@fuzdev/fuz_app 0.54.0 → 0.56.0

package/dist/auth/account_action_specs.d.ts

@@ -90,7 +90,10 @@ export declare const account_verify_action_spec: {
     method: string;
     kind: "request_response";
     initiator: "frontend";
-    auth: "authenticated";
+    auth: {
+        account: "required";
+        actor: "none";
+    };
     side_effects: false;
     input: z.ZodVoid;
     output: z.ZodObject<{
@@ -107,7 +110,10 @@ export declare const account_session_list_action_spec: {
     method: string;
     kind: "request_response";
     initiator: "frontend";
-    auth: "authenticated";
+    auth: {
+        account: "required";
+        actor: "none";
+    };
     side_effects: false;
     input: z.ZodVoid;
     output: z.ZodObject<{
@@ -126,7 +132,10 @@ export declare const account_session_revoke_action_spec: {
     method: string;
     kind: "request_response";
     initiator: "frontend";
-    auth: "authenticated";
+    auth: {
+        account: "required";
+        actor: "none";
+    };
     side_effects: true;
     input: z.ZodObject<{
         session_id: z.ZodString;
@@ -142,7 +151,10 @@ export declare const account_session_revoke_all_action_spec: {
     method: string;
     kind: "request_response";
     initiator: "frontend";
-    auth: "authenticated";
+    auth: {
+        account: "required";
+        actor: "none";
+    };
     side_effects: true;
     input: z.ZodVoid;
     output: z.ZodObject<{
@@ -156,7 +168,10 @@ export declare const account_token_create_action_spec: {
     method: string;
     kind: "request_response";
     initiator: "frontend";
-    auth: "authenticated";
+    auth: {
+        account: "required";
+        actor: "none";
+    };
     side_effects: true;
     input: z.ZodObject<{
         name: z.ZodDefault<z.ZodString>;
@@ -174,7 +189,10 @@ export declare const account_token_list_action_spec: {
     method: string;
     kind: "request_response";
     initiator: "frontend";
-    auth: "authenticated";
+    auth: {
+        account: "required";
+        actor: "none";
+    };
     side_effects: false;
     input: z.ZodVoid;
     output: z.ZodObject<{
@@ -195,7 +213,10 @@ export declare const account_token_revoke_action_spec: {
     method: string;
     kind: "request_response";
     initiator: "frontend";
-    auth: "authenticated";
+    auth: {
+        account: "required";
+        actor: "none";
+    };
     side_effects: true;
     input: z.ZodObject<{
         token_id: z.ZodString;

package/dist/auth/account_action_specs.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"account_action_specs.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/account_action_specs.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAGtB,OAAO,KAAK,EAAC,yBAAyB,EAAC,MAAM,2BAA2B,CAAC;AAMzE,6EAA6E;AAC7E,eAAO,MAAM,WAAW,WAAW,CAAC;AACpC,MAAM,MAAM,WAAW,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,WAAW,CAAC,CAAC;AAEtD,uDAAuD;AACvD,eAAO,MAAM,gBAAgB,WAAW,CAAC;AACzC,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC;AAEhE,yCAAyC;AACzC,eAAO,MAAM,iBAAiB;;;;;;;;kBAE5B,CAAC;AACH,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAC;AAElE,2EAA2E;AAC3E,eAAO,MAAM,kBAAkB;;kBAE7B,CAAC;AACH,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAEpE,iFAAiF;AACjF,eAAO,MAAM,mBAAmB;;;kBAG9B,CAAC;AACH,MAAM,MAAM,mBAAmB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAC;AAEtE,6DAA6D;AAC7D,eAAO,MAAM,qBAAqB,WAAW,CAAC;AAC9C,MAAM,MAAM,qBAAqB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,qBAAqB,CAAC,CAAC;AAE1E,+CAA+C;AAC/C,eAAO,MAAM,sBAAsB;;;kBAGjC,CAAC;AACH,MAAM,MAAM,sBAAsB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAC;AAE5E,wCAAwC;AACxC,eAAO,MAAM,gBAAgB;;kBAK3B,CAAC;AACH,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC;AAEhE,2EAA2E;AAC3E,eAAO,MAAM,iBAAiB;;;;;kBAK5B,CAAC;AACH,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAC;AAElE,qDAAqD;AACrD,eAAO,MAAM,cAAc,WAAW,CAAC;AACvC,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,cAAc,CAAC,CAAC;AAE5D,4DAA4D;AAC5D,eAAO,MAAM,eAAe;;;;;;;;;;kBAE1B,CAAC;AACH,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,eAAe,CAAC,CAAC;AAE9D,wCAAwC;AACxC,eAAO,MAAM,gBAAgB;;kBAE3B,CAAC;AACH,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC;AAEhE,+EAA+E;AAC/E,eAAO,MAAM,iBAAiB;;;kBAG5B,CAAC;AACH,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAC;AAIlE,eAAO,MAAM,0BAA0B;;;;;;;;;;;;;;;;CAUF,CAAC;AAEtC,eAAO,MAAM,gCAAgC;;;;;;;;;;;;;;;;;;CAUR,CAAC;AAEtC,eAAO,MAAM,kCAAkC;;;;;;;;;;;;;;;CAUV,CAAC;AAEtC,eAAO,MAAM,sCAAsC;;;;;;;;;;;;;CAUd,CAAC;AAEtC,eAAO,MAAM,gCAAgC;;;;;;;;;;;;;;;;;CAUR,CAAC;AAEtC,eAAO,MAAM,8BAA8B;;;;;;;;;;;;;;;;;;;;CAUN,CAAC;AAEtC,eAAO,MAAM,gCAAgC;;;;;;;;;;;;;;;CAUR,CAAC;AAEtC;;;;GAIG;AACH,eAAO,MAAM,wBAAwB,EAAE,KAAK,CAAC,yBAAyB,CAQrE,CAAC"}
+{"version":3,"file":"account_action_specs.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/account_action_specs.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAGtB,OAAO,KAAK,EAAC,yBAAyB,EAAC,MAAM,2BAA2B,CAAC;AAMzE,6EAA6E;AAC7E,eAAO,MAAM,WAAW,WAAW,CAAC;AACpC,MAAM,MAAM,WAAW,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,WAAW,CAAC,CAAC;AAEtD,uDAAuD;AACvD,eAAO,MAAM,gBAAgB,WAAW,CAAC;AACzC,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC;AAEhE,yCAAyC;AACzC,eAAO,MAAM,iBAAiB;;;;;;;;kBAE5B,CAAC;AACH,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAC;AAElE,2EAA2E;AAC3E,eAAO,MAAM,kBAAkB;;kBAE7B,CAAC;AACH,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAEpE,iFAAiF;AACjF,eAAO,MAAM,mBAAmB;;;kBAG9B,CAAC;AACH,MAAM,MAAM,mBAAmB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAC;AAEtE,6DAA6D;AAC7D,eAAO,MAAM,qBAAqB,WAAW,CAAC;AAC9C,MAAM,MAAM,qBAAqB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,qBAAqB,CAAC,CAAC;AAE1E,+CAA+C;AAC/C,eAAO,MAAM,sBAAsB;;;kBAGjC,CAAC;AACH,MAAM,MAAM,sBAAsB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAC;AAE5E,wCAAwC;AACxC,eAAO,MAAM,gBAAgB;;kBAK3B,CAAC;AACH,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC;AAEhE,2EAA2E;AAC3E,eAAO,MAAM,iBAAiB;;;;;kBAK5B,CAAC;AACH,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAC;AAElE,qDAAqD;AACrD,eAAO,MAAM,cAAc,WAAW,CAAC;AACvC,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,cAAc,CAAC,CAAC;AAE5D,4DAA4D;AAC5D,eAAO,MAAM,eAAe;;;;;;;;;;kBAE1B,CAAC;AACH,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,eAAe,CAAC,CAAC;AAE9D,wCAAwC;AACxC,eAAO,MAAM,gBAAgB;;kBAE3B,CAAC;AACH,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC;AAEhE,+EAA+E;AAC/E,eAAO,MAAM,iBAAiB;;;kBAG5B,CAAC;AACH,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAC;AAIlE,eAAO,MAAM,0BAA0B;;;;;;;;;;;;;;;;;;;CAUF,CAAC;AAEtC,eAAO,MAAM,gCAAgC;;;;;;;;;;;;;;;;;;;;;CAUR,CAAC;AAEtC,eAAO,MAAM,kCAAkC;;;;;;;;;;;;;;;;;;CAUV,CAAC;AAEtC,eAAO,MAAM,sCAAsC;;;;;;;;;;;;;;;;CAUd,CAAC;AAEtC,eAAO,MAAM,gCAAgC;;;;;;;;;;;;;;;;;;;;CAUR,CAAC;AAEtC,eAAO,MAAM,8BAA8B;;;;;;;;;;;;;;;;;;;;;;;CAUN,CAAC;AAEtC,eAAO,MAAM,gCAAgC;;;;;;;;;;;;;;;;;;CAUR,CAAC;AAEtC;;;;GAIG;AACH,eAAO,MAAM,wBAAwB,EAAE,KAAK,CAAC,yBAAyB,CAQrE,CAAC"}

package/dist/auth/account_action_specs.js

@@ -70,7 +70,7 @@ export const account_verify_action_spec = {
     method: 'account_verify',
     kind: 'request_response',
     initiator: 'frontend',
-    auth: 'authenticated',
+    auth: { account: 'required', actor: 'none' },
     side_effects: false,
     input: VerifyInput,
     output: SessionAccountJson,
@@ -81,7 +81,7 @@ export const account_session_list_action_spec = {
     method: 'account_session_list',
     kind: 'request_response',
     initiator: 'frontend',
-    auth: 'authenticated',
+    auth: { account: 'required', actor: 'none' },
     side_effects: false,
     input: SessionListInput,
     output: SessionListOutput,
@@ -92,7 +92,7 @@ export const account_session_revoke_action_spec = {
     method: 'account_session_revoke',
     kind: 'request_response',
     initiator: 'frontend',
-    auth: 'authenticated',
+    auth: { account: 'required', actor: 'none' },
     side_effects: true,
     input: SessionRevokeInput,
     output: SessionRevokeOutput,
@@ -103,7 +103,7 @@ export const account_session_revoke_all_action_spec = {
     method: 'account_session_revoke_all',
     kind: 'request_response',
     initiator: 'frontend',
-    auth: 'authenticated',
+    auth: { account: 'required', actor: 'none' },
     side_effects: true,
     input: SessionRevokeAllInput,
     output: SessionRevokeAllOutput,
@@ -114,7 +114,7 @@ export const account_token_create_action_spec = {
     method: 'account_token_create',
     kind: 'request_response',
     initiator: 'frontend',
-    auth: 'authenticated',
+    auth: { account: 'required', actor: 'none' },
     side_effects: true,
     input: TokenCreateInput,
     output: TokenCreateOutput,
@@ -125,7 +125,7 @@ export const account_token_list_action_spec = {
     method: 'account_token_list',
     kind: 'request_response',
     initiator: 'frontend',
-    auth: 'authenticated',
+    auth: { account: 'required', actor: 'none' },
     side_effects: false,
     input: TokenListInput,
     output: TokenListOutput,
@@ -136,7 +136,7 @@ export const account_token_revoke_action_spec = {
     method: 'account_token_revoke',
     kind: 'request_response',
     initiator: 'frontend',
-    auth: 'authenticated',
+    auth: { account: 'required', actor: 'none' },
     side_effects: true,
     input: TokenRevokeInput,
     output: TokenRevokeOutput,

package/dist/auth/account_actions.d.ts

@@ -10,8 +10,9 @@
  *   `account_token_revoke`.
  *
  * The action specs themselves live in `auth/account_action_specs.ts`. Every spec
- * declares `auth: 'authenticated'` so the dispatcher enforces auth before the
- * handler runs. Revoke operations are account-scoped (via
+ * declares `auth: {account: 'required', actor: 'none'}` so the dispatcher
+ * enforces account-grain auth before the handler runs. Revoke operations are
+ * account-scoped (via
  * `query_session_revoke_for_account` / `query_revoke_api_token_for_account`)
  * so passing another account's session or token id returns `revoked: false`
  * rather than revealing whether the id exists.
@@ -33,21 +34,14 @@ export interface AccountActionOptions {
      */
     max_tokens?: number | null;
 }
-/**
- * Dependencies for `create_account_actions`.
- *
- * Shares shape with `AdminActionDeps` / `PermitOfferActionDeps` so consumers
- * can pass the same deps to every action factory. `audit_log_config` is
- * carried through `AppDeps` and consumed by `audit_log_fire_and_forget`;
- * absent → defaults to `BUILTIN_AUDIT_LOG_CONFIG`.
- */
-export type AccountActionDeps = Pick<RouteFactoryDeps, 'log' | 'on_audit_event' | 'audit_log_config'>;
 /**
  * Create the self-service account RPC actions.
  *
- * @param deps - `AccountActionDeps` slice of `AppDeps` (`log`, `on_audit_event`, optional `audit_log_config`)
+ * @param deps - `RouteFactoryDeps` (`log`, `audit`, …). `audit.emit` writes
+ *   audit rows via the captured pool; the bound emitter encapsulates
+ *   `on_audit_event` fan-out and the optional `AuditLogConfig`.
  * @param options - per-factory configuration
  * @returns the `RpcAction` array to spread into a `create_rpc_endpoint` call
  */
-export declare const create_account_actions: (deps: AccountActionDeps, options?: AccountActionOptions) => Array<RpcAction>;
+export declare const create_account_actions: (deps: Pick<RouteFactoryDeps, "log" | "audit">, options?: AccountActionOptions) => Array<RpcAction>;
 //# sourceMappingURL=account_actions.d.ts.map

package/dist/auth/account_actions.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"account_actions.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/account_actions.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AAEH,OAAO,EAAiC,KAAK,SAAS,EAAC,MAAM,0BAA0B,CAAC;AAgBxF,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,WAAW,CAAC;AAwBhD,4CAA4C;AAC5C,MAAM,WAAW,oBAAoB;IACpC;;;;;OAKG;IACH,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CAC3B;AAED;;;;;;;GAOG;AACH,MAAM,MAAM,iBAAiB,GAAG,IAAI,CACnC,gBAAgB,EAChB,KAAK,GAAG,gBAAgB,GAAG,kBAAkB,CAC7C,CAAC;AAEF;;;;;;GAMG;AACH,eAAO,MAAM,sBAAsB,GAClC,MAAM,iBAAiB,EACvB,UAAS,oBAAyB,KAChC,KAAK,CAAC,SAAS,CAyHjB,CAAC"}
+{"version":3,"file":"account_actions.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/account_actions.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AAEH,OAAO,EAAqC,KAAK,SAAS,EAAC,MAAM,0BAA0B,CAAC;AAe5F,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,WAAW,CAAC;AAwBhD,4CAA4C;AAC5C,MAAM,WAAW,oBAAoB;IACpC;;;;;OAKG;IACH,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CAC3B;AAED;;;;;;;;GAQG;AACH,eAAO,MAAM,sBAAsB,GAClC,MAAM,IAAI,CAAC,gBAAgB,EAAE,KAAK,GAAG,OAAO,CAAC,EAC7C,UAAS,oBAAyB,KAChC,KAAK,CAAC,SAAS,CAsGjB,CAAC"}

package/dist/auth/account_actions.js

@@ -10,8 +10,9 @@
  *   `account_token_revoke`.
  *
  * The action specs themselves live in `auth/account_action_specs.ts`. Every spec
- * declares `auth: 'authenticated'` so the dispatcher enforces auth before the
- * handler runs. Revoke operations are account-scoped (via
+ * declares `auth: {account: 'required', actor: 'none'}` so the dispatcher
+ * enforces account-grain auth before the handler runs. Revoke operations are
+ * account-scoped (via
  * `query_session_revoke_for_account` / `query_revoke_api_token_for_account`)
  * so passing another account's session or token id returns `revoked: false`
  * rather than revealing whether the id exists.
@@ -26,84 +27,74 @@ import { to_session_account } from './account_schema.js';
 import { query_session_list_for_account, query_session_revoke_for_account, query_session_revoke_all_for_account, } from './session_queries.js';
 import { query_api_token_enforce_limit, query_api_token_list_for_account, query_create_api_token, query_revoke_api_token_for_account, } from './api_token_queries.js';
 import { generate_api_token } from './api_token.js';
-import { audit_log_fire_and_forget } from './audit_log_queries.js';
 import { DEFAULT_MAX_TOKENS } from './account_routes.js';
 import { account_verify_action_spec, account_session_list_action_spec, account_session_revoke_action_spec, account_session_revoke_all_action_spec, account_token_create_action_spec, account_token_list_action_spec, account_token_revoke_action_spec, } from './account_action_specs.js';
 /**
  * Create the self-service account RPC actions.
  *
- * @param deps - `AccountActionDeps` slice of `AppDeps` (`log`, `on_audit_event`, optional `audit_log_config`)
+ * @param deps - `RouteFactoryDeps` (`log`, `audit`, …). `audit.emit` writes
+ *   audit rows via the captured pool; the bound emitter encapsulates
+ *   `on_audit_event` fan-out and the optional `AuditLogConfig`.
  * @param options - per-factory configuration
  * @returns the `RpcAction` array to spread into a `create_rpc_endpoint` call
  */
 export const create_account_actions = (deps, options = {}) => {
     const { max_tokens = DEFAULT_MAX_TOKENS } = options;
     const verify_handler = (_input, ctx) => {
-        const auth = ctx.auth;
-        return to_session_account(auth.account);
+        return to_session_account(ctx.auth.account);
     };
     const session_list_handler = async (_input, ctx) => {
-        const auth = ctx.auth;
-        const sessions = await query_session_list_for_account(ctx, auth.account.id);
+        const sessions = await query_session_list_for_account(ctx, ctx.auth.account.id);
         return { sessions };
     };
     const session_revoke_handler = async (input, ctx) => {
-        const auth = ctx.auth;
-        const revoked = await query_session_revoke_for_account(ctx, input.session_id, auth.account.id);
-        void audit_log_fire_and_forget(ctx, {
+        const revoked = await query_session_revoke_for_account(ctx, input.session_id, ctx.auth.account.id);
+        deps.audit.emit(ctx, {
             event_type: 'session_revoke',
             outcome: revoked ? 'success' : 'failure',
-            actor_id: auth.actor.id,
-            account_id: auth.account.id,
+            account_id: ctx.auth.account.id,
             ip: ctx.client_ip,
             metadata: { session_id: input.session_id },
-        }, deps);
+        });
         return { ok: true, revoked };
     };
     const session_revoke_all_handler = async (_input, ctx) => {
-        const auth = ctx.auth;
-        const count = await query_session_revoke_all_for_account(ctx, auth.account.id);
-        void audit_log_fire_and_forget(ctx, {
+        const count = await query_session_revoke_all_for_account(ctx, ctx.auth.account.id);
+        deps.audit.emit(ctx, {
             event_type: 'session_revoke_all',
-            actor_id: auth.actor.id,
-            account_id: auth.account.id,
+            account_id: ctx.auth.account.id,
             ip: ctx.client_ip,
             metadata: { count },
-        }, deps);
+        });
         return { ok: true, count };
     };
     const token_create_handler = async (input, ctx) => {
-        const auth = ctx.auth;
         const { token, id, token_hash } = generate_api_token();
-        await query_create_api_token(ctx, id, auth.account.id, input.name, token_hash);
+        await query_create_api_token(ctx, id, ctx.auth.account.id, input.name, token_hash);
         if (max_tokens != null) {
-            await query_api_token_enforce_limit(ctx, auth.account.id, max_tokens);
+            await query_api_token_enforce_limit(ctx, ctx.auth.account.id, max_tokens);
         }
-        void audit_log_fire_and_forget(ctx, {
+        deps.audit.emit(ctx, {
             event_type: 'token_create',
-            actor_id: auth.actor.id,
-            account_id: auth.account.id,
+            account_id: ctx.auth.account.id,
             ip: ctx.client_ip,
             metadata: { token_id: id, name: input.name },
-        }, deps);
+        });
         return { ok: true, token, id, name: input.name };
     };
     const token_list_handler = async (_input, ctx) => {
-        const auth = ctx.auth;
-        const tokens = await query_api_token_list_for_account(ctx, auth.account.id);
+        const tokens = await query_api_token_list_for_account(ctx, ctx.auth.account.id);
         return { tokens };
     };
     const token_revoke_handler = async (input, ctx) => {
-        const auth = ctx.auth;
-        const revoked = await query_revoke_api_token_for_account(ctx, input.token_id, auth.account.id);
-        void audit_log_fire_and_forget(ctx, {
+        const revoked = await query_revoke_api_token_for_account(ctx, input.token_id, ctx.auth.account.id);
+        deps.audit.emit(ctx, {
             event_type: 'token_revoke',
             outcome: revoked ? 'success' : 'failure',
-            actor_id: auth.actor.id,
-            account_id: auth.account.id,
+            account_id: ctx.auth.account.id,
             ip: ctx.client_ip,
             metadata: { token_id: input.token_id },
-        }, deps);
+        });
         return { ok: true, revoked };
     };
     return [

package/dist/auth/account_queries.d.ts

@@ -42,15 +42,30 @@ export declare const query_account_by_email: (deps: QueryDeps, email: string) =>
  */
 export declare const query_account_by_username_or_email: (deps: QueryDeps, input: string) => Promise<Account | undefined>;
 /**
- * Update the password hash for an account.
+ * Update the password hash for an account, conditional on the current
+ * stored hash matching `expected_hash` — the verify-write atomic guard.
  *
- * @mutates `account` row - updates `password_hash`, `updated_at`, and `updated_by`
+ * The condition closes the race where two concurrent password changes both
+ * verify against the pre-update hash (loaded by the authorization phase
+ * outside the route's transaction) and would otherwise both UPDATE,
+ * silently clobbering whichever lands first. With the conditional WHERE,
+ * the second UPDATE matches zero rows; the route reads the boolean
+ * return and surfaces 401 instead of pretending success.
+ *
+ * Pass the same hash the verify ran against — typically
+ * `ctx.account.password_hash` from the request context.
+ *
+ * @returns `true` if the row was updated, `false` if `expected_hash` no
+ *   longer matched (concurrent change won — caller should treat as a
+ *   stale-credential failure).
+ * @mutates `account` row - updates `password_hash`, `updated_at`, and
+ *   `updated_by` only when the stored hash equals `expected_hash`
  */
-export declare const query_update_account_password: (deps: QueryDeps, id: string, password_hash: string, updated_by: string | null) => Promise<void>;
+export declare const query_update_account_password: (deps: QueryDeps, id: string, password_hash: string, updated_by: string | null, expected_hash: string) => Promise<boolean>;
 /**
- * Delete an account. Cascades to actors, permits, sessions, and tokens.
+ * Delete an account. Cascades to actors, role_grants, sessions, and tokens.
  *
- * @mutates `account` table and downstream FK rows - DELETE cascades through actors/permits/sessions/tokens
+ * @mutates `account` table and downstream FK rows - DELETE cascades through actors/role_grants/sessions/tokens
  */
 export declare const query_delete_account: (deps: QueryDeps, id: string) => Promise<boolean>;
 /**
@@ -68,11 +83,14 @@ export declare const query_account_has_any: (deps: QueryDeps) => Promise<boolean
  */
 export declare const query_create_actor: (deps: QueryDeps, account_id: string, name: string) => Promise<Actor>;
 /**
- * Find the actor for an account.
+ * List every actor on an account, ordered by `created_at`.
  *
- * For v1, each account has exactly one actor.
+ * Used by `resolve_acting_actor` to resolve the acting actor for a
+ * request: 1 actor picks transparently, multiple require an explicit
+ * `acting` field on the request payload. For lookups by id, use
+ * `query_actor_by_id` instead.
  */
-export declare const query_actor_by_account: (deps: QueryDeps, account_id: string) => Promise<Actor | undefined>;
+export declare const query_actors_by_account: (deps: QueryDeps, account_id: string) => Promise<Array<Actor>>;
 /**
  * Find an actor by id.
  */
@@ -91,17 +109,35 @@ export declare const query_create_account_with_actor: (deps: QueryDeps, input: C
     account: Account;
     actor: Actor;
 }>;
+/** Options for `query_admin_account_list`. */
+export interface AdminAccountListOptions {
+    /**
+     * Max accounts to return. Defaults to `ADMIN_ACCOUNT_LIST_DEFAULT_LIMIT`
+     * when omitted; pass `null` explicitly to disable the limit (unbounded
+     * fetch — for trusted internal callers / scripts; the RPC schema bounds
+     * wire callers to `[1, ADMIN_ACCOUNT_LIST_LIMIT_MAX]`).
+     */
+    limit?: number | null;
+    /** Pagination offset. Defaults to 0. */
+    offset?: number | null;
+}
 /**
- * List all accounts with their actors, active permits, and pending inbound
- * permit offers for admin display.
+ * List accounts with their actors, active role_grants, and pending inbound
+ * role_grant offers for admin display.
  *
- * Uses 4 flat queries instead of N+1 per-account loops. Pending offers surface
- * the "offer pending — awaiting acceptance" UX without a second round-trip;
- * `message` is intentionally excluded (cross-admin visibility of grantor notes
- * would expand beyond what the audit log discloses).
+ * Pages the accounts query (one round-trip), then fans out three parallel
+ * lookups scoped to the page's `account_ids` (one round-trip). The role_grants
+ * and offers queries use a subquery on `actor.account_id` so the page bound
+ * pushes through to the DB without round-tripping `actor.id`s back to the
+ * application. Pending offers surface the "offer pending — awaiting
+ * acceptance" UX; `message` is intentionally excluded (cross-admin
+ * visibility of grantor notes would expand beyond what the audit log
+ * discloses).
  *
  * @param deps - query dependencies
- * @returns admin account entries sorted by creation date
+ * @param options - optional `{limit, offset}`. Default limit is
+ *   `ADMIN_ACCOUNT_LIST_DEFAULT_LIMIT`; pass `limit: null` to disable.
+ * @returns admin account entries sorted by creation date (oldest first)
  */
-export declare const query_admin_account_list: (deps: QueryDeps) => Promise<Array<AdminAccountEntryJson>>;
+export declare const query_admin_account_list: (deps: QueryDeps, options?: AdminAccountListOptions) => Promise<Array<AdminAccountEntryJson>>;
 //# sourceMappingURL=account_queries.d.ts.map

package/dist/auth/account_queries.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"account_queries.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/account_queries.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAIH,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,qBAAqB,CAAC;AAEnD,OAAO,EAEN,KAAK,OAAO,EACZ,KAAK,KAAK,EACV,KAAK,kBAAkB,EACvB,KAAK,qBAAqB,EAC1B,MAAM,qBAAqB,CAAC;AAE7B;;;;;;;GAOG;AACH,eAAO,MAAM,oBAAoB,GAChC,MAAM,SAAS,EACf,OAAO,kBAAkB,KACvB,OAAO,CAAC,OAAO,CAQjB,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,mBAAmB,GAC/B,MAAM,SAAS,EACf,IAAI,MAAM,KACR,OAAO,CAAC,OAAO,GAAG,SAAS,CAE7B,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,yBAAyB,GACrC,MAAM,SAAS,EACf,UAAU,MAAM,KACd,OAAO,CAAC,OAAO,GAAG,SAAS,CAI7B,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,sBAAsB,GAClC,MAAM,SAAS,EACf,OAAO,MAAM,KACX,OAAO,CAAC,OAAO,GAAG,SAAS,CAI7B,CAAC;AAEF;;;;;;;;;;GAUG;AACH,eAAO,MAAM,kCAAkC,GAC9C,MAAM,SAAS,EACf,OAAO,MAAM,KACX,OAAO,CAAC,OAAO,GAAG,SAAS,CAS7B,CAAC;AAEF;;;;GAIG;AACH,eAAO,MAAM,6BAA6B,GACzC,MAAM,SAAS,EACf,IAAI,MAAM,EACV,eAAe,MAAM,EACrB,YAAY,MAAM,GAAG,IAAI,KACvB,OAAO,CAAC,IAAI,CAKd,CAAC;AAEF;;;;GAIG;AACH,eAAO,MAAM,oBAAoB,GAAU,MAAM,SAAS,EAAE,IAAI,MAAM,KAAG,OAAO,CAAC,OAAO,CAKvF,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,qBAAqB,GAAU,MAAM,SAAS,KAAG,OAAO,CAAC,OAAO,CAK5E,CAAC;AAEF;;;;;;;;GAQG;AACH,eAAO,MAAM,kBAAkB,GAC9B,MAAM,SAAS,EACf,YAAY,MAAM,EAClB,MAAM,MAAM,KACV,OAAO,CAAC,KAAK,CAMf,CAAC;AAEF;;;;GAIG;AACH,eAAO,MAAM,sBAAsB,GAClC,MAAM,SAAS,EACf,YAAY,MAAM,KAChB,OAAO,CAAC,KAAK,GAAG,SAAS,CAE3B,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,iBAAiB,GAC7B,MAAM,SAAS,EACf,IAAI,MAAM,KACR,OAAO,CAAC,KAAK,GAAG,SAAS,CAE3B,CAAC;AAEF;;;;;;;;;GASG;AACH,eAAO,MAAM,+BAA+B,GAC3C,MAAM,SAAS,EACf,OAAO,kBAAkB,KACvB,OAAO,CAAC;IAAC,OAAO,EAAE,OAAO,CAAC;IAAC,KAAK,EAAE,KAAK,CAAA;CAAC,CAI1C,CAAC;AAyBF;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,wBAAwB,GACpC,MAAM,SAAS,KACb,OAAO,CAAC,KAAK,CAAC,qBAAqB,CAAC,CA+EtC,CAAC"}
+{"version":3,"file":"account_queries.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/account_queries.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAIH,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,qBAAqB,CAAC;AAEnD,OAAO,EAEN,KAAK,OAAO,EACZ,KAAK,KAAK,EACV,KAAK,kBAAkB,EACvB,KAAK,qBAAqB,EAC1B,MAAM,qBAAqB,CAAC;AAG7B;;;;;;;GAOG;AACH,eAAO,MAAM,oBAAoB,GAChC,MAAM,SAAS,EACf,OAAO,kBAAkB,KACvB,OAAO,CAAC,OAAO,CAQjB,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,mBAAmB,GAC/B,MAAM,SAAS,EACf,IAAI,MAAM,KACR,OAAO,CAAC,OAAO,GAAG,SAAS,CAE7B,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,yBAAyB,GACrC,MAAM,SAAS,EACf,UAAU,MAAM,KACd,OAAO,CAAC,OAAO,GAAG,SAAS,CAI7B,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,sBAAsB,GAClC,MAAM,SAAS,EACf,OAAO,MAAM,KACX,OAAO,CAAC,OAAO,GAAG,SAAS,CAI7B,CAAC;AAEF;;;;;;;;;;GAUG;AACH,eAAO,MAAM,kCAAkC,GAC9C,MAAM,SAAS,EACf,OAAO,MAAM,KACX,OAAO,CAAC,OAAO,GAAG,SAAS,CAS7B,CAAC;AAEF;;;;;;;;;;;;;;;;;;;GAmBG;AACH,eAAO,MAAM,6BAA6B,GACzC,MAAM,SAAS,EACf,IAAI,MAAM,EACV,eAAe,MAAM,EACrB,YAAY,MAAM,GAAG,IAAI,EACzB,eAAe,MAAM,KACnB,OAAO,CAAC,OAAO,CAQjB,CAAC;AAEF;;;;GAIG;AACH,eAAO,MAAM,oBAAoB,GAAU,MAAM,SAAS,EAAE,IAAI,MAAM,KAAG,OAAO,CAAC,OAAO,CAKvF,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,qBAAqB,GAAU,MAAM,SAAS,KAAG,OAAO,CAAC,OAAO,CAK5E,CAAC;AAEF;;;;;;;;GAQG;AACH,eAAO,MAAM,kBAAkB,GAC9B,MAAM,SAAS,EACf,YAAY,MAAM,EAClB,MAAM,MAAM,KACV,OAAO,CAAC,KAAK,CAMf,CAAC;AAEF;;;;;;;GAOG;AACH,eAAO,MAAM,uBAAuB,GACnC,MAAM,SAAS,EACf,YAAY,MAAM,KAChB,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,CAKtB,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,iBAAiB,GAC7B,MAAM,SAAS,EACf,IAAI,MAAM,KACR,OAAO,CAAC,KAAK,GAAG,SAAS,CAE3B,CAAC;AAEF;;;;;;;;;GASG;AACH,eAAO,MAAM,+BAA+B,GAC3C,MAAM,SAAS,EACf,OAAO,kBAAkB,KACvB,OAAO,CAAC;IAAC,OAAO,EAAE,OAAO,CAAC;IAAC,KAAK,EAAE,KAAK,CAAA;CAAC,CAI1C,CAAC;AA2BF,8CAA8C;AAC9C,MAAM,WAAW,uBAAuB;IACvC;;;;;OAKG;IACH,KAAK,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACtB,wCAAwC;IACxC,MAAM,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CACvB;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,eAAO,MAAM,wBAAwB,GACpC,MAAM,SAAS,EACf,UAAU,uBAAuB,KAC/B,OAAO,CAAC,KAAK,CAAC,qBAAqB,CAAC,CAyGtC,CAAC"}

package/dist/auth/account_queries.js

@@ -8,6 +8,7 @@
  */
 import { assert_row } from '../db/assert_row.js';
 import { to_admin_account, } from './account_schema.js';
+import { ADMIN_ACCOUNT_LIST_DEFAULT_LIMIT } from './admin_action_specs.js';
 /**
  * Create a new account.
  *
@@ -62,17 +63,35 @@ export const query_account_by_username_or_email = async (deps, input) => {
     return ((await query_account_by_username(deps, input)) ?? (await query_account_by_email(deps, input)));
 };
 /**
- * Update the password hash for an account.
+ * Update the password hash for an account, conditional on the current
+ * stored hash matching `expected_hash` — the verify-write atomic guard.
  *
- * @mutates `account` row - updates `password_hash`, `updated_at`, and `updated_by`
+ * The condition closes the race where two concurrent password changes both
+ * verify against the pre-update hash (loaded by the authorization phase
+ * outside the route's transaction) and would otherwise both UPDATE,
+ * silently clobbering whichever lands first. With the conditional WHERE,
+ * the second UPDATE matches zero rows; the route reads the boolean
+ * return and surfaces 401 instead of pretending success.
+ *
+ * Pass the same hash the verify ran against — typically
+ * `ctx.account.password_hash` from the request context.
+ *
+ * @returns `true` if the row was updated, `false` if `expected_hash` no
+ *   longer matched (concurrent change won — caller should treat as a
+ *   stale-credential failure).
+ * @mutates `account` row - updates `password_hash`, `updated_at`, and
+ *   `updated_by` only when the stored hash equals `expected_hash`
  */
-export const query_update_account_password = async (deps, id, password_hash, updated_by) => {
-    await deps.db.query(`UPDATE account SET password_hash = $1, updated_at = NOW(), updated_by = $2 WHERE id = $3`, [password_hash, updated_by ?? null, id]);
+export const query_update_account_password = async (deps, id, password_hash, updated_by, expected_hash) => {
+    const rows = await deps.db.query(`UPDATE account SET password_hash = $1, updated_at = NOW(), updated_by = $2
+		 WHERE id = $3 AND password_hash = $4
+		 RETURNING id`, [password_hash, updated_by ?? null, id, expected_hash]);
+    return rows.length > 0;
 };
 /**
- * Delete an account. Cascades to actors, permits, sessions, and tokens.
+ * Delete an account. Cascades to actors, role_grants, sessions, and tokens.
  *
- * @mutates `account` table and downstream FK rows - DELETE cascades through actors/permits/sessions/tokens
+ * @mutates `account` table and downstream FK rows - DELETE cascades through actors/role_grants/sessions/tokens
  */
 export const query_delete_account = async (deps, id) => {
     const rows = await deps.db.query(`DELETE FROM account WHERE id = $1 RETURNING id`, [
@@ -101,12 +120,15 @@ export const query_create_actor = async (deps, account_id, name) => {
     return assert_row(row, 'INSERT INTO actor');
 };
 /**
- * Find the actor for an account.
+ * List every actor on an account, ordered by `created_at`.
  *
- * For v1, each account has exactly one actor.
+ * Used by `resolve_acting_actor` to resolve the acting actor for a
+ * request: 1 actor picks transparently, multiple require an explicit
+ * `acting` field on the request payload. For lookups by id, use
+ * `query_actor_by_id` instead.
  */
-export const query_actor_by_account = async (deps, account_id) => {
-    return deps.db.query_one(`SELECT * FROM actor WHERE account_id = $1`, [account_id]);
+export const query_actors_by_account = async (deps, account_id) => {
+    return deps.db.query(`SELECT * FROM actor WHERE account_id = $1 ORDER BY created_at ASC, id ASC`, [account_id]);
 };
 /**
  * Find an actor by id.
@@ -130,51 +152,76 @@ export const query_create_account_with_actor = async (deps, input) => {
     return { account, actor };
 };
 /**
- * List all accounts with their actors, active permits, and pending inbound
- * permit offers for admin display.
+ * List accounts with their actors, active role_grants, and pending inbound
+ * role_grant offers for admin display.
  *
- * Uses 4 flat queries instead of N+1 per-account loops. Pending offers surface
- * the "offer pending — awaiting acceptance" UX without a second round-trip;
- * `message` is intentionally excluded (cross-admin visibility of grantor notes
- * would expand beyond what the audit log discloses).
+ * Pages the accounts query (one round-trip), then fans out three parallel
+ * lookups scoped to the page's `account_ids` (one round-trip). The role_grants
+ * and offers queries use a subquery on `actor.account_id` so the page bound
+ * pushes through to the DB without round-tripping `actor.id`s back to the
+ * application. Pending offers surface the "offer pending — awaiting
+ * acceptance" UX; `message` is intentionally excluded (cross-admin
+ * visibility of grantor notes would expand beyond what the audit log
+ * discloses).
  *
  * @param deps - query dependencies
- * @returns admin account entries sorted by creation date
+ * @param options - optional `{limit, offset}`. Default limit is
+ *   `ADMIN_ACCOUNT_LIST_DEFAULT_LIMIT`; pass `limit: null` to disable.
+ * @returns admin account entries sorted by creation date (oldest first)
  */
-export const query_admin_account_list = async (deps) => {
-    const [accounts, actors, permits, pending_offers] = await Promise.all([
-        deps.db.query(`SELECT * FROM account ORDER BY created_at`),
-        deps.db.query(`SELECT * FROM actor`),
-        deps.db.query(`SELECT id, actor_id, role, scope_id, created_at, expires_at, granted_by
-			 FROM permit
-			 WHERE revoked_at IS NULL
-			   AND (expires_at IS NULL OR expires_at > NOW())`),
-        deps.db.query(`SELECT po.id, po.to_account_id, po.from_actor_id, po.role, po.scope_id,
+export const query_admin_account_list = async (deps, options) => {
+    const limit = options?.limit === null ? null : (options?.limit ?? ADMIN_ACCOUNT_LIST_DEFAULT_LIMIT);
+    const offset = options?.offset ?? 0;
+    const account_query = limit == null
+        ? deps.db.query(`SELECT * FROM account ORDER BY created_at OFFSET $1`, [offset])
+        : deps.db.query(`SELECT * FROM account ORDER BY created_at LIMIT $1 OFFSET $2`, [
+            limit,
+            offset,
+        ]);
+    const accounts = await account_query;
+    if (accounts.length === 0)
+        return [];
+    const account_ids = accounts.map((a) => a.id);
+    const [actors, role_grants, pending_offers] = await Promise.all([
+        deps.db.query(`SELECT * FROM actor WHERE account_id = ANY($1::uuid[])`, [account_ids]),
+        deps.db.query(`SELECT id, actor_id, role, scope_kind, scope_id, created_at, expires_at, granted_by
+			 FROM role_grant
+			 WHERE actor_id IN (SELECT id FROM actor WHERE account_id = ANY($1::uuid[]))
+			   AND revoked_at IS NULL
+			   AND (expires_at IS NULL OR expires_at > NOW())`, [account_ids]),
+        deps.db.query(`SELECT po.id, po.to_account_id, po.from_actor_id, po.role, po.scope_kind, po.scope_id,
 			        po.created_at, po.expires_at, a.username AS from_username
-			 FROM permit_offer po
+			 FROM role_grant_offer po
 			 JOIN actor act ON act.id = po.from_actor_id
 			 JOIN account a ON a.id = act.account_id
-			 WHERE po.accepted_at IS NULL
+			 WHERE po.to_account_id = ANY($1::uuid[])
+			   AND po.accepted_at IS NULL
 			   AND po.declined_at IS NULL
 			   AND po.retracted_at IS NULL
 			   AND po.superseded_at IS NULL
 			   AND po.expires_at > NOW()
-			 ORDER BY po.expires_at ASC`),
+			 ORDER BY po.expires_at ASC`, [account_ids]),
     ]);
-    // Index actors by account_id (1:1 in v1)
+    // Index actors by account_id. Multi-actor TODO: this Map keyed by
+    // account_id silently overwrites earlier actors when an account
+    // hosts more than one — when multi-actor lands, the admin row shape
+    // must change from "account → one actor" to "account → Array<Actor>"
+    // (or split into a separate per-actor row). The JSON shape change
+    // will ripple into the admin UI; bundle that with the multi-actor
+    // session-actor-selector work.
     const actor_by_account = new Map();
     for (const actor of actors) {
         actor_by_account.set(actor.account_id, actor);
     }
-    // Group permits by actor_id
-    const permits_by_actor = new Map();
-    for (const permit of permits) {
-        let list = permits_by_actor.get(permit.actor_id);
+    // Group role_grants by actor_id
+    const role_grants_by_actor = new Map();
+    for (const role_grant of role_grants) {
+        let list = role_grants_by_actor.get(role_grant.actor_id);
         if (!list) {
             list = [];
-            permits_by_actor.set(permit.actor_id, list);
+            role_grants_by_actor.set(role_grant.actor_id, list);
         }
-        list.push(permit);
+        list.push(role_grant);
     }
     // Group pending offers by recipient account_id
     const offers_by_account = new Map();
@@ -188,14 +235,15 @@ export const query_admin_account_list = async (deps) => {
     }
     return accounts.map((account) => {
         const actor = actor_by_account.get(account.id);
-        const actor_permits = actor ? (permits_by_actor.get(actor.id) ?? []) : [];
+        const actor_role_grants = actor ? (role_grants_by_actor.get(actor.id) ?? []) : [];
         const account_offers = offers_by_account.get(account.id) ?? [];
         return {
             account: to_admin_account(account),
             actor: actor ? { id: actor.id, name: actor.name } : null,
-            permits: actor_permits.map((p) => ({
+            role_grants: actor_role_grants.map((p) => ({
                 id: p.id,
                 role: p.role,
+                scope_kind: p.scope_kind,
                 scope_id: p.scope_id,
                 created_at: p.created_at,
                 expires_at: p.expires_at,
@@ -204,6 +252,7 @@ export const query_admin_account_list = async (deps) => {
             pending_offers: account_offers.map((o) => ({
                 id: o.id,
                 role: o.role,
+                scope_kind: o.scope_kind,
                 scope_id: o.scope_id,
                 from_actor_id: o.from_actor_id,
                 from_username: o.from_username,