,MAAM,8BAA8B;;;;;;;;;;;;;;;;;;;;;;;CAUN,CAAC;AAEtC,eAAO,MAAM,oCAAoC;;;;;;;;;;;;;;;;;;;CAWZ,CAAC;AAEtC,eAAO,MAAM,kCAAkC;;;;;;;;;;;;;;;;;;;CAWV,CAAC;AAEtC,eAAO,MAAM,0BAA0B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAUF,CAAC;AAEtC,eAAO,MAAM,oCAAoC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAUZ,CAAC;AAEtC,eAAO,MAAM,yBAAyB;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAWD,CAAC;AAEtC,eAAO,MAAM,uBAAuB;;;;;;;;;;;;;;;;;;;;;;;;;;CAUC,CAAC;AAEtC,eAAO,MAAM,yBAAyB;;;;;;;;;;;;;;;;;;CAWD,CAAC;AAEtC,eAAO,MAAM,4BAA4B;;;;;;;;;;;;;;;;;;;;;CAUJ,CAAC;AAEtC,eAAO,MAAM,+BAA+B;;;;;;;;;;;;;;;;;;;;;;;;CAWP,CAAC;AAEtC;;;;;;GAMG;AACH,eAAO,MAAM,sBAAsB,EAAE,KAAK,CAAC,yBAAyB,CAYnE,CAAC"}
|
|
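--- a/package/dist/auth/admin_action_specs.js
+++ b/package/dist/auth/admin_action_specs.js
@@ -18,22 +18,26 @@
 import { z } from 'zod';
 import { Uuid } from '@fuzdev/fuz_util/id.js';
 import { ROLE_ADMIN, RoleName } from './role_schema.js';
-import { AdminAccountEntryJson, Email, Username } from './account_schema.js';
+import { ActingActor, AdminAccountEntryJson, Email, Username } from './account_schema.js';
 import { AdminSessionJson, AUDIT_LOG_DEFAULT_LIMIT, AuditEventTypeName, AuditLogEventWithUsernamesJson, AuditOutcome, PermitHistoryEventJson, } from './audit_log_schema.js';
 import { InviteJson, InviteWithUsernamesJson } from './invite_schema.js';
 import { AppSettingsWithUsernameJson } from './app_settings_schema.js';
 /** Max audit-log page size. Mirrors the former REST route's clamp. */
 export const AUDIT_LOG_LIST_LIMIT_MAX = 200;
 // -- Input/output schemas ---------------------------------------------------
-/** Input for `admin_account_list`.
-export const AdminAccountListInput = z.
+/** Input for `admin_account_list`. */
+export const AdminAccountListInput = z.strictObject({
+acting: ActingActor,
+});
 /** Output for `admin_account_list`. */
 export const AdminAccountListOutput = z.strictObject({
 accounts: z.array(AdminAccountEntryJson),
 grantable_roles: z.array(RoleName),
 });
-/** Input for `admin_session_list`.
-export const AdminSessionListInput = z.
+/** Input for `admin_session_list`. */
+export const AdminSessionListInput = z.strictObject({
+acting: ActingActor,
+});
 /** Output for `admin_session_list`. Cross-account listing; fan-out already scoped by role auth. */
 export const AdminSessionListOutput = z.strictObject({
 sessions: z.array(AdminSessionJson),
@@ -41,6 +45,7 @@ export const AdminSessionListOutput = z.strictObject({
 /** Input for `admin_session_revoke_all`. */
 export const AdminSessionRevokeAllInput = z.strictObject({
 account_id: Uuid.meta({ description: 'Account whose sessions to revoke.' }),
+acting: ActingActor,
 });
 /** Output for `admin_session_revoke_all`. */
 export const AdminSessionRevokeAllOutput = z.strictObject({
@@ -50,6 +55,7 @@ export const AdminSessionRevokeAllOutput = z.strictObject({
 /** Input for `admin_token_revoke_all`. */
 export const AdminTokenRevokeAllInput = z.strictObject({
 account_id: Uuid.meta({ description: 'Account whose API tokens to revoke.' }),
+acting: ActingActor,
 });
 /** Output for `admin_token_revoke_all`. */
 export const AdminTokenRevokeAllOutput = z.strictObject({
@@ -83,6 +89,7 @@ export const AuditLogListInput = z.strictObject({
 since_seq: z.number().int().min(0).nullish().meta({
 description: 'Gap-fill from this seq forward. Used for SSE reconnection.',
 }),
+acting: ActingActor,
 });
 /** Output for `audit_log_list`. */
 export const AuditLogListOutput = z.strictObject({
@@ -100,6 +107,7 @@ export const AuditLogPermitHistoryInput = z.strictObject({
 description: `Max rows to return (default ${AUDIT_LOG_DEFAULT_LIMIT}, max ${AUDIT_LOG_LIST_LIMIT_MAX}).`,
 }),
 offset: z.number().int().min(0).nullish().meta({ description: 'Pagination offset.' }),
+acting: ActingActor,
 });
 /** Output for `audit_log_permit_history`. */
 export const AuditLogPermitHistoryOutput = z.strictObject({
@@ -109,6 +117,7 @@ export const AuditLogPermitHistoryOutput = z.strictObject({
 export const InviteCreateInput = z.strictObject({
 email: Email.nullish().meta({ description: 'Invitee email.' }),
 username: Username.nullish().meta({ description: 'Invitee username.' }),
+acting: ActingActor,
 });
 /** Output for `invite_create`. */
 export const InviteCreateOutput = z.strictObject({
@@ -116,7 +125,9 @@ export const InviteCreateOutput = z.strictObject({
 invite: InviteJson,
 });
 /** Input for `invite_list`. */
-export const InviteListInput = z.
+export const InviteListInput = z.strictObject({
+acting: ActingActor,
+});
 /** Output for `invite_list`. Uses the enriched row including creator/claimer usernames. */
 export const InviteListOutput = z.strictObject({
 invites: z.array(InviteWithUsernamesJson),
@@ -124,13 +135,16 @@ export const InviteListOutput = z.strictObject({
 /** Input for `invite_delete`. */
 export const InviteDeleteInput = z.strictObject({
 invite_id: Uuid.meta({ description: 'Invite to delete. Must be unclaimed.' }),
+acting: ActingActor,
 });
 /** Output for `invite_delete`. */
 export const InviteDeleteOutput = z.strictObject({
 ok: z.literal(true),
 });
-/** Input for `app_settings_get`.
-export const AppSettingsGetInput = z.
+/** Input for `app_settings_get`. */
+export const AppSettingsGetInput = z.strictObject({
+acting: ActingActor,
+});
 /** Output for `app_settings_get`. */
 export const AppSettingsGetOutput = z.strictObject({
 settings: AppSettingsWithUsernameJson,
@@ -138,6 +152,7 @@ export const AppSettingsGetOutput = z.strictObject({
 /** Input for `app_settings_update`. */
 export const AppSettingsUpdateInput = z.strictObject({
 open_signup: z.boolean().meta({ description: 'New value for the open signup toggle.' }),
+acting: ActingActor,
 });
 /** Output for `app_settings_update`. */
 export const AppSettingsUpdateOutput = z.strictObject({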
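Review bot: The `acting: ActingActor` field added to every admin input, including the state-changing ones (`AdminSessionRevokeAllInput`, `AdminTokenRevokeAllInput`, `InviteDeleteInput`, `AppSettingsUpdateInput`), is an actor id chosen by the caller, and nothing in this file states how it is bound to the authenticated account. The schema only checks shape (the matching `.d.ts` types it as an optional branded UUID), so the handlers, which are outside this section, presumably have to confirm that the actor belongs to the session's account and holds the admin role before acting or writing the audit row. The sibling fields carry `.meta({ description })` at the use site while `acting` has none here; unless `ActingActor` brings its own description, I would add one line above the first use in the source file, e.g. `// acting: caller-chosen actor id; handlers must verify it belongs to the authenticated account`. The removed lines of the list inputs are truncated in this rendering, so whether the move to `z.strictObject` rejects input that older clients sent cannot be judged from here.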
|