@fuzdev/fuz_app 0.54.0 → 0.56.0

package/dist/auth/audit_log_schema.d.ts

@@ -14,12 +14,12 @@ import { Uuid } from '@fuzdev/fuz_util/id.js';
  * Not a security boundary — in-process code has many other paths to subvert
  * audit logging.
  */
-export declare const AUDIT_EVENT_TYPES: readonly ["login", "logout", "bootstrap", "signup", "password_change", "session_revoke", "session_revoke_all", "token_create", "token_revoke", "token_revoke_all", "permit_grant", "permit_revoke", "permit_offer_create", "permit_offer_accept", "permit_offer_decline", "permit_offer_retract", "permit_offer_expire", "permit_offer_supersede", "invite_create", "invite_delete", "app_settings_update"];
+export declare const AUDIT_EVENT_TYPES: readonly ["login", "logout", "bootstrap", "signup", "password_change", "session_revoke", "session_revoke_all", "token_create", "token_revoke", "token_revoke_all", "role_grant_create", "role_grant_revoke", "role_grant_offer_create", "role_grant_offer_accept", "role_grant_offer_decline", "role_grant_offer_retract", "role_grant_offer_expire", "role_grant_offer_supersede", "invite_create", "invite_delete", "app_settings_update"];
 /** Zod schema for audit event types. */
 export declare const AuditEventType: z.ZodEnum<{
+    bootstrap: "bootstrap";
     login: "login";
     logout: "logout";
-    bootstrap: "bootstrap";
     signup: "signup";
     password_change: "password_change";
     session_revoke: "session_revoke";
@@ -27,14 +27,14 @@ export declare const AuditEventType: z.ZodEnum<{
     token_create: "token_create";
     token_revoke: "token_revoke";
     token_revoke_all: "token_revoke_all";
-    permit_grant: "permit_grant";
-    permit_revoke: "permit_revoke";
-    permit_offer_create: "permit_offer_create";
-    permit_offer_accept: "permit_offer_accept";
-    permit_offer_decline: "permit_offer_decline";
-    permit_offer_retract: "permit_offer_retract";
-    permit_offer_expire: "permit_offer_expire";
-    permit_offer_supersede: "permit_offer_supersede";
+    role_grant_create: "role_grant_create";
+    role_grant_revoke: "role_grant_revoke";
+    role_grant_offer_create: "role_grant_offer_create";
+    role_grant_offer_accept: "role_grant_offer_accept";
+    role_grant_offer_decline: "role_grant_offer_decline";
+    role_grant_offer_retract: "role_grant_offer_retract";
+    role_grant_offer_expire: "role_grant_offer_expire";
+    role_grant_offer_supersede: "role_grant_offer_supersede";
     invite_create: "invite_create";
     invite_delete: "invite_delete";
     app_settings_update: "app_settings_update";
@@ -74,9 +74,15 @@ export declare const AUDIT_METADATA_SCHEMAS: Readonly<{
         username: z.ZodString;
         invite_id: z.ZodOptional<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
         open_signup: z.ZodOptional<z.ZodBoolean>;
+        reason: z.ZodOptional<z.ZodString>;
+        email: z.ZodOptional<z.ZodEmail>;
     }, z.core.$loose>;
     password_change: z.ZodNullable<z.ZodObject<{
-        sessions_revoked: z.ZodNumber;
+        sessions_revoked: z.ZodOptional<z.ZodNumber>;
+        tokens_revoked: z.ZodOptional<z.ZodNumber>;
+        reason: z.ZodOptional<z.ZodEnum<{
+            concurrent_change: "concurrent_change";
+        }>>;
     }, z.core.$loose>>;
     session_revoke: z.ZodObject<{
         session_id: z.ZodString;
@@ -98,55 +104,55 @@ export declare const AUDIT_METADATA_SCHEMAS: Readonly<{
         reason: z.ZodOptional<z.ZodString>;
         attempted_account_id: z.ZodOptional<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
     }, z.core.$loose>;
-    permit_grant: z.ZodObject<{
+    role_grant_create: z.ZodObject<{
         role: z.ZodString;
-        permit_id: z.ZodOptional<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+        role_grant_id: z.ZodOptional<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
         scope_id: z.ZodOptional<z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>>;
         source_offer_id: z.ZodOptional<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
         self_service: z.ZodOptional<z.ZodBoolean>;
     }, z.core.$loose>;
-    permit_revoke: z.ZodObject<{
+    role_grant_revoke: z.ZodObject<{
         role: z.ZodString;
-        permit_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+        role_grant_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
         scope_id: z.ZodOptional<z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>>;
         reason: z.ZodOptional<z.ZodString>;
         self_service: z.ZodOptional<z.ZodBoolean>;
     }, z.core.$loose>;
-    permit_offer_create: z.ZodObject<{
+    role_grant_offer_create: z.ZodObject<{
         offer_id: z.ZodOptional<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
         role: z.ZodString;
         scope_id: z.ZodOptional<z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>>;
         to_account_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
     }, z.core.$loose>;
-    permit_offer_accept: z.ZodObject<{
+    role_grant_offer_accept: z.ZodObject<{
         offer_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
-        permit_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+        role_grant_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
         role: z.ZodString;
         scope_id: z.ZodOptional<z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>>;
     }, z.core.$loose>;
-    permit_offer_decline: z.ZodObject<{
+    role_grant_offer_decline: z.ZodObject<{
         offer_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
         role: z.ZodString;
         scope_id: z.ZodOptional<z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>>;
         reason: z.ZodOptional<z.ZodString>;
     }, z.core.$loose>;
-    permit_offer_retract: z.ZodObject<{
+    role_grant_offer_retract: z.ZodObject<{
         offer_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
         role: z.ZodString;
         scope_id: z.ZodOptional<z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>>;
     }, z.core.$loose>;
-    permit_offer_expire: z.ZodObject<{
+    role_grant_offer_expire: z.ZodObject<{
         offer_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
         role: z.ZodString;
         scope_id: z.ZodOptional<z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>>;
     }, z.core.$loose>;
-    permit_offer_supersede: z.ZodObject<{
+    role_grant_offer_supersede: z.ZodObject<{
         offer_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
         role: z.ZodString;
         scope_id: z.ZodOptional<z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>>;
         reason: z.ZodEnum<{
             sibling_accepted: "sibling_accepted";
-            permit_revoked: "permit_revoked";
+            role_grant_revoked: "role_grant_revoked";
             scope_destroyed: "scope_destroyed";
         }>;
         cause_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
@@ -175,9 +181,59 @@ export interface AuditLogEvent {
     seq: number;
     event_type: AuditEventTypeName;
     outcome: AuditOutcome;
+    /**
+     * Operator (the actor that initiated the event) — populated when the
+     * request resolved an acting actor.
+     *
+     * Resolution is driven per-request by the route-spec wrapper / RPC
+     * dispatcher; a route gets an acting actor when its input schema
+     * declares `acting?: ActingActor` or its auth requires role_grants
+     * (`role` / `keeper`). Account-grain operations declare neither,
+     * so no actor is resolved and `actor_id` is null: login (also
+     * pre-credential), logout, signup, bootstrap, password_change,
+     * session/token revoke, app_settings_update, invite events.
+     * Role grant events, admin actions, and actor-targeted offers
+     * populate this with the initiator's actor.
+     */
     actor_id: Uuid | null;
     account_id: Uuid | null;
     target_account_id: Uuid | null;
+    /**
+     * Actor-grain target — populated when the event subject is bound to
+     * a specific actor.
+     *
+     * Concretely:
+     * - Always populated: `role_grant_revoke` and `role_grant_create`
+     *   (admin direct-grant, self-service toggle, and in-tx
+     *   `role_grant_offer_accept` all populate both target columns — the
+     *   role_grant's grantee is the actor-grain subject regardless of who
+     *   initiated the grant), `role_grant_offer_accept` on accept (the
+     *   accept binds the actor deterministically), `role_grant_offer_decline`
+     *   (the grantor actor — decline is *to* the offering actor).
+     * - Conditionally populated: offer-shape events
+     *   (`role_grant_offer_create`, `_expire`, `_retract`, `_supersede`)
+     *   carry the actor when the offer was actor-targeted at create time
+     *   (`role_grant_offer.to_actor_id` set), null when the offer was
+     *   account-grain (any actor on `to_account_id` may accept).
+     * - Not populated: admin actions, account-shape events (login,
+     *   logout, signup, bootstrap, password_change, session/token
+     *   revoke, app_settings_update, invite events) — subject is the
+     *   account or no specific resource, not an actor-bound role_grant.
+     * - Not populated: events whose principal isn't an actor-bound
+     *   resource (e.g. consumer events that name a non-actor scope in
+     *   metadata).
+     *
+     * Multi-actor invariants this column relies on: when both
+     * `target_actor_id` and `target_account_id` are populated they refer
+     * to the same account (`actor.account_id`-derivable). The invariant
+     * holds uniformly across every populated event including decline
+     * (the grantor's account is joined into the decline RETURNING) and
+     * the supersede cascade (the recipient account is known on
+     * `role_grant_offer.to_account_id`). `target_account_id` stays the
+     * SSE/WS socket-close key because sessions remain account-grain
+     * after multi-actor lands.
+     */
+    target_actor_id: Uuid | null;
     ip: string | null;
     created_at: string;
     metadata: Record<string, unknown> | null;
@@ -197,6 +253,7 @@ export interface AuditLogInput<T extends string = AuditEventType> {
     actor_id?: Uuid | null;
     account_id?: Uuid | null;
     target_account_id?: Uuid | null;
+    target_actor_id?: Uuid | null;
     ip?: string | null;
     /**
      * Per-event-type metadata. Builtin `T` narrows to `AuditMetadataMap[T]`;
@@ -210,8 +267,8 @@ export interface AuditLogInput<T extends string = AuditEventType> {
  *
  * Lets consumers extend the closed `AUDIT_EVENT_TYPES` enum with their own
  * event strings (and metadata Zod schemas) without forking. Pass to
- * `audit_log_fire_and_forget` / `query_audit_log` as the optional `config`
- * argument; both default to `BUILTIN_AUDIT_LOG_CONFIG`.
+ * `create_audit_emitter` (or `query_audit_log` for in-tx call sites) as the
+ * optional `config` argument; both default to `BUILTIN_AUDIT_LOG_CONFIG`.
  *
  * The DB column is `TEXT NOT NULL` and never enforced an enum, so consumer
  * event types round-trip through `query_audit_log_list` and SSE identically
@@ -252,9 +309,9 @@ export interface CreateAuditLogConfigOptions {
  * Throws when an `extra_events` key collides with a builtin event type, or
  * fails `AuditEventTypeName` format validation.
  *
- * Call once at startup; pass the result to consumer-emitted
- * `audit_log_fire_and_forget` calls. Builtin handlers omit the argument and
- * pick up `BUILTIN_AUDIT_LOG_CONFIG`.
+ * Call once at startup; pass the result to `create_app_backend` (which
+ * threads it into `AppDeps.audit`). Builtin handlers omit the
+ * `audit_log_config` slot and pick up `BUILTIN_AUDIT_LOG_CONFIG`.
  *
  * @throws Error when an `extra_events` key collides with a builtin event type or fails `AuditEventTypeName` format validation
  */
@@ -298,6 +355,7 @@ export declare const AuditLogEventJson: z.ZodObject<{
     actor_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
     account_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
     target_account_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+    target_actor_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
     ip: z.ZodNullable<z.ZodString>;
     created_at: z.ZodString;
     metadata: z.ZodNullable<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
@@ -315,6 +373,7 @@ export declare const AuditLogEventWithUsernamesJson: z.ZodObject<{
     actor_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
     account_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
     target_account_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+    target_actor_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
     ip: z.ZodNullable<z.ZodString>;
     created_at: z.ZodString;
     metadata: z.ZodNullable<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
@@ -322,8 +381,8 @@ export declare const AuditLogEventWithUsernamesJson: z.ZodObject<{
     target_username: z.ZodNullable<z.ZodString>;
 }, z.core.$strict>;
 export type AuditLogEventWithUsernamesJson = z.infer<typeof AuditLogEventWithUsernamesJson>;
-/** Zod schema for permit history events with resolved usernames. */
-export declare const PermitHistoryEventJson: z.ZodObject<{
+/** Zod schema for role_grant history events with resolved usernames. */
+export declare const RoleGrantHistoryEventJson: z.ZodObject<{
     id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
     seq: z.ZodNumber;
     event_type: z.ZodString;
@@ -334,13 +393,14 @@ export declare const PermitHistoryEventJson: z.ZodObject<{
     actor_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
     account_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
     target_account_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+    target_actor_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
     ip: z.ZodNullable<z.ZodString>;
     created_at: z.ZodString;
     metadata: z.ZodNullable<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
     username: z.ZodNullable<z.ZodString>;
     target_username: z.ZodNullable<z.ZodString>;
 }, z.core.$strict>;
-export type PermitHistoryEventJson = z.infer<typeof PermitHistoryEventJson>;
+export type RoleGrantHistoryEventJson = z.infer<typeof RoleGrantHistoryEventJson>;
 /** Zod schema for admin session listing (session + username). */
 export declare const AdminSessionJson: z.ZodObject<{
     id: z.ZodString;
@@ -351,6 +411,6 @@ export declare const AdminSessionJson: z.ZodObject<{
     username: z.ZodString;
 }, z.core.$strict>;
 export type AdminSessionJson = z.infer<typeof AdminSessionJson>;
-export declare const AUDIT_LOG_SCHEMA = "\nCREATE TABLE IF NOT EXISTS audit_log (\n  id UUID PRIMARY KEY DEFAULT gen_random_uuid(),\n  seq SERIAL NOT NULL,\n  event_type TEXT NOT NULL,\n  outcome TEXT NOT NULL DEFAULT 'success',\n  actor_id UUID REFERENCES actor(id) ON DELETE SET NULL,\n  account_id UUID REFERENCES account(id) ON DELETE SET NULL,\n  target_account_id UUID REFERENCES account(id) ON DELETE SET NULL,\n  ip TEXT,\n  created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),\n  metadata JSONB\n)";
+export declare const AUDIT_LOG_SCHEMA = "\nCREATE TABLE IF NOT EXISTS audit_log (\n  id UUID PRIMARY KEY DEFAULT gen_random_uuid(),\n  seq SERIAL NOT NULL,\n  event_type TEXT NOT NULL,\n  outcome TEXT NOT NULL DEFAULT 'success',\n  actor_id UUID REFERENCES actor(id) ON DELETE SET NULL,\n  account_id UUID REFERENCES account(id) ON DELETE SET NULL,\n  target_account_id UUID REFERENCES account(id) ON DELETE SET NULL,\n  target_actor_id UUID REFERENCES actor(id) ON DELETE SET NULL,\n  ip TEXT,\n  created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),\n  metadata JSONB\n)";
 export declare const AUDIT_LOG_INDEXES: string[];
 //# sourceMappingURL=audit_log_schema.d.ts.map

package/dist/auth/audit_log_schema.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"audit_log_schema.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/audit_log_schema.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AACtB,OAAO,EAAC,IAAI,EAAC,MAAM,wBAAwB,CAAC;AAI5C;;;;;GAKG;AACH,eAAO,MAAM,iBAAiB,6YAsBnB,CAAC;AAEZ,wCAAwC;AACxC,eAAO,MAAM,cAAc;;;;;;;;;;;;;;;;;;;;;;EAA4B,CAAC;AACxD,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,cAAc,CAAC,CAAC;AAE5D;;;;GAIG;AACH,eAAO,MAAM,2BAA2B,QAA+B,CAAC;AAExE,0DAA0D;AAC1D,eAAO,MAAM,kBAAkB,aAE7B,CAAC;AACH,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAEpE,2CAA2C;AAC3C,eAAO,MAAM,YAAY;;;EAAiC,CAAC;AAC3D,MAAM,MAAM,YAAY,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,YAAY,CAAC,CAAC;AAExD;;;;;;GAMG;AACH,eAAO,MAAM,sBAAsB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EA2LW,CAAC;AAE/C,+EAA+E;AAC/E,MAAM,MAAM,gBAAgB,GAAG;KAC7B,CAAC,IAAI,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,OAAO,sBAAsB,CAAC,CAAC,CAAC,CAAC,CAAC;CAClE,CAAC;AAEF,oGAAoG;AACpG,MAAM,WAAW,aAAa;IAC7B,EAAE,EAAE,IAAI,CAAC;IACT,GAAG,EAAE,MAAM,CAAC;IACZ,UAAU,EAAE,kBAAkB,CAAC;IAC/B,OAAO,EAAE,YAAY,CAAC;IACtB,QAAQ,EAAE,IAAI,GAAG,IAAI,CAAC;IACtB,UAAU,EAAE,IAAI,GAAG,IAAI,CAAC;IACxB,iBAAiB,EAAE,IAAI,GAAG,IAAI,CAAC;IAC/B,EAAE,EAAE,MAAM,GAAG,IAAI,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC;CACzC;AAED;;;;GAIG;AACH,eAAO,MAAM,kBAAkB,GAAI,CAAC,SAAS,cAAc,EAC1D,OAAO,aAAa,GAAG;IAAC,UAAU,EAAE,CAAC,CAAA;CAAC,KACpC,gBAAgB,CAAC,CAAC,CAAC,GAAG,IAExB,CAAC;AAEF,6CAA6C;AAC7C,MAAM,WAAW,aAAa,CAAC,CAAC,SAAS,MAAM,GAAG,cAAc;IAC/D,UAAU,EAAE,CAAC,CAAC;IACd,OAAO,CAAC,EAAE,YAAY,CAAC;IACvB,QAAQ,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;IACvB,UAAU,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;IACzB,iBAAiB,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;IAChC,EAAE,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACnB;;;;OAIG;IACH,QAAQ,CAAC,EAAE,CAAC,SAAS,cAAc,GAChC,CAAC,gBAAgB,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,GAAG,IAAI,GACtD,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC;CAClC;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,WAAW,cAAc;IAC9B,iFAAiF;IACjF,QAAQ,CAAC,WAAW,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IAC5C;;;OAGG;IACH,QAAQ,CAAC,gBAAgB,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC;CAC/D;AAED,4FAA4F;AAC5F,eAAO,MAAM,wBAAwB,EAAE,cAGrC,CAAC;AAEH,6CAA6C;AAC7C,MAAM,WAAW,2BAA2B;IAC3C;;;;;;;;OAQG;IACH,YAAY,CAAC,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,GAAG,IAAI,CAAC,CAAC,CAAC;CAC1D;AAED;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,uBAAuB,GAAI,UAAU,2BAA2B,KAAG,cA2B/E,CAAC;AAEF,gDAAgD;AAChD,eAAO,MAAM,uBAAuB,KAAK,CAAC;AAE1C,6CAA6C;AAC7C,MAAM,WAAW,mBAAmB;IACnC,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB;;;;OAIG;IACH,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,aAAa,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IAC9B,UAAU,CAAC,EAAE,IAAI,CAAC;IAClB,OAAO,CAAC,EAAE,YAAY,CAAC;IACvB,0GAA0G;IAC1G,SAAS,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;;;;;;;;GASG;AACH,eAAO,MAAM,iBAAiB;;;;;;;;;;;;;;kBAW5B,CAAC;AACH,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAC;AAElE,+DAA+D;AAC/D,eAAO,MAAM,8BAA8B;;;;;;;;;;;;;;;;kBAGzC,CAAC;AACH,MAAM,MAAM,8BAA8B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,8BAA8B,CAAC,CAAC;AAE5F,oEAAoE;AACpE,eAAO,MAAM,sBAAsB;;;;;;;;;;;;;;;;kBAGjC,CAAC;AACH,MAAM,MAAM,sBAAsB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAC;AAE5E,iEAAiE;AACjE,eAAO,MAAM,gBAAgB;;;;;;;kBAE3B,CAAC;AACH,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC;AAIhE,eAAO,MAAM,gBAAgB,gdAY3B,CAAC;AAEH,eAAO,MAAM,iBAAiB,UAK7B,CAAC"}
+{"version":3,"file":"audit_log_schema.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/audit_log_schema.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AACtB,OAAO,EAAC,IAAI,EAAC,MAAM,wBAAwB,CAAC;AAO5C;;;;;GAKG;AACH,eAAO,MAAM,iBAAiB,8aAsBnB,CAAC;AAEZ,wCAAwC;AACxC,eAAO,MAAM,cAAc;;;;;;;;;;;;;;;;;;;;;;EAA4B,CAAC;AACxD,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,cAAc,CAAC,CAAC;AAE5D;;;;GAIG;AACH,eAAO,MAAM,2BAA2B,QAA+B,CAAC;AAExE,0DAA0D;AAC1D,eAAO,MAAM,kBAAkB,aAE7B,CAAC;AACH,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAEpE,2CAA2C;AAC3C,eAAO,MAAM,YAAY;;;EAAiC,CAAC;AAC3D,MAAM,MAAM,YAAY,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,YAAY,CAAC,CAAC;AAExD;;;;;;GAMG;AACH,eAAO,MAAM,sBAAsB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EA6MW,CAAC;AAE/C,+EAA+E;AAC/E,MAAM,MAAM,gBAAgB,GAAG;KAC7B,CAAC,IAAI,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,OAAO,sBAAsB,CAAC,CAAC,CAAC,CAAC,CAAC;CAClE,CAAC;AAEF,oGAAoG;AACpG,MAAM,WAAW,aAAa;IAC7B,EAAE,EAAE,IAAI,CAAC;IACT,GAAG,EAAE,MAAM,CAAC;IACZ,UAAU,EAAE,kBAAkB,CAAC;IAC/B,OAAO,EAAE,YAAY,CAAC;IACtB;;;;;;;;;;;;;OAaG;IACH,QAAQ,EAAE,IAAI,GAAG,IAAI,CAAC;IACtB,UAAU,EAAE,IAAI,GAAG,IAAI,CAAC;IACxB,iBAAiB,EAAE,IAAI,GAAG,IAAI,CAAC;IAC/B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OAkCG;IACH,eAAe,EAAE,IAAI,GAAG,IAAI,CAAC;IAC7B,EAAE,EAAE,MAAM,GAAG,IAAI,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC;CACzC;AAED;;;;GAIG;AACH,eAAO,MAAM,kBAAkB,GAAI,CAAC,SAAS,cAAc,EAC1D,OAAO,aAAa,GAAG;IAAC,UAAU,EAAE,CAAC,CAAA;CAAC,KACpC,gBAAgB,CAAC,CAAC,CAAC,GAAG,IAExB,CAAC;AAEF,6CAA6C;AAC7C,MAAM,WAAW,aAAa,CAAC,CAAC,SAAS,MAAM,GAAG,cAAc;IAC/D,UAAU,EAAE,CAAC,CAAC;IACd,OAAO,CAAC,EAAE,YAAY,CAAC;IACvB,QAAQ,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;IACvB,UAAU,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;IACzB,iBAAiB,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;IAChC,eAAe,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;IAC9B,EAAE,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACnB;;;;OAIG;IACH,QAAQ,CAAC,EAAE,CAAC,SAAS,cAAc,GAChC,CAAC,gBAAgB,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,GAAG,IAAI,GACtD,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC;CAClC;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,WAAW,cAAc;IAC9B,iFAAiF;IACjF,QAAQ,CAAC,WAAW,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IAC5C;;;OAGG;IACH,QAAQ,CAAC,gBAAgB,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC;CAC/D;AAED,4FAA4F;AAC5F,eAAO,MAAM,wBAAwB,EAAE,cAGrC,CAAC;AAEH,6CAA6C;AAC7C,MAAM,WAAW,2BAA2B;IAC3C;;;;;;;;OAQG;IACH,YAAY,CAAC,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,GAAG,IAAI,CAAC,CAAC,CAAC;CAC1D;AAED;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,uBAAuB,GAAI,UAAU,2BAA2B,KAAG,cA2B/E,CAAC;AAEF,gDAAgD;AAChD,eAAO,MAAM,uBAAuB,KAAK,CAAC;AAE1C,6CAA6C;AAC7C,MAAM,WAAW,mBAAmB;IACnC,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB;;;;OAIG;IACH,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,aAAa,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IAC9B,UAAU,CAAC,EAAE,IAAI,CAAC;IAClB,OAAO,CAAC,EAAE,YAAY,CAAC;IACvB,0GAA0G;IAC1G,SAAS,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;;;;;;;;GASG;AACH,eAAO,MAAM,iBAAiB;;;;;;;;;;;;;;;kBAY5B,CAAC;AACH,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAC;AAElE,+DAA+D;AAC/D,eAAO,MAAM,8BAA8B;;;;;;;;;;;;;;;;;kBAGzC,CAAC;AACH,MAAM,MAAM,8BAA8B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,8BAA8B,CAAC,CAAC;AAE5F,wEAAwE;AACxE,eAAO,MAAM,yBAAyB;;;;;;;;;;;;;;;;;kBAGpC,CAAC;AACH,MAAM,MAAM,yBAAyB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,yBAAyB,CAAC,CAAC;AAElF,iEAAiE;AACjE,eAAO,MAAM,gBAAgB;;;;;;;kBAE3B,CAAC;AACH,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC;AAehE,eAAO,MAAM,gBAAgB,ihBAa3B,CAAC;AAEH,eAAO,MAAM,iBAAiB,UAM7B,CAAC"}

package/dist/auth/audit_log_schema.js

@@ -8,7 +8,10 @@
  */
 import { z } from 'zod';
 import { Uuid } from '@fuzdev/fuz_util/id.js';
+import { Blake3Hash } from '@fuzdev/fuz_util/hash_blake3.js';
 import { AuthSessionJson } from './account_schema.js';
+import { Email } from '../primitive_schemas.js';
+import { ApiTokenId } from './api_token.js';
 /**
  * All tracked auth event types. Frozen to convert accidental in-process
  * mutation (test cross-contamination, cast escapes) into loud TypeErrors.
@@ -26,14 +29,14 @@ export const AUDIT_EVENT_TYPES = Object.freeze([
     'token_create',
     'token_revoke',
     'token_revoke_all',
-    'permit_grant',
-    'permit_revoke',
-    'permit_offer_create',
-    'permit_offer_accept',
-    'permit_offer_decline',
-    'permit_offer_retract',
-    'permit_offer_expire',
-    'permit_offer_supersede',
+    'role_grant_create',
+    'role_grant_revoke',
+    'role_grant_offer_create',
+    'role_grant_offer_accept',
+    'role_grant_offer_decline',
+    'role_grant_offer_retract',
+    'role_grant_offer_expire',
+    'role_grant_offer_supersede',
     'invite_create',
     'invite_delete',
     'app_settings_update',
@@ -72,23 +75,35 @@ export const AUDIT_METADATA_SCHEMAS = Object.freeze({
     })
         .nullable(),
     signup: z.looseObject({
-        username: z.string().meta({ description: 'Username chosen at signup.' }),
+        username: z.string().meta({ description: 'Username submitted at signup.' }),
         invite_id: Uuid.optional().meta({
-            description: 'Invite consumed by this signup, when one was matched.',
+            description: 'Invite consumed by this signup. Set on success and on `race_lost` / `signup_conflict` failure rows when an invite was matched at attempt time.',
         }),
         open_signup: z.boolean().optional().meta({
-            description: 'True when the signup occurred via the `open_signup` setting (no invite required).',
+            description: 'True when the signup occurred via the `open_signup` setting (no invite required). Set on success rows under `open_signup` and on failure rows when the attempt was made under `open_signup`.',
+        }),
+        reason: z.string().optional().meta({
+            description: 'Failure category: `no_match` (no unclaimed invite matched), `race_lost` (invite was claimed between find and claim), `signup_conflict` (username/email already exists). Set only on `outcome=failure`.',
+        }),
+        email: Email.optional().meta({
+            description: 'Email submitted at signup — recorded on failure rows for forensic correlation. Omitted on success rows because the email is already tied to the resulting account.',
         }),
     }),
     password_change: z
         .looseObject({
-        sessions_revoked: z
-            .number()
-            .meta({ description: 'Number of sessions revoked as a side effect of the password change.' }),
+        sessions_revoked: z.number().optional().meta({
+            description: 'Number of sessions revoked as a side effect of the password change. Present on `outcome=success`.',
+        }),
+        tokens_revoked: z.number().optional().meta({
+            description: 'Number of API tokens revoked as a side effect of the password change. Present on `outcome=success`.',
+        }),
+        reason: z.enum(['concurrent_change']).optional().meta({
+            description: 'Failure category. `concurrent_change` indicates another password change committed first against the same starting hash (verify-write race loser). Absent for typed-wrong-password failures.',
+        }),
     })
         .nullable(),
     session_revoke: z.looseObject({
-        session_id: z.string().meta({ description: 'Blake3 hash identifying the revoked session row.' }),
+        session_id: Blake3Hash.meta({ description: 'Blake3 hash identifying the revoked session row.' }),
     }),
     session_revoke_all: z.looseObject({
         // Omitted on `outcome='failure'` (no revocation attempted — e.g. target
@@ -107,11 +122,11 @@ export const AUDIT_METADATA_SCHEMAS = Object.freeze({
         }),
     }),
     token_create: z.looseObject({
-        token_id: z.string().meta({ description: 'Public id of the created API token (`tok_…`).' }),
+        token_id: ApiTokenId.meta({ description: 'Public id of the created API token (`tok_…`).' }),
         name: z.string().meta({ description: 'Operator-supplied label for the token.' }),
     }),
     token_revoke: z.looseObject({
-        token_id: z.string().meta({ description: 'Public id of the revoked API token (`tok_…`).' }),
+        token_id: ApiTokenId.meta({ description: 'Public id of the revoked API token (`tok_…`).' }),
     }),
     token_revoke_all: z.looseObject({
         // Same shape as `session_revoke_all` for failures.
@@ -126,19 +141,19 @@ export const AUDIT_METADATA_SCHEMAS = Object.freeze({
             description: 'Probed account id when the target lookup missed (FK constraint forces `target_account_id` to null).',
         }),
     }),
-    // `permit_id` is optional on `permit_grant` because failed grants
-    // (e.g. `web_grantable` denied) never produce a permit row.
+    // `role_grant_id` is optional on `role_grant_create` because failed grants
+    // (e.g. admin-grant-path denied) never produce a role_grant row.
     // `self_service: true` is set by the self-service role toggle in
     // `self_service_role_actions.ts` — declared explicitly rather than
     // riding on `z.looseObject` permissiveness so the field is part of
     // the documented schema surface.
-    permit_grant: z.looseObject({
+    role_grant_create: z.looseObject({
         role: z.string().meta({ description: 'Role being granted.' }),
-        permit_id: Uuid.optional().meta({
-            description: 'Id of the resulting permit row. Omitted when the grant failed (e.g. `web_grantable` denial).',
+        role_grant_id: Uuid.optional().meta({
+            description: 'Id of the resulting role_grant row. Omitted when the grant failed (e.g. admin-grant-path denial).',
         }),
         scope_id: Uuid.nullish().meta({
-            description: 'Scope of the granted permit; null for global permits.',
+            description: 'Scope of the granted role_grant; null for global role_grants.',
         }),
         source_offer_id: Uuid.optional().meta({
             description: 'Offer this grant resolved, when the grant originated from an accepted offer.',
@@ -147,11 +162,11 @@ export const AUDIT_METADATA_SCHEMAS = Object.freeze({
             description: 'True when the grant came from the self-service role toggle.',
         }),
     }),
-    permit_revoke: z.looseObject({
+    role_grant_revoke: z.looseObject({
         role: z.string().meta({ description: 'Role being revoked.' }),
-        permit_id: Uuid.meta({ description: 'Id of the revoked permit row.' }),
+        role_grant_id: Uuid.meta({ description: 'Id of the revoked role_grant row.' }),
         scope_id: Uuid.nullish().meta({
-            description: 'Scope of the revoked permit; null for global permits.',
+            description: 'Scope of the revoked role_grant; null for global role_grants.',
         }),
         reason: z
             .string()
@@ -161,9 +176,9 @@ export const AUDIT_METADATA_SCHEMAS = Object.freeze({
             description: 'True when the revoke came from the self-service role toggle.',
         }),
     }),
-    // `offer_id` is optional because failed creates (e.g. `web_grantable`
+    // `offer_id` is optional because failed creates (e.g. admin-grant-path
     // denied, `authorize` callback denied) never produce an offer row.
-    permit_offer_create: z.looseObject({
+    role_grant_offer_create: z.looseObject({
         offer_id: Uuid.optional().meta({
             description: 'Id of the created offer row. Omitted when the create failed before insert.',
         }),
@@ -173,17 +188,17 @@ export const AUDIT_METADATA_SCHEMAS = Object.freeze({
         }),
         to_account_id: Uuid.meta({ description: 'Account the offer is directed to.' }),
     }),
-    // `permit_grant` is emitted alongside on accept — two events per accept by
-    // design: offer-lifecycle audit + permit-lifecycle audit.
-    permit_offer_accept: z.looseObject({
+    // `role_grant_create` is emitted alongside on accept — two events per accept by
+    // design: offer-lifecycle audit + role-grant-lifecycle audit.
+    role_grant_offer_accept: z.looseObject({
         offer_id: Uuid.meta({ description: 'Id of the accepted offer.' }),
-        permit_id: Uuid.meta({ description: 'Id of the resulting permit row.' }),
+        role_grant_id: Uuid.meta({ description: 'Id of the resulting role_grant row.' }),
         role: z.string().meta({ description: 'Role granted by the offer.' }),
         scope_id: Uuid.nullish().meta({
-            description: 'Scope of the resulting permit; null for global permits.',
+            description: 'Scope of the resulting role_grant; null for global role_grants.',
         }),
     }),
-    permit_offer_decline: z.looseObject({
+    role_grant_offer_decline: z.looseObject({
         offer_id: Uuid.meta({ description: 'Id of the declined offer.' }),
         role: z.string().meta({ description: 'Role that was offered.' }),
         scope_id: Uuid.nullish().meta({
@@ -194,14 +209,14 @@ export const AUDIT_METADATA_SCHEMAS = Object.freeze({
             .optional()
             .meta({ description: 'Optional decline reason text from the recipient.' }),
     }),
-    permit_offer_retract: z.looseObject({
+    role_grant_offer_retract: z.looseObject({
         offer_id: Uuid.meta({ description: 'Id of the retracted offer.' }),
         role: z.string().meta({ description: 'Role that was offered.' }),
         scope_id: Uuid.nullish().meta({
             description: 'Scope of the offered role; null for global offers.',
         }),
     }),
-    permit_offer_expire: z.looseObject({
+    role_grant_offer_expire: z.looseObject({
         offer_id: Uuid.meta({ description: 'Id of the expired offer.' }),
         role: z.string().meta({ description: 'Role that was offered.' }),
         scope_id: Uuid.nullish().meta({
@@ -210,19 +225,19 @@ export const AUDIT_METADATA_SCHEMAS = Object.freeze({
     }),
     // Emitted when an offer is obsoleted by an external event. `reason`
     // distinguishes the trigger; `cause_id` points to the accepted offer
-    // (for `sibling_accepted`), the revoked permit (for `permit_revoked`),
+    // (for `sibling_accepted`), the revoked role_grant (for `role_grant_revoked`),
     // or the destroyed parent scope row (for `scope_destroyed`).
-    permit_offer_supersede: z.looseObject({
+    role_grant_offer_supersede: z.looseObject({
         offer_id: Uuid.meta({ description: 'Id of the superseded offer.' }),
         role: z.string().meta({ description: 'Role that was offered.' }),
         scope_id: Uuid.nullish().meta({
             description: 'Scope of the offered role; null for global offers.',
         }),
-        reason: z.enum(['sibling_accepted', 'permit_revoked', 'scope_destroyed']).meta({
-            description: 'Trigger that obsoleted the offer: a sibling offer was accepted, the resulting permit was revoked, or the parent scope row was destroyed.',
+        reason: z.enum(['sibling_accepted', 'role_grant_revoked', 'scope_destroyed']).meta({
+            description: 'Trigger that obsoleted the offer: a sibling offer was accepted, the resulting role_grant was revoked, or the parent scope row was destroyed.',
         }),
         cause_id: Uuid.meta({
-            description: 'Row that caused the supersede: accepted offer (`sibling_accepted`), revoked permit (`permit_revoked`), or destroyed parent scope row (`scope_destroyed`).',
+            description: 'Row that caused the supersede: accepted offer (`sibling_accepted`), revoked role_grant (`role_grant_revoked`), or destroyed parent scope row (`scope_destroyed`).',
         }),
     }),
     invite_create: z.looseObject({
@@ -258,9 +273,9 @@ export const BUILTIN_AUDIT_LOG_CONFIG = Object.freeze({
  * Throws when an `extra_events` key collides with a builtin event type, or
  * fails `AuditEventTypeName` format validation.
  *
- * Call once at startup; pass the result to consumer-emitted
- * `audit_log_fire_and_forget` calls. Builtin handlers omit the argument and
- * pick up `BUILTIN_AUDIT_LOG_CONFIG`.
+ * Call once at startup; pass the result to `create_app_backend` (which
+ * threads it into `AppDeps.audit`). Builtin handlers omit the
+ * `audit_log_config` slot and pick up `BUILTIN_AUDIT_LOG_CONFIG`.
  *
  * @throws Error when an `extra_events` key collides with a builtin event type or fails `AuditEventTypeName` format validation
  */
@@ -311,6 +326,7 @@ export const AuditLogEventJson = z.strictObject({
     actor_id: Uuid.nullable(),
     account_id: Uuid.nullable(),
     target_account_id: Uuid.nullable(),
+    target_actor_id: Uuid.nullable(),
     ip: z.string().nullable(),
     created_at: z.string(),
     metadata: z.record(z.string(), z.unknown()).nullable(),
@@ -320,8 +336,8 @@ export const AuditLogEventWithUsernamesJson = AuditLogEventJson.extend({
     username: z.string().nullable(),
     target_username: z.string().nullable(),
 });
-/** Zod schema for permit history events with resolved usernames. */
-export const PermitHistoryEventJson = AuditLogEventJson.extend({
+/** Zod schema for role_grant history events with resolved usernames. */
+export const RoleGrantHistoryEventJson = AuditLogEventJson.extend({
     username: z.string().nullable(),
     target_username: z.string().nullable(),
 });
@@ -330,6 +346,17 @@ export const AdminSessionJson = AuthSessionJson.extend({
     username: z.string(),
 });
 // Schema DDL
+//
+// Multi-actor invariants the envelope columns assume:
+// - `actor_id` + `account_id`, when both populated, refer to the same
+//   account (derivable via `actor.account_id`). Denormalized for
+//   indexed audit queries; do not let them disagree.
+// - `target_actor_id` + `target_account_id`, same rule when both populated.
+// - `target_account_id` is the SSE/WS socket-close key — sessions stay
+//   account-grain after multi-actor lands, so this column carries
+//   the routing identity even on actor-bound events.
+// - `target_actor_id` is populated iff the event subject is actor-bound
+//   (see `AuditLogEvent.target_actor_id` doc-comment for the rule).
 export const AUDIT_LOG_SCHEMA = `
 CREATE TABLE IF NOT EXISTS audit_log (
   id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
@@ -339,6 +366,7 @@ CREATE TABLE IF NOT EXISTS audit_log (
   actor_id UUID REFERENCES actor(id) ON DELETE SET NULL,
   account_id UUID REFERENCES account(id) ON DELETE SET NULL,
   target_account_id UUID REFERENCES account(id) ON DELETE SET NULL,
+  target_actor_id UUID REFERENCES actor(id) ON DELETE SET NULL,
   ip TEXT,
   created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
   metadata JSONB
@@ -348,4 +376,5 @@ export const AUDIT_LOG_INDEXES = [
     `CREATE INDEX IF NOT EXISTS idx_audit_log_account ON audit_log(account_id)`,
     `CREATE INDEX IF NOT EXISTS idx_audit_log_event_type ON audit_log(event_type)`,
     `CREATE INDEX IF NOT EXISTS idx_audit_log_target_account ON audit_log(target_account_id)`,
+    `CREATE INDEX IF NOT EXISTS idx_audit_log_target_actor ON audit_log(target_actor_id)`,
 ];

package/dist/auth/auth_guard_resolver.d.ts

@@ -0,0 +1,44 @@
+/**
+ * Auth guard resolver for the route spec system.
+ *
+ * Maps the four-axis `RouteAuth` (`account` / `actor` / `roles` /
+ * `credential_types`) to two-phase middleware sets that
+ * `apply_route_specs` weaves into the per-route pipeline:
+ *
+ * - `pre_validation` runs before input validation. `require_auth` lands
+ *   here whenever `auth.account === 'required'` or `auth.actor ===
+ *   'required'` (per registry-time invariant 3, `actor: 'required'`
+ *   today implies a credential — accountless actors are out of scope
+ *   for v1). Pre-validation 401 fires before any body parsing so
+ *   unauthenticated callers never see route-shape information from
+ *   parse failures.
+ * - `post_authorization` runs after the dispatcher's authorization
+ *   phase has populated `RequestContext`. `require_role(roles)` fires
+ *   whenever `auth.roles?.length`. `require_credential_types(types)`
+ *   fires whenever `auth.credential_types?.length`.
+ *
+ * Public routes (`auth.account === 'none' && auth.actor === 'none'`)
+ * yield empty guard arrays. `'optional'` axes contribute no
+ * pre-validation 401; the authorization phase sets `RequestContext`
+ * to whatever the credential supports and the post-authorization
+ * gates decide whether the actor's role_grants / credential type match.
+ *
+ * @module
+ */
+import type { AuthGuardResolver } from '../http/route_spec.js';
+/**
+ * Standard auth guard resolver for fuz_app.
+ *
+ * Reads each axis of the four-axis `RouteAuth` shape and emits the
+ * corresponding middleware:
+ *
+ * - `account === 'required'` or `actor === 'required'` → pre-validation `require_auth`
+ * - `roles?.length` → post-authorization `require_role(roles)` (multi-role any-of)
+ * - `credential_types?.length` → post-authorization `require_credential_types(types)`
+ *
+ * Multiple post-authorization guards run in declaration order: credential
+ * type check first (since failing it implies the request can never
+ * resolve a usable identity), role check second.
+ */
+export declare const fuz_auth_guard_resolver: AuthGuardResolver;
+//# sourceMappingURL=auth_guard_resolver.d.ts.map

package/dist/auth/auth_guard_resolver.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth_guard_resolver.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/auth_guard_resolver.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AAGH,OAAO,KAAK,EAAC,iBAAiB,EAAC,MAAM,uBAAuB,CAAC;AAE7D;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,uBAAuB,EAAE,iBAerC,CAAC"}