@fuzdev/fuz_app 0.58.0 → 0.60.0

package/dist/auth/audit_log_schema.js

@@ -64,7 +64,7 @@ export const AuditOutcome = z.enum(['success', 'failure']);
  * stub schema); the Zod schemas themselves are reachable and mutable —
  * freeze isn't a security boundary.
  */
-export const AUDIT_METADATA_SCHEMAS = Object.freeze({
+export const audit_metadata_schemas = Object.freeze({
     login: z
         .looseObject({
         username: z.string().meta({ description: 'Username submitted with the login attempt.' }),
@@ -265,9 +265,9 @@ export const get_audit_metadata = (event) => {
     return event.metadata;
 };
 /** Builtin fuz_app audit-log config — every existing event type and its metadata schema. */
-export const BUILTIN_AUDIT_LOG_CONFIG = Object.freeze({
+export const builtin_audit_log_config = Object.freeze({
     event_types: AUDIT_EVENT_TYPES,
-    metadata_schemas: AUDIT_METADATA_SCHEMAS,
+    metadata_schemas: audit_metadata_schemas,
 });
 /**
  * Build an `AuditLogConfig` by merging fuz_app builtins with consumer extras.
@@ -277,20 +277,20 @@ export const BUILTIN_AUDIT_LOG_CONFIG = Object.freeze({
  *
  * Call once at startup; pass the result to `create_app_backend` (which
  * threads it into `AppDeps.audit`). Builtin handlers omit the
- * `audit_log_config` slot and pick up `BUILTIN_AUDIT_LOG_CONFIG`.
+ * `audit_log_config` slot and pick up `builtin_audit_log_config`.
  *
  * @throws Error when an `extra_events` key collides with a builtin event type or fails `AuditEventTypeName` format validation
  */
 export const create_audit_log_config = (options) => {
     const extras = options?.extra_events;
     if (!extras)
-        return BUILTIN_AUDIT_LOG_CONFIG;
+        return builtin_audit_log_config;
     const extra_entries = Object.entries(extras);
     if (extra_entries.length === 0)
-        return BUILTIN_AUDIT_LOG_CONFIG;
+        return builtin_audit_log_config;
     const builtin_set = new Set(AUDIT_EVENT_TYPES);
     const extra_keys = [];
-    const metadata_schemas = { ...AUDIT_METADATA_SCHEMAS };
+    const metadata_schemas = { ...audit_metadata_schemas };
     for (const [t, schema] of extra_entries) {
         if (builtin_set.has(t)) {
             throw new Error(`extra_events key "${t}" collides with a builtin event type — pick a distinct string (e.g. "app_${t}")`);

package/dist/auth/auth_ddl.d.ts

@@ -12,6 +12,13 @@
 export declare const ACCOUNT_SCHEMA = "\nCREATE TABLE IF NOT EXISTS account (\n  id UUID PRIMARY KEY DEFAULT gen_random_uuid(),\n  username TEXT UNIQUE NOT NULL,\n  email TEXT,\n  email_verified BOOLEAN NOT NULL DEFAULT false,\n  password_hash TEXT NOT NULL,\n  created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),\n  created_by UUID,\n  updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),\n  updated_by UUID\n)";
 export declare const ACTOR_SCHEMA = "\nCREATE TABLE IF NOT EXISTS actor (\n  id UUID PRIMARY KEY DEFAULT gen_random_uuid(),\n  account_id UUID NOT NULL REFERENCES account(id) ON DELETE CASCADE,\n  name TEXT NOT NULL,\n  created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),\n  updated_at TIMESTAMPTZ,\n  updated_by UUID REFERENCES actor(id) ON DELETE SET NULL\n)";
 export declare const ACTOR_INDEX = "\nCREATE INDEX IF NOT EXISTS idx_actor_account ON actor(account_id)";
+/**
+ * Functional index on `LOWER(actor.name)` supporting case-insensitive
+ * prefix search by `actor_search` (`LOWER(name) LIKE LOWER(query) || '%'`).
+ * `text_pattern_ops` keeps the LIKE-prefix pattern index-eligible — without
+ * it the planner falls back to a sequential scan once the table grows.
+ */
+export declare const ACTOR_NAME_LOWER_INDEX = "\nCREATE INDEX IF NOT EXISTS idx_actor_name_lower ON actor (LOWER(name) text_pattern_ops)";
 export declare const ROLE_GRANT_SCHEMA = "\nCREATE TABLE IF NOT EXISTS role_grant (\n  id UUID PRIMARY KEY DEFAULT gen_random_uuid(),\n  actor_id UUID NOT NULL REFERENCES actor(id) ON DELETE CASCADE,\n  role TEXT NOT NULL,\n  created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),\n  expires_at TIMESTAMPTZ,\n  revoked_at TIMESTAMPTZ,\n  revoked_by UUID REFERENCES actor(id) ON DELETE SET NULL,\n  granted_by UUID REFERENCES actor(id) ON DELETE SET NULL\n)";
 export declare const ROLE_GRANT_INDEXES: string[];
 export declare const AUTH_SESSION_SCHEMA = "\nCREATE TABLE IF NOT EXISTS auth_session (\n  id TEXT PRIMARY KEY,\n  account_id UUID NOT NULL REFERENCES account(id) ON DELETE CASCADE,\n  created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),\n  expires_at TIMESTAMPTZ NOT NULL,\n  last_seen_at TIMESTAMPTZ NOT NULL DEFAULT NOW()\n)";

package/dist/auth/auth_ddl.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"auth_ddl.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/auth_ddl.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,eAAO,MAAM,cAAc,8WAWzB,CAAC;AAEH,eAAO,MAAM,YAAY,mUAQvB,CAAC;AAEH,eAAO,MAAM,WAAW,wEAC0C,CAAC;AAEnE,eAAO,MAAM,iBAAiB,2ZAU5B,CAAC;AAEH,eAAO,MAAM,kBAAkB,UAI9B,CAAC;AAEF,eAAO,MAAM,mBAAmB,0RAO9B,CAAC;AAEH,eAAO,MAAM,oBAAoB,UAGhC,CAAC;AAEF,eAAO,MAAM,gBAAgB,iUAU3B,CAAC;AAEH,eAAO,MAAM,mBAAmB,4GACsE,CAAC;AAEvG,eAAO,MAAM,yBAAyB,6FACiD,CAAC;AAExF,eAAO,MAAM,eAAe,gFAC8C,CAAC;AAE3E,eAAO,MAAM,qBAAqB,wJAIhC,CAAC;AAEH,6FAA6F;AAC7F,eAAO,MAAM,mBAAmB,yHAGP,CAAC;AAE1B,eAAO,MAAM,aAAa,6ZAUxB,CAAC;AAEH,eAAO,MAAM,cAAc,UAI1B,CAAC;AAEF,eAAO,MAAM,mBAAmB,oMAM9B,CAAC;AAEH,eAAO,MAAM,iBAAiB,sEACkC,CAAC"}
+{"version":3,"file":"auth_ddl.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/auth_ddl.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,eAAO,MAAM,cAAc,8WAWzB,CAAC;AAEH,eAAO,MAAM,YAAY,mUAQvB,CAAC;AAEH,eAAO,MAAM,WAAW,wEAC0C,CAAC;AAEnE;;;;;GAKG;AACH,eAAO,MAAM,sBAAsB,8FACqD,CAAC;AAEzF,eAAO,MAAM,iBAAiB,2ZAU5B,CAAC;AAEH,eAAO,MAAM,kBAAkB,UAI9B,CAAC;AAEF,eAAO,MAAM,mBAAmB,0RAO9B,CAAC;AAEH,eAAO,MAAM,oBAAoB,UAGhC,CAAC;AAEF,eAAO,MAAM,gBAAgB,iUAU3B,CAAC;AAEH,eAAO,MAAM,mBAAmB,4GACsE,CAAC;AAEvG,eAAO,MAAM,yBAAyB,6FACiD,CAAC;AAExF,eAAO,MAAM,eAAe,gFAC8C,CAAC;AAE3E,eAAO,MAAM,qBAAqB,wJAIhC,CAAC;AAEH,6FAA6F;AAC7F,eAAO,MAAM,mBAAmB,yHAGP,CAAC;AAE1B,eAAO,MAAM,aAAa,6ZAUxB,CAAC;AAEH,eAAO,MAAM,cAAc,UAI1B,CAAC;AAEF,eAAO,MAAM,mBAAmB,oMAM9B,CAAC;AAEH,eAAO,MAAM,iBAAiB,sEACkC,CAAC"}

package/dist/auth/auth_ddl.js

@@ -32,6 +32,14 @@ CREATE TABLE IF NOT EXISTS actor (
 )`;
 export const ACTOR_INDEX = `
 CREATE INDEX IF NOT EXISTS idx_actor_account ON actor(account_id)`;
+/**
+ * Functional index on `LOWER(actor.name)` supporting case-insensitive
+ * prefix search by `actor_search` (`LOWER(name) LIKE LOWER(query) || '%'`).
+ * `text_pattern_ops` keeps the LIKE-prefix pattern index-eligible — without
+ * it the planner falls back to a sequential scan once the table grows.
+ */
+export const ACTOR_NAME_LOWER_INDEX = `
+CREATE INDEX IF NOT EXISTS idx_actor_name_lower ON actor (LOWER(name) text_pattern_ops)`;
 export const ROLE_GRANT_SCHEMA = `
 CREATE TABLE IF NOT EXISTS role_grant (
   id UUID PRIMARY KEY DEFAULT gen_random_uuid(),

package/dist/auth/credential_type_schema.d.ts

@@ -67,7 +67,7 @@ export interface CredentialTypeMeta {
  * here. Read once at startup by `create_credential_type_schema`;
  * runtime mutation has no effect on already-built schemas.
  */
-export declare const BUILTIN_CREDENTIAL_TYPE_META: ReadonlyMap<string, CredentialTypeMeta>;
+export declare const builtin_credential_type_meta: ReadonlyMap<string, CredentialTypeMeta>;
 /** The result of `create_credential_type_schema` — a Zod schema and metadata map. */
 export interface CredentialTypeSchemaResult {
     /**

package/dist/auth/credential_type_schema.js

@@ -60,7 +60,7 @@ export const BuiltinCredentialType = z.enum(BUILTIN_CREDENTIAL_TYPES);
  * here. Read once at startup by `create_credential_type_schema`;
  * runtime mutation has no effect on already-built schemas.
  */
-export const BUILTIN_CREDENTIAL_TYPE_META = new Map([
+export const builtin_credential_type_meta = new Map([
     [
         CREDENTIAL_TYPE_SESSION,
         { description: 'Cookie-based session credential, signed and validated server-side.' },
@@ -109,7 +109,7 @@ export const create_credential_type_schema = (consumer_types = {}) => {
         if (!parsed.success) {
             throw new Error(`Invalid credential-type name "${name}": ${parsed.error.issues[0].message}`);
         }
-        if (BUILTIN_CREDENTIAL_TYPE_META.has(name)) {
+        if (builtin_credential_type_meta.has(name)) {
             throw new Error(`Consumer credential-type "${name}" collides with builtin credential-type`);
         }
         if (seen.has(name)) {
@@ -119,7 +119,7 @@ export const create_credential_type_schema = (consumer_types = {}) => {
     }
     const all_names = [...BUILTIN_CREDENTIAL_TYPES, ...consumer_names];
     const CredentialType = z.enum(all_names);
-    const credential_types = new Map(BUILTIN_CREDENTIAL_TYPE_META);
+    const credential_types = new Map(builtin_credential_type_meta);
     for (const name of consumer_names) {
         credential_types.set(name, consumer_types[name]);
     }

package/dist/auth/grant_path_schema.d.ts

@@ -70,7 +70,7 @@ export interface GrantPathMeta {
  * here. Read once at startup by `create_grant_path_schema`; runtime
  * mutation has no effect on already-built schemas.
  */
-export declare const BUILTIN_GRANT_PATH_META: ReadonlyMap<string, GrantPathMeta>;
+export declare const builtin_grant_path_meta: ReadonlyMap<string, GrantPathMeta>;
 /** The result of `create_grant_path_schema` — a Zod schema and metadata map. */
 export interface GrantPathSchemaResult {
     /**

package/dist/auth/grant_path_schema.js

@@ -63,7 +63,7 @@ export const BuiltinGrantPath = z.enum(BUILTIN_GRANT_PATHS);
  * here. Read once at startup by `create_grant_path_schema`; runtime
  * mutation has no effect on already-built schemas.
  */
-export const BUILTIN_GRANT_PATH_META = new Map([
+export const builtin_grant_path_meta = new Map([
     [
         GRANT_PATH_ADMIN,
         {
@@ -119,7 +119,7 @@ export const create_grant_path_schema = (consumer_paths = {}) => {
         if (!parsed.success) {
             throw new Error(`Invalid grant-path name "${name}": ${parsed.error.issues[0].message}`);
         }
-        if (BUILTIN_GRANT_PATH_META.has(name)) {
+        if (builtin_grant_path_meta.has(name)) {
             throw new Error(`Consumer grant-path "${name}" collides with builtin grant-path`);
         }
         if (seen.has(name)) {
@@ -129,7 +129,7 @@ export const create_grant_path_schema = (consumer_paths = {}) => {
     }
     const all_names = [...BUILTIN_GRANT_PATHS, ...consumer_names];
     const GrantPath = z.enum(all_names);
-    const grant_paths = new Map(BUILTIN_GRANT_PATH_META);
+    const grant_paths = new Map(builtin_grant_path_meta);
     for (const name of consumer_names) {
         grant_paths.set(name, consumer_paths[name]);
     }

package/dist/auth/migrations.d.ts

@@ -17,7 +17,7 @@
  *
  * To add a migration in the pre-stable phase, prefer extending an existing
  * entry's body (consumers will re-bootstrap on upgrade). If you do append
- * a new entry to `AUTH_MIGRATIONS`, the runner will apply it on existing
+ * a new entry to `auth_migrations`, the runner will apply it on existing
  * tracker rows — the same shape that will become mandatory once the
  * schema stabilizes:
  *
@@ -46,7 +46,7 @@ export declare const AUTH_MIGRATION_NAMESPACE = "fuz_auth";
  * as `ReadonlyArray<string>` (not a literal tuple) so `.includes()` accepts
  * any consumer-supplied namespace string without a cast.
  */
-export declare const RESERVED_MIGRATION_NAMESPACES: ReadonlyArray<string>;
+export declare const reserved_migration_namespaces: ReadonlyArray<string>;
 /**
  * Auth schema migrations in order.
  *
@@ -67,7 +67,7 @@ export declare const RESERVED_MIGRATION_NAMESPACES: ReadonlyArray<string>;
  *   (registry-membership validation against `create_scope_kind_schema`);
  *   v2 may add INSERT-time `(role, scope_kind)` enforcement.
  */
-export declare const AUTH_MIGRATIONS: Array<Migration>;
+export declare const auth_migrations: Array<Migration>;
 /** Pre-composed migration namespace for auth tables. */
-export declare const AUTH_MIGRATION_NS: MigrationNamespace;
+export declare const auth_migration_ns: MigrationNamespace;
 //# sourceMappingURL=migrations.d.ts.map

package/dist/auth/migrations.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"migrations.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/migrations.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAqCG;AA8BH,OAAO,KAAK,EAAC,SAAS,EAAE,kBAAkB,EAAC,MAAM,kBAAkB,CAAC;AAEpE,wDAAwD;AACxD,eAAO,MAAM,wBAAwB,aAAa,CAAC;AAEnD;;;;;;GAMG;AACH,eAAO,MAAM,6BAA6B,EAAE,aAAa,CAAC,MAAM,CAA8B,CAAC;AAE/F;;;;;;;;;;;;;;;;;;;GAmBG;AACH,eAAO,MAAM,eAAe,EAAE,KAAK,CAAC,SAAS,CAqF5C,CAAC;AAEF,wDAAwD;AACxD,eAAO,MAAM,iBAAiB,EAAE,kBAG/B,CAAC"}
+{"version":3,"file":"migrations.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/migrations.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAqCG;AA+BH,OAAO,KAAK,EAAC,SAAS,EAAE,kBAAkB,EAAC,MAAM,kBAAkB,CAAC;AAEpE,wDAAwD;AACxD,eAAO,MAAM,wBAAwB,aAAa,CAAC;AAEnD;;;;;;GAMG;AACH,eAAO,MAAM,6BAA6B,EAAE,aAAa,CAAC,MAAM,CAA8B,CAAC;AAE/F;;;;;;;;;;;;;;;;;;;GAmBG;AACH,eAAO,MAAM,eAAe,EAAE,KAAK,CAAC,SAAS,CAsF5C,CAAC;AAEF,wDAAwD;AACxD,eAAO,MAAM,iBAAiB,EAAE,kBAG/B,CAAC"}

package/dist/auth/migrations.js

@@ -17,7 +17,7 @@
  *
  * To add a migration in the pre-stable phase, prefer extending an existing
  * entry's body (consumers will re-bootstrap on upgrade). If you do append
- * a new entry to `AUTH_MIGRATIONS`, the runner will apply it on existing
+ * a new entry to `auth_migrations`, the runner will apply it on existing
  * tracker rows — the same shape that will become mandatory once the
  * schema stabilizes:
  *
@@ -36,7 +36,7 @@
  *
  * @module
  */
-import { ACCOUNT_SCHEMA, ACCOUNT_EMAIL_INDEX, ACCOUNT_USERNAME_CI_INDEX, ACTOR_SCHEMA, ACTOR_INDEX, ROLE_GRANT_SCHEMA, ROLE_GRANT_INDEXES, AUTH_SESSION_SCHEMA, AUTH_SESSION_INDEXES, API_TOKEN_SCHEMA, API_TOKEN_INDEX, BOOTSTRAP_LOCK_SCHEMA, BOOTSTRAP_LOCK_SEED, INVITE_SCHEMA, INVITE_INDEXES, APP_SETTINGS_SCHEMA, APP_SETTINGS_SEED, } from './auth_ddl.js';
+import { ACCOUNT_SCHEMA, ACCOUNT_EMAIL_INDEX, ACCOUNT_USERNAME_CI_INDEX, ACTOR_SCHEMA, ACTOR_INDEX, ACTOR_NAME_LOWER_INDEX, ROLE_GRANT_SCHEMA, ROLE_GRANT_INDEXES, AUTH_SESSION_SCHEMA, AUTH_SESSION_INDEXES, API_TOKEN_SCHEMA, API_TOKEN_INDEX, BOOTSTRAP_LOCK_SCHEMA, BOOTSTRAP_LOCK_SEED, INVITE_SCHEMA, INVITE_INDEXES, APP_SETTINGS_SCHEMA, APP_SETTINGS_SEED, } from './auth_ddl.js';
 import { AUDIT_LOG_SCHEMA, AUDIT_LOG_INDEXES } from './audit_log_ddl.js';
 import { ROLE_GRANT_OFFER_SCHEMA, ROLE_GRANT_OFFER_PENDING_UNIQUE_INDEX, ROLE_GRANT_OFFER_INBOX_INDEX, ROLE_GRANT_OFFER_SCOPE_SENTINEL_UUID, ROLE_GRANT_OFFER_SCOPE_KIND_GLOBAL_TOKEN, } from './role_grant_offer_ddl.js';
 /** Namespace identifier for fuz_app auth migrations. */
@@ -48,7 +48,7 @@ export const AUTH_MIGRATION_NAMESPACE = 'fuz_auth';
  * as `ReadonlyArray<string>` (not a literal tuple) so `.includes()` accepts
  * any consumer-supplied namespace string without a cast.
  */
-export const RESERVED_MIGRATION_NAMESPACES = [AUTH_MIGRATION_NAMESPACE];
+export const reserved_migration_namespaces = [AUTH_MIGRATION_NAMESPACE];
 /**
  * Auth schema migrations in order.
  *
@@ -69,7 +69,7 @@ export const RESERVED_MIGRATION_NAMESPACES = [AUTH_MIGRATION_NAMESPACE];
  *   (registry-membership validation against `create_scope_kind_schema`);
  *   v2 may add INSERT-time `(role, scope_kind)` enforcement.
  */
-export const AUTH_MIGRATIONS = [
+export const auth_migrations = [
     // v0: full auth schema — all IF NOT EXISTS, safe for existing databases
     {
         name: 'full_auth_schema',
@@ -79,6 +79,7 @@ export const AUTH_MIGRATIONS = [
             await db.query(ACCOUNT_USERNAME_CI_INDEX);
             await db.query(ACTOR_SCHEMA);
             await db.query(ACTOR_INDEX);
+            await db.query(ACTOR_NAME_LOWER_INDEX);
             await db.query(ROLE_GRANT_SCHEMA);
             for (const sql of ROLE_GRANT_INDEXES) {
                 await db.query(sql);
@@ -150,7 +151,7 @@ export const AUTH_MIGRATIONS = [
     },
 ];
 /** Pre-composed migration namespace for auth tables. */
-export const AUTH_MIGRATION_NS = {
+export const auth_migration_ns = {
     namespace: AUTH_MIGRATION_NAMESPACE,
-    migrations: AUTH_MIGRATIONS,
+    migrations: auth_migrations,
 };

package/dist/auth/role_grant_offer_action_specs.d.ts

@@ -209,6 +209,16 @@ export declare const RoleGrantRevokeOutput: z.ZodObject<{
     revoked: z.ZodLiteral<true>;
 }, z.core.$strict>;
 export type RoleGrantRevokeOutput = z.infer<typeof RoleGrantRevokeOutput>;
+/**
+ * `rate_limit: 'account'` throttles offer-spam at the authenticated
+ * grantor and bounds the account-existence oracle on `to_account_id` —
+ * the same shape as `invite_create_action_spec` upstream addresses, where
+ * a hostile authed caller iterates recipients to probe
+ * `ERROR_ACCOUNT_NOT_FOUND` (and the actor-binding via
+ * `ERROR_ROLE_GRANT_OFFER_ACTOR_ACCOUNT_MISMATCH`) as an enumeration
+ * vector. Failure-outcome audit rows preserve the forensic trail; the
+ * rate cap closes the budget.
+ */
 export declare const role_grant_offer_create_action_spec: {
     method: string;
     kind: "request_response";
@@ -250,6 +260,7 @@ export declare const role_grant_offer_create_action_spec: {
     async: true;
     description: string;
     error_reasons: ("role_grant_offer_self_target" | "role_grant_offer_role_not_grantable" | "role_grant_offer_not_authorized" | "role_grant_offer_actor_account_mismatch")[];
+    rate_limit: "account";
 };
 export declare const role_grant_offer_accept_action_spec: {
     method: string;
@@ -405,6 +416,12 @@ export declare const role_grant_offer_history_action_spec: {
     async: true;
     description: string;
 };
+/**
+ * `rate_limit: 'account'` bounds admin-side burn of `role_grant_revoke` —
+ * the action is admin-gated and audit-trailed, but the per-account cap
+ * keeps a single admin script from churning role_grants in a loop and
+ * obscuring audit context for unrelated activity.
+ */
 export declare const role_grant_revoke_action_spec: {
     method: string;
     kind: "request_response";

package/dist/auth/role_grant_offer_action_specs.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"role_grant_offer_action_specs.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/role_grant_offer_action_specs.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAGtB,OAAO,KAAK,EAAC,yBAAyB,EAAC,MAAM,2BAA2B,CAAC;AAUzE,oEAAoE;AACpE,eAAO,MAAM,kCAAkC,EAAG,8BAAuC,CAAC;AAC1F,kEAAkE;AAClE,eAAO,MAAM,+BAA+B,EAAG,2BAAoC,CAAC;AACpF,sDAAsD;AACtD,eAAO,MAAM,8BAA8B,EAAG,0BAAmC,CAAC;AAClF,wGAAwG;AACxG,eAAO,MAAM,gCAAgC,EAAG,4BAAqC,CAAC;AACtF,uIAAuI;AACvI,eAAO,MAAM,yCAAyC,EACrD,qCAA8C,CAAC;AAChD,gKAAgK;AAChK,eAAO,MAAM,qCAAqC,EAAG,iCAA0C,CAAC;AAChG,6FAA6F;AAC7F,eAAO,MAAM,qCAAqC,EAAG,iCAA0C,CAAC;AAChG,wHAAwH;AACxH,eAAO,MAAM,6CAA6C,EACzD,yCAAkD,CAAC;AAIpD;;;;;;;;;;GAUG;AACH,eAAO,MAAM,yBAAyB;;;;;;;;kBAoBpC,CAAC;AACH,MAAM,MAAM,yBAAyB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,yBAAyB,CAAC,CAAC;AAElF,2CAA2C;AAC3C,eAAO,MAAM,yBAAyB;;;kBAGpC,CAAC;AACH,MAAM,MAAM,yBAAyB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,yBAAyB,CAAC,CAAC;AAElF,4CAA4C;AAC5C,eAAO,MAAM,0BAA0B;;;;kBAQrC,CAAC;AACH,MAAM,MAAM,0BAA0B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,0BAA0B,CAAC,CAAC;AAEpF,4CAA4C;AAC5C,eAAO,MAAM,0BAA0B;;;kBAGrC,CAAC;AACH,MAAM,MAAM,0BAA0B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,0BAA0B,CAAC,CAAC;AAEpF,uGAAuG;AACvG,eAAO,MAAM,uBAAuB;;;mBAOvB,CAAC;AACd,MAAM,MAAM,uBAAuB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,uBAAuB,CAAC,CAAC;AAE9E;;;;;;GAMG;AACH,eAAO,MAAM,oBAAoB;;;;;kBAQ/B,CAAC;AACH,MAAM,MAAM,oBAAoB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAC;AAExE;;;;GAIG;AACH,eAAO,MAAM,0BAA0B;;;;;mBAa1B,CAAC;AACd,MAAM,MAAM,0BAA0B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,0BAA0B,CAAC,CAAC;AAEpF,4CAA4C;AAC5C,eAAO,MAAM,0BAA0B;;;;;;;;;;;;;;;;;;;kBAErC,CAAC;AACH,MAAM,MAAM,0BAA0B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,0BAA0B,CAAC,CAAC;AAEpF,4CAA4C;AAC5C,eAAO,MAAM,0BAA0B;;;;;;;;;;;;;;;;;;;;;kBAIrC,CAAC;AACH,MAAM,MAAM,0BAA0B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,0BAA0B,CAAC,CAAC;AAEpF,0EAA0E;AAC1E,eAAO,MAAM,sBAAsB;;kBAAwC,CAAC;AAC5E,MAAM,MAAM,sBAAsB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAC;AAE5E,0CAA0C;AAC1C,eAAO,MAAM,wBAAwB;;;;;;;;;;;;;;;;;;;kBAAwD,CAAC;AAC9F,MAAM,MAAM,wBAAwB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,wBAAwB,CAAC,CAAC;AAEhF,6CAA6C;AAC7C,eAAO,MAAM,2BAA2B;;;;;;;;;;;;;;;;;;;kBAAwD,CAAC;AACjG,MAAM,MAAM,2BAA2B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,2BAA2B,CAAC,CAAC;AAEtF,sCAAsC;AACtC,eAAO,MAAM,qBAAqB;;;kBAGhC,CAAC;AACH,MAAM,MAAM,qBAAqB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,qBAAqB,CAAC,CAAC;AAI1E,eAAO,MAAM,mCAAmC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAiBX,CAAC;AAEtC,eAAO,MAAM,mCAAmC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAiBX,CAAC;AAEtC,eAAO,MAAM,oCAAoC;;;;;;;;;;;;;;;;;;;;CAWZ,CAAC;AAEtC,eAAO,MAAM,oCAAoC;;;;;;;;;;;;;;;;;;;CAWZ,CAAC;AAEtC,eAAO,MAAM,iCAAiC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAWT,CAAC;AAEtC,eAAO,MAAM,oCAAoC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAWZ,CAAC;AAEtC,eAAO,MAAM,6BAA6B;;;;;;;;;;;;;;;;;;;;;;;;CAaL,CAAC;AAEtC;;;;GAIG;AACH,eAAO,MAAM,iCAAiC,EAAE,KAAK,CAAC,yBAAyB,CAQ9E,CAAC"}
+{"version":3,"file":"role_grant_offer_action_specs.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/role_grant_offer_action_specs.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;GAmBG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAGtB,OAAO,KAAK,EAAC,yBAAyB,EAAC,MAAM,2BAA2B,CAAC;AAUzE,oEAAoE;AACpE,eAAO,MAAM,kCAAkC,EAAG,8BAAuC,CAAC;AAC1F,kEAAkE;AAClE,eAAO,MAAM,+BAA+B,EAAG,2BAAoC,CAAC;AACpF,sDAAsD;AACtD,eAAO,MAAM,8BAA8B,EAAG,0BAAmC,CAAC;AAClF,wGAAwG;AACxG,eAAO,MAAM,gCAAgC,EAAG,4BAAqC,CAAC;AACtF,uIAAuI;AACvI,eAAO,MAAM,yCAAyC,EACrD,qCAA8C,CAAC;AAChD,gKAAgK;AAChK,eAAO,MAAM,qCAAqC,EAAG,iCAA0C,CAAC;AAChG,6FAA6F;AAC7F,eAAO,MAAM,qCAAqC,EAAG,iCAA0C,CAAC;AAChG,wHAAwH;AACxH,eAAO,MAAM,6CAA6C,EACzD,yCAAkD,CAAC;AAIpD;;;;;;;;;;GAUG;AACH,eAAO,MAAM,yBAAyB;;;;;;;;kBAoBpC,CAAC;AACH,MAAM,MAAM,yBAAyB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,yBAAyB,CAAC,CAAC;AAElF,2CAA2C;AAC3C,eAAO,MAAM,yBAAyB;;;kBAGpC,CAAC;AACH,MAAM,MAAM,yBAAyB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,yBAAyB,CAAC,CAAC;AAElF,4CAA4C;AAC5C,eAAO,MAAM,0BAA0B;;;;kBAQrC,CAAC;AACH,MAAM,MAAM,0BAA0B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,0BAA0B,CAAC,CAAC;AAEpF,4CAA4C;AAC5C,eAAO,MAAM,0BAA0B;;;kBAGrC,CAAC;AACH,MAAM,MAAM,0BAA0B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,0BAA0B,CAAC,CAAC;AAEpF,uGAAuG;AACvG,eAAO,MAAM,uBAAuB;;;mBAOvB,CAAC;AACd,MAAM,MAAM,uBAAuB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,uBAAuB,CAAC,CAAC;AAE9E;;;;;;GAMG;AACH,eAAO,MAAM,oBAAoB;;;;;kBAQ/B,CAAC;AACH,MAAM,MAAM,oBAAoB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAC;AAExE;;;;GAIG;AACH,eAAO,MAAM,0BAA0B;;;;;mBAa1B,CAAC;AACd,MAAM,MAAM,0BAA0B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,0BAA0B,CAAC,CAAC;AAEpF,4CAA4C;AAC5C,eAAO,MAAM,0BAA0B;;;;;;;;;;;;;;;;;;;kBAErC,CAAC;AACH,MAAM,MAAM,0BAA0B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,0BAA0B,CAAC,CAAC;AAEpF,4CAA4C;AAC5C,eAAO,MAAM,0BAA0B;;;;;;;;;;;;;;;;;;;;;kBAIrC,CAAC;AACH,MAAM,MAAM,0BAA0B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,0BAA0B,CAAC,CAAC;AAEpF,0EAA0E;AAC1E,eAAO,MAAM,sBAAsB;;kBAAwC,CAAC;AAC5E,MAAM,MAAM,sBAAsB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAC;AAE5E,0CAA0C;AAC1C,eAAO,MAAM,wBAAwB;;;;;;;;;;;;;;;;;;;kBAAwD,CAAC;AAC9F,MAAM,MAAM,wBAAwB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,wBAAwB,CAAC,CAAC;AAEhF,6CAA6C;AAC7C,eAAO,MAAM,2BAA2B;;;;;;;;;;;;;;;;;;;kBAAwD,CAAC;AACjG,MAAM,MAAM,2BAA2B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,2BAA2B,CAAC,CAAC;AAEtF,sCAAsC;AACtC,eAAO,MAAM,qBAAqB;;;kBAGhC,CAAC;AACH,MAAM,MAAM,qBAAqB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,qBAAqB,CAAC,CAAC;AAI1E;;;;;;;;;GASG;AACH,eAAO,MAAM,mCAAmC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAkBX,CAAC;AAEtC,eAAO,MAAM,mCAAmC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAiBX,CAAC;AAEtC,eAAO,MAAM,oCAAoC;;;;;;;;;;;;;;;;;;;;CAWZ,CAAC;AAEtC,eAAO,MAAM,oCAAoC;;;;;;;;;;;;;;;;;;;CAWZ,CAAC;AAEtC,eAAO,MAAM,iCAAiC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAWT,CAAC;AAEtC,eAAO,MAAM,oCAAoC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAWZ,CAAC;AAEtC;;;;;GAKG;AACH,eAAO,MAAM,6BAA6B;;;;;;;;;;;;;;;;;;;;;;;;CAaL,CAAC;AAEtC;;;;GAIG;AACH,eAAO,MAAM,iCAAiC,EAAE,KAAK,CAAC,yBAAyB,CAQ9E,CAAC"}

package/dist/auth/role_grant_offer_action_specs.js

@@ -157,6 +157,16 @@ export const RoleGrantRevokeOutput = z.strictObject({
     revoked: z.literal(true),
 });
 // -- Action specs -----------------------------------------------------------
+/**
+ * `rate_limit: 'account'` throttles offer-spam at the authenticated
+ * grantor and bounds the account-existence oracle on `to_account_id` —
+ * the same shape as `invite_create_action_spec` upstream addresses, where
+ * a hostile authed caller iterates recipients to probe
+ * `ERROR_ACCOUNT_NOT_FOUND` (and the actor-binding via
+ * `ERROR_ROLE_GRANT_OFFER_ACTOR_ACCOUNT_MISMATCH`) as an enumeration
+ * vector. Failure-outcome audit rows preserve the forensic trail; the
+ * rate cap closes the budget.
+ */
 export const role_grant_offer_create_action_spec = {
     method: 'role_grant_offer_create',
     kind: 'request_response',
@@ -173,6 +183,7 @@ export const role_grant_offer_create_action_spec = {
         ERROR_ROLE_GRANT_OFFER_NOT_AUTHORIZED,
         ERROR_ROLE_GRANT_OFFER_ACTOR_ACCOUNT_MISMATCH,
     ],
+    rate_limit: 'account',
 };
 export const role_grant_offer_accept_action_spec = {
     method: 'role_grant_offer_accept',
@@ -237,6 +248,12 @@ export const role_grant_offer_history_action_spec = {
     async: true,
     description: 'List every offer involving the caller (either direction), including terminal rows, newest first. Admins may pass `account_id` to inspect another account.',
 };
+/**
+ * `rate_limit: 'account'` bounds admin-side burn of `role_grant_revoke` —
+ * the action is admin-gated and audit-trailed, but the per-account cap
+ * keeps a single admin script from churning role_grants in a loop and
+ * obscuring audit context for unrelated activity.
+ */
 export const role_grant_revoke_action_spec = {
     method: 'role_grant_revoke',
     kind: 'request_response',

package/dist/auth/role_grant_offer_actions.js

@@ -40,7 +40,7 @@
 import { rpc_action, } from '../actions/action_rpc.js';
 import { jsonrpc_errors } from '../http/jsonrpc_errors.js';
 import { emit_after_commit } from '../http/pending_effects.js';
-import { BUILTIN_ROLE_SPECS_BY_NAME, ROLE_ADMIN, role_has_grant_path, } from './role_schema.js';
+import { builtin_role_specs_by_name, ROLE_ADMIN, role_has_grant_path, } from './role_schema.js';
 import { GRANT_PATH_ADMIN } from './grant_path_schema.js';
 import { ROLE_GRANT_OFFER_DEFAULT_TTL_MS, to_role_grant_offer_json, } from './role_grant_offer_schema.js';
 import { query_role_grant_offer_create, query_role_grant_offer_decline, query_role_grant_offer_retract, query_role_grant_offer_list, query_role_grant_offer_history_for_account, query_accept_offer, RoleGrantOfferActorAccountMismatchError, RoleGrantOfferActorMismatchError, RoleGrantOfferAlreadyTerminalError, RoleGrantOfferExpiredError, RoleGrantOfferNotFoundError, RoleGrantOfferSelfTargetError, } from './role_grant_offer_queries.js';
@@ -108,7 +108,7 @@ export const authorize_admin_or_holder = async (auth, input, _deps, _ctx) => {
  */
 export const create_role_grant_offer_actions = (deps, options = {}) => {
     const { log, audit, notification_sender = null } = deps;
-    const role_specs = options.roles?.role_specs ?? BUILTIN_ROLE_SPECS_BY_NAME;
+    const role_specs = options.roles?.role_specs ?? builtin_role_specs_by_name;
     const default_ttl_ms = options.default_ttl_ms ?? ROLE_GRANT_OFFER_DEFAULT_TTL_MS;
     const authorize = options.authorize ?? default_authorize;
     // Four denial paths (admin-grant-path gate, authorize, self-target,

package/dist/auth/role_grant_offer_notifications.d.ts

@@ -23,7 +23,7 @@
  * `NotificationSender.send_to_account` argument), not in the payload.
  *
  * The specs surface as `EventSpec`s via `create_action_event_spec` — callers
- * append `ROLE_GRANT_OFFER_NOTIFICATION_SPECS` to their `event_specs` on
+ * append `role_grant_offer_notification_specs` to their `event_specs` on
  * `create_app_server` so the surface reflects them and DEV-mode broadcast
  * validation catches payload drift.
  *
@@ -376,7 +376,7 @@ export declare const role_grant_revoke_notification_spec: {
  * Pass to `create_app_server`'s `event_specs` so the attack surface reflects
  * them and DEV-mode `create_validated_broadcaster` catches payload drift.
  */
-export declare const ROLE_GRANT_OFFER_NOTIFICATION_SPECS: Array<EventSpec>;
+export declare const role_grant_offer_notification_specs: Array<EventSpec>;
 export declare const build_role_grant_offer_received_notification: (params: RoleGrantOfferReceivedParams) => JsonrpcNotification;
 export declare const build_role_grant_offer_retracted_notification: (params: RoleGrantOfferRetractedParams) => JsonrpcNotification;
 export declare const build_role_grant_offer_accepted_notification: (params: RoleGrantOfferAcceptedParams) => JsonrpcNotification;

package/dist/auth/role_grant_offer_notifications.js

@@ -23,7 +23,7 @@
  * `NotificationSender.send_to_account` argument), not in the payload.
  *
  * The specs surface as `EventSpec`s via `create_action_event_spec` — callers
- * append `ROLE_GRANT_OFFER_NOTIFICATION_SPECS` to their `event_specs` on
+ * append `role_grant_offer_notification_specs` to their `event_specs` on
  * `create_app_server` so the surface reflects them and DEV-mode broadcast
  * validation catches payload drift.
  *
@@ -165,7 +165,7 @@ export const role_grant_revoke_notification_spec = {
  * Pass to `create_app_server`'s `event_specs` so the attack surface reflects
  * them and DEV-mode `create_validated_broadcaster` catches payload drift.
  */
-export const ROLE_GRANT_OFFER_NOTIFICATION_SPECS = [
+export const role_grant_offer_notification_specs = [
     create_action_event_spec(role_grant_offer_received_notification_spec),
     create_action_event_spec(role_grant_offer_retracted_notification_spec),
     create_action_event_spec(role_grant_offer_accepted_notification_spec),

package/dist/auth/role_grant_queries.d.ts

@@ -113,6 +113,27 @@ export declare const query_role_grant_find_active_for_actor: (deps: QueryDeps, a
  * The `IS NOT DISTINCT FROM` comparison handles the NULL case uniformly.
  */
 export declare const query_role_grant_has_role: (deps: QueryDeps, actor_id: string, role: string, scope_id?: string | null) => Promise<boolean>;
+/**
+ * Account-grain check: does any actor on `account_id` hold an active
+ * global role_grant for `role`?
+ *
+ * Symmetric with `query_role_grant_has_role` but keyed on the account
+ * instead of a single actor — for surfaces with `auth: actor: 'none'`
+ * that don't load `auth.role_grants` and can't use the in-memory
+ * `has_scoped_role` predicate. Joins `role_grant` → `actor`; matches
+ * only global role_grants (`scope_id IS NULL`) since the use case is
+ * "is the caller's account broadly admin", not scope-aware.
+ *
+ * Fast under the existing `idx_role_grant_actor` index — the inner
+ * `actor_id IN (...)` subquery is index-scan, and the outer EXISTS
+ * stops at the first match.
+ *
+ * @param deps - query dependencies
+ * @param account_id - the account to check
+ * @param role - the role to check for (e.g. `ROLE_ADMIN`)
+ * @returns `true` if any actor on the account has an active global role_grant for `role`
+ */
+export declare const query_account_has_global_role: (deps: QueryDeps, account_id: string, role: string) => Promise<boolean>;
 /**
  * List all role_grants for an actor (including revoked/expired).
  */

package/dist/auth/role_grant_queries.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"role_grant_queries.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/role_grant_queries.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAC,IAAI,EAAC,MAAM,wBAAwB,CAAC;AAEjD,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,qBAAqB,CAAC;AACnD,OAAO,KAAK,EAAC,SAAS,EAAE,oBAAoB,EAAC,MAAM,qBAAqB,CAAC;AAMzE,OAAO,KAAK,EAAC,eAAe,EAAC,MAAM,8BAA8B,CAAC;AAElE;;;;;;;;;;;;;;;;;;;GAmBG;AACH,eAAO,MAAM,uBAAuB,GACnC,MAAM,SAAS,EACf,OAAO,oBAAoB,KACzB,OAAO,CAAC,SAAS,CAmCnB,CAAC;AAEF;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,eAAO,MAAM,2CAA2C,GACvD,MAAM,SAAS,EACf,eAAe,MAAM,EACrB,UAAU,MAAM,KACd,OAAO,CAAC;IAAC,IAAI,EAAE,MAAM,CAAC;IAAC,UAAU,EAAE,IAAI,CAAA;CAAC,GAAG,IAAI,CASjD,CAAC;AAEF,qHAAqH;AACrH,MAAM,WAAW,qBAAqB;IACrC,EAAE,EAAE,IAAI,CAAC;IACT,IAAI,EAAE,MAAM,CAAC;IACb,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,QAAQ,EAAE,IAAI,GAAG,IAAI,CAAC;IACtB;;;;;;;;OAQG;IACH,iBAAiB,EAAE,KAAK,CAAC,eAAe,CAAC,CAAC;CAC1C;AAED;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,eAAO,MAAM,uBAAuB,GACnC,MAAM,SAAS,EACf,eAAe,IAAI,EACnB,UAAU,IAAI,EACd,YAAY,IAAI,GAAG,IAAI,EACvB,SAAS,MAAM,GAAG,IAAI,KACpB,OAAO,CAAC,qBAAqB,GAAG,IAAI,CA+CtC,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,sCAAsC,GAClD,MAAM,SAAS,EACf,UAAU,MAAM,KACd,OAAO,CAAC,KAAK,CAAC,SAAS,CAAC,CAS1B,CAAC;AAEF;;;;;;;;;GASG;AACH,eAAO,MAAM,yBAAyB,GACrC,MAAM,SAAS,EACf,UAAU,MAAM,EAChB,MAAM,MAAM,EACZ,WAAW,MAAM,GAAG,IAAI,KACtB,OAAO,CAAC,OAAO,CAajB,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,+BAA+B,GAC3C,MAAM,SAAS,EACf,UAAU,MAAM,KACd,OAAO,CAAC,KAAK,CAAC,SAAS,CAAC,CAK1B,CAAC;AAEF;;;;;;;;GAQG;AACH,eAAO,MAAM,yCAAyC,GACrD,MAAM,SAAS,EACf,MAAM,MAAM,KACV,OAAO,CAAC,MAAM,GAAG,IAAI,CAavB,CAAC;AAEF,8IAA8I;AAC9I,MAAM,WAAW,oBAAoB;IACpC;;;;;;;;OAQG;IACH,OAAO,EAAE,KAAK,CAAC;QACd,aAAa,EAAE,IAAI,CAAC;QACpB,IAAI,EAAE,MAAM,CAAC;QACb,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;QAC1B,QAAQ,EAAE,IAAI,CAAC;QACf,QAAQ,EAAE,IAAI,CAAC;QACf,UAAU,EAAE,IAAI,CAAC;KACjB,CAAC,CAAC;IACH;;;;;;;;;;OAUG;IACH,iBAAiB,EAAE,KAAK,CAAC,eAAe,CAAC,CAAC;CAC1C;AAED;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,eAAO,MAAM,iCAAiC,GAC7C,MAAM,SAAS,EACf,UAAU,IAAI,EACd,YAAY,IAAI,GAAG,IAAI,EACvB,SAAS,MAAM,GAAG,IAAI,KACpB,OAAO,CAAC,oBAAoB,CA8C9B,CAAC;AAEF,iIAAiI;AACjI,MAAM,WAAW,gBAAgB;IAChC;;;;OAIG;IACH,OAAO,EAAE,KAAK,CAAC;QACd,aAAa,EAAE,MAAM,CAAC;QACtB,IAAI,EAAE,MAAM,CAAC;QACb,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;QAC1B,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;QACxB,UAAU,EAAE,MAAM,CAAC;KACnB,CAAC,CAAC;IACH;;;;;OAKG;IACH,iBAAiB,EAAE,KAAK,CAAC,eAAe,CAAC,CAAC;CAC1C;AAED;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,eAAO,MAAM,4BAA4B,GACxC,MAAM,SAAS,EACf,UAAU,MAAM,EAChB,MAAM,MAAM,EACZ,YAAY,MAAM,GAAG,IAAI,EACzB,SAAS,MAAM,GAAG,IAAI,KACpB,OAAO,CAAC,gBAAgB,CA4C1B,CAAC"}
+{"version":3,"file":"role_grant_queries.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/role_grant_queries.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAC,IAAI,EAAC,MAAM,wBAAwB,CAAC;AAEjD,OAAO,KAAK,EAAC,SAAS,EAAC,MAAM,qBAAqB,CAAC;AACnD,OAAO,KAAK,EAAC,SAAS,EAAE,oBAAoB,EAAC,MAAM,qBAAqB,CAAC;AAMzE,OAAO,KAAK,EAAC,eAAe,EAAC,MAAM,8BAA8B,CAAC;AAElE;;;;;;;;;;;;;;;;;;;GAmBG;AACH,eAAO,MAAM,uBAAuB,GACnC,MAAM,SAAS,EACf,OAAO,oBAAoB,KACzB,OAAO,CAAC,SAAS,CAmCnB,CAAC;AAEF;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,eAAO,MAAM,2CAA2C,GACvD,MAAM,SAAS,EACf,eAAe,MAAM,EACrB,UAAU,MAAM,KACd,OAAO,CAAC;IAAC,IAAI,EAAE,MAAM,CAAC;IAAC,UAAU,EAAE,IAAI,CAAA;CAAC,GAAG,IAAI,CASjD,CAAC;AAEF,qHAAqH;AACrH,MAAM,WAAW,qBAAqB;IACrC,EAAE,EAAE,IAAI,CAAC;IACT,IAAI,EAAE,MAAM,CAAC;IACb,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,QAAQ,EAAE,IAAI,GAAG,IAAI,CAAC;IACtB;;;;;;;;OAQG;IACH,iBAAiB,EAAE,KAAK,CAAC,eAAe,CAAC,CAAC;CAC1C;AAED;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,eAAO,MAAM,uBAAuB,GACnC,MAAM,SAAS,EACf,eAAe,IAAI,EACnB,UAAU,IAAI,EACd,YAAY,IAAI,GAAG,IAAI,EACvB,SAAS,MAAM,GAAG,IAAI,KACpB,OAAO,CAAC,qBAAqB,GAAG,IAAI,CA+CtC,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,sCAAsC,GAClD,MAAM,SAAS,EACf,UAAU,MAAM,KACd,OAAO,CAAC,KAAK,CAAC,SAAS,CAAC,CAS1B,CAAC;AAEF;;;;;;;;;GASG;AACH,eAAO,MAAM,yBAAyB,GACrC,MAAM,SAAS,EACf,UAAU,MAAM,EAChB,MAAM,MAAM,EACZ,WAAW,MAAM,GAAG,IAAI,KACtB,OAAO,CAAC,OAAO,CAajB,CAAC;AAEF;;;;;;;;;;;;;;;;;;;GAmBG;AACH,eAAO,MAAM,6BAA6B,GACzC,MAAM,SAAS,EACf,YAAY,MAAM,EAClB,MAAM,MAAM,KACV,OAAO,CAAC,OAAO,CAajB,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,+BAA+B,GAC3C,MAAM,SAAS,EACf,UAAU,MAAM,KACd,OAAO,CAAC,KAAK,CAAC,SAAS,CAAC,CAK1B,CAAC;AAEF;;;;;;;;GAQG;AACH,eAAO,MAAM,yCAAyC,GACrD,MAAM,SAAS,EACf,MAAM,MAAM,KACV,OAAO,CAAC,MAAM,GAAG,IAAI,CAavB,CAAC;AAEF,8IAA8I;AAC9I,MAAM,WAAW,oBAAoB;IACpC;;;;;;;;OAQG;IACH,OAAO,EAAE,KAAK,CAAC;QACd,aAAa,EAAE,IAAI,CAAC;QACpB,IAAI,EAAE,MAAM,CAAC;QACb,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;QAC1B,QAAQ,EAAE,IAAI,CAAC;QACf,QAAQ,EAAE,IAAI,CAAC;QACf,UAAU,EAAE,IAAI,CAAC;KACjB,CAAC,CAAC;IACH;;;;;;;;;;OAUG;IACH,iBAAiB,EAAE,KAAK,CAAC,eAAe,CAAC,CAAC;CAC1C;AAED;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,eAAO,MAAM,iCAAiC,GAC7C,MAAM,SAAS,EACf,UAAU,IAAI,EACd,YAAY,IAAI,GAAG,IAAI,EACvB,SAAS,MAAM,GAAG,IAAI,KACpB,OAAO,CAAC,oBAAoB,CA8C9B,CAAC;AAEF,iIAAiI;AACjI,MAAM,WAAW,gBAAgB;IAChC;;;;OAIG;IACH,OAAO,EAAE,KAAK,CAAC;QACd,aAAa,EAAE,MAAM,CAAC;QACtB,IAAI,EAAE,MAAM,CAAC;QACb,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;QAC1B,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;QACxB,UAAU,EAAE,MAAM,CAAC;KACnB,CAAC,CAAC;IACH;;;;;OAKG;IACH,iBAAiB,EAAE,KAAK,CAAC,eAAe,CAAC,CAAC;CAC1C;AAED;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,eAAO,MAAM,4BAA4B,GACxC,MAAM,SAAS,EACf,UAAU,MAAM,EAChB,MAAM,MAAM,EACZ,YAAY,MAAM,GAAG,IAAI,EACzB,SAAS,MAAM,GAAG,IAAI,KACpB,OAAO,CAAC,gBAAgB,CA4C1B,CAAC"}

package/dist/auth/role_grant_queries.js

@@ -180,6 +180,37 @@ export const query_role_grant_has_role = async (deps, actor_id, role, scope_id)
 		 ) AS exists`, [actor_id, role, scope_id ?? null]);
     return row?.exists ?? false;
 };
+/**
+ * Account-grain check: does any actor on `account_id` hold an active
+ * global role_grant for `role`?
+ *
+ * Symmetric with `query_role_grant_has_role` but keyed on the account
+ * instead of a single actor — for surfaces with `auth: actor: 'none'`
+ * that don't load `auth.role_grants` and can't use the in-memory
+ * `has_scoped_role` predicate. Joins `role_grant` → `actor`; matches
+ * only global role_grants (`scope_id IS NULL`) since the use case is
+ * "is the caller's account broadly admin", not scope-aware.
+ *
+ * Fast under the existing `idx_role_grant_actor` index — the inner
+ * `actor_id IN (...)` subquery is index-scan, and the outer EXISTS
+ * stops at the first match.
+ *
+ * @param deps - query dependencies
+ * @param account_id - the account to check
+ * @param role - the role to check for (e.g. `ROLE_ADMIN`)
+ * @returns `true` if any actor on the account has an active global role_grant for `role`
+ */
+export const query_account_has_global_role = async (deps, account_id, role) => {
+    const row = await deps.db.query_one(`SELECT EXISTS(
+			SELECT 1 FROM role_grant
+			WHERE actor_id IN (SELECT id FROM actor WHERE account_id = $1)
+			  AND role = $2
+			  AND scope_id IS NULL
+			  AND revoked_at IS NULL
+			  AND (expires_at IS NULL OR expires_at > NOW())
+		 ) AS exists`, [account_id, role]);
+    return row?.exists ?? false;
+};
 /**
  * List all role_grants for an actor (including revoked/expired).
  */

package/dist/auth/role_schema.d.ts

@@ -63,7 +63,7 @@ export type BuiltinRole = z.infer<typeof BuiltinRole>;
  *   flows. Only useful for diagnostic snapshotting.
  *
  * Builtins (`keeper`, `admin`) ship preconfigured in
- * `BUILTIN_ROLE_SPECS_BY_NAME`.
+ * `builtin_role_specs_by_name`.
  */
 export interface RoleSpec {
     /** Unique role name. Must match `RoleName` regex; collisions with builtins throw. */
@@ -105,7 +105,7 @@ export interface RoleSpec {
  * no effect on already-built role schemas (the factory copies entries
  * into a fresh `Map`).
  */
-export declare const BUILTIN_ROLE_SPECS_BY_NAME: ReadonlyMap<string, RoleSpec>;
+export declare const builtin_role_specs_by_name: ReadonlyMap<string, RoleSpec>;
 /** Optional registries to validate `RoleSpec` cross-axis fields against at construction time. */
 export interface CreateRoleSchemaOptions {
     /** Pass `create_credential_type_schema()` to validate `RoleSpec.required_credential_types` entries. */

package/dist/auth/role_schema.js

@@ -44,7 +44,7 @@ export const BuiltinRole = z.enum(BUILTIN_ROLES);
  * no effect on already-built role schemas (the factory copies entries
  * into a fresh `Map`).
  */
-export const BUILTIN_ROLE_SPECS_BY_NAME = new Map([
+export const builtin_role_specs_by_name = new Map([
     [
         ROLE_KEEPER,
         {
@@ -139,7 +139,7 @@ export const create_role_schema = (consumer_roles, options = {}) => {
         if (!parsed.success) {
             throw new Error(`Invalid role name "${spec.name}": ${parsed.error.issues[0].message}`);
         }
-        if (BUILTIN_ROLE_SPECS_BY_NAME.has(spec.name)) {
+        if (builtin_role_specs_by_name.has(spec.name)) {
             throw new Error(`App role "${spec.name}" collides with builtin role`);
         }
         if (seen.has(spec.name)) {
@@ -150,7 +150,7 @@ export const create_role_schema = (consumer_roles, options = {}) => {
         validate_registry_membership(spec.name, 'applicable_scope_kinds', spec.applicable_scope_kinds, scope_kinds_registry);
         validate_registry_membership(spec.name, 'grant_paths', spec.grant_paths, grant_paths_registry);
     }
-    const role_specs = new Map(BUILTIN_ROLE_SPECS_BY_NAME);
+    const role_specs = new Map(builtin_role_specs_by_name);
     for (const spec of consumer_roles) {
         role_specs.set(spec.name, spec);
     }

package/dist/auth/self_service_role_action_specs.d.ts

@@ -29,6 +29,13 @@ export declare const SelfServiceRoleSetOutput: z.ZodObject<{
     changed: z.ZodBoolean;
 }, z.core.$strict>;
 export type SelfServiceRoleSetOutput = z.infer<typeof SelfServiceRoleSetOutput>;
+/**
+ * `rate_limit: 'account'` bounds audit-row churn. The toggle is idempotent
+ * (`changed: false` re-grants/re-revokes), but every call still writes a
+ * `role_grant_create` or `role_grant_revoke` audit row with
+ * `self_service: true`. Without the cap, a caller could flap the role in
+ * a loop to inflate the audit log and obscure other activity.
+ */
 export declare const self_service_role_set_action_spec: {
     method: string;
     kind: "request_response";
@@ -50,6 +57,7 @@ export declare const self_service_role_set_action_spec: {
     }, z.core.$strict>;
     async: true;
     description: string;
+    rate_limit: "account";
 };
 /**
  * All self-service role action specs — a codegen-ready registry. Single-element

package/dist/auth/self_service_role_action_specs.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"self_service_role_action_specs.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/self_service_role_action_specs.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAEtB,OAAO,KAAK,EAAC,yBAAyB,EAAC,MAAM,2BAA2B,CAAC;AAIzE,0FAA0F;AAC1F,eAAO,MAAM,oCAAoC,EAAG,gCAAyC,CAAC;AAE9F,yCAAyC;AACzC,eAAO,MAAM,uBAAuB;;;;kBAOlC,CAAC;AACH,MAAM,MAAM,uBAAuB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,uBAAuB,CAAC,CAAC;AAE9E;;;;GAIG;AACH,eAAO,MAAM,wBAAwB;;;;kBAInC,CAAC;AACH,MAAM,MAAM,wBAAwB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,wBAAwB,CAAC,CAAC;AAEhF,eAAO,MAAM,iCAAiC;;;;;;;;;;;;;;;;;;;;;CAWT,CAAC;AAEtC;;;;GAIG;AACH,eAAO,MAAM,kCAAkC,EAAE,aAAa,CAAC,yBAAyB,CAEvF,CAAC"}
+{"version":3,"file":"self_service_role_action_specs.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/self_service_role_action_specs.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAEtB,OAAO,KAAK,EAAC,yBAAyB,EAAC,MAAM,2BAA2B,CAAC;AAIzE,0FAA0F;AAC1F,eAAO,MAAM,oCAAoC,EAAG,gCAAyC,CAAC;AAE9F,yCAAyC;AACzC,eAAO,MAAM,uBAAuB;;;;kBAOlC,CAAC;AACH,MAAM,MAAM,uBAAuB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,uBAAuB,CAAC,CAAC;AAE9E;;;;GAIG;AACH,eAAO,MAAM,wBAAwB;;;;kBAInC,CAAC;AACH,MAAM,MAAM,wBAAwB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,wBAAwB,CAAC,CAAC;AAEhF;;;;;;GAMG;AACH,eAAO,MAAM,iCAAiC;;;;;;;;;;;;;;;;;;;;;;CAYT,CAAC;AAEtC;;;;GAIG;AACH,eAAO,MAAM,kCAAkC,EAAE,aAAa,CAAC,yBAAyB,CAEvF,CAAC"}

package/dist/auth/self_service_role_action_specs.js

@@ -30,6 +30,13 @@ export const SelfServiceRoleSetOutput = z.strictObject({
     enabled: z.boolean(),
     changed: z.boolean(),
 });
+/**
+ * `rate_limit: 'account'` bounds audit-row churn. The toggle is idempotent
+ * (`changed: false` re-grants/re-revokes), but every call still writes a
+ * `role_grant_create` or `role_grant_revoke` audit row with
+ * `self_service: true`. Without the cap, a caller could flap the role in
+ * a loop to inflate the audit log and obscure other activity.
+ */
 export const self_service_role_set_action_spec = {
     method: 'self_service_role_set',
     kind: 'request_response',
@@ -40,6 +47,7 @@ export const self_service_role_set_action_spec = {
     output: SelfServiceRoleSetOutput,
     async: true,
     description: 'Toggle a self-service role. Idempotent in both directions — `changed: false` when post-call state already matched the request.',
+    rate_limit: 'account',
 };
 /**
  * All self-service role action specs — a codegen-ready registry. Single-element

package/dist/auth/self_service_role_actions.d.ts

@@ -44,7 +44,7 @@ export interface SelfServiceRoleActionsOptions {
     /**
      * Optional override allowlist of role strings eligible for
      * self-service. When omitted, eligibility is derived from
-     * `roles.role_specs` (or `BUILTIN_ROLE_SPECS_BY_NAME` when `roles`
+     * `roles.role_specs` (or `builtin_role_specs_by_name` when `roles`
      * is also omitted) by selecting every role whose
      * `RoleSpec.grant_paths` includes `'self_service'`. Pass an empty
      * array to lock the surface down (every call comes back as

package/dist/auth/self_service_role_actions.js

@@ -38,7 +38,7 @@
  */
 import { rpc_action } from '../actions/action_rpc.js';
 import { jsonrpc_errors } from '../http/jsonrpc_errors.js';
-import { BUILTIN_ROLE_SPECS_BY_NAME, list_roles_with_grant_path, } from './role_schema.js';
+import { builtin_role_specs_by_name, list_roles_with_grant_path, } from './role_schema.js';
 import { GRANT_PATH_SELF_SERVICE } from './grant_path_schema.js';
 import { query_create_role_grant, query_revoke_role_grant } from './role_grant_queries.js';
 import { is_role_grant_active } from './account_schema.js';
@@ -55,7 +55,7 @@ import { ERROR_ROLE_NOT_SELF_SERVICE_ELIGIBLE, self_service_role_set_action_spec
  * @throws Error at factory time if any `eligible_roles` entry is missing from `options.roles.role_specs`
  */
 export const create_self_service_role_actions = (deps, options = {}) => {
-    const role_specs = options.roles?.role_specs ?? BUILTIN_ROLE_SPECS_BY_NAME;
+    const role_specs = options.roles?.role_specs ?? builtin_role_specs_by_name;
     const eligible = options.eligible_roles
         ? new Set(options.eligible_roles)
         : new Set(list_roles_with_grant_path(role_specs, GRANT_PATH_SELF_SERVICE));

package/dist/auth/session_cookie.d.ts

@@ -38,7 +38,7 @@ export interface SessionCookieOptions {
  * - `sameSite: 'strict'` - Prevents CSRF
  * - `httpOnly: true` - Prevents XSS access to cookie
  */
-export declare const SESSION_COOKIE_OPTIONS: SessionCookieOptions;
+export declare const session_cookie_options: SessionCookieOptions;
 /**
  * Configuration for a session cookie format.
  *

package/dist/auth/session_cookie.js

@@ -31,7 +31,7 @@ const EXPIRES_AT_INTEGER_RE = /^\d+$/;
  * - `sameSite: 'strict'` - Prevents CSRF
  * - `httpOnly: true` - Prevents XSS access to cookie
  */
-export const SESSION_COOKIE_OPTIONS = {
+export const session_cookie_options = {
     path: '/',
     httpOnly: true,
     secure: true,