npm - @valentinkolb/cloud - Versions diffs - 0.3.1 → 0.5.0 - Mend

@valentinkolb/cloud 0.3.1 → 0.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (194) hide show

package/package.json +18 -8
package/scripts/preload.ts +78 -23
package/src/_internal/define-app.ts +119 -47
package/src/_internal/runtime-context.ts +1 -0
package/src/api/accounts-entities.ts +4 -0
package/src/api/admin-core-settings.ts +98 -0
package/src/api/announcements.ts +131 -0
package/src/api/auth/schemas.ts +24 -0
package/src/api/auth.ts +113 -10
package/src/api/index.ts +15 -25
package/src/api/me.ts +203 -14
package/src/api/search/schemas.ts +1 -0
package/src/api/search.ts +62 -8
package/src/config/ssr.ts +2 -9
package/src/contracts/announcements.test.ts +37 -0
package/src/contracts/announcements.ts +121 -0
package/src/contracts/app.ts +4 -0
package/src/contracts/index.ts +3 -2
package/src/contracts/registry.ts +4 -0
package/src/contracts/shared.ts +108 -1
package/src/desktop/index.ts +704 -0
package/src/desktop/solid.tsx +938 -0
package/src/server/api/index.ts +1 -1
package/src/server/api/respond.ts +50 -10
package/src/server/index.ts +44 -38
package/src/server/middleware/auth.ts +98 -9
package/src/server/middleware/index.ts +2 -1
package/src/server/middleware/settings.ts +26 -0
package/src/server/services/access.test.ts +197 -0
package/src/server/services/access.ts +254 -6
package/src/server/services/index.ts +14 -11
package/src/server/services/pagination.ts +22 -0
package/src/server/time.ts +45 -0
package/src/services/account-lifecycle/index.ts +142 -18
package/src/services/accounts/app.ts +658 -170
package/src/services/accounts/authz.test.ts +77 -0
package/src/services/accounts/authz.ts +22 -0
package/src/services/accounts/entities.ts +84 -5
package/src/services/accounts/groups.ts +30 -24
package/src/services/accounts/model.test.ts +30 -0
package/src/services/accounts/switching.test.ts +14 -0
package/src/services/accounts/switching.ts +15 -6
package/src/services/accounts/users.ts +75 -52
package/src/services/announcements/index.test.ts +32 -0
package/src/services/announcements/index.ts +224 -0
package/src/services/audit/index.test.ts +84 -0
package/src/services/audit/index.ts +431 -0
package/src/services/auth-flows/index.ts +9 -2
package/src/services/auth-flows/ipa.ts +0 -2
package/src/services/auth-flows/magic-link.ts +3 -2
package/src/services/auth-flows/password-reset.ts +284 -0
package/src/services/auth-flows/proxy-return.test.ts +24 -0
package/src/services/auth-flows/proxy-return.ts +49 -0
package/src/services/gateway.ts +162 -0
package/src/services/index.ts +44 -2
package/src/services/ipa/effective-groups.test.ts +33 -0
package/src/services/ipa/effective-groups.ts +70 -0
package/src/services/ipa/profile.ts +45 -3
package/src/services/ipa/search.ts +3 -5
package/src/services/ipa/service-account.ts +15 -0
package/src/services/ipa/sync-planning.test.ts +32 -0
package/src/services/ipa/sync-planning.ts +22 -0
package/src/services/ipa/sync.ts +110 -38
package/src/services/oauth-tokens.ts +104 -0
package/src/services/postgres.ts +21 -6
package/src/services/providers/local/auth.test.ts +22 -0
package/src/services/providers/local/auth.ts +46 -3
package/src/services/secrets.ts +10 -0
package/src/services/service-account-credentials.test.ts +210 -0
package/src/services/service-account-credentials.ts +715 -0
package/src/services/service-accounts.ts +188 -0
package/src/services/session/index.ts +7 -8
package/src/services/settings/app.ts +4 -20
package/src/services/settings/defaults.ts +64 -22
package/src/services/settings/store.ts +47 -0
package/src/services/weather/forecast.ts +40 -7
package/src/services/webauthn.test.ts +36 -0
package/src/services/webauthn.ts +384 -0
package/src/shared/icons.ts +391 -100
package/src/shared/index.ts +7 -0
package/src/shared/markdown/extensions/code.ts +38 -1
package/src/shared/markdown/extensions/images.ts +39 -3
package/src/shared/markdown/extensions/info-blocks.ts +5 -5
package/src/shared/markdown/extensions/mark.ts +48 -0
package/src/shared/markdown/extensions/sub-sup.ts +60 -0
package/src/shared/markdown/extensions/tables.ts +79 -58
package/src/shared/markdown/formula.test.ts +1089 -0
package/src/shared/markdown/formula.ts +1187 -0
package/src/shared/markdown/index.ts +76 -2
package/src/shared/mock-cover.ts +130 -0
package/src/shared/redirect.test.ts +49 -0
package/src/shared/redirect.ts +52 -0
package/src/shared/theme.test.ts +24 -0
package/src/shared/theme.ts +68 -0
package/src/shared/time.ts +13 -0
package/src/ssr/AdminLayout.tsx +7 -3
package/src/ssr/AdminSidebar.tsx +115 -49
package/src/ssr/AppLaunchpad.island.tsx +176 -0
package/src/ssr/Footer.island.tsx +3 -8
package/src/ssr/GlobalAnnouncements.island.tsx +141 -0
package/src/ssr/GlobalSearchDialog.tsx +545 -117
package/src/ssr/HotkeysHelpRail.island.tsx +3 -70
package/src/ssr/Layout.tsx +74 -66
package/src/ssr/LayoutBreadcrumbs.island.tsx +44 -0
package/src/ssr/LayoutHelp.tsx +266 -0
package/src/ssr/NavMenu.island.tsx +0 -39
package/src/ssr/ThemeToggleRail.island.tsx +3 -3
package/src/ssr/TimezoneCookie.island.tsx +23 -0
package/src/ssr/islands/index.ts +13 -0
package/src/styles/base-popover.css +5 -2
package/src/styles/effects.css +87 -6
package/src/styles/global.css +146 -9
package/src/styles/input.css +3 -1
package/src/styles/utilities-buttons.css +133 -27
package/src/styles/utilities-code-display.css +67 -0
package/src/styles/utilities-completion.css +223 -0
package/src/styles/utilities-detail.css +73 -0
package/src/styles/utilities-feedback.css +16 -15
package/src/styles/utilities-layout.css +42 -2
package/src/styles/utilities-markdown-editor.css +472 -0
package/src/styles/utilities-navigation.css +63 -8
package/src/styles/utilities-script.css +84 -0
package/src/styles/utilities-table-tile.css +229 -0
package/src/types/ambient.d.ts +9 -0
package/src/ui/completion/behaviors.test.ts +95 -0
package/src/ui/completion/behaviors.ts +205 -0
package/src/ui/completion/engine.ts +368 -0
package/src/ui/completion/index.ts +40 -0
package/src/ui/completion/overlay.ts +92 -0
package/src/ui/dialog-core.ts +173 -45
package/src/ui/filter/FilterChip.tsx +42 -40
package/src/ui/index.ts +11 -12
package/src/ui/input/AutocompleteEditor.tsx +656 -0
package/src/ui/input/CheckboxCard.tsx +91 -0
package/src/ui/input/Combobox.tsx +375 -0
package/src/ui/input/DatePicker.tsx +846 -0
package/src/ui/input/DateTimeInput.tsx +29 -4
package/src/ui/input/FileDropzone.tsx +116 -0
package/src/ui/input/IconInput.tsx +116 -0
package/src/ui/input/ImageInput.tsx +19 -2
package/src/ui/input/MultiSelectInput.tsx +448 -0
package/src/ui/input/NumberInput.tsx +417 -61
package/src/ui/input/SegmentedControl.tsx +2 -2
package/src/ui/input/Select.tsx +172 -10
package/src/ui/input/Slider.tsx +3 -4
package/src/ui/input/Switch.tsx +3 -2
package/src/ui/input/TemplateEditor.tsx +212 -0
package/src/ui/input/TextInput.tsx +144 -13
package/src/ui/input/index.ts +53 -8
package/src/ui/input/markdown/MarkdownEditor.tsx +774 -0
package/src/ui/input/markdown/Toolbar.tsx +90 -0
package/src/ui/input/markdown/actions.ts +233 -0
package/src/ui/input/markdown/active-formats.ts +94 -0
package/src/ui/input/markdown/behaviors.ts +193 -0
package/src/ui/input/markdown/code-zone.ts +23 -0
package/src/ui/input/markdown/highlight.ts +316 -0
package/src/ui/layout.ts +22 -0
package/src/ui/misc/AppOverview.tsx +105 -0
package/src/ui/misc/AppWorkspace.tsx +607 -0
package/src/ui/misc/Calendar.tsx +1291 -0
package/src/ui/misc/Chart.tsx +162 -0
package/src/ui/misc/CodeDisplay.tsx +54 -0
package/src/ui/misc/ContextMenu.tsx +2 -2
package/src/ui/misc/DataTable.tsx +269 -0
package/src/ui/misc/DockWorkspace.tsx +425 -0
package/src/ui/misc/Docs.tsx +153 -0
package/src/ui/misc/Dropdown.tsx +2 -2
package/src/ui/misc/EntitySearch.tsx +260 -129
package/src/ui/misc/LinkCard.tsx +14 -2
package/src/ui/misc/LogEntriesTable.tsx +34 -31
package/src/ui/misc/Pagination.tsx +31 -12
package/src/ui/misc/PanelDialog.tsx +109 -0
package/src/ui/misc/Panes.tsx +873 -0
package/src/ui/misc/PermissionEditor.tsx +358 -262
package/src/ui/misc/Placeholder.tsx +40 -0
package/src/ui/misc/ProgressBar.tsx +1 -1
package/src/ui/misc/ResourceApiKeys.tsx +260 -0
package/src/ui/misc/SettingsModal.tsx +150 -0
package/src/ui/misc/StatCell.tsx +182 -40
package/src/ui/misc/StatGrid.tsx +149 -0
package/src/ui/misc/StructuredDataPreview.tsx +107 -0
package/src/ui/misc/code-highlight.ts +213 -0
package/src/ui/misc/index.ts +93 -12
package/src/ui/prompts.tsx +362 -312
package/src/ui/toast.ts +384 -0
package/src/ui/widgets/Widget.tsx +12 -4
package/src/ssr/MoreAppsDropdown.island.tsx +0 -61
package/src/ui/ipa/GroupView.tsx +0 -36
package/src/ui/ipa/LoginBtn.tsx +0 -16
package/src/ui/ipa/UserView.tsx +0 -58
package/src/ui/ipa/index.ts +0 -4
package/src/ui/navigation.ts +0 -32
package/src/ui/sidebar.tsx +0 -468
/package/src/ui/{ipa → misc}/Avatar.tsx +0 -0

package/src/services/accounts/app.ts CHANGED Viewed

@@ -1,5 +1,6 @@
 import { sql } from "bun";
 import { accountLifecycle } from "../account-lifecycle";
+import { audit, type AuditActor, type AuditTarget } from "../audit";
 import { lifecycleJobs } from "../account-lifecycle/scheduler";
 import { logger, logging, type LogEntry } from "../logging";
 import { notifications } from "../notifications";
@@ -11,6 +12,7 @@ import { providers } from "../providers";
 import * as users from "./users";
 import * as groups from "./groups";
 import * as entities from "./entities";
+import { canMutateManagedGroup, hasOnlySelfUpdateFields, isAdminActor, isSelfTarget, type AccountsActor } from "./authz";
 import type {
   BaseGroup,
   BaseUser,
@@ -23,7 +25,17 @@ import type {
   UserProvider,
 } from "../../contracts/shared";
 import { dates } from "../../shared";
-import { err, fail, ok, paginate, type PageParams, type Paginated, type Result, type ServiceError } from "../../server/services";
+import {
+  err,
+  fail,
+  ok,
+  paginate,
+  paginateItems,
+  type PageParams,
+  type Paginated,
+  type Result,
+  type ServiceError,
+} from "../../server/services";
 type CreateUserInput =
   | {
@@ -49,6 +61,7 @@ type CreateUserInput =
 type DbRow = Record<string, unknown>;
 type MutationErrorStatus = Extract<MutationResult, { ok: false }>["status"];
+type CreateUserResult = { id: string; uid: string; accountExpires: string | null; notificationSent: boolean };
 export type AccountRequestStatus = "pending" | "completed" | "denied";
 export type AccountRequestScope = "open" | "processed" | "all";
@@ -105,28 +118,6 @@ const ACTIVITY_SOURCES = [
   "auth:lifecycle:scheduler",
 ] as const;
-const paginateItems = <T>(items: T[], pagination?: PageParams): Paginated<T> => {
-  if (!pagination) {
-    return {
-      items,
-      page: 1,
-      perPage: items.length,
-      total: items.length,
-      hasNext: false,
-    };
-  }
-  const { page, perPage, offset } = paginate(pagination);
-  const pagedItems = items.slice(offset, offset + perPage);
-  return {
-    items: pagedItems,
-    page,
-    perPage,
-    total: items.length,
-    hasNext: page * perPage < items.length,
-  };
-};
 const toServiceError = (status: MutationErrorStatus, message: string): ServiceError => {
   if (status === 400) return err.badInput(message);
   if (status === 401) return err.unauthenticated(message);
@@ -226,6 +217,91 @@ const mapSummary = (row: DbRow): AccountsDashboardSummary => {
 const appLog = logger("accounts:app");
+const auditActor = (actor: AccountsActor | null | undefined): AuditActor | null =>
+  actor
+    ? {
+        userId: actor.userId,
+        uid: actor.uid,
+        provider: actor.provider,
+        roles: actor.roles,
+      }
+    : null;
+const userTarget = (user: { id?: string | null; uid?: string | null; provider?: string | null } | null | undefined): AuditTarget => ({
+  type: "user",
+  id: user?.id ?? null,
+  label: user?.uid ?? null,
+  provider: user?.provider ?? null,
+});
+const groupTarget = (group: { id?: string | null; name?: string | null; provider?: string | null } | null | undefined): AuditTarget => ({
+  type: "group",
+  id: group?.id ?? null,
+  label: group?.name ?? null,
+  provider: group?.provider ?? null,
+});
+const recordCompletedMutation = <T,>(params: {
+  action: string;
+  actor?: AuditActor | null;
+  target?: AuditTarget | null;
+  metadata?: Record<string, unknown> | null;
+  result: Result<T>;
+}) => (params.result.ok ? audit.recordResultAfterSideEffect(params) : audit.recordResult(params));
+const requireAdminActor = async <T,>(params: {
+  actor: AccountsActor | null | undefined;
+  action: string;
+  target?: AuditTarget;
+}): Promise<Result<T> | null> => {
+  if (isAdminActor(params.actor)) return null;
+  return audit.deny<T>({
+    action: params.action,
+    actor: auditActor(params.actor),
+    target: params.target,
+    message: "Admin access required",
+  });
+};
+const requireDifferentActor = async <T,>(params: {
+  actor: AccountsActor | null | undefined;
+  targetUserId: string;
+  action: string;
+  message: string;
+  target?: AuditTarget;
+}): Promise<Result<T> | null> => {
+  if (!isSelfTarget({ actor: params.actor, targetUserId: params.targetUserId })) return null;
+  return audit.deny<T>({
+    action: params.action,
+    actor: auditActor(params.actor),
+    target: params.target,
+    message: params.message,
+  });
+};
+const authorizeGroupMutation = async <T,>(params: {
+  actor: AccountsActor | null | undefined;
+  group: BaseGroup;
+  action: string;
+}): Promise<Result<T> | null> => {
+  if (canMutateManagedGroup({ actor: params.actor, groupId: params.group.id, managedGroupIds: [] })) return null;
+  if (!params.actor) {
+    return audit.deny<T>({
+      action: params.action,
+      target: groupTarget(params.group),
+      message: "Access denied",
+    });
+  }
+  const managedGroupIds = await users.getManagedGroupIds({ id: params.actor.userId, recursive: true });
+  if (canMutateManagedGroup({ actor: params.actor, groupId: params.group.id, managedGroupIds })) return null;
+  return audit.deny<T>({
+    action: params.action,
+    actor: auditActor(params.actor),
+    target: groupTarget(params.group),
+    message: "Access denied",
+  });
+};
 const buildAccountRequestWhereClause = (config: {
   access: { userId: string; isAdmin: boolean };
   filter?: { status?: AccountRequestStatus; scope?: AccountRequestScope };
@@ -322,20 +398,102 @@ export const accountsAppService = {
           recursive: config.recursive,
         }),
     },
-    create: async (config: { ipaSession?: string | null; data: CreateUserInput; processedBy: string }) => {
-      const createResult = fromMutationResult(
-        await users.create({
-          ipaSession: config.ipaSession,
-          data: {
-            ...config.data,
-            profile: config.data.provider === "ipa" ? "user" : config.data.profile,
-            admin: config.data.provider === "local" ? config.data.admin : undefined,
-          },
-        }),
-      );
-      if (!createResult.ok) return createResult;
+    create: async (config: {
+      actor: AccountsActor;
+      data: CreateUserInput;
+      processedBy: string;
+    }): Promise<Result<CreateUserResult>> => {
+      const adminError = await requireAdminActor<{ id: string; uid: string; accountExpires: string | null; notificationSent: boolean }>({
+        actor: config.actor,
+        action: "accounts.user.create",
+        target: { type: "user", label: config.data.email, provider: config.data.provider },
+      });
+      if (adminError) return adminError;
+      let requestCompletionFailed = false;
+      const createFromRequest = async () => {
+        const txResult = await sql.begin(async (tx) => {
+          const requestRows: DbRow[] = await tx`
+            SELECT r.id
+            FROM auth.account_requests r
+            JOIN auth.users u ON u.id = r.user_id
+            WHERE r.id = ${config.data.requestId}
+              AND r.status = 'pending'
+              AND lower(u.mail) = lower(${config.data.email})
+            LIMIT 1
+            FOR UPDATE OF r
+          `;
+          if (requestRows.length === 0) {
+            return {
+              completed: false,
+              result: fail(err.badInput("Account request not found, already processed, or not owned by the target email.")),
+            };
+          }
+          const result = fromMutationResult(
+            await users.create({
+              data: {
+                ...config.data,
+                profile: config.data.provider === "ipa" ? "user" : config.data.profile,
+                admin: config.data.provider === "local" ? config.data.admin : undefined,
+              },
+            }),
+          );
+          if (!result.ok) return { completed: false, result };
+          const completedRows: DbRow[] = await tx`
+            UPDATE auth.account_requests
+            SET status = 'completed', processed_at = now(), processed_by = ${config.processedBy}
+            WHERE id = ${config.data.requestId}
+              AND user_id = ${result.data.user.id}::uuid
+              AND status = 'pending'
+            RETURNING id
+          `;
+          return { completed: completedRows.length > 0, result };
+        });
+        if (txResult.result.ok && !txResult.completed) {
+          requestCompletionFailed = true;
+          appLog.warn("Account request completion did not match", {
+            requestId: config.data.requestId,
+            createdUserId: txResult.result.data.user.id,
+            processedBy: config.processedBy,
+          });
+          await audit.recordResultAfterSideEffect({
+            action: "accounts.request.complete",
+            actor: auditActor(config.actor),
+            target: { type: "account_request", id: config.data.requestId },
+            metadata: { createdUserId: txResult.result.data.user.id, provider: config.data.provider },
+            result: fail(err.badInput("Account request not found, already processed, or not owned by the created user")),
+          });
+        }
+        return txResult.result;
+      };
+      const createResult = config.data.requestId
+        ? await createFromRequest()
+        : fromMutationResult(
+            await users.create({
+              data: {
+                ...config.data,
+                profile: config.data.provider === "ipa" ? "user" : config.data.profile,
+                admin: config.data.provider === "local" ? config.data.admin : undefined,
+              },
+            }),
+          );
+      if (!createResult.ok) {
+        return audit.recordResult({
+          action: "accounts.user.create",
+          actor: auditActor(config.actor),
+          target: { type: "user", label: config.data.email, provider: config.data.provider },
+          metadata: { provider: config.data.provider, requestId: config.data.requestId ?? null },
+          result: createResult,
+        });
+      }
       const created = createResult.data;
       const autoSend = config.data.autoSendNotification ?? true;
       if (autoSend && created.user.mail) {
         if (config.data.provider === "ipa" && created.temporaryPassword) {
@@ -366,54 +524,212 @@ export const accountsAppService = {
         }
       }
-      if (config.data.requestId) {
-        // Require the pending request to belong to the user we just created.
-        // Without the user_id match an admin could pass any request ID and
-        // silently "complete" an unrelated request. Fail loudly on zero-match
-        // instead of ignoring it — the caller asked us to close this request.
-        const matched = await sql`
-          UPDATE auth.account_requests
-          SET status = 'completed', processed_at = now(), processed_by = ${config.processedBy}
-          WHERE id = ${config.data.requestId}
-            AND user_id = ${created.user.id}::uuid
-            AND status = 'pending'
-          RETURNING id
-        `;
-        if (matched.length === 0) {
-          appLog.warn("Account request completion did not match", {
-            requestId: config.data.requestId,
-            createdUserId: created.user.id,
-            processedBy: config.processedBy,
-          });
-          return fail(err.badInput("Account request not found, already processed, or not owned by the created user"));
-        }
+      return audit.recordResultAfterSideEffect({
+        action: "accounts.user.create",
+        actor: auditActor(config.actor),
+        target: userTarget(created.user),
+        metadata: { provider: config.data.provider, requestId: config.data.requestId ?? null, notificationSent: autoSend, requestCompletionFailed },
+        result: ok({
+          id: created.user.id,
+          uid: created.user.uid,
+          accountExpires: created.user.accountExpires,
+          notificationSent: autoSend,
+        }),
+      });
+    },
+    update: async (config: { actor: AccountsActor; id: string; data: Parameters<typeof users.update>[0]["data"] }) => {
+      const target = await users.getMinimal({ id: config.id });
+      const targetInfo = userTarget(target);
+      const selfService = config.actor.userId === config.id;
+      if (selfService && !hasOnlySelfUpdateFields(config.data as Record<string, unknown>)) {
+        return audit.recordResult({
+          action: "accounts.user.update",
+          actor: auditActor(config.actor),
+          target: targetInfo,
+          metadata: { changedFields: Object.keys(config.data), selfService },
+          result: fail(err.forbidden("Only admins can update account management fields.")),
+        });
       }
-      return ok({
-        id: created.user.id,
-        uid: created.user.uid,
-        accountExpires: created.user.accountExpires,
-        notificationSent: autoSend,
+      if (!selfService) {
+        const adminError = await requireAdminActor<void>({ actor: config.actor, action: "accounts.user.update", target: targetInfo });
+        if (adminError) return adminError;
+      }
+      const result = fromMutationResult(await users.update(config));
+      return recordCompletedMutation({
+        action: "accounts.user.update",
+        actor: auditActor(config.actor),
+        target: targetInfo,
+        metadata: { changedFields: Object.keys(config.data), selfService },
+        result,
+      });
+    },
+    resetPassword: async (config: { actor: AccountsActor; id: string }) => {
+      const target = await users.getMinimal({ id: config.id });
+      const targetInfo = userTarget(target);
+      const adminError = await requireAdminActor<{ password: string }>({ actor: config.actor, action: "accounts.user.password_reset", target: targetInfo });
+      if (adminError) return adminError;
+      const selfError = await requireDifferentActor<{ password: string }>({
+        actor: config.actor,
+        targetUserId: config.id,
+        action: "accounts.user.password_reset",
+        target: targetInfo,
+        message: "You cannot reset your own password from the admin users API.",
+      });
+      if (selfError) return selfError;
+      const result = fromMutationResult(await users.resetPassword(config));
+      return recordCompletedMutation({
+        action: "accounts.user.password_reset",
+        actor: auditActor(config.actor),
+        target: targetInfo,
+        result: result.ok ? ok({ password: "[REDACTED]" }) : result,
+      }).then(() => result);
+    },
+    setExpiry: async (config: { actor: AccountsActor; id: string; expiryDate: string | null }) => {
+      const target = await users.getMinimal({ id: config.id });
+      const targetInfo = userTarget(target);
+      const adminError = await requireAdminActor<void>({ actor: config.actor, action: "accounts.user.set_expiry", target: targetInfo });
+      if (adminError) return adminError;
+      const result = fromMutationResult(await users.setExpiry(config));
+      return recordCompletedMutation({
+        action: "accounts.user.set_expiry",
+        actor: auditActor(config.actor),
+        target: targetInfo,
+        metadata: { expiryDate: config.expiryDate },
+        result,
+      });
+    },
+    setProfile: async (config: { actor: AccountsActor; id: string; profile: UserProfile }) => {
+      const target = await users.getMinimal({ id: config.id });
+      const targetInfo = userTarget(target);
+      const adminError = await requireAdminActor<void>({ actor: config.actor, action: "accounts.user.set_profile", target: targetInfo });
+      if (adminError) return adminError;
+      const selfError = config.profile === "guest"
+        ? await requireDifferentActor<void>({
+            actor: config.actor,
+            targetUserId: config.id,
+            action: "accounts.user.set_profile",
+            target: targetInfo,
+            message: "You cannot demote your own account to guest.",
+          })
+        : null;
+      if (selfError) return selfError;
+      const result = fromMutationResult(await users.setProfile(config));
+      return recordCompletedMutation({
+        action: "accounts.user.set_profile",
+        actor: auditActor(config.actor),
+        target: targetInfo,
+        metadata: { profile: config.profile },
+        result,
+      });
+    },
+    setAdmin: async (config: { actor: AccountsActor; id: string; admin: boolean }) => {
+      const target = await users.getMinimal({ id: config.id });
+      const targetInfo = userTarget(target);
+      const adminError = await requireAdminActor<void>({ actor: config.actor, action: "accounts.user.set_admin", target: targetInfo });
+      if (adminError) return adminError;
+      const result = fromMutationResult(await users.setAdmin(config));
+      return recordCompletedMutation({
+        action: "accounts.user.set_admin",
+        actor: auditActor(config.actor),
+        target: targetInfo,
+        metadata: { admin: config.admin },
+        result,
+      });
+    },
+    switchProvider: async (config: { actor: AccountsActor; id: string; provider: UserProvider }) => {
+      const target = await users.getMinimal({ id: config.id });
+      const targetInfo = userTarget(target);
+      const adminError = await requireAdminActor<void>({ actor: config.actor, action: "accounts.user.switch_provider", target: targetInfo });
+      if (adminError) return adminError;
+      const selfError = await requireDifferentActor<void>({
+        actor: config.actor,
+        targetUserId: config.id,
+        action: "accounts.user.switch_provider",
+        target: targetInfo,
+        message: "You cannot switch your own account provider.",
+      });
+      if (selfError) return selfError;
+      const result = fromMutationResult(await users.switchProvider(config));
+      return recordCompletedMutation({
+        action: "accounts.user.switch_provider",
+        actor: auditActor(config.actor),
+        target: targetInfo,
+        metadata: { provider: config.provider },
+        result,
+      });
+    },
+    demoteToGuest: async (config: { actor: AccountsActor; id: string }) => {
+      const target = await users.getMinimal({ id: config.id });
+      const targetInfo = userTarget(target);
+      const adminError = await requireAdminActor<void>({ actor: config.actor, action: "accounts.user.demote_to_guest", target: targetInfo });
+      if (adminError) return adminError;
+      const selfError = await requireDifferentActor<void>({
+        actor: config.actor,
+        targetUserId: config.id,
+        action: "accounts.user.demote_to_guest",
+        target: targetInfo,
+        message: "You cannot demote your own account.",
+      });
+      if (selfError) return selfError;
+      const result = fromMutationResult(await users.demoteToGuest(config));
+      return recordCompletedMutation({
+        action: "accounts.user.demote_to_guest",
+        actor: auditActor(config.actor),
+        target: targetInfo,
+        result,
+      });
+    },
+    sendLoginLink: async (config: { actor: AccountsActor; id: string }) => {
+      const target = await users.getMinimal({ id: config.id });
+      const adminError = await requireAdminActor<void>({ actor: config.actor, action: "accounts.user.send_login_link", target: userTarget(target) });
+      if (adminError) return adminError;
+      const result = fromMutationResult(await users.sendLoginLink(config));
+      return recordCompletedMutation({
+        action: "accounts.user.send_login_link",
+        actor: auditActor(config.actor),
+        target: userTarget(target),
+        result,
+      });
+    },
+    createLoginToken: async (config: { actor: AccountsActor; id: string }) => {
+      const target = await users.getMinimal({ id: config.id });
+      const targetInfo = userTarget(target);
+      const adminError = await requireAdminActor<{ token: string; magicLink: string; expiresInSeconds: number }>({
+        actor: config.actor,
+        action: "accounts.user.create_login_token",
+        target: targetInfo,
+      });
+      if (adminError) return adminError;
+      const result = fromMutationResult(await users.createLoginToken(config));
+      await recordCompletedMutation({
+        action: "accounts.user.create_login_token",
+        actor: auditActor(config.actor),
+        target: targetInfo,
+        result: result.ok ? ok({ token: "[REDACTED]", magicLink: "[REDACTED]", expiresInSeconds: result.data.expiresInSeconds }) : result,
+      });
+      return result;
+    },
+    remove: async (config: { actor: AccountsActor; id: string }) => {
+      const target = await users.getMinimal({ id: config.id });
+      const targetInfo = userTarget(target);
+      const adminError = await requireAdminActor<void>({ actor: config.actor, action: "accounts.user.remove", target: targetInfo });
+      if (adminError) return adminError;
+      const selfError = await requireDifferentActor<void>({
+        actor: config.actor,
+        targetUserId: config.id,
+        action: "accounts.user.remove",
+        target: targetInfo,
+        message: "You cannot delete your own account.",
+      });
+      if (selfError) return selfError;
+      const result = fromMutationResult(await users.remove(config));
+      return recordCompletedMutation({
+        action: "accounts.user.remove",
+        actor: auditActor(config.actor),
+        target: targetInfo,
+        result,
       });
     },
-    update: async (config: { ipaSession?: string | null; id: string; data: Parameters<typeof users.update>[0]["data"] }) =>
-      fromMutationResult(await users.update(config)),
-    resetPassword: async (config: { ipaSession: string; id: string }) =>
-      fromMutationResult(await users.resetPassword(config)),
-    setExpiry: async (config: { ipaSession?: string | null; id: string; expiryDate: string | null }) =>
-      fromMutationResult(await users.setExpiry(config)),
-    setProfile: async (config: { id: string; profile: UserProfile }) =>
-      fromMutationResult(await users.setProfile(config)),
-    setAdmin: async (config: { id: string; admin: boolean }) =>
-      fromMutationResult(await users.setAdmin(config)),
-    switchProvider: async (config: { ipaSession: string; id: string; provider: UserProvider }) =>
-      fromMutationResult(await users.switchProvider(config)),
-    demoteToGuest: async (config: { ipaSession: string; id: string; actor: { userId: string; uid: string } }) =>
-      fromMutationResult(await users.demoteToGuest(config)),
-    sendLoginLink: async (config: { id: string }) => fromMutationResult(await users.sendLoginLink(config)),
-    createLoginToken: async (config: { id: string }) => fromMutationResult(await users.createLoginToken(config)),
-    remove: async (config: { ipaSession?: string | null; id: string; actor: { userId: string; uid: string } }) =>
-      fromMutationResult(await users.remove(config)),
     /**
      * Change an IPA user's own password. Verifies the current password via
@@ -422,19 +738,21 @@ export const accountsAppService = {
      * admin app is UI only and must not dispatch on provider or speak to
      * FreeIPA directly.
      */
-    changeOwnPassword: async (config: {
-      user: User;
-      currentPassword: string;
-      newPassword: string;
-    }): Promise<Result<void>> => {
-      if (!(await getFreeIpaConfig()).enabled) return fail(err.badInput("FreeIPA is disabled."));
+    changeOwnPassword: async (config: { user: User; currentPassword: string; newPassword: string }): Promise<Result<void>> => {
+      const actor = { userId: config.user.id, uid: config.user.uid, roles: config.user.roles, provider: config.user.provider };
+      if (!(await getFreeIpaConfig()).enabled) {
+        const result = fail(err.badInput("FreeIPA is disabled."));
+        return audit.recordResult({ action: "accounts.user.change_own_password", actor: auditActor(actor), target: userTarget(config.user), result });
+      }
       if (config.user.provider !== "ipa") {
-        return fail(err.badInput("Password change is only available for IPA accounts."));
+        const result = fail(err.badInput("Password change is only available for IPA accounts."));
+        return audit.recordResult({ action: "accounts.user.change_own_password", actor: auditActor(actor), target: userTarget(config.user), result });
       }
       const verify = await providers.ipa.auth.login(config.user.uid, config.currentPassword);
       if (verify.status !== "success") {
-        return fail(err.unauthenticated("Current password is incorrect."));
+        const result = fail(err.unauthenticated("Current password is incorrect."));
+        return audit.recordResult({ action: "accounts.user.change_own_password", actor: auditActor(actor), target: userTarget(config.user), result });
       }
       const result = await providers.ipa.auth.changePassword({
@@ -442,8 +760,8 @@ export const accountsAppService = {
         uid: config.user.uid,
         newPassword: config.newPassword,
       });
-      if (!result.ok) return fail(toServiceError(result.status, result.error));
-      return ok(undefined);
+      const serviceResult = result.ok ? ok(undefined) : fail(toServiceError(result.status, result.error));
+      return recordCompletedMutation({ action: "accounts.user.change_own_password", actor: auditActor(actor), target: userTarget(config.user), result: serviceResult });
     },
     /**
@@ -451,15 +769,18 @@ export const accountsAppService = {
      * callers must enforce that before calling. Dispatches to the correct
      * provider internally — callers should not branch on provider themselves.
      */
-    removeSelf: async (config: { user: User; ipaSession: string | null }): Promise<Result<void>> => {
-      const actor = { userId: config.user.id, uid: config.user.uid };
+    removeSelf: async (config: { user: User }): Promise<Result<void>> => {
+      const actor = { userId: config.user.id, uid: config.user.uid, roles: config.user.roles, provider: config.user.provider };
+      if (config.user.profile !== "guest") {
+        const result = fail(err.forbidden("Only guest accounts can be self-deleted."));
+        return audit.recordResult({ action: "accounts.user.remove_self", actor: auditActor(actor), target: userTarget(config.user), result });
+      }
       if (config.user.provider === "ipa") {
-        if (!config.ipaSession) return fail(err.unauthenticated("IPA session required."));
-        return fromMutationResult(
-          await providers.ipa.users.remove({ ipaSession: config.ipaSession, id: config.user.id, actor }),
-        );
+        const result = fromMutationResult(await users.remove({ id: config.user.id, actor }));
+        return recordCompletedMutation({ action: "accounts.user.remove_self", actor: auditActor(actor), target: userTarget(config.user), result });
       }
-      return fromMutationResult(await providers.local.users.remove({ id: config.user.id, actor }));
+      const result = fromMutationResult(await providers.local.users.remove({ id: config.user.id, actor }));
+      return recordCompletedMutation({ action: "accounts.user.remove_self", actor: auditActor(actor), target: userTarget(config.user), result });
     },
   },
@@ -511,26 +832,64 @@ export const accountsAppService = {
         });
         return paginateItems(filtered, config.pagination);
       },
-      add: async (config: { ipaSession?: string | null; id: string; provider?: UserProvider; userId?: string; groupId?: string }) =>
-        fromMutationResult(
+      add: async (config: { actor: AccountsActor; id: string; provider?: UserProvider; userId?: string; groupId?: string }) => {
+        const group = await groups.get({ id: config.id });
+        if (!group) {
+          const result = fail(err.notFound("Group not found"));
+          return audit.recordResult({
+            action: "accounts.group.member.add",
+            actor: auditActor(config.actor),
+            target: { type: "group", id: config.id },
+            result,
+          });
+        }
+        const accessError = await authorizeGroupMutation<void>({ actor: config.actor, group, action: "accounts.group.member.add" });
+        if (accessError) return accessError;
+        const result = fromMutationResult(
           await groups.addMember({
-            ipaSession: config.ipaSession,
             id: config.id,
             provider: config.provider,
             user: config.userId,
             group: config.groupId,
           }),
-        ),
-      remove: async (config: { ipaSession?: string | null; id: string; provider?: UserProvider; userId?: string; groupId?: string }) =>
-        fromMutationResult(
+        );
+        return recordCompletedMutation({
+          action: "accounts.group.member.add",
+          actor: auditActor(config.actor),
+          target: groupTarget(group),
+          metadata: { userId: config.userId ?? null, groupId: config.groupId ?? null },
+          result,
+        });
+      },
+      remove: async (config: { actor: AccountsActor; id: string; provider?: UserProvider; userId?: string; groupId?: string }) => {
+        const group = await groups.get({ id: config.id });
+        if (!group) {
+          const result = fail(err.notFound("Group not found"));
+          return audit.recordResult({
+            action: "accounts.group.member.remove",
+            actor: auditActor(config.actor),
+            target: { type: "group", id: config.id },
+            result,
+          });
+        }
+        const accessError = await authorizeGroupMutation<void>({ actor: config.actor, group, action: "accounts.group.member.remove" });
+        if (accessError) return accessError;
+        const result = fromMutationResult(
           await groups.removeMember({
-            ipaSession: config.ipaSession,
             id: config.id,
             provider: config.provider,
             user: config.userId,
             group: config.groupId,
           }),
-        ),
+        );
+        return recordCompletedMutation({
+          action: "accounts.group.member.remove",
+          actor: auditActor(config.actor),
+          target: groupTarget(group),
+          metadata: { userId: config.userId ?? null, groupId: config.groupId ?? null },
+          result,
+        });
+      },
     },
     manager: {
       list: async (config: {
@@ -550,26 +909,64 @@ export const accountsAppService = {
         });
         return paginateItems(filtered, config.pagination);
       },
-      add: async (config: { ipaSession?: string | null; id: string; provider?: UserProvider; userId?: string; groupId?: string }) =>
-        fromMutationResult(
+      add: async (config: { actor: AccountsActor; id: string; provider?: UserProvider; userId?: string; groupId?: string }) => {
+        const group = await groups.get({ id: config.id });
+        if (!group) {
+          const result = fail(err.notFound("Group not found"));
+          return audit.recordResult({
+            action: "accounts.group.manager.add",
+            actor: auditActor(config.actor),
+            target: { type: "group", id: config.id },
+            result,
+          });
+        }
+        const accessError = await requireAdminActor<void>({ actor: config.actor, action: "accounts.group.manager.add", target: groupTarget(group) });
+        if (accessError) return accessError;
+        const result = fromMutationResult(
           await groups.addManager({
-            ipaSession: config.ipaSession,
             id: config.id,
             provider: config.provider,
             user: config.userId,
             group: config.groupId,
           }),
-        ),
-      remove: async (config: { ipaSession?: string | null; id: string; provider?: UserProvider; userId?: string; groupId?: string }) =>
-        fromMutationResult(
+        );
+        return recordCompletedMutation({
+          action: "accounts.group.manager.add",
+          actor: auditActor(config.actor),
+          target: groupTarget(group),
+          metadata: { userId: config.userId ?? null, groupId: config.groupId ?? null },
+          result,
+        });
+      },
+      remove: async (config: { actor: AccountsActor; id: string; provider?: UserProvider; userId?: string; groupId?: string }) => {
+        const group = await groups.get({ id: config.id });
+        if (!group) {
+          const result = fail(err.notFound("Group not found"));
+          return audit.recordResult({
+            action: "accounts.group.manager.remove",
+            actor: auditActor(config.actor),
+            target: { type: "group", id: config.id },
+            result,
+          });
+        }
+        const accessError = await requireAdminActor<void>({ actor: config.actor, action: "accounts.group.manager.remove", target: groupTarget(group) });
+        if (accessError) return accessError;
+        const result = fromMutationResult(
           await groups.removeManager({
-            ipaSession: config.ipaSession,
             id: config.id,
             provider: config.provider,
             user: config.userId,
             group: config.groupId,
           }),
-        ),
+        );
+        return recordCompletedMutation({
+          action: "accounts.group.manager.remove",
+          actor: auditActor(config.actor),
+          target: groupTarget(group),
+          metadata: { userId: config.userId ?? null, groupId: config.groupId ?? null },
+          result,
+        });
+      },
     },
     parent: {
       list: async (config: {
@@ -595,14 +992,62 @@ export const accountsAppService = {
         return paginateItems(filtered, config.pagination);
       },
     },
-    create: async (config: { ipaSession?: string | null; provider: UserProvider; name: string; description?: string; posix?: boolean }) =>
-      fromMutationResult(await groups.create(config)),
-    update: async (config: { ipaSession?: string | null; id: string; provider?: UserProvider; description: string }) =>
-      fromMutationResult(await groups.update(config)),
-    remove: async (config: { ipaSession?: string | null; id: string; provider?: UserProvider }) =>
-      fromMutationResult(await groups.remove(config)),
-    makePosix: async (config: { ipaSession?: string | null; id: string; provider?: UserProvider }) =>
-      fromMutationResult(await groups.makePosix(config)),
+    create: async (config: { actor: AccountsActor; provider: UserProvider; name: string; description?: string; posix?: boolean }) => {
+      const adminError = await requireAdminActor<BaseGroup>({
+        actor: config.actor,
+        action: "accounts.group.create",
+        target: { type: "group", label: config.name, provider: config.provider },
+      });
+      if (adminError) return adminError;
+      const result = fromMutationResult(await groups.create(config));
+      return recordCompletedMutation({
+        action: "accounts.group.create",
+        actor: auditActor(config.actor),
+        target: result.ok ? groupTarget(result.data) : { type: "group", label: config.name, provider: config.provider },
+        metadata: { posix: config.posix ?? false },
+        result,
+      });
+    },
+    update: async (config: { actor: AccountsActor; id: string; provider?: UserProvider; description: string }) => {
+      const group = await groups.get({ id: config.id });
+      const target = groupTarget(group ?? { id: config.id, name: null, provider: config.provider ?? null });
+      const adminError = await requireAdminActor<void>({ actor: config.actor, action: "accounts.group.update", target });
+      if (adminError) return adminError;
+      const result = fromMutationResult(await groups.update(config));
+      return recordCompletedMutation({
+        action: "accounts.group.update",
+        actor: auditActor(config.actor),
+        target,
+        metadata: { changedFields: ["description"] },
+        result,
+      });
+    },
+    remove: async (config: { actor: AccountsActor; id: string; provider?: UserProvider }) => {
+      const group = await groups.get({ id: config.id });
+      const target = groupTarget(group ?? { id: config.id, name: null, provider: config.provider ?? null });
+      const adminError = await requireAdminActor<void>({ actor: config.actor, action: "accounts.group.remove", target });
+      if (adminError) return adminError;
+      const result = fromMutationResult(await groups.remove(config));
+      return recordCompletedMutation({
+        action: "accounts.group.remove",
+        actor: auditActor(config.actor),
+        target,
+        result,
+      });
+    },
+    makePosix: async (config: { actor: AccountsActor; id: string; provider?: UserProvider }) => {
+      const group = await groups.get({ id: config.id });
+      const target = groupTarget(group ?? { id: config.id, name: null, provider: config.provider ?? null });
+      const adminError = await requireAdminActor<{ gidnumber: number | null }>({ actor: config.actor, action: "accounts.group.make_posix", target });
+      if (adminError) return adminError;
+      const result = fromMutationResult(await groups.makePosix(config));
+      return recordCompletedMutation({
+        action: "accounts.group.make_posix",
+        actor: auditActor(config.actor),
+        target,
+        result,
+      });
+    },
   },
   entity: {
     list: async (config: {
@@ -613,6 +1058,7 @@ export const accountsAppService = {
       profile?: UserProfile;
       excludeUserIds?: string[];
       excludeGroupIds?: string[];
+      excludeServiceAccountIds?: string[];
       userMemberOfGroupIds?: string[];
       memberOfGroupId?: string;
       managerOfGroupId?: string;
@@ -628,6 +1074,7 @@ export const accountsAppService = {
         profile: config.profile,
         excludeUserIds: config.excludeUserIds,
         excludeGroupIds: config.excludeGroupIds,
+        excludeServiceAccountIds: config.excludeServiceAccountIds,
         userMemberOfGroupIds: config.userMemberOfGroupIds,
         memberOfGroupId: config.memberOfGroupId,
         managerOfGroupId: config.managerOfGroupId,
@@ -714,15 +1161,22 @@ export const accountsAppService = {
         createdAt: rows[0]!.created_at as Date,
       };
     },
-    create: async (config: { user: Pick<User, "id" | "mail" | "provider">; data: { phone?: string; comment?: string; acceptedAgb: true } }) => {
+    create: async (config: {
+      user: Pick<User, "id" | "uid" | "mail" | "provider" | "roles">;
+      data: { phone?: string; comment?: string; acceptedAgb: true };
+    }) => {
+      const actor = { userId: config.user.id, uid: config.user.uid, roles: config.user.roles, provider: config.user.provider };
       if (!(await getFreeIpaConfig()).enabled) {
-        return fail(err.badInput("FreeIPA is disabled"));
+        const result = fail(err.badInput("FreeIPA is disabled"));
+        return audit.recordResult({ action: "accounts.request.create", actor: auditActor(actor), target: { type: "account_request", label: config.user.mail }, result });
       }
       if (config.user.provider !== "local") {
-        return fail(err.forbidden("Only local accounts can request IPA-backed access"));
+        const result = fail(err.forbidden("Only local accounts can request IPA-backed access"));
+        return audit.recordResult({ action: "accounts.request.create", actor: auditActor(actor), target: { type: "account_request", label: config.user.mail }, result });
       }
       if (!config.user.mail) {
-        return fail(err.badInput("Your account has no email address"));
+        const result = fail(err.badInput("Your account has no email address"));
+        return audit.recordResult({ action: "accounts.request.create", actor: auditActor(actor), target: { type: "account_request", id: config.user.id }, result });
       }
       const existingRows: DbRow[] = await sql`
@@ -730,11 +1184,12 @@ export const accountsAppService = {
         WHERE user_id = ${config.user.id} AND status = 'pending'
       `;
       if (existingRows.length > 0) {
-        return fail({
+        const result = fail({
           code: "CONFLICT",
           message: "You already have a pending account request",
           status: 409,
         });
+        return audit.recordResult({ action: "accounts.request.create", actor: auditActor(actor), target: { type: "account_request", label: config.user.mail }, result });
       }
       try {
@@ -744,55 +1199,100 @@ export const accountsAppService = {
           RETURNING id
         `;
-        return ok({
-          id: rows[0]!.id as string,
+        const requestId = rows[0]!.id as string;
+        const result = ok({
+          id: requestId,
           message: "FreeIPA account request submitted",
         });
+        return audit.recordResultAfterSideEffect({
+          action: "accounts.request.create",
+          actor: auditActor(actor),
+          target: { type: "account_request", id: requestId, label: config.user.mail },
+          metadata: { hasPhone: !!config.data.phone, hasComment: !!config.data.comment },
+          result,
+        });
       } catch (error) {
         // Belt-and-suspenders: the partial unique index
         // uq_account_requests_one_pending_per_user closes the race between the
         // check above and the insert under concurrent submissions.
         if (isUniqueViolation(error, "uq_account_requests_one_pending_per_user")) {
-          return fail({
+          const result = fail({
             code: "CONFLICT",
             message: "You already have a pending account request",
             status: 409,
           });
+          return audit.recordResult({ action: "accounts.request.create", actor: auditActor(actor), target: { type: "account_request", label: config.user.mail }, result });
         }
         throw error;
       }
     },
-    withdraw: async (config: { id: string; userId: string }) => {
+    withdraw: async (config: { id: string; actor: AccountsActor }) => {
+      const deletedRows: DbRow[] = await sql`
+        DELETE FROM auth.account_requests
+        WHERE id = ${config.id}
+          AND user_id = ${config.actor.userId}::uuid
+          AND status = 'pending'
+        RETURNING id
+      `;
+      if (deletedRows.length > 0) {
+        return audit.recordResultAfterSideEffect({
+          action: "accounts.request.withdraw",
+          actor: auditActor(config.actor),
+          target: { type: "account_request", id: config.id },
+          result: ok(),
+        });
+      }
       const rows: DbRow[] = await sql`
         SELECT id, user_id, status FROM auth.account_requests WHERE id = ${config.id}
       `;
-      if (rows.length === 0) return fail(err.notFound("Request"));
+      if (rows.length === 0) {
+        const result = fail(err.notFound("Request"));
+        return audit.recordResult({ action: "accounts.request.withdraw", actor: auditActor(config.actor), target: { type: "account_request", id: config.id }, result });
+      }
       const request = rows[0]!;
-      if (request.user_id !== config.userId) return fail(err.forbidden("Access denied"));
-      if (request.status !== "pending") return fail(err.forbidden("Only pending requests can be withdrawn"));
-      await sql`DELETE FROM auth.account_requests WHERE id = ${config.id}`;
-      return ok();
+      if (request.user_id !== config.actor.userId) {
+        const result = fail(err.forbidden("Access denied"));
+        return audit.recordResult({ action: "accounts.request.withdraw", actor: auditActor(config.actor), target: { type: "account_request", id: config.id }, result });
+      }
+      if (request.status !== "pending") {
+        const result = fail(err.forbidden("Only pending requests can be withdrawn"));
+        return audit.recordResult({ action: "accounts.request.withdraw", actor: auditActor(config.actor), target: { type: "account_request", id: config.id }, result });
+      }
+      const result = fail(err.conflict("Account request could not be withdrawn. Please retry."));
+      return audit.recordResult({ action: "accounts.request.withdraw", actor: auditActor(config.actor), target: { type: "account_request", id: config.id }, result });
     },
-    deny: async (config: { id: string; reason?: string; processedBy: string }) => {
+    deny: async (config: { id: string; reason?: string; actor: AccountsActor }) => {
+      const adminError = await requireAdminActor<void>({
+        actor: config.actor,
+        action: "accounts.request.deny",
+        target: { type: "account_request", id: config.id },
+      });
+      if (adminError) return adminError;
       const rows: DbRow[] = await sql`
-        SELECT r.id, r.user_id, r.status, u.mail AS email, u.given_name AS first_name
-        FROM auth.account_requests r
-        JOIN auth.users u ON u.id = r.user_id
+        UPDATE auth.account_requests r
+        SET status = 'denied', denied_reason = ${config.reason ?? null}, processed_at = now(), processed_by = ${config.actor.userId}
+        FROM auth.users u
         WHERE r.id = ${config.id}
+          AND r.status = 'pending'
+          AND u.id = r.user_id
+        RETURNING r.id, r.user_id, r.status, u.mail AS email, u.given_name AS first_name
       `;
-      if (rows.length === 0) return fail(err.notFound("Request"));
+      if (rows.length === 0) {
+        const currentRows: DbRow[] = await sql`
+          SELECT id, status FROM auth.account_requests WHERE id = ${config.id}
+        `;
+        if (currentRows.length === 0) {
+          const result = fail(err.notFound("Request"));
+          return audit.recordResult({ action: "accounts.request.deny", actor: auditActor(config.actor), target: { type: "account_request", id: config.id }, result });
+        }
+        const result = fail(err.badInput("Only pending requests can be denied"));
+        return audit.recordResult({ action: "accounts.request.deny", actor: auditActor(config.actor), target: { type: "account_request", id: config.id }, result });
+      }
       const request = rows[0]!;
-      if (request.status !== "pending") return fail(err.badInput("Only pending requests can be denied"));
-      await sql`
-        UPDATE auth.account_requests
-        SET status = 'denied', denied_reason = ${config.reason ?? null}, processed_at = now(), processed_by = ${config.processedBy}
-        WHERE id = ${config.id}
-      `;
       if (config.reason) {
         const template = await settings.get<string>("mail.account_request_denial");
@@ -810,11 +1310,17 @@ export const accountsAppService = {
             APP_NAME: appName,
           }),
           autoSend: true,
-          sentBy: config.processedBy,
+          sentBy: config.actor.userId,
         });
       }
-      return ok();
+      return audit.recordResultAfterSideEffect({
+        action: "accounts.request.deny",
+        actor: auditActor(config.actor),
+        target: { type: "account_request", id: config.id, label: request.email as string },
+        metadata: { hasReason: !!config.reason },
+        result: ok(),
+      });
     },
   },
@@ -924,10 +1430,7 @@ export const accountsAppService = {
       return mapSummary(rows[0] ?? {});
     },
     activity: async (): Promise<LogEntry[]> => {
-      const result = await logging.list(
-        { page: 1, perPage: 15, offset: 0 },
-        { sources: [...ACTIVITY_SOURCES] },
-      );
+      const result = await logging.list({ page: 1, perPage: 15, offset: 0 }, { sources: [...ACTIVITY_SOURCES] });
       return result.entries;
     },
   },
@@ -944,21 +1447,6 @@ export const accountsAppService = {
     runGuestBackfill: async (): Promise<string> => lifecycleJobs.submitGuestBackfill(),
     runReminders: async (): Promise<string> => lifecycleJobs.submitReminderRun(),
   },
-  /**
-   * Obtain a privileged FreeIPA service session for operations performed on
-   * behalf of the system (e.g. a local group manager mutating an IPA group
-   * they don't personally own). Exposed through the facade so admin UIs
-   * never import `providers.*` directly.
-   */
-  getServiceIpaSession: async (): Promise<Result<string>> => {
-    if (!(await getFreeIpaConfig()).enabled) return fail(err.badInput("FreeIPA is disabled."));
-    try {
-      return ok(await providers.ipa.auth.getServiceSession());
-    } catch {
-      return fail(err.internal("Internal FreeIPA session unavailable."));
-    }
-  },
 } as const;
 export type AccountsAppService = typeof accountsAppService;