@fuzdev/fuz_app 0.54.0 → 0.56.0

package/dist/testing/app_server.js

@@ -5,12 +5,13 @@ import { ROLE_KEEPER } from '../auth/role_schema.js';
 import { create_validated_keyring } from '../auth/keyring.js';
 import { generate_api_token } from '../auth/api_token.js';
 import { query_create_account_with_actor } from '../auth/account_queries.js';
-import { query_grant_permit } from '../auth/permit_queries.js';
+import { query_create_role_grant } from '../auth/role_grant_queries.js';
 import { generate_session_token, hash_session_token, AUTH_SESSION_LIFETIME_MS, query_create_session, } from '../auth/session_queries.js';
 import { query_create_api_token } from '../auth/api_token_queries.js';
 import { create_session_cookie_value } from '../auth/session_cookie.js';
 import { run_migrations } from '../db/migrate.js';
 import { AUTH_MIGRATION_NS } from '../auth/migrations.js';
+import { create_audit_emitter } from '../auth/audit_emitter.js';
 import { create_app_server, } from '../server/app_server.js';
 import { generate_daemon_token, DAEMON_TOKEN_HEADER, } from '../auth/daemon_token.js';
 import { create_pglite_factory } from './db.js';
@@ -42,7 +43,7 @@ const fallback_pglite_factory = create_pglite_factory(async (db) => {
  * `create_test_app_server` and `TestApp.create_account`.
  *
  * @mutates the underlying `options.db` — inserts rows into `account`, `actor`,
- *   `permit` (one per role), `api_token`, and `auth_session`.
+ *   `role_grant` (one per role), `api_token`, and `auth_session`.
  */
 export const bootstrap_test_account = async (options) => {
     const { db, keyring, session_options, password, username = 'keeper', password_value = 'test-password-123', roles = [], } = options;
@@ -54,12 +55,12 @@ export const bootstrap_test_account = async (options) => {
     });
     // Grant roles
     for (const role of roles) {
-        await query_grant_permit(deps, { actor_id: actor.id, role, granted_by: null });
+        await query_create_role_grant(deps, { actor_id: actor.id, role, granted_by: null });
     }
-    // Create API token
+    // Create API token (account-scoped — acting actor is per-request)
     const { token: api_token, id: token_id, token_hash } = generate_api_token();
     await query_create_api_token(deps, token_id, account.id, 'test-cli', token_hash);
-    // Create session + cookie
+    // Create session (account-scoped — acting actor is per-request)
     const session_token = generate_session_token();
     const session_hash = hash_session_token(session_token);
     const expires_at = new Date(Date.now() + AUTH_SESSION_LIFETIME_MS);
@@ -80,7 +81,7 @@ const test_log = new Logger('test', { level: 'off' });
  * Sets up:
  * - Auth tables (via cached PGlite factory, or reuses existing `db`)
  * - A keeper account with hashed password
- * - Role permits for each role in `options.roles`
+ * - Role role_grants for each role in `options.roles`
  * - An API token for Bearer auth
  * - A session with a signed cookie value
  *
@@ -91,10 +92,8 @@ const test_log = new Logger('test', { level: 'off' });
  * @returns a `TestAppServer` ready for HTTP testing
  * @mutates the underlying database — when `db` is supplied, resets singleton
  *   state (`bootstrap_lock.bootstrapped`, `app_settings.open_signup`) before
- *   bootstrapping; in either branch inserts an account, actor, role permits,
- *   API token, and session row. When `audit_log_config` is provided, also
- *   sets `backend.deps.audit_log_config` so `create_app_server`'s shallow
- *   spread picks it up.
+ *   bootstrapping; in either branch inserts an account, actor, role role_grants,
+ *   API token, and session row.
  */
 export const create_test_app_server = async (options) => {
     const { session_options, db: existing_db, db_type = 'pglite-memory', password = stub_password_deps, username = 'keeper', password_value = 'test-password-123', roles = [ROLE_KEEPER], on_audit_event = () => { }, // eslint-disable-line @typescript-eslint/no-empty-function
@@ -117,6 +116,12 @@ export const create_test_app_server = async (options) => {
         await existing_db.query('UPDATE app_settings SET open_signup = false, updated_at = NULL, updated_by = NULL WHERE open_signup = true OR updated_at IS NOT NULL');
         // Use the caller's database — tables already created by the factory's init_schema.
         // Caller owns the DB lifecycle — close is a no-op.
+        const audit = create_audit_emitter({
+            db: existing_db,
+            log: test_log,
+            on_audit_event,
+            audit_log_config,
+        });
         backend = {
             db_type,
             db_name: 'test',
@@ -127,7 +132,7 @@ export const create_test_app_server = async (options) => {
                 password,
                 db: existing_db,
                 log: test_log,
-                on_audit_event,
+                audit,
                 ...fs_stubs,
             },
         };
@@ -137,6 +142,7 @@ export const create_test_app_server = async (options) => {
         // instead of creating a new PGlite each time. Schema is reset and migrations re-run
         // on each call, but the expensive WASM cold start only happens once per worker thread.
         const db = await fallback_pglite_factory.create();
+        const audit = create_audit_emitter({ db, log: test_log, on_audit_event, audit_log_config });
         backend = {
             db_type: 'pglite-memory',
             db_name: '(memory)',
@@ -147,7 +153,7 @@ export const create_test_app_server = async (options) => {
                 password,
                 db,
                 log: test_log,
-                on_audit_event,
+                audit,
                 ...fs_stubs,
             },
         };
@@ -161,11 +167,6 @@ export const create_test_app_server = async (options) => {
         password_value,
         roles,
     });
-    // Land before `create_app_server`'s shallow-spread of `backend.deps` so
-    // the SSE branch's snapshot picks it up alongside the no-SSE alias branch.
-    if (audit_log_config !== undefined) {
-        backend.deps.audit_log_config = audit_log_config;
-    }
     return {
         ...backend,
         ...bootstrapped,

package/dist/testing/assertions.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"assertions.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/assertions.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAe7B,OAAO,KAAK,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAE3B,OAAO,KAAK,EAAC,UAAU,EAAE,eAAe,EAAC,MAAM,oBAAoB,CAAC;AACpE,OAAO,KAAK,EAAC,iBAAiB,EAAC,MAAM,0BAA0B,CAAC;AAEhE;;;;GAIG;AACH,eAAO,MAAM,oBAAoB,GAAI,UAAU,MAAM,EAAE,iBAAiB,MAAM,KAAG,MACtB,CAAC;AAE5D;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,+BAA+B,GAC3C,SAAS,UAAU,EACnB,eAAe,MAAM,KACnB,IAOF,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,4BAA4B,GAAI,eAAe,MAAM,UAAU,KAAG,IAE9E,CAAC;AAEF;;;;;;;;GAQG;AACH,eAAO,MAAM,kCAAkC,GAC9C,SAAS,UAAU,EACnB,iBAAiB,KAAK,CAAC,MAAM,CAAC,KAC5B,IAWF,CAAC;AAEF;;;;;;;;GAQG;AACH,eAAO,MAAM,sBAAsB,GAClC,QAAQ,GAAG,CAAC,MAAM,EAAE,iBAAiB,CAAC,EACtC,OAAO,eAAe,EACtB,QAAQ,MAAM,KACZ,CAAC,CAAC,OAAO,GAAG,SAGd,CAAC;AAEF;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,yBAAyB,GACrC,QAAQ,GAAG,CAAC,MAAM,EAAE,iBAAiB,CAAC,EACtC,OAAO,eAAe,EACtB,QAAQ,MAAM,EACd,MAAM,OAAO,KACX,IAIF,CAAC;AAEF;;;;;;;;GAQG;AACH,eAAO,MAAM,4BAA4B,GACxC,SAAS,UAAU,EACnB,aAAa,MAAM,EACnB,qBAAqB,KAAK,CAAC,MAAM,CAAC,KAChC,IAUF,CAAC"}
+{"version":3,"file":"assertions.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/assertions.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAe7B,OAAO,KAAK,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAE3B,OAAO,KAAK,EAAC,UAAU,EAAE,eAAe,EAAC,MAAM,oBAAoB,CAAC;AACpE,OAAO,KAAK,EAAC,iBAAiB,EAAC,MAAM,0BAA0B,CAAC;AAGhE;;;;GAIG;AACH,eAAO,MAAM,oBAAoB,GAAI,UAAU,MAAM,EAAE,iBAAiB,MAAM,KAAG,MACtB,CAAC;AAE5D;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,+BAA+B,GAC3C,SAAS,UAAU,EACnB,eAAe,MAAM,KACnB,IAOF,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,4BAA4B,GAAI,eAAe,MAAM,UAAU,KAAG,IAE9E,CAAC;AAEF;;;;;;;;GAQG;AACH,eAAO,MAAM,kCAAkC,GAC9C,SAAS,UAAU,EACnB,iBAAiB,KAAK,CAAC,MAAM,CAAC,KAC5B,IAWF,CAAC;AAEF;;;;;;;;GAQG;AACH,eAAO,MAAM,sBAAsB,GAClC,QAAQ,GAAG,CAAC,MAAM,EAAE,iBAAiB,CAAC,EACtC,OAAO,eAAe,EACtB,QAAQ,MAAM,KACZ,CAAC,CAAC,OAAO,GAAG,SAGd,CAAC;AAEF;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,yBAAyB,GACrC,QAAQ,GAAG,CAAC,MAAM,EAAE,iBAAiB,CAAC,EACtC,OAAO,eAAe,EACtB,QAAQ,MAAM,EACd,MAAM,OAAO,KACX,IAIF,CAAC;AAEF;;;;;;;;GAQG;AACH,eAAO,MAAM,4BAA4B,GACxC,SAAS,UAAU,EACnB,aAAa,MAAM,EACnB,qBAAqB,KAAK,CAAC,MAAM,CAAC,KAChC,IAUF,CAAC"}

package/dist/testing/assertions.js

@@ -11,6 +11,7 @@ import { readFileSync } from 'node:fs';
 import { resolve, dirname } from 'node:path';
 import { fileURLToPath } from 'node:url';
 import { assert } from 'vitest';
+import { is_public_auth } from '../http/auth_shape.js';
 /**
  * Resolve an absolute path relative to the caller's module.
  *
@@ -52,7 +53,7 @@ export const assert_surface_deterministic = (build_surface) => {
 export const assert_only_expected_public_routes = (surface, expected_public) => {
     const expected = new Set(expected_public);
     const actual_public = surface.routes
-        .filter((r) => r.auth.type === 'none')
+        .filter((r) => is_public_auth(r.auth))
         .map((r) => `${r.method} ${r.path}`);
     const unexpected = actual_public.filter((r) => !expected.has(r));
     const missing = expected_public.filter((r) => !actual_public.includes(r));

package/dist/testing/attack_surface.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"attack_surface.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/attack_surface.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAoB7B,OAAO,EAON,KAAK,4BAA4B,EACjC,KAAK,2BAA2B,EAChC,MAAM,yBAAyB,CAAC;AAoBjC,OAAO,EAA4B,KAAK,cAAc,EAAC,MAAM,oBAAoB,CAAC;AAsClF,oFAAoF;AACpF,MAAM,WAAW,sBAAsB;IACtC,+EAA+E;IAC/E,KAAK,EAAE,MAAM,cAAc,CAAC;IAC5B,yDAAyD;IACzD,KAAK,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;CACrB;AAED;;;;;;;;GAQG;AACH,eAAO,MAAM,yBAAyB,GAAI,SAAS,sBAAsB,KAAG,IAkH3E,CAAC;AAIF;;;;;;;;;;;;;;GAcG;AACH,eAAO,MAAM,uCAAuC,GACnD,UAAU,2BAA2B,GAAG,IAAI,GAAG,SAAS,KACtD,2BAA2B,GAAG,IAWhC,CAAC;AAEF,0DAA0D;AAC1D,MAAM,WAAW,4BAA4B;IAC5C,+EAA+E;IAC/E,KAAK,EAAE,MAAM,cAAc,CAAC;IAC5B,yDAAyD;IACzD,aAAa,EAAE,MAAM,CAAC;IACtB,iFAAiF;IACjF,sBAAsB,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IACtC,gHAAgH;IAChH,uBAAuB,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IACvC,yDAAyD;IACzD,KAAK,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IACrB,qEAAqE;IACrE,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,iEAAiE;IACjE,eAAe,CAAC,EAAE,4BAA4B,CAAC;IAC/C;;;;;;;;;;;OAWG;IACH,sBAAsB,CAAC,EAAE,2BAA2B,GAAG,IAAI,CAAC;CAC5D;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,eAAO,MAAM,sCAAsC,GAClD,SAAS,4BAA4B,KACnC,IAuEF,CAAC"}
+{"version":3,"file":"attack_surface.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/attack_surface.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAoB7B,OAAO,EAON,KAAK,4BAA4B,EACjC,KAAK,2BAA2B,EAChC,MAAM,yBAAyB,CAAC;AAoBjC,OAAO,EAA4B,KAAK,cAAc,EAAC,MAAM,oBAAoB,CAAC;AAsClF,oFAAoF;AACpF,MAAM,WAAW,sBAAsB;IACtC,+EAA+E;IAC/E,KAAK,EAAE,MAAM,cAAc,CAAC;IAC5B,yDAAyD;IACzD,KAAK,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;CACrB;AAED;;;;;;;;GAQG;AACH,eAAO,MAAM,yBAAyB,GAAI,SAAS,sBAAsB,KAAG,IA4H3E,CAAC;AAIF;;;;;;;;;;;;;;GAcG;AACH,eAAO,MAAM,uCAAuC,GACnD,UAAU,2BAA2B,GAAG,IAAI,GAAG,SAAS,KACtD,2BAA2B,GAAG,IAWhC,CAAC;AAEF,0DAA0D;AAC1D,MAAM,WAAW,4BAA4B;IAC5C,+EAA+E;IAC/E,KAAK,EAAE,MAAM,cAAc,CAAC;IAC5B,yDAAyD;IACzD,aAAa,EAAE,MAAM,CAAC;IACtB,iFAAiF;IACjF,sBAAsB,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IACtC,gHAAgH;IAChH,uBAAuB,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IACvC,yDAAyD;IACzD,KAAK,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IACrB,qEAAqE;IACrE,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,iEAAiE;IACjE,eAAe,CAAC,EAAE,4BAA4B,CAAC;IAC/C;;;;;;;;;;;OAWG;IACH,sBAAsB,CAAC,EAAE,2BAA2B,GAAG,IAAI,CAAC;CAC5D;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,eAAO,MAAM,sCAAsC,GAClD,SAAS,4BAA4B,KACnC,IAuEF,CAAC"}

package/dist/testing/attack_surface.js

@@ -23,7 +23,7 @@ import { assert_surface_matches_snapshot, assert_surface_deterministic, assert_o
 import { merge_error_schemas } from '../http/schema_helpers.js';
 import { collect_middleware_errors } from '../http/surface.js';
 import { filter_protected_routes, filter_role_routes, filter_keeper_routes, } from '../http/surface_query.js';
-import { ERROR_AUTHENTICATION_REQUIRED, ERROR_INSUFFICIENT_PERMISSIONS, ERROR_KEEPER_REQUIRES_DAEMON_TOKEN, } from '../http/error_schemas.js';
+import { ERROR_AUTHENTICATION_REQUIRED, ERROR_INSUFFICIENT_PERMISSIONS, ERROR_CREDENTIAL_TYPE_REQUIRED, } from '../http/error_schemas.js';
 // --- Adversarial test runner ---
 /**
  * Build a lookup from `"METHOD /path"` to merged error schemas (auto-derived + middleware + explicit).
@@ -79,12 +79,17 @@ export const describe_adversarial_auth = (options) => {
                 });
             }
         });
-        if (role_routes.length > 0) {
+        // Role-only routes (no credential gate). Keeper routes have a credential
+        // gate that fires before the role gate, so they get tested separately
+        // in the keeper block below.
+        const role_only_routes = role_routes.filter((r) => !(r.auth.credential_types?.length ?? 0));
+        if (role_only_routes.length > 0) {
             describe('wrong role → 403', () => {
-                for (const route of role_routes) {
-                    const wrong_roles = roles.filter((r) => r !== route.auth.role);
+                for (const route of role_only_routes) {
+                    const required_roles = route.auth.roles ?? [];
+                    const wrong_roles = roles.filter((r) => !required_roles.includes(r));
                     for (const wrong_role of wrong_roles) {
-                        test(`${route.method} ${route.path} (${wrong_role} instead of ${route.auth.role})`, async () => {
+                        test(`${route.method} ${route.path} (${wrong_role} instead of ${required_roles.join('|')})`, async () => {
                             const app = apps.by_role.get(wrong_role);
                             if (!app)
                                 throw new Error(`No test app for role '${wrong_role}'`);
@@ -94,14 +99,14 @@ export const describe_adversarial_auth = (options) => {
                             assert.strictEqual(res.status, 403, `${route.method} ${route.path}`);
                             const body = await res.json();
                             assert.strictEqual(body.error, ERROR_INSUFFICIENT_PERMISSIONS);
-                            assert.strictEqual(body.required_role, route.auth.role);
+                            assert.deepStrictEqual(body.required_roles, required_roles);
                             assert_error_schema_valid(error_schema_lookup, route, 403, body);
                         });
                     }
                 }
             });
             describe('authenticated without role → 403', () => {
-                for (const route of role_routes) {
+                for (const route of role_only_routes) {
                     test(`${route.method} ${route.path}`, async () => {
                         const res = await apps.authed.request(resolve_test_path(route.path), {
                             method: route.method,
@@ -109,7 +114,7 @@ export const describe_adversarial_auth = (options) => {
                         assert.strictEqual(res.status, 403, `${route.method} ${route.path}`);
                         const body = await res.json();
                         assert.strictEqual(body.error, ERROR_INSUFFICIENT_PERMISSIONS);
-                        assert.strictEqual(body.required_role, route.auth.role);
+                        assert.deepStrictEqual(body.required_roles, route.auth.roles ?? []);
                         assert_error_schema_valid(error_schema_lookup, route, 403, body);
                     });
                 }
@@ -126,7 +131,8 @@ export const describe_adversarial_auth = (options) => {
                         });
                         assert.strictEqual(res.status, 403, `${route.method} ${route.path}`);
                         const body = await res.json();
-                        assert.strictEqual(body.error, ERROR_KEEPER_REQUIRES_DAEMON_TOKEN);
+                        assert.strictEqual(body.error, ERROR_CREDENTIAL_TYPE_REQUIRED);
+                        assert.deepStrictEqual(body.required_credential_types, route.auth.credential_types ?? []);
                         assert_error_schema_valid(error_schema_lookup, route, 403, body);
                     });
                 }

package/dist/testing/audit_completeness.d.ts

@@ -15,7 +15,7 @@ export interface AuditCompletenessTestOptions {
     create_route_specs: (ctx: AppServerContext) => Array<RouteSpec>;
     /**
      * RPC endpoint specs — the source `RpcAction` arrays. Required; the
-     * admin permit flow is RPC-only and the suite hard-fails without it.
+     * admin role_grant flow is RPC-only and the suite hard-fails without it.
      *
      * Accepts either an array (eager) or a factory
      * `(ctx: AppServerContext) => Array<RpcEndpointSpec>` — the factory form
@@ -39,7 +39,7 @@ export interface AuditCompletenessTestOptions {
  * database, then queries the `audit_log` table to verify events.
  *
  * @throws Error at setup time when `options.rpc_endpoints` is empty — the
- *   mutation-audit tests drive permit flow, session/token revoke-all, and
+ *   mutation-audit tests drive role_grant flow, session/token revoke-all, and
  *   invite create/delete through their RPC action specs. Hard-fails via
  *   `require_rpc_endpoint_path`.
  */

package/dist/testing/audit_completeness.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"audit_completeness.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/audit_completeness.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAkB7B,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,2BAA2B,CAAC;AAC9D,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,yBAAyB,CAAC;AAC9D,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAIrD,OAAO,EAGN,KAAK,eAAe,EAEpB,MAAM,iBAAiB,CAAC;AACzB,OAAO,EAIN,KAAK,SAAS,EACd,MAAM,SAAS,CAAC;AAKjB,OAAO,EAIN,KAAK,uBAAuB,EAC5B,MAAM,kBAAkB,CAAC;AAsB1B;;GAEG;AACH,MAAM,WAAW,4BAA4B;IAC5C,4CAA4C;IAC5C,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,wDAAwD;IACxD,kBAAkB,EAAE,CAAC,GAAG,EAAE,gBAAgB,KAAK,KAAK,CAAC,SAAS,CAAC,CAAC;IAChE;;;;;;;;;;;OAWG;IACH,aAAa,EAAE,uBAAuB,CAAC;IACvC,iDAAiD;IACjD,WAAW,CAAC,EAAE,eAAe,CAAC;IAC9B,qEAAqE;IACrE,YAAY,CAAC,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;CAChC;AAoDD;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,iCAAiC,GAAI,SAAS,4BAA4B,KAAG,IAyezF,CAAC"}
+{"version":3,"file":"audit_completeness.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/audit_completeness.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAkB7B,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,2BAA2B,CAAC;AAC9D,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,yBAAyB,CAAC;AAC9D,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAIrD,OAAO,EAGN,KAAK,eAAe,EAEpB,MAAM,iBAAiB,CAAC;AACzB,OAAO,EAIN,KAAK,SAAS,EACd,MAAM,SAAS,CAAC;AAKjB,OAAO,EAIN,KAAK,uBAAuB,EAC5B,MAAM,kBAAkB,CAAC;AAqB1B;;GAEG;AACH,MAAM,WAAW,4BAA4B;IAC5C,4CAA4C;IAC5C,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,wDAAwD;IACxD,kBAAkB,EAAE,CAAC,GAAG,EAAE,gBAAgB,KAAK,KAAK,CAAC,SAAS,CAAC,CAAC;IAChE;;;;;;;;;;;OAWG;IACH,aAAa,EAAE,uBAAuB,CAAC;IACvC,iDAAiD;IACjD,WAAW,CAAC,EAAE,eAAe,CAAC;IAC9B,qEAAqE;IACrE,YAAY,CAAC,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;CAChC;AAoDD;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,iCAAiC,GAAI,SAAS,4BAA4B,KAAG,IAkgBzF,CAAC"}

package/dist/testing/audit_completeness.js

@@ -20,12 +20,11 @@ import { create_test_app, } from './app_server.js';
 import { create_pglite_factory, create_describe_db, AUTH_INTEGRATION_TRUNCATE_TABLES, } from './db.js';
 import { find_auth_route } from './integration_helpers.js';
 import { run_migrations } from '../db/migrate.js';
-import { query_accept_offer } from '../auth/permit_offer_queries.js';
+import { query_accept_offer } from '../auth/role_grant_offer_queries.js';
 import { rpc_call_for_spec, require_rpc_endpoint_path, resolve_rpc_endpoints_for_setup, } from './rpc_helpers.js';
-import { permit_offer_create_action_spec, permit_revoke_action_spec, } from '../auth/permit_offer_action_specs.js';
+import { role_grant_offer_create_action_spec, role_grant_revoke_action_spec, } from '../auth/role_grant_offer_action_specs.js';
 import { admin_session_revoke_all_action_spec, admin_token_revoke_all_action_spec, app_settings_update_action_spec, invite_create_action_spec, invite_delete_action_spec, } from '../auth/admin_action_specs.js';
 import { account_session_list_action_spec, account_session_revoke_action_spec, account_session_revoke_all_action_spec, account_token_create_action_spec, account_token_list_action_spec, account_token_revoke_action_spec, } from '../auth/account_action_specs.js';
-import { query_actor_by_account } from '../auth/account_queries.js';
 /** Query audit log events from the database. */
 const query_audit_events = async (db) => {
     return db.query('SELECT event_type, seq FROM audit_log ORDER BY seq');
@@ -64,7 +63,7 @@ const json_session_headers = (test_app, extra) => test_app.create_session_header
  * database, then queries the `audit_log` table to verify events.
  *
  * @throws Error at setup time when `options.rpc_endpoints` is empty — the
- *   mutation-audit tests drive permit flow, session/token revoke-all, and
+ *   mutation-audit tests drive role_grant flow, session/token revoke-all, and
  *   invite create/delete through their RPC action specs. Hard-fails via
  *   `require_rpc_endpoint_path`.
  */
@@ -232,58 +231,73 @@ export const describe_audit_completeness_tests = (options) => {
         });
         // --- Admin routes ---
         describe('admin mutation audit events', () => {
-            test('admin offer (RPC) + accept produces permit_offer_create and permit_grant events', async () => {
+            test('admin offer (RPC) + accept produces role_grant_offer_create and role_grant_create events', async () => {
                 const test_app = await create_test_app(build_options(options, get_db()));
                 const target = await test_app.create_account({ username: 'audit_target' });
                 const offer_res = await rpc_call_for_spec({
                     app: test_app.app,
                     path: rpc_path,
-                    spec: permit_offer_create_action_spec,
+                    spec: role_grant_offer_create_action_spec,
                     params: { to_account_id: target.account.id, role: ROLE_ADMIN },
                     headers: test_app.create_session_headers(),
                 });
-                assert.ok(offer_res.ok, `permit_offer_create failed: ${offer_res.ok ? '' : JSON.stringify(offer_res.error)}`);
+                assert.ok(offer_res.ok, `role_grant_offer_create failed: ${offer_res.ok ? '' : JSON.stringify(offer_res.error)}`);
                 const { offer } = offer_res.result;
-                // Admin offer emits `permit_offer_create` only — the permit doesn't
-                // exist yet. Drive the accept to confirm `permit_grant` fires on the
+                // Admin offer emits `role_grant_offer_create` only — the role_grant doesn't
+                // exist yet. Drive the accept to confirm `role_grant_create` fires on the
                 // downstream consent transition.
                 const events_after_offer = await query_audit_events(test_app.backend.deps.db);
-                assert_has_event(events_after_offer, 'permit_offer_create', 'permit_offer_create RPC');
+                assert_has_event(events_after_offer, 'role_grant_offer_create', 'role_grant_offer_create RPC');
                 await get_db().transaction(async (tx) => {
-                    await query_accept_offer({ db: tx }, { offer_id: offer.id, to_account_id: target.account.id, ip: null });
+                    await query_accept_offer({ db: tx }, {
+                        offer_id: offer.id,
+                        to_account_id: target.account.id,
+                        actor_id: target.actor.id,
+                        ip: null,
+                    });
                 });
                 const events_after_accept = await query_audit_events(test_app.backend.deps.db);
-                assert_has_event(events_after_accept, 'permit_grant', 'offer accept');
+                assert_has_event(events_after_accept, 'role_grant_create', 'offer accept');
             });
-            test('permit revoke (RPC) produces permit_revoke event', async () => {
+            test('role_grant revoke (RPC) produces role_grant_revoke event with both target columns', async () => {
                 const test_app = await create_test_app(build_options(options, get_db()));
                 const target = await test_app.create_account({ username: 'audit_revoke_target' });
-                const target_actor = await query_actor_by_account({ db: get_db() }, target.account.id);
-                assert.ok(target_actor);
-                // Offer + accept to materialize a permit we can revoke.
+                // Offer + accept to materialize a role_grant we can revoke.
                 const offer_res = await rpc_call_for_spec({
                     app: test_app.app,
                     path: rpc_path,
-                    spec: permit_offer_create_action_spec,
+                    spec: role_grant_offer_create_action_spec,
                     params: { to_account_id: target.account.id, role: ROLE_ADMIN },
                     headers: test_app.create_session_headers(),
                 });
-                assert.ok(offer_res.ok, `permit_offer_create failed: ${offer_res.ok ? '' : JSON.stringify(offer_res.error)}`);
+                assert.ok(offer_res.ok, `role_grant_offer_create failed: ${offer_res.ok ? '' : JSON.stringify(offer_res.error)}`);
                 const { offer } = offer_res.result;
                 const accept_result = await get_db().transaction(async (tx) => {
-                    return query_accept_offer({ db: tx }, { offer_id: offer.id, to_account_id: target.account.id, ip: null });
+                    return query_accept_offer({ db: tx }, {
+                        offer_id: offer.id,
+                        to_account_id: target.account.id,
+                        actor_id: target.actor.id,
+                        ip: null,
+                    });
                 });
                 // Revoke via RPC.
                 const revoke_res = await rpc_call_for_spec({
                     app: test_app.app,
                     path: rpc_path,
-                    spec: permit_revoke_action_spec,
-                    params: { actor_id: target_actor.id, permit_id: accept_result.permit.id },
+                    spec: role_grant_revoke_action_spec,
+                    params: { actor_id: target.actor.id, role_grant_id: accept_result.role_grant.id },
                     headers: test_app.create_session_headers(),
                 });
-                assert.ok(revoke_res.ok, `permit_revoke failed: ${revoke_res.ok ? '' : JSON.stringify(revoke_res.error)}`);
+                assert.ok(revoke_res.ok, `role_grant_revoke failed: ${revoke_res.ok ? '' : JSON.stringify(revoke_res.error)}`);
                 const events = await query_audit_events(test_app.backend.deps.db);
-                assert_has_event(events, 'permit_revoke', 'permit_revoke RPC');
+                assert_has_event(events, 'role_grant_revoke', 'role_grant_revoke RPC');
+                // Audit envelope must populate both target columns —
+                // `role_grant_revoke` is the canonical actor-bound-subject event.
+                const revoke_rows = await test_app.backend.deps.db.query(`SELECT target_account_id, target_actor_id FROM audit_log
+					 WHERE event_type = 'role_grant_revoke' ORDER BY seq DESC LIMIT 1`);
+                const row = revoke_rows[0];
+                assert.strictEqual(row.target_account_id, target.account.id);
+                assert.strictEqual(row.target_actor_id, target.actor.id);
             });
             test('admin session revoke-all produces session_revoke_all event', async () => {
                 const test_app = await create_test_app(build_options(options, get_db()));
@@ -402,9 +416,9 @@ export const describe_audit_completeness_tests = (options) => {
                 'token_create',
                 'token_revoke',
                 'token_revoke_all',
-                'permit_offer_create',
-                'permit_grant',
-                'permit_revoke',
+                'role_grant_offer_create',
+                'role_grant_create',
+                'role_grant_revoke',
                 'invite_create',
                 'invite_delete',
                 'app_settings_update',
@@ -412,20 +426,20 @@ export const describe_audit_completeness_tests = (options) => {
             /** Event types excluded with justification. */
             const EXCLUDED_EVENT_TYPES = new Set([
                 'bootstrap', // requires filesystem token — tested in bootstrap_account.db.test.ts
-                // The remaining `permit_offer_*` events fire only via the RPC
-                // endpoint or via downstream effects of `permit_revoke`. Direct
-                // coverage lives in `permit_offer_queries.db.test.ts`,
-                // `permit_offer_actions.db.test.ts`,
-                // `permit_offer_actions.notifications.db.test.ts`, and
-                // `permit_offer_actions.notifications.revoke.db.test.ts`.
-                // `permit_offer_expire` fires from the cleanup sweep
-                // (`cleanup_expired_permit_offers` in `auth/cleanup.ts`) —
+                // The remaining `role_grant_offer_*` events fire only via the RPC
+                // endpoint or via downstream effects of `role_grant_revoke`. Direct
+                // coverage lives in `role_grant_offer_queries.db.test.ts`,
+                // `role_grant_offer_actions.db.test.ts`,
+                // `role_grant_offer_actions.notifications.db.test.ts`, and
+                // `role_grant_offer_actions.notifications.revoke.db.test.ts`.
+                // `role_grant_offer_expire` fires from the cleanup sweep
+                // (`cleanup_expired_role_grant_offers` in `auth/cleanup.ts`) —
                 // covered in `cleanup.db.test.ts`.
-                'permit_offer_accept',
-                'permit_offer_decline',
-                'permit_offer_retract',
-                'permit_offer_expire',
-                'permit_offer_supersede',
+                'role_grant_offer_accept',
+                'role_grant_offer_decline',
+                'role_grant_offer_retract',
+                'role_grant_offer_expire',
+                'role_grant_offer_supersede',
             ]);
             test('all audit event types are covered or explicitly excluded', () => {
                 const all_covered = new Set([...COVERED_EVENT_TYPES, ...EXCLUDED_EVENT_TYPES]);

package/dist/testing/auth_apps.d.ts

@@ -8,11 +8,12 @@ import './assert_dev_env.js';
  * @module
  */
 import { Hono } from 'hono';
-import { type RouteSpec, type RouteAuth } from '../http/route_spec.js';
+import { type RouteSpec } from '../http/route_spec.js';
+import { type RouteAuth } from '../http/auth_shape.js';
 import { type RequestContext } from '../auth/request_context.js';
 import { type CredentialType } from '../hono_context.js';
 /**
- * Create a mock `RequestContext` with optional role permit.
+ * Create a mock `RequestContext` with optional role role_grant.
  */
 export declare const create_test_request_context: (role?: string) => RequestContext;
 /**
@@ -40,8 +41,8 @@ export declare const create_auth_test_apps: (route_specs: Array<RouteSpec>, role
 /**
  * Select the Hono test app with correct auth for a route.
  *
- * @throws Error if `auth.type === 'role'` and `auth.role` is not present in
- *   `apps.by_role` — surfaces a missing entry in the `roles` array passed to
+ * @throws Error if `auth.roles` names a role not present in `apps.by_role` —
+ *   surfaces a missing entry in the `roles` array passed to
  *   `create_auth_test_apps`.
  */
 export declare const select_auth_app: (apps: AuthTestApps, auth: RouteAuth) => Hono;

package/dist/testing/auth_apps.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"auth_apps.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/auth_apps.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAE7B;;;;;;;GAOG;AAEH,OAAO,EAAC,IAAI,EAAC,MAAM,MAAM,CAAC;AAG1B,OAAO,EAAoB,KAAK,SAAS,EAAE,KAAK,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAExF,OAAO,EAAsB,KAAK,cAAc,EAAC,MAAM,4BAA4B,CAAC;AACpF,OAAO,EAAsB,KAAK,cAAc,EAAC,MAAM,oBAAoB,CAAC;AAI5E;;GAEG;AACH,eAAO,MAAM,2BAA2B,GAAI,OAAO,MAAM,KAAG,cAI1D,CAAC;AAEH;;;;;;GAMG;AACH,eAAO,MAAM,0BAA0B,GACtC,aAAa,KAAK,CAAC,SAAS,CAAC,EAC7B,WAAW,cAAc,EACzB,kBAAkB,cAAc,KAC9B,IAkBF,CAAC;AAEF,sFAAsF;AACtF,MAAM,WAAW,YAAY;IAC5B,MAAM,EAAE,IAAI,CAAC;IACb,MAAM,EAAE,IAAI,CAAC;IACb,MAAM,EAAE,IAAI,CAAC;IACb,OAAO,EAAE,GAAG,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;CAC3B;AAED;;;;;GAKG;AACH,eAAO,MAAM,qBAAqB,GACjC,aAAa,KAAK,CAAC,SAAS,CAAC,EAC7B,OAAO,KAAK,CAAC,MAAM,CAAC,KAClB,YAeF,CAAC;AAEF;;;;;;GAMG;AACH,eAAO,MAAM,eAAe,GAAI,MAAM,YAAY,EAAE,MAAM,SAAS,KAAG,IAcrE,CAAC;AAEF,6EAA6E;AAC7E,eAAO,MAAM,iBAAiB,GAAI,MAAM,MAAM,KAAG,MAA4C,CAAC"}
+{"version":3,"file":"auth_apps.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/auth_apps.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAE7B;;;;;;;GAOG;AAEH,OAAO,EAAC,IAAI,EAAC,MAAM,MAAM,CAAC;AAG1B,OAAO,EAAoB,KAAK,SAAS,EAAC,MAAM,uBAAuB,CAAC;AACxE,OAAO,EAAiB,KAAK,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAErE,OAAO,EAGN,KAAK,cAAc,EACnB,MAAM,4BAA4B,CAAC;AACpC,OAAO,EAIN,KAAK,cAAc,EACnB,MAAM,oBAAoB,CAAC;AAI5B;;GAEG;AACH,eAAO,MAAM,2BAA2B,GAAI,OAAO,MAAM,KAAG,cAI1D,CAAC;AAEH;;;;;;GAMG;AACH,eAAO,MAAM,0BAA0B,GACtC,aAAa,KAAK,CAAC,SAAS,CAAC,EAC7B,WAAW,cAAc,EACzB,kBAAkB,cAAc,KAC9B,IAuBF,CAAC;AAEF,sFAAsF;AACtF,MAAM,WAAW,YAAY;IAC5B,MAAM,EAAE,IAAI,CAAC;IACb,MAAM,EAAE,IAAI,CAAC;IACb,MAAM,EAAE,IAAI,CAAC;IACb,OAAO,EAAE,GAAG,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;CAC3B;AAED;;;;;GAKG;AACH,eAAO,MAAM,qBAAqB,GACjC,aAAa,KAAK,CAAC,SAAS,CAAC,EAC7B,OAAO,KAAK,CAAC,MAAM,CAAC,KAClB,YAeF,CAAC;AAEF;;;;;;GAMG;AACH,eAAO,MAAM,eAAe,GAAI,MAAM,YAAY,EAAE,MAAM,SAAS,KAAG,IAarE,CAAC;AAEF,6EAA6E;AAC7E,eAAO,MAAM,iBAAiB,GAAI,MAAM,MAAM,KAAG,MAA4C,CAAC"}

package/dist/testing/auth_apps.js

@@ -10,18 +10,19 @@ import './assert_dev_env.js';
 import { Hono } from 'hono';
 import { Logger } from '@fuzdev/fuz_util/log.js';
 import { apply_route_specs } from '../http/route_spec.js';
-import { fuz_auth_guard_resolver } from '../auth/route_guards.js';
-import { REQUEST_CONTEXT_KEY } from '../auth/request_context.js';
-import { CREDENTIAL_TYPE_KEY } from '../hono_context.js';
+import { is_public_auth } from '../http/auth_shape.js';
+import { fuz_auth_guard_resolver } from '../auth/auth_guard_resolver.js';
+import { REQUEST_CONTEXT_KEY, create_fuz_authorization_handler, } from '../auth/request_context.js';
+import { ACCOUNT_ID_KEY, CREDENTIAL_TYPE_KEY, TEST_CONTEXT_PRESET_KEY, } from '../hono_context.js';
 import { create_stub_db } from './stubs.js';
-import { create_test_account, create_test_actor, create_test_permit } from './entities.js';
+import { create_test_account, create_test_actor, create_test_role_grant } from './entities.js';
 /**
- * Create a mock `RequestContext` with optional role permit.
+ * Create a mock `RequestContext` with optional role role_grant.
  */
 export const create_test_request_context = (role) => ({
     account: create_test_account({ id: 'acc_1', username: 'testuser' }),
     actor: create_test_actor({ id: 'act_1', account_id: 'acc_1', name: 'testuser' }),
-    permits: role ? [create_test_permit({ id: 'perm_1', actor_id: 'act_1', role })] : [],
+    role_grants: role ? [create_test_role_grant({ id: 'perm_1', actor_id: 'act_1', role })] : [],
 });
 /**
  * Create a Hono test app from route specs with optional auth context.
@@ -32,15 +33,19 @@ export const create_test_request_context = (role) => ({
  */
 export const create_test_app_from_specs = (route_specs, auth_ctx, credential_type) => {
     const app = new Hono();
+    const db = create_stub_db();
     app.use('/*', async (c, next) => {
         c.set('pending_effects', []);
+        c.set('post_commit_effects', []);
         if (auth_ctx) {
+            c.set(ACCOUNT_ID_KEY, auth_ctx.account.id);
             c.set(REQUEST_CONTEXT_KEY, auth_ctx);
             c.set(CREDENTIAL_TYPE_KEY, credential_type ?? 'session');
+            c.set(TEST_CONTEXT_PRESET_KEY, true);
         }
         await next();
     });
-    apply_route_specs(app, route_specs, fuz_auth_guard_resolver, new Logger('test', { level: 'off' }), create_stub_db());
+    apply_route_specs(app, route_specs, fuz_auth_guard_resolver, new Logger('test', { level: 'off' }), db, create_fuz_authorization_handler({ db }));
     return app;
 };
 /**
@@ -64,25 +69,26 @@ export const create_auth_test_apps = (route_specs, roles) => {
 /**
  * Select the Hono test app with correct auth for a route.
  *
- * @throws Error if `auth.type === 'role'` and `auth.role` is not present in
- *   `apps.by_role` — surfaces a missing entry in the `roles` array passed to
+ * @throws Error if `auth.roles` names a role not present in `apps.by_role` —
+ *   surfaces a missing entry in the `roles` array passed to
  *   `create_auth_test_apps`.
  */
 export const select_auth_app = (apps, auth) => {
-    switch (auth.type) {
-        case 'none':
-            return apps.public;
-        case 'authenticated':
-            return apps.authed;
-        case 'keeper':
-            return apps.keeper;
-        case 'role': {
-            const app = apps.by_role.get(auth.role);
-            if (!app)
-                throw new Error(`No test app for role '${auth.role}' — is it in the roles array?`);
-            return app;
-        }
+    if (is_public_auth(auth))
+        return apps.public;
+    if (auth.credential_types?.includes('daemon_token'))
+        return apps.keeper;
+    if (auth.roles?.length) {
+        // Multi-role disjunction: any of the named roles admits the caller.
+        // Tests pick the first role's app; consumers wanting per-role coverage
+        // should hit each role's app explicitly.
+        const role = auth.roles[0];
+        const app = apps.by_role.get(role);
+        if (!app)
+            throw new Error(`No test app for role '${role}' — is it in the roles array?`);
+        return app;
     }
+    return apps.authed;
 };
 /** Replace Hono route params (`:foo`) with dummy values for HTTP testing. */
 export const resolve_test_path = (path) => path.replace(/:(\w+)/g, 'test_$1');

package/dist/testing/data_exposure.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"data_exposure.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/data_exposure.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAgB7B,OAAO,KAAK,EAAC,UAAU,EAAE,cAAc,EAAC,MAAM,oBAAoB,CAAC;AACnE,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,uBAAuB,CAAC;AACrD,OAAO,KAAK,EAAC,gBAAgB,EAAE,gBAAgB,EAAC,MAAM,yBAAyB,CAAC;AAChF,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,2BAA2B,CAAC;AAG9D,OAAO,EAAwB,KAAK,SAAS,EAAC,MAAM,SAAS,CAAC;AAe9D;;;;;GAKG;AACH,eAAO,MAAM,kCAAkC,GAAI,QAAQ,OAAO,KAAG,GAAG,CAAC,MAAM,CAuB9E,CAAC;AAIF;;GAEG;AACH,eAAO,MAAM,yCAAyC,GACrD,SAAS,UAAU,EACnB,mBAAkB,aAAa,CAAC,MAAM,CAA6B,KACjE,IAWF,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,wCAAwC,GACpD,SAAS,UAAU,EACnB,oBAAmB,aAAa,CAAC,MAAM,CAA8B,KACnE,IAcF,CAAC;AAIF,kDAAkD;AAClD,MAAM,WAAW,uBAAuB;IACvC,4DAA4D;IAC5D,KAAK,EAAE,MAAM,cAAc,CAAC;IAC5B,wCAAwC;IACxC,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,4CAA4C;IAC5C,kBAAkB,EAAE,CAAC,GAAG,EAAE,gBAAgB,KAAK,KAAK,CAAC,SAAS,CAAC,CAAC;IAChE,2FAA2F;IAC3F,gBAAgB,CAAC,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IACzC,iGAAiG;IACjG,iBAAiB,CAAC,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IAC1C,iDAAiD;IACjD,WAAW,CAAC,EAAE,OAAO,CACpB,IAAI,CAAC,gBAAgB,EAAE,SAAS,GAAG,iBAAiB,GAAG,oBAAoB,CAAC,CAC5E,CAAC;IACF,qEAAqE;IACrE,YAAY,CAAC,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;IAChC,kDAAkD;IAClD,WAAW,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;CAC5B;AAED;;;;;;;;GAQG;AACH,eAAO,MAAM,4BAA4B,GAAI,SAAS,uBAAuB,KAAG,IAmC/E,CAAC"}
+{"version":3,"file":"data_exposure.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/data_exposure.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAgB7B,OAAO,KAAK,EAAC,UAAU,EAAE,cAAc,EAAC,MAAM,oBAAoB,CAAC;AACnE,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,uBAAuB,CAAC;AACrD,OAAO,KAAK,EAAC,gBAAgB,EAAE,gBAAgB,EAAC,MAAM,yBAAyB,CAAC;AAChF,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,2BAA2B,CAAC;AAG9D,OAAO,EAAwB,KAAK,SAAS,EAAC,MAAM,SAAS,CAAC;AAgB9D;;;;;GAKG;AACH,eAAO,MAAM,kCAAkC,GAAI,QAAQ,OAAO,KAAG,GAAG,CAAC,MAAM,CAuB9E,CAAC;AAIF;;GAEG;AACH,eAAO,MAAM,yCAAyC,GACrD,SAAS,UAAU,EACnB,mBAAkB,aAAa,CAAC,MAAM,CAA6B,KACjE,IAWF,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,wCAAwC,GACpD,SAAS,UAAU,EACnB,oBAAmB,aAAa,CAAC,MAAM,CAA8B,KACnE,IAcF,CAAC;AAIF,kDAAkD;AAClD,MAAM,WAAW,uBAAuB;IACvC,4DAA4D;IAC5D,KAAK,EAAE,MAAM,cAAc,CAAC;IAC5B,wCAAwC;IACxC,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,4CAA4C;IAC5C,kBAAkB,EAAE,CAAC,GAAG,EAAE,gBAAgB,KAAK,KAAK,CAAC,SAAS,CAAC,CAAC;IAChE,2FAA2F;IAC3F,gBAAgB,CAAC,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IACzC,iGAAiG;IACjG,iBAAiB,CAAC,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IAC1C,iDAAiD;IACjD,WAAW,CAAC,EAAE,OAAO,CACpB,IAAI,CAAC,gBAAgB,EAAE,SAAS,GAAG,iBAAiB,GAAG,oBAAoB,CAAC,CAC5E,CAAC;IACF,qEAAqE;IACrE,YAAY,CAAC,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;IAChC,kDAAkD;IAClD,WAAW,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;CAC5B;AAED;;;;;;;;GAQG;AACH,eAAO,MAAM,4BAA4B,GAAI,SAAS,uBAAuB,KAAG,IAmC/E,CAAC"}

package/dist/testing/data_exposure.js

@@ -18,6 +18,7 @@ import { resolve_valid_path, generate_valid_body } from './schema_generators.js'
 import { run_migrations } from '../db/migrate.js';
 import { AUTH_MIGRATION_NS } from '../auth/migrations.js';
 import { is_null_schema, is_strict_object_schema } from '../http/schema_helpers.js';
+import { is_keeper_auth, is_public_auth } from '../http/auth_shape.js';
 import { SENSITIVE_FIELD_BLOCKLIST, ADMIN_ONLY_FIELD_BLOCKLIST, assert_no_sensitive_fields_in_json, pick_auth_headers, } from './integration_helpers.js';
 // --- Schema introspection ---
 /**
@@ -71,7 +72,7 @@ export const assert_output_schemas_no_sensitive_fields = (surface, sensitive_fie
  * Assert that non-admin route output schemas don't contain admin-only fields.
  */
 export const assert_non_admin_schemas_no_admin_fields = (surface, admin_only_fields = ADMIN_ONLY_FIELD_BLOCKLIST) => {
-    const non_admin = surface.routes.filter((r) => r.auth.type !== 'keeper' && !(r.auth.type === 'role' && r.auth.role === 'admin'));
+    const non_admin = surface.routes.filter((r) => !is_keeper_auth(r.auth) && !(r.auth.roles?.includes('admin') ?? false));
     for (const route of non_admin) {
         if (route.output_schema === null)
             continue;
@@ -154,7 +155,7 @@ const describe_data_exposure_runtime_tests = (options) => {
             // Tests that don't fire authenticated requests run first — they don't
             // invalidate sessions and are independent of test order.
             test('unauthenticated error responses contain no sensitive fields', async () => {
-                const protected_specs = test_app.route_specs.filter((s) => s.auth.type !== 'none');
+                const protected_specs = test_app.route_specs.filter((s) => !is_public_auth(s.auth));
                 for (const spec of protected_specs) {
                     const route_key = `${spec.method} ${spec.path}`;
                     if (skip_set.has(route_key))
@@ -181,7 +182,7 @@ const describe_data_exposure_runtime_tests = (options) => {
             // Cross-privilege test runs before 2xx tests — admin routes reject
             // without calling handlers, so sessions stay intact.
             test('admin routes return 403 for non-admin user', async () => {
-                const admin_specs = test_app.route_specs.filter((s) => s.auth.type === 'role' && s.auth.role === 'admin');
+                const admin_specs = test_app.route_specs.filter((s) => s.auth.roles?.includes('admin') ?? false);
                 for (const spec of admin_specs) {
                     const route_key = `${spec.method} ${spec.path}`;
                     if (skip_set.has(route_key))
@@ -221,8 +222,7 @@ const describe_data_exposure_runtime_tests = (options) => {
                     if (skip_set.has(route_key))
                         continue;
                     // keeper auth (daemon token) is strictly more privileged than admin
-                    const is_elevated = spec.auth.type === 'keeper' ||
-                        (spec.auth.type === 'role' && spec.auth.role === 'admin');
+                    const is_elevated = is_keeper_auth(spec.auth) || (spec.auth.roles?.includes('admin') ?? false);
                     const url = resolve_valid_path(spec.path, spec.params);
                     const body = generate_valid_body(spec.input);
                     const headers = pick_auth_headers(spec, test_app, authed_account, admin_account);

package/dist/testing/db.d.ts

@@ -79,7 +79,7 @@ export declare const AUTH_INTEGRATION_TRUNCATE_TABLES: string[];
  *
  * When adding tables to `AUTH_MIGRATIONS`, add them here too.
  */
-export declare const AUTH_DROP_TABLES: readonly ["app_settings", "invite", "audit_log", "api_token", "auth_session", "permit", "permit_offer", "actor", "account", "bootstrap_lock"];
+export declare const AUTH_DROP_TABLES: readonly ["app_settings", "invite", "audit_log", "api_token", "auth_session", "role_grant", "role_grant_offer", "actor", "account", "bootstrap_lock"];
 /**
  * Drop all auth tables and schema version tracking for a clean slate.
  *

package/dist/testing/db.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"db.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/db.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AA6B7B,OAAO,KAAK,EAAC,EAAE,EAAC,MAAM,aAAa,CAAC;AAKpC;;GAEG;AACH,eAAO,MAAM,KAAK,SAA4B,CAAC;AAE/C;;GAEG;AACH,MAAM,WAAW,SAAS;IACzB,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,OAAO,CAAC,EAAE,CAAC,CAAC;IAC1B,KAAK,EAAE,CAAC,EAAE,EAAE,EAAE,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IACjC,IAAI,EAAE,OAAO,CAAC;IACd,WAAW,CAAC,EAAE,MAAM,CAAC;CACrB;AAED;;;;;;;;GAQG;AACH,eAAO,MAAM,YAAY,GAAU,IAAI,EAAE,KAAG,OAAO,CAAC,IAAI,CAGvD,CAAC;AAMF;;;;;;;;;;GAUG;AACH,eAAO,MAAM,qBAAqB,GAAI,aAAa,CAAC,EAAE,EAAE,EAAE,KAAK,OAAO,CAAC,IAAI,CAAC,KAAG,SAkB7E,CAAC;AAEH;;;;;;;;;;;;;;;;;;GAkBG;AACH,eAAO,MAAM,iBAAiB,GAC7B,aAAa,CAAC,EAAE,EAAE,EAAE,KAAK,OAAO,CAAC,IAAI,CAAC,EACtC,WAAW,MAAM,KACf,SA2DF,CAAC;AAEF;;;;GAIG;AACH,eAAO,MAAM,oBAAoB,UAQhC,CAAC;AAEF;;;;;;GAMG;AACH,eAAO,MAAM,gCAAgC,UAAyC,CAAC;AAEvF;;;;;;;;GAQG;AACH,eAAO,MAAM,gBAAgB,+IAWnB,CAAC;AAEX;;;;;;;;;;GAUG;AACH,eAAO,MAAM,gBAAgB,GAAU,IAAI,EAAE,KAAG,OAAO,CAAC,IAAI,CAK3D,CAAC;AAEF;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,kBAAkB,GAC9B,WAAW,SAAS,GAAG,KAAK,CAAC,SAAS,CAAC,EACvC,iBAAiB,KAAK,CAAC,MAAM,CAAC,KAC5B,CAAC,CAAC,IAAI,EAAE,MAAM,EAAE,EAAE,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,IAAI,KAAK,IAAI,CAwBzD,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,qBAAqB,GAAI,WAAW,KAAK,CAAC,SAAS,CAAC,KAAG,IAMnE,CAAC"}
+{"version":3,"file":"db.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/db.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AA6B7B,OAAO,KAAK,EAAC,EAAE,EAAC,MAAM,aAAa,CAAC;AAKpC;;GAEG;AACH,eAAO,MAAM,KAAK,SAA4B,CAAC;AAE/C;;GAEG;AACH,MAAM,WAAW,SAAS;IACzB,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,OAAO,CAAC,EAAE,CAAC,CAAC;IAC1B,KAAK,EAAE,CAAC,EAAE,EAAE,EAAE,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IACjC,IAAI,EAAE,OAAO,CAAC;IACd,WAAW,CAAC,EAAE,MAAM,CAAC;CACrB;AAED;;;;;;;;GAQG;AACH,eAAO,MAAM,YAAY,GAAU,IAAI,EAAE,KAAG,OAAO,CAAC,IAAI,CAGvD,CAAC;AAMF;;;;;;;;;;GAUG;AACH,eAAO,MAAM,qBAAqB,GAAI,aAAa,CAAC,EAAE,EAAE,EAAE,KAAK,OAAO,CAAC,IAAI,CAAC,KAAG,SAkB7E,CAAC;AAEH;;;;;;;;;;;;;;;;;;GAkBG;AACH,eAAO,MAAM,iBAAiB,GAC7B,aAAa,CAAC,EAAE,EAAE,EAAE,KAAK,OAAO,CAAC,IAAI,CAAC,EACtC,WAAW,MAAM,KACf,SA2DF,CAAC;AAEF;;;;GAIG;AACH,eAAO,MAAM,oBAAoB,UAQhC,CAAC;AAEF;;;;;;GAMG;AACH,eAAO,MAAM,gCAAgC,UAAyC,CAAC;AAEvF;;;;;;;;GAQG;AACH,eAAO,MAAM,gBAAgB,uJAWnB,CAAC;AAEX;;;;;;;;;;GAUG;AACH,eAAO,MAAM,gBAAgB,GAAU,IAAI,EAAE,KAAG,OAAO,CAAC,IAAI,CAK3D,CAAC;AAEF;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,kBAAkB,GAC9B,WAAW,SAAS,GAAG,KAAK,CAAC,SAAS,CAAC,EACvC,iBAAiB,KAAK,CAAC,MAAM,CAAC,KAC5B,CAAC,CAAC,IAAI,EAAE,MAAM,EAAE,EAAE,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,IAAI,KAAK,IAAI,CAwBzD,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,qBAAqB,GAAI,WAAW,KAAK,CAAC,SAAS,CAAC,KAAG,IAMnE,CAAC"}