@fuzdev/fuz_app 0.54.0 → 0.56.0

package/dist/auth/auth_guard_resolver.js

@@ -0,0 +1,56 @@
+/**
+ * Auth guard resolver for the route spec system.
+ *
+ * Maps the four-axis `RouteAuth` (`account` / `actor` / `roles` /
+ * `credential_types`) to two-phase middleware sets that
+ * `apply_route_specs` weaves into the per-route pipeline:
+ *
+ * - `pre_validation` runs before input validation. `require_auth` lands
+ *   here whenever `auth.account === 'required'` or `auth.actor ===
+ *   'required'` (per registry-time invariant 3, `actor: 'required'`
+ *   today implies a credential — accountless actors are out of scope
+ *   for v1). Pre-validation 401 fires before any body parsing so
+ *   unauthenticated callers never see route-shape information from
+ *   parse failures.
+ * - `post_authorization` runs after the dispatcher's authorization
+ *   phase has populated `RequestContext`. `require_role(roles)` fires
+ *   whenever `auth.roles?.length`. `require_credential_types(types)`
+ *   fires whenever `auth.credential_types?.length`.
+ *
+ * Public routes (`auth.account === 'none' && auth.actor === 'none'`)
+ * yield empty guard arrays. `'optional'` axes contribute no
+ * pre-validation 401; the authorization phase sets `RequestContext`
+ * to whatever the credential supports and the post-authorization
+ * gates decide whether the actor's role_grants / credential type match.
+ *
+ * @module
+ */
+import { require_auth, require_credential_types, require_role } from './request_context.js';
+/**
+ * Standard auth guard resolver for fuz_app.
+ *
+ * Reads each axis of the four-axis `RouteAuth` shape and emits the
+ * corresponding middleware:
+ *
+ * - `account === 'required'` or `actor === 'required'` → pre-validation `require_auth`
+ * - `roles?.length` → post-authorization `require_role(roles)` (multi-role any-of)
+ * - `credential_types?.length` → post-authorization `require_credential_types(types)`
+ *
+ * Multiple post-authorization guards run in declaration order: credential
+ * type check first (since failing it implies the request can never
+ * resolve a usable identity), role check second.
+ */
+export const fuz_auth_guard_resolver = (auth) => {
+    const pre_validation = [];
+    const post_authorization = [];
+    if (auth.account === 'required' || auth.actor === 'required') {
+        pre_validation.push(require_auth);
+    }
+    if (auth.credential_types?.length) {
+        post_authorization.push(require_credential_types(auth.credential_types));
+    }
+    if (auth.roles?.length) {
+        post_authorization.push(require_role(auth.roles));
+    }
+    return { pre_validation, post_authorization };
+};

package/dist/auth/bearer_auth.d.ts

@@ -18,18 +18,20 @@ import { type RateLimiter } from '../rate_limiter.js';
  * Create middleware that authenticates via bearer token.
  *
  * Soft-fails for invalid, expired, or empty tokens — calls `next()` without
- * setting a request context, letting downstream auth enforcement (per-action
- * `check_action_auth` or `require_auth`) return a consistent JSON-RPC or
- * route-level error. This avoids leaking token-specific diagnostics
+ * setting account identity, letting downstream auth enforcement (the RPC
+ * dispatcher's pre-validation / post-authorization auth gates or
+ * `require_auth`) return a consistent JSON-RPC or route-level error. This
+ * avoids leaking token-specific diagnostics
  * (`invalid_token`, `account_not_found`) that could aid enumeration attacks,
  * and ensures public actions are not blocked by bad credentials.
  *
  * Rejects bearer tokens when an `Origin` or `Referer` header is present —
  * browsers must use cookie auth to reduce attack surface.
  * Auth scheme matching is case-insensitive per RFC 7235.
- * On success, builds the request context (`{ account, actor, permits }`)
- * and sets it on the Hono context. Skips if a request context is already set
- * (e.g. by session middleware).
+ * On success, sets `c.var.auth_account_id`, `CREDENTIAL_TYPE_KEY = 'api_token'`,
+ * and `AUTH_API_TOKEN_ID_KEY`. Skips when an account is already authenticated
+ * (e.g. by session middleware). Acting-actor resolution + `RequestContext`
+ * construction are deferred to the dispatcher's authorization phase.
  *
  * Rate limiting (429) is the only hard-fail — it's a throttling concern
  * independent of auth identity.
@@ -37,7 +39,7 @@ import { type RateLimiter } from '../rate_limiter.js';
  * @param deps - query dependencies (pool-level db for middleware)
  * @param ip_rate_limiter - per-IP rate limiter for bearer token attempts (null to disable)
  * @param log - the logger instance
- * @mutates Hono context - sets `REQUEST_CONTEXT_KEY`, `CREDENTIAL_TYPE_KEY`, and `AUTH_API_TOKEN_ID_KEY` on success
+ * @mutates Hono context - sets `ACCOUNT_ID_KEY`, `CREDENTIAL_TYPE_KEY`, and `AUTH_API_TOKEN_ID_KEY` on success
  * @mutates `ip_rate_limiter` - records on attempt; resets on a valid token
  */
 export declare const create_bearer_auth_middleware: (deps: QueryDeps, ip_rate_limiter: RateLimiter | null, log: Logger) => MiddlewareHandler;

package/dist/auth/bearer_auth.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"bearer_auth.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/bearer_auth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,KAAK,EAAC,iBAAiB,EAAC,MAAM,MAAM,CAAC;AAC5C,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAKpD,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,qBAAqB,CAAC;AAEnD,OAAO,EAA+B,KAAK,WAAW,EAAC,MAAM,oBAAoB,CAAC;AAElF;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,eAAO,MAAM,6BAA6B,GACzC,MAAM,SAAS,EACf,iBAAiB,WAAW,GAAG,IAAI,EACnC,KAAK,MAAM,KACT,iBAsFF,CAAC"}
+{"version":3,"file":"bearer_auth.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/bearer_auth.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,KAAK,EAAC,iBAAiB,EAAC,MAAM,MAAM,CAAC;AAC5C,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAIpD,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,qBAAqB,CAAC;AAEnD,OAAO,EAA+B,KAAK,WAAW,EAAC,MAAM,oBAAoB,CAAC;AAElF;;;;;;;;;;;;;;;;;;;;;;;;;;;GA2BG;AACH,eAAO,MAAM,6BAA6B,GACzC,MAAM,SAAS,EACf,iBAAiB,WAAW,GAAG,IAAI,EACnC,KAAK,MAAM,KACT,iBA4EF,CAAC"}

package/dist/auth/bearer_auth.js

@@ -10,8 +10,7 @@
  *
  * @module
  */
-import { REQUEST_CONTEXT_KEY, build_request_context } from './request_context.js';
-import { AUTH_API_TOKEN_ID_KEY, CREDENTIAL_TYPE_KEY } from '../hono_context.js';
+import { AUTH_API_TOKEN_ID_KEY, ACCOUNT_ID_KEY, CREDENTIAL_TYPE_KEY } from '../hono_context.js';
 import { query_validate_api_token } from './api_token_queries.js';
 import { get_client_ip } from '../http/proxy.js';
 import { rate_limit_exceeded_response } from '../rate_limiter.js';
@@ -19,18 +18,20 @@ import { rate_limit_exceeded_response } from '../rate_limiter.js';
  * Create middleware that authenticates via bearer token.
  *
  * Soft-fails for invalid, expired, or empty tokens — calls `next()` without
- * setting a request context, letting downstream auth enforcement (per-action
- * `check_action_auth` or `require_auth`) return a consistent JSON-RPC or
- * route-level error. This avoids leaking token-specific diagnostics
+ * setting account identity, letting downstream auth enforcement (the RPC
+ * dispatcher's pre-validation / post-authorization auth gates or
+ * `require_auth`) return a consistent JSON-RPC or route-level error. This
+ * avoids leaking token-specific diagnostics
  * (`invalid_token`, `account_not_found`) that could aid enumeration attacks,
  * and ensures public actions are not blocked by bad credentials.
  *
  * Rejects bearer tokens when an `Origin` or `Referer` header is present —
  * browsers must use cookie auth to reduce attack surface.
  * Auth scheme matching is case-insensitive per RFC 7235.
- * On success, builds the request context (`{ account, actor, permits }`)
- * and sets it on the Hono context. Skips if a request context is already set
- * (e.g. by session middleware).
+ * On success, sets `c.var.auth_account_id`, `CREDENTIAL_TYPE_KEY = 'api_token'`,
+ * and `AUTH_API_TOKEN_ID_KEY`. Skips when an account is already authenticated
+ * (e.g. by session middleware). Acting-actor resolution + `RequestContext`
+ * construction are deferred to the dispatcher's authorization phase.
  *
  * Rate limiting (429) is the only hard-fail — it's a throttling concern
  * independent of auth identity.
@@ -38,13 +39,13 @@ import { rate_limit_exceeded_response } from '../rate_limiter.js';
  * @param deps - query dependencies (pool-level db for middleware)
  * @param ip_rate_limiter - per-IP rate limiter for bearer token attempts (null to disable)
  * @param log - the logger instance
- * @mutates Hono context - sets `REQUEST_CONTEXT_KEY`, `CREDENTIAL_TYPE_KEY`, and `AUTH_API_TOKEN_ID_KEY` on success
+ * @mutates Hono context - sets `ACCOUNT_ID_KEY`, `CREDENTIAL_TYPE_KEY`, and `AUTH_API_TOKEN_ID_KEY` on success
  * @mutates `ip_rate_limiter` - records on attempt; resets on a valid token
  */
 export const create_bearer_auth_middleware = (deps, ip_rate_limiter, log) => {
     return async (c, next) => {
-        // Skip if already authenticated via session
-        if (c.get(REQUEST_CONTEXT_KEY)) {
+        // Skip if an account is already authenticated (e.g. by session middleware)
+        if (c.get(ACCOUNT_ID_KEY) != null) {
             await next();
             return;
         }
@@ -97,16 +98,7 @@ export const create_bearer_auth_middleware = (deps, ip_rate_limiter, log) => {
         // Valid token — reset rate limit counter
         if (ip_rate_limiter)
             ip_rate_limiter.reset(ip);
-        // Build request context from the token's account
-        const ctx = await build_request_context(deps, api_token.account_id);
-        if (!ctx) {
-            // Token exists but account/actor missing — soft-fail to avoid
-            // leaking account lifecycle information.
-            log.debug('bearer auth soft-fail: account or actor not found for token');
-            await next();
-            return;
-        }
-        c.set(REQUEST_CONTEXT_KEY, ctx);
+        c.set(ACCOUNT_ID_KEY, api_token.account_id);
         c.set(CREDENTIAL_TYPE_KEY, 'api_token');
         c.set(AUTH_API_TOKEN_ID_KEY, api_token.id);
         await next();

package/dist/auth/bootstrap_account.d.ts

@@ -9,7 +9,7 @@
 import type { Logger } from '@fuzdev/fuz_util/log.js';
 import type { PasswordHashDeps } from './password.js';
 import { ERROR_INVALID_TOKEN, ERROR_ALREADY_BOOTSTRAPPED, ERROR_TOKEN_FILE_MISSING } from '../http/error_schemas.js';
-import type { Account, Actor, Permit } from './account_schema.js';
+import type { Account, Actor, RoleGrant } from './account_schema.js';
 import type { Db } from '../db/db.js';
 /** Input for the bootstrap account creation. */
 export interface BootstrapAccountInput {
@@ -21,9 +21,9 @@ export interface BootstrapAccountSuccess {
     ok: true;
     account: Account;
     actor: Actor;
-    permits: {
-        keeper: Permit;
-        admin: Permit;
+    role_grants: {
+        keeper: RoleGrant;
+        admin: RoleGrant;
     };
     /** Whether the bootstrap token file was successfully deleted after account creation. */
     token_file_deleted: boolean;
@@ -70,15 +70,15 @@ export interface BootstrapAccountDeps {
  * 2. Hash the password (CPU-intensive, before transaction)
  * 3. Acquire the bootstrap lock atomically (inside transaction)
  * 4. Create account + actor
- * 5. Grant keeper and admin permits (no expiry, `granted_by = null`)
+ * 5. Grant keeper and admin role_grants (no expiry, `granted_by = null`)
  * 6. Delete the token file (after commit, reported via `token_file_deleted`)
  *
  * @param deps - database, token path, filesystem callbacks, and password hashing
  * @param provided_token - the bootstrap token from the user
  * @param input - username and password
- * @returns the created account, actor, and permits — or a bootstrap failure
+ * @returns the created account, actor, and role_grants — or a bootstrap failure
  * @mutates `bootstrap_lock` row - flips `bootstrapped` to `true` atomically
- * @mutates `account` / `actor` / `permit` tables - inserts the bootstrap account, actor, and the keeper + admin permits
+ * @mutates `account` / `actor` / `role_grant` tables - inserts the bootstrap account, actor, and the keeper + admin role_grants
  * @mutates filesystem - deletes the bootstrap token file after commit (reported via `token_file_deleted`)
  */
 export declare const bootstrap_account: (deps: BootstrapAccountDeps, provided_token: string, input: BootstrapAccountInput) => Promise<BootstrapAccountResult>;

package/dist/auth/bootstrap_account.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"bootstrap_account.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/bootstrap_account.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAGH,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAEpD,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,eAAe,CAAC;AACpD,OAAO,EACN,mBAAmB,EACnB,0BAA0B,EAC1B,wBAAwB,EACxB,MAAM,0BAA0B,CAAC;AAElC,OAAO,KAAK,EAAC,OAAO,EAAE,KAAK,EAAE,MAAM,EAAC,MAAM,qBAAqB,CAAC;AAGhE,OAAO,KAAK,EAAC,EAAE,EAAC,MAAM,aAAa,CAAC;AAEpC,gDAAgD;AAChD,MAAM,WAAW,qBAAqB;IACrC,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;CACjB;AAED,6DAA6D;AAC7D,MAAM,WAAW,uBAAuB;IACvC,EAAE,EAAE,IAAI,CAAC;IACT,OAAO,EAAE,OAAO,CAAC;IACjB,KAAK,EAAE,KAAK,CAAC;IACb,OAAO,EAAE;QAAC,MAAM,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAA;KAAC,CAAC;IACzC,wFAAwF;IACxF,kBAAkB,EAAE,OAAO,CAAC;CAC5B;AAED,gCAAgC;AAChC,MAAM,MAAM,uBAAuB,GAChC;IAAC,EAAE,EAAE,KAAK,CAAC;IAAC,KAAK,EAAE,OAAO,0BAA0B,CAAC;IAAC,MAAM,EAAE,GAAG,CAAA;CAAC,GAClE;IAAC,EAAE,EAAE,KAAK,CAAC;IAAC,KAAK,EAAE,OAAO,wBAAwB,CAAC;IAAC,MAAM,EAAE,GAAG,CAAA;CAAC,GAChE;IAAC,EAAE,EAAE,KAAK,CAAC;IAAC,KAAK,EAAE,OAAO,mBAAmB,CAAC;IAAC,MAAM,EAAE,GAAG,CAAA;CAAC,CAAC;AAE/D,qFAAqF;AACrF,MAAM,MAAM,sBAAsB,GAAG,uBAAuB,GAAG,uBAAuB,CAAC;AAEvF;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACpC,EAAE,EAAE,EAAE,CAAC;IACP,gDAAgD;IAChD,UAAU,EAAE,MAAM,CAAC;IACnB,0CAA0C;IAC1C,cAAc,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;IAClD,qBAAqB;IACrB,WAAW,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IAC7C,6EAA6E;IAC7E,QAAQ,EAAE,IAAI,CAAC,gBAAgB,EAAE,eAAe,CAAC,CAAC;IAClD,kCAAkC;IAClC,GAAG,EAAE,MAAM,CAAC;CACZ;AAED;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,eAAO,MAAM,iBAAiB,GAC7B,MAAM,oBAAoB,EAC1B,gBAAgB,MAAM,EACtB,OAAO,qBAAqB,KAC1B,OAAO,CAAC,sBAAsB,CA4EhC,CAAC"}
+{"version":3,"file":"bootstrap_account.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/bootstrap_account.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAGH,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAEpD,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,eAAe,CAAC;AACpD,OAAO,EACN,mBAAmB,EACnB,0BAA0B,EAC1B,wBAAwB,EACxB,MAAM,0BAA0B,CAAC;AAElC,OAAO,KAAK,EAAC,OAAO,EAAE,KAAK,EAAE,SAAS,EAAC,MAAM,qBAAqB,CAAC;AAGnE,OAAO,KAAK,EAAC,EAAE,EAAC,MAAM,aAAa,CAAC;AAEpC,gDAAgD;AAChD,MAAM,WAAW,qBAAqB;IACrC,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;CACjB;AAED,6DAA6D;AAC7D,MAAM,WAAW,uBAAuB;IACvC,EAAE,EAAE,IAAI,CAAC;IACT,OAAO,EAAE,OAAO,CAAC;IACjB,KAAK,EAAE,KAAK,CAAC;IACb,WAAW,EAAE;QAAC,MAAM,EAAE,SAAS,CAAC;QAAC,KAAK,EAAE,SAAS,CAAA;KAAC,CAAC;IACnD,wFAAwF;IACxF,kBAAkB,EAAE,OAAO,CAAC;CAC5B;AAED,gCAAgC;AAChC,MAAM,MAAM,uBAAuB,GAChC;IAAC,EAAE,EAAE,KAAK,CAAC;IAAC,KAAK,EAAE,OAAO,0BAA0B,CAAC;IAAC,MAAM,EAAE,GAAG,CAAA;CAAC,GAClE;IAAC,EAAE,EAAE,KAAK,CAAC;IAAC,KAAK,EAAE,OAAO,wBAAwB,CAAC;IAAC,MAAM,EAAE,GAAG,CAAA;CAAC,GAChE;IAAC,EAAE,EAAE,KAAK,CAAC;IAAC,KAAK,EAAE,OAAO,mBAAmB,CAAC;IAAC,MAAM,EAAE,GAAG,CAAA;CAAC,CAAC;AAE/D,qFAAqF;AACrF,MAAM,MAAM,sBAAsB,GAAG,uBAAuB,GAAG,uBAAuB,CAAC;AAEvF;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACpC,EAAE,EAAE,EAAE,CAAC;IACP,gDAAgD;IAChD,UAAU,EAAE,MAAM,CAAC;IACnB,0CAA0C;IAC1C,cAAc,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,MAAM,CAAC,CAAC;IAClD,qBAAqB;IACrB,WAAW,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IAC7C,6EAA6E;IAC7E,QAAQ,EAAE,IAAI,CAAC,gBAAgB,EAAE,eAAe,CAAC,CAAC;IAClD,kCAAkC;IAClC,GAAG,EAAE,MAAM,CAAC;CACZ;AAED;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,eAAO,MAAM,iBAAiB,GAC7B,MAAM,oBAAoB,EAC1B,gBAAgB,MAAM,EACtB,OAAO,qBAAqB,KAC1B,OAAO,CAAC,sBAAsB,CA4EhC,CAAC"}

package/dist/auth/bootstrap_account.js

@@ -10,7 +10,7 @@ import { timingSafeEqual } from 'node:crypto';
 import { ERROR_INVALID_TOKEN, ERROR_ALREADY_BOOTSTRAPPED, ERROR_TOKEN_FILE_MISSING, } from '../http/error_schemas.js';
 import { ROLE_ADMIN, ROLE_KEEPER } from './role_schema.js';
 import { query_create_account_with_actor, query_account_has_any } from './account_queries.js';
-import { query_grant_permit } from './permit_queries.js';
+import { query_create_role_grant } from './role_grant_queries.js';
 /**
  * Bootstrap the first account with keeper and admin privileges.
  *
@@ -21,15 +21,15 @@ import { query_grant_permit } from './permit_queries.js';
  * 2. Hash the password (CPU-intensive, before transaction)
  * 3. Acquire the bootstrap lock atomically (inside transaction)
  * 4. Create account + actor
- * 5. Grant keeper and admin permits (no expiry, `granted_by = null`)
+ * 5. Grant keeper and admin role_grants (no expiry, `granted_by = null`)
  * 6. Delete the token file (after commit, reported via `token_file_deleted`)
  *
  * @param deps - database, token path, filesystem callbacks, and password hashing
  * @param provided_token - the bootstrap token from the user
  * @param input - username and password
- * @returns the created account, actor, and permits — or a bootstrap failure
+ * @returns the created account, actor, and role_grants — or a bootstrap failure
  * @mutates `bootstrap_lock` row - flips `bootstrapped` to `true` atomically
- * @mutates `account` / `actor` / `permit` tables - inserts the bootstrap account, actor, and the keeper + admin permits
+ * @mutates `account` / `actor` / `role_grant` tables - inserts the bootstrap account, actor, and the keeper + admin role_grants
  * @mutates filesystem - deletes the bootstrap token file after commit (reported via `token_file_deleted`)
  */
 export const bootstrap_account = async (deps, provided_token, input) => {
@@ -66,13 +66,13 @@ export const bootstrap_account = async (deps, provided_token, input) => {
             username: input.username,
             password_hash,
         });
-        const keeper_permit = await query_grant_permit(tx_deps, {
+        const keeper_role_grant = await query_create_role_grant(tx_deps, {
             actor_id: actor.id,
             role: ROLE_KEEPER,
             granted_by: null,
             expires_at: null,
         });
-        const admin_permit = await query_grant_permit(tx_deps, {
+        const admin_role_grant = await query_create_role_grant(tx_deps, {
             actor_id: actor.id,
             role: ROLE_ADMIN,
             granted_by: null,
@@ -82,7 +82,7 @@ export const bootstrap_account = async (deps, provided_token, input) => {
             ok: true,
             account,
             actor,
-            permits: { keeper: keeper_permit, admin: admin_permit },
+            role_grants: { keeper: keeper_role_grant, admin: admin_role_grant },
         };
     });
     if (!tx_result.ok)

package/dist/auth/bootstrap_routes.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"bootstrap_routes.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/bootstrap_routes.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AACtB,OAAO,KAAK,EAAC,OAAO,EAAC,MAAM,MAAM,CAAC;AAClC,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAEpD,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,qBAAqB,CAAC;AAExD,OAAO,EAAoB,KAAK,uBAAuB,EAAC,MAAM,wBAAwB,CAAC;AAGvF,OAAO,KAAK,EAAC,EAAE,EAAC,MAAM,aAAa,CAAC;AACpC,OAAO,EAAkB,KAAK,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAEtE,OAAO,EAA+B,KAAK,WAAW,EAAC,MAAM,oBAAoB,CAAC;AAClF,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,WAAW,CAAC;AAChD,OAAO,KAAK,EAAC,UAAU,EAAC,MAAM,oBAAoB,CAAC;AAanD,gFAAgF;AAChF,eAAO,MAAM,cAAc;;;;kBAIzB,CAAC;AACH,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,cAAc,CAAC,CAAC;AAE5D,iFAAiF;AACjF,eAAO,MAAM,eAAe;;;kBAG1B,CAAC;AACH,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,eAAe,CAAC,CAAC;AAE9D;;GAEG;AACH,MAAM,WAAW,eAAe;IAC/B,SAAS,EAAE,OAAO,CAAC;IACnB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;CAC1B;AAED;;;;;GAKG;AACH,MAAM,WAAW,qBAAqB;IACrC,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,8EAA8E;IAC9E,gBAAgB,EAAE,eAAe,CAAC;IAClC;;;OAGG;IACH,YAAY,CAAC,EAAE,CAAC,MAAM,EAAE,uBAAuB,EAAE,CAAC,EAAE,OAAO,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IAC9E,4EAA4E;IAC5E,eAAe,EAAE,WAAW,GAAG,IAAI,CAAC;CACpC;AAED;;GAEG;AACH,MAAM,WAAW,wBAAwB;IACxC,IAAI,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC,CAAC;IACnD,EAAE,EAAE,EAAE,CAAC;IACP,GAAG,EAAE,MAAM,CAAC;CACZ;AAED;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,sBAAsB,GAClC,MAAM,wBAAwB,EAC9B,SAAS;IAAC,UAAU,EAAE,MAAM,GAAG,IAAI,CAAA;CAAC,KAClC,OAAO,CAAC,eAAe,CAwBzB,CAAC;AAEF;;;;;;GAMG;AACH,eAAO,MAAM,4BAA4B,GACxC,MAAM,gBAAgB,EACtB,SAAS,qBAAqB,KAC5B,KAAK,CAAC,SAAS,CAuHjB,CAAC"}
+{"version":3,"file":"bootstrap_routes.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/bootstrap_routes.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AACtB,OAAO,KAAK,EAAC,OAAO,EAAC,MAAM,MAAM,CAAC;AAClC,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAEpD,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,qBAAqB,CAAC;AAExD,OAAO,EAAoB,KAAK,uBAAuB,EAAC,MAAM,wBAAwB,CAAC;AAGvF,OAAO,KAAK,EAAC,EAAE,EAAC,MAAM,aAAa,CAAC;AACpC,OAAO,EAAkB,KAAK,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAEtE,OAAO,EAA+B,KAAK,WAAW,EAAC,MAAM,oBAAoB,CAAC;AAClF,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,WAAW,CAAC;AAChD,OAAO,KAAK,EAAC,UAAU,EAAC,MAAM,oBAAoB,CAAC;AAYnD,gFAAgF;AAChF,eAAO,MAAM,cAAc;;;;kBAIzB,CAAC;AACH,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,cAAc,CAAC,CAAC;AAE5D,iFAAiF;AACjF,eAAO,MAAM,eAAe;;;kBAG1B,CAAC;AACH,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,eAAe,CAAC,CAAC;AAE9D;;GAEG;AACH,MAAM,WAAW,eAAe;IAC/B,SAAS,EAAE,OAAO,CAAC;IACnB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;CAC1B;AAED;;;;;GAKG;AACH,MAAM,WAAW,qBAAqB;IACrC,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,8EAA8E;IAC9E,gBAAgB,EAAE,eAAe,CAAC;IAClC;;;OAGG;IACH,YAAY,CAAC,EAAE,CAAC,MAAM,EAAE,uBAAuB,EAAE,CAAC,EAAE,OAAO,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IAC9E,4EAA4E;IAC5E,eAAe,EAAE,WAAW,GAAG,IAAI,CAAC;CACpC;AAED;;GAEG;AACH,MAAM,WAAW,wBAAwB;IACxC,IAAI,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,OAAO,CAAC,UAAU,GAAG,IAAI,CAAC,CAAC;IACnD,EAAE,EAAE,EAAE,CAAC;IACP,GAAG,EAAE,MAAM,CAAC;CACZ;AAED;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,sBAAsB,GAClC,MAAM,wBAAwB,EAC9B,SAAS;IAAC,UAAU,EAAE,MAAM,GAAG,IAAI,CAAA;CAAC,KAClC,OAAO,CAAC,eAAe,CAwBzB,CAAC;AAEF;;;;;;GAMG;AACH,eAAO,MAAM,4BAA4B,GACxC,MAAM,gBAAgB,EACtB,SAAS,qBAAqB,KAC5B,KAAK,CAAC,SAAS,CAiHjB,CAAC"}

package/dist/auth/bootstrap_routes.js

@@ -7,15 +7,14 @@
  * @module
  */
 import { z } from 'zod';
-import { create_session_and_set_cookie } from './session_lifecycle.js';
+import { create_session_and_set_cookie } from './session_middleware.js';
 import { bootstrap_account } from './bootstrap_account.js';
-import { Username } from './account_schema.js';
+import { Username } from '../primitive_schemas.js';
 import { Password } from './password.js';
 import { get_route_input } from '../http/route_spec.js';
 import { get_client_ip } from '../http/proxy.js';
 import { rate_limit_exceeded_response } from '../rate_limiter.js';
 import { ERROR_BOOTSTRAP_NOT_CONFIGURED, ERROR_INVALID_TOKEN, ERROR_ALREADY_BOOTSTRAPPED, ERROR_TOKEN_FILE_MISSING, ERROR_INVALID_JSON_BODY, ERROR_INVALID_REQUEST_BODY, } from '../http/error_schemas.js';
-import { audit_log_fire_and_forget } from './audit_log_queries.js';
 // -- Input/output schemas ---------------------------------------------------
 /** Input for `POST /bootstrap`. `token` is the one-shot token file contents. */
 export const BootstrapInput = z.strictObject({
@@ -74,7 +73,7 @@ export const create_bootstrap_route_specs = (deps, options) => {
         {
             method: 'POST',
             path: '/bootstrap',
-            auth: { type: 'none' },
+            auth: { account: 'none', actor: 'none' },
             description: 'Create initial keeper account (one-shot)',
             transaction: false, // bootstrap_account manages its own transaction
             input: BootstrapInput,
@@ -107,8 +106,10 @@ export const create_bootstrap_route_specs = (deps, options) => {
                 if (token_path === null) {
                     return c.json({ error: ERROR_BOOTSTRAP_NOT_CONFIGURED }, 404);
                 }
+                // `transaction: false` makes `route.db` the pool. `bootstrap_account`
+                // manages its own transaction internally.
                 const result = await bootstrap_account({
-                    db: route.background_db,
+                    db: route.db,
                     token_path,
                     read_text_file: deps.read_text_file,
                     delete_file: deps.delete_file,
@@ -118,12 +119,12 @@ export const create_bootstrap_route_specs = (deps, options) => {
                 if (!result.ok) {
                     if (ip_rate_limiter && ip)
                         ip_rate_limiter.record(ip);
-                    void audit_log_fire_and_forget(route, {
+                    deps.audit.emit(route, {
                         event_type: 'bootstrap',
                         outcome: 'failure',
                         ip: get_client_ip(c),
                         metadata: { error: result.error },
-                    }, deps);
+                    });
                     return c.json({ error: result.error }, result.status);
                 }
                 // Successful bootstrap — update state immediately
@@ -132,7 +133,7 @@ export const create_bootstrap_route_specs = (deps, options) => {
                 bootstrap_status.available = false;
                 await create_session_and_set_cookie({
                     keyring,
-                    deps: { db: route.background_db },
+                    deps: { db: route.db },
                     c,
                     account_id: result.account.id,
                     session_options,
@@ -145,12 +146,12 @@ export const create_bootstrap_route_specs = (deps, options) => {
                         deps.log.error(`on_bootstrap callback failed: ${err instanceof Error ? err.message : String(err)}`);
                     }
                 }
-                void audit_log_fire_and_forget(route, {
+                deps.audit.emit(route, {
                     event_type: 'bootstrap',
                     actor_id: result.actor.id,
                     account_id: result.account.id,
                     ip: get_client_ip(c),
-                }, deps);
+                });
                 // CRITICAL: If token file deletion failed, throw to force operator attention.
                 // All success work (session, on_bootstrap, audit) has completed above.
                 // The error response alerts the operator to delete the token file manually.

package/dist/auth/cleanup.d.ts

@@ -1,17 +1,17 @@
 /**
- * Periodic auth cleanup — sweeps expired sessions and permit offers.
+ * Periodic auth cleanup — sweeps expired sessions and role_grant offers.
  *
  * Single entry point for consumers scheduling auth maintenance. Internally
  * runs every known sweep and emits the corresponding audit events so
  * consumer code only manages cadence, not per-task wiring.
  *
  * The per-task primitives remain exported from their home modules
- * (`query_session_cleanup_expired`, `query_permit_offer_sweep_expired`);
- * `cleanup_expired_permit_offers` here wraps the latter with the required
- * `permit_offer_expire` audit emission and is the piece most likely to be
+ * (`query_session_cleanup_expired`, `query_role_grant_offer_sweep_expired`);
+ * `cleanup_expired_role_grant_offers` here wraps the latter with the required
+ * `role_grant_offer_expire` audit emission and is the piece most likely to be
  * reused in a consumer's bespoke scheduler.
  *
- * Idempotency: the audit log has no tombstone on `permit_offer_expire`, so
+ * Idempotency: the audit log has no tombstone on `role_grant_offer_expire`, so
  * concurrent sweep runs double-audit. The expected deployment pattern is a
  * single scheduled invocation per instance — matching
  * `query_session_cleanup_expired`.
@@ -20,57 +20,51 @@
  */
 import type { Logger } from '@fuzdev/fuz_util/log.js';
 import type { QueryDeps } from '../db/query_deps.js';
-import type { AuditLogConfig, AuditLogEvent } from './audit_log_schema.js';
+import type { AuditEmitter } from './audit_emitter.js';
 /** Dependencies for the cleanup helpers. */
 export interface AuthCleanupDeps extends QueryDeps {
     log: Logger;
     /**
-     * Called after each audit event INSERT succeeds. Typically the same
-     * callback wired into `AppDeps.on_audit_event` (SSE broadcast). Omit
-     * to skip broadcast — the audit rows still land in the DB.
+     * Bound audit emitter. `cleanup_expired_role_grant_offers` writes via
+     * `audit.emit_pool` (the captured pool + config + listener chain), so
+     * one slot covers both row persistence and SSE/WS fan-out. Required —
+     * production wiring always has a bound emitter on `AppDeps.audit`, and
+     * tests that need a no-op pass `create_test_audit_emitter()`.
      */
-    on_audit_event?: ((event: AuditLogEvent) => void) | null;
-    /**
-     * Audit-log config. Only the builtin `permit_offer_expire` event type is
-     * emitted here, so omitting this is safe — the field exists so consumers
-     * threading the same `AppDeps` bundle to scheduled cleanup keep using
-     * their registered config (and consumer extensions to the
-     * `permit_offer_expire` metadata schema get validated).
-     */
-    audit_log_config?: AuditLogConfig;
+    audit: AuditEmitter;
 }
 /** Result of `run_auth_cleanup`. */
 export interface AuthCleanupResult {
     /** Number of expired session rows deleted. */
     expired_sessions: number;
-    /** Number of expired permit offer rows audit-stamped. */
+    /** Number of expired role_grant offer rows audit-stamped. */
     expired_offers: number;
 }
 /**
- * Sweep expired permit offers and emit one `permit_offer_expire` audit
+ * Sweep expired role_grant offers and emit one `role_grant_offer_expire` audit
  * event per row.
  *
  * Returns the count of offers audit-stamped. The offer rows themselves are
  * preserved — offers carry audit value for the history view even after
- * expiry, and accepted rows are the provenance for the resulting permit
+ * expiry, and accepted rows are the provenance for the resulting role_grant
  * (deleting expired rows would not threaten that, but keeping them uniform
  * with the retention policy for terminal rows is simpler).
  *
- * @mutates `audit_log` table - inserts one `permit_offer_expire` row per swept offer
+ * @mutates `audit_log` table - inserts one `role_grant_offer_expire` row per swept offer
  */
-export declare const cleanup_expired_permit_offers: (deps: AuthCleanupDeps) => Promise<number>;
+export declare const cleanup_expired_role_grant_offers: (deps: AuthCleanupDeps) => Promise<number>;
 /**
- * Run every auth cleanup sweep — expired sessions and expired permit
+ * Run every auth cleanup sweep — expired sessions and expired role_grant
  * offers — and return the counts.
  *
  * Consumers call this from a scheduled task (setInterval, cron, etc.)
  * alongside their own domain cleanup. Errors from individual sweeps are
  * re-thrown so the caller's scheduler can log/alert; use the per-task
- * helpers (`query_session_cleanup_expired`, `cleanup_expired_permit_offers`)
+ * helpers (`query_session_cleanup_expired`, `cleanup_expired_role_grant_offers`)
  * directly if you need finer error isolation.
  *
  * @mutates `auth_session` table - deletes expired sessions
- * @mutates `audit_log` table - emits `permit_offer_expire` rows for expired offers
+ * @mutates `audit_log` table - emits `role_grant_offer_expire` rows for expired offers
  * @throws Error re-thrown from any sweep that fails (no per-sweep isolation here)
  */
 export declare const run_auth_cleanup: (deps: AuthCleanupDeps) => Promise<AuthCleanupResult>;

package/dist/auth/cleanup.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"cleanup.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/cleanup.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAEH,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAEpD,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,qBAAqB,CAAC;AAInD,OAAO,KAAK,EAAC,cAAc,EAAE,aAAa,EAAC,MAAM,uBAAuB,CAAC;AAEzE,4CAA4C;AAC5C,MAAM,WAAW,eAAgB,SAAQ,SAAS;IACjD,GAAG,EAAE,MAAM,CAAC;IACZ;;;;OAIG;IACH,cAAc,CAAC,EAAE,CAAC,CAAC,KAAK,EAAE,aAAa,KAAK,IAAI,CAAC,GAAG,IAAI,CAAC;IACzD;;;;;;OAMG;IACH,gBAAgB,CAAC,EAAE,cAAc,CAAC;CAClC;AAED,oCAAoC;AACpC,MAAM,WAAW,iBAAiB;IACjC,8CAA8C;IAC9C,gBAAgB,EAAE,MAAM,CAAC;IACzB,yDAAyD;IACzD,cAAc,EAAE,MAAM,CAAC;CACvB;AAED;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,6BAA6B,GAAU,MAAM,eAAe,KAAG,OAAO,CAAC,MAAM,CAiCzF,CAAC;AAEF;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,gBAAgB,GAAU,MAAM,eAAe,KAAG,OAAO,CAAC,iBAAiB,CAIvF,CAAC"}
+{"version":3,"file":"cleanup.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/cleanup.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAEH,OAAO,KAAK,EAAC,MAAM,EAAC,MAAM,yBAAyB,CAAC;AAEpD,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,qBAAqB,CAAC;AAGnD,OAAO,KAAK,EAAC,YAAY,EAAC,MAAM,oBAAoB,CAAC;AAErD,4CAA4C;AAC5C,MAAM,WAAW,eAAgB,SAAQ,SAAS;IACjD,GAAG,EAAE,MAAM,CAAC;IACZ;;;;;;OAMG;IACH,KAAK,EAAE,YAAY,CAAC;CACpB;AAED,oCAAoC;AACpC,MAAM,WAAW,iBAAiB;IACjC,8CAA8C;IAC9C,gBAAgB,EAAE,MAAM,CAAC;IACzB,6DAA6D;IAC7D,cAAc,EAAE,MAAM,CAAC;CACvB;AAED;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,iCAAiC,GAAU,MAAM,eAAe,KAAG,OAAO,CAAC,MAAM,CAuB7F,CAAC;AAEF;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,gBAAgB,GAAU,MAAM,eAAe,KAAG,OAAO,CAAC,iBAAiB,CAIvF,CAAC"}

package/dist/auth/cleanup.js

@@ -1,17 +1,17 @@
 /**
- * Periodic auth cleanup — sweeps expired sessions and permit offers.
+ * Periodic auth cleanup — sweeps expired sessions and role_grant offers.
  *
  * Single entry point for consumers scheduling auth maintenance. Internally
  * runs every known sweep and emits the corresponding audit events so
  * consumer code only manages cadence, not per-task wiring.
  *
  * The per-task primitives remain exported from their home modules
- * (`query_session_cleanup_expired`, `query_permit_offer_sweep_expired`);
- * `cleanup_expired_permit_offers` here wraps the latter with the required
- * `permit_offer_expire` audit emission and is the piece most likely to be
+ * (`query_session_cleanup_expired`, `query_role_grant_offer_sweep_expired`);
+ * `cleanup_expired_role_grant_offers` here wraps the latter with the required
+ * `role_grant_offer_expire` audit emission and is the piece most likely to be
  * reused in a consumer's bespoke scheduler.
  *
- * Idempotency: the audit log has no tombstone on `permit_offer_expire`, so
+ * Idempotency: the audit log has no tombstone on `role_grant_offer_expire`, so
  * concurrent sweep runs double-audit. The expected deployment pattern is a
  * single scheduled invocation per instance — matching
  * `query_session_cleanup_expired`.
@@ -19,68 +19,59 @@
  * @module
  */
 import { query_session_cleanup_expired } from './session_queries.js';
-import { query_permit_offer_sweep_expired } from './permit_offer_queries.js';
-import { query_audit_log } from './audit_log_queries.js';
+import { query_role_grant_offer_sweep_expired } from './role_grant_offer_queries.js';
 /**
- * Sweep expired permit offers and emit one `permit_offer_expire` audit
+ * Sweep expired role_grant offers and emit one `role_grant_offer_expire` audit
  * event per row.
  *
  * Returns the count of offers audit-stamped. The offer rows themselves are
  * preserved — offers carry audit value for the history view even after
- * expiry, and accepted rows are the provenance for the resulting permit
+ * expiry, and accepted rows are the provenance for the resulting role_grant
  * (deleting expired rows would not threaten that, but keeping them uniform
  * with the retention policy for terminal rows is simpler).
  *
- * @mutates `audit_log` table - inserts one `permit_offer_expire` row per swept offer
+ * @mutates `audit_log` table - inserts one `role_grant_offer_expire` row per swept offer
  */
-export const cleanup_expired_permit_offers = async (deps) => {
-    const expired = await query_permit_offer_sweep_expired(deps);
-    const { on_audit_event, audit_log_config } = deps;
+export const cleanup_expired_role_grant_offers = async (deps) => {
+    const expired = await query_role_grant_offer_sweep_expired(deps);
     for (const offer of expired) {
-        try {
-            const event = await query_audit_log(deps, {
-                event_type: 'permit_offer_expire',
-                actor_id: offer.from_actor_id,
-                target_account_id: offer.to_account_id,
-                ip: null,
-                metadata: {
-                    offer_id: offer.id,
-                    role: offer.role,
-                    scope_id: offer.scope_id,
-                },
-            }, audit_log_config);
-            if (on_audit_event) {
-                try {
-                    on_audit_event(event);
-                }
-                catch (callback_err) {
-                    deps.log.error('on_audit_event callback failed:', callback_err);
-                }
-            }
-        }
-        catch (err) {
-            // One failed audit write must not starve siblings — log and continue.
-            deps.log.error('permit_offer_expire audit write failed:', err);
-        }
+        // `role_grant_offer_expire` populates `target_actor_id` only when the
+        // offer was actor-targeted (`to_actor_id` set at create time).
+        // Account-grain offers (no `to_actor_id`) never bound to a
+        // specific actor and leave the field null.
+        // `emit_pool` swallows + logs both write errors and per-listener
+        // throws, so a single bad row never starves the rest of the sweep.
+        await deps.audit.emit_pool({
+            event_type: 'role_grant_offer_expire',
+            actor_id: offer.from_actor_id,
+            target_account_id: offer.to_account_id,
+            target_actor_id: offer.to_actor_id,
+            ip: null,
+            metadata: {
+                offer_id: offer.id,
+                role: offer.role,
+                scope_id: offer.scope_id,
+            },
+        });
     }
     return expired.length;
 };
 /**
- * Run every auth cleanup sweep — expired sessions and expired permit
+ * Run every auth cleanup sweep — expired sessions and expired role_grant
  * offers — and return the counts.
  *
  * Consumers call this from a scheduled task (setInterval, cron, etc.)
  * alongside their own domain cleanup. Errors from individual sweeps are
  * re-thrown so the caller's scheduler can log/alert; use the per-task
- * helpers (`query_session_cleanup_expired`, `cleanup_expired_permit_offers`)
+ * helpers (`query_session_cleanup_expired`, `cleanup_expired_role_grant_offers`)
  * directly if you need finer error isolation.
  *
  * @mutates `auth_session` table - deletes expired sessions
- * @mutates `audit_log` table - emits `permit_offer_expire` rows for expired offers
+ * @mutates `audit_log` table - emits `role_grant_offer_expire` rows for expired offers
  * @throws Error re-thrown from any sweep that fails (no per-sweep isolation here)
  */
 export const run_auth_cleanup = async (deps) => {
     const expired_sessions = await query_session_cleanup_expired(deps);
-    const expired_offers = await cleanup_expired_permit_offers(deps);
+    const expired_offers = await cleanup_expired_role_grant_offers(deps);
     return { expired_sessions, expired_offers };
 };