npm - @fuzdev/fuz_app - Versions diffs - 0.54.0 → 0.56.0 - Mend

@fuzdev/fuz_app 0.54.0 → 0.56.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (348) hide show

package/dist/actions/CLAUDE.md +214 -103
package/dist/actions/action_bridge.d.ts +8 -5
package/dist/actions/action_bridge.d.ts.map +1 -1
package/dist/actions/action_bridge.js +1 -11
package/dist/actions/action_codegen.d.ts +32 -0
package/dist/actions/action_codegen.d.ts.map +1 -1
package/dist/actions/action_codegen.js +35 -15
package/dist/actions/action_registry.d.ts.map +1 -1
package/dist/actions/action_registry.js +5 -2
package/dist/actions/action_rpc.d.ts +141 -22
package/dist/actions/action_rpc.d.ts.map +1 -1
package/dist/actions/action_rpc.js +106 -187
package/dist/actions/action_spec.d.ts +55 -16
package/dist/actions/action_spec.d.ts.map +1 -1
package/dist/actions/action_spec.js +16 -11
package/dist/actions/action_types.d.ts +28 -60
package/dist/actions/action_types.d.ts.map +1 -1
package/dist/actions/action_types.js +13 -5
package/dist/actions/broadcast_api.d.ts +2 -2
package/dist/actions/broadcast_api.js +2 -2
package/dist/actions/compile_action_registry.d.ts +50 -0
package/dist/actions/compile_action_registry.d.ts.map +1 -0
package/dist/actions/compile_action_registry.js +69 -0
package/dist/actions/heartbeat.d.ts +8 -4
package/dist/actions/heartbeat.d.ts.map +1 -1
package/dist/actions/heartbeat.js +5 -4
package/dist/actions/perform_action.d.ts +145 -0
package/dist/actions/perform_action.d.ts.map +1 -0
package/dist/actions/perform_action.js +258 -0
package/dist/actions/register_action_ws.d.ts +46 -40
package/dist/actions/register_action_ws.d.ts.map +1 -1
package/dist/actions/register_action_ws.js +101 -159
package/dist/actions/register_ws_endpoint.d.ts +15 -10
package/dist/actions/register_ws_endpoint.d.ts.map +1 -1
package/dist/actions/register_ws_endpoint.js +54 -7
package/dist/actions/transports.d.ts.map +1 -1
package/dist/actions/transports.js +0 -4
package/dist/actions/transports_ws_auth_guard.d.ts +1 -1
package/dist/actions/transports_ws_auth_guard.js +1 -1
package/dist/actions/transports_ws_backend.d.ts +1 -1
package/dist/actions/transports_ws_backend.js +1 -1
package/dist/auth/CLAUDE.md +794 -410
package/dist/auth/account_action_specs.d.ts +28 -7
package/dist/auth/account_action_specs.d.ts.map +1 -1
package/dist/auth/account_action_specs.js +7 -7
package/dist/auth/account_actions.d.ts +7 -13
package/dist/auth/account_actions.d.ts.map +1 -1
package/dist/auth/account_actions.js +26 -35
package/dist/auth/account_queries.d.ts +52 -16
package/dist/auth/account_queries.d.ts.map +1 -1
package/dist/auth/account_queries.js +87 -38
package/dist/auth/account_routes.d.ts +9 -11
package/dist/auth/account_routes.d.ts.map +1 -1
package/dist/auth/account_routes.js +118 -46
package/dist/auth/account_schema.d.ts +46 -35
package/dist/auth/account_schema.d.ts.map +1 -1
package/dist/auth/account_schema.js +21 -28
package/dist/auth/admin_action_specs.d.ts +100 -32
package/dist/auth/admin_action_specs.d.ts.map +1 -1
package/dist/auth/admin_action_specs.js +64 -33
package/dist/auth/admin_actions.d.ts +13 -19
package/dist/auth/admin_actions.d.ts.map +1 -1
package/dist/auth/admin_actions.js +37 -41
package/dist/auth/audit_emitter.d.ts +160 -0
package/dist/auth/audit_emitter.d.ts.map +1 -0
package/dist/auth/audit_emitter.js +83 -0
package/dist/auth/audit_log_queries.d.ts +17 -48
package/dist/auth/audit_log_queries.d.ts.map +1 -1
package/dist/auth/audit_log_queries.js +20 -56
package/dist/auth/audit_log_routes.d.ts +1 -1
package/dist/auth/audit_log_routes.d.ts.map +1 -1
package/dist/auth/audit_log_routes.js +7 -3
package/dist/auth/audit_log_schema.d.ts +92 -32
package/dist/auth/audit_log_schema.d.ts.map +1 -1
package/dist/auth/audit_log_schema.js +75 -46
package/dist/auth/auth_guard_resolver.d.ts +44 -0
package/dist/auth/auth_guard_resolver.d.ts.map +1 -0
package/dist/auth/auth_guard_resolver.js +56 -0
package/dist/auth/bearer_auth.d.ts +9 -7
package/dist/auth/bearer_auth.d.ts.map +1 -1
package/dist/auth/bearer_auth.js +13 -21
package/dist/auth/bootstrap_account.d.ts +7 -7
package/dist/auth/bootstrap_account.d.ts.map +1 -1
package/dist/auth/bootstrap_account.js +7 -7
package/dist/auth/bootstrap_routes.d.ts.map +1 -1
package/dist/auth/bootstrap_routes.js +11 -10
package/dist/auth/cleanup.d.ts +20 -26
package/dist/auth/cleanup.d.ts.map +1 -1
package/dist/auth/cleanup.js +33 -42
package/dist/auth/credential_type_schema.d.ts +115 -0
package/dist/auth/credential_type_schema.d.ts.map +1 -0
package/dist/auth/credential_type_schema.js +127 -0
package/dist/auth/daemon_token_middleware.d.ts +23 -11
package/dist/auth/daemon_token_middleware.d.ts.map +1 -1
package/dist/auth/daemon_token_middleware.js +28 -22
package/dist/auth/ddl.d.ts +2 -2
package/dist/auth/ddl.d.ts.map +1 -1
package/dist/auth/ddl.js +6 -6
package/dist/auth/deps.d.ts +7 -18
package/dist/auth/deps.d.ts.map +1 -1
package/dist/auth/grant_path_schema.d.ts +117 -0
package/dist/auth/grant_path_schema.d.ts.map +1 -0
package/dist/auth/grant_path_schema.js +137 -0
package/dist/auth/invite_queries.d.ts +12 -1
package/dist/auth/invite_queries.d.ts.map +1 -1
package/dist/auth/invite_queries.js +12 -1
package/dist/auth/invite_schema.d.ts +1 -1
package/dist/auth/invite_schema.d.ts.map +1 -1
package/dist/auth/invite_schema.js +1 -1
package/dist/auth/middleware.d.ts.map +1 -1
package/dist/auth/middleware.js +9 -4
package/dist/auth/migrations.d.ts +37 -14
package/dist/auth/migrations.d.ts.map +1 -1
package/dist/auth/migrations.js +79 -32
package/dist/auth/request_context.d.ts +331 -61
package/dist/auth/request_context.d.ts.map +1 -1
package/dist/auth/request_context.js +378 -95
package/dist/auth/{permit_offer_action_specs.d.ts → role_grant_offer_action_specs.d.ts} +163 -94
package/dist/auth/role_grant_offer_action_specs.d.ts.map +1 -0
package/dist/auth/role_grant_offer_action_specs.js +262 -0
package/dist/auth/role_grant_offer_actions.d.ts +104 -0
package/dist/auth/role_grant_offer_actions.d.ts.map +1 -0
package/dist/auth/role_grant_offer_actions.js +473 -0
package/dist/auth/{permit_offer_notifications.d.ts → role_grant_offer_notifications.d.ts} +90 -70
package/dist/auth/role_grant_offer_notifications.d.ts.map +1 -0
package/dist/auth/role_grant_offer_notifications.js +182 -0
package/dist/auth/role_grant_offer_queries.d.ts +242 -0
package/dist/auth/role_grant_offer_queries.d.ts.map +1 -0
package/dist/auth/role_grant_offer_queries.js +533 -0
package/dist/auth/role_grant_offer_schema.d.ts +150 -0
package/dist/auth/role_grant_offer_schema.d.ts.map +1 -0
package/dist/auth/{permit_offer_schema.js → role_grant_offer_schema.js} +60 -36
package/dist/auth/role_grant_queries.d.ts +231 -0
package/dist/auth/role_grant_queries.d.ts.map +1 -0
package/dist/auth/role_grant_queries.js +320 -0
package/dist/auth/role_schema.d.ts +150 -40
package/dist/auth/role_schema.d.ts.map +1 -1
package/dist/auth/role_schema.js +144 -45
package/dist/auth/scope_kind_schema.d.ts +96 -0
package/dist/auth/scope_kind_schema.d.ts.map +1 -0
package/dist/auth/scope_kind_schema.js +94 -0
package/dist/auth/self_service_role_action_specs.d.ts +6 -1
package/dist/auth/self_service_role_action_specs.d.ts.map +1 -1
package/dist/auth/self_service_role_action_specs.js +3 -1
package/dist/auth/self_service_role_actions.d.ts +34 -27
package/dist/auth/self_service_role_actions.d.ts.map +1 -1
package/dist/auth/self_service_role_actions.js +68 -48
package/dist/auth/session_cookie.d.ts +43 -6
package/dist/auth/session_cookie.d.ts.map +1 -1
package/dist/auth/session_cookie.js +31 -5
package/dist/auth/session_middleware.d.ts +37 -3
package/dist/auth/session_middleware.d.ts.map +1 -1
package/dist/auth/session_middleware.js +33 -7
package/dist/auth/signup_routes.d.ts.map +1 -1
package/dist/auth/signup_routes.js +48 -19
package/dist/auth/standard_action_specs.d.ts +2 -2
package/dist/auth/standard_action_specs.js +4 -4
package/dist/auth/standard_rpc_actions.d.ts +23 -19
package/dist/auth/standard_rpc_actions.d.ts.map +1 -1
package/dist/auth/standard_rpc_actions.js +12 -12
package/dist/db/migrate.d.ts +12 -8
package/dist/db/migrate.d.ts.map +1 -1
package/dist/db/migrate.js +10 -7
package/dist/dev/setup.d.ts +2 -2
package/dist/dev/setup.d.ts.map +1 -1
package/dist/dev/setup.js +9 -7
package/dist/env/load.d.ts +1 -1
package/dist/env/load.js +1 -1
package/dist/hono_context.d.ts +64 -5
package/dist/hono_context.d.ts.map +1 -1
package/dist/hono_context.js +38 -2
package/dist/http/CLAUDE.md +264 -87
package/dist/http/auth_shape.d.ts +191 -0
package/dist/http/auth_shape.d.ts.map +1 -0
package/dist/http/auth_shape.js +237 -0
package/dist/http/common_routes.js +3 -3
package/dist/http/db_routes.d.ts +4 -0
package/dist/http/db_routes.d.ts.map +1 -1
package/dist/http/db_routes.js +44 -7
package/dist/http/error_schemas.d.ts +132 -19
package/dist/http/error_schemas.d.ts.map +1 -1
package/dist/http/error_schemas.js +132 -40
package/dist/http/jsonrpc_errors.d.ts +27 -2
package/dist/http/jsonrpc_errors.d.ts.map +1 -1
package/dist/http/jsonrpc_errors.js +26 -2
package/dist/http/pending_effects.d.ts +71 -18
package/dist/http/pending_effects.d.ts.map +1 -1
package/dist/http/pending_effects.js +87 -18
package/dist/http/proxy.d.ts +52 -5
package/dist/http/proxy.d.ts.map +1 -1
package/dist/http/proxy.js +92 -14
package/dist/http/route_spec.d.ts +113 -41
package/dist/http/route_spec.d.ts.map +1 -1
package/dist/http/route_spec.js +130 -52
package/dist/http/schema_helpers.d.ts +3 -2
package/dist/http/schema_helpers.d.ts.map +1 -1
package/dist/http/schema_helpers.js +9 -2
package/dist/http/surface.d.ts +2 -1
package/dist/http/surface.d.ts.map +1 -1
package/dist/http/surface.js +1 -2
package/dist/http/surface_query.d.ts +39 -35
package/dist/http/surface_query.d.ts.map +1 -1
package/dist/http/surface_query.js +79 -36
package/dist/primitive_schemas.d.ts +39 -0
package/dist/primitive_schemas.d.ts.map +1 -0
package/dist/primitive_schemas.js +40 -0
package/dist/realtime/sse_auth_guard.d.ts +5 -5
package/dist/realtime/sse_auth_guard.js +9 -9
package/dist/runtime/mock.d.ts +1 -1
package/dist/runtime/mock.js +1 -1
package/dist/server/app_backend.d.ts +14 -11
package/dist/server/app_backend.d.ts.map +1 -1
package/dist/server/app_backend.js +12 -8
package/dist/server/app_server.d.ts +7 -7
package/dist/server/app_server.d.ts.map +1 -1
package/dist/server/app_server.js +36 -31
package/dist/server/validate_nginx.d.ts +1 -1
package/dist/server/validate_nginx.js +1 -1
package/dist/testing/CLAUDE.md +73 -55
package/dist/testing/admin_integration.d.ts +5 -6
package/dist/testing/admin_integration.d.ts.map +1 -1
package/dist/testing/admin_integration.js +100 -96
package/dist/testing/adversarial_headers.js +1 -1
package/dist/testing/app_server.d.ts +11 -14
package/dist/testing/app_server.d.ts.map +1 -1
package/dist/testing/app_server.js +18 -17
package/dist/testing/assertions.d.ts.map +1 -1
package/dist/testing/assertions.js +2 -1
package/dist/testing/attack_surface.d.ts.map +1 -1
package/dist/testing/attack_surface.js +15 -9
package/dist/testing/audit_completeness.d.ts +2 -2
package/dist/testing/audit_completeness.d.ts.map +1 -1
package/dist/testing/audit_completeness.js +53 -39
package/dist/testing/auth_apps.d.ts +5 -4
package/dist/testing/auth_apps.d.ts.map +1 -1
package/dist/testing/auth_apps.js +28 -22
package/dist/testing/data_exposure.d.ts.map +1 -1
package/dist/testing/data_exposure.js +5 -5
package/dist/testing/db.d.ts +1 -1
package/dist/testing/db.d.ts.map +1 -1
package/dist/testing/db.js +4 -4
package/dist/testing/db_entities.d.ts +22 -0
package/dist/testing/db_entities.d.ts.map +1 -0
package/dist/testing/db_entities.js +28 -0
package/dist/testing/entities.d.ts +10 -8
package/dist/testing/entities.d.ts.map +1 -1
package/dist/testing/entities.js +22 -18
package/dist/testing/integration.d.ts.map +1 -1
package/dist/testing/integration.js +13 -14
package/dist/testing/integration_helpers.d.ts +8 -6
package/dist/testing/integration_helpers.d.ts.map +1 -1
package/dist/testing/integration_helpers.js +29 -23
package/dist/testing/middleware.d.ts +15 -11
package/dist/testing/middleware.d.ts.map +1 -1
package/dist/testing/middleware.js +75 -32
package/dist/testing/rpc_attack_surface.d.ts.map +1 -1
package/dist/testing/rpc_attack_surface.js +40 -24
package/dist/testing/rpc_helpers.d.ts.map +1 -1
package/dist/testing/rpc_helpers.js +3 -1
package/dist/testing/rpc_round_trip.d.ts +1 -1
package/dist/testing/rpc_round_trip.d.ts.map +1 -1
package/dist/testing/rpc_round_trip.js +14 -13
package/dist/testing/sse_round_trip.d.ts +3 -4
package/dist/testing/sse_round_trip.d.ts.map +1 -1
package/dist/testing/sse_round_trip.js +7 -11
package/dist/testing/standard.d.ts +1 -1
package/dist/testing/stubs.d.ts +25 -0
package/dist/testing/stubs.d.ts.map +1 -1
package/dist/testing/stubs.js +43 -2
package/dist/testing/surface_invariants.d.ts +2 -2
package/dist/testing/ws_round_trip.d.ts +12 -13
package/dist/testing/ws_round_trip.d.ts.map +1 -1
package/dist/testing/ws_round_trip.js +24 -12
package/dist/ui/AdminAccounts.svelte +23 -20
package/dist/ui/AdminOverview.svelte +15 -13
package/dist/ui/AdminOverview.svelte.d.ts.map +1 -1
package/dist/ui/{AdminPermitHistory.svelte → AdminRoleGrantHistory.svelte} +12 -12
package/dist/ui/AdminRoleGrantHistory.svelte.d.ts +4 -0
package/dist/ui/AdminRoleGrantHistory.svelte.d.ts.map +1 -0
package/dist/ui/BootstrapForm.svelte +1 -1
package/dist/ui/CLAUDE.md +65 -59
package/dist/ui/{PermitOfferForm.svelte → RoleGrantOfferForm.svelte} +37 -22
package/dist/ui/RoleGrantOfferForm.svelte.d.ts +20 -0
package/dist/ui/RoleGrantOfferForm.svelte.d.ts.map +1 -0
package/dist/ui/{PermitOfferHistory.svelte → RoleGrantOfferHistory.svelte} +12 -12
package/dist/ui/{PermitOfferHistory.svelte.d.ts → RoleGrantOfferHistory.svelte.d.ts} +4 -4
package/dist/ui/RoleGrantOfferHistory.svelte.d.ts.map +1 -0
package/dist/ui/{PermitOfferInbox.svelte → RoleGrantOfferInbox.svelte} +14 -14
package/dist/ui/{PermitOfferInbox.svelte.d.ts → RoleGrantOfferInbox.svelte.d.ts} +4 -4
package/dist/ui/RoleGrantOfferInbox.svelte.d.ts.map +1 -0
package/dist/ui/SignupForm.svelte +1 -1
package/dist/ui/SurfaceExplorer.svelte +35 -15
package/dist/ui/SurfaceExplorer.svelte.d.ts.map +1 -1
package/dist/ui/account_sessions_state.svelte.d.ts +2 -3
package/dist/ui/account_sessions_state.svelte.d.ts.map +1 -1
package/dist/ui/account_sessions_state.svelte.js +2 -3
package/dist/ui/admin_accounts_state.svelte.d.ts +25 -18
package/dist/ui/admin_accounts_state.svelte.d.ts.map +1 -1
package/dist/ui/admin_accounts_state.svelte.js +28 -17
package/dist/ui/admin_rpc_adapters.d.ts +20 -20
package/dist/ui/admin_rpc_adapters.d.ts.map +1 -1
package/dist/ui/admin_rpc_adapters.js +17 -17
package/dist/ui/admin_sessions_state.svelte.d.ts +2 -2
package/dist/ui/admin_sessions_state.svelte.js +2 -2
package/dist/ui/audit_log_state.svelte.d.ts +7 -7
package/dist/ui/audit_log_state.svelte.d.ts.map +1 -1
package/dist/ui/audit_log_state.svelte.js +6 -6
package/dist/ui/auth_state.svelte.d.ts +3 -3
package/dist/ui/auth_state.svelte.d.ts.map +1 -1
package/dist/ui/auth_state.svelte.js +6 -6
package/dist/ui/format_scope.d.ts +2 -2
package/dist/ui/format_scope.js +2 -2
package/dist/ui/{permit_offers_state.svelte.d.ts → role_grant_offers_state.svelte.d.ts} +39 -31
package/dist/ui/role_grant_offers_state.svelte.d.ts.map +1 -0
package/dist/ui/{permit_offers_state.svelte.js → role_grant_offers_state.svelte.js} +25 -19
package/dist/ui/ui_format.js +2 -2
package/package.json +3 -3
package/dist/auth/permit_offer_action_specs.d.ts.map +0 -1
package/dist/auth/permit_offer_action_specs.js +0 -227
package/dist/auth/permit_offer_actions.d.ts +0 -110
package/dist/auth/permit_offer_actions.d.ts.map +0 -1
package/dist/auth/permit_offer_actions.js +0 -452
package/dist/auth/permit_offer_notifications.d.ts.map +0 -1
package/dist/auth/permit_offer_notifications.js +0 -182
package/dist/auth/permit_offer_queries.d.ts +0 -183
package/dist/auth/permit_offer_queries.d.ts.map +0 -1
package/dist/auth/permit_offer_queries.js +0 -408
package/dist/auth/permit_offer_schema.d.ts +0 -103
package/dist/auth/permit_offer_schema.d.ts.map +0 -1
package/dist/auth/permit_queries.d.ts +0 -210
package/dist/auth/permit_queries.d.ts.map +0 -1
package/dist/auth/permit_queries.js +0 -294
package/dist/auth/require_keeper.d.ts +0 -20
package/dist/auth/require_keeper.d.ts.map +0 -1
package/dist/auth/require_keeper.js +0 -35
package/dist/auth/route_guards.d.ts +0 -21
package/dist/auth/route_guards.d.ts.map +0 -1
package/dist/auth/route_guards.js +0 -32
package/dist/auth/session_lifecycle.d.ts +0 -37
package/dist/auth/session_lifecycle.d.ts.map +0 -1
package/dist/auth/session_lifecycle.js +0 -29
package/dist/ui/AdminPermitHistory.svelte.d.ts +0 -4
package/dist/ui/AdminPermitHistory.svelte.d.ts.map +0 -1
package/dist/ui/PermitOfferForm.svelte.d.ts +0 -14
package/dist/ui/PermitOfferForm.svelte.d.ts.map +0 -1
package/dist/ui/PermitOfferHistory.svelte.d.ts.map +0 -1
package/dist/ui/PermitOfferInbox.svelte.d.ts.map +0 -1
package/dist/ui/permit_offers_state.svelte.d.ts.map +0 -1

package/dist/auth/{permit_offer_action_specs.d.ts → role_grant_offer_action_specs.d.ts} RENAMED Viewed

@@ -1,96 +1,122 @@
 /**
- * Permit offer RPC action specs — declarative contract for the
- * consentful-permits surface (offer lifecycle + admin revoke).
+ * Role grant offer RPC action specs — declarative contract for the
+ * consentful-role-grants surface (offer lifecycle + admin revoke).
  *
- * Import this module for the specs, Input/Output schemas, `ERROR_OFFER_*`
- * reason constants, and the `all_permit_offer_action_specs` registry.
- * Handlers live in `auth/permit_offer_actions.ts`.
+ * Import this module for the specs, Input/Output schemas, `ERROR_ROLE_GRANT_OFFER_*`
+ * reason constants, and the `all_role_grant_offer_action_specs` registry.
+ * Handlers live in `auth/role_grant_offer_actions.ts`.
  *
- * Authorization enforcement: offer-lifecycle specs declare
- * `auth: 'authenticated'` and rely on `query_*` IDOR guards or in-handler
- * policy checks (e.g. `permit_offer_list`/`_history` elevate to admin only
+ * Authorization enforcement: offer-lifecycle specs declare account+actor
+ * required (no roles) and rely on `query_*` IDOR guards or in-handler
+ * policy checks (e.g. `role_grant_offer_list`/`_history` elevate to admin only
  * when inspecting another account — an input-dependent check that can't be
- * expressed at the spec level). `permit_revoke` declares
- * `auth: {role: 'admin'}` — the RPC dispatcher's per-spec `check_action_auth`
- * gates it before the handler runs even though the endpoint hosts non-admin
- * methods alongside.
+ * expressed at the spec level). `role_grant_revoke` adds `roles: ['admin']` —
+ * the RPC dispatcher's per-spec post-authorization auth gate
+ * (`check_action_auth_post_authorization`) rejects non-admin callers before
+ * the handler runs even though the endpoint hosts non-admin methods
+ * alongside.
  *
  * @module
  */
 import { z } from 'zod';
 import type { RequestResponseActionSpec } from '../actions/action_spec.js';
-/** Error reason — caller tried to offer themselves a permit. */
-export declare const ERROR_OFFER_SELF_TARGET: "offer_self_target";
+/** Error reason — caller tried to offer themselves a role_grant. */
+export declare const ERROR_ROLE_GRANT_OFFER_SELF_TARGET: "role_grant_offer_self_target";
 /** Error reason — offer is declined, retracted, or superseded. */
-export declare const ERROR_OFFER_TERMINAL: "offer_terminal";
+export declare const ERROR_ROLE_GRANT_OFFER_TERMINAL: "role_grant_offer_terminal";
 /** Error reason — offer's `expires_at` has passed. */
-export declare const ERROR_OFFER_EXPIRED: "offer_expired";
+export declare const ERROR_ROLE_GRANT_OFFER_EXPIRED: "role_grant_offer_expired";
 /** Error reason — offer does not exist or belongs to a different recipient (404-over-403 IDOR mask). */
-export declare const ERROR_OFFER_NOT_FOUND: "offer_not_found";
-/** Error reason — the offered role is not `web_grantable` (nobody may offer it via this surface). */
-export declare const ERROR_OFFER_ROLE_NOT_GRANTABLE: "offer_role_not_grantable";
+export declare const ERROR_ROLE_GRANT_OFFER_NOT_FOUND: "role_grant_offer_not_found";
+/** Error reason — the offered role does not include `'admin'` in its `RoleSpec.grant_paths` (nobody may offer it via this surface). */
+export declare const ERROR_ROLE_GRANT_OFFER_ROLE_NOT_GRANTABLE: "role_grant_offer_role_not_grantable";
 /** Error reason — caller is not authorized to offer this role (default policy: caller lacks the role; consumer `authorize` callback may add further policy). */
-export declare const ERROR_OFFER_NOT_AUTHORIZED: "offer_not_authorized";
-/** Input for `permit_offer_create`. */
-export declare const PermitOfferCreateInput: z.ZodObject<{
+export declare const ERROR_ROLE_GRANT_OFFER_NOT_AUTHORIZED: "role_grant_offer_not_authorized";
+/** Error reason — actor-targeted offer was accepted by an actor other than `to_actor_id`. */
+export declare const ERROR_ROLE_GRANT_OFFER_ACTOR_MISMATCH: "role_grant_offer_actor_mismatch";
+/** Error reason — `role_grant_offer_create` was called with a `to_actor_id` that does not belong to `to_account_id`. */
+export declare const ERROR_ROLE_GRANT_OFFER_ACTOR_ACCOUNT_MISMATCH: "role_grant_offer_actor_account_mismatch";
+/**
+ * Input for `role_grant_offer_create`.
+ *
+ * `to_actor_id` (optional) narrows the offer to a specific actor on the
+ * recipient account. When supplied, `role_grant_offer_accept` will only admit
+ * the named actor — wrong-actor accepts reject with
+ * `role_grant_offer_actor_mismatch`. The audit envelope's `target_actor_id` is
+ * stamped from this column on the create / supersede / expire / retract
+ * events. Omit (or pass null) for the account-grain default — any actor
+ * on `to_account_id` may accept.
+ */
+export declare const RoleGrantOfferCreateInput: z.ZodObject<{
     to_account_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+    to_actor_id: z.ZodOptional<z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>>;
     role: z.ZodString;
+    scope_kind: z.ZodOptional<z.ZodNullable<z.ZodString>>;
     scope_id: z.ZodOptional<z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>>;
     message: z.ZodOptional<z.ZodNullable<z.ZodString>>;
+    acting: z.ZodOptional<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
 }, z.core.$strict>;
-export type PermitOfferCreateInput = z.infer<typeof PermitOfferCreateInput>;
-/** Input for `permit_offer_accept`. */
-export declare const PermitOfferAcceptInput: z.ZodObject<{
+export type RoleGrantOfferCreateInput = z.infer<typeof RoleGrantOfferCreateInput>;
+/** Input for `role_grant_offer_accept`. */
+export declare const RoleGrantOfferAcceptInput: z.ZodObject<{
     offer_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+    acting: z.ZodOptional<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
 }, z.core.$strict>;
-export type PermitOfferAcceptInput = z.infer<typeof PermitOfferAcceptInput>;
-/** Input for `permit_offer_decline`. */
-export declare const PermitOfferDeclineInput: z.ZodObject<{
+export type RoleGrantOfferAcceptInput = z.infer<typeof RoleGrantOfferAcceptInput>;
+/** Input for `role_grant_offer_decline`. */
+export declare const RoleGrantOfferDeclineInput: z.ZodObject<{
     offer_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
     reason: z.ZodOptional<z.ZodNullable<z.ZodString>>;
+    acting: z.ZodOptional<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
 }, z.core.$strict>;
-export type PermitOfferDeclineInput = z.infer<typeof PermitOfferDeclineInput>;
-/** Input for `permit_offer_retract`. */
-export declare const PermitOfferRetractInput: z.ZodObject<{
+export type RoleGrantOfferDeclineInput = z.infer<typeof RoleGrantOfferDeclineInput>;
+/** Input for `role_grant_offer_retract`. */
+export declare const RoleGrantOfferRetractInput: z.ZodObject<{
     offer_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+    acting: z.ZodOptional<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
 }, z.core.$strict>;
-export type PermitOfferRetractInput = z.infer<typeof PermitOfferRetractInput>;
-/** Input for `permit_offer_list`. `account_id` is admin-only (inspect another account's inbox). */
-export declare const PermitOfferListInput: z.ZodObject<{
+export type RoleGrantOfferRetractInput = z.infer<typeof RoleGrantOfferRetractInput>;
+/** Input for `role_grant_offer_list`. `account_id` is admin-only (inspect another account's inbox). */
+export declare const RoleGrantOfferListInput: z.ZodObject<{
     account_id: z.ZodOptional<z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>>;
+    acting: z.ZodOptional<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
 }, z.core.$strict>;
-export type PermitOfferListInput = z.infer<typeof PermitOfferListInput>;
+export type RoleGrantOfferListInput = z.infer<typeof RoleGrantOfferListInput>;
 /**
- * Input for `permit_revoke`. Admin-only mutation that revokes an active
- * permit on a target actor. `actor_id` is the natural key — permits are
+ * Input for `role_grant_revoke`. Admin-only mutation that revokes an active
+ * role_grant on a target actor. `actor_id` is the natural key — role_grants are
  * actor-scoped, and the admin UI reads `row.actor.id` straight from the
  * listing. Deriving `actor_id` from `account_id` would collapse under
  * multi-actor accounts.
  */
-export declare const PermitRevokeInput: z.ZodObject<{
+export declare const RoleGrantRevokeInput: z.ZodObject<{
     actor_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
-    permit_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+    role_grant_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
     reason: z.ZodOptional<z.ZodNullable<z.ZodString>>;
+    acting: z.ZodOptional<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
 }, z.core.$strict>;
-export type PermitRevokeInput = z.infer<typeof PermitRevokeInput>;
+export type RoleGrantRevokeInput = z.infer<typeof RoleGrantRevokeInput>;
 /**
- * Input for `permit_offer_history`. Returns every offer involving the account
+ * Input for `role_grant_offer_history`. Returns every offer involving the account
  * in either direction (recipient or grantor), including terminal rows, newest
  * first. `account_id` is admin-only.
  */
-export declare const PermitOfferHistoryInput: z.ZodObject<{
+export declare const RoleGrantOfferHistoryInput: z.ZodObject<{
     account_id: z.ZodOptional<z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>>;
     limit: z.ZodOptional<z.ZodNullable<z.ZodNumber>>;
     offset: z.ZodOptional<z.ZodNullable<z.ZodNumber>>;
+    acting: z.ZodOptional<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
 }, z.core.$strict>;
-export type PermitOfferHistoryInput = z.infer<typeof PermitOfferHistoryInput>;
-/** Output for `permit_offer_create`. */
-export declare const PermitOfferCreateOutput: z.ZodObject<{
+export type RoleGrantOfferHistoryInput = z.infer<typeof RoleGrantOfferHistoryInput>;
+/** Output for `role_grant_offer_create`. */
+export declare const RoleGrantOfferCreateOutput: z.ZodObject<{
     offer: z.ZodObject<{
         id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
         from_actor_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
         to_account_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+        to_actor_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
         role: z.ZodString;
+        scope_kind: z.ZodNullable<z.ZodString>;
         scope_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
         message: z.ZodNullable<z.ZodString>;
         created_at: z.ZodString;
@@ -100,18 +126,20 @@ export declare const PermitOfferCreateOutput: z.ZodObject<{
         decline_reason: z.ZodNullable<z.ZodString>;
         retracted_at: z.ZodNullable<z.ZodString>;
         superseded_at: z.ZodNullable<z.ZodString>;
-        resulting_permit_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+        resulting_role_grant_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
     }, z.core.$strict>;
 }, z.core.$strict>;
-export type PermitOfferCreateOutput = z.infer<typeof PermitOfferCreateOutput>;
-/** Output for `permit_offer_accept`. */
-export declare const PermitOfferAcceptOutput: z.ZodObject<{
-    permit_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+export type RoleGrantOfferCreateOutput = z.infer<typeof RoleGrantOfferCreateOutput>;
+/** Output for `role_grant_offer_accept`. */
+export declare const RoleGrantOfferAcceptOutput: z.ZodObject<{
+    role_grant_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
     offer: z.ZodObject<{
         id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
         from_actor_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
         to_account_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+        to_actor_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
         role: z.ZodString;
+        scope_kind: z.ZodNullable<z.ZodString>;
         scope_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
         message: z.ZodNullable<z.ZodString>;
         created_at: z.ZodString;
@@ -121,23 +149,25 @@ export declare const PermitOfferAcceptOutput: z.ZodObject<{
         decline_reason: z.ZodNullable<z.ZodString>;
         retracted_at: z.ZodNullable<z.ZodString>;
         superseded_at: z.ZodNullable<z.ZodString>;
-        resulting_permit_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+        resulting_role_grant_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
     }, z.core.$strict>;
     superseded_offer_ids: z.ZodArray<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
 }, z.core.$strict>;
-export type PermitOfferAcceptOutput = z.infer<typeof PermitOfferAcceptOutput>;
-/** Output for `permit_offer_decline` / `permit_offer_retract`. */
-export declare const PermitOfferOkOutput: z.ZodObject<{
+export type RoleGrantOfferAcceptOutput = z.infer<typeof RoleGrantOfferAcceptOutput>;
+/** Output for `role_grant_offer_decline` / `role_grant_offer_retract`. */
+export declare const RoleGrantOfferOkOutput: z.ZodObject<{
     ok: z.ZodLiteral<true>;
 }, z.core.$strict>;
-export type PermitOfferOkOutput = z.infer<typeof PermitOfferOkOutput>;
-/** Output for `permit_offer_list`. */
-export declare const PermitOfferListOutput: z.ZodObject<{
+export type RoleGrantOfferOkOutput = z.infer<typeof RoleGrantOfferOkOutput>;
+/** Output for `role_grant_offer_list`. */
+export declare const RoleGrantOfferListOutput: z.ZodObject<{
     offers: z.ZodArray<z.ZodObject<{
         id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
         from_actor_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
         to_account_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+        to_actor_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
         role: z.ZodString;
+        scope_kind: z.ZodNullable<z.ZodString>;
         scope_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
         message: z.ZodNullable<z.ZodString>;
         created_at: z.ZodString;
@@ -147,17 +177,19 @@ export declare const PermitOfferListOutput: z.ZodObject<{
         decline_reason: z.ZodNullable<z.ZodString>;
         retracted_at: z.ZodNullable<z.ZodString>;
         superseded_at: z.ZodNullable<z.ZodString>;
-        resulting_permit_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+        resulting_role_grant_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
     }, z.core.$strict>>;
 }, z.core.$strict>;
-export type PermitOfferListOutput = z.infer<typeof PermitOfferListOutput>;
-/** Output for `permit_offer_history`. */
-export declare const PermitOfferHistoryOutput: z.ZodObject<{
+export type RoleGrantOfferListOutput = z.infer<typeof RoleGrantOfferListOutput>;
+/** Output for `role_grant_offer_history`. */
+export declare const RoleGrantOfferHistoryOutput: z.ZodObject<{
     offers: z.ZodArray<z.ZodObject<{
         id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
         from_actor_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
         to_account_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+        to_actor_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
         role: z.ZodString;
+        scope_kind: z.ZodNullable<z.ZodString>;
         scope_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
         message: z.ZodNullable<z.ZodString>;
         created_at: z.ZodString;
@@ -167,34 +199,42 @@ export declare const PermitOfferHistoryOutput: z.ZodObject<{
         decline_reason: z.ZodNullable<z.ZodString>;
         retracted_at: z.ZodNullable<z.ZodString>;
         superseded_at: z.ZodNullable<z.ZodString>;
-        resulting_permit_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+        resulting_role_grant_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
     }, z.core.$strict>>;
 }, z.core.$strict>;
-export type PermitOfferHistoryOutput = z.infer<typeof PermitOfferHistoryOutput>;
-/** Output for `permit_revoke`. */
-export declare const PermitRevokeOutput: z.ZodObject<{
+export type RoleGrantOfferHistoryOutput = z.infer<typeof RoleGrantOfferHistoryOutput>;
+/** Output for `role_grant_revoke`. */
+export declare const RoleGrantRevokeOutput: z.ZodObject<{
     ok: z.ZodLiteral<true>;
     revoked: z.ZodLiteral<true>;
 }, z.core.$strict>;
-export type PermitRevokeOutput = z.infer<typeof PermitRevokeOutput>;
-export declare const permit_offer_create_action_spec: {
+export type RoleGrantRevokeOutput = z.infer<typeof RoleGrantRevokeOutput>;
+export declare const role_grant_offer_create_action_spec: {
     method: string;
     kind: "request_response";
     initiator: "frontend";
-    auth: "authenticated";
+    auth: {
+        account: "required";
+        actor: "required";
+    };
     side_effects: true;
     input: z.ZodObject<{
         to_account_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+        to_actor_id: z.ZodOptional<z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>>;
         role: z.ZodString;
+        scope_kind: z.ZodOptional<z.ZodNullable<z.ZodString>>;
         scope_id: z.ZodOptional<z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>>;
         message: z.ZodOptional<z.ZodNullable<z.ZodString>>;
+        acting: z.ZodOptional<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
     }, z.core.$strict>;
     output: z.ZodObject<{
         offer: z.ZodObject<{
             id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
             from_actor_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
             to_account_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+            to_actor_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
             role: z.ZodString;
+            scope_kind: z.ZodNullable<z.ZodString>;
             scope_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
             message: z.ZodNullable<z.ZodString>;
             created_at: z.ZodString;
@@ -204,29 +244,35 @@ export declare const permit_offer_create_action_spec: {
             decline_reason: z.ZodNullable<z.ZodString>;
             retracted_at: z.ZodNullable<z.ZodString>;
             superseded_at: z.ZodNullable<z.ZodString>;
-            resulting_permit_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+            resulting_role_grant_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
         }, z.core.$strict>;
     }, z.core.$strict>;
     async: true;
     description: string;
-    error_reasons: ("offer_self_target" | "offer_role_not_grantable" | "offer_not_authorized")[];
+    error_reasons: ("role_grant_offer_self_target" | "role_grant_offer_role_not_grantable" | "role_grant_offer_not_authorized" | "role_grant_offer_actor_account_mismatch")[];
 };
-export declare const permit_offer_accept_action_spec: {
+export declare const role_grant_offer_accept_action_spec: {
     method: string;
     kind: "request_response";
     initiator: "frontend";
-    auth: "authenticated";
+    auth: {
+        account: "required";
+        actor: "required";
+    };
     side_effects: true;
     input: z.ZodObject<{
         offer_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+        acting: z.ZodOptional<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
     }, z.core.$strict>;
     output: z.ZodObject<{
-        permit_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+        role_grant_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
         offer: z.ZodObject<{
             id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
             from_actor_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
             to_account_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+            to_actor_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
             role: z.ZodString;
+            scope_kind: z.ZodNullable<z.ZodString>;
             scope_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
             message: z.ZodNullable<z.ZodString>;
             created_at: z.ZodString;
@@ -236,62 +282,76 @@ export declare const permit_offer_accept_action_spec: {
             decline_reason: z.ZodNullable<z.ZodString>;
             retracted_at: z.ZodNullable<z.ZodString>;
             superseded_at: z.ZodNullable<z.ZodString>;
-            resulting_permit_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+            resulting_role_grant_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
         }, z.core.$strict>;
         superseded_offer_ids: z.ZodArray<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
     }, z.core.$strict>;
     async: true;
     description: string;
-    error_reasons: ("offer_terminal" | "offer_expired" | "offer_not_found")[];
+    error_reasons: ("role_grant_offer_terminal" | "role_grant_offer_expired" | "role_grant_offer_not_found" | "role_grant_offer_actor_mismatch")[];
 };
-export declare const permit_offer_decline_action_spec: {
+export declare const role_grant_offer_decline_action_spec: {
     method: string;
     kind: "request_response";
     initiator: "frontend";
-    auth: "authenticated";
+    auth: {
+        account: "required";
+        actor: "required";
+    };
     side_effects: true;
     input: z.ZodObject<{
         offer_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
         reason: z.ZodOptional<z.ZodNullable<z.ZodString>>;
+        acting: z.ZodOptional<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
     }, z.core.$strict>;
     output: z.ZodObject<{
         ok: z.ZodLiteral<true>;
     }, z.core.$strict>;
     async: true;
     description: string;
-    error_reasons: ("offer_terminal" | "offer_not_found")[];
+    error_reasons: ("role_grant_offer_terminal" | "role_grant_offer_not_found")[];
 };
-export declare const permit_offer_retract_action_spec: {
+export declare const role_grant_offer_retract_action_spec: {
     method: string;
     kind: "request_response";
     initiator: "frontend";
-    auth: "authenticated";
+    auth: {
+        account: "required";
+        actor: "required";
+    };
     side_effects: true;
     input: z.ZodObject<{
         offer_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+        acting: z.ZodOptional<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
     }, z.core.$strict>;
     output: z.ZodObject<{
         ok: z.ZodLiteral<true>;
     }, z.core.$strict>;
     async: true;
     description: string;
-    error_reasons: ("offer_terminal" | "offer_not_found")[];
+    error_reasons: ("role_grant_offer_terminal" | "role_grant_offer_not_found")[];
 };
-export declare const permit_offer_list_action_spec: {
+export declare const role_grant_offer_list_action_spec: {
     method: string;
     kind: "request_response";
     initiator: "frontend";
-    auth: "authenticated";
+    auth: {
+        account: "required";
+        actor: "required";
+    };
     side_effects: false;
     input: z.ZodObject<{
         account_id: z.ZodOptional<z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>>;
+        acting: z.ZodOptional<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
     }, z.core.$strict>;
     output: z.ZodObject<{
         offers: z.ZodArray<z.ZodObject<{
             id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
             from_actor_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
             to_account_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+            to_actor_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
             role: z.ZodString;
+            scope_kind: z.ZodNullable<z.ZodString>;
             scope_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
             message: z.ZodNullable<z.ZodString>;
             created_at: z.ZodString;
@@ -301,29 +361,35 @@ export declare const permit_offer_list_action_spec: {
             decline_reason: z.ZodNullable<z.ZodString>;
             retracted_at: z.ZodNullable<z.ZodString>;
             superseded_at: z.ZodNullable<z.ZodString>;
-            resulting_permit_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+            resulting_role_grant_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
         }, z.core.$strict>>;
     }, z.core.$strict>;
     async: true;
     description: string;
 };
-export declare const permit_offer_history_action_spec: {
+export declare const role_grant_offer_history_action_spec: {
     method: string;
     kind: "request_response";
     initiator: "frontend";
-    auth: "authenticated";
+    auth: {
+        account: "required";
+        actor: "required";
+    };
     side_effects: false;
     input: z.ZodObject<{
         account_id: z.ZodOptional<z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>>;
         limit: z.ZodOptional<z.ZodNullable<z.ZodNumber>>;
         offset: z.ZodOptional<z.ZodNullable<z.ZodNumber>>;
+        acting: z.ZodOptional<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
     }, z.core.$strict>;
     output: z.ZodObject<{
         offers: z.ZodArray<z.ZodObject<{
             id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
             from_actor_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
             to_account_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+            to_actor_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
             role: z.ZodString;
+            scope_kind: z.ZodNullable<z.ZodString>;
             scope_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
             message: z.ZodNullable<z.ZodString>;
             created_at: z.ZodString;
@@ -333,24 +399,27 @@ export declare const permit_offer_history_action_spec: {
             decline_reason: z.ZodNullable<z.ZodString>;
             retracted_at: z.ZodNullable<z.ZodString>;
             superseded_at: z.ZodNullable<z.ZodString>;
-            resulting_permit_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+            resulting_role_grant_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
         }, z.core.$strict>>;
     }, z.core.$strict>;
     async: true;
     description: string;
 };
-export declare const permit_revoke_action_spec: {
+export declare const role_grant_revoke_action_spec: {
     method: string;
     kind: "request_response";
     initiator: "frontend";
     auth: {
-        role: string;
+        account: "required";
+        actor: "required";
+        roles: string[];
     };
     side_effects: true;
     input: z.ZodObject<{
         actor_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
-        permit_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+        role_grant_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
         reason: z.ZodOptional<z.ZodNullable<z.ZodString>>;
+        acting: z.ZodOptional<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
     }, z.core.$strict>;
     output: z.ZodObject<{
         ok: z.ZodLiteral<true>;
@@ -358,13 +427,13 @@ export declare const permit_revoke_action_spec: {
     }, z.core.$strict>;
     async: true;
     description: string;
-    error_reasons: ("account_not_found" | "role_not_web_grantable" | "permit_not_found")[];
+    error_reasons: ("role_not_web_grantable" | "role_grant_not_found")[];
     rate_limit: "account";
 };
 /**
- * All permit-offer action specs — a codegen-ready registry. Consumers spread
+ * All role-grant-offer action specs — a codegen-ready registry. Consumers spread
  * this into their own action-spec array to include offer lifecycle + revoke
  * methods in a typed client surface.
  */
-export declare const all_permit_offer_action_specs: Array<RequestResponseActionSpec>;
-//# sourceMappingURL=permit_offer_action_specs.d.ts.map
+export declare const all_role_grant_offer_action_specs: Array<RequestResponseActionSpec>;
+//# sourceMappingURL=role_grant_offer_action_specs.d.ts.map

package/dist/auth/role_grant_offer_action_specs.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"role_grant_offer_action_specs.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/role_grant_offer_action_specs.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAGtB,OAAO,KAAK,EAAC,yBAAyB,EAAC,MAAM,2BAA2B,CAAC;AAUzE,oEAAoE;AACpE,eAAO,MAAM,kCAAkC,EAAG,8BAAuC,CAAC;AAC1F,kEAAkE;AAClE,eAAO,MAAM,+BAA+B,EAAG,2BAAoC,CAAC;AACpF,sDAAsD;AACtD,eAAO,MAAM,8BAA8B,EAAG,0BAAmC,CAAC;AAClF,wGAAwG;AACxG,eAAO,MAAM,gCAAgC,EAAG,4BAAqC,CAAC;AACtF,uIAAuI;AACvI,eAAO,MAAM,yCAAyC,EACrD,qCAA8C,CAAC;AAChD,gKAAgK;AAChK,eAAO,MAAM,qCAAqC,EAAG,iCAA0C,CAAC;AAChG,6FAA6F;AAC7F,eAAO,MAAM,qCAAqC,EAAG,iCAA0C,CAAC;AAChG,wHAAwH;AACxH,eAAO,MAAM,6CAA6C,EACzD,yCAAkD,CAAC;AAIpD;;;;;;;;;;GAUG;AACH,eAAO,MAAM,yBAAyB;;;;;;;;kBAoBpC,CAAC;AACH,MAAM,MAAM,yBAAyB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,yBAAyB,CAAC,CAAC;AAElF,2CAA2C;AAC3C,eAAO,MAAM,yBAAyB;;;kBAGpC,CAAC;AACH,MAAM,MAAM,yBAAyB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,yBAAyB,CAAC,CAAC;AAElF,4CAA4C;AAC5C,eAAO,MAAM,0BAA0B;;;;kBAQrC,CAAC;AACH,MAAM,MAAM,0BAA0B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,0BAA0B,CAAC,CAAC;AAEpF,4CAA4C;AAC5C,eAAO,MAAM,0BAA0B;;;kBAGrC,CAAC;AACH,MAAM,MAAM,0BAA0B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,0BAA0B,CAAC,CAAC;AAEpF,uGAAuG;AACvG,eAAO,MAAM,uBAAuB;;;kBAKlC,CAAC;AACH,MAAM,MAAM,uBAAuB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,uBAAuB,CAAC,CAAC;AAE9E;;;;;;GAMG;AACH,eAAO,MAAM,oBAAoB;;;;;kBAQ/B,CAAC;AACH,MAAM,MAAM,oBAAoB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAC;AAExE;;;;GAIG;AACH,eAAO,MAAM,0BAA0B;;;;;kBAWrC,CAAC;AACH,MAAM,MAAM,0BAA0B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,0BAA0B,CAAC,CAAC;AAEpF,4CAA4C;AAC5C,eAAO,MAAM,0BAA0B;;;;;;;;;;;;;;;;;;;kBAErC,CAAC;AACH,MAAM,MAAM,0BAA0B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,0BAA0B,CAAC,CAAC;AAEpF,4CAA4C;AAC5C,eAAO,MAAM,0BAA0B;;;;;;;;;;;;;;;;;;;;;kBAIrC,CAAC;AACH,MAAM,MAAM,0BAA0B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,0BAA0B,CAAC,CAAC;AAEpF,0EAA0E;AAC1E,eAAO,MAAM,sBAAsB;;kBAAwC,CAAC;AAC5E,MAAM,MAAM,sBAAsB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAC;AAE5E,0CAA0C;AAC1C,eAAO,MAAM,wBAAwB;;;;;;;;;;;;;;;;;;;kBAAwD,CAAC;AAC9F,MAAM,MAAM,wBAAwB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,wBAAwB,CAAC,CAAC;AAEhF,6CAA6C;AAC7C,eAAO,MAAM,2BAA2B;;;;;;;;;;;;;;;;;;;kBAAwD,CAAC;AACjG,MAAM,MAAM,2BAA2B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,2BAA2B,CAAC,CAAC;AAEtF,sCAAsC;AACtC,eAAO,MAAM,qBAAqB;;;kBAGhC,CAAC;AACH,MAAM,MAAM,qBAAqB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,qBAAqB,CAAC,CAAC;AAI1E,eAAO,MAAM,mCAAmC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAiBX,CAAC;AAEtC,eAAO,MAAM,mCAAmC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAiBX,CAAC;AAEtC,eAAO,MAAM,oCAAoC;;;;;;;;;;;;;;;;;;;;CAWZ,CAAC;AAEtC,eAAO,MAAM,oCAAoC;;;;;;;;;;;;;;;;;;;CAWZ,CAAC;AAEtC,eAAO,MAAM,iCAAiC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAWT,CAAC;AAEtC,eAAO,MAAM,oCAAoC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAWZ,CAAC;AAEtC,eAAO,MAAM,6BAA6B;;;;;;;;;;;;;;;;;;;;;;;;CAaL,CAAC;AAEtC;;;;GAIG;AACH,eAAO,MAAM,iCAAiC,EAAE,KAAK,CAAC,yBAAyB,CAQ9E,CAAC"}