@fuzdev/fuz_app 0.54.0 → 0.56.0

package/dist/auth/account_routes.d.ts

@@ -32,14 +32,11 @@ export type AccountStatusInput = z.infer<typeof AccountStatusInput>;
 /**
  * Output for `GET /api/account/status` on the authenticated path.
  *
- * `account` and `actor` are the caller's own identity entities (v1 is 1:1
- * account/actor, but `actor` is first-class so consumers don't have to
- * derive `actor_id` from the permit list). Permits are already
- * active-filtered by `build_request_context` via
- * `query_permit_find_active_for_actor` — `revoked_at` / `revoked_by` /
- * `revoked_reason` are never populated here, so `PermitSummaryJson`
- * carries the fields a client actually needs (including `scope_id` for
- * per-scope auth decisions).
+ * `account` is always populated for authenticated callers. `actor` and
+ * `role_grants` are populated when the caller's account has a unique actor or
+ * the request supplies `?acting=<actor_id>`; on multi-actor accounts
+ * without an `acting` query, `actor` is `null` and `role_grants` is empty so
+ * the frontend can show a persona picker without a separate roundtrip.
  */
 export declare const AccountStatusOutput: z.ZodObject<{
     account: z.ZodObject<{
@@ -49,13 +46,14 @@ export declare const AccountStatusOutput: z.ZodObject<{
         email_verified: z.ZodBoolean;
         created_at: z.ZodString;
     }, z.core.$strict>;
-    actor: z.ZodObject<{
+    actor: z.ZodNullable<z.ZodObject<{
         id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
         name: z.ZodString;
-    }, z.core.$strict>;
-    permits: z.ZodArray<z.ZodObject<{
+    }, z.core.$strict>>;
+    role_grants: z.ZodArray<z.ZodObject<{
         id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
         role: z.ZodString;
+        scope_kind: z.ZodNullable<z.ZodString>;
         scope_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
         created_at: z.ZodString;
         expires_at: z.ZodNullable<z.ZodString>;

package/dist/auth/account_routes.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"account_routes.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/account_routes.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAEtB,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,qBAAqB,CAAC;AAsBxD,OAAO,EAAkB,KAAK,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAEtE,OAAO,EAA+B,KAAK,WAAW,EAAC,MAAM,oBAAoB,CAAC;AAElF,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,WAAW,CAAC;AAQhD,kFAAkF;AAClF,eAAO,MAAM,kBAAkB,WAAW,CAAC;AAC3C,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAEpE;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,mBAAmB;;;;;;;;;;;;;;;;;;;;kBAI9B,CAAC;AACH,MAAM,MAAM,mBAAmB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAC;AAEtE,4EAA4E;AAC5E,eAAO,MAAM,iCAAiC;;;iBAG5C,CAAC;AACH,MAAM,MAAM,iCAAiC,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iCAAiC,CAAC,CAAC;AAElG;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,gCAAgC,GAAI,UAAU,oBAAoB,KAAG,SAmChF,CAAC;AAEH,iDAAiD;AACjD,MAAM,WAAW,oBAAoB;IACpC,yDAAyD;IACzD,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,8FAA8F;IAC9F,gBAAgB,CAAC,EAAE;QAAC,SAAS,EAAE,OAAO,CAAA;KAAC,CAAC;CACxC;AAED,4CAA4C;AAC5C,eAAO,MAAM,oBAAoB,IAAI,CAAC;AAEtC,8CAA8C;AAC9C,eAAO,MAAM,kBAAkB,KAAK,CAAC;AAErC;;;;;;;;;GASG;AACH,eAAO,MAAM,2BAA2B,MAAM,CAAC;AAE/C;;;;;;GAMG;AACH,eAAO,MAAM,4BAA4B,KAAK,CAAC;AAQ/C;;;;;GAKG;AACH,MAAM,WAAW,uBAAuB;IACvC,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,kFAAkF;IAClF,eAAe,EAAE,WAAW,GAAG,IAAI,CAAC;CACpC;AAED;;GAEG;AACH,MAAM,WAAW,mBAAoB,SAAQ,uBAAuB;IACnE,4FAA4F;IAC5F,0BAA0B,EAAE,WAAW,GAAG,IAAI,CAAC;IAC/C,2FAA2F;IAC3F,YAAY,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7B;;;;OAIG;IACH,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B;;;OAGG;IACH,oBAAoB,CAAC,EAAE,MAAM,CAAC;CAC9B;AAID,oFAAoF;AACpF,eAAO,MAAM,UAAU;;;kBAGrB,CAAC;AACH,MAAM,MAAM,UAAU,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,UAAU,CAAC,CAAC;AAEpD,wFAAwF;AACxF,eAAO,MAAM,WAAW;;kBAEtB,CAAC;AACH,MAAM,MAAM,WAAW,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,WAAW,CAAC,CAAC;AAEtD,2EAA2E;AAC3E,eAAO,MAAM,WAAW,WAAW,CAAC;AACpC,MAAM,MAAM,WAAW,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,WAAW,CAAC,CAAC;AAEtD,wFAAwF;AACxF,eAAO,MAAM,YAAY;;;kBAGvB,CAAC;AACH,MAAM,MAAM,YAAY,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,YAAY,CAAC,CAAC;AAExD,sHAAsH;AACtH,eAAO,MAAM,mBAAmB;;;kBAG9B,CAAC;AACH,MAAM,MAAM,mBAAmB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAC;AAEtE,uGAAuG;AACvG,eAAO,MAAM,oBAAoB;;;;kBAI/B,CAAC;AACH,MAAM,MAAM,oBAAoB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAC;AAExE;;;;;;;;;;GAUG;AACH,eAAO,MAAM,0BAA0B,GACtC,MAAM,gBAAgB,EACtB,SAAS,mBAAmB,KAC1B,KAAK,CAAC,SAAS,CAgPjB,CAAC"}
+{"version":3,"file":"account_routes.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/account_routes.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;GAsBG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAEtB,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,qBAAqB,CAAC;AA2BxD,OAAO,EAAkB,KAAK,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAEtE,OAAO,EAA+B,KAAK,WAAW,EAAC,MAAM,oBAAoB,CAAC;AAElF,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,WAAW,CAAC;AAQhD,kFAAkF;AAClF,eAAO,MAAM,kBAAkB,WAAW,CAAC;AAC3C,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAEpE;;;;;;;;GAQG;AACH,eAAO,MAAM,mBAAmB;;;;;;;;;;;;;;;;;;;;;kBAI9B,CAAC;AACH,MAAM,MAAM,mBAAmB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAC;AAEtE,4EAA4E;AAC5E,eAAO,MAAM,iCAAiC;;;iBAG5C,CAAC;AACH,MAAM,MAAM,iCAAiC,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iCAAiC,CAAC,CAAC;AAElG;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,gCAAgC,GAAI,UAAU,oBAAoB,KAAG,SAmFhF,CAAC;AAEH,iDAAiD;AACjD,MAAM,WAAW,oBAAoB;IACpC,yDAAyD;IACzD,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,8FAA8F;IAC9F,gBAAgB,CAAC,EAAE;QAAC,SAAS,EAAE,OAAO,CAAA;KAAC,CAAC;CACxC;AAED,4CAA4C;AAC5C,eAAO,MAAM,oBAAoB,IAAI,CAAC;AAEtC,8CAA8C;AAC9C,eAAO,MAAM,kBAAkB,KAAK,CAAC;AAErC;;;;;;;;;GASG;AACH,eAAO,MAAM,2BAA2B,MAAM,CAAC;AAE/C;;;;;;GAMG;AACH,eAAO,MAAM,4BAA4B,KAAK,CAAC;AAQ/C;;;;;GAKG;AACH,MAAM,WAAW,uBAAuB;IACvC,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,kFAAkF;IAClF,eAAe,EAAE,WAAW,GAAG,IAAI,CAAC;CACpC;AAED;;GAEG;AACH,MAAM,WAAW,mBAAoB,SAAQ,uBAAuB;IACnE,4FAA4F;IAC5F,0BAA0B,EAAE,WAAW,GAAG,IAAI,CAAC;IAC/C,2FAA2F;IAC3F,YAAY,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC7B;;;;OAIG;IACH,mBAAmB,CAAC,EAAE,MAAM,CAAC;IAC7B;;;OAGG;IACH,oBAAoB,CAAC,EAAE,MAAM,CAAC;CAC9B;AAID,oFAAoF;AACpF,eAAO,MAAM,UAAU;;;kBAGrB,CAAC;AACH,MAAM,MAAM,UAAU,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,UAAU,CAAC,CAAC;AAEpD,wFAAwF;AACxF,eAAO,MAAM,WAAW;;kBAEtB,CAAC;AACH,MAAM,MAAM,WAAW,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,WAAW,CAAC,CAAC;AAEtD,2EAA2E;AAC3E,eAAO,MAAM,WAAW,WAAW,CAAC;AACpC,MAAM,MAAM,WAAW,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,WAAW,CAAC,CAAC;AAEtD,wFAAwF;AACxF,eAAO,MAAM,YAAY;;;kBAGvB,CAAC;AACH,MAAM,MAAM,YAAY,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,YAAY,CAAC,CAAC;AAExD,sHAAsH;AACtH,eAAO,MAAM,mBAAmB;;;kBAG9B,CAAC;AACH,MAAM,MAAM,mBAAmB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAC;AAEtE,uGAAuG;AACvG,eAAO,MAAM,oBAAoB;;;;kBAI/B,CAAC;AACH,MAAM,MAAM,oBAAoB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAC;AAExE;;;;;;;;;;GAUG;AACH,eAAO,MAAM,0BAA0B,GACtC,MAAM,gBAAgB,EACtB,SAAS,mBAAmB,KAC1B,KAAK,CAAC,SAAS,CA0PjB,CAAC"}

package/dist/auth/account_routes.js

@@ -22,14 +22,14 @@
  * @module
  */
 import { z } from 'zod';
-import { clear_session_cookie } from './session_middleware.js';
-import { create_session_and_set_cookie } from './session_lifecycle.js';
-import { ActorSummaryJson, PermitSummaryJson, SessionAccountJson, to_session_account, UsernameProvided, } from './account_schema.js';
+import { clear_session_cookie, create_session_and_set_cookie } from './session_middleware.js';
+import { ActorSummaryJson, RoleGrantSummaryJson, SessionAccountJson, to_session_account, } from './account_schema.js';
+import { UsernameProvided } from '../primitive_schemas.js';
 import { hash_session_token, query_session_revoke_all_for_account, query_session_revoke_by_hash_unscoped, } from './session_queries.js';
 import { query_account_by_username_or_email, query_update_account_password, } from './account_queries.js';
 import { query_revoke_all_api_tokens_for_account } from './api_token_queries.js';
-import { audit_log_fire_and_forget } from './audit_log_queries.js';
-import { get_request_context, require_request_context } from './request_context.js';
+import { build_account_context, build_request_context, get_request_context, require_request_context, resolve_acting_actor, } from './request_context.js';
+import { ACCOUNT_ID_KEY } from '../hono_context.js';
 import { get_route_input } from '../http/route_spec.js';
 import { get_client_ip } from '../http/proxy.js';
 import { rate_limit_exceeded_response } from '../rate_limiter.js';
@@ -40,19 +40,16 @@ export const AccountStatusInput = z.null();
 /**
  * Output for `GET /api/account/status` on the authenticated path.
  *
- * `account` and `actor` are the caller's own identity entities (v1 is 1:1
- * account/actor, but `actor` is first-class so consumers don't have to
- * derive `actor_id` from the permit list). Permits are already
- * active-filtered by `build_request_context` via
- * `query_permit_find_active_for_actor` — `revoked_at` / `revoked_by` /
- * `revoked_reason` are never populated here, so `PermitSummaryJson`
- * carries the fields a client actually needs (including `scope_id` for
- * per-scope auth decisions).
+ * `account` is always populated for authenticated callers. `actor` and
+ * `role_grants` are populated when the caller's account has a unique actor or
+ * the request supplies `?acting=<actor_id>`; on multi-actor accounts
+ * without an `acting` query, `actor` is `null` and `role_grants` is empty so
+ * the frontend can show a persona picker without a separate roundtrip.
  */
 export const AccountStatusOutput = z.strictObject({
     account: SessionAccountJson,
-    actor: ActorSummaryJson,
-    permits: z.array(PermitSummaryJson),
+    actor: ActorSummaryJson.nullable(),
+    role_grants: z.array(RoleGrantSummaryJson),
 });
 /** Error body for `GET /api/account/status` on the unauthenticated path. */
 export const AccountStatusUnauthenticatedError = z.looseObject({
@@ -75,34 +72,79 @@ export const AccountStatusUnauthenticatedError = z.looseObject({
 export const create_account_status_route_spec = (options) => ({
     method: 'GET',
     path: options?.path ?? '/api/account/status',
-    auth: { type: 'none' },
+    auth: { account: 'none', actor: 'none' },
     description: 'Current account info (unauthenticated: 401 with bootstrap status)',
     input: AccountStatusInput,
     output: AccountStatusOutput,
     errors: {
         401: AccountStatusUnauthenticatedError,
     },
-    handler: (c) => {
-        const ctx = get_request_context(c);
-        if (ctx) {
-            const permits = ctx.permits.map((p) => ({
+    handler: async (c, route) => {
+        const account_id = c.get(ACCOUNT_ID_KEY) ?? null;
+        if (!account_id) {
+            return c.json({
+                error: ERROR_AUTHENTICATION_REQUIRED,
+                ...(options?.bootstrap_status?.available ? { bootstrap_available: true } : {}),
+            }, 401);
+        }
+        // Honor a pre-populated request context. The dispatcher's authorization
+        // phase doesn't run for `auth: 'none'` routes, but a caller (test
+        // harness, or future middleware) may still populate the context — use
+        // it directly to avoid redundant lookups.
+        const existing = get_request_context(c);
+        if (existing && existing.account.id === account_id) {
+            const role_grants = existing.role_grants.map((p) => ({
                 id: p.id,
                 role: p.role,
+                scope_kind: p.scope_kind,
                 scope_id: p.scope_id,
                 created_at: p.created_at,
                 expires_at: p.expires_at,
                 granted_by: p.granted_by,
             }));
             return c.json({
-                account: to_session_account(ctx.account),
-                actor: { id: ctx.actor.id, name: ctx.actor.name },
-                permits,
+                account: to_session_account(existing.account),
+                actor: existing.actor ? { id: existing.actor.id, name: existing.actor.name } : null,
+                role_grants,
             });
         }
+        // Resolve actor + role_grants when the caller is unambiguous (single-actor
+        // account, or supplied `?acting=<uuid>`). On multi-actor accounts
+        // without `acting`, fall back to account-only so the frontend can
+        // surface a persona picker.
+        const acting = c.req.query('acting') ?? undefined;
+        const acting_result = await resolve_acting_actor(route, account_id, acting);
+        if (acting_result.ok) {
+            const ctx = await build_request_context(route, account_id, acting_result.actor_id);
+            if (ctx) {
+                const role_grants = ctx.role_grants.map((p) => ({
+                    id: p.id,
+                    role: p.role,
+                    scope_kind: p.scope_kind,
+                    scope_id: p.scope_id,
+                    created_at: p.created_at,
+                    expires_at: p.expires_at,
+                    granted_by: p.granted_by,
+                }));
+                return c.json({
+                    account: to_session_account(ctx.account),
+                    actor: { id: ctx.actor.id, name: ctx.actor.name },
+                    role_grants,
+                });
+            }
+        }
+        const account_ctx = await build_account_context(route, account_id);
+        if (!account_ctx) {
+            return c.json({
+                error: ERROR_AUTHENTICATION_REQUIRED,
+                ...(options?.bootstrap_status?.available ? { bootstrap_available: true } : {}),
+            }, 401);
+        }
         return c.json({
-            error: ERROR_AUTHENTICATION_REQUIRED,
-            ...(options?.bootstrap_status?.available ? { bootstrap_available: true } : {}),
-        }, 401);
+            account: to_session_account(account_ctx.account),
+            actor: null,
+            role_grants: [],
+        });
     },
 });
 /** Default maximum sessions per account. */
@@ -180,7 +222,7 @@ export const create_account_route_specs = (deps, options) => {
         {
             method: 'GET',
             path: '/verify',
-            auth: { type: 'authenticated' },
+            auth: { account: 'required', actor: 'none' },
             description: 'Session-validity probe for nginx auth_request (empty body, 200 or 401)',
             input: z.null(),
             output: z.null(),
@@ -192,7 +234,7 @@ export const create_account_route_specs = (deps, options) => {
         {
             method: 'POST',
             path: '/login',
-            auth: { type: 'none' },
+            auth: { account: 'none', actor: 'none' },
             description: 'Exchange credentials for session',
             input: LoginInput,
             output: LoginOutput,
@@ -238,12 +280,12 @@ export const create_account_route_specs = (deps, options) => {
                         ip_rate_limiter.record(ip);
                     if (login_account_rate_limiter)
                         login_account_rate_limiter.record(account_rate_key);
-                    void audit_log_fire_and_forget(route, {
+                    deps.audit.emit(route, {
                         event_type: 'login',
                         outcome: 'failure',
                         ip: get_client_ip(c),
                         metadata: { username },
-                    }, deps);
+                    });
                     await delay;
                     return c.json({ error: ERROR_INVALID_CREDENTIALS }, 401);
                 }
@@ -253,13 +295,13 @@ export const create_account_route_specs = (deps, options) => {
                         ip_rate_limiter.record(ip);
                     if (login_account_rate_limiter)
                         login_account_rate_limiter.record(account_rate_key);
-                    void audit_log_fire_and_forget(route, {
+                    deps.audit.emit(route, {
                         event_type: 'login',
                         outcome: 'failure',
                         account_id: account.id,
                         ip: get_client_ip(c),
                         metadata: { username },
-                    }, deps);
+                    });
                     await delay;
                     return c.json({ error: ERROR_INVALID_CREDENTIALS }, 401);
                 }
@@ -276,18 +318,18 @@ export const create_account_route_specs = (deps, options) => {
                     session_options,
                     max_sessions,
                 });
-                void audit_log_fire_and_forget(route, {
+                deps.audit.emit(route, {
                     event_type: 'login',
                     account_id: account.id,
                     ip: get_client_ip(c),
-                }, deps);
+                });
                 return c.json({ ok: true });
             },
         },
         {
             method: 'POST',
             path: '/logout',
-            auth: { type: 'authenticated' },
+            auth: { account: 'required', actor: 'none' },
             description: 'Revoke current session and clear cookie',
             input: LogoutInput,
             output: LogoutOutput,
@@ -299,19 +341,21 @@ export const create_account_route_specs = (deps, options) => {
                     await query_session_revoke_by_hash_unscoped(route, token_hash);
                 }
                 clear_session_cookie(c, session_options);
-                void audit_log_fire_and_forget(route, {
+                // Account-grain operation — no `actor_id` (which actor was
+                // resolved per-request is incidental to "this account ended
+                // its session"). Mirrors `login`.
+                deps.audit.emit(route, {
                     event_type: 'logout',
-                    actor_id: ctx.actor.id,
                     account_id: ctx.account.id,
                     ip: get_client_ip(c),
-                }, deps);
+                });
                 return c.json({ ok: true, username: ctx.account.username });
             },
         },
         {
             method: 'POST',
             path: '/password',
-            auth: { type: 'authenticated' },
+            auth: { account: 'required', actor: 'none' },
             description: 'Change password (revokes all sessions and API tokens)',
             input: PasswordChangeInput,
             output: PasswordChangeOutput,
@@ -345,13 +389,12 @@ export const create_account_route_specs = (deps, options) => {
                         ip_rate_limiter.record(ip);
                     if (login_account_rate_limiter)
                         login_account_rate_limiter.record(ctx.account.id);
-                    void audit_log_fire_and_forget(route, {
+                    deps.audit.emit(route, {
                         event_type: 'password_change',
                         outcome: 'failure',
-                        actor_id: ctx.actor.id,
                         account_id: ctx.account.id,
                         ip: get_client_ip(c),
-                    }, deps);
+                    });
                     return c.json({ error: ERROR_INVALID_CREDENTIALS }, 401);
                 }
                 // successful verification — reset rate limiters
@@ -360,18 +403,47 @@ export const create_account_route_specs = (deps, options) => {
                 if (login_account_rate_limiter)
                     login_account_rate_limiter.reset(ctx.account.id);
                 const new_hash = await password.hash_password(new_password);
-                await query_update_account_password(route, ctx.account.id, new_hash, ctx.actor.id);
+                // Conditional UPDATE keyed on the verified hash: closes the
+                // verify-write race with a concurrent password change that
+                // already committed against the same starting hash. Account-grain
+                // operation — `updated_by` stays null (the per-request actor is
+                // incidental; password is account-level state).
+                const updated = await query_update_account_password(route, ctx.account.id, new_hash, null, ctx.account.password_hash);
+                if (!updated) {
+                    // A concurrent password change committed first — our
+                    // `current_password` was correct at read-time but the row's
+                    // `password_hash` no longer matches. Mirrors the wrong-password
+                    // 401 shape; tag the failure metadata so admins reading the
+                    // audit log can distinguish "user typoed" from "two clients
+                    // raced." Sessions/tokens were already revoked by the winner;
+                    // no cookie clear here either.
+                    if (ip_rate_limiter && ip)
+                        ip_rate_limiter.record(ip);
+                    if (login_account_rate_limiter)
+                        login_account_rate_limiter.record(ctx.account.id);
+                    deps.audit.emit(route, {
+                        event_type: 'password_change',
+                        outcome: 'failure',
+                        account_id: ctx.account.id,
+                        ip: get_client_ip(c),
+                        metadata: { reason: 'concurrent_change' },
+                    });
+                    return c.json({ error: ERROR_INVALID_CREDENTIALS }, 401);
+                }
                 // revoke all sessions and API tokens (force re-auth everywhere)
                 const sessions_revoked = await query_session_revoke_all_for_account(route, ctx.account.id);
                 const tokens_revoked = await query_revoke_all_api_tokens_for_account(route, ctx.account.id);
                 clear_session_cookie(c, session_options);
-                void audit_log_fire_and_forget(route, {
+                // Account-grain operation — no `actor_id`. The password is
+                // account-level state; which per-request actor was resolved
+                // has no semantic bearing on "this account changed its
+                // password". Mirrors `login`/`logout`.
+                deps.audit.emit(route, {
                     event_type: 'password_change',
-                    actor_id: ctx.actor.id,
                     account_id: ctx.account.id,
                     ip: get_client_ip(c),
                     metadata: { sessions_revoked, tokens_revoked },
-                }, deps);
+                });
                 return c.json({ ok: true, sessions_revoked, tokens_revoked });
             },
         },

package/dist/auth/account_schema.d.ts

@@ -2,7 +2,14 @@
  * Auth entity types and client-safe schemas.
  *
  * Defines the runtime types for the fuz identity system:
- * `Account`, `Actor`, `Permit`, `AuthSession`, and `ApiToken`.
+ * `Account`, `Actor`, `RoleGrant`, `AuthSession`, and `ApiToken`.
+ *
+ * Identifier primitives (`Username`, `UsernameProvided`, `Email`) live
+ * in `../primitive_schemas.ts` — they're general validator shapes that
+ * don't depend on the auth domain. The auth-shape request-contract
+ * primitive `ActingActor` lives in `../http/auth_shape.ts` next to
+ * `RouteAuth` (the two pair: `auth.actor !== 'none'` ⟺ input declares
+ * `acting?: ActingActor`).
  *
  * DDL lives in `auth/ddl.ts`; role system in `auth/role_schema.ts`.
  * See docs/identity.md for design rationale.
@@ -11,21 +18,7 @@
  */
 import { z } from 'zod';
 import { Uuid } from '@fuzdev/fuz_util/id.js';
-/** Minimum username length (must have start + middle + end characters). */
-export declare const USERNAME_LENGTH_MIN = 3;
-/** Maximum username length (matches GitHub's limit). */
-export declare const USERNAME_LENGTH_MAX = 39;
-/** Maximum length for username input on login/lookup — more permissive than `USERNAME_LENGTH_MAX` for forward-compatibility if the creation limit is raised. */
-export declare const USERNAME_PROVIDED_LENGTH_MAX = 255;
-/** Username for account creation — starts with letter, alphanumeric/dash/underscore middle, ends with alphanumeric. No @ or . allowed. */
-export declare const Username: z.ZodString;
-export type Username = z.infer<typeof Username>;
-/** Username submitted for login or lookup — minimal validation for forward-compatibility if format rules change. */
-export declare const UsernameProvided: z.ZodString;
-export type UsernameProvided = z.infer<typeof UsernameProvided>;
-/** Email validation. */
-export declare const Email: z.ZodEmail;
-export type Email = z.infer<typeof Email>;
+import { Username, Email } from '../primitive_schemas.js';
 /** Account — authentication identity. You log in as an account. */
 export interface Account {
     id: Uuid;
@@ -46,7 +39,7 @@ export interface SessionAccount {
     email_verified: boolean;
     created_at: string;
 }
-/** Actor — the entity that acts. Owns cells, holds permits, appears in audit trails. */
+/** Actor — the entity that acts. Owns cells, holds role_grants, appears in audit trails. */
 export interface Actor {
     id: Uuid;
     account_id: Uuid;
@@ -57,17 +50,25 @@ export interface Actor {
 }
 /**
  * Maximum length of the optional free-form `revoked_reason` attached to a
- * revoked permit. Bounds the value at the schema layer so both the admin
+ * revoked role_grant. Bounds the value at the schema layer so both the admin
  * input (when the route surfaces a reason field) and the revokee-facing
- * `permit_revoke` WS notification validate against the same ceiling.
+ * `role_grant_revoke` WS notification validate against the same ceiling.
  */
-export declare const PERMIT_REVOKED_REASON_LENGTH_MAX = 500;
-/** Permit — time-bounded, revocable grant of a role to an actor. */
-export interface Permit {
+export declare const ROLE_GRANT_REVOKED_REASON_LENGTH_MAX = 500;
+/** Role grant — time-bounded, revocable grant of a role to an actor. */
+export interface RoleGrant {
     id: Uuid;
     actor_id: Uuid;
     role: string;
-    /** Resource scope this grant applies to (e.g. a classroom id). `null` for global permits. */
+    /**
+     * Machine-readable kind tag for the polymorphic `scope_id`. Paired-null
+     * with `scope_id` per the `role_grant_scope_kind_paired` CHECK: both null
+     * (global) or both non-null (scoped). Consumer-declared via
+     * `create_scope_kind_schema(...)`; v1 keeps validation registry-membership
+     * only, with no INSERT-time `(role, scope_kind)` enforcement.
+     */
+    scope_kind: string | null;
+    /** Resource scope this grant applies to (e.g. a classroom id). `null` for global role_grants. */
     scope_id: Uuid | null;
     created_at: string;
     expires_at: string | null;
@@ -76,10 +77,10 @@ export interface Permit {
     /** Optional free-form reason attached on revoke (surfaced in the revokee WS notification once it lands). */
     revoked_reason: string | null;
     granted_by: Uuid | null;
-    /** Offer that produced this permit (set by `query_accept_offer`). `null` for direct grants. */
+    /** Offer that produced this role_grant (set by `query_accept_offer`). `null` for direct grants. */
     source_offer_id: Uuid | null;
 }
-export declare const is_permit_active: (p: {
+export declare const is_role_grant_active: (p: {
     revoked_at?: string | null;
     expires_at: string | null;
 }, now?: Date) => boolean;
@@ -131,16 +132,17 @@ export declare const ClientApiTokenJson: z.ZodObject<{
     created_at: z.ZodString;
 }, z.core.$strict>;
 export type ClientApiTokenJson = z.infer<typeof ClientApiTokenJson>;
-/** Zod schema for the permit summary returned in admin account listings. */
-export declare const PermitSummaryJson: z.ZodObject<{
+/** Zod schema for the role_grant summary returned in admin account listings. */
+export declare const RoleGrantSummaryJson: z.ZodObject<{
     id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
     role: z.ZodString;
+    scope_kind: z.ZodNullable<z.ZodString>;
     scope_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
     created_at: z.ZodString;
     expires_at: z.ZodNullable<z.ZodString>;
     granted_by: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
 }, z.core.$strict>;
-export type PermitSummaryJson = z.infer<typeof PermitSummaryJson>;
+export type RoleGrantSummaryJson = z.infer<typeof RoleGrantSummaryJson>;
 /** Zod schema for the actor summary returned in admin account listings. */
 export declare const ActorSummaryJson: z.ZodObject<{
     id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
@@ -159,9 +161,9 @@ export declare const AdminAccountJson: z.ZodObject<{
 }, z.core.$strict>;
 export type AdminAccountJson = z.infer<typeof AdminAccountJson>;
 /**
- * Zod schema for a pending permit offer surfaced in admin account listings.
+ * Zod schema for a pending role_grant offer surfaced in admin account listings.
  *
- * Deliberately narrower than `PermitOfferJson`: omits `message` and
+ * Deliberately narrower than `RoleGrantOfferJson`: omits `message` and
  * `decline_reason` so cross-admin visibility of the listing does not expose
  * grantor-authored text that the audit log also withholds. Full offer
  * payloads remain available through the offer-specific RPC surface and the
@@ -174,6 +176,7 @@ export type AdminAccountJson = z.infer<typeof AdminAccountJson>;
 export declare const PendingOfferSummaryJson: z.ZodObject<{
     id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
     role: z.ZodString;
+    scope_kind: z.ZodNullable<z.ZodString>;
     scope_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
     from_actor_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
     from_username: z.ZodString;
@@ -181,7 +184,7 @@ export declare const PendingOfferSummaryJson: z.ZodObject<{
     expires_at: z.ZodString;
 }, z.core.$strict>;
 export type PendingOfferSummaryJson = z.infer<typeof PendingOfferSummaryJson>;
-/** Zod schema for an admin account listing entry (account + actor + permits + pending offers). */
+/** Zod schema for an admin account listing entry (account + actor + role_grants + pending offers). */
 export declare const AdminAccountEntryJson: z.ZodObject<{
     account: z.ZodObject<{
         id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
@@ -196,9 +199,10 @@ export declare const AdminAccountEntryJson: z.ZodObject<{
         id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
         name: z.ZodString;
     }, z.core.$strict>>;
-    permits: z.ZodArray<z.ZodObject<{
+    role_grants: z.ZodArray<z.ZodObject<{
         id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
         role: z.ZodString;
+        scope_kind: z.ZodNullable<z.ZodString>;
         scope_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
         created_at: z.ZodString;
         expires_at: z.ZodNullable<z.ZodString>;
@@ -207,6 +211,7 @@ export declare const AdminAccountEntryJson: z.ZodObject<{
     pending_offers: z.ZodArray<z.ZodObject<{
         id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
         role: z.ZodString;
+        scope_kind: z.ZodNullable<z.ZodString>;
         scope_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
         from_actor_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
         from_username: z.ZodString;
@@ -220,14 +225,20 @@ export interface CreateAccountInput {
     password_hash: string;
     email?: Email | null;
 }
-export interface GrantPermitInput {
+export interface CreateRoleGrantInput {
     actor_id: Uuid;
     role: string;
-    /** Scope the grant applies to. `null` / omitted grants a global permit. */
+    /**
+     * Machine-readable kind for the `scope_id`. Required iff `scope_id` is
+     * set; must be null/omitted when `scope_id` is null. The DB-level
+     * `role_grant_scope_kind_paired` CHECK rejects mismatched pairs.
+     */
+    scope_kind?: string | null;
+    /** Scope the grant applies to. `null` / omitted grants a global role_grant. */
     scope_id?: Uuid | null;
     expires_at?: Date | null;
     granted_by: Uuid | null;
-    /** Offer id that produced this permit. Set by `query_accept_offer`; leave unset for direct grants. */
+    /** Offer id that produced this role_grant. Set by `query_accept_offer`; leave unset for direct grants. */
     source_offer_id?: Uuid | null;
 }
 /**

package/dist/auth/account_schema.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"account_schema.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/account_schema.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AACtB,OAAO,EAAC,IAAI,EAAC,MAAM,wBAAwB,CAAC;AAI5C,2EAA2E;AAC3E,eAAO,MAAM,mBAAmB,IAAI,CAAC;AAErC,wDAAwD;AACxD,eAAO,MAAM,mBAAmB,KAAK,CAAC;AAEtC,gKAAgK;AAChK,eAAO,MAAM,4BAA4B,MAAM,CAAC;AAEhD,0IAA0I;AAC1I,eAAO,MAAM,QAAQ,aAIyB,CAAC;AAC/C,MAAM,MAAM,QAAQ,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,QAAQ,CAAC,CAAC;AAEhD,oHAAoH;AACpH,eAAO,MAAM,gBAAgB,aAAsD,CAAC;AACpF,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC;AAEhE,wBAAwB;AACxB,eAAO,MAAM,KAAK,YAAY,CAAC;AAC/B,MAAM,MAAM,KAAK,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,KAAK,CAAC,CAAC;AAI1C,mEAAmE;AACnE,MAAM,WAAW,OAAO;IACvB,EAAE,EAAE,IAAI,CAAC;IACT,QAAQ,EAAE,QAAQ,CAAC;IACnB,KAAK,EAAE,KAAK,GAAG,IAAI,CAAC;IACpB,cAAc,EAAE,OAAO,CAAC;IACxB,aAAa,EAAE,MAAM,CAAC;IACtB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,IAAI,GAAG,IAAI,CAAC;IACxB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,IAAI,GAAG,IAAI,CAAC;CACxB;AAED,wFAAwF;AACxF,MAAM,WAAW,cAAc;IAC9B,EAAE,EAAE,IAAI,CAAC;IACT,QAAQ,EAAE,QAAQ,CAAC;IACnB,KAAK,EAAE,KAAK,GAAG,IAAI,CAAC;IACpB,cAAc,EAAE,OAAO,CAAC;IACxB,UAAU,EAAE,MAAM,CAAC;CACnB;AAED,wFAAwF;AACxF,MAAM,WAAW,KAAK;IACrB,EAAE,EAAE,IAAI,CAAC;IACT,UAAU,EAAE,IAAI,CAAC;IACjB,IAAI,EAAE,MAAM,CAAC;IACb,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,UAAU,EAAE,IAAI,GAAG,IAAI,CAAC;CACxB;AAED;;;;;GAKG;AACH,eAAO,MAAM,gCAAgC,MAAM,CAAC;AAEpD,oEAAoE;AACpE,MAAM,WAAW,MAAM;IACtB,EAAE,EAAE,IAAI,CAAC;IACT,QAAQ,EAAE,IAAI,CAAC;IACf,IAAI,EAAE,MAAM,CAAC;IACb,6FAA6F;IAC7F,QAAQ,EAAE,IAAI,GAAG,IAAI,CAAC;IACtB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,UAAU,EAAE,IAAI,GAAG,IAAI,CAAC;IACxB,4GAA4G;IAC5G,cAAc,EAAE,MAAM,GAAG,IAAI,CAAC;IAC9B,UAAU,EAAE,IAAI,GAAG,IAAI,CAAC;IACxB,+FAA+F;IAC/F,eAAe,EAAE,IAAI,GAAG,IAAI,CAAC;CAC7B;AAED,eAAO,MAAM,gBAAgB,GAC5B,GAAG;IAAC,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAAC,UAAU,EAAE,MAAM,GAAG,IAAI,CAAA;CAAC,EAC1D,MAAK,IAAiB,KACpB,OAA2E,CAAC;AAE/E,uEAAuE;AACvE,MAAM,WAAW,WAAW;IAC3B,EAAE,EAAE,MAAM,CAAC;IACX,UAAU,EAAE,IAAI,CAAC;IACjB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IACnB,YAAY,EAAE,MAAM,CAAC;CACrB;AAED,6CAA6C;AAC7C,MAAM,WAAW,QAAQ;IACxB,EAAE,EAAE,MAAM,CAAC;IACX,UAAU,EAAE,IAAI,CAAC;IACjB,IAAI,EAAE,MAAM,CAAC;IACb,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5B,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5B,UAAU,EAAE,MAAM,CAAC;CACnB;AAID,0EAA0E;AAC1E,eAAO,MAAM,kBAAkB;;;;;;kBAM7B,CAAC;AACH,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAEpE,6EAA6E;AAC7E,eAAO,MAAM,eAAe;;;;;;kBAM1B,CAAC;AACH,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,eAAe,CAAC,CAAC;AAE9D,4EAA4E;AAC5E,eAAO,MAAM,kBAAkB;;;;;;;;kBAQ7B,CAAC;AACH,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAEpE,4EAA4E;AAC5E,eAAO,MAAM,iBAAiB;;;;;;;kBAO5B,CAAC;AACH,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAC;AAElE,2EAA2E;AAC3E,eAAO,MAAM,gBAAgB;;;kBAG3B,CAAC;AACH,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC;AAEhE,iGAAiG;AACjG,eAAO,MAAM,gBAAgB;;;;;;;;kBAG3B,CAAC;AACH,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC;AAEhE;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,uBAAuB;;;;;;;;kBAQlC,CAAC;AACH,MAAM,MAAM,uBAAuB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,uBAAuB,CAAC,CAAC;AAE9E,kGAAkG;AAClG,eAAO,MAAM,qBAAqB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;kBAKhC,CAAC;AACH,MAAM,MAAM,qBAAqB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,qBAAqB,CAAC,CAAC;AAI1E,MAAM,WAAW,kBAAkB;IAClC,QAAQ,EAAE,QAAQ,CAAC;IACnB,aAAa,EAAE,MAAM,CAAC;IACtB,KAAK,CAAC,EAAE,KAAK,GAAG,IAAI,CAAC;CACrB;AAED,MAAM,WAAW,gBAAgB;IAChC,QAAQ,EAAE,IAAI,CAAC;IACf,IAAI,EAAE,MAAM,CAAC;IACb,2EAA2E;IAC3E,QAAQ,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;IACvB,UAAU,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;IACzB,UAAU,EAAE,IAAI,GAAG,IAAI,CAAC;IACxB,sGAAsG;IACtG,eAAe,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;CAC9B;AAED;;;;;GAKG;AACH,eAAO,MAAM,kBAAkB,GAAI,SAAS,OAAO,KAAG,cAMpD,CAAC;AAEH;;;;;GAKG;AACH,eAAO,MAAM,gBAAgB,GAAI,SAAS,OAAO,KAAG,gBAIlD,CAAC"}
+{"version":3,"file":"account_schema.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/account_schema.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AACtB,OAAO,EAAC,IAAI,EAAC,MAAM,wBAAwB,CAAC;AAE5C,OAAO,EAAC,QAAQ,EAAE,KAAK,EAAC,MAAM,yBAAyB,CAAC;AAIxD,mEAAmE;AACnE,MAAM,WAAW,OAAO;IACvB,EAAE,EAAE,IAAI,CAAC;IACT,QAAQ,EAAE,QAAQ,CAAC;IACnB,KAAK,EAAE,KAAK,GAAG,IAAI,CAAC;IACpB,cAAc,EAAE,OAAO,CAAC;IACxB,aAAa,EAAE,MAAM,CAAC;IACtB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,IAAI,GAAG,IAAI,CAAC;IACxB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,IAAI,GAAG,IAAI,CAAC;CACxB;AAED,wFAAwF;AACxF,MAAM,WAAW,cAAc;IAC9B,EAAE,EAAE,IAAI,CAAC;IACT,QAAQ,EAAE,QAAQ,CAAC;IACnB,KAAK,EAAE,KAAK,GAAG,IAAI,CAAC;IACpB,cAAc,EAAE,OAAO,CAAC;IACxB,UAAU,EAAE,MAAM,CAAC;CACnB;AAED,4FAA4F;AAC5F,MAAM,WAAW,KAAK;IACrB,EAAE,EAAE,IAAI,CAAC;IACT,UAAU,EAAE,IAAI,CAAC;IACjB,IAAI,EAAE,MAAM,CAAC;IACb,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,UAAU,EAAE,IAAI,GAAG,IAAI,CAAC;CACxB;AAED;;;;;GAKG;AACH,eAAO,MAAM,oCAAoC,MAAM,CAAC;AAExD,wEAAwE;AACxE,MAAM,WAAW,SAAS;IACzB,EAAE,EAAE,IAAI,CAAC;IACT,QAAQ,EAAE,IAAI,CAAC;IACf,IAAI,EAAE,MAAM,CAAC;IACb;;;;;;OAMG;IACH,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,iGAAiG;IACjG,QAAQ,EAAE,IAAI,GAAG,IAAI,CAAC;IACtB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,UAAU,EAAE,IAAI,GAAG,IAAI,CAAC;IACxB,4GAA4G;IAC5G,cAAc,EAAE,MAAM,GAAG,IAAI,CAAC;IAC9B,UAAU,EAAE,IAAI,GAAG,IAAI,CAAC;IACxB,mGAAmG;IACnG,eAAe,EAAE,IAAI,GAAG,IAAI,CAAC;CAC7B;AAED,eAAO,MAAM,oBAAoB,GAChC,GAAG;IAAC,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAAC,UAAU,EAAE,MAAM,GAAG,IAAI,CAAA;CAAC,EAC1D,MAAK,IAAiB,KACpB,OAA2E,CAAC;AAE/E,uEAAuE;AACvE,MAAM,WAAW,WAAW;IAC3B,EAAE,EAAE,MAAM,CAAC;IACX,UAAU,EAAE,IAAI,CAAC;IACjB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IACnB,YAAY,EAAE,MAAM,CAAC;CACrB;AAED,6CAA6C;AAC7C,MAAM,WAAW,QAAQ;IACxB,EAAE,EAAE,MAAM,CAAC;IACX,UAAU,EAAE,IAAI,CAAC;IACjB,IAAI,EAAE,MAAM,CAAC;IACb,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5B,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5B,UAAU,EAAE,MAAM,CAAC;CACnB;AAID,0EAA0E;AAC1E,eAAO,MAAM,kBAAkB;;;;;;kBAM7B,CAAC;AACH,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAEpE,6EAA6E;AAC7E,eAAO,MAAM,eAAe;;;;;;kBAM1B,CAAC;AACH,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,eAAe,CAAC,CAAC;AAE9D,4EAA4E;AAC5E,eAAO,MAAM,kBAAkB;;;;;;;;kBAQ7B,CAAC;AACH,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAEpE,gFAAgF;AAChF,eAAO,MAAM,oBAAoB;;;;;;;;kBAQ/B,CAAC;AACH,MAAM,MAAM,oBAAoB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAC;AAExE,2EAA2E;AAC3E,eAAO,MAAM,gBAAgB;;;kBAG3B,CAAC;AACH,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC;AAEhE,iGAAiG;AACjG,eAAO,MAAM,gBAAgB;;;;;;;;kBAG3B,CAAC;AACH,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC;AAEhE;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,uBAAuB;;;;;;;;;kBASlC,CAAC;AACH,MAAM,MAAM,uBAAuB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,uBAAuB,CAAC,CAAC;AAE9E,sGAAsG;AACtG,eAAO,MAAM,qBAAqB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;kBAKhC,CAAC;AACH,MAAM,MAAM,qBAAqB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,qBAAqB,CAAC,CAAC;AAI1E,MAAM,WAAW,kBAAkB;IAClC,QAAQ,EAAE,QAAQ,CAAC;IACnB,aAAa,EAAE,MAAM,CAAC;IACtB,KAAK,CAAC,EAAE,KAAK,GAAG,IAAI,CAAC;CACrB;AAED,MAAM,WAAW,oBAAoB;IACpC,QAAQ,EAAE,IAAI,CAAC;IACf,IAAI,EAAE,MAAM,CAAC;IACb;;;;OAIG;IACH,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,+EAA+E;IAC/E,QAAQ,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;IACvB,UAAU,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;IACzB,UAAU,EAAE,IAAI,GAAG,IAAI,CAAC;IACxB,0GAA0G;IAC1G,eAAe,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;CAC9B;AAED;;;;;GAKG;AACH,eAAO,MAAM,kBAAkB,GAAI,SAAS,OAAO,KAAG,cAMpD,CAAC;AAEH;;;;;GAKG;AACH,eAAO,MAAM,gBAAgB,GAAI,SAAS,OAAO,KAAG,gBAIlD,CAAC"}