@fuzdev/fuz_app 0.54.0 → 0.56.0

package/dist/auth/permit_offer_actions.js

@@ -1,452 +0,0 @@
-/**
- * Permit offer RPC action handlers — the consentful-permits action surface.
- *
- * Seven actions: six offer-lifecycle methods (create / accept / decline /
- * retract / list / history) plus `permit_revoke` (admin-only). All mount
- * on a consumer's JSON-RPC endpoint via `create_rpc_endpoint`. The action
- * specs themselves live in `auth/permit_offer_action_specs.ts`. Mutations
- * declare `side_effects: true` so the RPC dispatcher wraps the handler in
- * a DB transaction; `permit_offer_list` and `permit_offer_history` declare
- * `side_effects: false` so they are addressable via GET.
- *
- * Authorization:
- * - `permit_offer_create` — the grantor must hold an active permit for the
- *   role being offered, and that role must be `web_grantable`. Consumers
- *   needing a richer policy (e.g., "teacher may offer student in *their*
- *   classroom") pass an `authorize` callback that overrides the default.
- * - `permit_offer_accept` / `permit_offer_decline` — keyed to the caller's
- *   account; `query_*` helpers enforce the IDOR guard.
- * - `permit_offer_retract` — keyed to the caller's actor.
- * - `permit_offer_list` / `permit_offer_history` — self by default;
- *   `{account_id}` is admin-only.
- * - `permit_revoke` — spec-level `auth: {role: 'admin'}`; the RPC
- *   dispatcher rejects non-admin callers before the handler runs.
- *   `web_grantable` gate prevents revoking keeper/daemon-scoped roles
- *   via this surface. Keys on `actor_id` to survive multi-actor accounts.
- *
- * Audit events are emitted in-transaction by the query layer (atomic with
- * the permit write on accept/revoke) or by the handler via
- * `audit_log_fire_and_forget` for single-event lifecycle transitions.
- * `on_audit_event` (SSE broadcast) fires post-commit in both paths.
- *
- * WS notifications fan out post-commit via `emit_after_commit` when a
- * `notification_sender` is wired: offer lifecycle transitions notify the
- * counterparty, `permit_revoke` notifies the revokee plus each superseded
- * pending offer's grantor.
- *
- * @module
- */
-import { rpc_action } from '../actions/action_rpc.js';
-import { jsonrpc_errors } from '../http/jsonrpc_errors.js';
-import { emit_after_commit } from '../http/pending_effects.js';
-import { BUILTIN_ROLE_OPTIONS, ROLE_ADMIN } from './role_schema.js';
-import { PERMIT_OFFER_DEFAULT_TTL_MS, to_permit_offer_json } from './permit_offer_schema.js';
-import { query_permit_offer_create, query_permit_offer_decline, query_permit_offer_retract, query_permit_offer_list, query_permit_offer_history_for_account, query_accept_offer, PermitOfferAlreadyTerminalError, PermitOfferExpiredError, PermitOfferNotFoundError, PermitOfferSelfTargetError, } from './permit_offer_queries.js';
-import { query_permit_find_active_role_for_actor, query_revoke_permit } from './permit_queries.js';
-import { query_actor_by_id } from './account_queries.js';
-import { audit_log_fire_and_forget } from './audit_log_queries.js';
-import { has_role, has_scoped_role } from './request_context.js';
-import { build_permit_offer_accepted_notification, build_permit_offer_declined_notification, build_permit_offer_received_notification, build_permit_offer_retracted_notification, build_permit_offer_supersede_notification, build_permit_revoke_notification, } from './permit_offer_notifications.js';
-import { ERROR_ACCOUNT_NOT_FOUND, ERROR_PERMIT_NOT_FOUND, ERROR_ROLE_NOT_WEB_GRANTABLE, } from '../http/error_schemas.js';
-import { ERROR_OFFER_EXPIRED, ERROR_OFFER_NOT_AUTHORIZED, ERROR_OFFER_NOT_FOUND, ERROR_OFFER_ROLE_NOT_GRANTABLE, ERROR_OFFER_SELF_TARGET, ERROR_OFFER_TERMINAL, permit_offer_create_action_spec, permit_offer_accept_action_spec, permit_offer_decline_action_spec, permit_offer_retract_action_spec, permit_offer_list_action_spec, permit_offer_history_action_spec, permit_revoke_action_spec, } from './permit_offer_action_specs.js';
-// -- Helpers ----------------------------------------------------------------
-/** Fire `on_audit_event` for each event — used by accept, whose events were written in-transaction. */
-const fan_out_audit_events = (events, on_audit_event, log) => {
-    for (const event of events) {
-        try {
-            on_audit_event(event);
-        }
-        catch (err) {
-            log.error('on_audit_event callback failed:', err);
-        }
-    }
-};
-// eslint-disable-next-line @typescript-eslint/require-await
-const default_authorize = async (auth, input, _deps, _ctx) => {
-    // Caller must hold an active permit for the offered role. Global (no scope)
-    // check — the scope-aware "only in this classroom" policy is consumer-level.
-    // Reads from the in-memory `auth.permits` snapshot loaded once per request
-    // by `create_request_context_middleware`; no DB roundtrip needed.
-    return has_scoped_role(auth, input.role, null);
-};
-/**
- * Authorization callback that admits any admin and otherwise falls back to
- * the symmetric default (caller must hold the offered role globally).
- *
- * The `web_grantable` filter in `create_handler` runs **before** the
- * `authorize` callback, so this never sees non-web-grantable roles. Drop
- * into `create_permit_offer_actions({authorize: authorize_admin_or_holder})`
- * (or any factory that forwards `authorize`, e.g. `create_standard_rpc_actions`)
- * for the common "admins offer anything; users offer what they hold"
- * pattern. Scope-aware policies (e.g. classroom_teacher offering
- * classroom_student in their own scope) wrap this and short-circuit `true`
- * before delegating.
- */
-export const authorize_admin_or_holder = async (auth, input, _deps, _ctx) => {
-    if (has_role(auth, ROLE_ADMIN))
-        return true;
-    return has_scoped_role(auth, input.role, null);
-};
-/**
- * Narrow `ctx.auth` to non-null. The RPC dispatcher has already enforced
- * `auth: 'authenticated'` before the handler runs — this is a type narrow,
- * not a runtime check that would otherwise fail.
- */
-const require_request_auth = (auth) => {
-    if (!auth)
-        throw new Error('unreachable: action auth guard did not enforce authentication');
-    return auth;
-};
-/**
- * Create the seven permit-offer RPC actions (six offer-lifecycle methods
- * plus `permit_revoke`).
- *
- * @param deps - `PermitOfferActionDeps` — `log`, `on_audit_event`, optional `audit_log_config` (slice of `AppDeps`); optional `notification_sender` for WS fan-out
- * @param options - role schema, default TTL, authorization override
- * @returns the `RpcAction` array to spread into a `create_rpc_endpoint` call
- */
-export const create_permit_offer_actions = (deps, options = {}) => {
-    const { on_audit_event, log, notification_sender = null } = deps;
-    const role_options = options.roles?.role_options ?? BUILTIN_ROLE_OPTIONS;
-    const default_ttl_ms = options.default_ttl_ms ?? PERMIT_OFFER_DEFAULT_TTL_MS;
-    const authorize = options.authorize ?? default_authorize;
-    // Three denial paths (web_grantable, authorize, self-target) all emit the
-    // same failure-outcome audit event. Local closure over `log` + `on_audit_event`.
-    const emit_create_failure_audit = (ctx, auth, input) => {
-        void audit_log_fire_and_forget(ctx, {
-            event_type: 'permit_offer_create',
-            outcome: 'failure',
-            actor_id: auth.actor.id,
-            account_id: auth.account.id,
-            target_account_id: input.to_account_id,
-            ip: ctx.client_ip,
-            metadata: {
-                role: input.role,
-                scope_id: input.scope_id ?? null,
-                to_account_id: input.to_account_id,
-            },
-        }, deps);
-    };
-    // Returns {offer} only — no auto-accept. Recipient must call
-    // permit_offer_accept; admin tests materialize permits via
-    // query_accept_offer (see testing/admin_integration.ts `offer_and_accept`).
-    const create_handler = async (input, ctx) => {
-        const auth = require_request_auth(ctx.auth);
-        // Role must be web_grantable — same gate as admin direct-grant.
-        const rc = role_options.get(input.role);
-        if (!rc?.web_grantable) {
-            emit_create_failure_audit(ctx, auth, input);
-            throw jsonrpc_errors.forbidden('role not grantable', {
-                reason: ERROR_OFFER_ROLE_NOT_GRANTABLE,
-            });
-        }
-        const authorized = await authorize(auth, {
-            to_account_id: input.to_account_id,
-            role: input.role,
-            scope_id: input.scope_id ?? null,
-        }, { log }, ctx);
-        if (!authorized) {
-            emit_create_failure_audit(ctx, auth, input);
-            throw jsonrpc_errors.forbidden('not authorized to offer this role', {
-                reason: ERROR_OFFER_NOT_AUTHORIZED,
-            });
-        }
-        let offer;
-        try {
-            offer = await query_permit_offer_create(ctx, {
-                from_actor_id: auth.actor.id,
-                to_account_id: input.to_account_id,
-                role: input.role,
-                scope_id: input.scope_id ?? null,
-                message: input.message ?? null,
-                expires_at: new Date(Date.now() + default_ttl_ms),
-            });
-        }
-        catch (err) {
-            if (err instanceof PermitOfferSelfTargetError) {
-                emit_create_failure_audit(ctx, auth, input);
-                throw jsonrpc_errors.invalid_params('cannot offer to self', {
-                    reason: ERROR_OFFER_SELF_TARGET,
-                });
-            }
-            throw err;
-        }
-        void audit_log_fire_and_forget(ctx, {
-            event_type: 'permit_offer_create',
-            actor_id: auth.actor.id,
-            account_id: auth.account.id,
-            target_account_id: input.to_account_id,
-            ip: ctx.client_ip,
-            metadata: {
-                offer_id: offer.id,
-                role: offer.role,
-                scope_id: offer.scope_id,
-                to_account_id: offer.to_account_id,
-            },
-        }, deps);
-        const offer_json = to_permit_offer_json(offer);
-        if (notification_sender) {
-            emit_after_commit(ctx, () => {
-                notification_sender.send_to_account(offer.to_account_id, build_permit_offer_received_notification({ offer: offer_json }));
-            });
-        }
-        return { offer: offer_json };
-    };
-    const accept_handler = async (input, ctx) => {
-        const auth = require_request_auth(ctx.auth);
-        let result;
-        try {
-            result = await query_accept_offer(ctx, {
-                offer_id: input.offer_id,
-                to_account_id: auth.account.id,
-                ip: ctx.client_ip,
-            });
-        }
-        catch (err) {
-            if (err instanceof PermitOfferNotFoundError) {
-                throw jsonrpc_errors.not_found('offer', { reason: ERROR_OFFER_NOT_FOUND });
-            }
-            if (err instanceof PermitOfferAlreadyTerminalError) {
-                throw jsonrpc_errors.invalid_request({ reason: ERROR_OFFER_TERMINAL });
-            }
-            if (err instanceof PermitOfferExpiredError) {
-                throw jsonrpc_errors.invalid_request({ reason: ERROR_OFFER_EXPIRED });
-            }
-            throw err;
-        }
-        // Look up the grantor's account_id inside the transaction so the
-        // post-commit notification has a valid target. One cheap SELECT by
-        // PK — the alternative (widening `query_accept_offer` again) would
-        // bleed transport concerns into the query layer.
-        const grantor_actor = notification_sender
-            ? await query_actor_by_id(ctx, result.offer.from_actor_id)
-            : null;
-        const grantor_account_id = grantor_actor?.account_id ?? null;
-        const offer_json = to_permit_offer_json(result.offer);
-        const supersede_payloads = result.superseded_offers.map((sib) => ({
-            offer: to_permit_offer_json(sib),
-            from_account_id: sib.from_account_id,
-        }));
-        // Audit events are written in-transaction by query_accept_offer; wire
-        // them through on_audit_event post-commit so SSE broadcasts fire.
-        // WS notifications piggyback on the same post-commit microtask so the
-        // grantor sees "accepted" and each superseded grantor sees
-        // "supersede" only once the accept has durably committed.
-        emit_after_commit(ctx, () => {
-            fan_out_audit_events(result.audit_events, on_audit_event, ctx.log);
-            if (notification_sender && grantor_account_id) {
-                notification_sender.send_to_account(grantor_account_id, build_permit_offer_accepted_notification({ offer: offer_json }));
-            }
-            if (notification_sender) {
-                for (const sib of supersede_payloads) {
-                    notification_sender.send_to_account(sib.from_account_id, build_permit_offer_supersede_notification({
-                        offer: sib.offer,
-                        reason: 'sibling_accepted',
-                        cause_id: result.offer.id,
-                    }));
-                }
-            }
-        });
-        return {
-            permit_id: result.permit.id,
-            offer: offer_json,
-            superseded_offer_ids: result.superseded_offers.map((o) => o.id),
-        };
-    };
-    const decline_handler = async (input, ctx) => {
-        const auth = require_request_auth(ctx.auth);
-        let declined;
-        try {
-            declined = await query_permit_offer_decline(ctx, input.offer_id, auth.account.id, input.reason ?? null);
-        }
-        catch (err) {
-            if (err instanceof PermitOfferAlreadyTerminalError) {
-                throw jsonrpc_errors.invalid_request({ reason: ERROR_OFFER_TERMINAL });
-            }
-            throw err;
-        }
-        if (!declined) {
-            throw jsonrpc_errors.not_found('offer', { reason: ERROR_OFFER_NOT_FOUND });
-        }
-        void audit_log_fire_and_forget(ctx, {
-            event_type: 'permit_offer_decline',
-            actor_id: auth.actor.id,
-            account_id: auth.account.id,
-            ip: ctx.client_ip,
-            metadata: {
-                offer_id: declined.id,
-                role: declined.role,
-                scope_id: declined.scope_id,
-                reason: input.reason ?? undefined,
-            },
-        }, deps);
-        if (notification_sender) {
-            // Look up the grantor's account (SELECT by PK, same tx) for the
-            // notification target. The decline reason rides along on
-            // `offer.decline_reason` — the DB set it in the RETURNING above.
-            const grantor_actor = await query_actor_by_id(ctx, declined.from_actor_id);
-            const grantor_account_id = grantor_actor?.account_id ?? null;
-            if (grantor_account_id) {
-                const offer_json = to_permit_offer_json(declined);
-                emit_after_commit(ctx, () => {
-                    notification_sender.send_to_account(grantor_account_id, build_permit_offer_declined_notification({ offer: offer_json }));
-                });
-            }
-        }
-        return { ok: true };
-    };
-    const retract_handler = async (input, ctx) => {
-        const auth = require_request_auth(ctx.auth);
-        let retracted;
-        try {
-            retracted = await query_permit_offer_retract(ctx, input.offer_id, auth.actor.id);
-        }
-        catch (err) {
-            if (err instanceof PermitOfferAlreadyTerminalError) {
-                throw jsonrpc_errors.invalid_request({ reason: ERROR_OFFER_TERMINAL });
-            }
-            throw err;
-        }
-        if (!retracted) {
-            throw jsonrpc_errors.not_found('offer', { reason: ERROR_OFFER_NOT_FOUND });
-        }
-        void audit_log_fire_and_forget(ctx, {
-            event_type: 'permit_offer_retract',
-            actor_id: auth.actor.id,
-            account_id: auth.account.id,
-            ip: ctx.client_ip,
-            metadata: {
-                offer_id: retracted.id,
-                role: retracted.role,
-                scope_id: retracted.scope_id,
-            },
-        }, deps);
-        if (notification_sender) {
-            const offer_json = to_permit_offer_json(retracted);
-            emit_after_commit(ctx, () => {
-                notification_sender.send_to_account(retracted.to_account_id, build_permit_offer_retracted_notification({ offer: offer_json }));
-            });
-        }
-        return { ok: true };
-    };
-    const list_handler = async (input, ctx) => {
-        const auth = require_request_auth(ctx.auth);
-        const target = input.account_id ?? auth.account.id;
-        if (target !== auth.account.id && !has_role(auth, ROLE_ADMIN)) {
-            throw jsonrpc_errors.forbidden('admin required to inspect another account');
-        }
-        const offers = await query_permit_offer_list(ctx, target);
-        return { offers: offers.map(to_permit_offer_json) };
-    };
-    const history_handler = async (input, ctx) => {
-        const auth = require_request_auth(ctx.auth);
-        const target = input.account_id ?? auth.account.id;
-        if (target !== auth.account.id && !has_role(auth, ROLE_ADMIN)) {
-            throw jsonrpc_errors.forbidden('admin required to inspect another account');
-        }
-        const offers = await query_permit_offer_history_for_account(ctx, target, input.limit ?? undefined, input.offset ?? undefined);
-        return { offers: offers.map(to_permit_offer_json) };
-    };
-    const revoke_handler = async (input, ctx) => {
-        const auth = require_request_auth(ctx.auth);
-        // IDOR guard + role lookup. One SELECT — returns null when the
-        // permit is revoked, missing, or belongs to a different actor.
-        const permit_row = await query_permit_find_active_role_for_actor(ctx, input.permit_id, input.actor_id);
-        if (!permit_row) {
-            throw jsonrpc_errors.not_found('permit', { reason: ERROR_PERMIT_NOT_FOUND });
-        }
-        // Resolve the target actor's account once — drives both the audit
-        // `target_account_id` and the post-commit notification target.
-        const target_actor = await query_actor_by_id(ctx, input.actor_id);
-        if (!target_actor) {
-            // The IDOR guard above already matched, so a missing actor here
-            // indicates a race (account deleted between the two SELECTs).
-            // Treat as account-not-found for the caller.
-            throw jsonrpc_errors.not_found('account', { reason: ERROR_ACCOUNT_NOT_FOUND });
-        }
-        const target_account_id = target_actor.account_id;
-        // web_grantable gate — keeper/daemon-scoped roles stay CLI-only.
-        const rc = role_options.get(permit_row.role);
-        if (!rc?.web_grantable) {
-            void audit_log_fire_and_forget(ctx, {
-                event_type: 'permit_revoke',
-                outcome: 'failure',
-                actor_id: auth.actor.id,
-                account_id: auth.account.id,
-                target_account_id,
-                ip: ctx.client_ip,
-                metadata: { role: permit_row.role, permit_id: input.permit_id },
-            }, deps);
-            throw jsonrpc_errors.forbidden('role not web-grantable', {
-                reason: ERROR_ROLE_NOT_WEB_GRANTABLE,
-            });
-        }
-        const result = await query_revoke_permit(ctx, input.permit_id, input.actor_id, auth.actor.id, input.reason ?? null);
-        if (!result) {
-            // Raced with another revoker or the permit was revoked between
-            // the IDOR check and the UPDATE.
-            throw jsonrpc_errors.not_found('permit', { reason: ERROR_PERMIT_NOT_FOUND });
-        }
-        void audit_log_fire_and_forget(ctx, {
-            event_type: 'permit_revoke',
-            actor_id: auth.actor.id,
-            account_id: auth.account.id,
-            target_account_id,
-            ip: ctx.client_ip,
-            metadata: {
-                role: result.role,
-                permit_id: result.id,
-                scope_id: result.scope_id,
-                reason: input.reason ?? undefined,
-            },
-        }, deps);
-        for (const offer of result.superseded_offers) {
-            void audit_log_fire_and_forget(ctx, {
-                event_type: 'permit_offer_supersede',
-                actor_id: auth.actor.id,
-                account_id: offer.to_account_id,
-                ip: ctx.client_ip,
-                metadata: {
-                    offer_id: offer.id,
-                    role: offer.role,
-                    scope_id: offer.scope_id,
-                    reason: 'permit_revoked',
-                    cause_id: result.id,
-                },
-            }, deps);
-        }
-        if (notification_sender) {
-            const superseded = result.superseded_offers.map((o) => ({
-                offer: to_permit_offer_json(o),
-                from_account_id: o.from_account_id,
-            }));
-            const cause_id = result.id;
-            const reason = input.reason ?? null;
-            emit_after_commit(ctx, () => {
-                notification_sender.send_to_account(target_account_id, build_permit_revoke_notification({
-                    permit_id: result.id,
-                    role: result.role,
-                    scope_id: result.scope_id,
-                    reason,
-                }));
-                for (const sib of superseded) {
-                    notification_sender.send_to_account(sib.from_account_id, build_permit_offer_supersede_notification({
-                        offer: sib.offer,
-                        reason: 'permit_revoked',
-                        cause_id,
-                    }));
-                }
-            });
-        }
-        return { ok: true, revoked: true };
-    };
-    return [
-        rpc_action(permit_offer_create_action_spec, create_handler),
-        rpc_action(permit_offer_accept_action_spec, accept_handler),
-        rpc_action(permit_offer_decline_action_spec, decline_handler),
-        rpc_action(permit_offer_retract_action_spec, retract_handler),
-        rpc_action(permit_offer_list_action_spec, list_handler),
-        rpc_action(permit_offer_history_action_spec, history_handler),
-        rpc_action(permit_revoke_action_spec, revoke_handler),
-    ];
-};

package/dist/auth/permit_offer_notifications.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"permit_offer_notifications.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/permit_offer_notifications.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA8BG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AACtB,OAAO,EAAqB,KAAK,IAAI,EAAC,MAAM,wBAAwB,CAAC;AAIrE,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,oBAAoB,CAAC;AAClD,OAAO,KAAK,EAAC,mBAAmB,EAAC,MAAM,oBAAoB,CAAC;AAM5D;;;;;;;;;;;;;GAaG;AACH,MAAM,WAAW,kBAAkB;IAClC,eAAe,EAAE,CAAC,UAAU,EAAE,IAAI,EAAE,OAAO,EAAE,mBAAmB,KAAK,MAAM,CAAC;CAC5E;AAID,eAAO,MAAM,yCAAyC,0BAA0B,CAAC;AACjF,eAAO,MAAM,0CAA0C,2BAA2B,CAAC;AACnF,eAAO,MAAM,yCAAyC,0BAA0B,CAAC;AACjF,eAAO,MAAM,yCAAyC,0BAA0B,CAAC;AACjF,eAAO,MAAM,0CAA0C,2BAA2B,CAAC;AACnF,eAAO,MAAM,iCAAiC,kBAAkB,CAAC;AAIjE,6EAA6E;AAC7E,eAAO,MAAM,yBAAyB;;;;;;;;;;;;;;;;;kBAEpC,CAAC;AACH,MAAM,MAAM,yBAAyB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,yBAAyB,CAAC,CAAC;AAElF,qEAAqE;AACrE,eAAO,MAAM,0BAA0B;;;;;;;;;;;;;;;;;kBAErC,CAAC;AACH,MAAM,MAAM,0BAA0B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,0BAA0B,CAAC,CAAC;AAEpF,yEAAyE;AACzE,eAAO,MAAM,yBAAyB;;;;;;;;;;;;;;;;;kBAEpC,CAAC;AACH,MAAM,MAAM,yBAAyB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,yBAAyB,CAAC,CAAC;AAElF;;;;GAIG;AACH,eAAO,MAAM,yBAAyB;;;;;;;;;;;;;;;;;kBAEpC,CAAC;AACH,MAAM,MAAM,yBAAyB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,yBAAyB,CAAC,CAAC;AAElF;;;;;;;;GAQG;AACH,eAAO,MAAM,0BAA0B;;;;;;;;;;;;;;;;;;;;;;;kBAIrC,CAAC;AACH,MAAM,MAAM,0BAA0B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,0BAA0B,CAAC,CAAC;AAEpF;;;;;;GAMG;AACH,eAAO,MAAM,kBAAkB;;;;;kBAK7B,CAAC;AACH,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAIpE,eAAO,MAAM,uCAAuC;;;;;;;;;;;;;;;;;;;;;;;;;;;CAUZ,CAAC;AAEzC,eAAO,MAAM,wCAAwC;;;;;;;;;;;;;;;;;;;;;;;;;;;CAUb,CAAC;AAEzC,eAAO,MAAM,uCAAuC;;;;;;;;;;;;;;;;;;;;;;;;;;;CAUZ,CAAC;AAEzC,eAAO,MAAM,uCAAuC;;;;;;;;;;;;;;;;;;;;;;;;;;;CAUZ,CAAC;AAEzC,eAAO,MAAM,wCAAwC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAWb,CAAC;AAEzC,eAAO,MAAM,+BAA+B;;;;;;;;;;;;;;;CAUJ,CAAC;AAIzC;;;;;GAKG;AACH,eAAO,MAAM,+BAA+B,EAAE,KAAK,CAAC,SAAS,CAO5D,CAAC;AAIF,eAAO,MAAM,wCAAwC,GACpD,QAAQ,yBAAyB,KAC/B,mBAC4E,CAAC;AAEhF,eAAO,MAAM,yCAAyC,GACrD,QAAQ,0BAA0B,KAChC,mBAC6E,CAAC;AAEjF,eAAO,MAAM,wCAAwC,GACpD,QAAQ,yBAAyB,KAC/B,mBAC4E,CAAC;AAEhF,eAAO,MAAM,wCAAwC,GACpD,QAAQ,yBAAyB,KAC/B,mBAC4E,CAAC;AAEhF,eAAO,MAAM,yCAAyC,GACrD,QAAQ,0BAA0B,KAChC,mBAC6E,CAAC;AAEjF,eAAO,MAAM,gCAAgC,GAAI,QAAQ,kBAAkB,KAAG,mBACP,CAAC"}

package/dist/auth/permit_offer_notifications.js

@@ -1,182 +0,0 @@
-/**
- * Permit offer WebSocket notification specs, builders, and the narrow
- * `NotificationSender` interface that decouples offer/revoke send sites
- * from `BackendWebsocketTransport`.
- *
- * Six `RemoteNotificationActionSpec`s cover the consentful-permits
- * lifecycle events the server pushes to affected accounts:
- *
- * - `permit_offer_received` → recipient's sockets when an offer is created
- * - `permit_offer_retracted` → recipient's sockets when a grantor retracts
- * - `permit_offer_accepted` → grantor's sockets when the recipient accepts
- * - `permit_offer_declined` → grantor's sockets when the recipient declines
- * - `permit_offer_supersede` → grantor's sockets when a sibling accept,
- *   a revoke of the resulting permit, or destruction of the parent scope
- *   row obsoletes their pending offer
- * - `permit_revoke` → revokee's sockets when one of their active permits
- *   is revoked (companion to the `permit_revoke` audit event)
- *
- * Payloads are flat and normalized — `PermitOfferJson` for the offer-lifecycle
- * notifications (decline reason rides on `offer.decline_reason`, not a
- * sibling field), and `{permit_id, role, scope_id, reason?}` for `permit_revoke`. The
- * revokee/grantor/recipient account id travels via the send target (the
- * `NotificationSender.send_to_account` argument), not in the payload.
- *
- * The specs surface as `EventSpec`s via `create_action_event_spec` — callers
- * append `PERMIT_OFFER_NOTIFICATION_SPECS` to their `event_specs` on
- * `create_app_server` so the surface reflects them and DEV-mode broadcast
- * validation catches payload drift.
- *
- * @module
- */
-import { z } from 'zod';
-import { Uuid as UuidSchema } from '@fuzdev/fuz_util/id.js';
-import { create_action_event_spec } from '../actions/action_bridge.js';
-import { create_jsonrpc_notification } from '../http/jsonrpc_helpers.js';
-import { RoleName } from './role_schema.js';
-import { PermitOfferJson } from './permit_offer_schema.js';
-import { PERMIT_REVOKED_REASON_LENGTH_MAX } from './account_schema.js';
-// -- Method constants -------------------------------------------------------
-export const PERMIT_OFFER_RECEIVED_NOTIFICATION_METHOD = 'permit_offer_received';
-export const PERMIT_OFFER_RETRACTED_NOTIFICATION_METHOD = 'permit_offer_retracted';
-export const PERMIT_OFFER_ACCEPTED_NOTIFICATION_METHOD = 'permit_offer_accepted';
-export const PERMIT_OFFER_DECLINED_NOTIFICATION_METHOD = 'permit_offer_declined';
-export const PERMIT_OFFER_SUPERSEDE_NOTIFICATION_METHOD = 'permit_offer_supersede';
-export const PERMIT_REVOKE_NOTIFICATION_METHOD = 'permit_revoke';
-// -- Params schemas ---------------------------------------------------------
-/** Params for `permit_offer_received` — offer delivered to its recipient. */
-export const PermitOfferReceivedParams = z.strictObject({
-    offer: PermitOfferJson,
-});
-/** Params for `permit_offer_retracted` — grantor-side retraction. */
-export const PermitOfferRetractedParams = z.strictObject({
-    offer: PermitOfferJson,
-});
-/** Params for `permit_offer_accepted` — recipient accepted the offer. */
-export const PermitOfferAcceptedParams = z.strictObject({
-    offer: PermitOfferJson,
-});
-/**
- * Params for `permit_offer_declined`. The decline reason (if any) rides along
- * inside `offer.decline_reason` — the DB stamps it on the offer row during
- * decline, so a sibling `reason` field would just duplicate it.
- */
-export const PermitOfferDeclinedParams = z.strictObject({
-    offer: PermitOfferJson,
-});
-/**
- * Params for `permit_offer_supersede`. Fires to the grantor's sockets when
- * their pending offer is obsoleted — either by a sibling accept
- * (`reason: 'sibling_accepted'`), by revoke of the resulting permit
- * (`reason: 'permit_revoked'`), or by deletion of the parent scope row
- * the offer was bound to (`reason: 'scope_destroyed'`). `cause_id` points
- * at the accepted offer id, the revoked permit id, or the destroyed scope
- * row id respectively.
- */
-export const PermitOfferSupersedeParams = z.strictObject({
-    offer: PermitOfferJson,
-    reason: z.enum(['sibling_accepted', 'permit_revoked', 'scope_destroyed']),
-    cause_id: UuidSchema,
-});
-/**
- * Params for `permit_revoke`. Delivered to the revokee's sockets when one
- * of their active permits is revoked. Flat wire shape — `revoked_by` is
- * admin-UI-visible but deliberately omitted here (the revokee doesn't need
- * to learn the admin's identity). Target account is implicit in the send
- * target.
- */
-export const PermitRevokeParams = z.strictObject({
-    permit_id: UuidSchema,
-    role: RoleName,
-    scope_id: UuidSchema.nullable(),
-    reason: z.string().max(PERMIT_REVOKED_REASON_LENGTH_MAX).nullable(),
-});
-// -- Action specs -----------------------------------------------------------
-export const permit_offer_received_notification_spec = {
-    method: PERMIT_OFFER_RECEIVED_NOTIFICATION_METHOD,
-    kind: 'remote_notification',
-    initiator: 'backend',
-    auth: null,
-    side_effects: true,
-    input: PermitOfferReceivedParams,
-    output: z.void(),
-    async: true,
-    description: 'A new permit offer arrived in the recipient’s inbox.',
-};
-export const permit_offer_retracted_notification_spec = {
-    method: PERMIT_OFFER_RETRACTED_NOTIFICATION_METHOD,
-    kind: 'remote_notification',
-    initiator: 'backend',
-    auth: null,
-    side_effects: true,
-    input: PermitOfferRetractedParams,
-    output: z.void(),
-    async: true,
-    description: 'A pending permit offer was retracted by its grantor.',
-};
-export const permit_offer_accepted_notification_spec = {
-    method: PERMIT_OFFER_ACCEPTED_NOTIFICATION_METHOD,
-    kind: 'remote_notification',
-    initiator: 'backend',
-    auth: null,
-    side_effects: true,
-    input: PermitOfferAcceptedParams,
-    output: z.void(),
-    async: true,
-    description: 'A pending permit offer was accepted by its recipient.',
-};
-export const permit_offer_declined_notification_spec = {
-    method: PERMIT_OFFER_DECLINED_NOTIFICATION_METHOD,
-    kind: 'remote_notification',
-    initiator: 'backend',
-    auth: null,
-    side_effects: true,
-    input: PermitOfferDeclinedParams,
-    output: z.void(),
-    async: true,
-    description: 'A pending permit offer was declined by its recipient.',
-};
-export const permit_offer_supersede_notification_spec = {
-    method: PERMIT_OFFER_SUPERSEDE_NOTIFICATION_METHOD,
-    kind: 'remote_notification',
-    initiator: 'backend',
-    auth: null,
-    side_effects: true,
-    input: PermitOfferSupersedeParams,
-    output: z.void(),
-    async: true,
-    description: 'A grantor’s pending permit offer was obsoleted by a sibling accept, by revoke of the resulting permit, or by destruction of the parent scope row.',
-};
-export const permit_revoke_notification_spec = {
-    method: PERMIT_REVOKE_NOTIFICATION_METHOD,
-    kind: 'remote_notification',
-    initiator: 'backend',
-    auth: null,
-    side_effects: true,
-    input: PermitRevokeParams,
-    output: z.void(),
-    async: true,
-    description: 'An active permit on the revokee’s account was revoked.',
-};
-// -- EventSpec surface ------------------------------------------------------
-/**
- * SSE/WS event specs for the consentful-permits notification surface.
- *
- * Pass to `create_app_server`'s `event_specs` so the attack surface reflects
- * them and DEV-mode `create_validated_broadcaster` catches payload drift.
- */
-export const PERMIT_OFFER_NOTIFICATION_SPECS = [
-    create_action_event_spec(permit_offer_received_notification_spec),
-    create_action_event_spec(permit_offer_retracted_notification_spec),
-    create_action_event_spec(permit_offer_accepted_notification_spec),
-    create_action_event_spec(permit_offer_declined_notification_spec),
-    create_action_event_spec(permit_offer_supersede_notification_spec),
-    create_action_event_spec(permit_revoke_notification_spec),
-];
-// -- Notification builders --------------------------------------------------
-export const build_permit_offer_received_notification = (params) => create_jsonrpc_notification(PERMIT_OFFER_RECEIVED_NOTIFICATION_METHOD, params);
-export const build_permit_offer_retracted_notification = (params) => create_jsonrpc_notification(PERMIT_OFFER_RETRACTED_NOTIFICATION_METHOD, params);
-export const build_permit_offer_accepted_notification = (params) => create_jsonrpc_notification(PERMIT_OFFER_ACCEPTED_NOTIFICATION_METHOD, params);
-export const build_permit_offer_declined_notification = (params) => create_jsonrpc_notification(PERMIT_OFFER_DECLINED_NOTIFICATION_METHOD, params);
-export const build_permit_offer_supersede_notification = (params) => create_jsonrpc_notification(PERMIT_OFFER_SUPERSEDE_NOTIFICATION_METHOD, params);
-export const build_permit_revoke_notification = (params) => create_jsonrpc_notification(PERMIT_REVOKE_NOTIFICATION_METHOD, params);