@fuzdev/fuz_app 0.67.1 → 0.68.0

package/dist/auth/cell_grant_actions.js

@@ -0,0 +1,208 @@
+/**
+ * Cell-grant ACL RPC handlers.
+ *
+ * Three `request_response` actions bound to specs in
+ * `./cell_grant_action_specs.ts`:
+ *
+ * Grant management is **manage-tier only** (`can_manage_cell` = admin /
+ * owner). Editor-grant holders may edit a cell's content + relations but
+ * cannot manage its grants — delegating the share list would let an editor
+ * widen access or mint peer editors and escape the manager's authority.
+ *
+ * - `cell_grant_create` — admin / owner only. Validates role-shaped
+ *   principals against the role schema; rejects owner-as-principal.
+ *   Actor-shaped principals carry a pre-resolved `actor_id` (callers pick
+ *   via `actor_search`). Idempotent — re-granting the same principal
+ *   updates `level` via UPSERT.
+ * - `cell_grant_revoke` — admin / owner, plus self for actor-shaped grants
+ *   ("leave shared cell"). Returns `still_admitted` computed by re-running
+ *   `can_view_cell` against the remaining grants.
+ * - `cell_grant_list` — admin / owner only. Viewers and editors alike get
+ *   the IDOR-mask 404 (the share list is the manager's to curate).
+ *
+ * All three 404 with `cell_not_found` on cell-miss / cell-unviewable, and
+ * with `cell_grant_not_found` on grant-miss, mirroring the existence-leak
+ * guards in `cell_actions.ts`.
+ *
+ * Audit events `cell_grant_create` / `cell_grant_revoke` carry IDs only
+ * (no display-name snapshots); see `./cell_grant_audit_metadata.ts`.
+ *
+ * @module
+ */
+import { rpc_action } from '../actions/action_rpc.js';
+import { jsonrpc_errors } from '../http/jsonrpc_errors.js';
+import { cell_grant_create_action_spec, cell_grant_revoke_action_spec, cell_grant_list_action_spec, ERROR_CELL_GRANT_NOT_FOUND, ERROR_CELL_GRANT_PRINCIPAL_IS_OWNER, ERROR_CELL_GRANT_UNKNOWN_ROLE, } from './cell_grant_action_specs.js';
+import { ERROR_CELL_NOT_FOUND } from './cell_action_specs.js';
+import { can_view_cell, can_manage_cell } from './cell_authorize.js';
+import { query_cell_get } from '../db/cell_queries.js';
+import { query_cell_grant_create, query_cell_grant_get, query_cell_grant_delete, query_cell_grant_list_for_cell, } from '../db/cell_grant_queries.js';
+export const to_grant_json = (row) => ({
+    id: row.id,
+    cell_id: row.cell_id,
+    level: row.level,
+    actor_id: row.actor_id,
+    role: row.role,
+    scope_id: row.scope_id,
+    granted_by: row.granted_by,
+    created_at: typeof row.created_at === 'string' ? row.created_at : row.created_at.toISOString(),
+});
+/**
+ * Build the audit-metadata principal envelope from a `cell_grant` row.
+ * Picks the actor-shape branch when `actor_id IS NOT NULL`,
+ * otherwise the role-shape branch. The CHECK constraint guarantees
+ * exactly one of the two holds.
+ */
+const principal_from_row = (row) => row.actor_id !== null ? { actor_id: row.actor_id } : { role: row.role, scope_id: row.scope_id };
+/**
+ * Map the wire-input principal to the query-input shape. Both arms pass
+ * through unchanged — the wire and query shapes are aligned (pickers run
+ * `actor_search` upstream and submit the resolved id).
+ */
+const to_query_principal = (principal) => {
+    if (principal.kind === 'actor') {
+        return { kind: 'actor', actor_id: principal.actor_id };
+    }
+    return {
+        kind: 'role',
+        role: principal.role,
+        scope_id: principal.scope_id ?? null,
+    };
+};
+/**
+ * Reject the create when the principal actor is the cell's owner.
+ * Skipped for role-shaped principals (a role isn't a single actor) and
+ * for system cells (`created_by IS NULL`). With actor-grain principals
+ * the comparison is direct — `cell.created_by` is already an actor id.
+ */
+const assert_principal_is_not_owner = (cell, principal) => {
+    if (principal.kind !== 'actor')
+        return;
+    if (cell.created_by === null)
+        return;
+    if (cell.created_by === principal.actor_id) {
+        throw jsonrpc_errors.invalid_params('grant principal is the cell owner', {
+            reason: ERROR_CELL_GRANT_PRINCIPAL_IS_OWNER,
+        });
+    }
+};
+/** Create the three `cell_grant_*` RPC actions. */
+export const create_cell_grant_actions = (deps) => {
+    const { roles } = deps;
+    const create_handler = async (input, ctx) => {
+        const auth = ctx.auth;
+        const cell = await query_cell_get(ctx, input.cell_id);
+        if (!cell) {
+            // IDOR mask: same code as cell_get's miss/unviewable so probing
+            // for cells via the share endpoint is no easier than via cell_get.
+            throw jsonrpc_errors.not_found('cell', { reason: ERROR_CELL_NOT_FOUND });
+        }
+        // Grant management is manage-tier only (admin / owner). Editor-grant
+        // holders may edit the cell's content + relations but cannot mint
+        // grants of any level — delegating the share list would let editors
+        // widen access (or mint peer editors) and escape the manager's
+        // authority. Non-managers get the IDOR-mask 404, same as a non-viewer
+        // on the read path.
+        if (!can_manage_cell(auth, cell)) {
+            throw jsonrpc_errors.not_found('cell', { reason: ERROR_CELL_NOT_FOUND });
+        }
+        const principal = to_query_principal(input.principal);
+        // Role validity — only relevant for role-shaped principals; reject
+        // before insert so dead grant rows nothing can match are foreclosed.
+        if (principal.kind === 'role' && !roles.role_specs.has(principal.role)) {
+            throw jsonrpc_errors.invalid_params(`unknown role "${principal.role}"`, {
+                reason: ERROR_CELL_GRANT_UNKNOWN_ROLE,
+            });
+        }
+        assert_principal_is_not_owner(cell, principal);
+        const row = await query_cell_grant_create(ctx, {
+            cell_id: cell.id,
+            level: input.level,
+            principal,
+            granted_by: auth.actor.id,
+        });
+        deps.audit.emit(ctx, {
+            event_type: 'cell_grant_create',
+            actor_id: auth.actor.id,
+            account_id: auth.account.id,
+            ip: ctx.client_ip,
+            metadata: {
+                cell_id: row.cell_id,
+                grant_id: row.id,
+                level: row.level,
+                principal: principal_from_row(row),
+            },
+        });
+        return { grant: to_grant_json(row) };
+    };
+    const revoke_handler = async (input, ctx) => {
+        const auth = ctx.auth;
+        const grant = await query_cell_grant_get(ctx, input.grant_id);
+        if (!grant) {
+            throw jsonrpc_errors.not_found('cell grant', { reason: ERROR_CELL_GRANT_NOT_FOUND });
+        }
+        const cell = await query_cell_get(ctx, grant.cell_id);
+        if (!cell) {
+            // Grant exists but its cell is gone (soft-deleted out from under
+            // it). Treat as a grant miss for the IDOR mask.
+            throw jsonrpc_errors.not_found('cell grant', { reason: ERROR_CELL_GRANT_NOT_FOUND });
+        }
+        const is_manager = can_manage_cell(auth, cell);
+        // "Is the grant being revoked the caller's own actor-shaped grant?"
+        // Self-revoke is the leave-shared-cell affordance — open regardless of
+        // authority path. Owner-with-self-grant can't happen
+        // (`assert_principal_is_not_owner` blocks it at create time).
+        const is_self_actor_grant = grant.actor_id !== null && grant.actor_id === auth.actor.id;
+        // Grant management is manage-tier only (admin / owner); editor-grant
+        // holders cannot revoke grants (mirrors the create gate). The sole
+        // exception is self-revoke. Non-qualifying callers get the IDOR mask.
+        if (!is_manager && !is_self_actor_grant) {
+            throw jsonrpc_errors.not_found('cell grant', { reason: ERROR_CELL_GRANT_NOT_FOUND });
+        }
+        const deleted = await query_cell_grant_delete(ctx, grant.id);
+        if (!deleted) {
+            // Raced with another revoker. Same shape as cell_actions.ts —
+            // 404 covers the gap.
+            throw jsonrpc_errors.not_found('cell grant', { reason: ERROR_CELL_GRANT_NOT_FOUND });
+        }
+        // Recompute admit state against the remaining grants. Always true
+        // for non-self revokes (caller didn't admit via this row), but the
+        // recompute is uniform shape — let `can_view_cell` decide.
+        const remaining = await query_cell_grant_list_for_cell(ctx, cell.id);
+        const still_admitted = can_view_cell(auth, cell, remaining);
+        const audit_metadata = {
+            cell_id: deleted.cell_id,
+            grant_id: deleted.id,
+            level: deleted.level,
+            principal: principal_from_row(deleted),
+            ...(is_self_actor_grant ? { self: true } : {}),
+        };
+        deps.audit.emit(ctx, {
+            event_type: 'cell_grant_revoke',
+            actor_id: auth.actor.id,
+            account_id: auth.account.id,
+            ip: ctx.client_ip,
+            metadata: audit_metadata,
+        });
+        return { ok: true, still_admitted };
+    };
+    const list_handler = async (input, ctx) => {
+        const auth = ctx.auth;
+        const cell = await query_cell_get(ctx, input.cell_id);
+        if (!cell) {
+            throw jsonrpc_errors.not_found('cell', { reason: ERROR_CELL_NOT_FOUND });
+        }
+        // Same authz gate as create — manage tier only (admin / owner). The
+        // share list is the manager's to curate; viewers and editors alike
+        // fall through to the IDOR-mask 404.
+        if (!can_manage_cell(auth, cell)) {
+            throw jsonrpc_errors.not_found('cell', { reason: ERROR_CELL_NOT_FOUND });
+        }
+        const grants = await query_cell_grant_list_for_cell(ctx, cell.id);
+        return { grants: grants.map(to_grant_json) };
+    };
+    return [
+        rpc_action(cell_grant_create_action_spec, create_handler),
+        rpc_action(cell_grant_revoke_action_spec, revoke_handler),
+        rpc_action(cell_grant_list_action_spec, list_handler),
+    ];
+};

package/dist/auth/cell_grant_audit_metadata.d.ts

@@ -0,0 +1,75 @@
+/**
+ * Audit-log metadata schemas for the `cell_grant` ACL events.
+ *
+ * IDs only — no display-name snapshots. By convention audit logs store
+ * references, not denormalized strings; viewer tooling resolves
+ * `actor_id` → `actor.name`, `scope_id` → scope name, etc. at read time.
+ *
+ * Apps register these via `extra_events:` on `create_audit_log_config`
+ * alongside the other cell metadata schemas.
+ *
+ * @module
+ */
+import { z } from 'zod';
+/**
+ * Principal columns as stored on `cell_grant`. Discriminated by which
+ * keys are present: `{actor_id}` for an actor-shaped grant,
+ * `{role, scope_id}` for a role-shaped grant. Actor-shaped grants
+ * carry only the id; names are never persisted in the audit envelope.
+ */
+export declare const CellGrantPrincipalAuditMetadata: z.ZodUnion<readonly [z.ZodObject<{
+    actor_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+}, z.core.$loose>, z.ZodObject<{
+    role: z.ZodString;
+    scope_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+}, z.core.$loose>]>;
+export type CellGrantPrincipalAuditMetadata = z.infer<typeof CellGrantPrincipalAuditMetadata>;
+/**
+ * Metadata envelope for `cell_grant_create`.
+ *
+ * Emitted on every successful create OR re-share update path
+ * (UPSERT-on-unique-index). The audit reader correlates create-vs-update
+ * via `grant_id` if needed; the design doesn't require distinguishing
+ * the two at the metadata level.
+ */
+export declare const CellGrantCreateAuditMetadata: z.ZodObject<{
+    cell_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+    grant_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+    level: z.ZodEnum<{
+        viewer: "viewer";
+        editor: "editor";
+    }>;
+    principal: z.ZodUnion<readonly [z.ZodObject<{
+        actor_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+    }, z.core.$loose>, z.ZodObject<{
+        role: z.ZodString;
+        scope_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+    }, z.core.$loose>]>;
+}, z.core.$loose>;
+export type CellGrantCreateAuditMetadata = z.infer<typeof CellGrantCreateAuditMetadata>;
+/**
+ * Metadata envelope for `cell_grant_revoke`.
+ *
+ * `self: true` distinguishes the recipient-side "leave shared cell"
+ * path (actor-shaped grant where the principal actor === caller
+ * actor) from a delegator-side revoke. Single event type for both
+ * — the boolean is enough for forensic review and avoids surface-
+ * doubling with a parallel `cell_grant_leave` event.
+ */
+export declare const CellGrantRevokeAuditMetadata: z.ZodObject<{
+    cell_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+    grant_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+    level: z.ZodEnum<{
+        viewer: "viewer";
+        editor: "editor";
+    }>;
+    principal: z.ZodUnion<readonly [z.ZodObject<{
+        actor_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+    }, z.core.$loose>, z.ZodObject<{
+        role: z.ZodString;
+        scope_id: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+    }, z.core.$loose>]>;
+    self: z.ZodOptional<z.ZodLiteral<true>>;
+}, z.core.$loose>;
+export type CellGrantRevokeAuditMetadata = z.infer<typeof CellGrantRevokeAuditMetadata>;
+//# sourceMappingURL=cell_grant_audit_metadata.d.ts.map

package/dist/auth/cell_grant_audit_metadata.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cell_grant_audit_metadata.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/cell_grant_audit_metadata.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAGtB;;;;;GAKG;AACH,eAAO,MAAM,+BAA+B;;;;;mBAG1C,CAAC;AACH,MAAM,MAAM,+BAA+B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,+BAA+B,CAAC,CAAC;AAE9F;;;;;;;GAOG;AACH,eAAO,MAAM,4BAA4B;;;;;;;;;;;;;iBAKvC,CAAC;AACH,MAAM,MAAM,4BAA4B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,4BAA4B,CAAC,CAAC;AAExF;;;;;;;;GAQG;AACH,eAAO,MAAM,4BAA4B;;;;;;;;;;;;;;iBAMvC,CAAC;AACH,MAAM,MAAM,4BAA4B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,4BAA4B,CAAC,CAAC"}

package/dist/auth/cell_grant_audit_metadata.js

@@ -0,0 +1,54 @@
+/**
+ * Audit-log metadata schemas for the `cell_grant` ACL events.
+ *
+ * IDs only — no display-name snapshots. By convention audit logs store
+ * references, not denormalized strings; viewer tooling resolves
+ * `actor_id` → `actor.name`, `scope_id` → scope name, etc. at read time.
+ *
+ * Apps register these via `extra_events:` on `create_audit_log_config`
+ * alongside the other cell metadata schemas.
+ *
+ * @module
+ */
+import { z } from 'zod';
+import { Uuid } from '@fuzdev/fuz_util/id.js';
+/**
+ * Principal columns as stored on `cell_grant`. Discriminated by which
+ * keys are present: `{actor_id}` for an actor-shaped grant,
+ * `{role, scope_id}` for a role-shaped grant. Actor-shaped grants
+ * carry only the id; names are never persisted in the audit envelope.
+ */
+export const CellGrantPrincipalAuditMetadata = z.union([
+    z.looseObject({ actor_id: Uuid }),
+    z.looseObject({ role: z.string(), scope_id: Uuid.nullable() }),
+]);
+/**
+ * Metadata envelope for `cell_grant_create`.
+ *
+ * Emitted on every successful create OR re-share update path
+ * (UPSERT-on-unique-index). The audit reader correlates create-vs-update
+ * via `grant_id` if needed; the design doesn't require distinguishing
+ * the two at the metadata level.
+ */
+export const CellGrantCreateAuditMetadata = z.looseObject({
+    cell_id: Uuid,
+    grant_id: Uuid,
+    level: z.enum(['viewer', 'editor']),
+    principal: CellGrantPrincipalAuditMetadata,
+});
+/**
+ * Metadata envelope for `cell_grant_revoke`.
+ *
+ * `self: true` distinguishes the recipient-side "leave shared cell"
+ * path (actor-shaped grant where the principal actor === caller
+ * actor) from a delegator-side revoke. Single event type for both
+ * — the boolean is enough for forensic review and avoids surface-
+ * doubling with a parallel `cell_grant_leave` event.
+ */
+export const CellGrantRevokeAuditMetadata = z.looseObject({
+    cell_id: Uuid,
+    grant_id: Uuid,
+    level: z.enum(['viewer', 'editor']),
+    principal: CellGrantPrincipalAuditMetadata,
+    self: z.literal(true).optional(),
+});

package/dist/auth/cell_item_action_specs.d.ts

@@ -0,0 +1,331 @@
+/**
+ * Cell-item RPC specs — declarative contract for the four ordered-child
+ * verbs (`insert` / `move` / `delete` / `list`).
+ *
+ * `(parent_id, position) → child_id` rows. `position` is opaque text
+ * (fractional-indexing key); the wire validates the alphabet
+ * (`^[0-9A-Za-z]+$`) and length, the lex-ordering invariant is the
+ * client's contract.
+ *
+ * @module
+ */
+import { z } from 'zod';
+/** Error reason — `cell_item_list` got neither `parent_id` nor `child_id`. */
+export declare const ERROR_CELL_ITEM_LIST_REQUIRES_PARENT_OR_CHILD: "cell_item_list_requires_parent_or_child";
+/**
+ * Error reason — `(parent_id, position)` collision on `cell_item_insert`
+ * or `cell_item_move`. Surfaces when two clients computed the same
+ * fractional-indexing key (rare given helper-side jitter; the safety
+ * net for the residual race). Client refreshes its bracket and retries.
+ */
+export declare const ERROR_CELL_ITEM_POSITION_TAKEN: "cell_item_position_taken";
+/**
+ * Position grammar — base62 fractional-indexing key. Wire enforces
+ * non-empty, alphabet only, and the helper's `FRACTIONAL_INDEX_LENGTH_MAX`
+ * cap (well above realistic lengths even for hundreds of consecutive
+ * front-inserts; set high to avoid arbitrary cliffs). Lex ordering is the
+ * contract; the no-trailing-`'0'` invariant lives in the helper, not the
+ * wire.
+ */
+export declare const CellItemPosition: z.core.$ZodBranded<z.ZodString, "CellItemPosition", "out">;
+export type CellItemPosition = z.infer<typeof CellItemPosition>;
+/**
+ * Wire-format for a `cell_item` row.
+ *
+ * `position` is branded `CellItemPosition` so consumers that round-trip
+ * the value back into a `position_after` / `position` input field don't
+ * need a cast at every call site. Wire ingress is validated by the
+ * `CellItemPosition` Zod schema (alphabet + length); wire egress trusts
+ * the DB CHECK constraint that backs `cell_item.position`, so the
+ * server-side `to_item_json` casts a raw string from `CellItemRow`.
+ */
+export declare const ItemJson: z.ZodObject<{
+    parent_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+    position: z.core.$ZodBranded<z.ZodString, "CellItemPosition", "out">;
+    child_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+    created_at: z.ZodString;
+}, z.core.$strict>;
+export type ItemJson = z.infer<typeof ItemJson>;
+/**
+ * Input for `cell_item_insert`. Caller computes `position` via
+ * `fractional_index_between(prev, next)` (`@fuzdev/fuz_util/fractional_index.js`)
+ * client-side. Returns `cell_item_position_taken` on `(parent_id,
+ * position)` unique violation; client refreshes bracket and retries.
+ */
+export declare const CellItemInsertInput: z.ZodObject<{
+    parent_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+    child_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+    position: z.core.$ZodBranded<z.ZodString, "CellItemPosition", "out">;
+    acting: z.ZodOptional<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+}, z.core.$strict>;
+export type CellItemInsertInput = z.infer<typeof CellItemInsertInput>;
+export declare const CellItemInsertOutput: z.ZodObject<{
+    item: z.ZodObject<{
+        parent_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+        position: z.core.$ZodBranded<z.ZodString, "CellItemPosition", "out">;
+        child_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+        created_at: z.ZodString;
+    }, z.core.$strict>;
+}, z.core.$strict>;
+export type CellItemInsertOutput = z.infer<typeof CellItemInsertOutput>;
+/**
+ * Input for `cell_item_move`. Move within the same parent (cross-parent
+ * moves are a future extension).
+ */
+export declare const CellItemMoveInput: z.ZodObject<{
+    parent_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+    position: z.core.$ZodBranded<z.ZodString, "CellItemPosition", "out">;
+    new_position: z.core.$ZodBranded<z.ZodString, "CellItemPosition", "out">;
+    acting: z.ZodOptional<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+}, z.core.$strict>;
+export type CellItemMoveInput = z.infer<typeof CellItemMoveInput>;
+export declare const CellItemMoveOutput: z.ZodObject<{
+    item: z.ZodObject<{
+        parent_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+        position: z.core.$ZodBranded<z.ZodString, "CellItemPosition", "out">;
+        child_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+        created_at: z.ZodString;
+    }, z.core.$strict>;
+}, z.core.$strict>;
+export type CellItemMoveOutput = z.infer<typeof CellItemMoveOutput>;
+/** Input for `cell_item_delete`. Idempotent on the slot key. */
+export declare const CellItemDeleteInput: z.ZodObject<{
+    parent_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+    position: z.core.$ZodBranded<z.ZodString, "CellItemPosition", "out">;
+    acting: z.ZodOptional<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+}, z.core.$strict>;
+export type CellItemDeleteInput = z.infer<typeof CellItemDeleteInput>;
+export declare const CellItemDeleteOutput: z.ZodObject<{
+    ok: z.ZodLiteral<true>;
+    deleted: z.ZodBoolean;
+}, z.core.$strict>;
+export type CellItemDeleteOutput = z.infer<typeof CellItemDeleteOutput>;
+/**
+ * Input for `cell_item_list`. Pass `parent_id` for forward items or
+ * `child_id` for reverse lists — exactly one. Reverse listing has 2-layer
+ * authz (child view-check gates the call; per-parent view-check filters
+ * the rows).
+ *
+ * Forward listing supports cursor pagination via `position_after`
+ * (return rows with `position > position_after`). The reverse listing
+ * doesn't paginate (the result set is small in practice — number of
+ * parents containing a given child).
+ */
+export declare const CellItemListInput: z.ZodObject<{
+    parent_id: z.ZodOptional<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+    child_id: z.ZodOptional<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+    position_after: z.ZodOptional<z.core.$ZodBranded<z.ZodString, "CellItemPosition", "out">>;
+    limit: z.ZodOptional<z.ZodNumber>;
+    acting: z.ZodOptional<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+}, z.core.$strict>;
+export type CellItemListInput = z.infer<typeof CellItemListInput>;
+export declare const CellItemListOutput: z.ZodObject<{
+    items: z.ZodArray<z.ZodObject<{
+        parent_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+        position: z.core.$ZodBranded<z.ZodString, "CellItemPosition", "out">;
+        child_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+        created_at: z.ZodString;
+    }, z.core.$strict>>;
+}, z.core.$strict>;
+export type CellItemListOutput = z.infer<typeof CellItemListOutput>;
+export declare const cell_item_insert_action_spec: {
+    method: string;
+    kind: "request_response";
+    initiator: "frontend";
+    auth: {
+        account: "required";
+        actor: "required";
+    };
+    side_effects: true;
+    input: z.ZodObject<{
+        parent_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+        child_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+        position: z.core.$ZodBranded<z.ZodString, "CellItemPosition", "out">;
+        acting: z.ZodOptional<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+    }, z.core.$strict>;
+    output: z.ZodObject<{
+        item: z.ZodObject<{
+            parent_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+            position: z.core.$ZodBranded<z.ZodString, "CellItemPosition", "out">;
+            child_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+            created_at: z.ZodString;
+        }, z.core.$strict>;
+    }, z.core.$strict>;
+    async: true;
+    description: string;
+};
+export declare const cell_item_move_action_spec: {
+    method: string;
+    kind: "request_response";
+    initiator: "frontend";
+    auth: {
+        account: "required";
+        actor: "required";
+    };
+    side_effects: true;
+    input: z.ZodObject<{
+        parent_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+        position: z.core.$ZodBranded<z.ZodString, "CellItemPosition", "out">;
+        new_position: z.core.$ZodBranded<z.ZodString, "CellItemPosition", "out">;
+        acting: z.ZodOptional<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+    }, z.core.$strict>;
+    output: z.ZodObject<{
+        item: z.ZodObject<{
+            parent_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+            position: z.core.$ZodBranded<z.ZodString, "CellItemPosition", "out">;
+            child_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+            created_at: z.ZodString;
+        }, z.core.$strict>;
+    }, z.core.$strict>;
+    async: true;
+    description: string;
+};
+export declare const cell_item_delete_action_spec: {
+    method: string;
+    kind: "request_response";
+    initiator: "frontend";
+    auth: {
+        account: "required";
+        actor: "required";
+    };
+    side_effects: true;
+    input: z.ZodObject<{
+        parent_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+        position: z.core.$ZodBranded<z.ZodString, "CellItemPosition", "out">;
+        acting: z.ZodOptional<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+    }, z.core.$strict>;
+    output: z.ZodObject<{
+        ok: z.ZodLiteral<true>;
+        deleted: z.ZodBoolean;
+    }, z.core.$strict>;
+    async: true;
+    description: string;
+};
+export declare const cell_item_list_action_spec: {
+    method: string;
+    kind: "request_response";
+    initiator: "frontend";
+    auth: {
+        account: "optional";
+        actor: "optional";
+    };
+    side_effects: false;
+    input: z.ZodObject<{
+        parent_id: z.ZodOptional<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+        child_id: z.ZodOptional<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+        position_after: z.ZodOptional<z.core.$ZodBranded<z.ZodString, "CellItemPosition", "out">>;
+        limit: z.ZodOptional<z.ZodNumber>;
+        acting: z.ZodOptional<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+    }, z.core.$strict>;
+    output: z.ZodObject<{
+        items: z.ZodArray<z.ZodObject<{
+            parent_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+            position: z.core.$ZodBranded<z.ZodString, "CellItemPosition", "out">;
+            child_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+            created_at: z.ZodString;
+        }, z.core.$strict>>;
+    }, z.core.$strict>;
+    async: true;
+    rate_limit: "ip";
+    description: string;
+};
+/** All cell_item action specs — composed into `all_cell_action_specs`. */
+export declare const all_cell_item_action_specs: readonly [{
+    method: string;
+    kind: "request_response";
+    initiator: "frontend";
+    auth: {
+        account: "required";
+        actor: "required";
+    };
+    side_effects: true;
+    input: z.ZodObject<{
+        parent_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+        child_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+        position: z.core.$ZodBranded<z.ZodString, "CellItemPosition", "out">;
+        acting: z.ZodOptional<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+    }, z.core.$strict>;
+    output: z.ZodObject<{
+        item: z.ZodObject<{
+            parent_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+            position: z.core.$ZodBranded<z.ZodString, "CellItemPosition", "out">;
+            child_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+            created_at: z.ZodString;
+        }, z.core.$strict>;
+    }, z.core.$strict>;
+    async: true;
+    description: string;
+}, {
+    method: string;
+    kind: "request_response";
+    initiator: "frontend";
+    auth: {
+        account: "required";
+        actor: "required";
+    };
+    side_effects: true;
+    input: z.ZodObject<{
+        parent_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+        position: z.core.$ZodBranded<z.ZodString, "CellItemPosition", "out">;
+        new_position: z.core.$ZodBranded<z.ZodString, "CellItemPosition", "out">;
+        acting: z.ZodOptional<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+    }, z.core.$strict>;
+    output: z.ZodObject<{
+        item: z.ZodObject<{
+            parent_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+            position: z.core.$ZodBranded<z.ZodString, "CellItemPosition", "out">;
+            child_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+            created_at: z.ZodString;
+        }, z.core.$strict>;
+    }, z.core.$strict>;
+    async: true;
+    description: string;
+}, {
+    method: string;
+    kind: "request_response";
+    initiator: "frontend";
+    auth: {
+        account: "required";
+        actor: "required";
+    };
+    side_effects: true;
+    input: z.ZodObject<{
+        parent_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+        position: z.core.$ZodBranded<z.ZodString, "CellItemPosition", "out">;
+        acting: z.ZodOptional<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+    }, z.core.$strict>;
+    output: z.ZodObject<{
+        ok: z.ZodLiteral<true>;
+        deleted: z.ZodBoolean;
+    }, z.core.$strict>;
+    async: true;
+    description: string;
+}, {
+    method: string;
+    kind: "request_response";
+    initiator: "frontend";
+    auth: {
+        account: "optional";
+        actor: "optional";
+    };
+    side_effects: false;
+    input: z.ZodObject<{
+        parent_id: z.ZodOptional<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+        child_id: z.ZodOptional<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+        position_after: z.ZodOptional<z.core.$ZodBranded<z.ZodString, "CellItemPosition", "out">>;
+        limit: z.ZodOptional<z.ZodNumber>;
+        acting: z.ZodOptional<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+    }, z.core.$strict>;
+    output: z.ZodObject<{
+        items: z.ZodArray<z.ZodObject<{
+            parent_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+            position: z.core.$ZodBranded<z.ZodString, "CellItemPosition", "out">;
+            child_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+            created_at: z.ZodString;
+        }, z.core.$strict>>;
+    }, z.core.$strict>;
+    async: true;
+    rate_limit: "ip";
+    description: string;
+}];
+//# sourceMappingURL=cell_item_action_specs.d.ts.map

package/dist/auth/cell_item_action_specs.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cell_item_action_specs.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/cell_item_action_specs.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAYtB,8EAA8E;AAC9E,eAAO,MAAM,6CAA6C,EACzD,yCAAkD,CAAC;AAEpD;;;;;GAKG;AACH,eAAO,MAAM,8BAA8B,EAAG,0BAAmC,CAAC;AAIlF;;;;;;;GAOG;AACH,eAAO,MAAM,gBAAgB,4DAKF,CAAC;AAC5B,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC;AAEhE;;;;;;;;;GASG;AACH,eAAO,MAAM,QAAQ;;;;;kBAKnB,CAAC;AACH,MAAM,MAAM,QAAQ,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,QAAQ,CAAC,CAAC;AAIhD;;;;;GAKG;AACH,eAAO,MAAM,mBAAmB;;;;;kBAO9B,CAAC;AACH,MAAM,MAAM,mBAAmB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAC;AAEtE,eAAO,MAAM,oBAAoB;;;;;;;kBAAmC,CAAC;AACrE,MAAM,MAAM,oBAAoB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAC;AAIxE;;;GAGG;AACH,eAAO,MAAM,iBAAiB;;;;;kBAK5B,CAAC;AACH,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAC;AAElE,eAAO,MAAM,kBAAkB;;;;;;;kBAAmC,CAAC;AACnE,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAIpE,gEAAgE;AAChE,eAAO,MAAM,mBAAmB;;;;kBAI9B,CAAC;AACH,MAAM,MAAM,mBAAmB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAC;AAEtE,eAAO,MAAM,oBAAoB;;;kBAG/B,CAAC;AACH,MAAM,MAAM,oBAAoB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAC;AAIxE;;;;;;;;;;GAUG;AACH,eAAO,MAAM,iBAAiB;;;;;;kBAmB3B,CAAC;AACJ,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAC;AAElE,eAAO,MAAM,kBAAkB;;;;;;;kBAE7B,CAAC;AACH,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAIpE,eAAO,MAAM,4BAA4B;;;;;;;;;;;;;;;;;;;;;;;;;CAWJ,CAAC;AAEtC,eAAO,MAAM,0BAA0B;;;;;;;;;;;;;;;;;;;;;;;;;CAWF,CAAC;AAEtC,eAAO,MAAM,4BAA4B;;;;;;;;;;;;;;;;;;;;CAWJ,CAAC;AAEtC,eAAO,MAAM,0BAA0B;;;;;;;;;;;;;;;;;;;;;;;;;;;CAYF,CAAC;AAEtC,0EAA0E;AAC1E,eAAO,MAAM,0BAA0B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAK7B,CAAC"}