@fuzdev/fuz_app 0.55.0 → 0.56.0

package/dist/testing/attack_surface.js

@@ -23,7 +23,7 @@ import { assert_surface_matches_snapshot, assert_surface_deterministic, assert_o
 import { merge_error_schemas } from '../http/schema_helpers.js';
 import { collect_middleware_errors } from '../http/surface.js';
 import { filter_protected_routes, filter_role_routes, filter_keeper_routes, } from '../http/surface_query.js';
-import { ERROR_AUTHENTICATION_REQUIRED, ERROR_INSUFFICIENT_PERMISSIONS, ERROR_KEEPER_REQUIRES_DAEMON_TOKEN, } from '../http/error_schemas.js';
+import { ERROR_AUTHENTICATION_REQUIRED, ERROR_INSUFFICIENT_PERMISSIONS, ERROR_CREDENTIAL_TYPE_REQUIRED, } from '../http/error_schemas.js';
 // --- Adversarial test runner ---
 /**
  * Build a lookup from `"METHOD /path"` to merged error schemas (auto-derived + middleware + explicit).
@@ -79,12 +79,17 @@ export const describe_adversarial_auth = (options) => {
                 });
             }
         });
-        if (role_routes.length > 0) {
+        // Role-only routes (no credential gate). Keeper routes have a credential
+        // gate that fires before the role gate, so they get tested separately
+        // in the keeper block below.
+        const role_only_routes = role_routes.filter((r) => !(r.auth.credential_types?.length ?? 0));
+        if (role_only_routes.length > 0) {
             describe('wrong role → 403', () => {
-                for (const route of role_routes) {
-                    const wrong_roles = roles.filter((r) => r !== route.auth.role);
+                for (const route of role_only_routes) {
+                    const required_roles = route.auth.roles ?? [];
+                    const wrong_roles = roles.filter((r) => !required_roles.includes(r));
                     for (const wrong_role of wrong_roles) {
-                        test(`${route.method} ${route.path} (${wrong_role} instead of ${route.auth.role})`, async () => {
+                        test(`${route.method} ${route.path} (${wrong_role} instead of ${required_roles.join('|')})`, async () => {
                             const app = apps.by_role.get(wrong_role);
                             if (!app)
                                 throw new Error(`No test app for role '${wrong_role}'`);
@@ -94,14 +99,14 @@ export const describe_adversarial_auth = (options) => {
                             assert.strictEqual(res.status, 403, `${route.method} ${route.path}`);
                             const body = await res.json();
                             assert.strictEqual(body.error, ERROR_INSUFFICIENT_PERMISSIONS);
-                            assert.strictEqual(body.required_role, route.auth.role);
+                            assert.deepStrictEqual(body.required_roles, required_roles);
                             assert_error_schema_valid(error_schema_lookup, route, 403, body);
                         });
                     }
                 }
             });
             describe('authenticated without role → 403', () => {
-                for (const route of role_routes) {
+                for (const route of role_only_routes) {
                     test(`${route.method} ${route.path}`, async () => {
                         const res = await apps.authed.request(resolve_test_path(route.path), {
                             method: route.method,
@@ -109,7 +114,7 @@ export const describe_adversarial_auth = (options) => {
                         assert.strictEqual(res.status, 403, `${route.method} ${route.path}`);
                         const body = await res.json();
                         assert.strictEqual(body.error, ERROR_INSUFFICIENT_PERMISSIONS);
-                        assert.strictEqual(body.required_role, route.auth.role);
+                        assert.deepStrictEqual(body.required_roles, route.auth.roles ?? []);
                         assert_error_schema_valid(error_schema_lookup, route, 403, body);
                     });
                 }
@@ -126,7 +131,8 @@ export const describe_adversarial_auth = (options) => {
                         });
                         assert.strictEqual(res.status, 403, `${route.method} ${route.path}`);
                         const body = await res.json();
-                        assert.strictEqual(body.error, ERROR_KEEPER_REQUIRES_DAEMON_TOKEN);
+                        assert.strictEqual(body.error, ERROR_CREDENTIAL_TYPE_REQUIRED);
+                        assert.deepStrictEqual(body.required_credential_types, route.auth.credential_types ?? []);
                         assert_error_schema_valid(error_schema_lookup, route, 403, body);
                     });
                 }

package/dist/testing/audit_completeness.d.ts

@@ -15,7 +15,7 @@ export interface AuditCompletenessTestOptions {
     create_route_specs: (ctx: AppServerContext) => Array<RouteSpec>;
     /**
      * RPC endpoint specs — the source `RpcAction` arrays. Required; the
-     * admin permit flow is RPC-only and the suite hard-fails without it.
+     * admin role_grant flow is RPC-only and the suite hard-fails without it.
      *
      * Accepts either an array (eager) or a factory
      * `(ctx: AppServerContext) => Array<RpcEndpointSpec>` — the factory form
@@ -39,7 +39,7 @@ export interface AuditCompletenessTestOptions {
  * database, then queries the `audit_log` table to verify events.
  *
  * @throws Error at setup time when `options.rpc_endpoints` is empty — the
- *   mutation-audit tests drive permit flow, session/token revoke-all, and
+ *   mutation-audit tests drive role_grant flow, session/token revoke-all, and
  *   invite create/delete through their RPC action specs. Hard-fails via
  *   `require_rpc_endpoint_path`.
  */

package/dist/testing/audit_completeness.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"audit_completeness.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/audit_completeness.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAkB7B,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,2BAA2B,CAAC;AAC9D,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,yBAAyB,CAAC;AAC9D,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAIrD,OAAO,EAGN,KAAK,eAAe,EAEpB,MAAM,iBAAiB,CAAC;AACzB,OAAO,EAIN,KAAK,SAAS,EACd,MAAM,SAAS,CAAC;AAKjB,OAAO,EAIN,KAAK,uBAAuB,EAC5B,MAAM,kBAAkB,CAAC;AAqB1B;;GAEG;AACH,MAAM,WAAW,4BAA4B;IAC5C,4CAA4C;IAC5C,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,wDAAwD;IACxD,kBAAkB,EAAE,CAAC,GAAG,EAAE,gBAAgB,KAAK,KAAK,CAAC,SAAS,CAAC,CAAC;IAChE;;;;;;;;;;;OAWG;IACH,aAAa,EAAE,uBAAuB,CAAC;IACvC,iDAAiD;IACjD,WAAW,CAAC,EAAE,eAAe,CAAC;IAC9B,qEAAqE;IACrE,YAAY,CAAC,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;CAChC;AAoDD;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,iCAAiC,GAAI,SAAS,4BAA4B,KAAG,IA8fzF,CAAC"}
+{"version":3,"file":"audit_completeness.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/audit_completeness.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAkB7B,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,2BAA2B,CAAC;AAC9D,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,yBAAyB,CAAC;AAC9D,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAIrD,OAAO,EAGN,KAAK,eAAe,EAEpB,MAAM,iBAAiB,CAAC;AACzB,OAAO,EAIN,KAAK,SAAS,EACd,MAAM,SAAS,CAAC;AAKjB,OAAO,EAIN,KAAK,uBAAuB,EAC5B,MAAM,kBAAkB,CAAC;AAqB1B;;GAEG;AACH,MAAM,WAAW,4BAA4B;IAC5C,4CAA4C;IAC5C,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,wDAAwD;IACxD,kBAAkB,EAAE,CAAC,GAAG,EAAE,gBAAgB,KAAK,KAAK,CAAC,SAAS,CAAC,CAAC;IAChE;;;;;;;;;;;OAWG;IACH,aAAa,EAAE,uBAAuB,CAAC;IACvC,iDAAiD;IACjD,WAAW,CAAC,EAAE,eAAe,CAAC;IAC9B,qEAAqE;IACrE,YAAY,CAAC,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;CAChC;AAoDD;;;;;;;;;;;GAWG;AACH,eAAO,MAAM,iCAAiC,GAAI,SAAS,4BAA4B,KAAG,IAkgBzF,CAAC"}

package/dist/testing/audit_completeness.js

@@ -20,9 +20,9 @@ import { create_test_app, } from './app_server.js';
 import { create_pglite_factory, create_describe_db, AUTH_INTEGRATION_TRUNCATE_TABLES, } from './db.js';
 import { find_auth_route } from './integration_helpers.js';
 import { run_migrations } from '../db/migrate.js';
-import { query_accept_offer } from '../auth/permit_offer_queries.js';
+import { query_accept_offer } from '../auth/role_grant_offer_queries.js';
 import { rpc_call_for_spec, require_rpc_endpoint_path, resolve_rpc_endpoints_for_setup, } from './rpc_helpers.js';
-import { permit_offer_create_action_spec, permit_revoke_action_spec, } from '../auth/permit_offer_action_specs.js';
+import { role_grant_offer_create_action_spec, role_grant_revoke_action_spec, } from '../auth/role_grant_offer_action_specs.js';
 import { admin_session_revoke_all_action_spec, admin_token_revoke_all_action_spec, app_settings_update_action_spec, invite_create_action_spec, invite_delete_action_spec, } from '../auth/admin_action_specs.js';
 import { account_session_list_action_spec, account_session_revoke_action_spec, account_session_revoke_all_action_spec, account_token_create_action_spec, account_token_list_action_spec, account_token_revoke_action_spec, } from '../auth/account_action_specs.js';
 /** Query audit log events from the database. */
@@ -63,7 +63,7 @@ const json_session_headers = (test_app, extra) => test_app.create_session_header
  * database, then queries the `audit_log` table to verify events.
  *
  * @throws Error at setup time when `options.rpc_endpoints` is empty — the
- *   mutation-audit tests drive permit flow, session/token revoke-all, and
+ *   mutation-audit tests drive role_grant flow, session/token revoke-all, and
  *   invite create/delete through their RPC action specs. Hard-fails via
  *   `require_rpc_endpoint_path`.
  */
@@ -231,23 +231,23 @@ export const describe_audit_completeness_tests = (options) => {
         });
         // --- Admin routes ---
         describe('admin mutation audit events', () => {
-            test('admin offer (RPC) + accept produces permit_offer_create and permit_grant events', async () => {
+            test('admin offer (RPC) + accept produces role_grant_offer_create and role_grant_create events', async () => {
                 const test_app = await create_test_app(build_options(options, get_db()));
                 const target = await test_app.create_account({ username: 'audit_target' });
                 const offer_res = await rpc_call_for_spec({
                     app: test_app.app,
                     path: rpc_path,
-                    spec: permit_offer_create_action_spec,
+                    spec: role_grant_offer_create_action_spec,
                     params: { to_account_id: target.account.id, role: ROLE_ADMIN },
                     headers: test_app.create_session_headers(),
                 });
-                assert.ok(offer_res.ok, `permit_offer_create failed: ${offer_res.ok ? '' : JSON.stringify(offer_res.error)}`);
+                assert.ok(offer_res.ok, `role_grant_offer_create failed: ${offer_res.ok ? '' : JSON.stringify(offer_res.error)}`);
                 const { offer } = offer_res.result;
-                // Admin offer emits `permit_offer_create` only — the permit doesn't
-                // exist yet. Drive the accept to confirm `permit_grant` fires on the
+                // Admin offer emits `role_grant_offer_create` only — the role_grant doesn't
+                // exist yet. Drive the accept to confirm `role_grant_create` fires on the
                 // downstream consent transition.
                 const events_after_offer = await query_audit_events(test_app.backend.deps.db);
-                assert_has_event(events_after_offer, 'permit_offer_create', 'permit_offer_create RPC');
+                assert_has_event(events_after_offer, 'role_grant_offer_create', 'role_grant_offer_create RPC');
                 await get_db().transaction(async (tx) => {
                     await query_accept_offer({ db: tx }, {
                         offer_id: offer.id,
@@ -257,20 +257,20 @@ export const describe_audit_completeness_tests = (options) => {
                     });
                 });
                 const events_after_accept = await query_audit_events(test_app.backend.deps.db);
-                assert_has_event(events_after_accept, 'permit_grant', 'offer accept');
+                assert_has_event(events_after_accept, 'role_grant_create', 'offer accept');
             });
-            test('permit revoke (RPC) produces permit_revoke event with both target columns', async () => {
+            test('role_grant revoke (RPC) produces role_grant_revoke event with both target columns', async () => {
                 const test_app = await create_test_app(build_options(options, get_db()));
                 const target = await test_app.create_account({ username: 'audit_revoke_target' });
-                // Offer + accept to materialize a permit we can revoke.
+                // Offer + accept to materialize a role_grant we can revoke.
                 const offer_res = await rpc_call_for_spec({
                     app: test_app.app,
                     path: rpc_path,
-                    spec: permit_offer_create_action_spec,
+                    spec: role_grant_offer_create_action_spec,
                     params: { to_account_id: target.account.id, role: ROLE_ADMIN },
                     headers: test_app.create_session_headers(),
                 });
-                assert.ok(offer_res.ok, `permit_offer_create failed: ${offer_res.ok ? '' : JSON.stringify(offer_res.error)}`);
+                assert.ok(offer_res.ok, `role_grant_offer_create failed: ${offer_res.ok ? '' : JSON.stringify(offer_res.error)}`);
                 const { offer } = offer_res.result;
                 const accept_result = await get_db().transaction(async (tx) => {
                     return query_accept_offer({ db: tx }, {
@@ -284,17 +284,17 @@ export const describe_audit_completeness_tests = (options) => {
                 const revoke_res = await rpc_call_for_spec({
                     app: test_app.app,
                     path: rpc_path,
-                    spec: permit_revoke_action_spec,
-                    params: { actor_id: target.actor.id, permit_id: accept_result.permit.id },
+                    spec: role_grant_revoke_action_spec,
+                    params: { actor_id: target.actor.id, role_grant_id: accept_result.role_grant.id },
                     headers: test_app.create_session_headers(),
                 });
-                assert.ok(revoke_res.ok, `permit_revoke failed: ${revoke_res.ok ? '' : JSON.stringify(revoke_res.error)}`);
+                assert.ok(revoke_res.ok, `role_grant_revoke failed: ${revoke_res.ok ? '' : JSON.stringify(revoke_res.error)}`);
                 const events = await query_audit_events(test_app.backend.deps.db);
-                assert_has_event(events, 'permit_revoke', 'permit_revoke RPC');
+                assert_has_event(events, 'role_grant_revoke', 'role_grant_revoke RPC');
                 // Audit envelope must populate both target columns —
-                // `permit_revoke` is the canonical actor-bound-subject event.
+                // `role_grant_revoke` is the canonical actor-bound-subject event.
                 const revoke_rows = await test_app.backend.deps.db.query(`SELECT target_account_id, target_actor_id FROM audit_log
-					 WHERE event_type = 'permit_revoke' ORDER BY seq DESC LIMIT 1`);
+					 WHERE event_type = 'role_grant_revoke' ORDER BY seq DESC LIMIT 1`);
                 const row = revoke_rows[0];
                 assert.strictEqual(row.target_account_id, target.account.id);
                 assert.strictEqual(row.target_actor_id, target.actor.id);
@@ -416,9 +416,9 @@ export const describe_audit_completeness_tests = (options) => {
                 'token_create',
                 'token_revoke',
                 'token_revoke_all',
-                'permit_offer_create',
-                'permit_grant',
-                'permit_revoke',
+                'role_grant_offer_create',
+                'role_grant_create',
+                'role_grant_revoke',
                 'invite_create',
                 'invite_delete',
                 'app_settings_update',
@@ -426,20 +426,20 @@ export const describe_audit_completeness_tests = (options) => {
             /** Event types excluded with justification. */
             const EXCLUDED_EVENT_TYPES = new Set([
                 'bootstrap', // requires filesystem token — tested in bootstrap_account.db.test.ts
-                // The remaining `permit_offer_*` events fire only via the RPC
-                // endpoint or via downstream effects of `permit_revoke`. Direct
-                // coverage lives in `permit_offer_queries.db.test.ts`,
-                // `permit_offer_actions.db.test.ts`,
-                // `permit_offer_actions.notifications.db.test.ts`, and
-                // `permit_offer_actions.notifications.revoke.db.test.ts`.
-                // `permit_offer_expire` fires from the cleanup sweep
-                // (`cleanup_expired_permit_offers` in `auth/cleanup.ts`) —
+                // The remaining `role_grant_offer_*` events fire only via the RPC
+                // endpoint or via downstream effects of `role_grant_revoke`. Direct
+                // coverage lives in `role_grant_offer_queries.db.test.ts`,
+                // `role_grant_offer_actions.db.test.ts`,
+                // `role_grant_offer_actions.notifications.db.test.ts`, and
+                // `role_grant_offer_actions.notifications.revoke.db.test.ts`.
+                // `role_grant_offer_expire` fires from the cleanup sweep
+                // (`cleanup_expired_role_grant_offers` in `auth/cleanup.ts`) —
                 // covered in `cleanup.db.test.ts`.
-                'permit_offer_accept',
-                'permit_offer_decline',
-                'permit_offer_retract',
-                'permit_offer_expire',
-                'permit_offer_supersede',
+                'role_grant_offer_accept',
+                'role_grant_offer_decline',
+                'role_grant_offer_retract',
+                'role_grant_offer_expire',
+                'role_grant_offer_supersede',
             ]);
             test('all audit event types are covered or explicitly excluded', () => {
                 const all_covered = new Set([...COVERED_EVENT_TYPES, ...EXCLUDED_EVENT_TYPES]);

package/dist/testing/auth_apps.d.ts

@@ -8,11 +8,12 @@ import './assert_dev_env.js';
  * @module
  */
 import { Hono } from 'hono';
-import { type RouteSpec, type RouteAuth } from '../http/route_spec.js';
+import { type RouteSpec } from '../http/route_spec.js';
+import { type RouteAuth } from '../http/auth_shape.js';
 import { type RequestContext } from '../auth/request_context.js';
 import { type CredentialType } from '../hono_context.js';
 /**
- * Create a mock `RequestContext` with optional role permit.
+ * Create a mock `RequestContext` with optional role role_grant.
  */
 export declare const create_test_request_context: (role?: string) => RequestContext;
 /**
@@ -40,8 +41,8 @@ export declare const create_auth_test_apps: (route_specs: Array<RouteSpec>, role
 /**
  * Select the Hono test app with correct auth for a route.
  *
- * @throws Error if `auth.type === 'role'` and `auth.role` is not present in
- *   `apps.by_role` — surfaces a missing entry in the `roles` array passed to
+ * @throws Error if `auth.roles` names a role not present in `apps.by_role` —
+ *   surfaces a missing entry in the `roles` array passed to
  *   `create_auth_test_apps`.
  */
 export declare const select_auth_app: (apps: AuthTestApps, auth: RouteAuth) => Hono;

package/dist/testing/auth_apps.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"auth_apps.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/auth_apps.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAE7B;;;;;;;GAOG;AAEH,OAAO,EAAC,IAAI,EAAC,MAAM,MAAM,CAAC;AAG1B,OAAO,EAAoB,KAAK,SAAS,EAAE,KAAK,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAExF,OAAO,EAGN,KAAK,cAAc,EACnB,MAAM,4BAA4B,CAAC;AACpC,OAAO,EAIN,KAAK,cAAc,EACnB,MAAM,oBAAoB,CAAC;AAI5B;;GAEG;AACH,eAAO,MAAM,2BAA2B,GAAI,OAAO,MAAM,KAAG,cAI1D,CAAC;AAEH;;;;;;GAMG;AACH,eAAO,MAAM,0BAA0B,GACtC,aAAa,KAAK,CAAC,SAAS,CAAC,EAC7B,WAAW,cAAc,EACzB,kBAAkB,cAAc,KAC9B,IAsBF,CAAC;AAEF,sFAAsF;AACtF,MAAM,WAAW,YAAY;IAC5B,MAAM,EAAE,IAAI,CAAC;IACb,MAAM,EAAE,IAAI,CAAC;IACb,MAAM,EAAE,IAAI,CAAC;IACb,OAAO,EAAE,GAAG,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;CAC3B;AAED;;;;;GAKG;AACH,eAAO,MAAM,qBAAqB,GACjC,aAAa,KAAK,CAAC,SAAS,CAAC,EAC7B,OAAO,KAAK,CAAC,MAAM,CAAC,KAClB,YAeF,CAAC;AAEF;;;;;;GAMG;AACH,eAAO,MAAM,eAAe,GAAI,MAAM,YAAY,EAAE,MAAM,SAAS,KAAG,IAcrE,CAAC;AAEF,6EAA6E;AAC7E,eAAO,MAAM,iBAAiB,GAAI,MAAM,MAAM,KAAG,MAA4C,CAAC"}
+{"version":3,"file":"auth_apps.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/auth_apps.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAE7B;;;;;;;GAOG;AAEH,OAAO,EAAC,IAAI,EAAC,MAAM,MAAM,CAAC;AAG1B,OAAO,EAAoB,KAAK,SAAS,EAAC,MAAM,uBAAuB,CAAC;AACxE,OAAO,EAAiB,KAAK,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAErE,OAAO,EAGN,KAAK,cAAc,EACnB,MAAM,4BAA4B,CAAC;AACpC,OAAO,EAIN,KAAK,cAAc,EACnB,MAAM,oBAAoB,CAAC;AAI5B;;GAEG;AACH,eAAO,MAAM,2BAA2B,GAAI,OAAO,MAAM,KAAG,cAI1D,CAAC;AAEH;;;;;;GAMG;AACH,eAAO,MAAM,0BAA0B,GACtC,aAAa,KAAK,CAAC,SAAS,CAAC,EAC7B,WAAW,cAAc,EACzB,kBAAkB,cAAc,KAC9B,IAuBF,CAAC;AAEF,sFAAsF;AACtF,MAAM,WAAW,YAAY;IAC5B,MAAM,EAAE,IAAI,CAAC;IACb,MAAM,EAAE,IAAI,CAAC;IACb,MAAM,EAAE,IAAI,CAAC;IACb,OAAO,EAAE,GAAG,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;CAC3B;AAED;;;;;GAKG;AACH,eAAO,MAAM,qBAAqB,GACjC,aAAa,KAAK,CAAC,SAAS,CAAC,EAC7B,OAAO,KAAK,CAAC,MAAM,CAAC,KAClB,YAeF,CAAC;AAEF;;;;;;GAMG;AACH,eAAO,MAAM,eAAe,GAAI,MAAM,YAAY,EAAE,MAAM,SAAS,KAAG,IAarE,CAAC;AAEF,6EAA6E;AAC7E,eAAO,MAAM,iBAAiB,GAAI,MAAM,MAAM,KAAG,MAA4C,CAAC"}

package/dist/testing/auth_apps.js

@@ -10,18 +10,19 @@ import './assert_dev_env.js';
 import { Hono } from 'hono';
 import { Logger } from '@fuzdev/fuz_util/log.js';
 import { apply_route_specs } from '../http/route_spec.js';
-import { fuz_auth_guard_resolver } from '../auth/route_guards.js';
+import { is_public_auth } from '../http/auth_shape.js';
+import { fuz_auth_guard_resolver } from '../auth/auth_guard_resolver.js';
 import { REQUEST_CONTEXT_KEY, create_fuz_authorization_handler, } from '../auth/request_context.js';
 import { ACCOUNT_ID_KEY, CREDENTIAL_TYPE_KEY, TEST_CONTEXT_PRESET_KEY, } from '../hono_context.js';
 import { create_stub_db } from './stubs.js';
-import { create_test_account, create_test_actor, create_test_permit } from './entities.js';
+import { create_test_account, create_test_actor, create_test_role_grant } from './entities.js';
 /**
- * Create a mock `RequestContext` with optional role permit.
+ * Create a mock `RequestContext` with optional role role_grant.
  */
 export const create_test_request_context = (role) => ({
     account: create_test_account({ id: 'acc_1', username: 'testuser' }),
     actor: create_test_actor({ id: 'act_1', account_id: 'acc_1', name: 'testuser' }),
-    permits: role ? [create_test_permit({ id: 'perm_1', actor_id: 'act_1', role })] : [],
+    role_grants: role ? [create_test_role_grant({ id: 'perm_1', actor_id: 'act_1', role })] : [],
 });
 /**
  * Create a Hono test app from route specs with optional auth context.
@@ -35,6 +36,7 @@ export const create_test_app_from_specs = (route_specs, auth_ctx, credential_typ
     const db = create_stub_db();
     app.use('/*', async (c, next) => {
         c.set('pending_effects', []);
+        c.set('post_commit_effects', []);
         if (auth_ctx) {
             c.set(ACCOUNT_ID_KEY, auth_ctx.account.id);
             c.set(REQUEST_CONTEXT_KEY, auth_ctx);
@@ -67,25 +69,26 @@ export const create_auth_test_apps = (route_specs, roles) => {
 /**
  * Select the Hono test app with correct auth for a route.
  *
- * @throws Error if `auth.type === 'role'` and `auth.role` is not present in
- *   `apps.by_role` — surfaces a missing entry in the `roles` array passed to
+ * @throws Error if `auth.roles` names a role not present in `apps.by_role` —
+ *   surfaces a missing entry in the `roles` array passed to
  *   `create_auth_test_apps`.
  */
 export const select_auth_app = (apps, auth) => {
-    switch (auth.type) {
-        case 'none':
-            return apps.public;
-        case 'authenticated':
-            return apps.authed;
-        case 'keeper':
-            return apps.keeper;
-        case 'role': {
-            const app = apps.by_role.get(auth.role);
-            if (!app)
-                throw new Error(`No test app for role '${auth.role}' — is it in the roles array?`);
-            return app;
-        }
+    if (is_public_auth(auth))
+        return apps.public;
+    if (auth.credential_types?.includes('daemon_token'))
+        return apps.keeper;
+    if (auth.roles?.length) {
+        // Multi-role disjunction: any of the named roles admits the caller.
+        // Tests pick the first role's app; consumers wanting per-role coverage
+        // should hit each role's app explicitly.
+        const role = auth.roles[0];
+        const app = apps.by_role.get(role);
+        if (!app)
+            throw new Error(`No test app for role '${role}' — is it in the roles array?`);
+        return app;
     }
+    return apps.authed;
 };
 /** Replace Hono route params (`:foo`) with dummy values for HTTP testing. */
 export const resolve_test_path = (path) => path.replace(/:(\w+)/g, 'test_$1');

package/dist/testing/data_exposure.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"data_exposure.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/data_exposure.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAgB7B,OAAO,KAAK,EAAC,UAAU,EAAE,cAAc,EAAC,MAAM,oBAAoB,CAAC;AACnE,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,uBAAuB,CAAC;AACrD,OAAO,KAAK,EAAC,gBAAgB,EAAE,gBAAgB,EAAC,MAAM,yBAAyB,CAAC;AAChF,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,2BAA2B,CAAC;AAG9D,OAAO,EAAwB,KAAK,SAAS,EAAC,MAAM,SAAS,CAAC;AAe9D;;;;;GAKG;AACH,eAAO,MAAM,kCAAkC,GAAI,QAAQ,OAAO,KAAG,GAAG,CAAC,MAAM,CAuB9E,CAAC;AAIF;;GAEG;AACH,eAAO,MAAM,yCAAyC,GACrD,SAAS,UAAU,EACnB,mBAAkB,aAAa,CAAC,MAAM,CAA6B,KACjE,IAWF,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,wCAAwC,GACpD,SAAS,UAAU,EACnB,oBAAmB,aAAa,CAAC,MAAM,CAA8B,KACnE,IAcF,CAAC;AAIF,kDAAkD;AAClD,MAAM,WAAW,uBAAuB;IACvC,4DAA4D;IAC5D,KAAK,EAAE,MAAM,cAAc,CAAC;IAC5B,wCAAwC;IACxC,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,4CAA4C;IAC5C,kBAAkB,EAAE,CAAC,GAAG,EAAE,gBAAgB,KAAK,KAAK,CAAC,SAAS,CAAC,CAAC;IAChE,2FAA2F;IAC3F,gBAAgB,CAAC,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IACzC,iGAAiG;IACjG,iBAAiB,CAAC,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IAC1C,iDAAiD;IACjD,WAAW,CAAC,EAAE,OAAO,CACpB,IAAI,CAAC,gBAAgB,EAAE,SAAS,GAAG,iBAAiB,GAAG,oBAAoB,CAAC,CAC5E,CAAC;IACF,qEAAqE;IACrE,YAAY,CAAC,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;IAChC,kDAAkD;IAClD,WAAW,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;CAC5B;AAED;;;;;;;;GAQG;AACH,eAAO,MAAM,4BAA4B,GAAI,SAAS,uBAAuB,KAAG,IAmC/E,CAAC"}
+{"version":3,"file":"data_exposure.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/data_exposure.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAgB7B,OAAO,KAAK,EAAC,UAAU,EAAE,cAAc,EAAC,MAAM,oBAAoB,CAAC;AACnE,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,uBAAuB,CAAC;AACrD,OAAO,KAAK,EAAC,gBAAgB,EAAE,gBAAgB,EAAC,MAAM,yBAAyB,CAAC;AAChF,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,2BAA2B,CAAC;AAG9D,OAAO,EAAwB,KAAK,SAAS,EAAC,MAAM,SAAS,CAAC;AAgB9D;;;;;GAKG;AACH,eAAO,MAAM,kCAAkC,GAAI,QAAQ,OAAO,KAAG,GAAG,CAAC,MAAM,CAuB9E,CAAC;AAIF;;GAEG;AACH,eAAO,MAAM,yCAAyC,GACrD,SAAS,UAAU,EACnB,mBAAkB,aAAa,CAAC,MAAM,CAA6B,KACjE,IAWF,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,wCAAwC,GACpD,SAAS,UAAU,EACnB,oBAAmB,aAAa,CAAC,MAAM,CAA8B,KACnE,IAcF,CAAC;AAIF,kDAAkD;AAClD,MAAM,WAAW,uBAAuB;IACvC,4DAA4D;IAC5D,KAAK,EAAE,MAAM,cAAc,CAAC;IAC5B,wCAAwC;IACxC,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,4CAA4C;IAC5C,kBAAkB,EAAE,CAAC,GAAG,EAAE,gBAAgB,KAAK,KAAK,CAAC,SAAS,CAAC,CAAC;IAChE,2FAA2F;IAC3F,gBAAgB,CAAC,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IACzC,iGAAiG;IACjG,iBAAiB,CAAC,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IAC1C,iDAAiD;IACjD,WAAW,CAAC,EAAE,OAAO,CACpB,IAAI,CAAC,gBAAgB,EAAE,SAAS,GAAG,iBAAiB,GAAG,oBAAoB,CAAC,CAC5E,CAAC;IACF,qEAAqE;IACrE,YAAY,CAAC,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;IAChC,kDAAkD;IAClD,WAAW,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;CAC5B;AAED;;;;;;;;GAQG;AACH,eAAO,MAAM,4BAA4B,GAAI,SAAS,uBAAuB,KAAG,IAmC/E,CAAC"}

package/dist/testing/data_exposure.js

@@ -18,6 +18,7 @@ import { resolve_valid_path, generate_valid_body } from './schema_generators.js'
 import { run_migrations } from '../db/migrate.js';
 import { AUTH_MIGRATION_NS } from '../auth/migrations.js';
 import { is_null_schema, is_strict_object_schema } from '../http/schema_helpers.js';
+import { is_keeper_auth, is_public_auth } from '../http/auth_shape.js';
 import { SENSITIVE_FIELD_BLOCKLIST, ADMIN_ONLY_FIELD_BLOCKLIST, assert_no_sensitive_fields_in_json, pick_auth_headers, } from './integration_helpers.js';
 // --- Schema introspection ---
 /**
@@ -71,7 +72,7 @@ export const assert_output_schemas_no_sensitive_fields = (surface, sensitive_fie
  * Assert that non-admin route output schemas don't contain admin-only fields.
  */
 export const assert_non_admin_schemas_no_admin_fields = (surface, admin_only_fields = ADMIN_ONLY_FIELD_BLOCKLIST) => {
-    const non_admin = surface.routes.filter((r) => r.auth.type !== 'keeper' && !(r.auth.type === 'role' && r.auth.role === 'admin'));
+    const non_admin = surface.routes.filter((r) => !is_keeper_auth(r.auth) && !(r.auth.roles?.includes('admin') ?? false));
     for (const route of non_admin) {
         if (route.output_schema === null)
             continue;
@@ -154,7 +155,7 @@ const describe_data_exposure_runtime_tests = (options) => {
             // Tests that don't fire authenticated requests run first — they don't
             // invalidate sessions and are independent of test order.
             test('unauthenticated error responses contain no sensitive fields', async () => {
-                const protected_specs = test_app.route_specs.filter((s) => s.auth.type !== 'none');
+                const protected_specs = test_app.route_specs.filter((s) => !is_public_auth(s.auth));
                 for (const spec of protected_specs) {
                     const route_key = `${spec.method} ${spec.path}`;
                     if (skip_set.has(route_key))
@@ -181,7 +182,7 @@ const describe_data_exposure_runtime_tests = (options) => {
             // Cross-privilege test runs before 2xx tests — admin routes reject
             // without calling handlers, so sessions stay intact.
             test('admin routes return 403 for non-admin user', async () => {
-                const admin_specs = test_app.route_specs.filter((s) => s.auth.type === 'role' && s.auth.role === 'admin');
+                const admin_specs = test_app.route_specs.filter((s) => s.auth.roles?.includes('admin') ?? false);
                 for (const spec of admin_specs) {
                     const route_key = `${spec.method} ${spec.path}`;
                     if (skip_set.has(route_key))
@@ -221,8 +222,7 @@ const describe_data_exposure_runtime_tests = (options) => {
                     if (skip_set.has(route_key))
                         continue;
                     // keeper auth (daemon token) is strictly more privileged than admin
-                    const is_elevated = spec.auth.type === 'keeper' ||
-                        (spec.auth.type === 'role' && spec.auth.role === 'admin');
+                    const is_elevated = is_keeper_auth(spec.auth) || (spec.auth.roles?.includes('admin') ?? false);
                     const url = resolve_valid_path(spec.path, spec.params);
                     const body = generate_valid_body(spec.input);
                     const headers = pick_auth_headers(spec, test_app, authed_account, admin_account);

package/dist/testing/db.d.ts

@@ -79,7 +79,7 @@ export declare const AUTH_INTEGRATION_TRUNCATE_TABLES: string[];
  *
  * When adding tables to `AUTH_MIGRATIONS`, add them here too.
  */
-export declare const AUTH_DROP_TABLES: readonly ["app_settings", "invite", "audit_log", "api_token", "auth_session", "permit", "permit_offer", "actor", "account", "bootstrap_lock"];
+export declare const AUTH_DROP_TABLES: readonly ["app_settings", "invite", "audit_log", "api_token", "auth_session", "role_grant", "role_grant_offer", "actor", "account", "bootstrap_lock"];
 /**
  * Drop all auth tables and schema version tracking for a clean slate.
  *

package/dist/testing/db.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"db.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/db.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AA6B7B,OAAO,KAAK,EAAC,EAAE,EAAC,MAAM,aAAa,CAAC;AAKpC;;GAEG;AACH,eAAO,MAAM,KAAK,SAA4B,CAAC;AAE/C;;GAEG;AACH,MAAM,WAAW,SAAS;IACzB,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,OAAO,CAAC,EAAE,CAAC,CAAC;IAC1B,KAAK,EAAE,CAAC,EAAE,EAAE,EAAE,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IACjC,IAAI,EAAE,OAAO,CAAC;IACd,WAAW,CAAC,EAAE,MAAM,CAAC;CACrB;AAED;;;;;;;;GAQG;AACH,eAAO,MAAM,YAAY,GAAU,IAAI,EAAE,KAAG,OAAO,CAAC,IAAI,CAGvD,CAAC;AAMF;;;;;;;;;;GAUG;AACH,eAAO,MAAM,qBAAqB,GAAI,aAAa,CAAC,EAAE,EAAE,EAAE,KAAK,OAAO,CAAC,IAAI,CAAC,KAAG,SAkB7E,CAAC;AAEH;;;;;;;;;;;;;;;;;;GAkBG;AACH,eAAO,MAAM,iBAAiB,GAC7B,aAAa,CAAC,EAAE,EAAE,EAAE,KAAK,OAAO,CAAC,IAAI,CAAC,EACtC,WAAW,MAAM,KACf,SA2DF,CAAC;AAEF;;;;GAIG;AACH,eAAO,MAAM,oBAAoB,UAQhC,CAAC;AAEF;;;;;;GAMG;AACH,eAAO,MAAM,gCAAgC,UAAyC,CAAC;AAEvF;;;;;;;;GAQG;AACH,eAAO,MAAM,gBAAgB,+IAWnB,CAAC;AAEX;;;;;;;;;;GAUG;AACH,eAAO,MAAM,gBAAgB,GAAU,IAAI,EAAE,KAAG,OAAO,CAAC,IAAI,CAK3D,CAAC;AAEF;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,kBAAkB,GAC9B,WAAW,SAAS,GAAG,KAAK,CAAC,SAAS,CAAC,EACvC,iBAAiB,KAAK,CAAC,MAAM,CAAC,KAC5B,CAAC,CAAC,IAAI,EAAE,MAAM,EAAE,EAAE,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,IAAI,KAAK,IAAI,CAwBzD,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,qBAAqB,GAAI,WAAW,KAAK,CAAC,SAAS,CAAC,KAAG,IAMnE,CAAC"}
+{"version":3,"file":"db.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/db.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AA6B7B,OAAO,KAAK,EAAC,EAAE,EAAC,MAAM,aAAa,CAAC;AAKpC;;GAEG;AACH,eAAO,MAAM,KAAK,SAA4B,CAAC;AAE/C;;GAEG;AACH,MAAM,WAAW,SAAS;IACzB,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,OAAO,CAAC,EAAE,CAAC,CAAC;IAC1B,KAAK,EAAE,CAAC,EAAE,EAAE,EAAE,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IACjC,IAAI,EAAE,OAAO,CAAC;IACd,WAAW,CAAC,EAAE,MAAM,CAAC;CACrB;AAED;;;;;;;;GAQG;AACH,eAAO,MAAM,YAAY,GAAU,IAAI,EAAE,KAAG,OAAO,CAAC,IAAI,CAGvD,CAAC;AAMF;;;;;;;;;;GAUG;AACH,eAAO,MAAM,qBAAqB,GAAI,aAAa,CAAC,EAAE,EAAE,EAAE,KAAK,OAAO,CAAC,IAAI,CAAC,KAAG,SAkB7E,CAAC;AAEH;;;;;;;;;;;;;;;;;;GAkBG;AACH,eAAO,MAAM,iBAAiB,GAC7B,aAAa,CAAC,EAAE,EAAE,EAAE,KAAK,OAAO,CAAC,IAAI,CAAC,EACtC,WAAW,MAAM,KACf,SA2DF,CAAC;AAEF;;;;GAIG;AACH,eAAO,MAAM,oBAAoB,UAQhC,CAAC;AAEF;;;;;;GAMG;AACH,eAAO,MAAM,gCAAgC,UAAyC,CAAC;AAEvF;;;;;;;;GAQG;AACH,eAAO,MAAM,gBAAgB,uJAWnB,CAAC;AAEX;;;;;;;;;;GAUG;AACH,eAAO,MAAM,gBAAgB,GAAU,IAAI,EAAE,KAAG,OAAO,CAAC,IAAI,CAK3D,CAAC;AAEF;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,kBAAkB,GAC9B,WAAW,SAAS,GAAG,KAAK,CAAC,SAAS,CAAC,EACvC,iBAAiB,KAAK,CAAC,MAAM,CAAC,KAC5B,CAAC,CAAC,IAAI,EAAE,MAAM,EAAE,EAAE,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,IAAI,KAAK,IAAI,CAwBzD,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,qBAAqB,GAAI,WAAW,KAAK,CAAC,SAAS,CAAC,KAAG,IAMnE,CAAC"}

package/dist/testing/db.js

@@ -164,8 +164,8 @@ export const AUTH_TRUNCATE_TABLES = [
     'invite',
     'api_token',
     'auth_session',
-    'permit',
-    'permit_offer',
+    'role_grant',
+    'role_grant_offer',
     'actor',
     'account',
 ];
@@ -192,8 +192,8 @@ export const AUTH_DROP_TABLES = [
     'audit_log',
     'api_token',
     'auth_session',
-    'permit',
-    'permit_offer',
+    'role_grant',
+    'role_grant_offer',
     'actor',
     'account',
     'bootstrap_lock',

package/dist/testing/db_entities.d.ts

@@ -0,0 +1,22 @@
+import './assert_dev_env.js';
+import type { Account, Actor } from '../auth/account_schema.js';
+import type { Db } from '../db/db.js';
+/** The `{account, actor}` row pair returned by `create_test_account_with_actor`. */
+export interface TestAccountWithActor {
+    account: Account;
+    actor: Actor;
+}
+/**
+ * Create an `account` + `actor` row pair in the database for tests.
+ *
+ * Wraps `query_create_account_with_actor` with a default `password_hash`
+ * so suites that don't exercise password verification can stay terse.
+ * Replaces the per-file `create_user` / `create_test_actor` /
+ * `create_test_account` helpers that had accumulated across the auth
+ * test suite.
+ */
+export declare const create_test_account_with_actor: (db: Db, options: {
+    username: string;
+    password_hash?: string;
+}) => Promise<TestAccountWithActor>;
+//# sourceMappingURL=db_entities.d.ts.map

package/dist/testing/db_entities.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"db_entities.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/db_entities.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAoB7B,OAAO,KAAK,EAAC,OAAO,EAAE,KAAK,EAAC,MAAM,2BAA2B,CAAC;AAC9D,OAAO,KAAK,EAAC,EAAE,EAAC,MAAM,aAAa,CAAC;AAEpC,oFAAoF;AACpF,MAAM,WAAW,oBAAoB;IACpC,OAAO,EAAE,OAAO,CAAC;IACjB,KAAK,EAAE,KAAK,CAAC;CACb;AAED;;;;;;;;GAQG;AACH,eAAO,MAAM,8BAA8B,GAC1C,IAAI,EAAE,EACN,SAAS;IAAC,QAAQ,EAAE,MAAM,CAAC;IAAC,aAAa,CAAC,EAAE,MAAM,CAAA;CAAC,KACjD,OAAO,CAAC,oBAAoB,CAI7B,CAAC"}

package/dist/testing/db_entities.js

@@ -0,0 +1,28 @@
+import './assert_dev_env.js';
+/**
+ * DB-backed entity factories for tests that need real `account` + `actor`
+ * rows in the database.
+ *
+ * Companion to `entities.ts` — that file ships in-memory factories
+ * (`create_test_account`, `create_test_actor`) for tests that mock the
+ * DB; this file ships factories that hit a real `Db` so query-level
+ * tests don't reimplement the same `query_create_account_with_actor`
+ * wrapper in every file.
+ *
+ * For full-fledged test accounts that also need an API token + signed
+ * session cookie + role_grants, use `bootstrap_test_account` from
+ * `app_server.ts` instead.
+ *
+ * @module
+ */
+import { query_create_account_with_actor } from '../auth/account_queries.js';
+/**
+ * Create an `account` + `actor` row pair in the database for tests.
+ *
+ * Wraps `query_create_account_with_actor` with a default `password_hash`
+ * so suites that don't exercise password verification can stay terse.
+ * Replaces the per-file `create_user` / `create_test_actor` /
+ * `create_test_account` helpers that had accumulated across the auth
+ * test suite.
+ */
+export const create_test_account_with_actor = async (db, options) => query_create_account_with_actor({ db }, { username: options.username, password_hash: options.password_hash ?? 'hash' });

package/dist/testing/entities.d.ts

@@ -1,5 +1,5 @@
 import './assert_dev_env.js';
-import type { Account, Actor, Permit } from '../auth/account_schema.js';
+import type { Account, Actor, RoleGrant } from '../auth/account_schema.js';
 import type { AuditLogEvent } from '../auth/audit_log_schema.js';
 import type { RequestContext } from '../auth/request_context.js';
 /** Override type for `create_test_account` — id-like fields accept plain `string`. */
@@ -18,19 +18,20 @@ export type TestActorOverrides = Partial<Omit<Actor, 'id' | 'account_id' | 'upda
 };
 /** Create a test `Actor` with sensible defaults. */
 export declare const create_test_actor: (overrides?: TestActorOverrides) => Actor;
-/** Override type for `create_test_permit` — id-like fields accept plain `string`. */
-export type TestPermitOverrides = Partial<Omit<Permit, 'id' | 'actor_id' | 'scope_id' | 'revoked_by' | 'granted_by' | 'source_offer_id'>> & {
+/** Override type for `create_test_role_grant` — id-like fields accept plain `string`. */
+export type TestRoleGrantOverrides = Partial<Omit<RoleGrant, 'id' | 'actor_id' | 'scope_kind' | 'scope_id' | 'revoked_by' | 'granted_by' | 'source_offer_id'>> & {
     id?: string;
     actor_id?: string;
+    scope_kind?: string | null;
     scope_id?: string | null;
     revoked_by?: string | null;
     granted_by?: string | null;
     source_offer_id?: string | null;
 };
-/** Create a test `Permit` with sensible defaults. */
-export declare const create_test_permit: (overrides?: TestPermitOverrides) => Permit;
-/** Create a test `RequestContext` with permits from partial overrides. */
-export declare const create_test_context: (permits?: Array<TestPermitOverrides>) => RequestContext;
+/** Create a test `RoleGrant` with sensible defaults. */
+export declare const create_test_role_grant: (overrides?: TestRoleGrantOverrides) => RoleGrant;
+/** Create a test `RequestContext` with role_grants from partial overrides. */
+export declare const create_test_context: (role_grants?: Array<TestRoleGrantOverrides>) => RequestContext;
 /** Override type for `create_test_audit_event` — id-like fields accept plain `string`. */
 export type TestAuditEventOverrides = Partial<Omit<AuditLogEvent, 'id' | 'actor_id' | 'account_id' | 'target_account_id' | 'target_actor_id'>> & {
     id?: string;

package/dist/testing/entities.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"entities.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/entities.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAiB7B,OAAO,KAAK,EAAC,OAAO,EAAE,KAAK,EAAE,MAAM,EAAC,MAAM,2BAA2B,CAAC;AACtE,OAAO,KAAK,EAAC,aAAa,EAAC,MAAM,6BAA6B,CAAC;AAC/D,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,4BAA4B,CAAC;AAE/D,sFAAsF;AACtF,MAAM,MAAM,oBAAoB,GAAG,OAAO,CAAC,IAAI,CAAC,OAAO,EAAE,IAAI,GAAG,YAAY,GAAG,YAAY,CAAC,CAAC,GAAG;IAC/F,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CAC3B,CAAC;AAEF,sDAAsD;AACtD,eAAO,MAAM,mBAAmB,GAAI,YAAY,oBAAoB,KAAG,OAWrE,CAAC;AAEH,oFAAoF;AACpF,MAAM,MAAM,kBAAkB,GAAG,OAAO,CAAC,IAAI,CAAC,KAAK,EAAE,IAAI,GAAG,YAAY,GAAG,YAAY,CAAC,CAAC,GAAG;IAC3F,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CAC3B,CAAC;AAEF,oDAAoD;AACpD,eAAO,MAAM,iBAAiB,GAAI,YAAY,kBAAkB,KAAG,KAQjE,CAAC;AAEH,qFAAqF;AACrF,MAAM,MAAM,mBAAmB,GAAG,OAAO,CACxC,IAAI,CAAC,MAAM,EAAE,IAAI,GAAG,UAAU,GAAG,UAAU,GAAG,YAAY,GAAG,YAAY,GAAG,iBAAiB,CAAC,CAC9F,GAAG;IACH,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,QAAQ,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,eAAe,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CAChC,CAAC;AAEF,qDAAqD;AACrD,eAAO,MAAM,kBAAkB,GAAI,YAAY,mBAAmB,KAAG,MAanE,CAAC;AAEH,0EAA0E;AAC1E,eAAO,MAAM,mBAAmB,GAC/B,UAAS,KAAK,CAAC,mBAAmB,CAAQ,KACxC,cAID,CAAC;AAEH,0FAA0F;AAC1F,MAAM,MAAM,uBAAuB,GAAG,OAAO,CAC5C,IAAI,CAAC,aAAa,EAAE,IAAI,GAAG,UAAU,GAAG,YAAY,GAAG,mBAAmB,GAAG,iBAAiB,CAAC,CAC/F,GAAG;IACH,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ,QAAQ,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,iBAAiB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAClC,eAAe,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CAChC,CAAC;AAEF,4DAA4D;AAC5D,eAAO,MAAM,uBAAuB,GAAI,YAAY,uBAAuB,KAAG,aAa5E,CAAC"}
+{"version":3,"file":"entities.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/entities.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAiB7B,OAAO,KAAK,EAAC,OAAO,EAAE,KAAK,EAAE,SAAS,EAAC,MAAM,2BAA2B,CAAC;AACzE,OAAO,KAAK,EAAC,aAAa,EAAC,MAAM,6BAA6B,CAAC;AAC/D,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,4BAA4B,CAAC;AAE/D,sFAAsF;AACtF,MAAM,MAAM,oBAAoB,GAAG,OAAO,CAAC,IAAI,CAAC,OAAO,EAAE,IAAI,GAAG,YAAY,GAAG,YAAY,CAAC,CAAC,GAAG;IAC/F,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CAC3B,CAAC;AAEF,sDAAsD;AACtD,eAAO,MAAM,mBAAmB,GAAI,YAAY,oBAAoB,KAAG,OAWrE,CAAC;AAEH,oFAAoF;AACpF,MAAM,MAAM,kBAAkB,GAAG,OAAO,CAAC,IAAI,CAAC,KAAK,EAAE,IAAI,GAAG,YAAY,GAAG,YAAY,CAAC,CAAC,GAAG;IAC3F,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CAC3B,CAAC;AAEF,oDAAoD;AACpD,eAAO,MAAM,iBAAiB,GAAI,YAAY,kBAAkB,KAAG,KAQjE,CAAC;AAEH,yFAAyF;AACzF,MAAM,MAAM,sBAAsB,GAAG,OAAO,CAC3C,IAAI,CACH,SAAS,EACT,IAAI,GAAG,UAAU,GAAG,YAAY,GAAG,UAAU,GAAG,YAAY,GAAG,YAAY,GAAG,iBAAiB,CAC/F,CACD,GAAG;IACH,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,QAAQ,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,eAAe,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CAChC,CAAC;AAEF,wDAAwD;AACxD,eAAO,MAAM,sBAAsB,GAAI,YAAY,sBAAsB,KAAG,SAgB3E,CAAC;AAEF,8EAA8E;AAC9E,eAAO,MAAM,mBAAmB,GAC/B,cAAa,KAAK,CAAC,sBAAsB,CAAQ,KAC/C,cAID,CAAC;AAEH,0FAA0F;AAC1F,MAAM,MAAM,uBAAuB,GAAG,OAAO,CAC5C,IAAI,CAAC,aAAa,EAAE,IAAI,GAAG,UAAU,GAAG,YAAY,GAAG,mBAAmB,GAAG,iBAAiB,CAAC,CAC/F,GAAG;IACH,EAAE,CAAC,EAAE,MAAM,CAAC;IACZ,QAAQ,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACzB,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,iBAAiB,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAClC,eAAe,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CAChC,CAAC;AAEF,4DAA4D;AAC5D,eAAO,MAAM,uBAAuB,GAAI,YAAY,uBAAuB,KAAG,aAa5E,CAAC"}

package/dist/testing/entities.js

@@ -22,26 +22,29 @@ export const create_test_actor = (overrides) => ({
     updated_by: null,
     ...overrides,
 });
-/** Create a test `Permit` with sensible defaults. */
-export const create_test_permit = (overrides) => ({
-    id: 'permit-test',
-    actor_id: 'actor-test',
-    role: 'admin',
-    scope_id: null,
-    created_at: '2024-01-01T00:00:00Z',
-    expires_at: null,
-    revoked_at: null,
-    revoked_by: null,
-    revoked_reason: null,
-    granted_by: null,
-    source_offer_id: null,
-    ...overrides,
-});
-/** Create a test `RequestContext` with permits from partial overrides. */
-export const create_test_context = (permits = [{}]) => ({
+/** Create a test `RoleGrant` with sensible defaults. */
+export const create_test_role_grant = (overrides) => {
+    const base = {
+        id: 'role-grant-test',
+        actor_id: 'actor-test',
+        role: 'admin',
+        scope_kind: null,
+        scope_id: null,
+        created_at: '2024-01-01T00:00:00Z',
+        expires_at: null,
+        revoked_at: null,
+        revoked_by: null,
+        revoked_reason: null,
+        granted_by: null,
+        source_offer_id: null,
+    };
+    return overrides ? { ...base, ...overrides } : base;
+};
+/** Create a test `RequestContext` with role_grants from partial overrides. */
+export const create_test_context = (role_grants = [{}]) => ({
     account: create_test_account(),
     actor: create_test_actor(),
-    permits: permits.map((p) => create_test_permit(p)),
+    role_grants: role_grants.map((p) => create_test_role_grant(p)),
 });
 /** Create a test `AuditLogEvent` with sensible defaults. */
 export const create_test_audit_event = (overrides) => ({

package/dist/testing/integration.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"integration.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/integration.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAsB7B,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,2BAA2B,CAAC;AAC9D,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,yBAAyB,CAAC;AAC9D,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAErD,OAAO,EAA6C,KAAK,eAAe,EAAC,MAAM,iBAAiB,CAAC;AACjG,OAAO,EAIN,KAAK,SAAS,EACd,MAAM,SAAS,CAAC;AAOjB,OAAO,EAKN,KAAK,uBAAuB,EAC5B,MAAM,kBAAkB,CAAC;AAqB1B;;GAEG;AACH,MAAM,WAAW,8BAA8B;IAC9C,4CAA4C;IAC5C,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,wDAAwD;IACxD,kBAAkB,EAAE,CAAC,GAAG,EAAE,gBAAgB,KAAK,KAAK,CAAC,SAAS,CAAC,CAAC;IAChE,iDAAiD;IACjD,WAAW,CAAC,EAAE,eAAe,CAAC;IAC9B;;;OAGG;IACH,YAAY,CAAC,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;IAChC;;;;;;;;;;;;;;;;OAgBG;IACH,aAAa,EAAE,uBAAuB,CAAC;CACvC;AAsBD;;;;;;;;;;;;;;;;GAgBG;AACH,eAAO,MAAM,mCAAmC,GAC/C,SAAS,8BAA8B,KACrC,IAg8CF,CAAC"}
+{"version":3,"file":"integration.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/testing/integration.ts"],"names":[],"mappings":"AAAA,OAAO,qBAAqB,CAAC;AAsB7B,OAAO,KAAK,EAAC,cAAc,EAAC,MAAM,2BAA2B,CAAC;AAC9D,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,yBAAyB,CAAC;AAC9D,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,uBAAuB,CAAC;AAErD,OAAO,EAA6C,KAAK,eAAe,EAAC,MAAM,iBAAiB,CAAC;AACjG,OAAO,EAIN,KAAK,SAAS,EACd,MAAM,SAAS,CAAC;AAOjB,OAAO,EAKN,KAAK,uBAAuB,EAC5B,MAAM,kBAAkB,CAAC;AAsB1B;;GAEG;AACH,MAAM,WAAW,8BAA8B;IAC9C,4CAA4C;IAC5C,eAAe,EAAE,cAAc,CAAC,MAAM,CAAC,CAAC;IACxC,wDAAwD;IACxD,kBAAkB,EAAE,CAAC,GAAG,EAAE,gBAAgB,KAAK,KAAK,CAAC,SAAS,CAAC,CAAC;IAChE,iDAAiD;IACjD,WAAW,CAAC,EAAE,eAAe,CAAC;IAC9B;;;OAGG;IACH,YAAY,CAAC,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC;IAChC;;;;;;;;;;;;;;;;OAgBG;IACH,aAAa,EAAE,uBAAuB,CAAC;CACvC;AAsBD;;;;;;;;;;;;;;;;GAgBG;AACH,eAAO,MAAM,mCAAmC,GAC/C,SAAS,8BAA8B,KACrC,IA87CF,CAAC"}