@fuzdev/fuz_app 0.58.0 → 0.59.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/actions/CLAUDE.md +8 -3
- package/dist/auth/CLAUDE.md +59 -31
- package/dist/auth/account_action_specs.d.ts +9 -0
- package/dist/auth/account_action_specs.d.ts.map +1 -1
- package/dist/auth/account_action_specs.js +9 -0
- package/dist/auth/admin_action_specs.d.ts +35 -0
- package/dist/auth/admin_action_specs.d.ts.map +1 -1
- package/dist/auth/admin_action_specs.js +35 -0
- package/dist/auth/role_grant_offer_action_specs.d.ts +17 -0
- package/dist/auth/role_grant_offer_action_specs.d.ts.map +1 -1
- package/dist/auth/role_grant_offer_action_specs.js +17 -0
- package/dist/auth/self_service_role_action_specs.d.ts +8 -0
- package/dist/auth/self_service_role_action_specs.d.ts.map +1 -1
- package/dist/auth/self_service_role_action_specs.js +8 -0
- package/package.json +1 -1
package/dist/actions/CLAUDE.md
CHANGED
|
@@ -71,9 +71,14 @@ resolved) and is rejected at registration when paired with
|
|
|
71
71
|
`auth.account !== 'required'` (no account to key on); `'both'` runs
|
|
72
72
|
both checks. **Throttle-requests semantics** — every invocation records,
|
|
73
73
|
regardless of outcome (different from REST login's throttle-failures
|
|
74
|
-
that resets on success). The motivating threat is admin
|
|
75
|
-
(`invite_create` account-existence probe) where the
|
|
76
|
-
invocation is the threat
|
|
74
|
+
that resets on success). The originally motivating threat is admin
|
|
75
|
+
mutation oracles (`invite_create` account-existence probe) where the
|
|
76
|
+
_successful_ invocation is the threat; the same shape extends to
|
|
77
|
+
authed-spam oracles (`role_grant_offer_create` iterating
|
|
78
|
+
`to_account_id` to probe `ERROR_ACCOUNT_NOT_FOUND`) and to paginated
|
|
79
|
+
cross-account reads (`admin_account_list`, `audit_log_list`,
|
|
80
|
+
`audit_log_role_grant_history`) where every successful page is an
|
|
81
|
+
enumeration step. Limiters are configured at server-assembly
|
|
77
82
|
time via `AppServerOptions.action_ip_rate_limiter` /
|
|
78
83
|
`action_account_rate_limiter` and threaded into both dispatchers
|
|
79
84
|
automatically; consumers wiring `register_action_ws` directly forward
|
package/dist/auth/CLAUDE.md
CHANGED
|
@@ -1232,26 +1232,30 @@ acting?: ActingActor` biconditional).
|
|
|
1232
1232
|
|
|
1233
1233
|
| Spec | Side effects | Rate limit | Input | Output |
|
|
1234
1234
|
| ------------------------------------------ | ------------ | ----------- | --------------------------------------------------------- | ----------------------------- |
|
|
1235
|
-
| `admin_account_list_action_spec` | false |
|
|
1236
|
-
| `admin_session_list_action_spec` | false |
|
|
1235
|
+
| `admin_account_list_action_spec` | false | `'account'` | `{limit?, offset?}` | `{accounts, grantable_roles}` |
|
|
1236
|
+
| `admin_session_list_action_spec` | false | `'account'` | `z.void()` | `{sessions}` |
|
|
1237
1237
|
| `admin_session_revoke_all_action_spec` | true | `'account'` | `{account_id}` | `{ok, count}` |
|
|
1238
1238
|
| `admin_token_revoke_all_action_spec` | true | `'account'` | `{account_id}` | `{ok, count}` |
|
|
1239
|
-
| `audit_log_list_action_spec` | false |
|
|
1240
|
-
| `audit_log_role_grant_history_action_spec` | false |
|
|
1239
|
+
| `audit_log_list_action_spec` | false | `'account'` | `{event_type?, account_id?, limit?, offset?, since_seq?}` | `{events}` |
|
|
1240
|
+
| `audit_log_role_grant_history_action_spec` | false | `'account'` | `{limit?, offset?}` | `{events}` |
|
|
1241
1241
|
| `invite_create_action_spec` | true | `'account'` | `{email?, username?}` | `{ok, invite}` |
|
|
1242
|
-
| `invite_list_action_spec` | false |
|
|
1242
|
+
| `invite_list_action_spec` | false | `'account'` | `z.void()` | `{invites}` |
|
|
1243
1243
|
| `invite_delete_action_spec` | true | `'account'` | `{invite_id}` | `{ok}` |
|
|
1244
1244
|
| `app_settings_get_action_spec` | false | | `z.void()` | `{settings}` |
|
|
1245
1245
|
| `app_settings_update_action_spec` | true | `'account'` | `{open_signup}` | `{ok, settings}` |
|
|
1246
1246
|
|
|
1247
|
-
|
|
1248
|
-
admin's `request_context.actor.id`.
|
|
1249
|
-
|
|
1250
|
-
|
|
1251
|
-
|
|
1252
|
-
|
|
1253
|
-
|
|
1254
|
-
|
|
1247
|
+
Every admin spec declares `rate_limit: 'account'` — keyed on the
|
|
1248
|
+
admin's `request_context.actor.id`. Mutations cap the
|
|
1249
|
+
`invite_create`-style account-existence oracle (`LOWER()` lookup in
|
|
1250
|
+
`query_account_by_username/_by_email`); reads cap admin-side scraping
|
|
1251
|
+
of paginated cross-account listings (`admin_account_list`,
|
|
1252
|
+
`audit_log_list`, `audit_log_role_grant_history`) and unbounded
|
|
1253
|
+
cross-account reads (`admin_session_list`, `invite_list`). The
|
|
1254
|
+
dispatcher's per-action hook (shared by HTTP RPC + WS) records every
|
|
1255
|
+
invocation regardless of outcome so successful probes consume budget.
|
|
1256
|
+
Default `DEFAULT_ACTION_ACCOUNT_RATE_LIMIT` is 1200/15min per actor —
|
|
1257
|
+
permissive enough for any human admin workflow, slow enough that
|
|
1258
|
+
scripted oracles surface in audit. Tighten downstream via
|
|
1255
1259
|
`AppServerOptions.action_account_rate_limiter`.
|
|
1256
1260
|
|
|
1257
1261
|
`AUDIT_LOG_LIST_LIMIT_MAX = 200` — page size clamp. `ADMIN_ACCOUNT_LIST_DEFAULT_LIMIT = 50` / `ADMIN_ACCOUNT_LIST_LIMIT_MAX = 200` — same shape on `admin_account_list`.
|
|
@@ -1344,15 +1348,25 @@ Every input row below also carries the shared `acting?: ActingActor`
|
|
|
1344
1348
|
field that the dispatcher's authorization phase reads off the raw
|
|
1345
1349
|
params (omitted from the table for brevity).
|
|
1346
1350
|
|
|
1347
|
-
| Spec | Input | Output |
|
|
1348
|
-
| -------------------------------------- | ---------------------------------------------------------- | ---------------------------------------------- |
|
|
1349
|
-
| `role_grant_offer_create_action_spec` | `{to_account_id, to_actor_id?, role, scope_id?, message?}` | `{offer}` |
|
|
1350
|
-
| `role_grant_offer_accept_action_spec` | `{offer_id}` | `{role_grant_id, offer, superseded_offer_ids}` |
|
|
1351
|
-
| `role_grant_offer_decline_action_spec` | `{offer_id, reason?}` | `{ok}` |
|
|
1352
|
-
| `role_grant_offer_retract_action_spec` | `{offer_id}` | `{ok}` |
|
|
1353
|
-
| `role_grant_offer_list_action_spec` | `{account_id?}` | `{offers}` |
|
|
1354
|
-
| `role_grant_offer_history_action_spec` | `{account_id?, limit?, offset?}` | `{offers}` |
|
|
1355
|
-
| `role_grant_revoke_action_spec` | `{actor_id, role_grant_id, reason?}` | `{ok, revoked}` |
|
|
1351
|
+
| Spec | Rate limit | Input | Output |
|
|
1352
|
+
| -------------------------------------- | ----------- | ---------------------------------------------------------- | ---------------------------------------------- |
|
|
1353
|
+
| `role_grant_offer_create_action_spec` | `'account'` | `{to_account_id, to_actor_id?, role, scope_id?, message?}` | `{offer}` |
|
|
1354
|
+
| `role_grant_offer_accept_action_spec` | | `{offer_id}` | `{role_grant_id, offer, superseded_offer_ids}` |
|
|
1355
|
+
| `role_grant_offer_decline_action_spec` | | `{offer_id, reason?}` | `{ok}` |
|
|
1356
|
+
| `role_grant_offer_retract_action_spec` | | `{offer_id}` | `{ok}` |
|
|
1357
|
+
| `role_grant_offer_list_action_spec` | | `{account_id?}` | `{offers}` |
|
|
1358
|
+
| `role_grant_offer_history_action_spec` | | `{account_id?, limit?, offset?}` | `{offers}` |
|
|
1359
|
+
| `role_grant_revoke_action_spec` | `'account'` | `{actor_id, role_grant_id, reason?}` | `{ok, revoked}` |
|
|
1360
|
+
|
|
1361
|
+
`role_grant_offer_create` carries the same shape as `invite_create` —
|
|
1362
|
+
hostile authed callers can iterate `to_account_id` to spam offers and
|
|
1363
|
+
probe `ERROR_ACCOUNT_NOT_FOUND` /
|
|
1364
|
+
`ERROR_ROLE_GRANT_OFFER_ACTOR_ACCOUNT_MISMATCH` as account-existence
|
|
1365
|
+
oracles, so the rate cap fires on the same threat model the admin
|
|
1366
|
+
`invite_create` spec addresses upstream. `role_grant_revoke` keeps its
|
|
1367
|
+
cap because it's an admin mutation. The accept / decline / retract /
|
|
1368
|
+
list / history specs are recipient-side or caller-own-data — no
|
|
1369
|
+
enumeration vector, no rate cap.
|
|
1356
1370
|
|
|
1357
1371
|
Error reason constants (exported as `as const` literals):
|
|
1358
1372
|
|
|
@@ -1500,15 +1514,23 @@ operations are account-scoped via `query_session_revoke_for_account` /
|
|
|
1500
1514
|
or token id returns `revoked: false` rather than revealing whether the id
|
|
1501
1515
|
exists.
|
|
1502
1516
|
|
|
1503
|
-
| Spec | Side effects | Input | Output |
|
|
1504
|
-
| ---------------------------------------- | ------------ | -------------- | ----------------------- |
|
|
1505
|
-
| `account_verify_action_spec` | false | `z.void()` | `SessionAccountJson` |
|
|
1506
|
-
| `account_session_list_action_spec` | false | `z.void()` | `{sessions}` |
|
|
1507
|
-
| `account_session_revoke_action_spec` | true | `{session_id}` | `{ok, revoked}` |
|
|
1508
|
-
| `account_session_revoke_all_action_spec` | true | `z.void()` | `{ok, count}` |
|
|
1509
|
-
| `account_token_create_action_spec` | true | `{name?}` | `{ok, token, id, name}` |
|
|
1510
|
-
| `account_token_list_action_spec` | false | `z.void()` | `{tokens}` |
|
|
1511
|
-
| `account_token_revoke_action_spec` | true | `{token_id}` | `{ok, revoked}` |
|
|
1517
|
+
| Spec | Side effects | Rate limit | Input | Output |
|
|
1518
|
+
| ---------------------------------------- | ------------ | ----------- | -------------- | ----------------------- |
|
|
1519
|
+
| `account_verify_action_spec` | false | | `z.void()` | `SessionAccountJson` |
|
|
1520
|
+
| `account_session_list_action_spec` | false | | `z.void()` | `{sessions}` |
|
|
1521
|
+
| `account_session_revoke_action_spec` | true | | `{session_id}` | `{ok, revoked}` |
|
|
1522
|
+
| `account_session_revoke_all_action_spec` | true | | `z.void()` | `{ok, count}` |
|
|
1523
|
+
| `account_token_create_action_spec` | true | `'account'` | `{name?}` | `{ok, token, id, name}` |
|
|
1524
|
+
| `account_token_list_action_spec` | false | | `z.void()` | `{tokens}` |
|
|
1525
|
+
| `account_token_revoke_action_spec` | true | | `{token_id}` | `{ok, revoked}` |
|
|
1526
|
+
|
|
1527
|
+
`account_token_create` declares `rate_limit: 'account'` to bound the
|
|
1528
|
+
_rate_ of token churn. The outstanding-token count is already capped by
|
|
1529
|
+
`max_tokens` via `query_api_token_enforce_limit`, but the per-account
|
|
1530
|
+
burn rate is not — without this cap a caller could rotate tokens in a
|
|
1531
|
+
tight loop to amplify `token_create` audit churn. The other six specs
|
|
1532
|
+
are IDOR-guarded reads/revokes of caller-own state with no enumeration
|
|
1533
|
+
vector, so rate caps are symmetry-only and skipped.
|
|
1512
1534
|
|
|
1513
1535
|
`session_id` validates as `Blake3Hash`; `token_id` validates as
|
|
1514
1536
|
`ApiTokenId` (`tok_[A-Za-z0-9_-]{12}`).
|
|
@@ -1546,6 +1568,12 @@ distinguish self-toggled role_grants from admin grants/offers. The
|
|
|
1546
1568
|
part of the documented surface rather than riding on `z.looseObject`
|
|
1547
1569
|
permissiveness.
|
|
1548
1570
|
|
|
1571
|
+
Declares `rate_limit: 'account'` — every call writes a
|
|
1572
|
+
`role_grant_create` / `role_grant_revoke` audit row regardless of
|
|
1573
|
+
`changed`, so a flapping loop could inflate the log and obscure
|
|
1574
|
+
unrelated activity. The toggle's idempotency doesn't bound the burn
|
|
1575
|
+
rate; the dispatcher's per-action hook does.
|
|
1576
|
+
|
|
1549
1577
|
Method name is static — `role` lives in the input, not the method
|
|
1550
1578
|
name. Mirrors the `role_grant_offer_create({role})` precedent. Per-role
|
|
1551
1579
|
parameterized methods would break the `satisfies RequestResponseActionSpec`
|
|
@@ -164,6 +164,14 @@ export declare const account_session_revoke_all_action_spec: {
|
|
|
164
164
|
async: true;
|
|
165
165
|
description: string;
|
|
166
166
|
};
|
|
167
|
+
/**
|
|
168
|
+
* `rate_limit: 'account'` bounds the burn rate of API-token creates. The
|
|
169
|
+
* outstanding-token count is already capped by `max_tokens` (via
|
|
170
|
+
* `query_api_token_enforce_limit`), but the per-account *rate* of churn
|
|
171
|
+
* is not — without this cap, a caller could rotate tokens in a tight
|
|
172
|
+
* loop to amplify `token_create` audit churn or attempt to provoke
|
|
173
|
+
* downstream rate-limit hot spots.
|
|
174
|
+
*/
|
|
167
175
|
export declare const account_token_create_action_spec: {
|
|
168
176
|
method: string;
|
|
169
177
|
kind: "request_response";
|
|
@@ -184,6 +192,7 @@ export declare const account_token_create_action_spec: {
|
|
|
184
192
|
}, z.core.$strict>;
|
|
185
193
|
async: true;
|
|
186
194
|
description: string;
|
|
195
|
+
rate_limit: "account";
|
|
187
196
|
};
|
|
188
197
|
export declare const account_token_list_action_spec: {
|
|
189
198
|
method: string;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"account_action_specs.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/account_action_specs.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAGtB,OAAO,KAAK,EAAC,yBAAyB,EAAC,MAAM,2BAA2B,CAAC;AAMzE,6EAA6E;AAC7E,eAAO,MAAM,WAAW,WAAW,CAAC;AACpC,MAAM,MAAM,WAAW,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,WAAW,CAAC,CAAC;AAEtD,uDAAuD;AACvD,eAAO,MAAM,gBAAgB,WAAW,CAAC;AACzC,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC;AAEhE,yCAAyC;AACzC,eAAO,MAAM,iBAAiB;;;;;;;;kBAE5B,CAAC;AACH,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAC;AAElE,2EAA2E;AAC3E,eAAO,MAAM,kBAAkB;;kBAE7B,CAAC;AACH,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAEpE,iFAAiF;AACjF,eAAO,MAAM,mBAAmB;;;kBAG9B,CAAC;AACH,MAAM,MAAM,mBAAmB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAC;AAEtE,6DAA6D;AAC7D,eAAO,MAAM,qBAAqB,WAAW,CAAC;AAC9C,MAAM,MAAM,qBAAqB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,qBAAqB,CAAC,CAAC;AAE1E,+CAA+C;AAC/C,eAAO,MAAM,sBAAsB;;;kBAGjC,CAAC;AACH,MAAM,MAAM,sBAAsB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAC;AAE5E,wCAAwC;AACxC,eAAO,MAAM,gBAAgB;;mBAOf,CAAC;AACf,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC;AAEhE,2EAA2E;AAC3E,eAAO,MAAM,iBAAiB;;;;;kBAK5B,CAAC;AACH,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAC;AAElE,qDAAqD;AACrD,eAAO,MAAM,cAAc,WAAW,CAAC;AACvC,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,cAAc,CAAC,CAAC;AAE5D,4DAA4D;AAC5D,eAAO,MAAM,eAAe;;;;;;;;;;kBAE1B,CAAC;AACH,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,eAAe,CAAC,CAAC;AAE9D,wCAAwC;AACxC,eAAO,MAAM,gBAAgB;;kBAE3B,CAAC;AACH,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC;AAEhE,+EAA+E;AAC/E,eAAO,MAAM,iBAAiB;;;kBAG5B,CAAC;AACH,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAC;AAIlE,eAAO,MAAM,0BAA0B;;;;;;;;;;;;;;;;;;;CAUF,CAAC;AAEtC,eAAO,MAAM,gCAAgC;;;;;;;;;;;;;;;;;;;;;CAUR,CAAC;AAEtC,eAAO,MAAM,kCAAkC;;;;;;;;;;;;;;;;;;CAUV,CAAC;AAEtC,eAAO,MAAM,sCAAsC;;;;;;;;;;;;;;;;CAUd,CAAC;AAEtC,eAAO,MAAM,gCAAgC
|
|
1
|
+
{"version":3,"file":"account_action_specs.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/account_action_specs.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAGtB,OAAO,KAAK,EAAC,yBAAyB,EAAC,MAAM,2BAA2B,CAAC;AAMzE,6EAA6E;AAC7E,eAAO,MAAM,WAAW,WAAW,CAAC;AACpC,MAAM,MAAM,WAAW,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,WAAW,CAAC,CAAC;AAEtD,uDAAuD;AACvD,eAAO,MAAM,gBAAgB,WAAW,CAAC;AACzC,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC;AAEhE,yCAAyC;AACzC,eAAO,MAAM,iBAAiB;;;;;;;;kBAE5B,CAAC;AACH,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAC;AAElE,2EAA2E;AAC3E,eAAO,MAAM,kBAAkB;;kBAE7B,CAAC;AACH,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAEpE,iFAAiF;AACjF,eAAO,MAAM,mBAAmB;;;kBAG9B,CAAC;AACH,MAAM,MAAM,mBAAmB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAC;AAEtE,6DAA6D;AAC7D,eAAO,MAAM,qBAAqB,WAAW,CAAC;AAC9C,MAAM,MAAM,qBAAqB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,qBAAqB,CAAC,CAAC;AAE1E,+CAA+C;AAC/C,eAAO,MAAM,sBAAsB;;;kBAGjC,CAAC;AACH,MAAM,MAAM,sBAAsB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAC;AAE5E,wCAAwC;AACxC,eAAO,MAAM,gBAAgB;;mBAOf,CAAC;AACf,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC;AAEhE,2EAA2E;AAC3E,eAAO,MAAM,iBAAiB;;;;;kBAK5B,CAAC;AACH,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAC;AAElE,qDAAqD;AACrD,eAAO,MAAM,cAAc,WAAW,CAAC;AACvC,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,cAAc,CAAC,CAAC;AAE5D,4DAA4D;AAC5D,eAAO,MAAM,eAAe;;;;;;;;;;kBAE1B,CAAC;AACH,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,eAAe,CAAC,CAAC;AAE9D,wCAAwC;AACxC,eAAO,MAAM,gBAAgB;;kBAE3B,CAAC;AACH,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC;AAEhE,+EAA+E;AAC/E,eAAO,MAAM,iBAAiB;;;kBAG5B,CAAC;AACH,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAC;AAIlE,eAAO,MAAM,0BAA0B;;;;;;;;;;;;;;;;;;;CAUF,CAAC;AAEtC,eAAO,MAAM,gCAAgC;;;;;;;;;;;;;;;;;;;;;CAUR,CAAC;AAEtC,eAAO,MAAM,kCAAkC;;;;;;;;;;;;;;;;;;CAUV,CAAC;AAEtC,eAAO,MAAM,sCAAsC;;;;;;;;;;;;;;;;CAUd,CAAC;AAEtC;;;;;;;GAOG;AACH,eAAO,MAAM,gCAAgC;;;;;;;;;;;;;;;;;;;;;CAWR,CAAC;AAEtC,eAAO,MAAM,8BAA8B;;;;;;;;;;;;;;;;;;;;;;;CAUN,CAAC;AAEtC,eAAO,MAAM,gCAAgC;;;;;;;;;;;;;;;;;;CAUR,CAAC;AAEtC;;;;GAIG;AACH,eAAO,MAAM,wBAAwB,EAAE,KAAK,CAAC,yBAAyB,CAQrE,CAAC"}
|
|
@@ -112,6 +112,14 @@ export const account_session_revoke_all_action_spec = {
|
|
|
112
112
|
async: true,
|
|
113
113
|
description: 'Revoke every auth session for the current account.',
|
|
114
114
|
};
|
|
115
|
+
/**
|
|
116
|
+
* `rate_limit: 'account'` bounds the burn rate of API-token creates. The
|
|
117
|
+
* outstanding-token count is already capped by `max_tokens` (via
|
|
118
|
+
* `query_api_token_enforce_limit`), but the per-account *rate* of churn
|
|
119
|
+
* is not — without this cap, a caller could rotate tokens in a tight
|
|
120
|
+
* loop to amplify `token_create` audit churn or attempt to provoke
|
|
121
|
+
* downstream rate-limit hot spots.
|
|
122
|
+
*/
|
|
115
123
|
export const account_token_create_action_spec = {
|
|
116
124
|
method: 'account_token_create',
|
|
117
125
|
kind: 'request_response',
|
|
@@ -122,6 +130,7 @@ export const account_token_create_action_spec = {
|
|
|
122
130
|
output: TokenCreateOutput,
|
|
123
131
|
async: true,
|
|
124
132
|
description: 'Create an API token for the current account. Raw token is returned once.',
|
|
133
|
+
rate_limit: 'account',
|
|
125
134
|
};
|
|
126
135
|
export const account_token_list_action_spec = {
|
|
127
136
|
method: 'account_token_list',
|
|
@@ -264,6 +264,12 @@ export declare const AppSettingsUpdateOutput: z.ZodObject<{
|
|
|
264
264
|
}, z.core.$strict>;
|
|
265
265
|
}, z.core.$strict>;
|
|
266
266
|
export type AppSettingsUpdateOutput = z.infer<typeof AppSettingsUpdateOutput>;
|
|
267
|
+
/**
|
|
268
|
+
* `rate_limit: 'account'` bounds admin-side scraping of the account table
|
|
269
|
+
* via `(limit, offset)` walking — admin trust is not a substitute for a
|
|
270
|
+
* read-rate cap when the listing is paginated and cross-account (yields
|
|
271
|
+
* every account + actor + active role_grant in the system).
|
|
272
|
+
*/
|
|
267
273
|
export declare const admin_account_list_action_spec: {
|
|
268
274
|
method: string;
|
|
269
275
|
kind: "request_response";
|
|
@@ -318,7 +324,13 @@ export declare const admin_account_list_action_spec: {
|
|
|
318
324
|
}, z.core.$strict>;
|
|
319
325
|
async: true;
|
|
320
326
|
description: string;
|
|
327
|
+
rate_limit: "account";
|
|
321
328
|
};
|
|
329
|
+
/**
|
|
330
|
+
* `rate_limit: 'account'` bounds cross-account scraping of every active
|
|
331
|
+
* `auth_session` row — no pagination, but the read is unbounded across
|
|
332
|
+
* accounts and reveals one row per live cookie globally.
|
|
333
|
+
*/
|
|
322
334
|
export declare const admin_session_list_action_spec: {
|
|
323
335
|
method: string;
|
|
324
336
|
kind: "request_response";
|
|
@@ -344,6 +356,7 @@ export declare const admin_session_list_action_spec: {
|
|
|
344
356
|
}, z.core.$strict>;
|
|
345
357
|
async: true;
|
|
346
358
|
description: string;
|
|
359
|
+
rate_limit: "account";
|
|
347
360
|
};
|
|
348
361
|
export declare const admin_session_revoke_all_action_spec: {
|
|
349
362
|
method: string;
|
|
@@ -389,6 +402,14 @@ export declare const admin_token_revoke_all_action_spec: {
|
|
|
389
402
|
description: string;
|
|
390
403
|
rate_limit: "account";
|
|
391
404
|
};
|
|
405
|
+
/**
|
|
406
|
+
* `rate_limit: 'account'` bounds admin-side enumeration of the entire
|
|
407
|
+
* audit log via `(limit, offset)` walking — same shape as
|
|
408
|
+
* `admin_account_list_action_spec`. The listing carries cross-account
|
|
409
|
+
* forensic detail (target ids, IPs, metadata), so the read-rate cap is
|
|
410
|
+
* the only check that distinguishes a human reviewer from a scraping
|
|
411
|
+
* script.
|
|
412
|
+
*/
|
|
392
413
|
export declare const audit_log_list_action_spec: {
|
|
393
414
|
method: string;
|
|
394
415
|
kind: "request_response";
|
|
@@ -433,7 +454,13 @@ export declare const audit_log_list_action_spec: {
|
|
|
433
454
|
}, z.core.$strict>;
|
|
434
455
|
async: true;
|
|
435
456
|
description: string;
|
|
457
|
+
rate_limit: "account";
|
|
436
458
|
};
|
|
459
|
+
/**
|
|
460
|
+
* `rate_limit: 'account'` bounds admin-side enumeration of the role_grant
|
|
461
|
+
* history via `(limit, offset)` walking — same shape as `audit_log_list`,
|
|
462
|
+
* narrower projection but identical scraping vector.
|
|
463
|
+
*/
|
|
437
464
|
export declare const audit_log_role_grant_history_action_spec: {
|
|
438
465
|
method: string;
|
|
439
466
|
kind: "request_response";
|
|
@@ -471,6 +498,7 @@ export declare const audit_log_role_grant_history_action_spec: {
|
|
|
471
498
|
}, z.core.$strict>;
|
|
472
499
|
async: true;
|
|
473
500
|
description: string;
|
|
501
|
+
rate_limit: "account";
|
|
474
502
|
};
|
|
475
503
|
export declare const invite_create_action_spec: {
|
|
476
504
|
method: string;
|
|
@@ -503,6 +531,12 @@ export declare const invite_create_action_spec: {
|
|
|
503
531
|
description: string;
|
|
504
532
|
rate_limit: "account";
|
|
505
533
|
};
|
|
534
|
+
/**
|
|
535
|
+
* `rate_limit: 'account'` bounds admin-side scraping of the invite table —
|
|
536
|
+
* bounded by table size, but every row carries email + username +
|
|
537
|
+
* creator/claimer identifiers worth defense-in-depth against an admin
|
|
538
|
+
* mutation oracle running scripted reads alongside `invite_create`.
|
|
539
|
+
*/
|
|
506
540
|
export declare const invite_list_action_spec: {
|
|
507
541
|
method: string;
|
|
508
542
|
kind: "request_response";
|
|
@@ -531,6 +565,7 @@ export declare const invite_list_action_spec: {
|
|
|
531
565
|
}, z.core.$strict>;
|
|
532
566
|
async: true;
|
|
533
567
|
description: string;
|
|
568
|
+
rate_limit: "account";
|
|
534
569
|
};
|
|
535
570
|
export declare const invite_delete_action_spec: {
|
|
536
571
|
method: string;
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"admin_action_specs.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/admin_action_specs.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAGtB,OAAO,KAAK,EAAC,yBAAyB,EAAC,MAAM,2BAA2B,CAAC;AAgBzE,+BAA+B;AAC/B,eAAO,MAAM,wBAAwB,MAAM,CAAC;AAE5C,8CAA8C;AAC9C,eAAO,MAAM,gCAAgC,KAAK,CAAC;AACnD,0CAA0C;AAC1C,eAAO,MAAM,4BAA4B,MAAM,CAAC;AAIhD,sCAAsC;AACtC,eAAO,MAAM,qBAAqB;;;;mBAcrB,CAAC;AACd,MAAM,MAAM,qBAAqB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,qBAAqB,CAAC,CAAC;AAE1E,uCAAuC;AACvC,eAAO,MAAM,sBAAsB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;kBAGjC,CAAC;AACH,MAAM,MAAM,sBAAsB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAC;AAE5E,sCAAsC;AACtC,eAAO,MAAM,qBAAqB;;mBAIrB,CAAC;AACd,MAAM,MAAM,qBAAqB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,qBAAqB,CAAC,CAAC;AAE1E,mGAAmG;AACnG,eAAO,MAAM,sBAAsB;;;;;;;;;kBAEjC,CAAC;AACH,MAAM,MAAM,sBAAsB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAC;AAE5E,4CAA4C;AAC5C,eAAO,MAAM,0BAA0B;;;kBAGrC,CAAC;AACH,MAAM,MAAM,0BAA0B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,0BAA0B,CAAC,CAAC;AAEpF,6CAA6C;AAC7C,eAAO,MAAM,2BAA2B;;;kBAGtC,CAAC;AACH,MAAM,MAAM,2BAA2B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,2BAA2B,CAAC,CAAC;AAEtF,0CAA0C;AAC1C,eAAO,MAAM,wBAAwB;;;kBAGnC,CAAC;AACH,MAAM,MAAM,wBAAwB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,wBAAwB,CAAC,CAAC;AAEhF,2CAA2C;AAC3C,eAAO,MAAM,yBAAyB;;;kBAGpC,CAAC;AACH,MAAM,MAAM,yBAAyB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,yBAAyB,CAAC,CAAC;AAElF;;;;;GAKG;AACH,eAAO,MAAM,iBAAiB;;;;;;;;;;;mBAyBjB,CAAC;AACd,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAC;AAElE,mCAAmC;AACnC,eAAO,MAAM,kBAAkB;;;;;;;;;;;;;;;;;;;kBAE7B,CAAC;AACH,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAEpE,gDAAgD;AAChD,eAAO,MAAM,6BAA6B;;;;mBAc7B,CAAC;AACd,MAAM,MAAM,6BAA6B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,6BAA6B,CAAC,CAAC;AAE1F,iDAAiD;AACjD,eAAO,MAAM,8BAA8B;;;;;;;;;;;;;;;;;;;kBAEzC,CAAC;AACH,MAAM,MAAM,8BAA8B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,8BAA8B,CAAC,CAAC;AAE5F,wFAAwF;AACxF,eAAO,MAAM,iBAAiB;;;;kBAS3B,CAAC;AACJ,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAC;AAElE,kCAAkC;AAClC,eAAO,MAAM,kBAAkB;;;;;;;;;;;kBAG7B,CAAC;AACH,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAEpE,+BAA+B;AAC/B,eAAO,MAAM,eAAe;;mBAIf,CAAC;AACd,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,eAAe,CAAC,CAAC;AAE9D,2FAA2F;AAC3F,eAAO,MAAM,gBAAgB;;;;;;;;;;;;kBAE3B,CAAC;AACH,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC;AAEhE,iCAAiC;AACjC,eAAO,MAAM,iBAAiB;;;kBAG5B,CAAC;AACH,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAC;AAElE,kCAAkC;AAClC,eAAO,MAAM,kBAAkB;;kBAE7B,CAAC;AACH,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAEpE,oCAAoC;AACpC,eAAO,MAAM,mBAAmB;;mBAInB,CAAC;AACd,MAAM,MAAM,mBAAmB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAC;AAEtE,qCAAqC;AACrC,eAAO,MAAM,oBAAoB;;;;;;;kBAE/B,CAAC;AACH,MAAM,MAAM,oBAAoB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAC;AAExE,uCAAuC;AACvC,eAAO,MAAM,sBAAsB;;;kBAGjC,CAAC;AACH,MAAM,MAAM,sBAAsB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAC;AAE5E,wCAAwC;AACxC,eAAO,MAAM,uBAAuB;;;;;;;;kBAGlC,CAAC;AACH,MAAM,MAAM,uBAAuB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,uBAAuB,CAAC,CAAC;AAI9E,eAAO,MAAM,8BAA8B
|
|
1
|
+
{"version":3,"file":"admin_action_specs.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/admin_action_specs.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAGtB,OAAO,KAAK,EAAC,yBAAyB,EAAC,MAAM,2BAA2B,CAAC;AAgBzE,+BAA+B;AAC/B,eAAO,MAAM,wBAAwB,MAAM,CAAC;AAE5C,8CAA8C;AAC9C,eAAO,MAAM,gCAAgC,KAAK,CAAC;AACnD,0CAA0C;AAC1C,eAAO,MAAM,4BAA4B,MAAM,CAAC;AAIhD,sCAAsC;AACtC,eAAO,MAAM,qBAAqB;;;;mBAcrB,CAAC;AACd,MAAM,MAAM,qBAAqB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,qBAAqB,CAAC,CAAC;AAE1E,uCAAuC;AACvC,eAAO,MAAM,sBAAsB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;kBAGjC,CAAC;AACH,MAAM,MAAM,sBAAsB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAC;AAE5E,sCAAsC;AACtC,eAAO,MAAM,qBAAqB;;mBAIrB,CAAC;AACd,MAAM,MAAM,qBAAqB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,qBAAqB,CAAC,CAAC;AAE1E,mGAAmG;AACnG,eAAO,MAAM,sBAAsB;;;;;;;;;kBAEjC,CAAC;AACH,MAAM,MAAM,sBAAsB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAC;AAE5E,4CAA4C;AAC5C,eAAO,MAAM,0BAA0B;;;kBAGrC,CAAC;AACH,MAAM,MAAM,0BAA0B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,0BAA0B,CAAC,CAAC;AAEpF,6CAA6C;AAC7C,eAAO,MAAM,2BAA2B;;;kBAGtC,CAAC;AACH,MAAM,MAAM,2BAA2B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,2BAA2B,CAAC,CAAC;AAEtF,0CAA0C;AAC1C,eAAO,MAAM,wBAAwB;;;kBAGnC,CAAC;AACH,MAAM,MAAM,wBAAwB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,wBAAwB,CAAC,CAAC;AAEhF,2CAA2C;AAC3C,eAAO,MAAM,yBAAyB;;;kBAGpC,CAAC;AACH,MAAM,MAAM,yBAAyB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,yBAAyB,CAAC,CAAC;AAElF;;;;;GAKG;AACH,eAAO,MAAM,iBAAiB;;;;;;;;;;;mBAyBjB,CAAC;AACd,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAC;AAElE,mCAAmC;AACnC,eAAO,MAAM,kBAAkB;;;;;;;;;;;;;;;;;;;kBAE7B,CAAC;AACH,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAEpE,gDAAgD;AAChD,eAAO,MAAM,6BAA6B;;;;mBAc7B,CAAC;AACd,MAAM,MAAM,6BAA6B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,6BAA6B,CAAC,CAAC;AAE1F,iDAAiD;AACjD,eAAO,MAAM,8BAA8B;;;;;;;;;;;;;;;;;;;kBAEzC,CAAC;AACH,MAAM,MAAM,8BAA8B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,8BAA8B,CAAC,CAAC;AAE5F,wFAAwF;AACxF,eAAO,MAAM,iBAAiB;;;;kBAS3B,CAAC;AACJ,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAC;AAElE,kCAAkC;AAClC,eAAO,MAAM,kBAAkB;;;;;;;;;;;kBAG7B,CAAC;AACH,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAEpE,+BAA+B;AAC/B,eAAO,MAAM,eAAe;;mBAIf,CAAC;AACd,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,eAAe,CAAC,CAAC;AAE9D,2FAA2F;AAC3F,eAAO,MAAM,gBAAgB;;;;;;;;;;;;kBAE3B,CAAC;AACH,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC;AAEhE,iCAAiC;AACjC,eAAO,MAAM,iBAAiB;;;kBAG5B,CAAC;AACH,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAC;AAElE,kCAAkC;AAClC,eAAO,MAAM,kBAAkB;;kBAE7B,CAAC;AACH,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAEpE,oCAAoC;AACpC,eAAO,MAAM,mBAAmB;;mBAInB,CAAC;AACd,MAAM,MAAM,mBAAmB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAC;AAEtE,qCAAqC;AACrC,eAAO,MAAM,oBAAoB;;;;;;;kBAE/B,CAAC;AACH,MAAM,MAAM,oBAAoB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAC;AAExE,uCAAuC;AACvC,eAAO,MAAM,sBAAsB;;;kBAGjC,CAAC;AACH,MAAM,MAAM,sBAAsB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAC;AAE5E,wCAAwC;AACxC,eAAO,MAAM,uBAAuB;;;;;;;;kBAGlC,CAAC;AACH,MAAM,MAAM,uBAAuB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,uBAAuB,CAAC,CAAC;AAI9E;;;;;GAKG;AACH,eAAO,MAAM,8BAA8B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAWN,CAAC;AAEtC;;;;GAIG;AACH,eAAO,MAAM,8BAA8B;;;;;;;;;;;;;;;;;;;;;;;;;;CAWN,CAAC;AAEtC,eAAO,MAAM,oCAAoC;;;;;;;;;;;;;;;;;;;;;CAWZ,CAAC;AAEtC,eAAO,MAAM,kCAAkC;;;;;;;;;;;;;;;;;;;;;CAWV,CAAC;AAEtC;;;;;;;GAOG;AACH,eAAO,MAAM,0BAA0B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAWF,CAAC;AAEtC;;;;GAIG;AACH,eAAO,MAAM,wCAAwC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAWhB,CAAC;AAEtC,eAAO,MAAM,yBAAyB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAWD,CAAC;AAEtC;;;;;GAKG;AACH,eAAO,MAAM,uBAAuB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAWC,CAAC;AAEtC,eAAO,MAAM,yBAAyB;;;;;;;;;;;;;;;;;;;;CAWD,CAAC;AAEtC,eAAO,MAAM,4BAA4B;;;;;;;;;;;;;;;;;;;;;;;CAUJ,CAAC;AAEtC,eAAO,MAAM,+BAA+B;;;;;;;;;;;;;;;;;;;;;;;;;;CAWP,CAAC;AAEtC;;;;;;GAMG;AACH,eAAO,MAAM,sBAAsB,EAAE,KAAK,CAAC,yBAAyB,CAYnE,CAAC"}
|
|
@@ -193,6 +193,12 @@ export const AppSettingsUpdateOutput = z.strictObject({
|
|
|
193
193
|
settings: AppSettingsWithUsernameJson,
|
|
194
194
|
});
|
|
195
195
|
// -- Action specs -----------------------------------------------------------
|
|
196
|
+
/**
|
|
197
|
+
* `rate_limit: 'account'` bounds admin-side scraping of the account table
|
|
198
|
+
* via `(limit, offset)` walking — admin trust is not a substitute for a
|
|
199
|
+
* read-rate cap when the listing is paginated and cross-account (yields
|
|
200
|
+
* every account + actor + active role_grant in the system).
|
|
201
|
+
*/
|
|
196
202
|
export const admin_account_list_action_spec = {
|
|
197
203
|
method: 'admin_account_list',
|
|
198
204
|
kind: 'request_response',
|
|
@@ -203,7 +209,13 @@ export const admin_account_list_action_spec = {
|
|
|
203
209
|
output: AdminAccountListOutput,
|
|
204
210
|
async: true,
|
|
205
211
|
description: 'List all accounts with their actors, role_grants, and pending offers. Admin-only.',
|
|
212
|
+
rate_limit: 'account',
|
|
206
213
|
};
|
|
214
|
+
/**
|
|
215
|
+
* `rate_limit: 'account'` bounds cross-account scraping of every active
|
|
216
|
+
* `auth_session` row — no pagination, but the read is unbounded across
|
|
217
|
+
* accounts and reveals one row per live cookie globally.
|
|
218
|
+
*/
|
|
207
219
|
export const admin_session_list_action_spec = {
|
|
208
220
|
method: 'admin_session_list',
|
|
209
221
|
kind: 'request_response',
|
|
@@ -214,6 +226,7 @@ export const admin_session_list_action_spec = {
|
|
|
214
226
|
output: AdminSessionListOutput,
|
|
215
227
|
async: true,
|
|
216
228
|
description: 'List every active auth session across all accounts. Admin-only.',
|
|
229
|
+
rate_limit: 'account',
|
|
217
230
|
};
|
|
218
231
|
export const admin_session_revoke_all_action_spec = {
|
|
219
232
|
method: 'admin_session_revoke_all',
|
|
@@ -239,6 +252,14 @@ export const admin_token_revoke_all_action_spec = {
|
|
|
239
252
|
description: 'Revoke all API tokens for an account. Admin-only.',
|
|
240
253
|
rate_limit: 'account',
|
|
241
254
|
};
|
|
255
|
+
/**
|
|
256
|
+
* `rate_limit: 'account'` bounds admin-side enumeration of the entire
|
|
257
|
+
* audit log via `(limit, offset)` walking — same shape as
|
|
258
|
+
* `admin_account_list_action_spec`. The listing carries cross-account
|
|
259
|
+
* forensic detail (target ids, IPs, metadata), so the read-rate cap is
|
|
260
|
+
* the only check that distinguishes a human reviewer from a scraping
|
|
261
|
+
* script.
|
|
262
|
+
*/
|
|
242
263
|
export const audit_log_list_action_spec = {
|
|
243
264
|
method: 'audit_log_list',
|
|
244
265
|
kind: 'request_response',
|
|
@@ -249,7 +270,13 @@ export const audit_log_list_action_spec = {
|
|
|
249
270
|
output: AuditLogListOutput,
|
|
250
271
|
async: true,
|
|
251
272
|
description: 'List audit log events with optional filters. Admin-only.',
|
|
273
|
+
rate_limit: 'account',
|
|
252
274
|
};
|
|
275
|
+
/**
|
|
276
|
+
* `rate_limit: 'account'` bounds admin-side enumeration of the role_grant
|
|
277
|
+
* history via `(limit, offset)` walking — same shape as `audit_log_list`,
|
|
278
|
+
* narrower projection but identical scraping vector.
|
|
279
|
+
*/
|
|
253
280
|
export const audit_log_role_grant_history_action_spec = {
|
|
254
281
|
method: 'audit_log_role_grant_history',
|
|
255
282
|
kind: 'request_response',
|
|
@@ -260,6 +287,7 @@ export const audit_log_role_grant_history_action_spec = {
|
|
|
260
287
|
output: AuditLogRoleGrantHistoryOutput,
|
|
261
288
|
async: true,
|
|
262
289
|
description: 'List role_grant grant and revoke events with usernames. Admin-only.',
|
|
290
|
+
rate_limit: 'account',
|
|
263
291
|
};
|
|
264
292
|
export const invite_create_action_spec = {
|
|
265
293
|
method: 'invite_create',
|
|
@@ -273,6 +301,12 @@ export const invite_create_action_spec = {
|
|
|
273
301
|
description: 'Create an invite addressed to an email, username, or both. Admin-only.',
|
|
274
302
|
rate_limit: 'account',
|
|
275
303
|
};
|
|
304
|
+
/**
|
|
305
|
+
* `rate_limit: 'account'` bounds admin-side scraping of the invite table —
|
|
306
|
+
* bounded by table size, but every row carries email + username +
|
|
307
|
+
* creator/claimer identifiers worth defense-in-depth against an admin
|
|
308
|
+
* mutation oracle running scripted reads alongside `invite_create`.
|
|
309
|
+
*/
|
|
276
310
|
export const invite_list_action_spec = {
|
|
277
311
|
method: 'invite_list',
|
|
278
312
|
kind: 'request_response',
|
|
@@ -283,6 +317,7 @@ export const invite_list_action_spec = {
|
|
|
283
317
|
output: InviteListOutput,
|
|
284
318
|
async: true,
|
|
285
319
|
description: 'List all invites with creator and claimer usernames. Admin-only.',
|
|
320
|
+
rate_limit: 'account',
|
|
286
321
|
};
|
|
287
322
|
export const invite_delete_action_spec = {
|
|
288
323
|
method: 'invite_delete',
|
|
@@ -209,6 +209,16 @@ export declare const RoleGrantRevokeOutput: z.ZodObject<{
|
|
|
209
209
|
revoked: z.ZodLiteral<true>;
|
|
210
210
|
}, z.core.$strict>;
|
|
211
211
|
export type RoleGrantRevokeOutput = z.infer<typeof RoleGrantRevokeOutput>;
|
|
212
|
+
/**
|
|
213
|
+
* `rate_limit: 'account'` throttles offer-spam at the authenticated
|
|
214
|
+
* grantor and bounds the account-existence oracle on `to_account_id` —
|
|
215
|
+
* the same shape as `invite_create_action_spec` upstream addresses, where
|
|
216
|
+
* a hostile authed caller iterates recipients to probe
|
|
217
|
+
* `ERROR_ACCOUNT_NOT_FOUND` (and the actor-binding via
|
|
218
|
+
* `ERROR_ROLE_GRANT_OFFER_ACTOR_ACCOUNT_MISMATCH`) as an enumeration
|
|
219
|
+
* vector. Failure-outcome audit rows preserve the forensic trail; the
|
|
220
|
+
* rate cap closes the budget.
|
|
221
|
+
*/
|
|
212
222
|
export declare const role_grant_offer_create_action_spec: {
|
|
213
223
|
method: string;
|
|
214
224
|
kind: "request_response";
|
|
@@ -250,6 +260,7 @@ export declare const role_grant_offer_create_action_spec: {
|
|
|
250
260
|
async: true;
|
|
251
261
|
description: string;
|
|
252
262
|
error_reasons: ("role_grant_offer_self_target" | "role_grant_offer_role_not_grantable" | "role_grant_offer_not_authorized" | "role_grant_offer_actor_account_mismatch")[];
|
|
263
|
+
rate_limit: "account";
|
|
253
264
|
};
|
|
254
265
|
export declare const role_grant_offer_accept_action_spec: {
|
|
255
266
|
method: string;
|
|
@@ -405,6 +416,12 @@ export declare const role_grant_offer_history_action_spec: {
|
|
|
405
416
|
async: true;
|
|
406
417
|
description: string;
|
|
407
418
|
};
|
|
419
|
+
/**
|
|
420
|
+
* `rate_limit: 'account'` bounds admin-side burn of `role_grant_revoke` —
|
|
421
|
+
* the action is admin-gated and audit-trailed, but the per-account cap
|
|
422
|
+
* keeps a single admin script from churning role_grants in a loop and
|
|
423
|
+
* obscuring audit context for unrelated activity.
|
|
424
|
+
*/
|
|
408
425
|
export declare const role_grant_revoke_action_spec: {
|
|
409
426
|
method: string;
|
|
410
427
|
kind: "request_response";
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"role_grant_offer_action_specs.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/role_grant_offer_action_specs.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAGtB,OAAO,KAAK,EAAC,yBAAyB,EAAC,MAAM,2BAA2B,CAAC;AAUzE,oEAAoE;AACpE,eAAO,MAAM,kCAAkC,EAAG,8BAAuC,CAAC;AAC1F,kEAAkE;AAClE,eAAO,MAAM,+BAA+B,EAAG,2BAAoC,CAAC;AACpF,sDAAsD;AACtD,eAAO,MAAM,8BAA8B,EAAG,0BAAmC,CAAC;AAClF,wGAAwG;AACxG,eAAO,MAAM,gCAAgC,EAAG,4BAAqC,CAAC;AACtF,uIAAuI;AACvI,eAAO,MAAM,yCAAyC,EACrD,qCAA8C,CAAC;AAChD,gKAAgK;AAChK,eAAO,MAAM,qCAAqC,EAAG,iCAA0C,CAAC;AAChG,6FAA6F;AAC7F,eAAO,MAAM,qCAAqC,EAAG,iCAA0C,CAAC;AAChG,wHAAwH;AACxH,eAAO,MAAM,6CAA6C,EACzD,yCAAkD,CAAC;AAIpD;;;;;;;;;;GAUG;AACH,eAAO,MAAM,yBAAyB;;;;;;;;kBAoBpC,CAAC;AACH,MAAM,MAAM,yBAAyB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,yBAAyB,CAAC,CAAC;AAElF,2CAA2C;AAC3C,eAAO,MAAM,yBAAyB;;;kBAGpC,CAAC;AACH,MAAM,MAAM,yBAAyB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,yBAAyB,CAAC,CAAC;AAElF,4CAA4C;AAC5C,eAAO,MAAM,0BAA0B;;;;kBAQrC,CAAC;AACH,MAAM,MAAM,0BAA0B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,0BAA0B,CAAC,CAAC;AAEpF,4CAA4C;AAC5C,eAAO,MAAM,0BAA0B;;;kBAGrC,CAAC;AACH,MAAM,MAAM,0BAA0B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,0BAA0B,CAAC,CAAC;AAEpF,uGAAuG;AACvG,eAAO,MAAM,uBAAuB;;;mBAOvB,CAAC;AACd,MAAM,MAAM,uBAAuB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,uBAAuB,CAAC,CAAC;AAE9E;;;;;;GAMG;AACH,eAAO,MAAM,oBAAoB;;;;;kBAQ/B,CAAC;AACH,MAAM,MAAM,oBAAoB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAC;AAExE;;;;GAIG;AACH,eAAO,MAAM,0BAA0B;;;;;mBAa1B,CAAC;AACd,MAAM,MAAM,0BAA0B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,0BAA0B,CAAC,CAAC;AAEpF,4CAA4C;AAC5C,eAAO,MAAM,0BAA0B;;;;;;;;;;;;;;;;;;;kBAErC,CAAC;AACH,MAAM,MAAM,0BAA0B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,0BAA0B,CAAC,CAAC;AAEpF,4CAA4C;AAC5C,eAAO,MAAM,0BAA0B;;;;;;;;;;;;;;;;;;;;;kBAIrC,CAAC;AACH,MAAM,MAAM,0BAA0B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,0BAA0B,CAAC,CAAC;AAEpF,0EAA0E;AAC1E,eAAO,MAAM,sBAAsB;;kBAAwC,CAAC;AAC5E,MAAM,MAAM,sBAAsB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAC;AAE5E,0CAA0C;AAC1C,eAAO,MAAM,wBAAwB;;;;;;;;;;;;;;;;;;;kBAAwD,CAAC;AAC9F,MAAM,MAAM,wBAAwB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,wBAAwB,CAAC,CAAC;AAEhF,6CAA6C;AAC7C,eAAO,MAAM,2BAA2B;;;;;;;;;;;;;;;;;;;kBAAwD,CAAC;AACjG,MAAM,MAAM,2BAA2B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,2BAA2B,CAAC,CAAC;AAEtF,sCAAsC;AACtC,eAAO,MAAM,qBAAqB;;;kBAGhC,CAAC;AACH,MAAM,MAAM,qBAAqB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,qBAAqB,CAAC,CAAC;AAI1E,eAAO,MAAM,mCAAmC
|
|
1
|
+
{"version":3,"file":"role_grant_offer_action_specs.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/role_grant_offer_action_specs.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAGtB,OAAO,KAAK,EAAC,yBAAyB,EAAC,MAAM,2BAA2B,CAAC;AAUzE,oEAAoE;AACpE,eAAO,MAAM,kCAAkC,EAAG,8BAAuC,CAAC;AAC1F,kEAAkE;AAClE,eAAO,MAAM,+BAA+B,EAAG,2BAAoC,CAAC;AACpF,sDAAsD;AACtD,eAAO,MAAM,8BAA8B,EAAG,0BAAmC,CAAC;AAClF,wGAAwG;AACxG,eAAO,MAAM,gCAAgC,EAAG,4BAAqC,CAAC;AACtF,uIAAuI;AACvI,eAAO,MAAM,yCAAyC,EACrD,qCAA8C,CAAC;AAChD,gKAAgK;AAChK,eAAO,MAAM,qCAAqC,EAAG,iCAA0C,CAAC;AAChG,6FAA6F;AAC7F,eAAO,MAAM,qCAAqC,EAAG,iCAA0C,CAAC;AAChG,wHAAwH;AACxH,eAAO,MAAM,6CAA6C,EACzD,yCAAkD,CAAC;AAIpD;;;;;;;;;;GAUG;AACH,eAAO,MAAM,yBAAyB;;;;;;;;kBAoBpC,CAAC;AACH,MAAM,MAAM,yBAAyB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,yBAAyB,CAAC,CAAC;AAElF,2CAA2C;AAC3C,eAAO,MAAM,yBAAyB;;;kBAGpC,CAAC;AACH,MAAM,MAAM,yBAAyB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,yBAAyB,CAAC,CAAC;AAElF,4CAA4C;AAC5C,eAAO,MAAM,0BAA0B;;;;kBAQrC,CAAC;AACH,MAAM,MAAM,0BAA0B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,0BAA0B,CAAC,CAAC;AAEpF,4CAA4C;AAC5C,eAAO,MAAM,0BAA0B;;;kBAGrC,CAAC;AACH,MAAM,MAAM,0BAA0B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,0BAA0B,CAAC,CAAC;AAEpF,uGAAuG;AACvG,eAAO,MAAM,uBAAuB;;;mBAOvB,CAAC;AACd,MAAM,MAAM,uBAAuB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,uBAAuB,CAAC,CAAC;AAE9E;;;;;;GAMG;AACH,eAAO,MAAM,oBAAoB;;;;;kBAQ/B,CAAC;AACH,MAAM,MAAM,oBAAoB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAC;AAExE;;;;GAIG;AACH,eAAO,MAAM,0BAA0B;;;;;mBAa1B,CAAC;AACd,MAAM,MAAM,0BAA0B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,0BAA0B,CAAC,CAAC;AAEpF,4CAA4C;AAC5C,eAAO,MAAM,0BAA0B;;;;;;;;;;;;;;;;;;;kBAErC,CAAC;AACH,MAAM,MAAM,0BAA0B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,0BAA0B,CAAC,CAAC;AAEpF,4CAA4C;AAC5C,eAAO,MAAM,0BAA0B;;;;;;;;;;;;;;;;;;;;;kBAIrC,CAAC;AACH,MAAM,MAAM,0BAA0B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,0BAA0B,CAAC,CAAC;AAEpF,0EAA0E;AAC1E,eAAO,MAAM,sBAAsB;;kBAAwC,CAAC;AAC5E,MAAM,MAAM,sBAAsB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAC;AAE5E,0CAA0C;AAC1C,eAAO,MAAM,wBAAwB;;;;;;;;;;;;;;;;;;;kBAAwD,CAAC;AAC9F,MAAM,MAAM,wBAAwB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,wBAAwB,CAAC,CAAC;AAEhF,6CAA6C;AAC7C,eAAO,MAAM,2BAA2B;;;;;;;;;;;;;;;;;;;kBAAwD,CAAC;AACjG,MAAM,MAAM,2BAA2B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,2BAA2B,CAAC,CAAC;AAEtF,sCAAsC;AACtC,eAAO,MAAM,qBAAqB;;;kBAGhC,CAAC;AACH,MAAM,MAAM,qBAAqB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,qBAAqB,CAAC,CAAC;AAI1E;;;;;;;;;GASG;AACH,eAAO,MAAM,mCAAmC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAkBX,CAAC;AAEtC,eAAO,MAAM,mCAAmC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAiBX,CAAC;AAEtC,eAAO,MAAM,oCAAoC;;;;;;;;;;;;;;;;;;;;CAWZ,CAAC;AAEtC,eAAO,MAAM,oCAAoC;;;;;;;;;;;;;;;;;;;CAWZ,CAAC;AAEtC,eAAO,MAAM,iCAAiC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAWT,CAAC;AAEtC,eAAO,MAAM,oCAAoC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAWZ,CAAC;AAEtC;;;;;GAKG;AACH,eAAO,MAAM,6BAA6B;;;;;;;;;;;;;;;;;;;;;;;;CAaL,CAAC;AAEtC;;;;GAIG;AACH,eAAO,MAAM,iCAAiC,EAAE,KAAK,CAAC,yBAAyB,CAQ9E,CAAC"}
|
|
@@ -157,6 +157,16 @@ export const RoleGrantRevokeOutput = z.strictObject({
|
|
|
157
157
|
revoked: z.literal(true),
|
|
158
158
|
});
|
|
159
159
|
// -- Action specs -----------------------------------------------------------
|
|
160
|
+
/**
|
|
161
|
+
* `rate_limit: 'account'` throttles offer-spam at the authenticated
|
|
162
|
+
* grantor and bounds the account-existence oracle on `to_account_id` —
|
|
163
|
+
* the same shape as `invite_create_action_spec` upstream addresses, where
|
|
164
|
+
* a hostile authed caller iterates recipients to probe
|
|
165
|
+
* `ERROR_ACCOUNT_NOT_FOUND` (and the actor-binding via
|
|
166
|
+
* `ERROR_ROLE_GRANT_OFFER_ACTOR_ACCOUNT_MISMATCH`) as an enumeration
|
|
167
|
+
* vector. Failure-outcome audit rows preserve the forensic trail; the
|
|
168
|
+
* rate cap closes the budget.
|
|
169
|
+
*/
|
|
160
170
|
export const role_grant_offer_create_action_spec = {
|
|
161
171
|
method: 'role_grant_offer_create',
|
|
162
172
|
kind: 'request_response',
|
|
@@ -173,6 +183,7 @@ export const role_grant_offer_create_action_spec = {
|
|
|
173
183
|
ERROR_ROLE_GRANT_OFFER_NOT_AUTHORIZED,
|
|
174
184
|
ERROR_ROLE_GRANT_OFFER_ACTOR_ACCOUNT_MISMATCH,
|
|
175
185
|
],
|
|
186
|
+
rate_limit: 'account',
|
|
176
187
|
};
|
|
177
188
|
export const role_grant_offer_accept_action_spec = {
|
|
178
189
|
method: 'role_grant_offer_accept',
|
|
@@ -237,6 +248,12 @@ export const role_grant_offer_history_action_spec = {
|
|
|
237
248
|
async: true,
|
|
238
249
|
description: 'List every offer involving the caller (either direction), including terminal rows, newest first. Admins may pass `account_id` to inspect another account.',
|
|
239
250
|
};
|
|
251
|
+
/**
|
|
252
|
+
* `rate_limit: 'account'` bounds admin-side burn of `role_grant_revoke` —
|
|
253
|
+
* the action is admin-gated and audit-trailed, but the per-account cap
|
|
254
|
+
* keeps a single admin script from churning role_grants in a loop and
|
|
255
|
+
* obscuring audit context for unrelated activity.
|
|
256
|
+
*/
|
|
240
257
|
export const role_grant_revoke_action_spec = {
|
|
241
258
|
method: 'role_grant_revoke',
|
|
242
259
|
kind: 'request_response',
|
|
@@ -29,6 +29,13 @@ export declare const SelfServiceRoleSetOutput: z.ZodObject<{
|
|
|
29
29
|
changed: z.ZodBoolean;
|
|
30
30
|
}, z.core.$strict>;
|
|
31
31
|
export type SelfServiceRoleSetOutput = z.infer<typeof SelfServiceRoleSetOutput>;
|
|
32
|
+
/**
|
|
33
|
+
* `rate_limit: 'account'` bounds audit-row churn. The toggle is idempotent
|
|
34
|
+
* (`changed: false` re-grants/re-revokes), but every call still writes a
|
|
35
|
+
* `role_grant_create` or `role_grant_revoke` audit row with
|
|
36
|
+
* `self_service: true`. Without the cap, a caller could flap the role in
|
|
37
|
+
* a loop to inflate the audit log and obscure other activity.
|
|
38
|
+
*/
|
|
32
39
|
export declare const self_service_role_set_action_spec: {
|
|
33
40
|
method: string;
|
|
34
41
|
kind: "request_response";
|
|
@@ -50,6 +57,7 @@ export declare const self_service_role_set_action_spec: {
|
|
|
50
57
|
}, z.core.$strict>;
|
|
51
58
|
async: true;
|
|
52
59
|
description: string;
|
|
60
|
+
rate_limit: "account";
|
|
53
61
|
};
|
|
54
62
|
/**
|
|
55
63
|
* All self-service role action specs — a codegen-ready registry. Single-element
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"self_service_role_action_specs.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/self_service_role_action_specs.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAEtB,OAAO,KAAK,EAAC,yBAAyB,EAAC,MAAM,2BAA2B,CAAC;AAIzE,0FAA0F;AAC1F,eAAO,MAAM,oCAAoC,EAAG,gCAAyC,CAAC;AAE9F,yCAAyC;AACzC,eAAO,MAAM,uBAAuB;;;;kBAOlC,CAAC;AACH,MAAM,MAAM,uBAAuB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,uBAAuB,CAAC,CAAC;AAE9E;;;;GAIG;AACH,eAAO,MAAM,wBAAwB;;;;kBAInC,CAAC;AACH,MAAM,MAAM,wBAAwB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,wBAAwB,CAAC,CAAC;AAEhF,eAAO,MAAM,iCAAiC
|
|
1
|
+
{"version":3,"file":"self_service_role_action_specs.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/self_service_role_action_specs.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAEtB,OAAO,KAAK,EAAC,yBAAyB,EAAC,MAAM,2BAA2B,CAAC;AAIzE,0FAA0F;AAC1F,eAAO,MAAM,oCAAoC,EAAG,gCAAyC,CAAC;AAE9F,yCAAyC;AACzC,eAAO,MAAM,uBAAuB;;;;kBAOlC,CAAC;AACH,MAAM,MAAM,uBAAuB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,uBAAuB,CAAC,CAAC;AAE9E;;;;GAIG;AACH,eAAO,MAAM,wBAAwB;;;;kBAInC,CAAC;AACH,MAAM,MAAM,wBAAwB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,wBAAwB,CAAC,CAAC;AAEhF;;;;;;GAMG;AACH,eAAO,MAAM,iCAAiC;;;;;;;;;;;;;;;;;;;;;;CAYT,CAAC;AAEtC;;;;GAIG;AACH,eAAO,MAAM,kCAAkC,EAAE,aAAa,CAAC,yBAAyB,CAEvF,CAAC"}
|
|
@@ -30,6 +30,13 @@ export const SelfServiceRoleSetOutput = z.strictObject({
|
|
|
30
30
|
enabled: z.boolean(),
|
|
31
31
|
changed: z.boolean(),
|
|
32
32
|
});
|
|
33
|
+
/**
|
|
34
|
+
* `rate_limit: 'account'` bounds audit-row churn. The toggle is idempotent
|
|
35
|
+
* (`changed: false` re-grants/re-revokes), but every call still writes a
|
|
36
|
+
* `role_grant_create` or `role_grant_revoke` audit row with
|
|
37
|
+
* `self_service: true`. Without the cap, a caller could flap the role in
|
|
38
|
+
* a loop to inflate the audit log and obscure other activity.
|
|
39
|
+
*/
|
|
33
40
|
export const self_service_role_set_action_spec = {
|
|
34
41
|
method: 'self_service_role_set',
|
|
35
42
|
kind: 'request_response',
|
|
@@ -40,6 +47,7 @@ export const self_service_role_set_action_spec = {
|
|
|
40
47
|
output: SelfServiceRoleSetOutput,
|
|
41
48
|
async: true,
|
|
42
49
|
description: 'Toggle a self-service role. Idempotent in both directions — `changed: false` when post-call state already matched the request.',
|
|
50
|
+
rate_limit: 'account',
|
|
43
51
|
};
|
|
44
52
|
/**
|
|
45
53
|
* All self-service role action specs — a codegen-ready registry. Single-element
|