@fuzdev/fuz_app 0.54.0 → 0.56.0

package/dist/auth/permit_offer_schema.d.ts

@@ -1,103 +0,0 @@
-/**
- * Permit offer DDL, types, and client-safe schemas.
- *
- * An offer is a pending grant awaiting recipient consent. Lifecycle states
- * are mutually exclusive via a CHECK constraint (`permit_offer_single_terminal`):
- * at most one of `accepted_at` / `declined_at` / `retracted_at` may be set.
- * On accept, the offer's `resulting_permit_id` links to the permit row
- * produced by `query_accept_offer`.
- *
- * @module
- */
-import { z } from 'zod';
-import { Uuid } from '@fuzdev/fuz_util/id.js';
-/** Sentinel UUID used inside the partial unique indexes to collapse `scope_id IS NULL` into a comparable value. */
-export declare const PERMIT_OFFER_SCOPE_SENTINEL_UUID = "00000000-0000-0000-0000-000000000000";
-/** Maximum length of the optional message attached to an offer. */
-export declare const PERMIT_OFFER_MESSAGE_LENGTH_MAX = 500;
-/** Default TTL for a newly created offer — 30 days. Matches GitHub org-invite expiry. */
-export declare const PERMIT_OFFER_DEFAULT_TTL_MS: number;
-export declare const PERMIT_OFFER_SCHEMA = "\nCREATE TABLE IF NOT EXISTS permit_offer (\n  id UUID PRIMARY KEY DEFAULT gen_random_uuid(),\n  from_actor_id UUID NOT NULL REFERENCES actor(id) ON DELETE CASCADE,\n  to_account_id UUID NOT NULL REFERENCES account(id) ON DELETE CASCADE,\n  role TEXT NOT NULL,\n  scope_id UUID NULL,\n  message TEXT NULL,\n  created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),\n  expires_at TIMESTAMPTZ NOT NULL,\n  accepted_at TIMESTAMPTZ NULL,\n  declined_at TIMESTAMPTZ NULL,\n  decline_reason TEXT NULL,\n  retracted_at TIMESTAMPTZ NULL,\n  superseded_at TIMESTAMPTZ NULL,\n  resulting_permit_id UUID NULL REFERENCES permit(id) ON DELETE SET NULL,\n  CONSTRAINT permit_offer_single_terminal CHECK (\n    (accepted_at IS NOT NULL)::int\n    + (declined_at IS NOT NULL)::int\n    + (retracted_at IS NOT NULL)::int\n    + (superseded_at IS NOT NULL)::int\n    <= 1\n  ),\n  CONSTRAINT permit_offer_permit_iff_accepted CHECK (\n    (accepted_at IS NOT NULL) = (resulting_permit_id IS NOT NULL)\n  ),\n  CONSTRAINT permit_offer_reason_iff_declined CHECK (\n    decline_reason IS NULL OR declined_at IS NOT NULL\n  )\n)";
-/**
- * At most one pending offer per (to_account, role, scope, from_actor).
- *
- * Including `from_actor_id` in the tuple lets multiple grantors coexist —
- * teacher A and teacher B can each have a pending `classroom_student` offer
- * for the same student and scope. A same-grantor re-offer upserts the
- * existing pending row. `COALESCE` collapses `NULL` scopes into the
- * sentinel UUID so Postgres's NULL-in-unique-index quirk does not allow
- * duplicate global pending offers. The ON CONFLICT target in
- * `query_permit_offer_create` must match this expression literally.
- */
-export declare const PERMIT_OFFER_PENDING_UNIQUE_INDEX = "\nCREATE UNIQUE INDEX IF NOT EXISTS permit_offer_pending_unique\n  ON permit_offer (\n    to_account_id,\n    role,\n    COALESCE(scope_id, '00000000-0000-0000-0000-000000000000'::uuid),\n    from_actor_id\n  )\n  WHERE accepted_at IS NULL\n    AND declined_at IS NULL\n    AND retracted_at IS NULL\n    AND superseded_at IS NULL";
-/** Inbox lookup — pending offers for an account, ordered by soonest expiry. */
-export declare const PERMIT_OFFER_INBOX_INDEX = "\nCREATE INDEX IF NOT EXISTS permit_offer_inbox\n  ON permit_offer (to_account_id, expires_at)\n  WHERE accepted_at IS NULL\n    AND declined_at IS NULL\n    AND retracted_at IS NULL\n    AND superseded_at IS NULL";
-/** Permit offer row as returned by the database. */
-export interface PermitOffer {
-    id: Uuid;
-    from_actor_id: Uuid;
-    to_account_id: Uuid;
-    role: string;
-    scope_id: Uuid | null;
-    message: string | null;
-    created_at: string;
-    expires_at: string;
-    accepted_at: string | null;
-    declined_at: string | null;
-    decline_reason: string | null;
-    retracted_at: string | null;
-    /**
-     * Set when the offer was obsoleted by an external event — a sibling
-     * offer was accepted (yielding the permit this offer's role+scope maps to)
-     * or the resulting permit for this (to_account, role, scope) was revoked.
-     * Closes the "accept a pre-revoke offer to bypass the revoke" path.
-     */
-    superseded_at: string | null;
-    resulting_permit_id: Uuid | null;
-}
-/**
- * A superseded offer row annotated with the grantor's `account_id`.
- *
- * Carried by `superseded_offers` in accept/revoke query results so callers
- * can fan out `permit_offer_supersede` notifications to the grantor's
- * sockets without a second round-trip. Populated via a CTE join on `actor`
- * in the supersede UPDATE.
- */
-export interface SupersededOffer extends PermitOffer {
-    from_account_id: Uuid;
-}
-/**
- * Input for `query_permit_offer_create`.
- *
- * `expires_at` must be supplied — the query layer does not apply a default,
- * so callers can thread their own TTL (typically `PERMIT_OFFER_DEFAULT_TTL_MS`).
- */
-export interface CreatePermitOfferInput {
-    from_actor_id: Uuid;
-    to_account_id: Uuid;
-    role: string;
-    scope_id?: Uuid | null;
-    message?: string | null;
-    expires_at: Date;
-}
-/** Zod schema for client-safe permit offer data. */
-export declare const PermitOfferJson: z.ZodObject<{
-    id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
-    from_actor_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
-    to_account_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
-    role: z.ZodString;
-    scope_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
-    message: z.ZodNullable<z.ZodString>;
-    created_at: z.ZodString;
-    expires_at: z.ZodString;
-    accepted_at: z.ZodNullable<z.ZodString>;
-    declined_at: z.ZodNullable<z.ZodString>;
-    decline_reason: z.ZodNullable<z.ZodString>;
-    retracted_at: z.ZodNullable<z.ZodString>;
-    superseded_at: z.ZodNullable<z.ZodString>;
-    resulting_permit_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
-}, z.core.$strict>;
-export type PermitOfferJson = z.infer<typeof PermitOfferJson>;
-/** Convert a `PermitOffer` row to its JSON payload shape. */
-export declare const to_permit_offer_json: (offer: PermitOffer) => PermitOfferJson;
-//# sourceMappingURL=permit_offer_schema.d.ts.map

package/dist/auth/permit_offer_schema.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"permit_offer_schema.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/permit_offer_schema.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AACtB,OAAO,EAAC,IAAI,EAAC,MAAM,wBAAwB,CAAC;AAI5C,mHAAmH;AACnH,eAAO,MAAM,gCAAgC,yCAAyC,CAAC;AAEvF,mEAAmE;AACnE,eAAO,MAAM,+BAA+B,MAAM,CAAC;AAEnD,yFAAyF;AACzF,eAAO,MAAM,2BAA2B,QAA2B,CAAC;AAEpE,eAAO,MAAM,mBAAmB,6kCA6B9B,CAAC;AAEH;;;;;;;;;;GAUG;AACH,eAAO,MAAM,iCAAiC,8UAWhB,CAAC;AAE/B,+EAA+E;AAC/E,eAAO,MAAM,wBAAwB,0NAMP,CAAC;AAE/B,oDAAoD;AACpD,MAAM,WAAW,WAAW;IAC3B,EAAE,EAAE,IAAI,CAAC;IACT,aAAa,EAAE,IAAI,CAAC;IACpB,aAAa,EAAE,IAAI,CAAC;IACpB,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,IAAI,GAAG,IAAI,CAAC;IACtB,OAAO,EAAE,MAAM,GAAG,IAAI,CAAC;IACvB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IACnB,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,cAAc,EAAE,MAAM,GAAG,IAAI,CAAC;IAC9B,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5B;;;;;OAKG;IACH,aAAa,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7B,mBAAmB,EAAE,IAAI,GAAG,IAAI,CAAC;CACjC;AAED;;;;;;;GAOG;AACH,MAAM,WAAW,eAAgB,SAAQ,WAAW;IACnD,eAAe,EAAE,IAAI,CAAC;CACtB;AAED;;;;;GAKG;AACH,MAAM,WAAW,sBAAsB;IACtC,aAAa,EAAE,IAAI,CAAC;IACpB,aAAa,EAAE,IAAI,CAAC;IACpB,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;IACvB,OAAO,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,UAAU,EAAE,IAAI,CAAC;CACjB;AAED,oDAAoD;AACpD,eAAO,MAAM,eAAe;;;;;;;;;;;;;;;kBA4CyD,CAAC;AACtF,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,eAAe,CAAC,CAAC;AAE9D,6DAA6D;AAC7D,eAAO,MAAM,oBAAoB,GAAI,OAAO,WAAW,KAAG,eAexD,CAAC"}

package/dist/auth/permit_queries.d.ts

@@ -1,210 +0,0 @@
-/**
- * Permit database queries.
- *
- * Permits are time-bounded, revocable grants of a role to an actor.
- * The system is safe by default — no permit, no capability.
- *
- * @module
- */
-import type { Uuid } from '@fuzdev/fuz_util/id.js';
-import type { QueryDeps } from '../db/query_deps.js';
-import type { Permit, GrantPermitInput } from './account_schema.js';
-import { type SupersededOffer } from './permit_offer_schema.js';
-/**
- * Grant a permit to an actor.
- * Idempotent — if an active permit already exists for this actor, role, and
- * scope, returns the existing permit instead of creating a duplicate.
- *
- * The `ON CONFLICT` target and the fallback `SELECT` both collapse `NULL`
- * scopes via the same sentinel used by the partial unique index
- * (`permit_actor_role_scope_active_unique`). The `IS NOT DISTINCT FROM`
- * form on the fallback is deliberate — plain `=` would miss the
- * NULL-scope case where the conflict fired.
- *
- * @param deps - query dependencies
- * @param input - the permit fields
- * @returns the created or existing active permit
- * @mutates `permit` table - inserts a row when no active permit matches `(actor_id, role, scope_id)`
- */
-export declare const query_grant_permit: (deps: QueryDeps, input: GrantPermitInput) => Promise<Permit>;
-/**
- * Look up the role of an active permit, constrained to a specific actor.
- *
- * Used by admin routes to inspect the permit's role before acting
- * (e.g., enforcing `web_grantable` on revoke). The actor constraint
- * mirrors `query_revoke_permit` so IDOR protection is consistent:
- * a caller can only see permits belonging to the target actor.
- *
- * Returns `null` if the permit is not found, already revoked, or
- * belongs to a different actor.
- *
- * @param deps - query dependencies
- * @param permit_id - the permit id to look up
- * @param actor_id - the actor that must own the permit
- * @returns `{role}` on a match, or `null`
- */
-export declare const query_permit_find_active_role_for_actor: (deps: QueryDeps, permit_id: string, actor_id: string) => Promise<{
-    role: string;
-} | null>;
-/** Result of `query_revoke_permit` — the revoked permit plus any pending offers superseded by the revoke. */
-export interface RevokePermitResult {
-    id: Uuid;
-    role: string;
-    scope_id: Uuid | null;
-    /**
-     * Pending offers for the revoked permit's `(account, role, scope)` that
-     * were marked superseded as a side effect. Each entry carries its
-     * grantor's `from_account_id` so callers can fan out
-     * `permit_offer_supersede` notifications without a second round-trip.
-     * The caller is responsible for emitting a `permit_offer_supersede`
-     * audit event per entry (with `reason: 'permit_revoked'` and
-     * `cause_id: <revoked permit id>`).
-     */
-    superseded_offers: Array<SupersededOffer>;
-}
-/**
- * Revoke a permit by id, constrained to a specific actor.
- *
- * Requires `actor_id` to prevent cross-account revocation (IDOR guard).
- * Returns `null` if the permit is not found, already revoked, or belongs
- * to a different actor.
- *
- * Supersedes any pending offers for the revoked permit's
- * `(to_account, role, scope)` in the same transaction. Prevents the
- * "accept a pre-revoke offer to bypass the revoke" path — any stale
- * offer becomes terminal at revoke time. A fresh post-revoke grant
- * requires the grantor to call `query_permit_offer_create` again.
- *
- * @param deps - query dependencies
- * @param permit_id - the permit to revoke
- * @param actor_id - the actor that must own the permit
- * @param revoked_by - the actor who revoked it (for audit trail)
- * @param reason - optional free-form reason, stamped on `permit.revoked_reason` and surfaced to the revokee notification.
- * @mutates `permit` row - sets `revoked_at`, `revoked_by`, and `revoked_reason`
- * @mutates `permit_offer` rows - stamps `superseded_at` on every pending sibling for the same `(account, role, scope)`
- */
-export declare const query_revoke_permit: (deps: QueryDeps, permit_id: Uuid, actor_id: Uuid, revoked_by: Uuid | null, reason?: string | null) => Promise<RevokePermitResult | null>;
-/**
- * Find all active (non-revoked, non-expired) permits for an actor.
- */
-export declare const query_permit_find_active_for_actor: (deps: QueryDeps, actor_id: string) => Promise<Array<Permit>>;
-/**
- * Check if an actor has an active permit for a given role.
- *
- * The `scope_id` parameter selects between global and scoped checks:
- * - Omitted or `null` — matches a global permit (`scope_id IS NULL`).
- *   Pre-scope callers keep their existing semantics.
- * - A scope uuid — matches a permit bound to that exact scope.
- *
- * The `IS NOT DISTINCT FROM` comparison handles the NULL case uniformly.
- */
-export declare const query_permit_has_role: (deps: QueryDeps, actor_id: string, role: string, scope_id?: string | null) => Promise<boolean>;
-/**
- * List all permits for an actor (including revoked/expired).
- */
-export declare const query_permit_list_for_actor: (deps: QueryDeps, actor_id: string) => Promise<Array<Permit>>;
-/**
- * Find the account ID of an account that holds an active permit for a given role.
- *
- * Joins permit → actor → account. Returns the first match, or `null` if none.
- *
- * @param deps - query dependencies
- * @param role - the role to search for
- * @returns the account ID, or `null`
- */
-export declare const query_permit_find_account_id_for_role: (deps: QueryDeps, role: string) => Promise<string | null>;
-/** Result of `query_permit_revoke_for_scope` — every permit revoked plus every pending offer superseded by the scope-wide cascade. */
-export interface RevokeForScopeResult {
-    /**
-     * One entry per permit revoked by this call. Carries the revokee's
-     * `account_id` so callers can fan out a `permit_revoke` notification per
-     * permit. Empty array means no active permit was bound to the scope.
-     */
-    revoked: Array<{
-        permit_id: Uuid;
-        role: string;
-        scope_id: Uuid;
-        account_id: Uuid;
-    }>;
-    /**
-     * Every pending offer at the scope — tuple-matched and orphan, undifferentiated
-     * — superseded in the same cascade. Each entry carries its grantor's
-     * `from_account_id` for `permit_offer_supersede` notification fan-out.
-     *
-     * The caller is responsible for emitting `permit_offer_supersede` audit
-     * events with `reason: 'scope_destroyed'` and `cause_id: <destroyed scope row id>`
-     * per entry — the cause of every supersede here is the scope deletion,
-     * not any individual permit revoke (the revokes are themselves
-     * consequences of the scope going away).
-     */
-    superseded_offers: Array<SupersededOffer>;
-}
-/**
- * Revoke every active permit bound to a scope and supersede every pending
- * offer at the scope, in one cascade.
- *
- * Use this from a consumer's parent-scope delete handler (e.g., classroom
- * deletion) — `permit.scope_id` and `permit_offer.scope_id` are polymorphic
- * with no FK constraint by design, so a parent row deletion would otherwise
- * orphan permits and offers. The cascade is **role-agnostic**: anything
- * attached to the destroyed scope is cleaned up.
- *
- * Both updates run as separate statements inside the caller's transaction
- * (mirrors `query_permit_revoke_role`'s shape). The two halves are
- * independent — orphan pending offers can exist at a scope with no active
- * permits, so the supersede half always runs even when no permit was
- * revoked.
- *
- * @param deps - query dependencies
- * @param scope_id - the scope whose permits and offers to terminate
- * @param revoked_by - the actor performing the cascade (audit trail)
- * @param reason - optional free-form reason, stamped on `permit.revoked_reason`.
- * @returns the revoked permits (with `account_id` for fan-out) and superseded offers (with `from_account_id` for fan-out)
- * @mutates `permit` table - sets `revoked_at`/`revoked_by`/`revoked_reason` on every active row at `scope_id`
- * @mutates `permit_offer` table - stamps `superseded_at` on every pending row at `scope_id`
- */
-export declare const query_permit_revoke_for_scope: (deps: QueryDeps, scope_id: Uuid, revoked_by: Uuid | null, reason?: string | null) => Promise<RevokeForScopeResult>;
-/** Result of `query_permit_revoke_role` — every permit revoked plus the pending offers superseded by the bulk revoke. */
-export interface RevokeRoleResult {
-    /**
-     * One entry per permit revoked by this call. Carries the revokee's
-     * `account_id` so callers can fan out a `permit_revoke` notification per
-     * scope-instance. Empty array means nothing was active for `(actor, role)`.
-     */
-    revoked: Array<{
-        permit_id: string;
-        role: string;
-        scope_id: string | null;
-        account_id: string;
-    }>;
-    /**
-     * Pending offers for the actor's account+role (all scopes) superseded by
-     * the bulk revoke. Each entry carries its grantor's `from_account_id` so
-     * callers can fan out `permit_offer_supersede` notifications without a
-     * second round-trip.
-     */
-    superseded_offers: Array<SupersededOffer>;
-}
-/**
- * Revoke every active permit an actor holds for a given role.
- *
- * With scoped permits a single actor+role tuple can hold several active
- * permits (one per scope), so this revokes all of them. Pass
- * `query_revoke_permit(permit_id, ...)` when a single scoped permit
- * is the target.
- *
- * Also supersedes pending offers for the actor's account across every
- * scope of this role (the actor can no longer hold the role, so any
- * pending offer of the same role is a bypass vector).
- *
- * @param deps - query dependencies
- * @param actor_id - the actor whose permits to revoke
- * @param role - the role to revoke
- * @param revoked_by - the actor who revoked it (for audit trail)
- * @param reason - optional free-form reason, stamped on `permit.revoked_reason`.
- * @returns the list of revoked permits (empty if none were active) and superseded pending offers
- * @mutates `permit` table - sets `revoked_at`/`revoked_by`/`revoked_reason` on every active row for `(actor, role)`
- * @mutates `permit_offer` table - stamps `superseded_at` on every matching pending offer
- */
-export declare const query_permit_revoke_role: (deps: QueryDeps, actor_id: string, role: string, revoked_by: string | null, reason?: string | null) => Promise<RevokeRoleResult>;
-//# sourceMappingURL=permit_queries.d.ts.map

package/dist/auth/permit_queries.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"permit_queries.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/permit_queries.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAC,IAAI,EAAC,MAAM,wBAAwB,CAAC;AAEjD,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,qBAAqB,CAAC;AACnD,OAAO,KAAK,EAAC,MAAM,EAAE,gBAAgB,EAAC,MAAM,qBAAqB,CAAC;AAElE,OAAO,EAAmC,KAAK,eAAe,EAAC,MAAM,0BAA0B,CAAC;AAEhG;;;;;;;;;;;;;;;GAeG;AACH,eAAO,MAAM,kBAAkB,GAC9B,MAAM,SAAS,EACf,OAAO,gBAAgB,KACrB,OAAO,CAAC,MAAM,CA4BhB,CAAC;AAEF;;;;;;;;;;;;;;;GAeG;AACH,eAAO,MAAM,uCAAuC,GACnD,MAAM,SAAS,EACf,WAAW,MAAM,EACjB,UAAU,MAAM,KACd,OAAO,CAAC;IAAC,IAAI,EAAE,MAAM,CAAA;CAAC,GAAG,IAAI,CAO/B,CAAC;AAEF,6GAA6G;AAC7G,MAAM,WAAW,kBAAkB;IAClC,EAAE,EAAE,IAAI,CAAC;IACT,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,IAAI,GAAG,IAAI,CAAC;IACtB;;;;;;;;OAQG;IACH,iBAAiB,EAAE,KAAK,CAAC,eAAe,CAAC,CAAC;CAC1C;AAED;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,eAAO,MAAM,mBAAmB,GAC/B,MAAM,SAAS,EACf,WAAW,IAAI,EACf,UAAU,IAAI,EACd,YAAY,IAAI,GAAG,IAAI,EACvB,SAAS,MAAM,GAAG,IAAI,KACpB,OAAO,CAAC,kBAAkB,GAAG,IAAI,CAsCnC,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,kCAAkC,GAC9C,MAAM,SAAS,EACf,UAAU,MAAM,KACd,OAAO,CAAC,KAAK,CAAC,MAAM,CAAC,CASvB,CAAC;AAEF;;;;;;;;;GASG;AACH,eAAO,MAAM,qBAAqB,GACjC,MAAM,SAAS,EACf,UAAU,MAAM,EAChB,MAAM,MAAM,EACZ,WAAW,MAAM,GAAG,IAAI,KACtB,OAAO,CAAC,OAAO,CAajB,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,2BAA2B,GACvC,MAAM,SAAS,EACf,UAAU,MAAM,KACd,OAAO,CAAC,KAAK,CAAC,MAAM,CAAC,CAKvB,CAAC;AAEF;;;;;;;;GAQG;AACH,eAAO,MAAM,qCAAqC,GACjD,MAAM,SAAS,EACf,MAAM,MAAM,KACV,OAAO,CAAC,MAAM,GAAG,IAAI,CAavB,CAAC;AAEF,sIAAsI;AACtI,MAAM,WAAW,oBAAoB;IACpC;;;;OAIG;IACH,OAAO,EAAE,KAAK,CAAC;QAAC,SAAS,EAAE,IAAI,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,IAAI,CAAC;QAAC,UAAU,EAAE,IAAI,CAAA;KAAC,CAAC,CAAC;IAClF;;;;;;;;;;OAUG;IACH,iBAAiB,EAAE,KAAK,CAAC,eAAe,CAAC,CAAC;CAC1C;AAED;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,eAAO,MAAM,6BAA6B,GACzC,MAAM,SAAS,EACf,UAAU,IAAI,EACd,YAAY,IAAI,GAAG,IAAI,EACvB,SAAS,MAAM,GAAG,IAAI,KACpB,OAAO,CAAC,oBAAoB,CA2C9B,CAAC;AAEF,yHAAyH;AACzH,MAAM,WAAW,gBAAgB;IAChC;;;;OAIG;IACH,OAAO,EAAE,KAAK,CAAC;QAAC,SAAS,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;QAAC,UAAU,EAAE,MAAM,CAAA;KAAC,CAAC,CAAC;IAC/F;;;;;OAKG;IACH,iBAAiB,EAAE,KAAK,CAAC,eAAe,CAAC,CAAC;CAC1C;AAED;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,eAAO,MAAM,wBAAwB,GACpC,MAAM,SAAS,EACf,UAAU,MAAM,EAChB,MAAM,MAAM,EACZ,YAAY,MAAM,GAAG,IAAI,EACzB,SAAS,MAAM,GAAG,IAAI,KACpB,OAAO,CAAC,gBAAgB,CA2C1B,CAAC"}

package/dist/auth/permit_queries.js

@@ -1,294 +0,0 @@
-/**
- * Permit database queries.
- *
- * Permits are time-bounded, revocable grants of a role to an actor.
- * The system is safe by default — no permit, no capability.
- *
- * @module
- */
-import { assert_row } from '../db/assert_row.js';
-import { PERMIT_OFFER_SCOPE_SENTINEL_UUID } from './permit_offer_schema.js';
-/**
- * Grant a permit to an actor.
- * Idempotent — if an active permit already exists for this actor, role, and
- * scope, returns the existing permit instead of creating a duplicate.
- *
- * The `ON CONFLICT` target and the fallback `SELECT` both collapse `NULL`
- * scopes via the same sentinel used by the partial unique index
- * (`permit_actor_role_scope_active_unique`). The `IS NOT DISTINCT FROM`
- * form on the fallback is deliberate — plain `=` would miss the
- * NULL-scope case where the conflict fired.
- *
- * @param deps - query dependencies
- * @param input - the permit fields
- * @returns the created or existing active permit
- * @mutates `permit` table - inserts a row when no active permit matches `(actor_id, role, scope_id)`
- */
-export const query_grant_permit = async (deps, input) => {
-    const inserted = await deps.db.query_one(`INSERT INTO permit (actor_id, role, scope_id, expires_at, granted_by, source_offer_id)
-		 VALUES ($1, $2, $3, $4, $5, $6)
-		 ON CONFLICT (actor_id, role, COALESCE(scope_id, '${PERMIT_OFFER_SCOPE_SENTINEL_UUID}'::uuid))
-		   WHERE revoked_at IS NULL
-		 DO NOTHING
-		 RETURNING *`, [
-        input.actor_id,
-        input.role,
-        input.scope_id ?? null,
-        input.expires_at?.toISOString() ?? null,
-        input.granted_by ?? null,
-        input.source_offer_id ?? null,
-    ]);
-    if (inserted)
-        return inserted;
-    // Active permit already exists — return it (idempotent grant).
-    const existing = await deps.db.query_one(`SELECT * FROM permit
-		 WHERE actor_id = $1
-		   AND role = $2
-		   AND scope_id IS NOT DISTINCT FROM $3
-		   AND revoked_at IS NULL`, [input.actor_id, input.role, input.scope_id ?? null]);
-    return assert_row(existing, 'idempotent permit grant');
-};
-/**
- * Look up the role of an active permit, constrained to a specific actor.
- *
- * Used by admin routes to inspect the permit's role before acting
- * (e.g., enforcing `web_grantable` on revoke). The actor constraint
- * mirrors `query_revoke_permit` so IDOR protection is consistent:
- * a caller can only see permits belonging to the target actor.
- *
- * Returns `null` if the permit is not found, already revoked, or
- * belongs to a different actor.
- *
- * @param deps - query dependencies
- * @param permit_id - the permit id to look up
- * @param actor_id - the actor that must own the permit
- * @returns `{role}` on a match, or `null`
- */
-export const query_permit_find_active_role_for_actor = async (deps, permit_id, actor_id) => {
-    const row = await deps.db.query_one(`SELECT role FROM permit
-		 WHERE id = $1 AND actor_id = $2 AND revoked_at IS NULL`, [permit_id, actor_id]);
-    return row ?? null;
-};
-/**
- * Revoke a permit by id, constrained to a specific actor.
- *
- * Requires `actor_id` to prevent cross-account revocation (IDOR guard).
- * Returns `null` if the permit is not found, already revoked, or belongs
- * to a different actor.
- *
- * Supersedes any pending offers for the revoked permit's
- * `(to_account, role, scope)` in the same transaction. Prevents the
- * "accept a pre-revoke offer to bypass the revoke" path — any stale
- * offer becomes terminal at revoke time. A fresh post-revoke grant
- * requires the grantor to call `query_permit_offer_create` again.
- *
- * @param deps - query dependencies
- * @param permit_id - the permit to revoke
- * @param actor_id - the actor that must own the permit
- * @param revoked_by - the actor who revoked it (for audit trail)
- * @param reason - optional free-form reason, stamped on `permit.revoked_reason` and surfaced to the revokee notification.
- * @mutates `permit` row - sets `revoked_at`, `revoked_by`, and `revoked_reason`
- * @mutates `permit_offer` rows - stamps `superseded_at` on every pending sibling for the same `(account, role, scope)`
- */
-export const query_revoke_permit = async (deps, permit_id, actor_id, revoked_by, reason) => {
-    const rows = await deps.db.query(`UPDATE permit SET revoked_at = NOW(), revoked_by = $3, revoked_reason = $4
-		 WHERE id = $1 AND actor_id = $2 AND revoked_at IS NULL
-		 RETURNING id, role, scope_id`, [permit_id, actor_id, revoked_by ?? null, reason ?? null]);
-    const revoked = rows[0];
-    if (!revoked)
-        return null;
-    // CTE joins `actor` after the UPDATE so each superseded row carries the
-    // grantor's `account_id` — callers fan out `permit_offer_supersede`
-    // notifications to that account without a second round-trip.
-    const superseded_offers = await deps.db.query(`WITH updated AS (
-			UPDATE permit_offer o
-			SET superseded_at = NOW()
-			FROM actor a
-			WHERE a.id = $1
-			  AND o.to_account_id = a.account_id
-			  AND o.role = $2
-			  AND o.scope_id IS NOT DISTINCT FROM $3
-			  AND o.accepted_at IS NULL
-			  AND o.declined_at IS NULL
-			  AND o.retracted_at IS NULL
-			  AND o.superseded_at IS NULL
-			RETURNING o.*
-		)
-		SELECT u.*, grantor.account_id AS from_account_id
-		FROM updated u
-		JOIN actor grantor ON grantor.id = u.from_actor_id`, [actor_id, revoked.role, revoked.scope_id]);
-    return {
-        id: revoked.id,
-        role: revoked.role,
-        scope_id: revoked.scope_id,
-        superseded_offers,
-    };
-};
-/**
- * Find all active (non-revoked, non-expired) permits for an actor.
- */
-export const query_permit_find_active_for_actor = async (deps, actor_id) => {
-    return deps.db.query(`SELECT * FROM permit
-		 WHERE actor_id = $1
-		   AND revoked_at IS NULL
-		   AND (expires_at IS NULL OR expires_at > NOW())
-		 ORDER BY created_at`, [actor_id]);
-};
-/**
- * Check if an actor has an active permit for a given role.
- *
- * The `scope_id` parameter selects between global and scoped checks:
- * - Omitted or `null` — matches a global permit (`scope_id IS NULL`).
- *   Pre-scope callers keep their existing semantics.
- * - A scope uuid — matches a permit bound to that exact scope.
- *
- * The `IS NOT DISTINCT FROM` comparison handles the NULL case uniformly.
- */
-export const query_permit_has_role = async (deps, actor_id, role, scope_id) => {
-    const row = await deps.db.query_one(`SELECT EXISTS(
-			SELECT 1 FROM permit
-			WHERE actor_id = $1
-			  AND role = $2
-			  AND scope_id IS NOT DISTINCT FROM $3
-			  AND revoked_at IS NULL
-			  AND (expires_at IS NULL OR expires_at > NOW())
-		 ) AS exists`, [actor_id, role, scope_id ?? null]);
-    return row?.exists ?? false;
-};
-/**
- * List all permits for an actor (including revoked/expired).
- */
-export const query_permit_list_for_actor = async (deps, actor_id) => {
-    return deps.db.query(`SELECT * FROM permit WHERE actor_id = $1 ORDER BY created_at DESC`, [actor_id]);
-};
-/**
- * Find the account ID of an account that holds an active permit for a given role.
- *
- * Joins permit → actor → account. Returns the first match, or `null` if none.
- *
- * @param deps - query dependencies
- * @param role - the role to search for
- * @returns the account ID, or `null`
- */
-export const query_permit_find_account_id_for_role = async (deps, role) => {
-    const row = await deps.db.query_one(`SELECT a.id AS account_id
-		 FROM permit p
-		 JOIN actor act ON act.id = p.actor_id
-		 JOIN account a ON a.id = act.account_id
-		 WHERE p.role = $1
-		   AND p.revoked_at IS NULL
-		   AND (p.expires_at IS NULL OR p.expires_at > NOW())
-		 LIMIT 1`, [role]);
-    return row?.account_id ?? null;
-};
-/**
- * Revoke every active permit bound to a scope and supersede every pending
- * offer at the scope, in one cascade.
- *
- * Use this from a consumer's parent-scope delete handler (e.g., classroom
- * deletion) — `permit.scope_id` and `permit_offer.scope_id` are polymorphic
- * with no FK constraint by design, so a parent row deletion would otherwise
- * orphan permits and offers. The cascade is **role-agnostic**: anything
- * attached to the destroyed scope is cleaned up.
- *
- * Both updates run as separate statements inside the caller's transaction
- * (mirrors `query_permit_revoke_role`'s shape). The two halves are
- * independent — orphan pending offers can exist at a scope with no active
- * permits, so the supersede half always runs even when no permit was
- * revoked.
- *
- * @param deps - query dependencies
- * @param scope_id - the scope whose permits and offers to terminate
- * @param revoked_by - the actor performing the cascade (audit trail)
- * @param reason - optional free-form reason, stamped on `permit.revoked_reason`.
- * @returns the revoked permits (with `account_id` for fan-out) and superseded offers (with `from_account_id` for fan-out)
- * @mutates `permit` table - sets `revoked_at`/`revoked_by`/`revoked_reason` on every active row at `scope_id`
- * @mutates `permit_offer` table - stamps `superseded_at` on every pending row at `scope_id`
- */
-export const query_permit_revoke_for_scope = async (deps, scope_id, revoked_by, reason) => {
-    // Revoke every active permit at the scope. CTE pulls `account_id` via a
-    // join on `actor` so callers fan out `permit_revoke` notifications without
-    // an extra round-trip.
-    const revoked = await deps.db.query(`WITH updated AS (
-			UPDATE permit
-			SET revoked_at = NOW(), revoked_by = $2, revoked_reason = $3
-			WHERE scope_id = $1 AND revoked_at IS NULL
-			RETURNING id, role, scope_id, actor_id
-		)
-		SELECT u.id AS permit_id, u.role, u.scope_id, a.account_id
-		FROM updated u
-		JOIN actor a ON a.id = u.actor_id`, [scope_id, revoked_by ?? null, reason ?? null]);
-    // Supersede every pending offer at the scope — tuple-matched or orphan,
-    // no distinction. The cause of every supersede in this cascade is the
-    // scope deletion; offers tuple-matched to a revoked permit are not
-    // tagged separately because the revoke is itself a consequence of the
-    // scope going away.
-    const superseded_offers = await deps.db.query(`WITH updated AS (
-			UPDATE permit_offer o
-			SET superseded_at = NOW()
-			WHERE o.scope_id = $1
-			  AND o.accepted_at IS NULL
-			  AND o.declined_at IS NULL
-			  AND o.retracted_at IS NULL
-			  AND o.superseded_at IS NULL
-			RETURNING o.*
-		)
-		SELECT u.*, grantor.account_id AS from_account_id
-		FROM updated u
-		JOIN actor grantor ON grantor.id = u.from_actor_id`, [scope_id]);
-    return { revoked, superseded_offers };
-};
-/**
- * Revoke every active permit an actor holds for a given role.
- *
- * With scoped permits a single actor+role tuple can hold several active
- * permits (one per scope), so this revokes all of them. Pass
- * `query_revoke_permit(permit_id, ...)` when a single scoped permit
- * is the target.
- *
- * Also supersedes pending offers for the actor's account across every
- * scope of this role (the actor can no longer hold the role, so any
- * pending offer of the same role is a bypass vector).
- *
- * @param deps - query dependencies
- * @param actor_id - the actor whose permits to revoke
- * @param role - the role to revoke
- * @param revoked_by - the actor who revoked it (for audit trail)
- * @param reason - optional free-form reason, stamped on `permit.revoked_reason`.
- * @returns the list of revoked permits (empty if none were active) and superseded pending offers
- * @mutates `permit` table - sets `revoked_at`/`revoked_by`/`revoked_reason` on every active row for `(actor, role)`
- * @mutates `permit_offer` table - stamps `superseded_at` on every matching pending offer
- */
-export const query_permit_revoke_role = async (deps, actor_id, role, revoked_by, reason) => {
-    // CTE pulls the revokee's `account_id` via a join on `actor` so callers
-    // can address the revokee without an extra round-trip.
-    const revoked = await deps.db.query(`WITH updated AS (
-			UPDATE permit
-			SET revoked_at = NOW(), revoked_by = $3, revoked_reason = $4
-			WHERE actor_id = $1 AND role = $2 AND revoked_at IS NULL
-			RETURNING id, role, scope_id, actor_id
-		)
-		SELECT u.id AS permit_id, u.role, u.scope_id, a.account_id
-		FROM updated u
-		JOIN actor a ON a.id = u.actor_id`, [actor_id, role, revoked_by ?? null, reason ?? null]);
-    if (revoked.length === 0) {
-        return { revoked: [], superseded_offers: [] };
-    }
-    const superseded_offers = await deps.db.query(`WITH updated AS (
-			UPDATE permit_offer o
-			SET superseded_at = NOW()
-			FROM actor a
-			WHERE a.id = $1
-			  AND o.to_account_id = a.account_id
-			  AND o.role = $2
-			  AND o.accepted_at IS NULL
-			  AND o.declined_at IS NULL
-			  AND o.retracted_at IS NULL
-			  AND o.superseded_at IS NULL
-			RETURNING o.*
-		)
-		SELECT u.*, grantor.account_id AS from_account_id
-		FROM updated u
-		JOIN actor grantor ON grantor.id = u.from_actor_id`, [actor_id, role]);
-    return { revoked, superseded_offers };
-};

package/dist/auth/require_keeper.d.ts

@@ -1,20 +0,0 @@
-/**
- * Keeper credential type guard.
- *
- * Two-part check:
- * 1. Credential type must be `daemon_token` (not session cookie, not API token).
- * 2. Account must hold active keeper permit.
- *
- * Both must pass. A session cookie from the bootstrap account still fails check #1.
- *
- * @module
- */
-import type { MiddlewareHandler } from 'hono';
-/**
- * Middleware that requires keeper credentials.
- *
- * Returns 401 if unauthenticated, 403 if credential type is not
- * `daemon_token` or if the keeper role is missing.
- */
-export declare const require_keeper: MiddlewareHandler;
-//# sourceMappingURL=require_keeper.d.ts.map

package/dist/auth/require_keeper.d.ts.map

@@ -1 +0,0 @@
-{"version":3,"file":"require_keeper.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/require_keeper.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,KAAK,EAAC,iBAAiB,EAAC,MAAM,MAAM,CAAC;AAW5C;;;;;GAKG;AACH,eAAO,MAAM,cAAc,EAAE,iBAmB5B,CAAC"}