npm - @fuzdev/fuz_app - Versions diffs - 0.55.0 → 0.57.0 - Mend

@fuzdev/fuz_app 0.55.0 → 0.57.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (333) hide show

package/dist/actions/CLAUDE.md +211 -155
package/dist/actions/action_bridge.d.ts +8 -5
package/dist/actions/action_bridge.d.ts.map +1 -1
package/dist/actions/action_bridge.js +1 -11
package/dist/actions/action_codegen.d.ts +19 -0
package/dist/actions/action_codegen.d.ts.map +1 -1
package/dist/actions/action_codegen.js +20 -14
package/dist/actions/action_registry.d.ts.map +1 -1
package/dist/actions/action_registry.js +5 -2
package/dist/actions/action_rpc.d.ts +110 -44
package/dist/actions/action_rpc.d.ts.map +1 -1
package/dist/actions/action_rpc.js +92 -287
package/dist/actions/action_spec.d.ts +55 -16
package/dist/actions/action_spec.d.ts.map +1 -1
package/dist/actions/action_spec.js +16 -11
package/dist/actions/action_types.d.ts +28 -60
package/dist/actions/action_types.d.ts.map +1 -1
package/dist/actions/action_types.js +13 -5
package/dist/actions/broadcast_api.d.ts +2 -2
package/dist/actions/broadcast_api.js +2 -2
package/dist/actions/compile_action_registry.d.ts +50 -0
package/dist/actions/compile_action_registry.d.ts.map +1 -0
package/dist/actions/compile_action_registry.js +69 -0
package/dist/actions/heartbeat.d.ts +8 -4
package/dist/actions/heartbeat.d.ts.map +1 -1
package/dist/actions/heartbeat.js +5 -4
package/dist/actions/perform_action.d.ts +145 -0
package/dist/actions/perform_action.d.ts.map +1 -0
package/dist/actions/perform_action.js +258 -0
package/dist/actions/register_action_ws.d.ts +44 -38
package/dist/actions/register_action_ws.d.ts.map +1 -1
package/dist/actions/register_action_ws.js +101 -159
package/dist/actions/register_ws_endpoint.d.ts +2 -10
package/dist/actions/register_ws_endpoint.d.ts.map +1 -1
package/dist/actions/register_ws_endpoint.js +32 -10
package/dist/actions/transports_ws_auth_guard.d.ts +1 -1
package/dist/actions/transports_ws_auth_guard.js +1 -1
package/dist/actions/transports_ws_backend.d.ts +1 -1
package/dist/actions/transports_ws_backend.js +1 -1
package/dist/auth/CLAUDE.md +673 -442
package/dist/auth/account_action_specs.d.ts +28 -7
package/dist/auth/account_action_specs.d.ts.map +1 -1
package/dist/auth/account_action_specs.js +7 -7
package/dist/auth/account_actions.d.ts +8 -14
package/dist/auth/account_actions.d.ts.map +1 -1
package/dist/auth/account_actions.js +26 -32
package/dist/auth/account_queries.d.ts +46 -13
package/dist/auth/account_queries.d.ts.map +1 -1
package/dist/auth/account_queries.js +73 -33
package/dist/auth/account_routes.d.ts +4 -3
package/dist/auth/account_routes.d.ts.map +1 -1
package/dist/auth/account_routes.js +58 -33
package/dist/auth/account_schema.d.ts +46 -54
package/dist/auth/account_schema.d.ts.map +1 -1
package/dist/auth/account_schema.js +21 -48
package/dist/auth/admin_action_specs.d.ts +55 -21
package/dist/auth/admin_action_specs.d.ts.map +1 -1
package/dist/auth/admin_action_specs.js +42 -26
package/dist/auth/admin_actions.d.ts +14 -21
package/dist/auth/admin_actions.d.ts.map +1 -1
package/dist/auth/admin_actions.js +47 -44
package/dist/auth/audit_emitter.d.ts +160 -0
package/dist/auth/audit_emitter.d.ts.map +1 -0
package/dist/auth/audit_emitter.js +83 -0
package/dist/auth/audit_log_queries.d.ts +17 -87
package/dist/auth/audit_log_queries.d.ts.map +1 -1
package/dist/auth/audit_log_queries.js +17 -96
package/dist/auth/audit_log_routes.d.ts +1 -1
package/dist/auth/audit_log_routes.d.ts.map +1 -1
package/dist/auth/audit_log_routes.js +7 -3
package/dist/auth/audit_log_schema.d.ts +48 -42
package/dist/auth/audit_log_schema.d.ts.map +1 -1
package/dist/auth/audit_log_schema.js +56 -43
package/dist/auth/auth_guard_resolver.d.ts +44 -0
package/dist/auth/auth_guard_resolver.d.ts.map +1 -0
package/dist/auth/auth_guard_resolver.js +56 -0
package/dist/auth/bootstrap_account.d.ts +7 -7
package/dist/auth/bootstrap_account.d.ts.map +1 -1
package/dist/auth/bootstrap_account.js +7 -7
package/dist/auth/bootstrap_routes.d.ts.map +1 -1
package/dist/auth/bootstrap_routes.js +11 -10
package/dist/auth/cleanup.d.ts +20 -26
package/dist/auth/cleanup.d.ts.map +1 -1
package/dist/auth/cleanup.js +33 -47
package/dist/auth/credential_type_schema.d.ts +115 -0
package/dist/auth/credential_type_schema.d.ts.map +1 -0
package/dist/auth/credential_type_schema.js +127 -0
package/dist/auth/daemon_token_middleware.d.ts +1 -1
package/dist/auth/daemon_token_middleware.js +3 -3
package/dist/auth/ddl.d.ts +2 -2
package/dist/auth/ddl.d.ts.map +1 -1
package/dist/auth/ddl.js +6 -6
package/dist/auth/deps.d.ts +7 -32
package/dist/auth/deps.d.ts.map +1 -1
package/dist/auth/grant_path_schema.d.ts +117 -0
package/dist/auth/grant_path_schema.d.ts.map +1 -0
package/dist/auth/grant_path_schema.js +137 -0
package/dist/auth/invite_queries.d.ts +12 -1
package/dist/auth/invite_queries.d.ts.map +1 -1
package/dist/auth/invite_queries.js +12 -1
package/dist/auth/invite_schema.d.ts +1 -1
package/dist/auth/invite_schema.d.ts.map +1 -1
package/dist/auth/invite_schema.js +1 -1
package/dist/auth/middleware.d.ts.map +1 -1
package/dist/auth/middleware.js +5 -2
package/dist/auth/migrations.d.ts +22 -7
package/dist/auth/migrations.d.ts.map +1 -1
package/dist/auth/migrations.js +64 -25
package/dist/auth/request_context.d.ts +157 -170
package/dist/auth/request_context.d.ts.map +1 -1
package/dist/auth/request_context.js +224 -268
package/dist/auth/{permit_offer_action_specs.d.ts → role_grant_offer_action_specs.d.ts} +130 -100
package/dist/auth/role_grant_offer_action_specs.d.ts.map +1 -0
package/dist/auth/role_grant_offer_action_specs.js +262 -0
package/dist/auth/role_grant_offer_actions.d.ts +104 -0
package/dist/auth/role_grant_offer_actions.d.ts.map +1 -0
package/dist/auth/{permit_offer_actions.js → role_grant_offer_actions.js} +153 -140
package/dist/auth/{permit_offer_notifications.d.ts → role_grant_offer_notifications.d.ts} +80 -70
package/dist/auth/role_grant_offer_notifications.d.ts.map +1 -0
package/dist/auth/role_grant_offer_notifications.js +182 -0
package/dist/auth/{permit_offer_queries.d.ts → role_grant_offer_queries.d.ts} +64 -64
package/dist/auth/role_grant_offer_queries.d.ts.map +1 -0
package/dist/auth/{permit_offer_queries.js → role_grant_offer_queries.js} +136 -123
package/dist/auth/role_grant_offer_schema.d.ts +150 -0
package/dist/auth/role_grant_offer_schema.d.ts.map +1 -0
package/dist/auth/{permit_offer_schema.js → role_grant_offer_schema.js} +55 -36
package/dist/auth/role_grant_queries.d.ts +231 -0
package/dist/auth/role_grant_queries.d.ts.map +1 -0
package/dist/auth/role_grant_queries.js +320 -0
package/dist/auth/role_schema.d.ts +150 -40
package/dist/auth/role_schema.d.ts.map +1 -1
package/dist/auth/role_schema.js +144 -45
package/dist/auth/scope_kind_schema.d.ts +96 -0
package/dist/auth/scope_kind_schema.d.ts.map +1 -0
package/dist/auth/scope_kind_schema.js +94 -0
package/dist/auth/self_service_role_action_specs.d.ts +4 -1
package/dist/auth/self_service_role_action_specs.d.ts.map +1 -1
package/dist/auth/self_service_role_action_specs.js +2 -2
package/dist/auth/self_service_role_actions.d.ts +35 -29
package/dist/auth/self_service_role_actions.d.ts.map +1 -1
package/dist/auth/self_service_role_actions.js +58 -48
package/dist/auth/session_cookie.d.ts +43 -6
package/dist/auth/session_cookie.d.ts.map +1 -1
package/dist/auth/session_cookie.js +31 -5
package/dist/auth/session_middleware.d.ts +37 -3
package/dist/auth/session_middleware.d.ts.map +1 -1
package/dist/auth/session_middleware.js +33 -7
package/dist/auth/signup_routes.d.ts.map +1 -1
package/dist/auth/signup_routes.js +48 -19
package/dist/auth/standard_action_specs.d.ts +2 -2
package/dist/auth/standard_action_specs.js +4 -4
package/dist/auth/standard_rpc_actions.d.ts +23 -19
package/dist/auth/standard_rpc_actions.d.ts.map +1 -1
package/dist/auth/standard_rpc_actions.js +12 -12
package/dist/db/migrate.d.ts +1 -1
package/dist/db/migrate.js +1 -1
package/dist/dev/setup.d.ts +2 -2
package/dist/dev/setup.d.ts.map +1 -1
package/dist/dev/setup.js +4 -4
package/dist/env/load.d.ts +1 -1
package/dist/env/load.js +1 -1
package/dist/hono_context.d.ts +27 -45
package/dist/hono_context.d.ts.map +1 -1
package/dist/hono_context.js +14 -28
package/dist/http/CLAUDE.md +235 -121
package/dist/http/auth_shape.d.ts +191 -0
package/dist/http/auth_shape.d.ts.map +1 -0
package/dist/http/auth_shape.js +237 -0
package/dist/http/common_routes.js +3 -3
package/dist/http/db_routes.d.ts +4 -0
package/dist/http/db_routes.d.ts.map +1 -1
package/dist/http/db_routes.js +44 -7
package/dist/http/error_schemas.d.ts +72 -39
package/dist/http/error_schemas.d.ts.map +1 -1
package/dist/http/error_schemas.js +81 -33
package/dist/http/pending_effects.d.ts +71 -18
package/dist/http/pending_effects.d.ts.map +1 -1
package/dist/http/pending_effects.js +87 -18
package/dist/http/proxy.d.ts +52 -5
package/dist/http/proxy.d.ts.map +1 -1
package/dist/http/proxy.js +92 -14
package/dist/http/route_spec.d.ts +89 -75
package/dist/http/route_spec.d.ts.map +1 -1
package/dist/http/route_spec.js +54 -72
package/dist/http/schema_helpers.d.ts +3 -14
package/dist/http/schema_helpers.d.ts.map +1 -1
package/dist/http/schema_helpers.js +2 -14
package/dist/http/surface.d.ts +2 -10
package/dist/http/surface.d.ts.map +1 -1
package/dist/http/surface.js +3 -4
package/dist/http/surface_query.d.ts +39 -35
package/dist/http/surface_query.d.ts.map +1 -1
package/dist/http/surface_query.js +79 -36
package/dist/primitive_schemas.d.ts +39 -0
package/dist/primitive_schemas.d.ts.map +1 -0
package/dist/primitive_schemas.js +40 -0
package/dist/realtime/sse_auth_guard.d.ts +5 -5
package/dist/realtime/sse_auth_guard.js +9 -9
package/dist/runtime/mock.d.ts +1 -1
package/dist/runtime/mock.js +1 -1
package/dist/server/app_backend.d.ts +14 -11
package/dist/server/app_backend.d.ts.map +1 -1
package/dist/server/app_backend.js +12 -8
package/dist/server/app_server.d.ts +7 -7
package/dist/server/app_server.d.ts.map +1 -1
package/dist/server/app_server.js +35 -40
package/dist/server/validate_nginx.d.ts +1 -1
package/dist/server/validate_nginx.js +1 -1
package/dist/testing/CLAUDE.md +50 -38
package/dist/testing/admin_integration.d.ts +5 -6
package/dist/testing/admin_integration.d.ts.map +1 -1
package/dist/testing/admin_integration.js +87 -85
package/dist/testing/app_server.d.ts +11 -14
package/dist/testing/app_server.d.ts.map +1 -1
package/dist/testing/app_server.js +16 -15
package/dist/testing/assertions.d.ts.map +1 -1
package/dist/testing/assertions.js +2 -1
package/dist/testing/attack_surface.d.ts.map +1 -1
package/dist/testing/attack_surface.js +15 -9
package/dist/testing/audit_completeness.d.ts +2 -2
package/dist/testing/audit_completeness.d.ts.map +1 -1
package/dist/testing/audit_completeness.js +36 -36
package/dist/testing/auth_apps.d.ts +5 -4
package/dist/testing/auth_apps.d.ts.map +1 -1
package/dist/testing/auth_apps.js +22 -19
package/dist/testing/data_exposure.d.ts.map +1 -1
package/dist/testing/data_exposure.js +5 -5
package/dist/testing/db.d.ts +1 -1
package/dist/testing/db.d.ts.map +1 -1
package/dist/testing/db.js +4 -4
package/dist/testing/db_entities.d.ts +22 -0
package/dist/testing/db_entities.d.ts.map +1 -0
package/dist/testing/db_entities.js +28 -0
package/dist/testing/entities.d.ts +8 -7
package/dist/testing/entities.d.ts.map +1 -1
package/dist/testing/entities.js +21 -18
package/dist/testing/integration.d.ts.map +1 -1
package/dist/testing/integration.js +13 -14
package/dist/testing/integration_helpers.d.ts +4 -4
package/dist/testing/integration_helpers.d.ts.map +1 -1
package/dist/testing/integration_helpers.js +20 -18
package/dist/testing/middleware.d.ts +4 -4
package/dist/testing/middleware.d.ts.map +1 -1
package/dist/testing/middleware.js +12 -11
package/dist/testing/rpc_attack_surface.d.ts.map +1 -1
package/dist/testing/rpc_attack_surface.js +40 -24
package/dist/testing/rpc_round_trip.d.ts +1 -1
package/dist/testing/rpc_round_trip.d.ts.map +1 -1
package/dist/testing/rpc_round_trip.js +14 -13
package/dist/testing/sse_round_trip.d.ts +3 -4
package/dist/testing/sse_round_trip.d.ts.map +1 -1
package/dist/testing/sse_round_trip.js +7 -11
package/dist/testing/standard.d.ts +1 -1
package/dist/testing/stubs.d.ts +25 -0
package/dist/testing/stubs.d.ts.map +1 -1
package/dist/testing/stubs.js +43 -2
package/dist/testing/surface_invariants.d.ts +14 -6
package/dist/testing/surface_invariants.d.ts.map +1 -1
package/dist/testing/surface_invariants.js +119 -43
package/dist/testing/ws_round_trip.d.ts +12 -13
package/dist/testing/ws_round_trip.d.ts.map +1 -1
package/dist/testing/ws_round_trip.js +19 -11
package/dist/ui/AdminAccounts.svelte +23 -20
package/dist/ui/AdminOverview.svelte +15 -13
package/dist/ui/AdminOverview.svelte.d.ts.map +1 -1
package/dist/ui/{AdminPermitHistory.svelte → AdminRoleGrantHistory.svelte} +12 -12
package/dist/ui/AdminRoleGrantHistory.svelte.d.ts +4 -0
package/dist/ui/AdminRoleGrantHistory.svelte.d.ts.map +1 -0
package/dist/ui/BootstrapForm.svelte +1 -1
package/dist/ui/CLAUDE.md +60 -60
package/dist/ui/{PermitOfferForm.svelte → RoleGrantOfferForm.svelte} +27 -26
package/dist/ui/{PermitOfferForm.svelte.d.ts → RoleGrantOfferForm.svelte.d.ts} +7 -7
package/dist/ui/RoleGrantOfferForm.svelte.d.ts.map +1 -0
package/dist/ui/{PermitOfferHistory.svelte → RoleGrantOfferHistory.svelte} +12 -12
package/dist/ui/{PermitOfferHistory.svelte.d.ts → RoleGrantOfferHistory.svelte.d.ts} +4 -4
package/dist/ui/RoleGrantOfferHistory.svelte.d.ts.map +1 -0
package/dist/ui/{PermitOfferInbox.svelte → RoleGrantOfferInbox.svelte} +14 -14
package/dist/ui/{PermitOfferInbox.svelte.d.ts → RoleGrantOfferInbox.svelte.d.ts} +4 -4
package/dist/ui/RoleGrantOfferInbox.svelte.d.ts.map +1 -0
package/dist/ui/SignupForm.svelte +1 -1
package/dist/ui/SurfaceExplorer.svelte +35 -15
package/dist/ui/SurfaceExplorer.svelte.d.ts.map +1 -1
package/dist/ui/account_sessions_state.svelte.d.ts +2 -3
package/dist/ui/account_sessions_state.svelte.d.ts.map +1 -1
package/dist/ui/account_sessions_state.svelte.js +2 -3
package/dist/ui/admin_accounts_state.svelte.d.ts +18 -18
package/dist/ui/admin_accounts_state.svelte.d.ts.map +1 -1
package/dist/ui/admin_accounts_state.svelte.js +16 -16
package/dist/ui/admin_rpc_adapters.d.ts +20 -20
package/dist/ui/admin_rpc_adapters.d.ts.map +1 -1
package/dist/ui/admin_rpc_adapters.js +17 -17
package/dist/ui/admin_sessions_state.svelte.d.ts +2 -2
package/dist/ui/admin_sessions_state.svelte.js +2 -2
package/dist/ui/audit_log_state.svelte.d.ts +7 -7
package/dist/ui/audit_log_state.svelte.d.ts.map +1 -1
package/dist/ui/audit_log_state.svelte.js +6 -6
package/dist/ui/auth_state.svelte.d.ts +3 -3
package/dist/ui/auth_state.svelte.d.ts.map +1 -1
package/dist/ui/auth_state.svelte.js +6 -6
package/dist/ui/format_scope.d.ts +2 -2
package/dist/ui/format_scope.js +2 -2
package/dist/ui/{permit_offers_state.svelte.d.ts → role_grant_offers_state.svelte.d.ts} +30 -30
package/dist/ui/role_grant_offers_state.svelte.d.ts.map +1 -0
package/dist/ui/{permit_offers_state.svelte.js → role_grant_offers_state.svelte.js} +18 -18
package/dist/ui/ui_format.js +2 -2
package/package.json +3 -3
package/dist/auth/permit_offer_action_specs.d.ts.map +0 -1
package/dist/auth/permit_offer_action_specs.js +0 -258
package/dist/auth/permit_offer_actions.d.ts +0 -110
package/dist/auth/permit_offer_actions.d.ts.map +0 -1
package/dist/auth/permit_offer_notifications.d.ts.map +0 -1
package/dist/auth/permit_offer_notifications.js +0 -182
package/dist/auth/permit_offer_queries.d.ts.map +0 -1
package/dist/auth/permit_offer_schema.d.ts +0 -125
package/dist/auth/permit_offer_schema.d.ts.map +0 -1
package/dist/auth/permit_queries.d.ts +0 -222
package/dist/auth/permit_queries.d.ts.map +0 -1
package/dist/auth/permit_queries.js +0 -305
package/dist/auth/require_keeper.d.ts +0 -20
package/dist/auth/require_keeper.d.ts.map +0 -1
package/dist/auth/require_keeper.js +0 -35
package/dist/auth/route_guards.d.ts +0 -27
package/dist/auth/route_guards.d.ts.map +0 -1
package/dist/auth/route_guards.js +0 -38
package/dist/auth/session_lifecycle.d.ts +0 -37
package/dist/auth/session_lifecycle.d.ts.map +0 -1
package/dist/auth/session_lifecycle.js +0 -29
package/dist/ui/AdminPermitHistory.svelte.d.ts +0 -4
package/dist/ui/AdminPermitHistory.svelte.d.ts.map +0 -1
package/dist/ui/PermitOfferForm.svelte.d.ts.map +0 -1
package/dist/ui/PermitOfferHistory.svelte.d.ts.map +0 -1
package/dist/ui/PermitOfferInbox.svelte.d.ts.map +0 -1
package/dist/ui/permit_offers_state.svelte.d.ts.map +0 -1

package/dist/ui/AdminAccounts.svelte CHANGED Viewed

@@ -1,10 +1,10 @@
 <script lang="ts">
 	/**
-	 * Admin accounts table — users with their permits and pending offers.
+	 * Admin accounts table — users with their role_grants and pending offers.
 	 * Consumes `admin_accounts_rpc_context` (read via `AdminAccountsState`)
 	 * and `format_scope_context` for label rendering. Per-row actions:
-	 * grant role (`permit_offer_create`), revoke permit (`permit_revoke`,
-	 * keyed by `actor_id`), retract pending offer (`permit_offer_retract`).
+	 * grant role (`role_grant_offer_create`), revoke role_grant (`role_grant_revoke`,
+	 * keyed by `actor_id`), retract pending offer (`role_grant_offer_retract`).
 	 *
 	 * @module
 	 */
@@ -22,7 +22,7 @@
 	const get_format_scope = format_scope_context.get();
 	const format_scope = $derived(get_format_scope());
-	// `null` global label: global permits render no scope chip — the implicit default in admin tables.
+	// `null` global label: global role_grants render no scope chip — the implicit default in admin tables.
 	const scope_label = (scope_id: string | null, role: string): string | null =>
 		resolve_scope_label(scope_id, role, format_scope, null);
@@ -30,7 +30,7 @@
 	const columns: Array<DatatableColumn<AdminAccountEntryJson>> = [
 		{key: 'account', label: 'username', width: 180},
-		{key: 'permits', label: 'permits', width: 240},
+		{key: 'role_grants', label: 'role_grants', width: 240},
 		{key: 'actor', label: 'grant', width: 200},
 	];
 </script>
@@ -72,31 +72,34 @@
 							updated {format_relative_time(row.account.updated_at)}
 						</div>
 					{/if}
-				{:else if column.key === 'permits'}
-					{#each row.permits as permit (permit.id)}
-						{@const scope = scope_label(permit.scope_id, permit.role)}
+				{:else if column.key === 'role_grants'}
+					{#each row.role_grants as role_grant (role_grant.id)}
+						{@const scope = scope_label(role_grant.scope_id, role_grant.role)}
 						<div class="row">
-							<span class="chip color_b">{permit.role}</span>
+							<span class="chip color_b">{role_grant.role}</span>
 							{#if scope !== null}
-								<span class="text_50 font_size_sm" title={permit.scope_id ?? undefined}>
+								<span class="text_50 font_size_sm" title={role_grant.scope_id ?? undefined}>
 									{scope}
 								</span>
 							{/if}
-							{#if permit.expires_at}
-								<span class="text_50 font_size_sm" title={format_datetime_local(permit.expires_at)}>
-									expires {format_relative_time(permit.expires_at)}
+							{#if role_grant.expires_at}
+								<span
+									class="text_50 font_size_sm"
+									title={format_datetime_local(role_grant.expires_at)}
+								>
+									expires {format_relative_time(role_grant.expires_at)}
 								</span>
 							{/if}
 							{#if admin_accounts.has_rpc && row.actor}
 								{@const actor_id = row.actor.id}
 								<ConfirmButton
-									onconfirm={() => admin_accounts.revoke_permit(actor_id, permit.id)}
-									title="revoke {permit.role}"
+									onconfirm={() => admin_accounts.revoke_role_grant(actor_id, role_grant.id)}
+									title="revoke {role_grant.role}"
 									class="sm"
-									disabled={admin_accounts.revoking_ids.has(permit.id)}
+									disabled={admin_accounts.revoking_ids.has(role_grant.id)}
 								>
 									{#snippet children(_popover, _confirm)}
-										{admin_accounts.revoking_ids.has(permit.id) ? 'revoking…' : 'revoke'}
+										{admin_accounts.revoking_ids.has(role_grant.id) ? 'revoking…' : 'revoke'}
 									{/snippet}
 								</ConfirmButton>
 							{/if}
@@ -130,15 +133,15 @@
 							{/if}
 						</div>
 					{/each}
-					{#if row.permits.length === 0 && row.pending_offers.length === 0}
+					{#if row.role_grants.length === 0 && row.pending_offers.length === 0}
 						<span class="text_50">none</span>
 					{/if}
 				{:else if column.key === 'actor'}
 					{#if admin_accounts.has_rpc}
 						{#each admin_accounts.grantable_roles as role (role)}
-							{#if !row.permits.some((p) => p.role === role) && !row.pending_offers.some((o) => o.role === role)}
+							{#if !row.role_grants.some((p) => p.role === role) && !row.pending_offers.some((o) => o.role === role)}
 								<ConfirmButton
-									onconfirm={() => admin_accounts.grant_permit(row.account.id, role)}
+									onconfirm={() => admin_accounts.create_role_grant(row.account.id, role)}
 									title="offer {role}"
 									class="sm"
 									disabled={admin_accounts.granting_keys.has(`${row.account.id}:${role}`)}

package/dist/ui/AdminOverview.svelte CHANGED Viewed

@@ -3,7 +3,7 @@
 	 * Admin dashboard — six summary panels (accounts, sessions, invites,
 	 * recent activity, security, system) fed by parallel `fetch()` calls
 	 * on mount. Consumes all four admin RPC contexts plus `auth_state_context`;
-	 * derives `role_counts`, `failed_logins`, and `permit_changes` from the
+	 * derives `role_counts`, `failed_logins`, and `role_grant_changes` from the
 	 * audit log slice.
 	 *
 	 * @module
@@ -39,14 +39,16 @@
 		// eslint-disable-next-line svelte/prefer-svelte-reactivity
 		const counts = new Map<string, number>();
 		for (const entry of accounts.accounts) {
-			const roles = new Set(entry.permits.map((p) => p.role));
+			const roles = new Set(entry.role_grants.map((p) => p.role));
 			for (const role of roles) {
 				counts.set(role, (counts.get(role) || 0) + 1);
 			}
 		}
 		return Array.from(counts.entries());
 	});
-	const unroled_count = $derived(accounts.accounts.filter((a) => a.permits.length === 0).length);
+	const unroled_count = $derived(
+		accounts.accounts.filter((a) => a.role_grants.length === 0).length,
+	);
 	// sessions
 	const unique_users = $derived(new Set(sessions.sessions.map((s) => s.username)).size);
@@ -63,9 +65,9 @@
 	const failed_logins = $derived(
 		audit_log.events.filter((e) => e.event_type === 'login' && e.outcome === 'failure'),
 	);
-	const permit_changes = $derived(
+	const role_grant_changes = $derived(
 		audit_log.events.filter(
-			(e) => e.event_type === 'permit_grant' || e.event_type === 'permit_revoke',
+			(e) => e.event_type === 'role_grant_create' || e.event_type === 'role_grant_revoke',
 		),
 	);
@@ -108,10 +110,10 @@
 					{#each accounts.accounts.slice(0, 6) as entry (entry)}
 						<li>
 							<strong>{entry.account.username}</strong>
-							{#each entry.permits as permit (permit.id)}
-								<span class="chip font_size_sm">{permit.role}</span>
+							{#each entry.role_grants as role_grant (role_grant.id)}
+								<span class="chip font_size_sm">{role_grant.role}</span>
 							{/each}
-							{#if entry.permits.length === 0}
+							{#if entry.role_grants.length === 0}
 								<span class="text_50 font_size_sm">no roles</span>
 							{/if}
 						</li>
@@ -244,17 +246,17 @@
 				<span class="text_50">failed logins</span>
 			</div>
 			<div class="baseline-row gap_xs">
-				<strong class="font_size_lg">{permit_changes.length}</strong>
-				<span class="text_50">permit changes</span>
+				<strong class="font_size_lg">{role_grant_changes.length}</strong>
+				<span class="text_50">role_grant changes</span>
 			</div>
-			{#if permit_changes.length > 0}
+			{#if role_grant_changes.length > 0}
 				<ul class="compact-list">
-					{#each permit_changes.slice(0, 4) as event (event.id)}
+					{#each role_grant_changes.slice(0, 4) as event (event.id)}
 						<li class="font_size_sm">
 							<span class="text_50" title={format_datetime_local(event.created_at)}
 								>{format_relative_time(event.created_at)}</span
 							>
-							<code>{event.event_type === 'permit_grant' ? 'grant' : 'revoke'}</code>
+							<code>{event.event_type === 'role_grant_create' ? 'grant' : 'revoke'}</code>
 							{#if event.metadata?.role}
 								<span class="chip font_size_sm">{event.metadata.role}</span>
 							{/if}

package/dist/ui/AdminOverview.svelte.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"AdminOverview.svelte.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/ui/AdminOverview.svelte"],"names":[],"mappings":"~~AA0UA~~,QAAA,MAAM,aAAa,2DAAwC,CAAC;AAC5D,KAAK,aAAa,GAAG,UAAU,CAAC,OAAO,aAAa,CAAC,CAAC;AACtD,eAAe,aAAa,CAAC"}
1	+ {"version":3,"file":"AdminOverview.svelte.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/ui/AdminOverview.svelte"],"names":[],"mappings":"AA4UA,QAAA,MAAM,aAAa,2DAAwC,CAAC;AAC5D,KAAK,aAAa,GAAG,UAAU,CAAC,OAAO,aAAa,CAAC,CAAC;AACtD,eAAe,aAAa,CAAC"}

package/dist/ui/{AdminPermitHistory.svelte → AdminRoleGrantHistory.svelte} RENAMED Viewed

@@ -1,8 +1,8 @@
 <script lang="ts">
 	/**
-	 * Permit grant/revoke history table. Consumes `audit_log_rpc_context`,
-	 * calls `audit_log.fetch_permit_history()` once on mount (the
-	 * `audit_log_permit_history` RPC). Uses `format_scope_context` to render
+	 * Role grant create/revoke history table. Consumes `audit_log_rpc_context`,
+	 * calls `audit_log.fetch_role_grant_history()` once on mount (the
+	 * `audit_log_role_grant_history` RPC). Uses `format_scope_context` to render
 	 * scope ids as human labels.
 	 *
 	 * @module
@@ -12,7 +12,7 @@
 	import {format_relative_time, format_datetime_local, truncate_uuid} from './ui_format.js';
 	import Datatable from './Datatable.svelte';
 	import type {DatatableColumn} from './datatable.js';
-	import type {PermitHistoryEventJson} from '../auth/audit_log_schema.js';
+	import type {RoleGrantHistoryEventJson} from '../auth/audit_log_schema.js';
 	import {format_scope_context, resolve_scope_label} from './format_scope.js';
 	const get_rpc = audit_log_rpc_context.get();
@@ -20,9 +20,9 @@
 	const get_format_scope = format_scope_context.get();
 	const format_scope = $derived(get_format_scope());
-	void audit_log.fetch_permit_history();
+	void audit_log.fetch_role_grant_history();
-	const columns: Array<DatatableColumn<PermitHistoryEventJson>> = [
+	const columns: Array<DatatableColumn<RoleGrantHistoryEventJson>> = [
 		{key: 'event_type', label: 'action', width: 100},
 		{key: 'metadata', label: 'role', width: 160},
 		{key: 'username', label: 'by', width: 140},
@@ -38,22 +38,22 @@
 </script>
 <section>
-	<h1>permit history</h1>
+	<h1>role_grant history</h1>
 	{#if audit_log.loading}
-		<p class="text_50">loading permit history...</p>
+		<p class="text_50">loading role_grant history...</p>
 	{:else if audit_log.error}
 		<p class="color_c_50">{audit_log.error}</p>
 	{:else}
-		<Datatable {columns} rows={audit_log.permit_history_events} height="400px" row_key="id">
+		<Datatable {columns} rows={audit_log.role_grant_history_events} height="400px" row_key="id">
 			{#snippet cell(column, row)}
 				{#if column.key === 'event_type'}
 					<span
 						class="chip"
-						class:color_b={row.event_type === 'permit_grant'}
-						class:color_c={row.event_type === 'permit_revoke'}
+						class:color_b={row.event_type === 'role_grant_create'}
+						class:color_c={row.event_type === 'role_grant_revoke'}
 					>
-						{row.event_type === 'permit_grant' ? 'grant' : 'revoke'}
+						{row.event_type === 'role_grant_create' ? 'grant' : 'revoke'}
 					</span>
 				{:else if column.key === 'metadata'}
 					{#if row.metadata}

package/dist/ui/AdminRoleGrantHistory.svelte.d.ts ADDED Viewed

@@ -0,0 +1,4 @@
+declare const AdminRoleGrantHistory: import("svelte").Component<Record<string, never>, {}, "">;
+type AdminRoleGrantHistory = ReturnType<typeof AdminRoleGrantHistory>;
+export default AdminRoleGrantHistory;
+//# sourceMappingURL=AdminRoleGrantHistory.svelte.d.ts.map

package/dist/ui/AdminRoleGrantHistory.svelte.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"AdminRoleGrantHistory.svelte.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/ui/AdminRoleGrantHistory.svelte"],"names":[],"mappings":"AAiGA,QAAA,MAAM,qBAAqB,2DAAwC,CAAC;AACpE,KAAK,qBAAqB,GAAG,UAAU,CAAC,OAAO,qBAAqB,CAAC,CAAC;AACtE,eAAe,qBAAqB,CAAC"}

package/dist/ui/BootstrapForm.svelte CHANGED Viewed

@@ -17,7 +17,7 @@
 	import PendingButton from '@fuzdev/fuz_ui/PendingButton.svelte';
 	import {autofocus} from '@fuzdev/fuz_ui/autofocus.svelte.js';
-	import {Username} from '../auth/account_schema.js';
+	import {Username} from '../primitive_schemas.js';
 	import {PASSWORD_LENGTH_MIN} from '../auth/password.js';
 	import {auth_state_context} from './auth_state.svelte.js';
 	import {FormState} from './form_state.svelte.js';

package/dist/ui/CLAUDE.md CHANGED Viewed

@@ -7,7 +7,7 @@ hold `$state` fields exclusively via runes. Shared dependencies flow
 through Svelte context, never through props — RPC adapters in particular
 are provisioned once at the admin shell and read by every `Admin*.svelte`.
-See ../../docs/usage.md for end-to-end wiring examples (sections "Permit
+See ../../docs/usage.md for end-to-end wiring examples (sections "Role grant
 offer UI" and "Admin UI"). This file is a reference, not a tutorial.
 ## Key patterns
@@ -19,8 +19,8 @@ Five narrow RPC adapter contexts — `admin_accounts_rpc_context`,
 `app_settings_rpc_context`, `account_sessions_rpc_context` — carry a
 reactive `() => Rpc | null` accessor. All five declare a `() => () => null`
 default so components mounted without a provisioner render the "rpc adapter
-not wired" state instead of crashing. (`permit_offers_state_context` carries
-a `PermitOffersState` directly, not an RPC accessor, and isn't counted
+not wired" state instead of crashing. (`role_grant_offers_state_context` carries
+a `RoleGrantOffersState` directly, not an RPC accessor, and isn't counted
 here.) The standard consumer shape:
 ```ts
@@ -43,14 +43,13 @@ context — RPC adapters are never threaded through props.
 Every state class backed by a narrow RPC interface exposes a `has_rpc`
 getter. When `false`, `fetch()`, mutations, and `subscribe` no-op and
-set `error` to `'rpc adapter not wired'`. Post-2026-04-23 RPC migration
-this applies uniformly — `AdminSessionsState`'s listing + mutations all
-run through the shared `AdminAccountsRpc`, so `has_rpc` gates the whole
-surface.
+set `error` to `'rpc adapter not wired'`. `AdminSessionsState`'s listing
+plus mutations all run through the shared `AdminAccountsRpc`, so
+`has_rpc` gates the whole surface.
 ### `$state.raw` Map keyed by id + `$derived` views
-`PermitOffersState` maintains a single `Map<string, PermitOfferJson>` in
+`RoleGrantOffersState` maintains a single `Map<string, RoleGrantOfferJson>` in
 `$state.raw`, keyed by offer id, and exposes `incoming` / `outgoing` /
 `history` as `$derived.by` arrays. Writes go through `#merge_offers`
 (clone-and-replace) / `#remove_offer` — never mutate the Map in place
@@ -58,13 +57,13 @@ because `$state.raw` expects reference swaps.
 ### Reducer pattern for WS notifications
-`PermitOffersState.apply_notification(notification)` is the single
+`RoleGrantOffersState.apply_notification(notification)` is the single
 reducer — `subscribe(subscribe_fn)` is a thin subscription adapter over
-it. Six methods land on the reducer: `permit_offer_received` /
+it. Six methods land on the reducer: `role_grant_offer_received` /
 `_retracted` / `_accepted` / `_declined` / `_supersede` all merge a
-`{offer}` payload; `permit_revoke` is ignored at this layer (permit
-lifecycle lives in auth/permits state). The six notification specs and
-their payload shapes are defined in `../auth/permit_offer_notifications.ts`
+`{offer}` payload; `role_grant_revoke` is ignored at this layer (role_grant
+lifecycle lives in auth/role_grants state). The six notification specs and
+their payload shapes are defined in `../auth/role_grant_offer_notifications.ts`
 (see `../auth/CLAUDE.md` §WS notifications).
 ### Svelte 5 inline `$props` shape
@@ -76,7 +75,7 @@ conventions.
 ### Context over props for shared deps
-Auth, RPC adapters, sidebar, and permit offers all flow through
+Auth, RPC adapters, sidebar, and role_grant offers all flow through
 `create_context` from `@fuzdev/fuz_ui/context_helpers.js`. Components
 consume with `const x = x_context.get()` (or a `get_rpc`/`$derived`
 pair when the value may change reactively). New shared state joins the
@@ -126,9 +125,9 @@ Every admin component below consumes its RPC adapter via the matching
 context and delegates rendering to `Datatable` + `ConfirmButton` for
 destructive actions.
-- `AdminAccounts.svelte` — accounts + permits + pending offers.
+- `AdminAccounts.svelte` — accounts + role_grants + pending offers.
   Consumes `admin_accounts_rpc_context`. Per-row actions: grant (+role
-  chip with `ConfirmButton`), revoke (`actor_id` + `permit_id`),
+  chip with `ConfirmButton`), revoke (`actor_id` + `role_grant_id`),
   retract pending offer. Tracks `granting_keys` / `revoking_ids` /
   `retracting_ids` for per-action spinners.
 - `AdminAuditLog.svelte` — audit event stream. Consumes
@@ -140,11 +139,11 @@ destructive actions.
 - `AdminOverview.svelte` — dashboard panels (accounts / sessions /
   invites / recent activity / security / system). Consumes all four
   RPC contexts plus `auth_state_context`; fetches in parallel on mount.
-  Derives `role_counts`, `failed_logins`, `permit_changes` from
+  Derives `role_counts`, `failed_logins`, `role_grant_changes` from
   the audit log.
-- `AdminPermitHistory.svelte` — permit-grant/revoke history table.
+- `AdminRoleGrantHistory.svelte` — role-grant-create/revoke history table.
   Consumes `audit_log_rpc_context`, calls
-  `audit_log.fetch_permit_history()` once on mount.
+  `audit_log.fetch_role_grant_history()` once on mount.
 - `AdminSessions.svelte` — cross-account active sessions.
   Both listing (`admin_session_list` RPC) and the two revoke-all
   mutations go through `admin_accounts_rpc_context` (reused).
@@ -161,41 +160,42 @@ destructive actions.
   dump `params`/`query`/`input`/`output`/`errors` schemas as JSON.
   Also tables middleware, env, events, and diagnostics.
-## Permit offers
+## Role grant offers
-- `PermitOfferInbox.svelte` — recipient-side pending inbox; renders
-  `PermitOffersState.incoming`. Props: `format_actor?`, `format_scope?`,
+- `RoleGrantOfferInbox.svelte` — recipient-side pending inbox; renders
+  `RoleGrantOffersState.incoming`. Props: `format_actor?`, `format_scope?`,
   `format_role?` — consumers plug in display names for actor/scope ids.
   Accept is a `PendingButton`; decline is a `ConfirmButton` whose
-  popover contains a textarea (max `PERMIT_OFFER_MESSAGE_LENGTH_MAX`).
-- `PermitOfferForm.svelte` — grantor-side create form. Props:
+  popover contains a textarea (max `ROLE_GRANT_OFFER_MESSAGE_LENGTH_MAX`).
+- `RoleGrantOfferForm.svelte` — grantor-side create form. Props:
   `to_account_id`, `to_actor_id = null` (optional — narrows the offer
   to a specific actor on the recipient account; default account-grain),
-  `roles: Array<string>` (pre-filtered upstream by `web_grantable`),
+  `roles: Array<string>` (pre-filtered upstream by admin-grant-path —
+  `RoleSpec.grant_paths` includes `'admin'`),
   `scope_id = null`, `on_created?`, `format_role?`. Surfaces five
-  reason codes with friendly copy: `ERROR_OFFER_SELF_TARGET`,
-  `ERROR_OFFER_ROLE_NOT_GRANTABLE`, `ERROR_OFFER_NOT_AUTHORIZED`,
-  `ERROR_OFFER_ACTOR_ACCOUNT_MISMATCH`, `ERROR_OFFER_ACTOR_MISMATCH`
-  — imported from `../auth/permit_offer_action_specs.js` (see
-  `../auth/CLAUDE.md` for `permit_offer_action_specs.ts` +
-  `permit_offer_actions.ts`).
-- `PermitOfferHistory.svelte` — both-directions history (recipient +
+  reason codes with friendly copy: `ERROR_ROLE_GRANT_OFFER_SELF_TARGET`,
+  `ERROR_ROLE_GRANT_OFFER_ROLE_NOT_GRANTABLE`, `ERROR_ROLE_GRANT_OFFER_NOT_AUTHORIZED`,
+  `ERROR_ROLE_GRANT_OFFER_ACTOR_ACCOUNT_MISMATCH`, `ERROR_ROLE_GRANT_OFFER_ACTOR_MISMATCH`
+  — imported from `../auth/role_grant_offer_action_specs.js` (see
+  `../auth/CLAUDE.md` for `role_grant_offer_action_specs.ts` +
+  `role_grant_offer_actions.ts`).
+- `RoleGrantOfferHistory.svelte` — both-directions history (recipient +
   grantor, including terminal). Props: `current_actor_id: string | null`
   (classifies row as "sent" vs "received"), `format_actor?`,
   `format_scope?`, `format_role?`. Consumes
-  `permit_offers_state_context`; caller seeds via
-  `PermitOffersState.fetch_history()`.
-- `permit_offers_state.svelte.ts` — `PermitOffersState` (extends
-  `Loadable`) + `permit_offers_state_context`. Options:
-  `rpc: PermitOffersRpc`, `account_id: () => string | null`,
-  `actor_id: () => string | null`. The narrow `PermitOffersRpc`
+  `role_grant_offers_state_context`; caller seeds via
+  `RoleGrantOffersState.fetch_history()`.
+- `role_grant_offers_state.svelte.ts` — `RoleGrantOffersState` (extends
+  `Loadable`) + `role_grant_offers_state_context`. Options:
+  `rpc: RoleGrantOffersRpc`, `account_id: () => string | null`,
+  `actor_id: () => string | null`. The narrow `RoleGrantOffersRpc`
   interface has six methods: `list`, `history`, `create`, `accept`,
   `decline`, `retract`. `$state.raw` Map keyed by offer id;
   `$derived.by` views: `incoming` (recipient-side pending, soonest-
   expiry first), `outgoing` (grantor-side pending, newest-created
   first), `history` (all known, newest-created first). Reducer
-  `apply_notification` handles the six permit-offer notification
-  methods; `permit_revoke` is deliberately ignored here (auth/permits
+  `apply_notification` handles the six role-grant-offer notification
+  methods; `role_grant_revoke` is deliberately ignored here (auth/role_grants
   concern). `reset()` clears the Map.
 ## State primitives
@@ -209,8 +209,8 @@ destructive actions.
 - `auth_state.svelte.ts` — `AuthState`, `auth_state_context`.
   Fields: `verifying`, `verified`, `verify_error`, `account`, `actor`
   (the caller's own `ActorSummaryJson` — surfaced directly so consumers
-  don't derive `actor_id` from the permit list), `permits`,
-  `active_permits` (derived via `is_permit_active`), `roles` (derived),
+  don't derive `actor_id` from the role_grant list), `role_grants`,
+  `active_role_grants` (derived via `is_role_grant_active`), `roles` (derived),
   `needs_bootstrap`. Methods: `check_session()`
   (GET `/api/account/status`), `login`, `bootstrap`, `signup`,
   `logout`. Handles 401/403/409/429 translations inline.
@@ -238,24 +238,24 @@ destructive actions.
   `account_session_revoke_all` RPC actions. Derived `active_count`.
 - `audit_log_state.svelte.ts` — `AuditLogState` extends `Loadable`
   - `audit_log_rpc_context` + narrow `AuditLogRpc` (`list` +
-    `permit_history`). Fields: `events`, `permit_history_events`,
+    `role_grant_history`). Fields: `events`, `role_grant_history_events`,
     `connected`. Internal `#last_seq` for SSE gap fill on reconnect.
-    Methods: `fetch(options?)` (RPC), `fetch_permit_history`,
+    Methods: `fetch(options?)` (RPC), `fetch_role_grant_history`,
     `subscribe()` (opens `EventSource` at `#stream_url`, default
     `/api/admin/audit/stream`; prepends new events; refills gap
     via `since_seq`), `disconnect()`. SSE stays on `EventSource` —
     streaming is not an RPC concern.
 - `admin_accounts_state.svelte.ts` — `AdminAccountsState` extends
   `Loadable` + `admin_accounts_rpc_context` + narrow
-  `AdminAccountsRpc` (six methods: `list_accounts`, `grant_permit`,
-  `revoke_permit`, `retract_offer`, `session_revoke_all`,
+  `AdminAccountsRpc` (six methods: `list_accounts`, `create_role_grant`,
+  `revoke_role_grant`, `retract_offer`, `session_revoke_all`,
   `token_revoke_all` — the last two are also reused by
   `AdminSessionsState`). `SvelteSet`s for in-flight tracking:
   `granting_keys` (`${account_id}:${role}` for the account-grain
-  default; `${account_id}:${role}:${to_actor_id}` when `grant_permit`
-  is called with an actor-targeted offer), `revoking_ids` (permit id),
-  `retracting_ids` (offer id). `revoke_permit` keys on `actor_id`
-  (permits are actor-scoped — matches `row.actor.id` straight from the
+  default; `${account_id}:${role}:${to_actor_id}` when `create_role_grant`
+  is called with an actor-targeted offer), `revoking_ids` (role_grant id),
+  `retracting_ids` (offer id). `revoke_role_grant` keys on `actor_id`
+  (role_grants are actor-scoped — matches `row.actor.id` straight from the
   listing) with optional `reason`.
 - `admin_invites_state.svelte.ts` — `AdminInvitesState` extends
   `Loadable` + `admin_invites_rpc_context` + narrow
@@ -280,8 +280,8 @@ destructive actions.
   objects. `provide_admin_rpc_contexts(adapters)` calls `set` on all
   four contexts in one shot. One line at the admin shell layout:
   `provide_admin_rpc_contexts(create_admin_rpc_adapters(api))`.
-  Method-name mapping is in the module TSDoc (`grant_permit` →
-  `permit_offer_create`, `retract_offer` → `permit_offer_retract`, etc.)
+  Method-name mapping is in the module TSDoc (`create_role_grant` →
+  `role_grant_offer_create`, `retract_offer` → `role_grant_offer_retract`, etc.)
   and the `admin_rpc_adapters.test.ts` fixtures.
 ## RPC adapter contexts
@@ -299,24 +299,24 @@ provisioner pattern.
 - `admin_invites_rpc_context` — `() => AdminInvitesRpc | null`.
   Consumed by `AdminInvites`, `AdminOverview`.
 - `audit_log_rpc_context` — `() => AuditLogRpc | null`. Consumed by
-  `AdminAuditLog`, `AdminPermitHistory`, `AdminOverview`.
+  `AdminAuditLog`, `AdminRoleGrantHistory`, `AdminOverview`.
 - `app_settings_rpc_context` — `() => AppSettingsRpc | null`.
   Consumed by `OpenSignupToggle`, `AdminOverview`.
 - `account_sessions_rpc_context` — `() => AccountSessionsRpc | null`.
   Consumed by `AccountSessions`.
-- `permit_offers_state_context` — carries `PermitOffersState`
-  directly. Consumed by `PermitOfferInbox`, `PermitOfferForm`,
-  `PermitOfferHistory`. Wiring is ctor-bound (RPC + account/actor
-  getters), so there's no separate `permit_offers_rpc_context`.
+- `role_grant_offers_state_context` — carries `RoleGrantOffersState`
+  directly. Consumed by `RoleGrantOfferInbox`, `RoleGrantOfferForm`,
+  `RoleGrantOfferHistory`. Wiring is ctor-bound (RPC + account/actor
+  getters), so there's no separate `role_grant_offers_rpc_context`.
 - `format_scope_context` — `() => FormatScope` (getter shape, matching
   the RPC contexts above). `FormatScope = ({scope_id, role}) => string |
 null`; default returns `null` so callers fall back to the raw uuid.
   Provisioned by `provide_admin_rpc_contexts(adapters, {format_scope})`.
-  Consumed by `AdminAccounts`, `AdminPermitHistory`, `PermitOfferInbox`,
-  `PermitOfferHistory` via the `resolve_scope_label(scope_id, role,
+  Consumed by `AdminAccounts`, `AdminRoleGrantHistory`, `RoleGrantOfferInbox`,
+  `RoleGrantOfferHistory` via the `resolve_scope_label(scope_id, role,
 format_scope, global_label)` helper — `global_label = null` renders no
   chip (admin tables); `'global'` renders an explicit label (offer
-  surfaces). `PermitOfferInbox` / `PermitOfferHistory` accept a
+  surfaces). `RoleGrantOfferInbox` / `RoleGrantOfferHistory` accept a
   `format_scope?: FormatScope` prop — same shape as the context, prop
   wins when supplied.
 - `sidebar_state_context` — `() => SidebarState`. Provisioned by

package/dist/ui/{PermitOfferForm.svelte → RoleGrantOfferForm.svelte} RENAMED Viewed

@@ -1,9 +1,10 @@
 <script lang="ts">
 	/**
-	 * Grantor-side permit offer form.
+	 * Grantor-side role_grant offer form.
 	 *
 	 * Caller supplies `to_account_id`, the subset of roles the grantor may
-	 * offer (typically filtered by `web_grantable`), an optional `scope_id`,
+	 * offer (typically filtered by admin-grant-path — `RoleSpec.grant_paths`
+	 * includes `'admin'`), an optional `scope_id`,
 	 * and an optional `on_created` callback for post-submit UX. Errors from
 	 * the RPC surface the three distinct reason codes — self-target,
 	 * role-not-grantable, not-authorized — so consumers can render them
@@ -12,19 +13,19 @@
 	import PendingButton from '@fuzdev/fuz_ui/PendingButton.svelte';
-	import {permit_offers_state_context} from './permit_offers_state.svelte.js';
+	import {role_grant_offers_state_context} from './role_grant_offers_state.svelte.js';
 	import {FormState} from './form_state.svelte.js';
 	import {
-		PERMIT_OFFER_MESSAGE_LENGTH_MAX,
-		type PermitOfferJson,
-	} from '../auth/permit_offer_schema.js';
+		ROLE_GRANT_OFFER_MESSAGE_LENGTH_MAX,
+		type RoleGrantOfferJson,
+	} from '../auth/role_grant_offer_schema.js';
 	import {
-		ERROR_OFFER_ACTOR_ACCOUNT_MISMATCH,
-		ERROR_OFFER_ACTOR_MISMATCH,
-		ERROR_OFFER_NOT_AUTHORIZED,
-		ERROR_OFFER_ROLE_NOT_GRANTABLE,
-		ERROR_OFFER_SELF_TARGET,
-	} from '../auth/permit_offer_action_specs.js';
+		ERROR_ROLE_GRANT_OFFER_ACTOR_ACCOUNT_MISMATCH,
+		ERROR_ROLE_GRANT_OFFER_ACTOR_MISMATCH,
+		ERROR_ROLE_GRANT_OFFER_NOT_AUTHORIZED,
+		ERROR_ROLE_GRANT_OFFER_ROLE_NOT_GRANTABLE,
+		ERROR_ROLE_GRANT_OFFER_SELF_TARGET,
+	} from '../auth/role_grant_offer_action_specs.js';
 	const {
 		to_account_id,
@@ -41,15 +42,15 @@
 		 * actor on the recipient account may accept.
 		 */
 		to_actor_id?: string | null;
-		/** Roles the caller may offer — caller filters by `web_grantable` upstream. */
+		/** Roles the caller may offer — caller filters upstream (default: admin-grant-path). */
 		roles: Array<string>;
 		/** Resource scope for the offer; `null` (default) yields a global offer. */
 		scope_id?: string | null;
-		on_created?: (offer: PermitOfferJson) => void;
+		on_created?: (offer: RoleGrantOfferJson) => void;
 		format_role?: (role: string) => string;
 	} = $props();
-	const permit_offers = permit_offers_state_context.get();
+	const role_grant_offers = role_grant_offers_state_context.get();
 	const form_state = new FormState();
 	let role: string | undefined = $state.raw();
@@ -57,19 +58,19 @@
 	let message = $state.raw('');
 	let local_error: string | null = $state.raw(null);
-	const submitting = $derived(permit_offers.loading);
+	const submitting = $derived(role_grant_offers.loading);
 	const surface_error = (reason: string | null): string | null => {
 		switch (reason) {
-			case ERROR_OFFER_SELF_TARGET:
-				return 'You cannot offer a permit to yourself.';
-			case ERROR_OFFER_ROLE_NOT_GRANTABLE:
+			case ERROR_ROLE_GRANT_OFFER_SELF_TARGET:
+				return 'You cannot offer a role_grant to yourself.';
+			case ERROR_ROLE_GRANT_OFFER_ROLE_NOT_GRANTABLE:
 				return 'That role cannot be offered through this form.';
-			case ERROR_OFFER_NOT_AUTHORIZED:
+			case ERROR_ROLE_GRANT_OFFER_NOT_AUTHORIZED:
 				return 'You are not authorized to offer that role.';
-			case ERROR_OFFER_ACTOR_ACCOUNT_MISMATCH:
+			case ERROR_ROLE_GRANT_OFFER_ACTOR_ACCOUNT_MISMATCH:
 				return 'That actor is not on the recipient account.';
-			case ERROR_OFFER_ACTOR_MISMATCH:
+			case ERROR_ROLE_GRANT_OFFER_ACTOR_MISMATCH:
 				return 'This offer is for a different actor on the recipient account.';
 			default:
 				return null;
@@ -83,7 +84,7 @@
 			form_state.focus('role');
 			return;
 		}
-		const offer = await permit_offers.create({
+		const offer = await role_grant_offers.create({
 			to_account_id,
 			to_actor_id,
 			role: selected_role,
@@ -97,12 +98,12 @@
 			return;
 		}
 		// Structured error data carries the reason; fall back to raw error string.
-		const data = permit_offers.error_data as
+		const data = role_grant_offers.error_data as
 			| {data?: {reason?: string}; reason?: string}
 			| null
 			| undefined;
 		const reason = data?.data?.reason ?? data?.reason ?? null;
-		local_error = surface_error(reason) ?? permit_offers.error;
+		local_error = surface_error(reason) ?? role_grant_offers.error;
 	};
 </script>
@@ -133,7 +134,7 @@
 		<textarea
 			name="message"
 			bind:value={message}
-			maxlength={PERMIT_OFFER_MESSAGE_LENGTH_MAX}
+			maxlength={ROLE_GRANT_OFFER_MESSAGE_LENGTH_MAX}
 			placeholder="optional note for the recipient"
 			disabled={submitting}
 		></textarea>