@fuzdev/fuz_app 0.55.0 → 0.56.0

package/dist/auth/account_routes.js

@@ -22,13 +22,12 @@
  * @module
  */
 import { z } from 'zod';
-import { clear_session_cookie } from './session_middleware.js';
-import { create_session_and_set_cookie } from './session_lifecycle.js';
-import { ActorSummaryJson, PermitSummaryJson, SessionAccountJson, to_session_account, UsernameProvided, } from './account_schema.js';
+import { clear_session_cookie, create_session_and_set_cookie } from './session_middleware.js';
+import { ActorSummaryJson, RoleGrantSummaryJson, SessionAccountJson, to_session_account, } from './account_schema.js';
+import { UsernameProvided } from '../primitive_schemas.js';
 import { hash_session_token, query_session_revoke_all_for_account, query_session_revoke_by_hash_unscoped, } from './session_queries.js';
 import { query_account_by_username_or_email, query_update_account_password, } from './account_queries.js';
 import { query_revoke_all_api_tokens_for_account } from './api_token_queries.js';
-import { audit_log_fire_and_forget } from './audit_log_queries.js';
 import { build_account_context, build_request_context, get_request_context, require_request_context, resolve_acting_actor, } from './request_context.js';
 import { ACCOUNT_ID_KEY } from '../hono_context.js';
 import { get_route_input } from '../http/route_spec.js';
@@ -42,15 +41,15 @@ export const AccountStatusInput = z.null();
  * Output for `GET /api/account/status` on the authenticated path.
  *
  * `account` is always populated for authenticated callers. `actor` and
- * `permits` are populated when the caller's account has a unique actor or
+ * `role_grants` are populated when the caller's account has a unique actor or
  * the request supplies `?acting=<actor_id>`; on multi-actor accounts
- * without an `acting` query, `actor` is `null` and `permits` is empty so
+ * without an `acting` query, `actor` is `null` and `role_grants` is empty so
  * the frontend can show a persona picker without a separate roundtrip.
  */
 export const AccountStatusOutput = z.strictObject({
     account: SessionAccountJson,
     actor: ActorSummaryJson.nullable(),
-    permits: z.array(PermitSummaryJson),
+    role_grants: z.array(RoleGrantSummaryJson),
 });
 /** Error body for `GET /api/account/status` on the unauthenticated path. */
 export const AccountStatusUnauthenticatedError = z.looseObject({
@@ -73,7 +72,7 @@ export const AccountStatusUnauthenticatedError = z.looseObject({
 export const create_account_status_route_spec = (options) => ({
     method: 'GET',
     path: options?.path ?? '/api/account/status',
-    auth: { type: 'none' },
+    auth: { account: 'none', actor: 'none' },
     description: 'Current account info (unauthenticated: 401 with bootstrap status)',
     input: AccountStatusInput,
     output: AccountStatusOutput,
@@ -94,9 +93,10 @@ export const create_account_status_route_spec = (options) => ({
         // it directly to avoid redundant lookups.
         const existing = get_request_context(c);
         if (existing && existing.account.id === account_id) {
-            const permits = existing.permits.map((p) => ({
+            const role_grants = existing.role_grants.map((p) => ({
                 id: p.id,
                 role: p.role,
+                scope_kind: p.scope_kind,
                 scope_id: p.scope_id,
                 created_at: p.created_at,
                 expires_at: p.expires_at,
@@ -105,10 +105,10 @@ export const create_account_status_route_spec = (options) => ({
             return c.json({
                 account: to_session_account(existing.account),
                 actor: existing.actor ? { id: existing.actor.id, name: existing.actor.name } : null,
-                permits,
+                role_grants,
             });
         }
-        // Resolve actor + permits when the caller is unambiguous (single-actor
+        // Resolve actor + role_grants when the caller is unambiguous (single-actor
         // account, or supplied `?acting=<uuid>`). On multi-actor accounts
         // without `acting`, fall back to account-only so the frontend can
         // surface a persona picker.
@@ -117,9 +117,10 @@ export const create_account_status_route_spec = (options) => ({
         if (acting_result.ok) {
             const ctx = await build_request_context(route, account_id, acting_result.actor_id);
             if (ctx) {
-                const permits = ctx.permits.map((p) => ({
+                const role_grants = ctx.role_grants.map((p) => ({
                     id: p.id,
                     role: p.role,
+                    scope_kind: p.scope_kind,
                     scope_id: p.scope_id,
                     created_at: p.created_at,
                     expires_at: p.expires_at,
@@ -128,7 +129,7 @@ export const create_account_status_route_spec = (options) => ({
                 return c.json({
                     account: to_session_account(ctx.account),
                     actor: { id: ctx.actor.id, name: ctx.actor.name },
-                    permits,
+                    role_grants,
                 });
             }
         }
@@ -142,7 +143,7 @@ export const create_account_status_route_spec = (options) => ({
         return c.json({
             account: to_session_account(account_ctx.account),
             actor: null,
-            permits: [],
+            role_grants: [],
         });
     },
 });
@@ -221,7 +222,7 @@ export const create_account_route_specs = (deps, options) => {
         {
             method: 'GET',
             path: '/verify',
-            auth: { type: 'authenticated' },
+            auth: { account: 'required', actor: 'none' },
             description: 'Session-validity probe for nginx auth_request (empty body, 200 or 401)',
             input: z.null(),
             output: z.null(),
@@ -233,7 +234,7 @@ export const create_account_route_specs = (deps, options) => {
         {
             method: 'POST',
             path: '/login',
-            auth: { type: 'none' },
+            auth: { account: 'none', actor: 'none' },
             description: 'Exchange credentials for session',
             input: LoginInput,
             output: LoginOutput,
@@ -279,12 +280,12 @@ export const create_account_route_specs = (deps, options) => {
                         ip_rate_limiter.record(ip);
                     if (login_account_rate_limiter)
                         login_account_rate_limiter.record(account_rate_key);
-                    void audit_log_fire_and_forget(route, {
+                    deps.audit.emit(route, {
                         event_type: 'login',
                         outcome: 'failure',
                         ip: get_client_ip(c),
                         metadata: { username },
-                    }, deps);
+                    });
                     await delay;
                     return c.json({ error: ERROR_INVALID_CREDENTIALS }, 401);
                 }
@@ -294,13 +295,13 @@ export const create_account_route_specs = (deps, options) => {
                         ip_rate_limiter.record(ip);
                     if (login_account_rate_limiter)
                         login_account_rate_limiter.record(account_rate_key);
-                    void audit_log_fire_and_forget(route, {
+                    deps.audit.emit(route, {
                         event_type: 'login',
                         outcome: 'failure',
                         account_id: account.id,
                         ip: get_client_ip(c),
                         metadata: { username },
-                    }, deps);
+                    });
                     await delay;
                     return c.json({ error: ERROR_INVALID_CREDENTIALS }, 401);
                 }
@@ -317,18 +318,18 @@ export const create_account_route_specs = (deps, options) => {
                     session_options,
                     max_sessions,
                 });
-                void audit_log_fire_and_forget(route, {
+                deps.audit.emit(route, {
                     event_type: 'login',
                     account_id: account.id,
                     ip: get_client_ip(c),
-                }, deps);
+                });
                 return c.json({ ok: true });
             },
         },
         {
             method: 'POST',
             path: '/logout',
-            auth: { type: 'authenticated' },
+            auth: { account: 'required', actor: 'none' },
             description: 'Revoke current session and clear cookie',
             input: LogoutInput,
             output: LogoutOutput,
@@ -343,18 +344,18 @@ export const create_account_route_specs = (deps, options) => {
                 // Account-grain operation — no `actor_id` (which actor was
                 // resolved per-request is incidental to "this account ended
                 // its session"). Mirrors `login`.
-                void audit_log_fire_and_forget(route, {
+                deps.audit.emit(route, {
                     event_type: 'logout',
                     account_id: ctx.account.id,
                     ip: get_client_ip(c),
-                }, deps);
+                });
                 return c.json({ ok: true, username: ctx.account.username });
             },
         },
         {
             method: 'POST',
             path: '/password',
-            auth: { type: 'authenticated' },
+            auth: { account: 'required', actor: 'none' },
             description: 'Change password (revokes all sessions and API tokens)',
             input: PasswordChangeInput,
             output: PasswordChangeOutput,
@@ -388,12 +389,12 @@ export const create_account_route_specs = (deps, options) => {
                         ip_rate_limiter.record(ip);
                     if (login_account_rate_limiter)
                         login_account_rate_limiter.record(ctx.account.id);
-                    void audit_log_fire_and_forget(route, {
+                    deps.audit.emit(route, {
                         event_type: 'password_change',
                         outcome: 'failure',
                         account_id: ctx.account.id,
                         ip: get_client_ip(c),
-                    }, deps);
+                    });
                     return c.json({ error: ERROR_INVALID_CREDENTIALS }, 401);
                 }
                 // successful verification — reset rate limiters
@@ -402,9 +403,33 @@ export const create_account_route_specs = (deps, options) => {
                 if (login_account_rate_limiter)
                     login_account_rate_limiter.reset(ctx.account.id);
                 const new_hash = await password.hash_password(new_password);
-                // Account-grain operation — `updated_by` stays null (the per-request
-                // actor is incidental; password is account-level state).
-                await query_update_account_password(route, ctx.account.id, new_hash, null);
+                // Conditional UPDATE keyed on the verified hash: closes the
+                // verify-write race with a concurrent password change that
+                // already committed against the same starting hash. Account-grain
+                // operation — `updated_by` stays null (the per-request actor is
+                // incidental; password is account-level state).
+                const updated = await query_update_account_password(route, ctx.account.id, new_hash, null, ctx.account.password_hash);
+                if (!updated) {
+                    // A concurrent password change committed first — our
+                    // `current_password` was correct at read-time but the row's
+                    // `password_hash` no longer matches. Mirrors the wrong-password
+                    // 401 shape; tag the failure metadata so admins reading the
+                    // audit log can distinguish "user typoed" from "two clients
+                    // raced." Sessions/tokens were already revoked by the winner;
+                    // no cookie clear here either.
+                    if (ip_rate_limiter && ip)
+                        ip_rate_limiter.record(ip);
+                    if (login_account_rate_limiter)
+                        login_account_rate_limiter.record(ctx.account.id);
+                    deps.audit.emit(route, {
+                        event_type: 'password_change',
+                        outcome: 'failure',
+                        account_id: ctx.account.id,
+                        ip: get_client_ip(c),
+                        metadata: { reason: 'concurrent_change' },
+                    });
+                    return c.json({ error: ERROR_INVALID_CREDENTIALS }, 401);
+                }
                 // revoke all sessions and API tokens (force re-auth everywhere)
                 const sessions_revoked = await query_session_revoke_all_for_account(route, ctx.account.id);
                 const tokens_revoked = await query_revoke_all_api_tokens_for_account(route, ctx.account.id);
@@ -413,12 +438,12 @@ export const create_account_route_specs = (deps, options) => {
                 // account-level state; which per-request actor was resolved
                 // has no semantic bearing on "this account changed its
                 // password". Mirrors `login`/`logout`.
-                void audit_log_fire_and_forget(route, {
+                deps.audit.emit(route, {
                     event_type: 'password_change',
                     account_id: ctx.account.id,
                     ip: get_client_ip(c),
                     metadata: { sessions_revoked, tokens_revoked },
-                }, deps);
+                });
                 return c.json({ ok: true, sessions_revoked, tokens_revoked });
             },
         },

package/dist/auth/account_schema.d.ts

@@ -2,7 +2,14 @@
  * Auth entity types and client-safe schemas.
  *
  * Defines the runtime types for the fuz identity system:
- * `Account`, `Actor`, `Permit`, `AuthSession`, and `ApiToken`.
+ * `Account`, `Actor`, `RoleGrant`, `AuthSession`, and `ApiToken`.
+ *
+ * Identifier primitives (`Username`, `UsernameProvided`, `Email`) live
+ * in `../primitive_schemas.ts` — they're general validator shapes that
+ * don't depend on the auth domain. The auth-shape request-contract
+ * primitive `ActingActor` lives in `../http/auth_shape.ts` next to
+ * `RouteAuth` (the two pair: `auth.actor !== 'none'` ⟺ input declares
+ * `acting?: ActingActor`).
  *
  * DDL lives in `auth/ddl.ts`; role system in `auth/role_schema.ts`.
  * See docs/identity.md for design rationale.
@@ -11,40 +18,7 @@
  */
 import { z } from 'zod';
 import { Uuid } from '@fuzdev/fuz_util/id.js';
-/** Minimum username length (must have start + middle + end characters). */
-export declare const USERNAME_LENGTH_MIN = 3;
-/** Maximum username length (matches GitHub's limit). */
-export declare const USERNAME_LENGTH_MAX = 39;
-/** Maximum length for username input on login/lookup — more permissive than `USERNAME_LENGTH_MAX` for forward-compatibility if the creation limit is raised. */
-export declare const USERNAME_PROVIDED_LENGTH_MAX = 255;
-/** Username for account creation — starts with letter, alphanumeric/dash/underscore middle, ends with alphanumeric. No @ or . allowed. */
-export declare const Username: z.ZodString;
-export type Username = z.infer<typeof Username>;
-/** Username submitted for login or lookup — minimal validation for forward-compatibility if format rules change. */
-export declare const UsernameProvided: z.ZodString;
-export type UsernameProvided = z.infer<typeof UsernameProvided>;
-/** Email validation. */
-export declare const Email: z.ZodEmail;
-export type Email = z.infer<typeof Email>;
-/**
- * `acting` field shared by every action input that needs the caller's
- * acting actor. Declaring `acting: ActingActor` on an action's input
- * is the signal to the RPC dispatcher / route-spec wrapper to resolve
- * an actor against the authenticated account: the authorization phase
- * runs `resolve_acting_actor`, builds the actor-bound `RequestContext`,
- * and loads permits before auth guards fire.
- *
- * Resolution rules: omitted + 1 actor → use it; omitted + multiple
- * actors → `actor_required` with the available list; supplied + on
- * the account → use it; supplied + foreign actor → `actor_not_on_account`.
- *
- * Account-grain routes — input doesn't declare `acting` and auth
- * doesn't require permits (`role` / `keeper`) — skip resolution
- * entirely; their `RequestContext.actor` is `null` and the audit
- * envelope's `actor_id` stays null.
- */
-export declare const ActingActor: z.ZodOptional<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
-export type ActingActor = z.infer<typeof ActingActor>;
+import { Username, Email } from '../primitive_schemas.js';
 /** Account — authentication identity. You log in as an account. */
 export interface Account {
     id: Uuid;
@@ -65,7 +39,7 @@ export interface SessionAccount {
     email_verified: boolean;
     created_at: string;
 }
-/** Actor — the entity that acts. Owns cells, holds permits, appears in audit trails. */
+/** Actor — the entity that acts. Owns cells, holds role_grants, appears in audit trails. */
 export interface Actor {
     id: Uuid;
     account_id: Uuid;
@@ -76,17 +50,25 @@ export interface Actor {
 }
 /**
  * Maximum length of the optional free-form `revoked_reason` attached to a
- * revoked permit. Bounds the value at the schema layer so both the admin
+ * revoked role_grant. Bounds the value at the schema layer so both the admin
  * input (when the route surfaces a reason field) and the revokee-facing
- * `permit_revoke` WS notification validate against the same ceiling.
+ * `role_grant_revoke` WS notification validate against the same ceiling.
  */
-export declare const PERMIT_REVOKED_REASON_LENGTH_MAX = 500;
-/** Permit — time-bounded, revocable grant of a role to an actor. */
-export interface Permit {
+export declare const ROLE_GRANT_REVOKED_REASON_LENGTH_MAX = 500;
+/** Role grant — time-bounded, revocable grant of a role to an actor. */
+export interface RoleGrant {
     id: Uuid;
     actor_id: Uuid;
     role: string;
-    /** Resource scope this grant applies to (e.g. a classroom id). `null` for global permits. */
+    /**
+     * Machine-readable kind tag for the polymorphic `scope_id`. Paired-null
+     * with `scope_id` per the `role_grant_scope_kind_paired` CHECK: both null
+     * (global) or both non-null (scoped). Consumer-declared via
+     * `create_scope_kind_schema(...)`; v1 keeps validation registry-membership
+     * only, with no INSERT-time `(role, scope_kind)` enforcement.
+     */
+    scope_kind: string | null;
+    /** Resource scope this grant applies to (e.g. a classroom id). `null` for global role_grants. */
     scope_id: Uuid | null;
     created_at: string;
     expires_at: string | null;
@@ -95,10 +77,10 @@ export interface Permit {
     /** Optional free-form reason attached on revoke (surfaced in the revokee WS notification once it lands). */
     revoked_reason: string | null;
     granted_by: Uuid | null;
-    /** Offer that produced this permit (set by `query_accept_offer`). `null` for direct grants. */
+    /** Offer that produced this role_grant (set by `query_accept_offer`). `null` for direct grants. */
     source_offer_id: Uuid | null;
 }
-export declare const is_permit_active: (p: {
+export declare const is_role_grant_active: (p: {
     revoked_at?: string | null;
     expires_at: string | null;
 }, now?: Date) => boolean;
@@ -150,16 +132,17 @@ export declare const ClientApiTokenJson: z.ZodObject<{
     created_at: z.ZodString;
 }, z.core.$strict>;
 export type ClientApiTokenJson = z.infer<typeof ClientApiTokenJson>;
-/** Zod schema for the permit summary returned in admin account listings. */
-export declare const PermitSummaryJson: z.ZodObject<{
+/** Zod schema for the role_grant summary returned in admin account listings. */
+export declare const RoleGrantSummaryJson: z.ZodObject<{
     id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
     role: z.ZodString;
+    scope_kind: z.ZodNullable<z.ZodString>;
     scope_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
     created_at: z.ZodString;
     expires_at: z.ZodNullable<z.ZodString>;
     granted_by: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
 }, z.core.$strict>;
-export type PermitSummaryJson = z.infer<typeof PermitSummaryJson>;
+export type RoleGrantSummaryJson = z.infer<typeof RoleGrantSummaryJson>;
 /** Zod schema for the actor summary returned in admin account listings. */
 export declare const ActorSummaryJson: z.ZodObject<{
     id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
@@ -178,9 +161,9 @@ export declare const AdminAccountJson: z.ZodObject<{
 }, z.core.$strict>;
 export type AdminAccountJson = z.infer<typeof AdminAccountJson>;
 /**
- * Zod schema for a pending permit offer surfaced in admin account listings.
+ * Zod schema for a pending role_grant offer surfaced in admin account listings.
  *
- * Deliberately narrower than `PermitOfferJson`: omits `message` and
+ * Deliberately narrower than `RoleGrantOfferJson`: omits `message` and
  * `decline_reason` so cross-admin visibility of the listing does not expose
  * grantor-authored text that the audit log also withholds. Full offer
  * payloads remain available through the offer-specific RPC surface and the
@@ -193,6 +176,7 @@ export type AdminAccountJson = z.infer<typeof AdminAccountJson>;
 export declare const PendingOfferSummaryJson: z.ZodObject<{
     id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
     role: z.ZodString;
+    scope_kind: z.ZodNullable<z.ZodString>;
     scope_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
     from_actor_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
     from_username: z.ZodString;
@@ -200,7 +184,7 @@ export declare const PendingOfferSummaryJson: z.ZodObject<{
     expires_at: z.ZodString;
 }, z.core.$strict>;
 export type PendingOfferSummaryJson = z.infer<typeof PendingOfferSummaryJson>;
-/** Zod schema for an admin account listing entry (account + actor + permits + pending offers). */
+/** Zod schema for an admin account listing entry (account + actor + role_grants + pending offers). */
 export declare const AdminAccountEntryJson: z.ZodObject<{
     account: z.ZodObject<{
         id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
@@ -215,9 +199,10 @@ export declare const AdminAccountEntryJson: z.ZodObject<{
         id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
         name: z.ZodString;
     }, z.core.$strict>>;
-    permits: z.ZodArray<z.ZodObject<{
+    role_grants: z.ZodArray<z.ZodObject<{
         id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
         role: z.ZodString;
+        scope_kind: z.ZodNullable<z.ZodString>;
         scope_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
         created_at: z.ZodString;
         expires_at: z.ZodNullable<z.ZodString>;
@@ -226,6 +211,7 @@ export declare const AdminAccountEntryJson: z.ZodObject<{
     pending_offers: z.ZodArray<z.ZodObject<{
         id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
         role: z.ZodString;
+        scope_kind: z.ZodNullable<z.ZodString>;
         scope_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
         from_actor_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
         from_username: z.ZodString;
@@ -239,14 +225,20 @@ export interface CreateAccountInput {
     password_hash: string;
     email?: Email | null;
 }
-export interface GrantPermitInput {
+export interface CreateRoleGrantInput {
     actor_id: Uuid;
     role: string;
-    /** Scope the grant applies to. `null` / omitted grants a global permit. */
+    /**
+     * Machine-readable kind for the `scope_id`. Required iff `scope_id` is
+     * set; must be null/omitted when `scope_id` is null. The DB-level
+     * `role_grant_scope_kind_paired` CHECK rejects mismatched pairs.
+     */
+    scope_kind?: string | null;
+    /** Scope the grant applies to. `null` / omitted grants a global role_grant. */
     scope_id?: Uuid | null;
     expires_at?: Date | null;
     granted_by: Uuid | null;
-    /** Offer id that produced this permit. Set by `query_accept_offer`; leave unset for direct grants. */
+    /** Offer id that produced this role_grant. Set by `query_accept_offer`; leave unset for direct grants. */
     source_offer_id?: Uuid | null;
 }
 /**

package/dist/auth/account_schema.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"account_schema.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/account_schema.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AACtB,OAAO,EAAC,IAAI,EAAC,MAAM,wBAAwB,CAAC;AAI5C,2EAA2E;AAC3E,eAAO,MAAM,mBAAmB,IAAI,CAAC;AAErC,wDAAwD;AACxD,eAAO,MAAM,mBAAmB,KAAK,CAAC;AAEtC,gKAAgK;AAChK,eAAO,MAAM,4BAA4B,MAAM,CAAC;AAEhD,0IAA0I;AAC1I,eAAO,MAAM,QAAQ,aAIyB,CAAC;AAC/C,MAAM,MAAM,QAAQ,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,QAAQ,CAAC,CAAC;AAEhD,oHAAoH;AACpH,eAAO,MAAM,gBAAgB,aAAsD,CAAC;AACpF,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC;AAEhE,wBAAwB;AACxB,eAAO,MAAM,KAAK,YAAY,CAAC;AAC/B,MAAM,MAAM,KAAK,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,KAAK,CAAC,CAAC;AAE1C;;;;;;;;;;;;;;;;GAgBG;AACH,eAAO,MAAM,WAAW,6DAGtB,CAAC;AACH,MAAM,MAAM,WAAW,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,WAAW,CAAC,CAAC;AAItD,mEAAmE;AACnE,MAAM,WAAW,OAAO;IACvB,EAAE,EAAE,IAAI,CAAC;IACT,QAAQ,EAAE,QAAQ,CAAC;IACnB,KAAK,EAAE,KAAK,GAAG,IAAI,CAAC;IACpB,cAAc,EAAE,OAAO,CAAC;IACxB,aAAa,EAAE,MAAM,CAAC;IACtB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,IAAI,GAAG,IAAI,CAAC;IACxB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,IAAI,GAAG,IAAI,CAAC;CACxB;AAED,wFAAwF;AACxF,MAAM,WAAW,cAAc;IAC9B,EAAE,EAAE,IAAI,CAAC;IACT,QAAQ,EAAE,QAAQ,CAAC;IACnB,KAAK,EAAE,KAAK,GAAG,IAAI,CAAC;IACpB,cAAc,EAAE,OAAO,CAAC;IACxB,UAAU,EAAE,MAAM,CAAC;CACnB;AAED,wFAAwF;AACxF,MAAM,WAAW,KAAK;IACrB,EAAE,EAAE,IAAI,CAAC;IACT,UAAU,EAAE,IAAI,CAAC;IACjB,IAAI,EAAE,MAAM,CAAC;IACb,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,UAAU,EAAE,IAAI,GAAG,IAAI,CAAC;CACxB;AAED;;;;;GAKG;AACH,eAAO,MAAM,gCAAgC,MAAM,CAAC;AAEpD,oEAAoE;AACpE,MAAM,WAAW,MAAM;IACtB,EAAE,EAAE,IAAI,CAAC;IACT,QAAQ,EAAE,IAAI,CAAC;IACf,IAAI,EAAE,MAAM,CAAC;IACb,6FAA6F;IAC7F,QAAQ,EAAE,IAAI,GAAG,IAAI,CAAC;IACtB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,UAAU,EAAE,IAAI,GAAG,IAAI,CAAC;IACxB,4GAA4G;IAC5G,cAAc,EAAE,MAAM,GAAG,IAAI,CAAC;IAC9B,UAAU,EAAE,IAAI,GAAG,IAAI,CAAC;IACxB,+FAA+F;IAC/F,eAAe,EAAE,IAAI,GAAG,IAAI,CAAC;CAC7B;AAED,eAAO,MAAM,gBAAgB,GAC5B,GAAG;IAAC,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAAC,UAAU,EAAE,MAAM,GAAG,IAAI,CAAA;CAAC,EAC1D,MAAK,IAAiB,KACpB,OAA2E,CAAC;AAE/E,uEAAuE;AACvE,MAAM,WAAW,WAAW;IAC3B,EAAE,EAAE,MAAM,CAAC;IACX,UAAU,EAAE,IAAI,CAAC;IACjB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IACnB,YAAY,EAAE,MAAM,CAAC;CACrB;AAED,6CAA6C;AAC7C,MAAM,WAAW,QAAQ;IACxB,EAAE,EAAE,MAAM,CAAC;IACX,UAAU,EAAE,IAAI,CAAC;IACjB,IAAI,EAAE,MAAM,CAAC;IACb,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5B,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5B,UAAU,EAAE,MAAM,CAAC;CACnB;AAID,0EAA0E;AAC1E,eAAO,MAAM,kBAAkB;;;;;;kBAM7B,CAAC;AACH,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAEpE,6EAA6E;AAC7E,eAAO,MAAM,eAAe;;;;;;kBAM1B,CAAC;AACH,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,eAAe,CAAC,CAAC;AAE9D,4EAA4E;AAC5E,eAAO,MAAM,kBAAkB;;;;;;;;kBAQ7B,CAAC;AACH,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAEpE,4EAA4E;AAC5E,eAAO,MAAM,iBAAiB;;;;;;;kBAO5B,CAAC;AACH,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAC;AAElE,2EAA2E;AAC3E,eAAO,MAAM,gBAAgB;;;kBAG3B,CAAC;AACH,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC;AAEhE,iGAAiG;AACjG,eAAO,MAAM,gBAAgB;;;;;;;;kBAG3B,CAAC;AACH,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC;AAEhE;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,uBAAuB;;;;;;;;kBAQlC,CAAC;AACH,MAAM,MAAM,uBAAuB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,uBAAuB,CAAC,CAAC;AAE9E,kGAAkG;AAClG,eAAO,MAAM,qBAAqB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;kBAKhC,CAAC;AACH,MAAM,MAAM,qBAAqB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,qBAAqB,CAAC,CAAC;AAI1E,MAAM,WAAW,kBAAkB;IAClC,QAAQ,EAAE,QAAQ,CAAC;IACnB,aAAa,EAAE,MAAM,CAAC;IACtB,KAAK,CAAC,EAAE,KAAK,GAAG,IAAI,CAAC;CACrB;AAED,MAAM,WAAW,gBAAgB;IAChC,QAAQ,EAAE,IAAI,CAAC;IACf,IAAI,EAAE,MAAM,CAAC;IACb,2EAA2E;IAC3E,QAAQ,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;IACvB,UAAU,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;IACzB,UAAU,EAAE,IAAI,GAAG,IAAI,CAAC;IACxB,sGAAsG;IACtG,eAAe,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;CAC9B;AAED;;;;;GAKG;AACH,eAAO,MAAM,kBAAkB,GAAI,SAAS,OAAO,KAAG,cAMpD,CAAC;AAEH;;;;;GAKG;AACH,eAAO,MAAM,gBAAgB,GAAI,SAAS,OAAO,KAAG,gBAIlD,CAAC"}
+{"version":3,"file":"account_schema.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/account_schema.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;GAiBG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AACtB,OAAO,EAAC,IAAI,EAAC,MAAM,wBAAwB,CAAC;AAE5C,OAAO,EAAC,QAAQ,EAAE,KAAK,EAAC,MAAM,yBAAyB,CAAC;AAIxD,mEAAmE;AACnE,MAAM,WAAW,OAAO;IACvB,EAAE,EAAE,IAAI,CAAC;IACT,QAAQ,EAAE,QAAQ,CAAC;IACnB,KAAK,EAAE,KAAK,GAAG,IAAI,CAAC;IACpB,cAAc,EAAE,OAAO,CAAC;IACxB,aAAa,EAAE,MAAM,CAAC;IACtB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,IAAI,GAAG,IAAI,CAAC;IACxB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,IAAI,GAAG,IAAI,CAAC;CACxB;AAED,wFAAwF;AACxF,MAAM,WAAW,cAAc;IAC9B,EAAE,EAAE,IAAI,CAAC;IACT,QAAQ,EAAE,QAAQ,CAAC;IACnB,KAAK,EAAE,KAAK,GAAG,IAAI,CAAC;IACpB,cAAc,EAAE,OAAO,CAAC;IACxB,UAAU,EAAE,MAAM,CAAC;CACnB;AAED,4FAA4F;AAC5F,MAAM,WAAW,KAAK;IACrB,EAAE,EAAE,IAAI,CAAC;IACT,UAAU,EAAE,IAAI,CAAC;IACjB,IAAI,EAAE,MAAM,CAAC;IACb,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,UAAU,EAAE,IAAI,GAAG,IAAI,CAAC;CACxB;AAED;;;;;GAKG;AACH,eAAO,MAAM,oCAAoC,MAAM,CAAC;AAExD,wEAAwE;AACxE,MAAM,WAAW,SAAS;IACzB,EAAE,EAAE,IAAI,CAAC;IACT,QAAQ,EAAE,IAAI,CAAC;IACf,IAAI,EAAE,MAAM,CAAC;IACb;;;;;;OAMG;IACH,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,iGAAiG;IACjG,QAAQ,EAAE,IAAI,GAAG,IAAI,CAAC;IACtB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,UAAU,EAAE,IAAI,GAAG,IAAI,CAAC;IACxB,4GAA4G;IAC5G,cAAc,EAAE,MAAM,GAAG,IAAI,CAAC;IAC9B,UAAU,EAAE,IAAI,GAAG,IAAI,CAAC;IACxB,mGAAmG;IACnG,eAAe,EAAE,IAAI,GAAG,IAAI,CAAC;CAC7B;AAED,eAAO,MAAM,oBAAoB,GAChC,GAAG;IAAC,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAAC,UAAU,EAAE,MAAM,GAAG,IAAI,CAAA;CAAC,EAC1D,MAAK,IAAiB,KACpB,OAA2E,CAAC;AAE/E,uEAAuE;AACvE,MAAM,WAAW,WAAW;IAC3B,EAAE,EAAE,MAAM,CAAC;IACX,UAAU,EAAE,IAAI,CAAC;IACjB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IACnB,YAAY,EAAE,MAAM,CAAC;CACrB;AAED,6CAA6C;AAC7C,MAAM,WAAW,QAAQ;IACxB,EAAE,EAAE,MAAM,CAAC;IACX,UAAU,EAAE,IAAI,CAAC;IACjB,IAAI,EAAE,MAAM,CAAC;IACb,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5B,YAAY,EAAE,MAAM,GAAG,IAAI,CAAC;IAC5B,UAAU,EAAE,MAAM,CAAC;CACnB;AAID,0EAA0E;AAC1E,eAAO,MAAM,kBAAkB;;;;;;kBAM7B,CAAC;AACH,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAEpE,6EAA6E;AAC7E,eAAO,MAAM,eAAe;;;;;;kBAM1B,CAAC;AACH,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,eAAe,CAAC,CAAC;AAE9D,4EAA4E;AAC5E,eAAO,MAAM,kBAAkB;;;;;;;;kBAQ7B,CAAC;AACH,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAEpE,gFAAgF;AAChF,eAAO,MAAM,oBAAoB;;;;;;;;kBAQ/B,CAAC;AACH,MAAM,MAAM,oBAAoB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAC;AAExE,2EAA2E;AAC3E,eAAO,MAAM,gBAAgB;;;kBAG3B,CAAC;AACH,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC;AAEhE,iGAAiG;AACjG,eAAO,MAAM,gBAAgB;;;;;;;;kBAG3B,CAAC;AACH,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC;AAEhE;;;;;;;;;;;;GAYG;AACH,eAAO,MAAM,uBAAuB;;;;;;;;;kBASlC,CAAC;AACH,MAAM,MAAM,uBAAuB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,uBAAuB,CAAC,CAAC;AAE9E,sGAAsG;AACtG,eAAO,MAAM,qBAAqB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;kBAKhC,CAAC;AACH,MAAM,MAAM,qBAAqB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,qBAAqB,CAAC,CAAC;AAI1E,MAAM,WAAW,kBAAkB;IAClC,QAAQ,EAAE,QAAQ,CAAC;IACnB,aAAa,EAAE,MAAM,CAAC;IACtB,KAAK,CAAC,EAAE,KAAK,GAAG,IAAI,CAAC;CACrB;AAED,MAAM,WAAW,oBAAoB;IACpC,QAAQ,EAAE,IAAI,CAAC;IACf,IAAI,EAAE,MAAM,CAAC;IACb;;;;OAIG;IACH,UAAU,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IAC3B,+EAA+E;IAC/E,QAAQ,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;IACvB,UAAU,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;IACzB,UAAU,EAAE,IAAI,GAAG,IAAI,CAAC;IACxB,0GAA0G;IAC1G,eAAe,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;CAC9B;AAED;;;;;GAKG;AACH,eAAO,MAAM,kBAAkB,GAAI,SAAS,OAAO,KAAG,cAMpD,CAAC;AAEH;;;;;GAKG;AACH,eAAO,MAAM,gBAAgB,GAAI,SAAS,OAAO,KAAG,gBAIlD,CAAC"}

package/dist/auth/account_schema.js

@@ -2,7 +2,14 @@
  * Auth entity types and client-safe schemas.
  *
  * Defines the runtime types for the fuz identity system:
- * `Account`, `Actor`, `Permit`, `AuthSession`, and `ApiToken`.
+ * `Account`, `Actor`, `RoleGrant`, `AuthSession`, and `ApiToken`.
+ *
+ * Identifier primitives (`Username`, `UsernameProvided`, `Email`) live
+ * in `../primitive_schemas.ts` — they're general validator shapes that
+ * don't depend on the auth domain. The auth-shape request-contract
+ * primitive `ActingActor` lives in `../http/auth_shape.ts` next to
+ * `RouteAuth` (the two pair: `auth.actor !== 'none'` ⟺ input declares
+ * `acting?: ActingActor`).
  *
  * DDL lives in `auth/ddl.ts`; role system in `auth/role_schema.ts`.
  * See docs/identity.md for design rationale.
@@ -11,51 +18,15 @@
  */
 import { z } from 'zod';
 import { Uuid } from '@fuzdev/fuz_util/id.js';
-// TODO consider `.brand()` on Username and Email for compile-time safety
-/** Minimum username length (must have start + middle + end characters). */
-export const USERNAME_LENGTH_MIN = 3;
-/** Maximum username length (matches GitHub's limit). */
-export const USERNAME_LENGTH_MAX = 39;
-/** Maximum length for username input on login/lookup — more permissive than `USERNAME_LENGTH_MAX` for forward-compatibility if the creation limit is raised. */
-export const USERNAME_PROVIDED_LENGTH_MAX = 255;
-/** Username for account creation — starts with letter, alphanumeric/dash/underscore middle, ends with alphanumeric. No @ or . allowed. */
-export const Username = z
-    .string()
-    .min(USERNAME_LENGTH_MIN)
-    .max(USERNAME_LENGTH_MAX)
-    .regex(/^[a-zA-Z][0-9a-zA-Z_-]*[0-9a-zA-Z]$/);
-/** Username submitted for login or lookup — minimal validation for forward-compatibility if format rules change. */
-export const UsernameProvided = z.string().min(1).max(USERNAME_PROVIDED_LENGTH_MAX);
-/** Email validation. */
-export const Email = z.email();
-/**
- * `acting` field shared by every action input that needs the caller's
- * acting actor. Declaring `acting: ActingActor` on an action's input
- * is the signal to the RPC dispatcher / route-spec wrapper to resolve
- * an actor against the authenticated account: the authorization phase
- * runs `resolve_acting_actor`, builds the actor-bound `RequestContext`,
- * and loads permits before auth guards fire.
- *
- * Resolution rules: omitted + 1 actor → use it; omitted + multiple
- * actors → `actor_required` with the available list; supplied + on
- * the account → use it; supplied + foreign actor → `actor_not_on_account`.
- *
- * Account-grain routes — input doesn't declare `acting` and auth
- * doesn't require permits (`role` / `keeper`) — skip resolution
- * entirely; their `RequestContext.actor` is `null` and the audit
- * envelope's `actor_id` stays null.
- */
-export const ActingActor = Uuid.optional().meta({
-    description: 'Actor on the authenticated account that this request acts as. Omit on single-actor accounts; required on multi-actor.',
-});
+import { Username, Email } from '../primitive_schemas.js';
 /**
  * Maximum length of the optional free-form `revoked_reason` attached to a
- * revoked permit. Bounds the value at the schema layer so both the admin
+ * revoked role_grant. Bounds the value at the schema layer so both the admin
  * input (when the route surfaces a reason field) and the revokee-facing
- * `permit_revoke` WS notification validate against the same ceiling.
+ * `role_grant_revoke` WS notification validate against the same ceiling.
  */
-export const PERMIT_REVOKED_REASON_LENGTH_MAX = 500;
-export const is_permit_active = (p, now = new Date()) => !p.revoked_at && (!p.expires_at || new Date(p.expires_at) > now);
+export const ROLE_GRANT_REVOKED_REASON_LENGTH_MAX = 500;
+export const is_role_grant_active = (p, now = new Date()) => !p.revoked_at && (!p.expires_at || new Date(p.expires_at) > now);
 // Client-safe Zod schemas — for route output validation and ActionSpec outputs.
 /** Zod schema for `SessionAccount` — account without sensitive fields. */
 export const SessionAccountJson = z.strictObject({
@@ -83,10 +54,11 @@ export const ClientApiTokenJson = z.strictObject({
     last_used_ip: z.string().nullable(),
     created_at: z.string(),
 });
-/** Zod schema for the permit summary returned in admin account listings. */
-export const PermitSummaryJson = z.strictObject({
+/** Zod schema for the role_grant summary returned in admin account listings. */
+export const RoleGrantSummaryJson = z.strictObject({
     id: Uuid,
     role: z.string(),
+    scope_kind: z.string().nullable(),
     scope_id: Uuid.nullable(),
     created_at: z.string(),
     expires_at: z.string().nullable(),
@@ -103,9 +75,9 @@ export const AdminAccountJson = SessionAccountJson.extend({
     updated_by: Uuid.nullable(),
 });
 /**
- * Zod schema for a pending permit offer surfaced in admin account listings.
+ * Zod schema for a pending role_grant offer surfaced in admin account listings.
  *
- * Deliberately narrower than `PermitOfferJson`: omits `message` and
+ * Deliberately narrower than `RoleGrantOfferJson`: omits `message` and
  * `decline_reason` so cross-admin visibility of the listing does not expose
  * grantor-authored text that the audit log also withholds. Full offer
  * payloads remain available through the offer-specific RPC surface and the
@@ -118,17 +90,18 @@ export const AdminAccountJson = SessionAccountJson.extend({
 export const PendingOfferSummaryJson = z.strictObject({
     id: Uuid,
     role: z.string(),
+    scope_kind: z.string().nullable(),
     scope_id: Uuid.nullable(),
     from_actor_id: Uuid,
     from_username: z.string(),
     created_at: z.string(),
     expires_at: z.string(),
 });
-/** Zod schema for an admin account listing entry (account + actor + permits + pending offers). */
+/** Zod schema for an admin account listing entry (account + actor + role_grants + pending offers). */
 export const AdminAccountEntryJson = z.strictObject({
     account: AdminAccountJson,
     actor: ActorSummaryJson.nullable(),
-    permits: z.array(PermitSummaryJson),
+    role_grants: z.array(RoleGrantSummaryJson),
     pending_offers: z.array(PendingOfferSummaryJson),
 });
 /**