@fuzdev/fuz_app 0.67.0 → 0.68.0

package/dist/auth/admin_actions.js

@@ -29,9 +29,11 @@
  */
 import { rpc_action } from '../actions/action_rpc.js';
 import { jsonrpc_errors } from '../http/jsonrpc_errors.js';
-import { builtin_role_specs_by_name, list_roles_with_grant_path, } from './role_schema.js';
+import { builtin_role_specs_by_name, list_roles_with_grant_path, ROLE_ADMIN, ROLE_KEEPER, } from './role_schema.js';
+import { has_role } from './request_context.js';
+import { query_account_has_global_role, query_account_has_active_global_role, query_count_active_accounts_with_global_role, } from './role_grant_queries.js';
 import { GRANT_PATH_ADMIN } from './grant_path_schema.js';
-import { query_account_by_email, query_account_by_id, query_account_by_username, query_admin_account_list, } from './account_queries.js';
+import { query_account_by_email, query_account_by_id, query_account_by_username, query_account_soft_delete, query_account_undelete, query_actor_soft_delete, query_actor_undelete, query_actors_by_account, query_admin_account_list, query_purge_account, } from './account_queries.js';
 import { query_session_list_all_active, query_session_revoke_all_for_account, } from './session_queries.js';
 import { query_revoke_all_api_tokens_for_account } from './api_token_queries.js';
 import { query_audit_log_list_role_grant_history, query_audit_log_list_with_usernames, } from './audit_log_queries.js';
@@ -40,8 +42,8 @@ import { query_create_invite, query_invite_delete_unclaimed, query_invite_list_a
 import {} from './app_settings_schema.js';
 import { query_app_settings_load_with_username, query_app_settings_update, } from './app_settings_queries.js';
 import { is_pg_unique_violation } from '../db/pg_error.js';
-import { ERROR_ACCOUNT_NOT_FOUND, ERROR_INVITE_ACCOUNT_EXISTS_EMAIL, ERROR_INVITE_ACCOUNT_EXISTS_USERNAME, ERROR_INVITE_DUPLICATE, ERROR_INVITE_NOT_FOUND, } from '../http/error_schemas.js';
-import { admin_account_list_action_spec, admin_session_list_action_spec, admin_session_revoke_all_action_spec, admin_token_revoke_all_action_spec, audit_log_list_action_spec, audit_log_role_grant_history_action_spec, invite_create_action_spec, invite_list_action_spec, invite_delete_action_spec, app_settings_get_action_spec, app_settings_update_action_spec, } from './admin_action_specs.js';
+import { ERROR_ACCOUNT_NOT_FOUND, ERROR_INSUFFICIENT_PERMISSIONS, ERROR_INVITE_ACCOUNT_EXISTS_EMAIL, ERROR_INVITE_ACCOUNT_EXISTS_USERNAME, ERROR_INVITE_DUPLICATE, ERROR_INVITE_NOT_FOUND, } from '../http/error_schemas.js';
+import { admin_account_list_action_spec, admin_session_list_action_spec, admin_session_revoke_all_action_spec, admin_token_revoke_all_action_spec, audit_log_list_action_spec, audit_log_role_grant_history_action_spec, invite_create_action_spec, invite_list_action_spec, invite_delete_action_spec, account_delete_action_spec, account_purge_action_spec, account_undelete_action_spec, app_settings_get_action_spec, app_settings_update_action_spec, ERROR_PURGE_NOT_CONFIRMED, ERROR_CANNOT_DELETE_KEEPER, ERROR_CANNOT_DELETE_LAST_ADMIN, } from './admin_action_specs.js';
 /**
  * Create the admin-only RPC actions.
  *
@@ -61,6 +63,7 @@ export const create_admin_actions = (deps, options = {}) => {
         const accounts = await query_admin_account_list(ctx, {
             limit: input.limit,
             offset: input.offset,
+            include_deleted: input.include_deleted,
         });
         return { accounts, grantable_roles };
     };
@@ -228,8 +231,219 @@ export const create_admin_actions = (deps, options = {}) => {
         });
         return { ok: true };
     };
+    // Shared removability guard for `account_delete` / `account_purge`,
+    // checked after auth + (for purge) confirm, before any mutation. Two
+    // protections, each emitting a forensic `outcome: 'failure'` audit row
+    // (fail-loud) before throwing 403:
+    //   1. **Keeper** — the keeper account is never API-removable: auth +
+    //      daemon-token resolution both pivot on it, so removing it bricks
+    //      keeper/daemon auth with no recovery (keeper role is non-web-
+    //      revocable and purge itself needs keeper auth). Out-of-band only.
+    //   2. **Last admin** — the sole remaining *active* admin is protected
+    //      (soft-deleted admins can't log in, so they don't count). Unlike
+    //      the keeper guard this is keeper-recoverable, but it stops an admin
+    //      tombstoning the last admin in one call.
+    // A missing account holds neither role here and falls through to the
+    // handler's own not-found path. `event_type` selects the audit event so
+    // the failure row matches the operation in flight.
+    const assert_account_removable = async (ctx, target_account_id, event_type) => {
+        const auth = ctx.auth;
+        const deny = (reason, message) => {
+            deps.audit.emit(ctx, {
+                event_type,
+                outcome: 'failure',
+                actor_id: auth.actor.id,
+                account_id: auth.account.id,
+                target_account_id,
+                ip: ctx.client_ip,
+                metadata: { reason },
+            });
+            throw jsonrpc_errors.forbidden(message, { reason });
+        };
+        const verb = event_type === 'account_purge' ? 'purge' : 'delete';
+        if (await query_account_has_global_role(ctx, target_account_id, ROLE_KEEPER)) {
+            deny(ERROR_CANNOT_DELETE_KEEPER, `cannot ${verb} the keeper account`);
+        }
+        // `_active_` variant: a tombstoned admin is already excluded from the
+        // active count, so removing it can't drop the tally — guarding it would
+        // falsely block (cannot_delete_last_admin) the removal of a soft-deleted
+        // admin while another active admin exists. Keeper branch above stays
+        // unconditional; the last-admin branch fires only for an *active* target.
+        if ((await query_account_has_active_global_role(ctx, target_account_id, ROLE_ADMIN)) &&
+            (await query_count_active_accounts_with_global_role(ctx, ROLE_ADMIN)) <= 1) {
+            deny(ERROR_CANNOT_DELETE_LAST_ADMIN, `cannot ${verb} the last admin account`);
+        }
+    };
+    // Soft-delete an account (reversible tombstone). Self-or-admin:
+    // deleting another account requires the admin role. Tombstones the
+    // account + its actor(s), revokes sessions/tokens, closes sockets, and
+    // emits `account_delete` + one `actor_delete` per soft-deleted actor —
+    // each carrying its identity snapshot. `delete` = soft.
+    const account_delete_handler = async (input, ctx) => {
+        const auth = ctx.auth;
+        const target_account_id = input.account_id ?? auth.account.id;
+        // Self-or-admin elevation: deleting someone else needs admin.
+        if (target_account_id !== auth.account.id && !has_role(auth, ROLE_ADMIN)) {
+            throw jsonrpc_errors.forbidden('cannot delete another account', {
+                reason: ERROR_INSUFFICIENT_PERMISSIONS,
+            });
+        }
+        // Keeper + last-admin guards (fail-loud, before the tombstone).
+        await assert_account_removable(ctx, target_account_id, 'account_delete');
+        // Snapshot actor names before the tombstone.
+        const actors = await query_actors_by_account(ctx, target_account_id);
+        const snapshot = await query_account_soft_delete(ctx, target_account_id, auth.actor.id);
+        if (!snapshot) {
+            // Missing or already soft-deleted — UUID probe key, failure audit is safe.
+            deps.audit.emit(ctx, {
+                event_type: 'account_delete',
+                outcome: 'failure',
+                actor_id: auth.actor.id,
+                account_id: auth.account.id,
+                ip: ctx.client_ip,
+                metadata: { reason: ERROR_ACCOUNT_NOT_FOUND, attempted_account_id: target_account_id },
+            });
+            throw jsonrpc_errors.not_found('account', { reason: ERROR_ACCOUNT_NOT_FOUND });
+        }
+        const soft_deleted_actors = [];
+        for (const actor of actors) {
+            if (await query_actor_soft_delete(ctx, actor.id, auth.actor.id)) {
+                soft_deleted_actors.push(actor);
+            }
+        }
+        await query_session_revoke_all_for_account(ctx, target_account_id);
+        await query_revoke_all_api_tokens_for_account(ctx, target_account_id);
+        if (connection_closer)
+            connection_closer.close_sockets_for_account(target_account_id);
+        deps.audit.emit(ctx, {
+            event_type: 'account_delete',
+            actor_id: auth.actor.id,
+            account_id: auth.account.id,
+            target_account_id,
+            ip: ctx.client_ip,
+            metadata: { username: snapshot.username, email: snapshot.email },
+        });
+        for (const actor of soft_deleted_actors) {
+            deps.audit.emit(ctx, {
+                event_type: 'actor_delete',
+                actor_id: auth.actor.id,
+                account_id: auth.account.id,
+                target_account_id,
+                target_actor_id: actor.id,
+                ip: ctx.client_ip,
+                metadata: { name: actor.name },
+            });
+        }
+        return { ok: true, deleted: true };
+    };
+    // Hard-purge an account (keeper-only, irreversible). Fail-loud:
+    // requires `confirm: true` + emits a WARN. Snapshots identity into
+    // `account_purge` + per-actor `actor_purge` before the cascading delete
+    // removes the rows — the `audit_log` id columns carry no FK, so the
+    // purged ids survive on historical rows and the snapshots name them.
+    const account_purge_handler = async (input, ctx) => {
+        const auth = ctx.auth;
+        // Fail-loud: refuse the irreversible purge without explicit confirm.
+        if (input.confirm !== true) {
+            throw jsonrpc_errors.invalid_params('purge requires confirm: true', {
+                reason: ERROR_PURGE_NOT_CONFIRMED,
+            });
+        }
+        // Keeper + last-admin guards (fail-loud, before the cascade).
+        await assert_account_removable(ctx, input.account_id, 'account_purge');
+        // Snapshot actors before the cascade removes them.
+        const actors = await query_actors_by_account(ctx, input.account_id);
+        const snapshot = await query_purge_account(ctx, input.account_id);
+        if (!snapshot) {
+            deps.audit.emit(ctx, {
+                event_type: 'account_purge',
+                outcome: 'failure',
+                actor_id: auth.actor.id,
+                account_id: auth.account.id,
+                ip: ctx.client_ip,
+                metadata: { reason: ERROR_ACCOUNT_NOT_FOUND, attempted_account_id: input.account_id },
+            });
+            throw jsonrpc_errors.not_found('account', { reason: ERROR_ACCOUNT_NOT_FOUND });
+        }
+        if (connection_closer)
+            connection_closer.close_sockets_for_account(input.account_id);
+        deps.log.warn(`account hard-purged (irreversible cascading delete): ${input.account_id} by actor ${auth.actor.id}`);
+        deps.audit.emit(ctx, {
+            event_type: 'account_purge',
+            actor_id: auth.actor.id,
+            account_id: auth.account.id,
+            target_account_id: input.account_id,
+            ip: ctx.client_ip,
+            metadata: { username: snapshot.username, email: snapshot.email },
+        });
+        for (const actor of actors) {
+            deps.audit.emit(ctx, {
+                event_type: 'actor_purge',
+                actor_id: auth.actor.id,
+                account_id: auth.account.id,
+                target_account_id: input.account_id,
+                target_actor_id: actor.id,
+                ip: ctx.client_ip,
+                metadata: { name: actor.name },
+            });
+        }
+        return { ok: true, purged: true };
+    };
+    // Reactivate a soft-deleted account (clears the tombstone). Admin-only —
+    // the self path is unreachable (a tombstoned account can't authenticate).
+    // Clears `deleted_at` on the account + its soft-deleted actor(s) and
+    // emits `account_undelete` + one `actor_undelete` per reactivated actor.
+    // Does NOT restore revoked sessions/tokens. The inverse of `delete`.
+    const account_undelete_handler = async (input, ctx) => {
+        const auth = ctx.auth;
+        // Snapshot actors (the listing includes soft-deleted rows) before
+        // clearing the tombstones so names land in the per-actor events.
+        const actors = await query_actors_by_account(ctx, input.account_id);
+        const snapshot = await query_account_undelete(ctx, input.account_id);
+        if (!snapshot) {
+            // Missing or not soft-deleted — UUID probe key, failure audit is safe.
+            deps.audit.emit(ctx, {
+                event_type: 'account_undelete',
+                outcome: 'failure',
+                actor_id: auth.actor.id,
+                account_id: auth.account.id,
+                ip: ctx.client_ip,
+                metadata: { reason: ERROR_ACCOUNT_NOT_FOUND, attempted_account_id: input.account_id },
+            });
+            throw jsonrpc_errors.not_found('account', { reason: ERROR_ACCOUNT_NOT_FOUND });
+        }
+        const undeleted_actors = [];
+        for (const actor of actors) {
+            if (await query_actor_undelete(ctx, actor.id)) {
+                undeleted_actors.push(actor);
+            }
+        }
+        deps.audit.emit(ctx, {
+            event_type: 'account_undelete',
+            actor_id: auth.actor.id,
+            account_id: auth.account.id,
+            target_account_id: input.account_id,
+            ip: ctx.client_ip,
+            metadata: { username: snapshot.username, email: snapshot.email },
+        });
+        for (const actor of undeleted_actors) {
+            deps.audit.emit(ctx, {
+                event_type: 'actor_undelete',
+                actor_id: auth.actor.id,
+                account_id: auth.account.id,
+                target_account_id: input.account_id,
+                target_actor_id: actor.id,
+                ip: ctx.client_ip,
+                metadata: { name: actor.name },
+            });
+        }
+        return { ok: true, undeleted: true };
+    };
     const actions = [
         rpc_action(admin_account_list_action_spec, account_list_handler),
+        rpc_action(account_delete_action_spec, account_delete_handler),
+        rpc_action(account_purge_action_spec, account_purge_handler),
+        rpc_action(account_undelete_action_spec, account_undelete_handler),
         rpc_action(admin_session_list_action_spec, session_list_handler),
         rpc_action(admin_session_revoke_all_action_spec, session_revoke_all_handler),
         rpc_action(admin_token_revoke_all_action_spec, token_revoke_all_handler),

package/dist/auth/audit_log_ddl.d.ts

@@ -17,8 +17,17 @@
  * - `target_actor_id` is populated iff the event subject is actor-bound
  *   (see `AuditLogEvent.target_actor_id` doc-comment for the rule).
  *
+ * **No FK on the four identity columns.** They are plain `UUID`, not
+ * `REFERENCES … ON DELETE SET NULL`. An audit log is an append-only
+ * historical record, not a live relational entity; `SET NULL` erased the
+ * very attribution the log exists to preserve. With soft-delete as the
+ * default (`account.deleted_at`) the rows stay and the ids JOIN-resolve;
+ * on a hard purge the raw id survives instead of nulling, and the purge
+ * audit event snapshots the identity into metadata (delete = soft,
+ * purge = hard).
+ *
  * @module
  */
-export declare const AUDIT_LOG_SCHEMA = "\nCREATE TABLE IF NOT EXISTS audit_log (\n  id UUID PRIMARY KEY DEFAULT gen_random_uuid(),\n  seq BIGSERIAL NOT NULL,\n  event_type TEXT NOT NULL,\n  outcome TEXT NOT NULL DEFAULT 'success',\n  actor_id UUID REFERENCES actor(id) ON DELETE SET NULL,\n  account_id UUID REFERENCES account(id) ON DELETE SET NULL,\n  target_account_id UUID REFERENCES account(id) ON DELETE SET NULL,\n  target_actor_id UUID REFERENCES actor(id) ON DELETE SET NULL,\n  ip TEXT,\n  created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),\n  metadata JSONB\n)";
+export declare const AUDIT_LOG_SCHEMA = "\nCREATE TABLE IF NOT EXISTS audit_log (\n  id UUID PRIMARY KEY DEFAULT gen_random_uuid(),\n  seq BIGSERIAL NOT NULL,\n  event_type TEXT NOT NULL,\n  outcome TEXT NOT NULL DEFAULT 'success',\n  actor_id UUID,\n  account_id UUID,\n  target_account_id UUID,\n  target_actor_id UUID,\n  ip TEXT,\n  created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),\n  metadata JSONB\n)";
 export declare const AUDIT_LOG_INDEXES: string[];
 //# sourceMappingURL=audit_log_ddl.d.ts.map

package/dist/auth/audit_log_ddl.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"audit_log_ddl.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/audit_log_ddl.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AAEH,eAAO,MAAM,gBAAgB,ohBAa3B,CAAC;AAEH,eAAO,MAAM,iBAAiB,UAM7B,CAAC"}
+{"version":3,"file":"audit_log_ddl.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/audit_log_ddl.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AAEH,eAAO,MAAM,gBAAgB,gXAa3B,CAAC;AAEH,eAAO,MAAM,iBAAiB,UAM7B,CAAC"}

package/dist/auth/audit_log_ddl.js

@@ -17,6 +17,15 @@
  * - `target_actor_id` is populated iff the event subject is actor-bound
  *   (see `AuditLogEvent.target_actor_id` doc-comment for the rule).
  *
+ * **No FK on the four identity columns.** They are plain `UUID`, not
+ * `REFERENCES … ON DELETE SET NULL`. An audit log is an append-only
+ * historical record, not a live relational entity; `SET NULL` erased the
+ * very attribution the log exists to preserve. With soft-delete as the
+ * default (`account.deleted_at`) the rows stay and the ids JOIN-resolve;
+ * on a hard purge the raw id survives instead of nulling, and the purge
+ * audit event snapshots the identity into metadata (delete = soft,
+ * purge = hard).
+ *
  * @module
  */
 export const AUDIT_LOG_SCHEMA = `
@@ -25,10 +34,10 @@ CREATE TABLE IF NOT EXISTS audit_log (
   seq BIGSERIAL NOT NULL,
   event_type TEXT NOT NULL,
   outcome TEXT NOT NULL DEFAULT 'success',
-  actor_id UUID REFERENCES actor(id) ON DELETE SET NULL,
-  account_id UUID REFERENCES account(id) ON DELETE SET NULL,
-  target_account_id UUID REFERENCES account(id) ON DELETE SET NULL,
-  target_actor_id UUID REFERENCES actor(id) ON DELETE SET NULL,
+  actor_id UUID,
+  account_id UUID,
+  target_account_id UUID,
+  target_actor_id UUID,
   ip TEXT,
   created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
   metadata JSONB

package/dist/auth/audit_log_schema.d.ts

@@ -16,7 +16,7 @@ import { Uuid } from '@fuzdev/fuz_util/id.js';
  * Not a security boundary — in-process code has many other paths to subvert
  * audit logging.
  */
-export declare const AUDIT_EVENT_TYPES: readonly ["login", "logout", "bootstrap", "signup", "password_change", "session_revoke", "session_revoke_all", "token_create", "token_revoke", "token_revoke_all", "role_grant_create", "role_grant_revoke", "role_grant_offer_create", "role_grant_offer_accept", "role_grant_offer_decline", "role_grant_offer_retract", "role_grant_offer_expire", "role_grant_offer_supersede", "invite_create", "invite_delete", "app_settings_update"];
+export declare const AUDIT_EVENT_TYPES: readonly ["login", "logout", "bootstrap", "signup", "password_change", "session_revoke", "session_revoke_all", "token_create", "token_revoke", "token_revoke_all", "role_grant_create", "role_grant_revoke", "role_grant_offer_create", "role_grant_offer_accept", "role_grant_offer_decline", "role_grant_offer_retract", "role_grant_offer_expire", "role_grant_offer_supersede", "invite_create", "invite_delete", "account_delete", "account_purge", "account_undelete", "actor_delete", "actor_purge", "actor_undelete", "app_settings_update"];
 /** Zod schema for audit event types. */
 export declare const AuditEventType: z.ZodEnum<{
     bootstrap: "bootstrap";
@@ -39,6 +39,12 @@ export declare const AuditEventType: z.ZodEnum<{
     role_grant_offer_supersede: "role_grant_offer_supersede";
     invite_create: "invite_create";
     invite_delete: "invite_delete";
+    account_delete: "account_delete";
+    account_purge: "account_purge";
+    account_undelete: "account_undelete";
+    actor_delete: "actor_delete";
+    actor_purge: "actor_purge";
+    actor_undelete: "actor_undelete";
     app_settings_update: "app_settings_update";
 }>;
 export type AuditEventType = z.infer<typeof AuditEventType>;
@@ -192,6 +198,33 @@ export declare const audit_metadata_schemas: Readonly<{
     invite_delete: z.ZodObject<{
         invite_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
     }, z.core.$loose>;
+    account_delete: z.ZodObject<{
+        username: z.ZodOptional<z.ZodString>;
+        email: z.ZodOptional<z.ZodNullable<z.ZodString>>;
+        reason: z.ZodOptional<z.ZodString>;
+        attempted_account_id: z.ZodOptional<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+    }, z.core.$loose>;
+    account_purge: z.ZodObject<{
+        username: z.ZodOptional<z.ZodString>;
+        email: z.ZodOptional<z.ZodNullable<z.ZodString>>;
+        reason: z.ZodOptional<z.ZodString>;
+        attempted_account_id: z.ZodOptional<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+    }, z.core.$loose>;
+    account_undelete: z.ZodObject<{
+        username: z.ZodOptional<z.ZodString>;
+        email: z.ZodOptional<z.ZodNullable<z.ZodString>>;
+        reason: z.ZodOptional<z.ZodString>;
+        attempted_account_id: z.ZodOptional<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+    }, z.core.$loose>;
+    actor_delete: z.ZodObject<{
+        name: z.ZodOptional<z.ZodString>;
+    }, z.core.$loose>;
+    actor_purge: z.ZodObject<{
+        name: z.ZodOptional<z.ZodString>;
+    }, z.core.$loose>;
+    actor_undelete: z.ZodObject<{
+        name: z.ZodOptional<z.ZodString>;
+    }, z.core.$loose>;
     app_settings_update: z.ZodObject<{
         setting: z.ZodString;
         old_value: z.ZodUnknown;

package/dist/auth/audit_log_schema.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"audit_log_schema.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/audit_log_schema.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AACtB,OAAO,EAAC,IAAI,EAAC,MAAM,wBAAwB,CAAC;AAoB5C;;;;;GAKG;AACH,eAAO,MAAM,iBAAiB,8aAsBnB,CAAC;AAEZ,wCAAwC;AACxC,eAAO,MAAM,cAAc;;;;;;;;;;;;;;;;;;;;;;EAA4B,CAAC;AACxD,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,cAAc,CAAC,CAAC;AAE5D;;;;GAIG;AACH,eAAO,MAAM,2BAA2B,QAA+B,CAAC;AAExE,0DAA0D;AAC1D,eAAO,MAAM,kBAAkB,aAE7B,CAAC;AACH,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAEpE,2CAA2C;AAC3C,eAAO,MAAM,YAAY;;;EAAiC,CAAC;AAC3D,MAAM,MAAM,YAAY,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,YAAY,CAAC,CAAC;AAExD;;;;;;GAMG;AACH,eAAO,MAAM,sBAAsB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAkNW,CAAC;AAE/C,+EAA+E;AAC/E,MAAM,MAAM,gBAAgB,GAAG;KAC7B,CAAC,IAAI,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,OAAO,sBAAsB,CAAC,CAAC,CAAC,CAAC,CAAC;CAClE,CAAC;AAEF,oGAAoG;AACpG,MAAM,WAAW,aAAa;IAC7B,EAAE,EAAE,IAAI,CAAC;IACT,GAAG,EAAE,MAAM,CAAC;IACZ,UAAU,EAAE,kBAAkB,CAAC;IAC/B,OAAO,EAAE,YAAY,CAAC;IACtB;;;;;;;;;;;;;OAaG;IACH,QAAQ,EAAE,IAAI,GAAG,IAAI,CAAC;IACtB,UAAU,EAAE,IAAI,GAAG,IAAI,CAAC;IACxB,iBAAiB,EAAE,IAAI,GAAG,IAAI,CAAC;IAC/B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OAkCG;IACH,eAAe,EAAE,IAAI,GAAG,IAAI,CAAC;IAC7B,EAAE,EAAE,MAAM,GAAG,IAAI,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC;CACzC;AAED;;;;GAIG;AACH,eAAO,MAAM,kBAAkB,GAAI,CAAC,SAAS,cAAc,EAC1D,OAAO,aAAa,GAAG;IAAC,UAAU,EAAE,CAAC,CAAA;CAAC,KACpC,gBAAgB,CAAC,CAAC,CAAC,GAAG,IAExB,CAAC;AAEF,6CAA6C;AAC7C,MAAM,WAAW,aAAa,CAAC,CAAC,SAAS,MAAM,GAAG,cAAc;IAC/D,UAAU,EAAE,CAAC,CAAC;IACd,OAAO,CAAC,EAAE,YAAY,CAAC;IACvB,QAAQ,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;IACvB,UAAU,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;IACzB,iBAAiB,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;IAChC,eAAe,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;IAC9B,EAAE,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACnB;;;;OAIG;IACH,QAAQ,CAAC,EAAE,CAAC,SAAS,cAAc,GAChC,CAAC,gBAAgB,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,GAAG,IAAI,GACtD,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC;CAClC;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,WAAW,cAAc;IAC9B,iFAAiF;IACjF,QAAQ,CAAC,WAAW,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IAC5C;;;OAGG;IACH,QAAQ,CAAC,gBAAgB,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC;CAC/D;AAED,4FAA4F;AAC5F,eAAO,MAAM,wBAAwB,EAAE,cAGrC,CAAC;AAEH,6CAA6C;AAC7C,MAAM,WAAW,2BAA2B;IAC3C;;;;;;;;OAQG;IACH,YAAY,CAAC,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,GAAG,IAAI,CAAC,CAAC,CAAC;CAC1D;AAED;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,uBAAuB,GAAI,UAAU,2BAA2B,KAAG,cA2B/E,CAAC;AAEF,gDAAgD;AAChD,eAAO,MAAM,uBAAuB,KAAK,CAAC;AAE1C,6CAA6C;AAC7C,MAAM,WAAW,mBAAmB;IACnC,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB;;;;OAIG;IACH,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,aAAa,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IAC9B,UAAU,CAAC,EAAE,IAAI,CAAC;IAClB,OAAO,CAAC,EAAE,YAAY,CAAC;IACvB,0GAA0G;IAC1G,SAAS,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;;;;;;;;GASG;AACH,eAAO,MAAM,iBAAiB;;;;;;;;;;;;;;;kBAY5B,CAAC;AACH,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAC;AAElE,+DAA+D;AAC/D,eAAO,MAAM,8BAA8B;;;;;;;;;;;;;;;;;kBAGzC,CAAC;AACH,MAAM,MAAM,8BAA8B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,8BAA8B,CAAC,CAAC;AAE5F,wEAAwE;AACxE,eAAO,MAAM,yBAAyB;;;;;;;;;;;;;;;;;kBAGpC,CAAC;AACH,MAAM,MAAM,yBAAyB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,yBAAyB,CAAC,CAAC;AAElF,iEAAiE;AACjE,eAAO,MAAM,gBAAgB;;;;;;;kBAE3B,CAAC;AACH,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC"}
+{"version":3,"file":"audit_log_schema.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/audit_log_schema.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AACtB,OAAO,EAAC,IAAI,EAAC,MAAM,wBAAwB,CAAC;AAoB5C;;;;;GAKG;AACH,eAAO,MAAM,iBAAiB,shBA4BnB,CAAC;AAEZ,wCAAwC;AACxC,eAAO,MAAM,cAAc;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAA4B,CAAC;AACxD,MAAM,MAAM,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,cAAc,CAAC,CAAC;AAE5D;;;;GAIG;AACH,eAAO,MAAM,2BAA2B,QAA+B,CAAC;AAExE,0DAA0D;AAC1D,eAAO,MAAM,kBAAkB,aAE7B,CAAC;AACH,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAEpE,2CAA2C;AAC3C,eAAO,MAAM,YAAY;;;EAAiC,CAAC;AAC3D,MAAM,MAAM,YAAY,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,YAAY,CAAC,CAAC;AAExD;;;;;;GAMG;AACH,eAAO,MAAM,sBAAsB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAqRW,CAAC;AAE/C,+EAA+E;AAC/E,MAAM,MAAM,gBAAgB,GAAG;KAC7B,CAAC,IAAI,cAAc,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,OAAO,sBAAsB,CAAC,CAAC,CAAC,CAAC,CAAC;CAClE,CAAC;AAEF,oGAAoG;AACpG,MAAM,WAAW,aAAa;IAC7B,EAAE,EAAE,IAAI,CAAC;IACT,GAAG,EAAE,MAAM,CAAC;IACZ,UAAU,EAAE,kBAAkB,CAAC;IAC/B,OAAO,EAAE,YAAY,CAAC;IACtB;;;;;;;;;;;;;OAaG;IACH,QAAQ,EAAE,IAAI,GAAG,IAAI,CAAC;IACtB,UAAU,EAAE,IAAI,GAAG,IAAI,CAAC;IACxB,iBAAiB,EAAE,IAAI,GAAG,IAAI,CAAC;IAC/B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OAkCG;IACH,eAAe,EAAE,IAAI,GAAG,IAAI,CAAC;IAC7B,EAAE,EAAE,MAAM,GAAG,IAAI,CAAC;IAClB,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC;CACzC;AAED;;;;GAIG;AACH,eAAO,MAAM,kBAAkB,GAAI,CAAC,SAAS,cAAc,EAC1D,OAAO,aAAa,GAAG;IAAC,UAAU,EAAE,CAAC,CAAA;CAAC,KACpC,gBAAgB,CAAC,CAAC,CAAC,GAAG,IAExB,CAAC;AAEF,6CAA6C;AAC7C,MAAM,WAAW,aAAa,CAAC,CAAC,SAAS,MAAM,GAAG,cAAc;IAC/D,UAAU,EAAE,CAAC,CAAC;IACd,OAAO,CAAC,EAAE,YAAY,CAAC;IACvB,QAAQ,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;IACvB,UAAU,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;IACzB,iBAAiB,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;IAChC,eAAe,CAAC,EAAE,IAAI,GAAG,IAAI,CAAC;IAC9B,EAAE,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACnB;;;;OAIG;IACH,QAAQ,CAAC,EAAE,CAAC,SAAS,cAAc,GAChC,CAAC,gBAAgB,CAAC,CAAC,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC,GAAG,IAAI,GACtD,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC;CAClC;AAED;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,WAAW,cAAc;IAC9B,iFAAiF;IACjF,QAAQ,CAAC,WAAW,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IAC5C;;;OAGG;IACH,QAAQ,CAAC,gBAAgB,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC;CAC/D;AAED,4FAA4F;AAC5F,eAAO,MAAM,wBAAwB,EAAE,cAGrC,CAAC;AAEH,6CAA6C;AAC7C,MAAM,WAAW,2BAA2B;IAC3C;;;;;;;;OAQG;IACH,YAAY,CAAC,EAAE,QAAQ,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,GAAG,IAAI,CAAC,CAAC,CAAC;CAC1D;AAED;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,uBAAuB,GAAI,UAAU,2BAA2B,KAAG,cA2B/E,CAAC;AAEF,gDAAgD;AAChD,eAAO,MAAM,uBAAuB,KAAK,CAAC;AAE1C,6CAA6C;AAC7C,MAAM,WAAW,mBAAmB;IACnC,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB;;;;OAIG;IACH,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,aAAa,CAAC,EAAE,KAAK,CAAC,MAAM,CAAC,CAAC;IAC9B,UAAU,CAAC,EAAE,IAAI,CAAC;IAClB,OAAO,CAAC,EAAE,YAAY,CAAC;IACvB,0GAA0G;IAC1G,SAAS,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;;;;;;;;GASG;AACH,eAAO,MAAM,iBAAiB;;;;;;;;;;;;;;;kBAY5B,CAAC;AACH,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAC;AAElE,+DAA+D;AAC/D,eAAO,MAAM,8BAA8B;;;;;;;;;;;;;;;;;kBAGzC,CAAC;AACH,MAAM,MAAM,8BAA8B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,8BAA8B,CAAC,CAAC;AAE5F,wEAAwE;AACxE,eAAO,MAAM,yBAAyB;;;;;;;;;;;;;;;;;kBAGpC,CAAC;AACH,MAAM,MAAM,yBAAyB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,yBAAyB,CAAC,CAAC;AAElF,iEAAiE;AACjE,eAAO,MAAM,gBAAgB;;;;;;;kBAE3B,CAAC;AACH,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC"}

package/dist/auth/audit_log_schema.js

@@ -52,6 +52,12 @@ export const AUDIT_EVENT_TYPES = Object.freeze([
     'role_grant_offer_supersede',
     'invite_create',
     'invite_delete',
+    'account_delete',
+    'account_purge',
+    'account_undelete',
+    'actor_delete',
+    'actor_purge',
+    'actor_undelete',
     'app_settings_update',
 ]);
 /** Zod schema for audit event types. */
@@ -266,6 +272,73 @@ export const audit_metadata_schemas = Object.freeze({
     invite_delete: z.looseObject({
         invite_id: Uuid.meta({ description: 'Id of the deleted invite.' }),
     }),
+    // Account/actor deletion snapshots identity into metadata so the
+    // identity behind a now-orphaned audit id survives a purge (the
+    // `audit_log` id columns carry no FK). `delete` = soft (reversible
+    // tombstone), `purge` = hard (irreversible cascading removal). Known
+    // fields are optional so the same schema validates the success
+    // snapshot and the not-found failure shape (`reason` /
+    // `attempted_account_id`). See `auth/CLAUDE.md` §Account/actor deletion
+    // (delete = soft, purge = hard).
+    account_delete: z.looseObject({
+        username: z.string().optional().meta({ description: 'Username at soft-delete time.' }),
+        email: z
+            .string()
+            .nullable()
+            .optional()
+            .meta({ description: 'Email at soft-delete time; null when unset.' }),
+        reason: z
+            .string()
+            .optional()
+            .meta({ description: 'Failure category. Set only on `outcome=failure`.' }),
+        attempted_account_id: Uuid.optional().meta({
+            description: 'Probed account id when the target was missing (`outcome=failure`).',
+        }),
+    }),
+    account_purge: z.looseObject({
+        username: z.string().optional().meta({ description: 'Username at purge time.' }),
+        email: z
+            .string()
+            .nullable()
+            .optional()
+            .meta({ description: 'Email at purge time; null when unset.' }),
+        reason: z
+            .string()
+            .optional()
+            .meta({ description: 'Failure category. Set only on `outcome=failure`.' }),
+        attempted_account_id: Uuid.optional().meta({
+            description: 'Probed account id when the target was missing (`outcome=failure`).',
+        }),
+    }),
+    // `account_undelete` / `actor_undelete` are the reactivation events
+    // (clearing the soft-delete tombstone). Same identity-snapshot shape as
+    // the delete events so reviewers see who was reactivated; `reason` /
+    // `attempted_account_id` carry the not-found failure shape. Admin-only —
+    // the self path is unreachable (a tombstoned account can't authenticate).
+    account_undelete: z.looseObject({
+        username: z.string().optional().meta({ description: 'Username at reactivation time.' }),
+        email: z
+            .string()
+            .nullable()
+            .optional()
+            .meta({ description: 'Email at reactivation time; null when unset.' }),
+        reason: z
+            .string()
+            .optional()
+            .meta({ description: 'Failure category. Set only on `outcome=failure`.' }),
+        attempted_account_id: Uuid.optional().meta({
+            description: 'Probed account id when the target was missing/not-deleted (`outcome=failure`).',
+        }),
+    }),
+    actor_delete: z.looseObject({
+        name: z.string().optional().meta({ description: 'Actor display name at soft-delete time.' }),
+    }),
+    actor_purge: z.looseObject({
+        name: z.string().optional().meta({ description: 'Actor display name at purge time.' }),
+    }),
+    actor_undelete: z.looseObject({
+        name: z.string().optional().meta({ description: 'Actor display name at reactivation time.' }),
+    }),
     app_settings_update: z.looseObject({
         setting: z.string().meta({ description: 'Name of the setting that changed.' }),
         old_value: z.unknown().meta({ description: 'Setting value before the update.' }),

package/dist/auth/auth_ddl.d.ts

@@ -9,8 +9,8 @@
  *
  * @module
  */
-export declare const ACCOUNT_SCHEMA = "\nCREATE TABLE IF NOT EXISTS account (\n  id UUID PRIMARY KEY DEFAULT gen_random_uuid(),\n  username TEXT UNIQUE NOT NULL,\n  email TEXT,\n  email_verified BOOLEAN NOT NULL DEFAULT false,\n  password_hash TEXT NOT NULL,\n  created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),\n  created_by UUID,\n  updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),\n  updated_by UUID\n)";
-export declare const ACTOR_SCHEMA = "\nCREATE TABLE IF NOT EXISTS actor (\n  id UUID PRIMARY KEY DEFAULT gen_random_uuid(),\n  account_id UUID NOT NULL REFERENCES account(id) ON DELETE CASCADE,\n  name TEXT NOT NULL,\n  created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),\n  updated_at TIMESTAMPTZ,\n  updated_by UUID REFERENCES actor(id) ON DELETE SET NULL\n)";
+export declare const ACCOUNT_SCHEMA = "\nCREATE TABLE IF NOT EXISTS account (\n  id UUID PRIMARY KEY DEFAULT gen_random_uuid(),\n  username TEXT UNIQUE NOT NULL,\n  email TEXT,\n  email_verified BOOLEAN NOT NULL DEFAULT false,\n  password_hash TEXT NOT NULL,\n  created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),\n  created_by UUID,\n  updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),\n  updated_by UUID,\n  deleted_at TIMESTAMPTZ,\n  deleted_by UUID\n)";
+export declare const ACTOR_SCHEMA = "\nCREATE TABLE IF NOT EXISTS actor (\n  id UUID PRIMARY KEY DEFAULT gen_random_uuid(),\n  account_id UUID NOT NULL REFERENCES account(id) ON DELETE CASCADE,\n  name TEXT NOT NULL,\n  created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),\n  updated_at TIMESTAMPTZ,\n  updated_by UUID REFERENCES actor(id) ON DELETE SET NULL,\n  deleted_at TIMESTAMPTZ,\n  deleted_by UUID REFERENCES actor(id) ON DELETE SET NULL\n)";
 export declare const ACTOR_INDEX = "\nCREATE INDEX IF NOT EXISTS idx_actor_account ON actor(account_id)";
 /**
  * Functional index on `LOWER(actor.name)` supporting case-insensitive

package/dist/auth/auth_ddl.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"auth_ddl.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/auth_ddl.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,eAAO,MAAM,cAAc,8WAWzB,CAAC;AAEH,eAAO,MAAM,YAAY,mUAQvB,CAAC;AAEH,eAAO,MAAM,WAAW,wEAC0C,CAAC;AAEnE;;;;;GAKG;AACH,eAAO,MAAM,sBAAsB,8FACqD,CAAC;AAEzF,eAAO,MAAM,iBAAiB,2ZAU5B,CAAC;AAEH,eAAO,MAAM,kBAAkB,UAI9B,CAAC;AAEF,eAAO,MAAM,mBAAmB,0RAO9B,CAAC;AAEH,eAAO,MAAM,oBAAoB,UAGhC,CAAC;AAEF,eAAO,MAAM,gBAAgB,iUAU3B,CAAC;AAEH,eAAO,MAAM,mBAAmB,4GACsE,CAAC;AAEvG,eAAO,MAAM,yBAAyB,6FACiD,CAAC;AAExF,eAAO,MAAM,eAAe,gFAC8C,CAAC;AAE3E,eAAO,MAAM,qBAAqB,wJAIhC,CAAC;AAEH,6FAA6F;AAC7F,eAAO,MAAM,mBAAmB,yHAGP,CAAC;AAE1B,eAAO,MAAM,aAAa,6ZAUxB,CAAC;AAEH,eAAO,MAAM,cAAc,UAI1B,CAAC;AAEF,eAAO,MAAM,mBAAmB,oMAM9B,CAAC;AAEH,eAAO,MAAM,iBAAiB,sEACkC,CAAC"}
+{"version":3,"file":"auth_ddl.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/auth_ddl.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAMH,eAAO,MAAM,cAAc,6ZAazB,CAAC;AAEH,eAAO,MAAM,YAAY,0ZAUvB,CAAC;AAEH,eAAO,MAAM,WAAW,wEAC0C,CAAC;AAEnE;;;;;GAKG;AACH,eAAO,MAAM,sBAAsB,8FACqD,CAAC;AAEzF,eAAO,MAAM,iBAAiB,2ZAU5B,CAAC;AAEH,eAAO,MAAM,kBAAkB,UAI9B,CAAC;AAEF,eAAO,MAAM,mBAAmB,0RAO9B,CAAC;AAEH,eAAO,MAAM,oBAAoB,UAGhC,CAAC;AAEF,eAAO,MAAM,gBAAgB,iUAU3B,CAAC;AAEH,eAAO,MAAM,mBAAmB,4GACsE,CAAC;AAEvG,eAAO,MAAM,yBAAyB,6FACiD,CAAC;AAExF,eAAO,MAAM,eAAe,gFAC8C,CAAC;AAE3E,eAAO,MAAM,qBAAqB,wJAIhC,CAAC;AAEH,6FAA6F;AAC7F,eAAO,MAAM,mBAAmB,yHAGP,CAAC;AAE1B,eAAO,MAAM,aAAa,6ZAUxB,CAAC;AAEH,eAAO,MAAM,cAAc,UAI1B,CAAC;AAEF,eAAO,MAAM,mBAAmB,oMAM9B,CAAC;AAEH,eAAO,MAAM,iBAAiB,sEACkC,CAAC"}

package/dist/auth/auth_ddl.js

@@ -9,6 +9,10 @@
  *
  * @module
  */
+// `deleted_at` is the soft-delete tombstone (delete = soft, purge = hard).
+// Auth resolution treats a non-null `deleted_at` as absent; the username /
+// email unique indexes stay unconditional so a soft-deleted identity stays
+// reserved (no reuse): delete is soft, purge is hard.
 export const ACCOUNT_SCHEMA = `
 CREATE TABLE IF NOT EXISTS account (
   id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
@@ -19,7 +23,9 @@ CREATE TABLE IF NOT EXISTS account (
   created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
   created_by UUID,
   updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
-  updated_by UUID
+  updated_by UUID,
+  deleted_at TIMESTAMPTZ,
+  deleted_by UUID
 )`;
 export const ACTOR_SCHEMA = `
 CREATE TABLE IF NOT EXISTS actor (
@@ -28,7 +34,9 @@ CREATE TABLE IF NOT EXISTS actor (
   name TEXT NOT NULL,
   created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
   updated_at TIMESTAMPTZ,
-  updated_by UUID REFERENCES actor(id) ON DELETE SET NULL
+  updated_by UUID REFERENCES actor(id) ON DELETE SET NULL,
+  deleted_at TIMESTAMPTZ,
+  deleted_by UUID REFERENCES actor(id) ON DELETE SET NULL
 )`;
 export const ACTOR_INDEX = `
 CREATE INDEX IF NOT EXISTS idx_actor_account ON actor(account_id)`;