npm - @fuzdev/fuz_app - Versions diffs - 0.54.0 → 0.56.0 - Mend

@fuzdev/fuz_app 0.54.0 → 0.56.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (348) hide show

package/dist/actions/CLAUDE.md +214 -103
package/dist/actions/action_bridge.d.ts +8 -5
package/dist/actions/action_bridge.d.ts.map +1 -1
package/dist/actions/action_bridge.js +1 -11
package/dist/actions/action_codegen.d.ts +32 -0
package/dist/actions/action_codegen.d.ts.map +1 -1
package/dist/actions/action_codegen.js +35 -15
package/dist/actions/action_registry.d.ts.map +1 -1
package/dist/actions/action_registry.js +5 -2
package/dist/actions/action_rpc.d.ts +141 -22
package/dist/actions/action_rpc.d.ts.map +1 -1
package/dist/actions/action_rpc.js +106 -187
package/dist/actions/action_spec.d.ts +55 -16
package/dist/actions/action_spec.d.ts.map +1 -1
package/dist/actions/action_spec.js +16 -11
package/dist/actions/action_types.d.ts +28 -60
package/dist/actions/action_types.d.ts.map +1 -1
package/dist/actions/action_types.js +13 -5
package/dist/actions/broadcast_api.d.ts +2 -2
package/dist/actions/broadcast_api.js +2 -2
package/dist/actions/compile_action_registry.d.ts +50 -0
package/dist/actions/compile_action_registry.d.ts.map +1 -0
package/dist/actions/compile_action_registry.js +69 -0
package/dist/actions/heartbeat.d.ts +8 -4
package/dist/actions/heartbeat.d.ts.map +1 -1
package/dist/actions/heartbeat.js +5 -4
package/dist/actions/perform_action.d.ts +145 -0
package/dist/actions/perform_action.d.ts.map +1 -0
package/dist/actions/perform_action.js +258 -0
package/dist/actions/register_action_ws.d.ts +46 -40
package/dist/actions/register_action_ws.d.ts.map +1 -1
package/dist/actions/register_action_ws.js +101 -159
package/dist/actions/register_ws_endpoint.d.ts +15 -10
package/dist/actions/register_ws_endpoint.d.ts.map +1 -1
package/dist/actions/register_ws_endpoint.js +54 -7
package/dist/actions/transports.d.ts.map +1 -1
package/dist/actions/transports.js +0 -4
package/dist/actions/transports_ws_auth_guard.d.ts +1 -1
package/dist/actions/transports_ws_auth_guard.js +1 -1
package/dist/actions/transports_ws_backend.d.ts +1 -1
package/dist/actions/transports_ws_backend.js +1 -1
package/dist/auth/CLAUDE.md +794 -410
package/dist/auth/account_action_specs.d.ts +28 -7
package/dist/auth/account_action_specs.d.ts.map +1 -1
package/dist/auth/account_action_specs.js +7 -7
package/dist/auth/account_actions.d.ts +7 -13
package/dist/auth/account_actions.d.ts.map +1 -1
package/dist/auth/account_actions.js +26 -35
package/dist/auth/account_queries.d.ts +52 -16
package/dist/auth/account_queries.d.ts.map +1 -1
package/dist/auth/account_queries.js +87 -38
package/dist/auth/account_routes.d.ts +9 -11
package/dist/auth/account_routes.d.ts.map +1 -1
package/dist/auth/account_routes.js +118 -46
package/dist/auth/account_schema.d.ts +46 -35
package/dist/auth/account_schema.d.ts.map +1 -1
package/dist/auth/account_schema.js +21 -28
package/dist/auth/admin_action_specs.d.ts +100 -32
package/dist/auth/admin_action_specs.d.ts.map +1 -1
package/dist/auth/admin_action_specs.js +64 -33
package/dist/auth/admin_actions.d.ts +13 -19
package/dist/auth/admin_actions.d.ts.map +1 -1
package/dist/auth/admin_actions.js +37 -41
package/dist/auth/audit_emitter.d.ts +160 -0
package/dist/auth/audit_emitter.d.ts.map +1 -0
package/dist/auth/audit_emitter.js +83 -0
package/dist/auth/audit_log_queries.d.ts +17 -48
package/dist/auth/audit_log_queries.d.ts.map +1 -1
package/dist/auth/audit_log_queries.js +20 -56
package/dist/auth/audit_log_routes.d.ts +1 -1
package/dist/auth/audit_log_routes.d.ts.map +1 -1
package/dist/auth/audit_log_routes.js +7 -3
package/dist/auth/audit_log_schema.d.ts +92 -32
package/dist/auth/audit_log_schema.d.ts.map +1 -1
package/dist/auth/audit_log_schema.js +75 -46
package/dist/auth/auth_guard_resolver.d.ts +44 -0
package/dist/auth/auth_guard_resolver.d.ts.map +1 -0
package/dist/auth/auth_guard_resolver.js +56 -0
package/dist/auth/bearer_auth.d.ts +9 -7
package/dist/auth/bearer_auth.d.ts.map +1 -1
package/dist/auth/bearer_auth.js +13 -21
package/dist/auth/bootstrap_account.d.ts +7 -7
package/dist/auth/bootstrap_account.d.ts.map +1 -1
package/dist/auth/bootstrap_account.js +7 -7
package/dist/auth/bootstrap_routes.d.ts.map +1 -1
package/dist/auth/bootstrap_routes.js +11 -10
package/dist/auth/cleanup.d.ts +20 -26
package/dist/auth/cleanup.d.ts.map +1 -1
package/dist/auth/cleanup.js +33 -42
package/dist/auth/credential_type_schema.d.ts +115 -0
package/dist/auth/credential_type_schema.d.ts.map +1 -0
package/dist/auth/credential_type_schema.js +127 -0
package/dist/auth/daemon_token_middleware.d.ts +23 -11
package/dist/auth/daemon_token_middleware.d.ts.map +1 -1
package/dist/auth/daemon_token_middleware.js +28 -22
package/dist/auth/ddl.d.ts +2 -2
package/dist/auth/ddl.d.ts.map +1 -1
package/dist/auth/ddl.js +6 -6
package/dist/auth/deps.d.ts +7 -18
package/dist/auth/deps.d.ts.map +1 -1
package/dist/auth/grant_path_schema.d.ts +117 -0
package/dist/auth/grant_path_schema.d.ts.map +1 -0
package/dist/auth/grant_path_schema.js +137 -0
package/dist/auth/invite_queries.d.ts +12 -1
package/dist/auth/invite_queries.d.ts.map +1 -1
package/dist/auth/invite_queries.js +12 -1
package/dist/auth/invite_schema.d.ts +1 -1
package/dist/auth/invite_schema.d.ts.map +1 -1
package/dist/auth/invite_schema.js +1 -1
package/dist/auth/middleware.d.ts.map +1 -1
package/dist/auth/middleware.js +9 -4
package/dist/auth/migrations.d.ts +37 -14
package/dist/auth/migrations.d.ts.map +1 -1
package/dist/auth/migrations.js +79 -32
package/dist/auth/request_context.d.ts +331 -61
package/dist/auth/request_context.d.ts.map +1 -1
package/dist/auth/request_context.js +378 -95
package/dist/auth/{permit_offer_action_specs.d.ts → role_grant_offer_action_specs.d.ts} +163 -94
package/dist/auth/role_grant_offer_action_specs.d.ts.map +1 -0
package/dist/auth/role_grant_offer_action_specs.js +262 -0
package/dist/auth/role_grant_offer_actions.d.ts +104 -0
package/dist/auth/role_grant_offer_actions.d.ts.map +1 -0
package/dist/auth/role_grant_offer_actions.js +473 -0
package/dist/auth/{permit_offer_notifications.d.ts → role_grant_offer_notifications.d.ts} +90 -70
package/dist/auth/role_grant_offer_notifications.d.ts.map +1 -0
package/dist/auth/role_grant_offer_notifications.js +182 -0
package/dist/auth/role_grant_offer_queries.d.ts +242 -0
package/dist/auth/role_grant_offer_queries.d.ts.map +1 -0
package/dist/auth/role_grant_offer_queries.js +533 -0
package/dist/auth/role_grant_offer_schema.d.ts +150 -0
package/dist/auth/role_grant_offer_schema.d.ts.map +1 -0
package/dist/auth/{permit_offer_schema.js → role_grant_offer_schema.js} +60 -36
package/dist/auth/role_grant_queries.d.ts +231 -0
package/dist/auth/role_grant_queries.d.ts.map +1 -0
package/dist/auth/role_grant_queries.js +320 -0
package/dist/auth/role_schema.d.ts +150 -40
package/dist/auth/role_schema.d.ts.map +1 -1
package/dist/auth/role_schema.js +144 -45
package/dist/auth/scope_kind_schema.d.ts +96 -0
package/dist/auth/scope_kind_schema.d.ts.map +1 -0
package/dist/auth/scope_kind_schema.js +94 -0
package/dist/auth/self_service_role_action_specs.d.ts +6 -1
package/dist/auth/self_service_role_action_specs.d.ts.map +1 -1
package/dist/auth/self_service_role_action_specs.js +3 -1
package/dist/auth/self_service_role_actions.d.ts +34 -27
package/dist/auth/self_service_role_actions.d.ts.map +1 -1
package/dist/auth/self_service_role_actions.js +68 -48
package/dist/auth/session_cookie.d.ts +43 -6
package/dist/auth/session_cookie.d.ts.map +1 -1
package/dist/auth/session_cookie.js +31 -5
package/dist/auth/session_middleware.d.ts +37 -3
package/dist/auth/session_middleware.d.ts.map +1 -1
package/dist/auth/session_middleware.js +33 -7
package/dist/auth/signup_routes.d.ts.map +1 -1
package/dist/auth/signup_routes.js +48 -19
package/dist/auth/standard_action_specs.d.ts +2 -2
package/dist/auth/standard_action_specs.js +4 -4
package/dist/auth/standard_rpc_actions.d.ts +23 -19
package/dist/auth/standard_rpc_actions.d.ts.map +1 -1
package/dist/auth/standard_rpc_actions.js +12 -12
package/dist/db/migrate.d.ts +12 -8
package/dist/db/migrate.d.ts.map +1 -1
package/dist/db/migrate.js +10 -7
package/dist/dev/setup.d.ts +2 -2
package/dist/dev/setup.d.ts.map +1 -1
package/dist/dev/setup.js +9 -7
package/dist/env/load.d.ts +1 -1
package/dist/env/load.js +1 -1
package/dist/hono_context.d.ts +64 -5
package/dist/hono_context.d.ts.map +1 -1
package/dist/hono_context.js +38 -2
package/dist/http/CLAUDE.md +264 -87
package/dist/http/auth_shape.d.ts +191 -0
package/dist/http/auth_shape.d.ts.map +1 -0
package/dist/http/auth_shape.js +237 -0
package/dist/http/common_routes.js +3 -3
package/dist/http/db_routes.d.ts +4 -0
package/dist/http/db_routes.d.ts.map +1 -1
package/dist/http/db_routes.js +44 -7
package/dist/http/error_schemas.d.ts +132 -19
package/dist/http/error_schemas.d.ts.map +1 -1
package/dist/http/error_schemas.js +132 -40
package/dist/http/jsonrpc_errors.d.ts +27 -2
package/dist/http/jsonrpc_errors.d.ts.map +1 -1
package/dist/http/jsonrpc_errors.js +26 -2
package/dist/http/pending_effects.d.ts +71 -18
package/dist/http/pending_effects.d.ts.map +1 -1
package/dist/http/pending_effects.js +87 -18
package/dist/http/proxy.d.ts +52 -5
package/dist/http/proxy.d.ts.map +1 -1
package/dist/http/proxy.js +92 -14
package/dist/http/route_spec.d.ts +113 -41
package/dist/http/route_spec.d.ts.map +1 -1
package/dist/http/route_spec.js +130 -52
package/dist/http/schema_helpers.d.ts +3 -2
package/dist/http/schema_helpers.d.ts.map +1 -1
package/dist/http/schema_helpers.js +9 -2
package/dist/http/surface.d.ts +2 -1
package/dist/http/surface.d.ts.map +1 -1
package/dist/http/surface.js +1 -2
package/dist/http/surface_query.d.ts +39 -35
package/dist/http/surface_query.d.ts.map +1 -1
package/dist/http/surface_query.js +79 -36
package/dist/primitive_schemas.d.ts +39 -0
package/dist/primitive_schemas.d.ts.map +1 -0
package/dist/primitive_schemas.js +40 -0
package/dist/realtime/sse_auth_guard.d.ts +5 -5
package/dist/realtime/sse_auth_guard.js +9 -9
package/dist/runtime/mock.d.ts +1 -1
package/dist/runtime/mock.js +1 -1
package/dist/server/app_backend.d.ts +14 -11
package/dist/server/app_backend.d.ts.map +1 -1
package/dist/server/app_backend.js +12 -8
package/dist/server/app_server.d.ts +7 -7
package/dist/server/app_server.d.ts.map +1 -1
package/dist/server/app_server.js +36 -31
package/dist/server/validate_nginx.d.ts +1 -1
package/dist/server/validate_nginx.js +1 -1
package/dist/testing/CLAUDE.md +73 -55
package/dist/testing/admin_integration.d.ts +5 -6
package/dist/testing/admin_integration.d.ts.map +1 -1
package/dist/testing/admin_integration.js +100 -96
package/dist/testing/adversarial_headers.js +1 -1
package/dist/testing/app_server.d.ts +11 -14
package/dist/testing/app_server.d.ts.map +1 -1
package/dist/testing/app_server.js +18 -17
package/dist/testing/assertions.d.ts.map +1 -1
package/dist/testing/assertions.js +2 -1
package/dist/testing/attack_surface.d.ts.map +1 -1
package/dist/testing/attack_surface.js +15 -9
package/dist/testing/audit_completeness.d.ts +2 -2
package/dist/testing/audit_completeness.d.ts.map +1 -1
package/dist/testing/audit_completeness.js +53 -39
package/dist/testing/auth_apps.d.ts +5 -4
package/dist/testing/auth_apps.d.ts.map +1 -1
package/dist/testing/auth_apps.js +28 -22
package/dist/testing/data_exposure.d.ts.map +1 -1
package/dist/testing/data_exposure.js +5 -5
package/dist/testing/db.d.ts +1 -1
package/dist/testing/db.d.ts.map +1 -1
package/dist/testing/db.js +4 -4
package/dist/testing/db_entities.d.ts +22 -0
package/dist/testing/db_entities.d.ts.map +1 -0
package/dist/testing/db_entities.js +28 -0
package/dist/testing/entities.d.ts +10 -8
package/dist/testing/entities.d.ts.map +1 -1
package/dist/testing/entities.js +22 -18
package/dist/testing/integration.d.ts.map +1 -1
package/dist/testing/integration.js +13 -14
package/dist/testing/integration_helpers.d.ts +8 -6
package/dist/testing/integration_helpers.d.ts.map +1 -1
package/dist/testing/integration_helpers.js +29 -23
package/dist/testing/middleware.d.ts +15 -11
package/dist/testing/middleware.d.ts.map +1 -1
package/dist/testing/middleware.js +75 -32
package/dist/testing/rpc_attack_surface.d.ts.map +1 -1
package/dist/testing/rpc_attack_surface.js +40 -24
package/dist/testing/rpc_helpers.d.ts.map +1 -1
package/dist/testing/rpc_helpers.js +3 -1
package/dist/testing/rpc_round_trip.d.ts +1 -1
package/dist/testing/rpc_round_trip.d.ts.map +1 -1
package/dist/testing/rpc_round_trip.js +14 -13
package/dist/testing/sse_round_trip.d.ts +3 -4
package/dist/testing/sse_round_trip.d.ts.map +1 -1
package/dist/testing/sse_round_trip.js +7 -11
package/dist/testing/standard.d.ts +1 -1
package/dist/testing/stubs.d.ts +25 -0
package/dist/testing/stubs.d.ts.map +1 -1
package/dist/testing/stubs.js +43 -2
package/dist/testing/surface_invariants.d.ts +2 -2
package/dist/testing/ws_round_trip.d.ts +12 -13
package/dist/testing/ws_round_trip.d.ts.map +1 -1
package/dist/testing/ws_round_trip.js +24 -12
package/dist/ui/AdminAccounts.svelte +23 -20
package/dist/ui/AdminOverview.svelte +15 -13
package/dist/ui/AdminOverview.svelte.d.ts.map +1 -1
package/dist/ui/{AdminPermitHistory.svelte → AdminRoleGrantHistory.svelte} +12 -12
package/dist/ui/AdminRoleGrantHistory.svelte.d.ts +4 -0
package/dist/ui/AdminRoleGrantHistory.svelte.d.ts.map +1 -0
package/dist/ui/BootstrapForm.svelte +1 -1
package/dist/ui/CLAUDE.md +65 -59
package/dist/ui/{PermitOfferForm.svelte → RoleGrantOfferForm.svelte} +37 -22
package/dist/ui/RoleGrantOfferForm.svelte.d.ts +20 -0
package/dist/ui/RoleGrantOfferForm.svelte.d.ts.map +1 -0
package/dist/ui/{PermitOfferHistory.svelte → RoleGrantOfferHistory.svelte} +12 -12
package/dist/ui/{PermitOfferHistory.svelte.d.ts → RoleGrantOfferHistory.svelte.d.ts} +4 -4
package/dist/ui/RoleGrantOfferHistory.svelte.d.ts.map +1 -0
package/dist/ui/{PermitOfferInbox.svelte → RoleGrantOfferInbox.svelte} +14 -14
package/dist/ui/{PermitOfferInbox.svelte.d.ts → RoleGrantOfferInbox.svelte.d.ts} +4 -4
package/dist/ui/RoleGrantOfferInbox.svelte.d.ts.map +1 -0
package/dist/ui/SignupForm.svelte +1 -1
package/dist/ui/SurfaceExplorer.svelte +35 -15
package/dist/ui/SurfaceExplorer.svelte.d.ts.map +1 -1
package/dist/ui/account_sessions_state.svelte.d.ts +2 -3
package/dist/ui/account_sessions_state.svelte.d.ts.map +1 -1
package/dist/ui/account_sessions_state.svelte.js +2 -3
package/dist/ui/admin_accounts_state.svelte.d.ts +25 -18
package/dist/ui/admin_accounts_state.svelte.d.ts.map +1 -1
package/dist/ui/admin_accounts_state.svelte.js +28 -17
package/dist/ui/admin_rpc_adapters.d.ts +20 -20
package/dist/ui/admin_rpc_adapters.d.ts.map +1 -1
package/dist/ui/admin_rpc_adapters.js +17 -17
package/dist/ui/admin_sessions_state.svelte.d.ts +2 -2
package/dist/ui/admin_sessions_state.svelte.js +2 -2
package/dist/ui/audit_log_state.svelte.d.ts +7 -7
package/dist/ui/audit_log_state.svelte.d.ts.map +1 -1
package/dist/ui/audit_log_state.svelte.js +6 -6
package/dist/ui/auth_state.svelte.d.ts +3 -3
package/dist/ui/auth_state.svelte.d.ts.map +1 -1
package/dist/ui/auth_state.svelte.js +6 -6
package/dist/ui/format_scope.d.ts +2 -2
package/dist/ui/format_scope.js +2 -2
package/dist/ui/{permit_offers_state.svelte.d.ts → role_grant_offers_state.svelte.d.ts} +39 -31
package/dist/ui/role_grant_offers_state.svelte.d.ts.map +1 -0
package/dist/ui/{permit_offers_state.svelte.js → role_grant_offers_state.svelte.js} +25 -19
package/dist/ui/ui_format.js +2 -2
package/package.json +3 -3
package/dist/auth/permit_offer_action_specs.d.ts.map +0 -1
package/dist/auth/permit_offer_action_specs.js +0 -227
package/dist/auth/permit_offer_actions.d.ts +0 -110
package/dist/auth/permit_offer_actions.d.ts.map +0 -1
package/dist/auth/permit_offer_actions.js +0 -452
package/dist/auth/permit_offer_notifications.d.ts.map +0 -1
package/dist/auth/permit_offer_notifications.js +0 -182
package/dist/auth/permit_offer_queries.d.ts +0 -183
package/dist/auth/permit_offer_queries.d.ts.map +0 -1
package/dist/auth/permit_offer_queries.js +0 -408
package/dist/auth/permit_offer_schema.d.ts +0 -103
package/dist/auth/permit_offer_schema.d.ts.map +0 -1
package/dist/auth/permit_queries.d.ts +0 -210
package/dist/auth/permit_queries.d.ts.map +0 -1
package/dist/auth/permit_queries.js +0 -294
package/dist/auth/require_keeper.d.ts +0 -20
package/dist/auth/require_keeper.d.ts.map +0 -1
package/dist/auth/require_keeper.js +0 -35
package/dist/auth/route_guards.d.ts +0 -21
package/dist/auth/route_guards.d.ts.map +0 -1
package/dist/auth/route_guards.js +0 -32
package/dist/auth/session_lifecycle.d.ts +0 -37
package/dist/auth/session_lifecycle.d.ts.map +0 -1
package/dist/auth/session_lifecycle.js +0 -29
package/dist/ui/AdminPermitHistory.svelte.d.ts +0 -4
package/dist/ui/AdminPermitHistory.svelte.d.ts.map +0 -1
package/dist/ui/PermitOfferForm.svelte.d.ts +0 -14
package/dist/ui/PermitOfferForm.svelte.d.ts.map +0 -1
package/dist/ui/PermitOfferHistory.svelte.d.ts.map +0 -1
package/dist/ui/PermitOfferInbox.svelte.d.ts.map +0 -1
package/dist/ui/permit_offers_state.svelte.d.ts.map +0 -1

package/dist/auth/role_grant_offer_queries.d.ts ADDED Viewed

@@ -0,0 +1,242 @@
+/**
+ * Role grant offer database queries.
+ *
+ * Covers the offer side of the consentful-role-grants flow: create (with
+ * re-offer upsert), decline, retract, list, find-pending, sweep-expired,
+ * and the atomic `query_accept_offer` that bridges offer → role_grant.
+ *
+ * IDOR guards are expressed in each helper's signature — decline/accept
+ * require the recipient's `to_account_id`, retract requires the grantor's
+ * `from_actor_id`.
+ *
+ * @module
+ */
+import type { Uuid } from '@fuzdev/fuz_util/id.js';
+import type { QueryDeps } from '../db/query_deps.js';
+import type { RoleGrant } from './account_schema.js';
+import { type CreateRoleGrantOfferInput, type RoleGrantOffer, type SupersededOffer } from './role_grant_offer_schema.js';
+import type { AuditLogEvent } from './audit_log_schema.js';
+/**
+ * Error thrown by offer-lifecycle queries when the offer is in a non-pending
+ * state (accepted / declined / retracted / superseded) and therefore not
+ * actionable. Distinct from `RoleGrantOfferExpiredError` — expiry has its own
+ * user-facing story ("ask the grantor to re-send") so it travels separately.
+ */
+export declare class RoleGrantOfferAlreadyTerminalError extends Error {
+    constructor(offer_id: string);
+}
+/**
+ * Error thrown when an offer's `expires_at` has passed. The accept path
+ * enforces this independently of the sweep — a stale offer past its expiry
+ * must not be accepted, even in the race window between expiry and the
+ * sweep stamping the audit event.
+ */
+export declare class RoleGrantOfferExpiredError extends Error {
+    constructor(offer_id: string);
+}
+/**
+ * Error thrown when an offer cannot be located for the caller. Covers both
+ * "offer does not exist" and "offer belongs to a different recipient"
+ * (IDOR guard) — the standard 404-over-403 pattern that avoids disclosing
+ * whether an offer id exists.
+ */
+export declare class RoleGrantOfferNotFoundError extends Error {
+    constructor(offer_id: string);
+}
+/**
+ * Error thrown when a grantor attempts to offer a role_grant to their own account.
+ *
+ * Enforced via a single SELECT on the grantor's `actor.account_id` (rather
+ * than via a CHECK constraint or a denormalized column). Resolving from the
+ * grantor side keeps the check multi-actor-correct: under multi-actor the
+ * recipient account may host many actors, but the grantor → account binding
+ * remains 1:1 by definition of `actor`.
+ */
+export declare class RoleGrantOfferSelfTargetError extends Error {
+    constructor();
+}
+/**
+ * Error thrown when an actor-targeted offer is being accepted by an actor
+ * other than `offer.to_actor_id`. Distinct from `RoleGrantOfferNotFoundError`
+ * (the IDOR mask): once an offer has been resolved to the recipient account,
+ * a wrong-actor accept on a same-account actor is a contract violation, not
+ * a privacy boundary — surface a specific error so the client UI can
+ * distinguish "this offer isn't for you" from "no such offer".
+ */
+export declare class RoleGrantOfferActorMismatchError extends Error {
+    constructor(offer_id: string);
+}
+/**
+ * Error thrown when `query_role_grant_offer_create` is called with a
+ * `to_actor_id` that does not exist or does not belong to `to_account_id`.
+ * Surfaces the actor↔account binding mismatch at the boundary instead of
+ * letting the FK silently disagree with the recipient field.
+ */
+export declare class RoleGrantOfferActorAccountMismatchError extends Error {
+    constructor();
+}
+/**
+ * Create a new role_grant offer, or refresh an existing pending offer for the
+ * same `(to_account_id, role, scope_id, from_actor_id)` tuple.
+ *
+ * Re-offer semantics: a second call by the same grantor with the same
+ * `(to_account, role, scope)` while pending upserts the existing row,
+ * refreshing `message` and `expires_at` (and `to_actor_id` — supplying
+ * a different `to_actor_id` on re-offer narrows the existing row to the
+ * named actor; supplying null widens it back to account-grain). A
+ * different grantor offering the same `(to_account, role, scope)` creates
+ * a distinct row — multiple pending grantors coexist. After a terminal
+ * state, a re-offer is a fresh INSERT.
+ *
+ * Self-offer rejection: throws `RoleGrantOfferSelfTargetError` if the offering
+ * actor belongs to the recipient account.
+ *
+ * Actor-targeted offers: when `to_actor_id` is supplied,
+ * `query_accept_offer` rejects any actor other than the named one. Closes
+ * the audit hole where offer-shape events would otherwise leave
+ * `target_actor_id` null even when the recipient binding is known at
+ * offer time. The actor↔account binding is verified here in one SELECT.
+ *
+ * @mutates `role_grant_offer` table - inserts a new offer or upserts the matching pending row
+ * @throws RoleGrantOfferSelfTargetError if the offering actor belongs to `to_account_id`
+ * @throws RoleGrantOfferActorAccountMismatchError if `to_actor_id` is set but does not belong to `to_account_id`
+ */
+export declare const query_role_grant_offer_create: (deps: QueryDeps, input: CreateRoleGrantOfferInput) => Promise<RoleGrantOffer>;
+/** Result of `query_role_grant_offer_decline` — the declined offer plus the grantor's `account_id`. */
+export interface DeclinedOffer extends RoleGrantOffer {
+    /**
+     * Grantor's `account_id`, resolved via a join on `actor` so the audit
+     * envelope's `target_account_id` (decline is *to* the grantor) and the
+     * post-commit notification target are both addressable without a
+     * second round-trip.
+     */
+    from_account_id: Uuid;
+}
+/**
+ * Mark an offer declined.
+ *
+ * Guarded by `to_account_id` (IDOR). Returns `null` if the offer does not
+ * exist or belongs to a different account. Throws
+ * `RoleGrantOfferAlreadyTerminalError` if the offer exists for the caller but
+ * is already in a terminal state.
+ *
+ * Returns the declined offer with the grantor's `from_account_id` joined
+ * in via CTE — the decline audit envelope populates **both**
+ * `target_actor_id` (the grantor actor) and `target_account_id` (the
+ * grantor account), satisfying the "both populated → same account"
+ * invariant the audit-log column comments describe.
+ *
+ * @mutates `role_grant_offer` row - sets `declined_at` and `decline_reason`
+ * @throws RoleGrantOfferAlreadyTerminalError if the offer is already accepted, declined, retracted, or superseded
+ */
+export declare const query_role_grant_offer_decline: (deps: QueryDeps, offer_id: string, to_account_id: string, reason: string | null) => Promise<DeclinedOffer | null>;
+/**
+ * Mark an offer retracted by the grantor.
+ *
+ * Guarded by `from_actor_id` (IDOR). Returns `null` if the offer does not
+ * exist or was issued by a different actor. Throws
+ * `RoleGrantOfferAlreadyTerminalError` if the offer exists for this grantor
+ * but is already in a terminal state.
+ *
+ * @mutates `role_grant_offer` row - sets `retracted_at`
+ * @throws RoleGrantOfferAlreadyTerminalError if the offer is already accepted, declined, retracted, or superseded
+ */
+export declare const query_role_grant_offer_retract: (deps: QueryDeps, offer_id: string, from_actor_id: string) => Promise<RoleGrantOffer | null>;
+/**
+ * List pending, non-expired offers for an account, soonest expiry first.
+ *
+ * Expired offers are filtered server-side (`expires_at > NOW()`) so the
+ * inbox never surfaces a row that can no longer be accepted. The periodic
+ * sweep (`query_role_grant_offer_sweep_expired`) handles audit tombstoning.
+ */
+export declare const query_role_grant_offer_list: (deps: QueryDeps, to_account_id: string) => Promise<Array<RoleGrantOffer>>;
+/**
+ * List every offer involving an account (either direction), newest first.
+ *
+ * Includes terminal offers — used by the grantor-side admin / history view.
+ */
+export declare const query_role_grant_offer_history_for_account: (deps: QueryDeps, account_id: string, limit?: number, offset?: number) => Promise<Array<RoleGrantOffer>>;
+/**
+ * Look up a pending offer by id. Returns `null` if the offer is terminal,
+ * expired (server-side filter), or missing.
+ */
+export declare const query_role_grant_offer_find_pending: (deps: QueryDeps, offer_id: string) => Promise<RoleGrantOffer | null>;
+/**
+ * Return pending offers whose `expires_at` has passed.
+ *
+ * Callers fire `role_grant_offer_expire` audit events for each row. The schema
+ * does not tombstone the row, so callers are responsible for their own
+ * idempotency (e.g. check whether a `role_grant_offer_expire` audit event
+ * already exists for the offer id).
+ */
+export declare const query_role_grant_offer_sweep_expired: (deps: QueryDeps) => Promise<Array<RoleGrantOffer>>;
+/** Input for `query_accept_offer`. */
+export interface AcceptOfferInput {
+    offer_id: Uuid;
+    /** Account of the accepting recipient — IDOR guard against another account accepting the offer. */
+    to_account_id: Uuid;
+    /**
+     * Accepting actor — the actor that will hold the resulting role_grant.
+     * Must belong to `to_account_id`; the query verifies and throws if not
+     * (defense-in-depth — the action handler passes `auth.actor.id` which
+     * is session-bound, but the query enforces the invariant for all
+     * callers including tests and future direct consumers).
+     *
+     * Required because under multi-actor an account may host many actors;
+     * the resulting role_grant must bind to the actor that actually accepted,
+     * not "an" actor on the account picked by query order.
+     */
+    actor_id: Uuid;
+    /** Optional IP to stamp on the audit events. */
+    ip?: string | null;
+}
+/** Result of `query_accept_offer` — the role_grant produced (new or pre-existing on race), plus the (now-accepted) offer. */
+export interface AcceptOfferResult {
+    role_grant: RoleGrant;
+    offer: RoleGrantOffer;
+    /** `true` if this call is the one that accepted the offer (new role_grant inserted); `false` on a race returning the already-created role_grant. */
+    created: boolean;
+    /**
+     * Sibling offers superseded by this accept — empty on the race-loser path.
+     * Each entry carries its grantor's `from_account_id` so the caller can
+     * fan out `role_grant_offer_supersede` notifications without a second
+     * round-trip.
+     */
+    superseded_offers: Array<SupersededOffer>;
+    /** Audit events emitted in-transaction — fed back through `audit.notify` by the caller, which fans out to `audit.on_event_chain`. Includes one `role_grant_offer_supersede` per superseded sibling. */
+    audit_events: Array<AuditLogEvent>;
+}
+/**
+ * Accept an offer atomically: mark accepted, insert the role_grant, stamp
+ * `resulting_role_grant_id`, supersede sibling pending offers for the same
+ * `(to_account, role, scope)`, and emit `role_grant_offer_accept` +
+ * `role_grant_create` + one `role_grant_offer_supersede` per sibling. Must run
+ * inside a transaction — the caller's route spec should declare
+ * `transaction: true` (or wrap explicitly).
+ *
+ * Idempotent on race: if a second concurrent call observes the offer
+ * already accepted, returns the existing role_grant rather than creating a
+ * duplicate or throwing.
+ *
+ * Error map:
+ * - `RoleGrantOfferNotFoundError` — offer does not exist, or belongs to a
+ *   different recipient (IDOR guard). The offer row is untouched.
+ * - `RoleGrantOfferAlreadyTerminalError` — offer is declined, retracted, or
+ *   superseded.
+ * - `RoleGrantOfferExpiredError` — offer is pending but past `expires_at`.
+ *
+ * Sibling supersede is what closes the "accept a pre-revoke sibling offer
+ * to bypass a revoke" path: once A is accepted, B/C/... can no longer be
+ * accepted even if the resulting role_grant is later revoked.
+ *
+ * @mutates `role_grant_offer` row - stamps `accepted_at` and `resulting_role_grant_id`
+ * @mutates `role_grant` table - inserts the resulting role_grant (idempotent on race)
+ * @mutates `role_grant_offer` siblings - stamps `superseded_at` on every other pending offer for the tuple
+ * @mutates `audit_log` table - emits `role_grant_offer_accept` + `role_grant_create` + one `role_grant_offer_supersede` per sibling
+ * @throws RoleGrantOfferNotFoundError if the offer is missing or belongs to another recipient
+ * @throws RoleGrantOfferAlreadyTerminalError if the offer is declined, retracted, or superseded
+ * @throws RoleGrantOfferExpiredError if the offer is pending but past `expires_at`
+ * @throws Error if the accepting `actor_id` does not belong to `to_account_id`, or invariant assertions fail
+ */
+export declare const query_accept_offer: (deps: QueryDeps, input: AcceptOfferInput) => Promise<AcceptOfferResult>;
+//# sourceMappingURL=role_grant_offer_queries.d.ts.map

package/dist/auth/role_grant_offer_queries.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"role_grant_offer_queries.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/role_grant_offer_queries.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AAEH,OAAO,KAAK,EAAC,IAAI,EAAC,MAAM,wBAAwB,CAAC;AAEjD,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,qBAAqB,CAAC;AAEnD,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,qBAAqB,CAAC;AACnD,OAAO,EAGN,KAAK,yBAAyB,EAC9B,KAAK,cAAc,EACnB,KAAK,eAAe,EACpB,MAAM,8BAA8B,CAAC;AAEtC,OAAO,KAAK,EAAC,aAAa,EAAC,MAAM,uBAAuB,CAAC;AAEzD;;;;;GAKG;AACH,qBAAa,kCAAmC,SAAQ,KAAK;gBAChD,QAAQ,EAAE,MAAM;CAI5B;AAED;;;;;GAKG;AACH,qBAAa,0BAA2B,SAAQ,KAAK;gBACxC,QAAQ,EAAE,MAAM;CAI5B;AAED;;;;;GAKG;AACH,qBAAa,2BAA4B,SAAQ,KAAK;gBACzC,QAAQ,EAAE,MAAM;CAI5B;AAED;;;;;;;;GAQG;AACH,qBAAa,6BAA8B,SAAQ,KAAK;;CAKvD;AAED;;;;;;;GAOG;AACH,qBAAa,gCAAiC,SAAQ,KAAK;gBAC9C,QAAQ,EAAE,MAAM;CAI5B;AAED;;;;;GAKG;AACH,qBAAa,uCAAwC,SAAQ,KAAK;;CAKjE;AAED;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,eAAO,MAAM,6BAA6B,GACzC,MAAM,SAAS,EACf,OAAO,yBAAyB,KAC9B,OAAO,CAAC,cAAc,CAuDxB,CAAC;AAEF,uGAAuG;AACvG,MAAM,WAAW,aAAc,SAAQ,cAAc;IACpD;;;;;OAKG;IACH,eAAe,EAAE,IAAI,CAAC;CACtB;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,eAAO,MAAM,8BAA8B,GAC1C,MAAM,SAAS,EACf,UAAU,MAAM,EAChB,eAAe,MAAM,EACrB,QAAQ,MAAM,GAAG,IAAI,KACnB,OAAO,CAAC,aAAa,GAAG,IAAI,CAoB9B,CAAC;AAEF;;;;;;;;;;GAUG;AACH,eAAO,MAAM,8BAA8B,GAC1C,MAAM,SAAS,EACf,UAAU,MAAM,EAChB,eAAe,MAAM,KACnB,OAAO,CAAC,cAAc,GAAG,IAAI,CAe/B,CAAC;AA8BF;;;;;;GAMG;AACH,eAAO,MAAM,2BAA2B,GACvC,MAAM,SAAS,EACf,eAAe,MAAM,KACnB,OAAO,CAAC,KAAK,CAAC,cAAc,CAAC,CAY/B,CAAC;AAEF;;;;GAIG;AACH,eAAO,MAAM,0CAA0C,GACtD,MAAM,SAAS,EACf,YAAY,MAAM,EAClB,cAAW,EACX,eAAU,KACR,OAAO,CAAC,KAAK,CAAC,cAAc,CAAC,CAS/B,CAAC;AAEF;;;GAGG;AACH,eAAO,MAAM,mCAAmC,GAC/C,MAAM,SAAS,EACf,UAAU,MAAM,KACd,OAAO,CAAC,cAAc,GAAG,IAAI,CAY/B,CAAC;AAEF;;;;;;;GAOG;AACH,eAAO,MAAM,oCAAoC,GAChD,MAAM,SAAS,KACb,OAAO,CAAC,KAAK,CAAC,cAAc,CAAC,CAU/B,CAAC;AAEF,sCAAsC;AACtC,MAAM,WAAW,gBAAgB;IAChC,QAAQ,EAAE,IAAI,CAAC;IACf,mGAAmG;IACnG,aAAa,EAAE,IAAI,CAAC;IACpB;;;;;;;;;;OAUG;IACH,QAAQ,EAAE,IAAI,CAAC;IACf,gDAAgD;IAChD,EAAE,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CACnB;AAED,6HAA6H;AAC7H,MAAM,WAAW,iBAAiB;IACjC,UAAU,EAAE,SAAS,CAAC;IACtB,KAAK,EAAE,cAAc,CAAC;IACtB,oJAAoJ;IACpJ,OAAO,EAAE,OAAO,CAAC;IACjB;;;;;OAKG;IACH,iBAAiB,EAAE,KAAK,CAAC,eAAe,CAAC,CAAC;IAC1C,uMAAuM;IACvM,YAAY,EAAE,KAAK,CAAC,aAAa,CAAC,CAAC;CACnC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA+BG;AACH,eAAO,MAAM,kBAAkB,GAC9B,MAAM,SAAS,EACf,OAAO,gBAAgB,KACrB,OAAO,CAAC,iBAAiB,CAoO3B,CAAC"}