npm - @fuzdev/fuz_app - Versions diffs - 0.67.1 → 0.69.0 - Mend

@fuzdev/fuz_app 0.67.1 → 0.69.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (235) hide show

package/dist/actions/perform_action.d.ts.map +1 -1
package/dist/actions/perform_action.js +10 -3
package/dist/auth/CLAUDE.md +99 -5
package/dist/auth/account_queries.d.ts +87 -4
package/dist/auth/account_queries.d.ts.map +1 -1
package/dist/auth/account_queries.js +107 -17
package/dist/auth/account_schema.d.ts +19 -0
package/dist/auth/account_schema.d.ts.map +1 -1
package/dist/auth/account_schema.js +8 -0
package/dist/auth/admin_action_specs.d.ts +170 -3
package/dist/auth/admin_action_specs.d.ts.map +1 -1
package/dist/auth/admin_action_specs.js +148 -4
package/dist/auth/admin_actions.d.ts +4 -14
package/dist/auth/admin_actions.d.ts.map +1 -1
package/dist/auth/admin_actions.js +246 -40
package/dist/auth/audit_log_ddl.d.ts +10 -1
package/dist/auth/audit_log_ddl.d.ts.map +1 -1
package/dist/auth/audit_log_ddl.js +13 -4
package/dist/auth/audit_log_schema.d.ts +34 -1
package/dist/auth/audit_log_schema.d.ts.map +1 -1
package/dist/auth/audit_log_schema.js +73 -0
package/dist/auth/auth_ddl.d.ts +2 -2
package/dist/auth/auth_ddl.d.ts.map +1 -1
package/dist/auth/auth_ddl.js +10 -2
package/dist/auth/cell_action_specs.d.ts +1295 -0
package/dist/auth/cell_action_specs.d.ts.map +1 -0
package/dist/auth/cell_action_specs.js +397 -0
package/dist/auth/cell_actions.d.ts +63 -0
package/dist/auth/cell_actions.d.ts.map +1 -0
package/dist/auth/cell_actions.js +546 -0
package/dist/auth/cell_audit_action_specs.d.ts +131 -0
package/dist/auth/cell_audit_action_specs.d.ts.map +1 -0
package/dist/auth/cell_audit_action_specs.js +70 -0
package/dist/auth/cell_audit_actions.d.ts +18 -0
package/dist/auth/cell_audit_actions.d.ts.map +1 -0
package/dist/auth/cell_audit_actions.js +59 -0
package/dist/auth/cell_audit_events.d.ts +28 -0
package/dist/auth/cell_audit_events.d.ts.map +1 -0
package/dist/auth/cell_audit_events.js +42 -0
package/dist/auth/cell_audit_metadata.d.ts +48 -0
package/dist/auth/cell_audit_metadata.d.ts.map +1 -0
package/dist/auth/cell_audit_metadata.js +46 -0
package/dist/auth/cell_authorize.d.ts +88 -0
package/dist/auth/cell_authorize.d.ts.map +1 -0
package/dist/auth/cell_authorize.js +172 -0
package/dist/auth/cell_data_schema.d.ts +44 -0
package/dist/auth/cell_data_schema.d.ts.map +1 -0
package/dist/auth/cell_data_schema.js +42 -0
package/dist/auth/cell_field_action_specs.d.ts +244 -0
package/dist/auth/cell_field_action_specs.d.ts.map +1 -0
package/dist/auth/cell_field_action_specs.js +136 -0
package/dist/auth/cell_field_actions.d.ts +34 -0
package/dist/auth/cell_field_actions.d.ts.map +1 -0
package/dist/auth/cell_field_actions.js +153 -0
package/dist/auth/cell_field_audit_metadata.d.ts +30 -0
package/dist/auth/cell_field_audit_metadata.d.ts.map +1 -0
package/dist/auth/cell_field_audit_metadata.js +28 -0
package/dist/auth/cell_grant_action_specs.d.ts +333 -0
package/dist/auth/cell_grant_action_specs.d.ts.map +1 -0
package/dist/auth/cell_grant_action_specs.js +148 -0
package/dist/auth/cell_grant_actions.d.ts +50 -0
package/dist/auth/cell_grant_actions.d.ts.map +1 -0
package/dist/auth/cell_grant_actions.js +208 -0
package/dist/auth/cell_grant_audit_metadata.d.ts +75 -0
package/dist/auth/cell_grant_audit_metadata.d.ts.map +1 -0
package/dist/auth/cell_grant_audit_metadata.js +54 -0
package/dist/auth/cell_item_action_specs.d.ts +331 -0
package/dist/auth/cell_item_action_specs.d.ts.map +1 -0
package/dist/auth/cell_item_action_specs.js +182 -0
package/dist/auth/cell_item_actions.d.ts +37 -0
package/dist/auth/cell_item_actions.d.ts.map +1 -0
package/dist/auth/cell_item_actions.js +204 -0
package/dist/auth/cell_item_audit_metadata.d.ts +35 -0
package/dist/auth/cell_item_audit_metadata.d.ts.map +1 -0
package/dist/auth/cell_item_audit_metadata.js +32 -0
package/dist/auth/cell_relation_visibility.d.ts +32 -0
package/dist/auth/cell_relation_visibility.d.ts.map +1 -0
package/dist/auth/cell_relation_visibility.js +57 -0
package/dist/auth/deps.d.ts +9 -0
package/dist/auth/deps.d.ts.map +1 -1
package/dist/auth/role_grant_queries.d.ts +30 -0
package/dist/auth/role_grant_queries.d.ts.map +1 -1
package/dist/auth/role_grant_queries.js +54 -0
package/dist/auth/signup_routes.d.ts +0 -3
package/dist/auth/signup_routes.d.ts.map +1 -1
package/dist/auth/signup_routes.js +9 -3
package/dist/auth/standard_rpc_actions.d.ts +5 -5
package/dist/auth/standard_rpc_actions.js +4 -4
package/dist/db/CLAUDE.md +118 -0
package/dist/db/cell_audit_queries.d.ts +26 -0
package/dist/db/cell_audit_queries.d.ts.map +1 -0
package/dist/db/cell_audit_queries.js +53 -0
package/dist/db/cell_ddl.d.ts +151 -0
package/dist/db/cell_ddl.d.ts.map +1 -0
package/dist/db/cell_ddl.js +247 -0
package/dist/db/cell_field_queries.d.ts +105 -0
package/dist/db/cell_field_queries.d.ts.map +1 -0
package/dist/db/cell_field_queries.js +113 -0
package/dist/db/cell_grant_queries.d.ts +132 -0
package/dist/db/cell_grant_queries.d.ts.map +1 -0
package/dist/db/cell_grant_queries.js +145 -0
package/dist/db/cell_history_ddl.d.ts +38 -0
package/dist/db/cell_history_ddl.d.ts.map +1 -0
package/dist/db/cell_history_ddl.js +61 -0
package/dist/db/cell_item_queries.d.ts +107 -0
package/dist/db/cell_item_queries.d.ts.map +1 -0
package/dist/db/cell_item_queries.js +119 -0
package/dist/db/cell_queries.d.ts +327 -0
package/dist/db/cell_queries.d.ts.map +1 -0
package/dist/db/cell_queries.js +431 -0
package/dist/db/fact_ddl.d.ts +38 -0
package/dist/db/fact_ddl.d.ts.map +1 -0
package/dist/db/fact_ddl.js +71 -0
package/dist/db/fact_queries.d.ts +140 -0
package/dist/db/fact_queries.d.ts.map +1 -0
package/dist/db/fact_queries.js +161 -0
package/dist/db/fact_store.d.ts +112 -0
package/dist/db/fact_store.d.ts.map +1 -0
package/dist/db/fact_store.js +225 -0
package/dist/server/app_server.d.ts +1 -7
package/dist/server/app_server.d.ts.map +1 -1
package/dist/server/app_server.js +1 -5
package/dist/server/env.d.ts +2 -0
package/dist/server/env.d.ts.map +1 -1
package/dist/server/env.js +6 -0
package/dist/server/fact_write.d.ts +32 -0
package/dist/server/fact_write.d.ts.map +1 -0
package/dist/server/fact_write.js +56 -0
package/dist/server/file_fact_fetcher.d.ts +42 -0
package/dist/server/file_fact_fetcher.d.ts.map +1 -0
package/dist/server/file_fact_fetcher.js +60 -0
package/dist/server/file_fact_url.d.ts +53 -0
package/dist/server/file_fact_url.d.ts.map +1 -0
package/dist/server/file_fact_url.js +52 -0
package/dist/server/serve_fact_route.d.ts +78 -0
package/dist/server/serve_fact_route.d.ts.map +1 -0
package/dist/server/serve_fact_route.js +205 -0
package/dist/testing/CLAUDE.md +142 -6
package/dist/testing/app_server.d.ts +46 -0
package/dist/testing/app_server.d.ts.map +1 -1
package/dist/testing/app_server.js +67 -8
package/dist/testing/audit_completeness.d.ts.map +1 -1
package/dist/testing/audit_completeness.js +67 -1
package/dist/testing/cross_backend/account_lifecycle.d.ts +10 -0
package/dist/testing/cross_backend/account_lifecycle.d.ts.map +1 -0
package/dist/testing/cross_backend/account_lifecycle.js +144 -0
package/dist/testing/cross_backend/actor_lookup.d.ts +10 -0
package/dist/testing/cross_backend/actor_lookup.d.ts.map +1 -0
package/dist/testing/cross_backend/actor_lookup.js +83 -0
package/dist/testing/cross_backend/actor_search.d.ts +6 -0
package/dist/testing/cross_backend/actor_search.d.ts.map +1 -0
package/dist/testing/cross_backend/actor_search.js +92 -0
package/dist/testing/cross_backend/app_settings.d.ts +6 -0
package/dist/testing/cross_backend/app_settings.d.ts.map +1 -0
package/dist/testing/cross_backend/app_settings.js +95 -0
package/dist/testing/cross_backend/backend_config.d.ts +1 -1
package/dist/testing/cross_backend/capabilities.d.ts +29 -7
package/dist/testing/cross_backend/capabilities.d.ts.map +1 -1
package/dist/testing/cross_backend/capabilities.js +3 -1
package/dist/testing/cross_backend/cell_cross_helpers.d.ts +39 -0
package/dist/testing/cross_backend/cell_cross_helpers.d.ts.map +1 -0
package/dist/testing/cross_backend/cell_cross_helpers.js +45 -0
package/dist/testing/cross_backend/cell_crud.d.ts +4 -0
package/dist/testing/cross_backend/cell_crud.d.ts.map +1 -0
package/dist/testing/cross_backend/cell_crud.js +168 -0
package/dist/testing/cross_backend/cell_grant_role.d.ts +8 -0
package/dist/testing/cross_backend/cell_grant_role.d.ts.map +1 -0
package/dist/testing/cross_backend/cell_grant_role.js +102 -0
package/dist/testing/cross_backend/cell_relations.d.ts +4 -0
package/dist/testing/cross_backend/cell_relations.d.ts.map +1 -0
package/dist/testing/cross_backend/cell_relations.js +229 -0
package/dist/testing/cross_backend/conformance_case.d.ts +144 -0
package/dist/testing/cross_backend/conformance_case.d.ts.map +1 -0
package/dist/testing/cross_backend/conformance_case.js +132 -0
package/dist/testing/cross_backend/conformance_table.d.ts +46 -0
package/dist/testing/cross_backend/conformance_table.d.ts.map +1 -0
package/dist/testing/cross_backend/conformance_table.js +199 -0
package/dist/testing/cross_backend/default_backend_configs.d.ts.map +1 -1
package/dist/testing/cross_backend/default_backend_configs.js +6 -2
package/dist/testing/cross_backend/default_spine_surface.d.ts +17 -9
package/dist/testing/cross_backend/default_spine_surface.d.ts.map +1 -1
package/dist/testing/cross_backend/default_spine_surface.js +20 -12
package/dist/testing/cross_backend/origin.d.ts +10 -0
package/dist/testing/cross_backend/origin.d.ts.map +1 -0
package/dist/testing/cross_backend/origin.js +73 -0
package/dist/testing/cross_backend/setup.d.ts +22 -40
package/dist/testing/cross_backend/setup.d.ts.map +1 -1
package/dist/testing/cross_backend/setup.js +39 -5
package/dist/testing/cross_backend/testing_reset_actions.d.ts +90 -2
package/dist/testing/cross_backend/testing_reset_actions.d.ts.map +1 -1
package/dist/testing/cross_backend/testing_reset_actions.js +91 -3
package/dist/testing/cross_backend/xfail.d.ts +15 -0
package/dist/testing/cross_backend/xfail.d.ts.map +1 -0
package/dist/testing/cross_backend/xfail.js +37 -0
package/dist/testing/entities.d.ts.map +1 -1
package/dist/testing/entities.js +4 -0
package/dist/testing/integration.d.ts +2 -3
package/dist/testing/integration.d.ts.map +1 -1
package/dist/testing/integration.js +20 -85
package/dist/testing/rate_limiting.d.ts +1 -1
package/dist/testing/rpc_helpers.d.ts +3 -3
package/dist/testing/sse_round_trip.d.ts +1 -1
package/dist/testing/stubs.d.ts.map +1 -1
package/dist/testing/stubs.js +0 -1
package/dist/testing/ws_round_trip.d.ts.map +1 -1
package/dist/testing/ws_round_trip.js +4 -0
package/dist/ui/AdminAccounts.svelte +84 -35
package/dist/ui/AdminAccounts.svelte.d.ts.map +1 -1
package/dist/ui/AdminSessions.svelte +21 -23
package/dist/ui/AdminSessions.svelte.d.ts.map +1 -1
package/dist/ui/CLAUDE.md +17 -26
package/dist/ui/OpenSignupToggle.svelte +2 -5
package/dist/ui/OpenSignupToggle.svelte.d.ts.map +1 -1
package/dist/ui/account_sessions_state.svelte.d.ts +9 -10
package/dist/ui/account_sessions_state.svelte.d.ts.map +1 -1
package/dist/ui/account_sessions_state.svelte.js +7 -17
package/dist/ui/admin_accounts_state.svelte.d.ts +41 -20
package/dist/ui/admin_accounts_state.svelte.d.ts.map +1 -1
package/dist/ui/admin_accounts_state.svelte.js +52 -22
package/dist/ui/admin_invites_state.svelte.d.ts +8 -11
package/dist/ui/admin_invites_state.svelte.d.ts.map +1 -1
package/dist/ui/admin_invites_state.svelte.js +7 -16
package/dist/ui/admin_rpc_adapters.d.ts +6 -2
package/dist/ui/admin_rpc_adapters.d.ts.map +1 -1
package/dist/ui/admin_rpc_adapters.js +5 -1
package/dist/ui/admin_sessions_state.svelte.d.ts +6 -10
package/dist/ui/admin_sessions_state.svelte.d.ts.map +1 -1
package/dist/ui/admin_sessions_state.svelte.js +4 -14
package/dist/ui/app_settings_state.svelte.d.ts +8 -12
package/dist/ui/app_settings_state.svelte.d.ts.map +1 -1
package/dist/ui/app_settings_state.svelte.js +6 -16
package/dist/ui/audit_log_state.svelte.d.ts +9 -8
package/dist/ui/audit_log_state.svelte.d.ts.map +1 -1
package/dist/ui/audit_log_state.svelte.js +8 -20
package/package.json +2 -2

package/dist/auth/admin_action_specs.d.ts CHANGED Viewed

@@ -28,6 +28,7 @@ export declare const AdminAccountListInput: z.ZodDefault<z.ZodObject<{
     acting: z.ZodOptional<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
     limit: z.ZodOptional<z.ZodNullable<z.ZodNumber>>;
     offset: z.ZodOptional<z.ZodNullable<z.ZodNumber>>;
+    include_deleted: z.ZodOptional<z.ZodNullable<z.ZodBoolean>>;
 }, z.core.$strict>>;
 export type AdminAccountListInput = z.infer<typeof AdminAccountListInput>;
 /** Output for `admin_account_list`. */
@@ -41,6 +42,7 @@ export declare const AdminAccountListOutput: z.ZodObject<{
             created_at: z.ZodString;
             updated_at: z.ZodString;
             updated_by: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+            deleted_at: z.ZodNullable<z.ZodString>;
         }, z.core.$strict>;
         actor: z.ZodNullable<z.ZodObject<{
             id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
@@ -264,6 +266,81 @@ export declare const AppSettingsUpdateOutput: z.ZodObject<{
     }, z.core.$strict>;
 }, z.core.$strict>;
 export type AppSettingsUpdateOutput = z.infer<typeof AppSettingsUpdateOutput>;
+/**
+ * `data.reason` on `account_purge` when `confirm: true` is absent.
+ * Fail-loud: the irreversible purge refuses to run without explicit
+ * confirmation. Mirrors the Rust `ERROR_PURGE_NOT_CONFIRMED`.
+ */
+export declare const ERROR_PURGE_NOT_CONFIRMED: "purge_not_confirmed";
+/**
+ * `data.reason` (403) on `account_delete` / `account_purge` when the
+ * target account holds an active keeper role_grant. The keeper account
+ * is never deletable or purgeable through the API: auth resolution and
+ * daemon-token resolution both pivot on the keeper account, so tombstoning
+ * or cascading it away would brick keeper/daemon auth with no recovery
+ * path (the keeper role is not web-revocable, and `account_purge` itself
+ * requires keeper auth). Keeper-account removal stays out-of-band
+ * (bootstrap / DB surgery). Mirrors the Rust `ERROR_CANNOT_DELETE_KEEPER`.
+ */
+export declare const ERROR_CANNOT_DELETE_KEEPER: "cannot_delete_keeper";
+/**
+ * `data.reason` (403) on `account_delete` / `account_purge` when the target
+ * is the **sole remaining active admin** — removing it would leave the
+ * system with no account that can authenticate into the admin surface (and
+ * `account_undelete` is itself admin-gated). Unlike the keeper guard this is
+ * keeper-recoverable (a keeper can re-grant admin), but the guard avoids the
+ * foot-gun of an admin tombstoning the last admin in one call. Soft-deleted
+ * admins don't count toward the tally (they can't log in). Mirrors the Rust
+ * `ERROR_CANNOT_DELETE_LAST_ADMIN`.
+ */
+export declare const ERROR_CANNOT_DELETE_LAST_ADMIN: "cannot_delete_last_admin";
+/**
+ * Input for `account_delete` (soft delete). `account_id` is optional —
+ * omitted (or equal to the caller's own account) is a self-delete; a
+ * different account requires the admin role (handler-enforced
+ * elevation, like `role_grant_offer_list`).
+ */
+export declare const AccountDeleteInput: z.ZodDefault<z.ZodObject<{
+    account_id: z.ZodOptional<z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>>;
+    acting: z.ZodOptional<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+}, z.core.$strict>>;
+export type AccountDeleteInput = z.infer<typeof AccountDeleteInput>;
+/** Output for `account_delete`. */
+export declare const AccountDeleteOutput: z.ZodObject<{
+    ok: z.ZodLiteral<true>;
+    deleted: z.ZodBoolean;
+}, z.core.$strict>;
+export type AccountDeleteOutput = z.infer<typeof AccountDeleteOutput>;
+/** Input for `account_purge` (hard, irreversible delete). Keeper-only. */
+export declare const AccountPurgeInput: z.ZodObject<{
+    account_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+    confirm: z.ZodOptional<z.ZodBoolean>;
+    acting: z.ZodOptional<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+}, z.core.$strict>;
+export type AccountPurgeInput = z.infer<typeof AccountPurgeInput>;
+/** Output for `account_purge`. */
+export declare const AccountPurgeOutput: z.ZodObject<{
+    ok: z.ZodLiteral<true>;
+    purged: z.ZodBoolean;
+}, z.core.$strict>;
+export type AccountPurgeOutput = z.infer<typeof AccountPurgeOutput>;
+/**
+ * Input for `account_undelete` (reactivation). `account_id` is required —
+ * unlike `account_delete` there is no self path: a soft-deleted account
+ * can't authenticate (auth resolution excludes it, sessions are revoked),
+ * so reactivation is always an admin acting on another account.
+ */
+export declare const AccountUndeleteInput: z.ZodObject<{
+    account_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+    acting: z.ZodOptional<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+}, z.core.$strict>;
+export type AccountUndeleteInput = z.infer<typeof AccountUndeleteInput>;
+/** Output for `account_undelete`. */
+export declare const AccountUndeleteOutput: z.ZodObject<{
+    ok: z.ZodLiteral<true>;
+    undeleted: z.ZodBoolean;
+}, z.core.$strict>;
+export type AccountUndeleteOutput = z.infer<typeof AccountUndeleteOutput>;
 /**
  * `rate_limit: 'account'` bounds admin-side scraping of the account table
  * via `(limit, offset)` walking — admin trust is not a substitute for a
@@ -284,6 +361,7 @@ export declare const admin_account_list_action_spec: {
         acting: z.ZodOptional<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
         limit: z.ZodOptional<z.ZodNullable<z.ZodNumber>>;
         offset: z.ZodOptional<z.ZodNullable<z.ZodNumber>>;
+        include_deleted: z.ZodOptional<z.ZodNullable<z.ZodBoolean>>;
     }, z.core.$strict>>;
     output: z.ZodObject<{
         accounts: z.ZodArray<z.ZodObject<{
@@ -295,6 +373,7 @@ export declare const admin_account_list_action_spec: {
                 created_at: z.ZodString;
                 updated_at: z.ZodString;
                 updated_by: z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+                deleted_at: z.ZodNullable<z.ZodString>;
             }, z.core.$strict>;
             actor: z.ZodNullable<z.ZodObject<{
                 id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
@@ -588,6 +667,95 @@ export declare const invite_delete_action_spec: {
     description: string;
     rate_limit: "account";
 };
+/**
+ * Soft-delete an account (reversible tombstone). Self-or-admin: the
+ * caller may delete their own account; deleting another requires the
+ * admin role (handler-enforced elevation). No `admin_` prefix — the
+ * privilege lives in the auth check, not the name, so self-service
+ * deletion stays open (`delete` = soft, `purge` = hard).
+ */
+export declare const account_delete_action_spec: {
+    method: string;
+    kind: "request_response";
+    initiator: "frontend";
+    auth: {
+        account: "required";
+        actor: "required";
+    };
+    side_effects: true;
+    input: z.ZodDefault<z.ZodObject<{
+        account_id: z.ZodOptional<z.ZodNullable<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>>;
+        acting: z.ZodOptional<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+    }, z.core.$strict>>;
+    output: z.ZodObject<{
+        ok: z.ZodLiteral<true>;
+        deleted: z.ZodBoolean;
+    }, z.core.$strict>;
+    async: true;
+    description: string;
+    rate_limit: "account";
+};
+/**
+ * Hard-purge an account (keeper-gated, irreversible). Keeper credential
+ * (`daemon_token`) + keeper role + explicit `confirm: true`. Not
+ * admin-reachable and not self-service — the most dangerous operation is
+ * the most restricted. `purge` = hard; the word + gating + WARN flag the
+ * danger (fail-loud).
+ */
+export declare const account_purge_action_spec: {
+    method: string;
+    kind: "request_response";
+    initiator: "frontend";
+    auth: {
+        account: "required";
+        actor: "required";
+        roles: string[];
+        credential_types: string[];
+    };
+    side_effects: true;
+    input: z.ZodObject<{
+        account_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+        confirm: z.ZodOptional<z.ZodBoolean>;
+        acting: z.ZodOptional<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+    }, z.core.$strict>;
+    output: z.ZodObject<{
+        ok: z.ZodLiteral<true>;
+        purged: z.ZodBoolean;
+    }, z.core.$strict>;
+    async: true;
+    description: string;
+    rate_limit: "account";
+};
+/**
+ * Reactivate a soft-deleted account (clears the tombstone). Admin-only —
+ * there is no self path because a soft-deleted account can't authenticate
+ * (auth resolution excludes it and its sessions are revoked), so
+ * reactivation is always an admin acting on another account. The inverse
+ * of `account_delete`; does not restore revoked sessions/tokens
+ * (delete = soft, purge = hard).
+ */
+export declare const account_undelete_action_spec: {
+    method: string;
+    kind: "request_response";
+    initiator: "frontend";
+    auth: {
+        account: "required";
+        actor: "required";
+        roles: string[];
+    };
+    side_effects: true;
+    input: z.ZodObject<{
+        account_id: z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">;
+        acting: z.ZodOptional<z.core.$ZodBranded<z.ZodUUID, "Uuid", "out">>;
+    }, z.core.$strict>;
+    output: z.ZodObject<{
+        ok: z.ZodLiteral<true>;
+        undeleted: z.ZodBoolean;
+    }, z.core.$strict>;
+    async: true;
+    description: string;
+    rate_limit: "account";
+};
 export declare const app_settings_get_action_spec: {
     method: string;
     kind: "request_response";
@@ -642,9 +810,8 @@ export declare const app_settings_update_action_spec: {
 /**
  * All admin action specs — a codegen-ready registry. Consumers spread this
  * into their own action-spec array to include admin methods in a typed
- * client surface. Always includes the two app-settings specs; the runtime
- * factory only wires their handlers when `AdminActionOptions.app_settings`
- * is provided.
+ * client surface. Includes the two app-settings specs, whose handlers the
+ * runtime factory always wires.
  */
 export declare const all_admin_action_specs: Array<RequestResponseActionSpec>;
 //# sourceMappingURL=admin_action_specs.d.ts.map

package/dist/auth/admin_action_specs.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"admin_action_specs.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/admin_action_specs.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAGtB,OAAO,KAAK,EAAC,yBAAyB,EAAC,MAAM,2BAA2B,CAAC;~~AAgBzE~~,+BAA+B;AAC/B,eAAO,MAAM,wBAAwB,MAAM,CAAC;AAE5C,8CAA8C;AAC9C,eAAO,MAAM,gCAAgC,KAAK,CAAC;AACnD,0CAA0C;AAC1C,eAAO,MAAM,4BAA4B,MAAM,CAAC;AAIhD,sCAAsC;AACtC,eAAO,MAAM,qBAAqB~~;;;;mBAcrB~~,CAAC;AACd,MAAM,MAAM,qBAAqB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,qBAAqB,CAAC,CAAC;AAE1E,uCAAuC;AACvC,eAAO,MAAM,sBAAsB~~;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;~~kBAGjC,CAAC;AACH,MAAM,MAAM,sBAAsB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAC;AAE5E,sCAAsC;AACtC,eAAO,MAAM,qBAAqB;;mBAIrB,CAAC;AACd,MAAM,MAAM,qBAAqB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,qBAAqB,CAAC,CAAC;AAE1E,mGAAmG;AACnG,eAAO,MAAM,sBAAsB;;;;;;;;;kBAEjC,CAAC;AACH,MAAM,MAAM,sBAAsB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAC;AAE5E,4CAA4C;AAC5C,eAAO,MAAM,0BAA0B;;;kBAGrC,CAAC;AACH,MAAM,MAAM,0BAA0B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,0BAA0B,CAAC,CAAC;AAEpF,6CAA6C;AAC7C,eAAO,MAAM,2BAA2B;;;kBAGtC,CAAC;AACH,MAAM,MAAM,2BAA2B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,2BAA2B,CAAC,CAAC;AAEtF,0CAA0C;AAC1C,eAAO,MAAM,wBAAwB;;;kBAGnC,CAAC;AACH,MAAM,MAAM,wBAAwB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,wBAAwB,CAAC,CAAC;AAEhF,2CAA2C;AAC3C,eAAO,MAAM,yBAAyB;;;kBAGpC,CAAC;AACH,MAAM,MAAM,yBAAyB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,yBAAyB,CAAC,CAAC;AAElF;;;;;GAKG;AACH,eAAO,MAAM,iBAAiB;;;;;;;;;;;mBAyBjB,CAAC;AACd,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAC;AAElE,mCAAmC;AACnC,eAAO,MAAM,kBAAkB;;;;;;;;;;;;;;;;;;;kBAE7B,CAAC;AACH,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAEpE,gDAAgD;AAChD,eAAO,MAAM,6BAA6B;;;;mBAc7B,CAAC;AACd,MAAM,MAAM,6BAA6B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,6BAA6B,CAAC,CAAC;AAE1F,iDAAiD;AACjD,eAAO,MAAM,8BAA8B;;;;;;;;;;;;;;;;;;;kBAEzC,CAAC;AACH,MAAM,MAAM,8BAA8B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,8BAA8B,CAAC,CAAC;AAE5F,wFAAwF;AACxF,eAAO,MAAM,iBAAiB;;;;kBAS3B,CAAC;AACJ,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAC;AAElE,kCAAkC;AAClC,eAAO,MAAM,kBAAkB;;;;;;;;;;;kBAG7B,CAAC;AACH,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAEpE,+BAA+B;AAC/B,eAAO,MAAM,eAAe;;mBAIf,CAAC;AACd,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,eAAe,CAAC,CAAC;AAE9D,2FAA2F;AAC3F,eAAO,MAAM,gBAAgB;;;;;;;;;;;;kBAE3B,CAAC;AACH,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC;AAEhE,iCAAiC;AACjC,eAAO,MAAM,iBAAiB;;;kBAG5B,CAAC;AACH,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAC;AAElE,kCAAkC;AAClC,eAAO,MAAM,kBAAkB;;kBAE7B,CAAC;AACH,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAEpE,oCAAoC;AACpC,eAAO,MAAM,mBAAmB;;mBAInB,CAAC;AACd,MAAM,MAAM,mBAAmB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAC;AAEtE,qCAAqC;AACrC,eAAO,MAAM,oBAAoB;;;;;;;kBAE/B,CAAC;AACH,MAAM,MAAM,oBAAoB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAC;AAExE,uCAAuC;AACvC,eAAO,MAAM,sBAAsB;;;kBAGjC,CAAC;AACH,MAAM,MAAM,sBAAsB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAC;AAE5E,wCAAwC;AACxC,eAAO,MAAM,uBAAuB;;;;;;;;kBAGlC,CAAC;AACH,MAAM,MAAM,uBAAuB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,uBAAuB,CAAC,CAAC;~~AAI9E~~;;;;;GAKG;AACH,eAAO,MAAM,8BAA8B~~;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;~~CAWN,CAAC;AAEtC;;;;GAIG;AACH,eAAO,MAAM,8BAA8B;;;;;;;;;;;;;;;;;;;;;;;;;;CAWN,CAAC;AAEtC,eAAO,MAAM,oCAAoC;;;;;;;;;;;;;;;;;;;;;CAWZ,CAAC;AAEtC,eAAO,MAAM,kCAAkC;;;;;;;;;;;;;;;;;;;;;CAWV,CAAC;AAEtC;;;;;;;GAOG;AACH,eAAO,MAAM,0BAA0B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAWF,CAAC;AAEtC;;;;GAIG;AACH,eAAO,MAAM,wCAAwC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAWhB,CAAC;AAEtC,eAAO,MAAM,yBAAyB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAWD,CAAC;AAEtC;;;;;GAKG;AACH,eAAO,MAAM,uBAAuB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAWC,CAAC;AAEtC,eAAO,MAAM,yBAAyB;;;;;;;;;;;;;;;;;;;;CAWD,CAAC;AAEtC,eAAO,MAAM,4BAA4B;;;;;;;;;;;;;;;;;;;;;;;CAUJ,CAAC;AAEtC,eAAO,MAAM,+BAA+B;;;;;;;;;;;;;;;;;;;;;;;;;;CAWP,CAAC;AAEtC~~;;;;;;GAMG~~;AACH,eAAO,MAAM,sBAAsB,EAAE,KAAK,CAAC,yBAAyB,~~CAYnE~~,CAAC"}
1	+ {"version":3,"file":"admin_action_specs.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/admin_action_specs.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAEH,OAAO,EAAC,CAAC,EAAC,MAAM,KAAK,CAAC;AAGtB,OAAO,KAAK,EAAC,yBAAyB,EAAC,MAAM,2BAA2B,CAAC;AAiBzE,+BAA+B;AAC/B,eAAO,MAAM,wBAAwB,MAAM,CAAC;AAE5C,8CAA8C;AAC9C,eAAO,MAAM,gCAAgC,KAAK,CAAC;AACnD,0CAA0C;AAC1C,eAAO,MAAM,4BAA4B,MAAM,CAAC;AAIhD,sCAAsC;AACtC,eAAO,MAAM,qBAAqB;;;;;mBAkBrB,CAAC;AACd,MAAM,MAAM,qBAAqB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,qBAAqB,CAAC,CAAC;AAE1E,uCAAuC;AACvC,eAAO,MAAM,sBAAsB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;kBAGjC,CAAC;AACH,MAAM,MAAM,sBAAsB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAC;AAE5E,sCAAsC;AACtC,eAAO,MAAM,qBAAqB;;mBAIrB,CAAC;AACd,MAAM,MAAM,qBAAqB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,qBAAqB,CAAC,CAAC;AAE1E,mGAAmG;AACnG,eAAO,MAAM,sBAAsB;;;;;;;;;kBAEjC,CAAC;AACH,MAAM,MAAM,sBAAsB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAC;AAE5E,4CAA4C;AAC5C,eAAO,MAAM,0BAA0B;;;kBAGrC,CAAC;AACH,MAAM,MAAM,0BAA0B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,0BAA0B,CAAC,CAAC;AAEpF,6CAA6C;AAC7C,eAAO,MAAM,2BAA2B;;;kBAGtC,CAAC;AACH,MAAM,MAAM,2BAA2B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,2BAA2B,CAAC,CAAC;AAEtF,0CAA0C;AAC1C,eAAO,MAAM,wBAAwB;;;kBAGnC,CAAC;AACH,MAAM,MAAM,wBAAwB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,wBAAwB,CAAC,CAAC;AAEhF,2CAA2C;AAC3C,eAAO,MAAM,yBAAyB;;;kBAGpC,CAAC;AACH,MAAM,MAAM,yBAAyB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,yBAAyB,CAAC,CAAC;AAElF;;;;;GAKG;AACH,eAAO,MAAM,iBAAiB;;;;;;;;;;;mBAyBjB,CAAC;AACd,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAC;AAElE,mCAAmC;AACnC,eAAO,MAAM,kBAAkB;;;;;;;;;;;;;;;;;;;kBAE7B,CAAC;AACH,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAEpE,gDAAgD;AAChD,eAAO,MAAM,6BAA6B;;;;mBAc7B,CAAC;AACd,MAAM,MAAM,6BAA6B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,6BAA6B,CAAC,CAAC;AAE1F,iDAAiD;AACjD,eAAO,MAAM,8BAA8B;;;;;;;;;;;;;;;;;;;kBAEzC,CAAC;AACH,MAAM,MAAM,8BAA8B,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,8BAA8B,CAAC,CAAC;AAE5F,wFAAwF;AACxF,eAAO,MAAM,iBAAiB;;;;kBAS3B,CAAC;AACJ,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAC;AAElE,kCAAkC;AAClC,eAAO,MAAM,kBAAkB;;;;;;;;;;;kBAG7B,CAAC;AACH,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAEpE,+BAA+B;AAC/B,eAAO,MAAM,eAAe;;mBAIf,CAAC;AACd,MAAM,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,eAAe,CAAC,CAAC;AAE9D,2FAA2F;AAC3F,eAAO,MAAM,gBAAgB;;;;;;;;;;;;kBAE3B,CAAC;AACH,MAAM,MAAM,gBAAgB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAC;AAEhE,iCAAiC;AACjC,eAAO,MAAM,iBAAiB;;;kBAG5B,CAAC;AACH,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAC;AAElE,kCAAkC;AAClC,eAAO,MAAM,kBAAkB;;kBAE7B,CAAC;AACH,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAEpE,oCAAoC;AACpC,eAAO,MAAM,mBAAmB;;mBAInB,CAAC;AACd,MAAM,MAAM,mBAAmB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAC;AAEtE,qCAAqC;AACrC,eAAO,MAAM,oBAAoB;;;;;;;kBAE/B,CAAC;AACH,MAAM,MAAM,oBAAoB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAC;AAExE,uCAAuC;AACvC,eAAO,MAAM,sBAAsB;;;kBAGjC,CAAC;AACH,MAAM,MAAM,sBAAsB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,sBAAsB,CAAC,CAAC;AAE5E,wCAAwC;AACxC,eAAO,MAAM,uBAAuB;;;;;;;;kBAGlC,CAAC;AACH,MAAM,MAAM,uBAAuB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,uBAAuB,CAAC,CAAC;AAE9E;;;;GAIG;AACH,eAAO,MAAM,yBAAyB,EAAG,qBAA8B,CAAC;AAExE;;;;;;;;;GASG;AACH,eAAO,MAAM,0BAA0B,EAAG,sBAA+B,CAAC;AAE1E;;;;;;;;;GASG;AACH,eAAO,MAAM,8BAA8B,EAAG,0BAAmC,CAAC;AAElF;;;;;GAKG;AACH,eAAO,MAAM,kBAAkB;;;mBAOlB,CAAC;AACd,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAEpE,mCAAmC;AACnC,eAAO,MAAM,mBAAmB;;;kBAG9B,CAAC;AACH,MAAM,MAAM,mBAAmB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,mBAAmB,CAAC,CAAC;AAEtE,0EAA0E;AAC1E,eAAO,MAAM,iBAAiB;;;;kBAM5B,CAAC;AACH,MAAM,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAC;AAElE,kCAAkC;AAClC,eAAO,MAAM,kBAAkB;;;kBAG7B,CAAC;AACH,MAAM,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAC;AAEpE;;;;;GAKG;AACH,eAAO,MAAM,oBAAoB;;;kBAG/B,CAAC;AACH,MAAM,MAAM,oBAAoB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,oBAAoB,CAAC,CAAC;AAExE,qCAAqC;AACrC,eAAO,MAAM,qBAAqB;;;kBAGhC,CAAC;AACH,MAAM,MAAM,qBAAqB,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,qBAAqB,CAAC,CAAC;AAI1E;;;;;GAKG;AACH,eAAO,MAAM,8BAA8B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAWN,CAAC;AAEtC;;;;GAIG;AACH,eAAO,MAAM,8BAA8B;;;;;;;;;;;;;;;;;;;;;;;;;;CAWN,CAAC;AAEtC,eAAO,MAAM,oCAAoC;;;;;;;;;;;;;;;;;;;;;CAWZ,CAAC;AAEtC,eAAO,MAAM,kCAAkC;;;;;;;;;;;;;;;;;;;;;CAWV,CAAC;AAEtC;;;;;;;GAOG;AACH,eAAO,MAAM,0BAA0B;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAWF,CAAC;AAEtC;;;;GAIG;AACH,eAAO,MAAM,wCAAwC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAWhB,CAAC;AAEtC,eAAO,MAAM,yBAAyB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAWD,CAAC;AAEtC;;;;;GAKG;AACH,eAAO,MAAM,uBAAuB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAWC,CAAC;AAEtC,eAAO,MAAM,yBAAyB;;;;;;;;;;;;;;;;;;;;CAWD,CAAC;AAEtC;;;;;;GAMG;AACH,eAAO,MAAM,0BAA0B;;;;;;;;;;;;;;;;;;;;CAYF,CAAC;AAEtC;;;;;;GAMG;AACH,eAAO,MAAM,yBAAyB;;;;;;;;;;;;;;;;;;;;;;;CAiBD,CAAC;AAEtC;;;;;;;GAOG;AACH,eAAO,MAAM,4BAA4B;;;;;;;;;;;;;;;;;;;;;CAYJ,CAAC;AAEtC,eAAO,MAAM,4BAA4B;;;;;;;;;;;;;;;;;;;;;;;CAUJ,CAAC;AAEtC,eAAO,MAAM,+BAA+B;;;;;;;;;;;;;;;;;;;;;;;;;;CAWP,CAAC;AAEtC;;;;;GAKG;AACH,eAAO,MAAM,sBAAsB,EAAE,KAAK,CAAC,yBAAyB,CAenE,CAAC"}

package/dist/auth/admin_action_specs.js CHANGED Viewed

@@ -17,7 +17,8 @@
  */
 import { z } from 'zod';
 import { Uuid } from '@fuzdev/fuz_util/id.js';
-import { ROLE_ADMIN, RoleName } from './role_schema.js';
+import { ROLE_ADMIN, ROLE_KEEPER, RoleName } from './role_schema.js';
+import { CREDENTIAL_TYPE_DAEMON_TOKEN } from './credential_type_schema.js';
 import { AdminAccountEntryJson } from './account_schema.js';
 import { Email, Username } from '../primitive_schemas.js';
 import { ActingActor } from '../http/auth_shape.js';
@@ -45,6 +46,9 @@ export const AdminAccountListInput = z
         description: `Max accounts to return (default ${ADMIN_ACCOUNT_LIST_DEFAULT_LIMIT}, max ${ADMIN_ACCOUNT_LIST_LIMIT_MAX}).`,
     }),
     offset: z.number().int().min(0).nullish().meta({ description: 'Pagination offset.' }),
+    include_deleted: z.boolean().nullish().meta({
+        description: 'Include soft-deleted (tombstoned) accounts in the listing. Default false (active only). Used by the admin UI to surface accounts for reactivation via `account_undelete`.',
+    }),
 })
     .default({});
 /** Output for `admin_account_list`. */
@@ -192,6 +196,81 @@ export const AppSettingsUpdateOutput = z.strictObject({
     ok: z.literal(true),
     settings: AppSettingsWithUsernameJson,
 });
+/**
+ * `data.reason` on `account_purge` when `confirm: true` is absent.
+ * Fail-loud: the irreversible purge refuses to run without explicit
+ * confirmation. Mirrors the Rust `ERROR_PURGE_NOT_CONFIRMED`.
+ */
+export const ERROR_PURGE_NOT_CONFIRMED = 'purge_not_confirmed';
+/**
+ * `data.reason` (403) on `account_delete` / `account_purge` when the
+ * target account holds an active keeper role_grant. The keeper account
+ * is never deletable or purgeable through the API: auth resolution and
+ * daemon-token resolution both pivot on the keeper account, so tombstoning
+ * or cascading it away would brick keeper/daemon auth with no recovery
+ * path (the keeper role is not web-revocable, and `account_purge` itself
+ * requires keeper auth). Keeper-account removal stays out-of-band
+ * (bootstrap / DB surgery). Mirrors the Rust `ERROR_CANNOT_DELETE_KEEPER`.
+ */
+export const ERROR_CANNOT_DELETE_KEEPER = 'cannot_delete_keeper';
+/**
+ * `data.reason` (403) on `account_delete` / `account_purge` when the target
+ * is the **sole remaining active admin** — removing it would leave the
+ * system with no account that can authenticate into the admin surface (and
+ * `account_undelete` is itself admin-gated). Unlike the keeper guard this is
+ * keeper-recoverable (a keeper can re-grant admin), but the guard avoids the
+ * foot-gun of an admin tombstoning the last admin in one call. Soft-deleted
+ * admins don't count toward the tally (they can't log in). Mirrors the Rust
+ * `ERROR_CANNOT_DELETE_LAST_ADMIN`.
+ */
+export const ERROR_CANNOT_DELETE_LAST_ADMIN = 'cannot_delete_last_admin';
+/**
+ * Input for `account_delete` (soft delete). `account_id` is optional —
+ * omitted (or equal to the caller's own account) is a self-delete; a
+ * different account requires the admin role (handler-enforced
+ * elevation, like `role_grant_offer_list`).
+ */
+export const AccountDeleteInput = z
+    .strictObject({
+    account_id: Uuid.nullish().meta({
+        description: 'Account to soft-delete. Omit for self-delete; another account requires admin.',
+    }),
+    acting: ActingActor,
+})
+    .default({});
+/** Output for `account_delete`. */
+export const AccountDeleteOutput = z.strictObject({
+    ok: z.literal(true),
+    deleted: z.boolean(),
+});
+/** Input for `account_purge` (hard, irreversible delete). Keeper-only. */
+export const AccountPurgeInput = z.strictObject({
+    account_id: Uuid.meta({ description: 'Account to hard-purge.' }),
+    confirm: z.boolean().optional().meta({
+        description: 'Must be `true` — fail-loud guard against an accidental irreversible purge.',
+    }),
+    acting: ActingActor,
+});
+/** Output for `account_purge`. */
+export const AccountPurgeOutput = z.strictObject({
+    ok: z.literal(true),
+    purged: z.boolean(),
+});
+/**
+ * Input for `account_undelete` (reactivation). `account_id` is required —
+ * unlike `account_delete` there is no self path: a soft-deleted account
+ * can't authenticate (auth resolution excludes it, sessions are revoked),
+ * so reactivation is always an admin acting on another account.
+ */
+export const AccountUndeleteInput = z.strictObject({
+    account_id: Uuid.meta({ description: 'Soft-deleted account to reactivate.' }),
+    acting: ActingActor,
+});
+/** Output for `account_undelete`. */
+export const AccountUndeleteOutput = z.strictObject({
+    ok: z.literal(true),
+    undeleted: z.boolean(),
+});
 // -- Action specs -----------------------------------------------------------
 /**
  * `rate_limit: 'account'` bounds admin-side scraping of the account table
@@ -331,6 +410,69 @@ export const invite_delete_action_spec = {
     description: 'Delete an unclaimed invite. Admin-only.',
     rate_limit: 'account',
 };
+/**
+ * Soft-delete an account (reversible tombstone). Self-or-admin: the
+ * caller may delete their own account; deleting another requires the
+ * admin role (handler-enforced elevation). No `admin_` prefix — the
+ * privilege lives in the auth check, not the name, so self-service
+ * deletion stays open (`delete` = soft, `purge` = hard).
+ */
+export const account_delete_action_spec = {
+    method: 'account_delete',
+    kind: 'request_response',
+    initiator: 'frontend',
+    auth: { account: 'required', actor: 'required' },
+    side_effects: true,
+    input: AccountDeleteInput,
+    output: AccountDeleteOutput,
+    async: true,
+    description: 'Soft-delete an account (reversible tombstone): blocks auth, revokes sessions/tokens, soft-deletes its actor(s). Self-service for own account; admin required to delete another.',
+    rate_limit: 'account',
+};
+/**
+ * Hard-purge an account (keeper-gated, irreversible). Keeper credential
+ * (`daemon_token`) + keeper role + explicit `confirm: true`. Not
+ * admin-reachable and not self-service — the most dangerous operation is
+ * the most restricted. `purge` = hard; the word + gating + WARN flag the
+ * danger (fail-loud).
+ */
+export const account_purge_action_spec = {
+    method: 'account_purge',
+    kind: 'request_response',
+    initiator: 'frontend',
+    auth: {
+        account: 'required',
+        actor: 'required',
+        roles: [ROLE_KEEPER],
+        credential_types: [CREDENTIAL_TYPE_DAEMON_TOKEN],
+    },
+    side_effects: true,
+    input: AccountPurgeInput,
+    output: AccountPurgeOutput,
+    async: true,
+    description: 'Hard-purge an account (irreversible cascading delete). Keeper-only + explicit confirm. Audit ids survive; identity snapshotted in metadata.',
+    rate_limit: 'account',
+};
+/**
+ * Reactivate a soft-deleted account (clears the tombstone). Admin-only —
+ * there is no self path because a soft-deleted account can't authenticate
+ * (auth resolution excludes it and its sessions are revoked), so
+ * reactivation is always an admin acting on another account. The inverse
+ * of `account_delete`; does not restore revoked sessions/tokens
+ * (delete = soft, purge = hard).
+ */
+export const account_undelete_action_spec = {
+    method: 'account_undelete',
+    kind: 'request_response',
+    initiator: 'frontend',
+    auth: { account: 'required', actor: 'required', roles: [ROLE_ADMIN] },
+    side_effects: true,
+    input: AccountUndeleteInput,
+    output: AccountUndeleteOutput,
+    async: true,
+    description: 'Reactivate a soft-deleted account (clears the deleted_at tombstone on the account + its actors). Admin-only. Does not restore revoked sessions/tokens — principals re-auth fresh.',
+    rate_limit: 'account',
+};
 export const app_settings_get_action_spec = {
     method: 'app_settings_get',
     kind: 'request_response',
@@ -357,9 +499,8 @@ export const app_settings_update_action_spec = {
 /**
  * All admin action specs — a codegen-ready registry. Consumers spread this
  * into their own action-spec array to include admin methods in a typed
- * client surface. Always includes the two app-settings specs; the runtime
- * factory only wires their handlers when `AdminActionOptions.app_settings`
- * is provided.
+ * client surface. Includes the two app-settings specs, whose handlers the
+ * runtime factory always wires.
  */
 export const all_admin_action_specs = [
     admin_account_list_action_spec,
@@ -371,6 +512,9 @@ export const all_admin_action_specs = [
     invite_create_action_spec,
     invite_list_action_spec,
     invite_delete_action_spec,
+    account_delete_action_spec,
+    account_purge_action_spec,
+    account_undelete_action_spec,
     app_settings_get_action_spec,
     app_settings_update_action_spec,
 ];

package/dist/auth/admin_actions.d.ts CHANGED Viewed

@@ -7,9 +7,10 @@
  *   `admin_session_revoke_all`, `admin_token_revoke_all`.
  * - Audit log reads: `audit_log_list`, `audit_log_role_grant_history`.
  * - Invite CRUD: `invite_create`, `invite_list`, `invite_delete`.
- * - App settings: `app_settings_get`, `app_settings_update` (registered only
- *   when `AdminActionOptions.app_settings` is provided — the mutable ref is
- *   owned by the server context and shared with signup middleware).
+ * - App settings: `app_settings_get`, `app_settings_update`. The update
+ *   handler writes the `app_settings` row in the database; signup reads the
+ *   `open_signup` toggle fresh from that row on every request, so no
+ *   in-memory state is shared between this surface and signup.
  *
  * The action specs themselves live in `auth/admin_action_specs.ts`. Mutations
  * emit matching audit events via `deps.audit.emit`.
@@ -30,7 +31,6 @@
 import { type RpcAction } from '../actions/action_rpc.js';
 import type { ConnectionCloser } from '../actions/connection_closer.js';
 import { type RoleSchemaResult } from './role_schema.js';
-import { type AppSettings } from './app_settings_schema.js';
 import type { RouteFactoryDeps } from './deps.js';
 /** Options for `create_admin_actions`. */
 export interface AdminActionOptions {
@@ -41,15 +41,6 @@ export interface AdminActionOptions {
      * `admin_account_list`.
      */
     roles?: RoleSchemaResult;
-    /**
-     * Mutable in-memory app settings ref — typically `ctx.app_settings` from
-     * `AppServerContext`. When provided, the factory wires the
-     * `app_settings_get` and `app_settings_update` handlers; the update
-     * handler mutates this ref so signup middleware reads the new value
-     * without a DB round trip. When omitted, those two methods have no
-     * handler and RPC dispatch returns `method_not_found`.
-     */
-    app_settings?: AppSettings;
     /**
      * Live-connection closer — when set, `admin_session_revoke_all` and
      * `admin_token_revoke_all` handlers eagerly close affected WebSocket
@@ -70,7 +61,6 @@ export interface AdminActionOptions {
  *   optional `AuditLogConfig`.
  * @param options - role schema for `grantable_roles` derivation
  * @returns the `RpcAction` array to spread into a `create_rpc_endpoint` call
- * @mutates `options.app_settings` ref - `app_settings_update` writes `open_signup`, `updated_at`, and `updated_by` so signup middleware reads without a DB round trip
  */
 export declare const create_admin_actions: (deps: Pick<RouteFactoryDeps, "log" | "audit">, options?: AdminActionOptions) => Array<RpcAction>;
 //# sourceMappingURL=admin_actions.d.ts.map

package/dist/auth/admin_actions.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"admin_actions.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/admin_actions.ts"],"names":[],"mappings":"AAAA~~;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4BG~~;AAEH,OAAO,EAAsC,KAAK,SAAS,EAAC,MAAM,0BAA0B,CAAC;AAC7F,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,iCAAiC,CAAC;AAEtE,OAAO,~~EAGN~~,KAAK,gBAAgB,EACrB,MAAM,kBAAkB,CAAC;~~AAuB1B~~,OAAO,~~EAAC,~~KAAK,~~WAAW,~~EAAC,~~MAAM,0BAA0B,CAAC;AAK1D,OAAO,KAAK,EAAC,~~gBAAgB,EAAC,MAAM,WAAW,CAAC;~~AA6ChD~~,0CAA0C;AAC1C,MAAM,WAAW,kBAAkB;IAClC;;;;;OAKG;IACH,KAAK,CAAC,EAAE,gBAAgB,CAAC;IACzB~~;;;;;;;OAOG;IACH,YAAY,CAAC,EAAE,WAAW,CAAC;IAC3B~~;;;;;;;;OAQG;IACH,iBAAiB,CAAC,EAAE,gBAAgB,GAAG,IAAI,CAAC;CAC5C;AAED~~;;;;;;;;;;GAUG~~;AACH,eAAO,MAAM,oBAAoB,GAChC,MAAM,IAAI,CAAC,gBAAgB,EAAE,KAAK,GAAG,OAAO,CAAC,EAC7C,UAAS,kBAAuB,KAC9B,KAAK,CAAC,SAAS,~~CAmRjB~~,CAAC"}
1	+ {"version":3,"file":"admin_actions.d.ts","sourceRoot":"../src/lib/","sources":["../../src/lib/auth/admin_actions.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA6BG;AAEH,OAAO,EAAsC,KAAK,SAAS,EAAC,MAAM,0BAA0B,CAAC;AAC7F,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,iCAAiC,CAAC;AAEtE,OAAO,EAKN,KAAK,gBAAgB,EACrB,MAAM,kBAAkB,CAAC;AAyC1B,OAAO,KAAK,EAAC,gBAAgB,EAAC,MAAM,WAAW,CAAC;AA0DhD,0CAA0C;AAC1C,MAAM,WAAW,kBAAkB;IAClC;;;;;OAKG;IACH,KAAK,CAAC,EAAE,gBAAgB,CAAC;IACzB;;;;;;;;OAQG;IACH,iBAAiB,CAAC,EAAE,gBAAgB,GAAG,IAAI,CAAC;CAC5C;AAED;;;;;;;;;GASG;AACH,eAAO,MAAM,oBAAoB,GAChC,MAAM,IAAI,CAAC,gBAAgB,EAAE,KAAK,GAAG,OAAO,CAAC,EAC7C,UAAS,kBAAuB,KAC9B,KAAK,CAAC,SAAS,CAqfjB,CAAC"}