auth/permit_offer_actions.ts

Permit offer RPC action handlers — the consentful-permits action surface.

Seven actions: six offer-lifecycle methods (create / accept / decline / retract / list / history) plus permit_revoke (admin-only). All mount on a consumer's JSON-RPC endpoint via create_rpc_endpoint. The action specs themselves live in auth/permit_offer_action_specs.ts. Mutations declare side_effects: true so the RPC dispatcher wraps the handler in a DB transaction; permit_offer_list and permit_offer_history declare side_effects: false so they are addressable via GET.

Authorization: - permit_offer_create — the grantor must hold an active permit for the role being offered, and that role must be web_grantable. Consumers needing a richer policy (e.g., "teacher may offer student in *their* classroom") pass an authorize callback that overrides the default. - permit_offer_accept / permit_offer_decline — keyed to the caller's account; query_* helpers enforce the IDOR guard. - permit_offer_retract — keyed to the caller's actor. - permit_offer_list / permit_offer_history — self by default; {account_id} is admin-only. - permit_revoke — spec-level auth: {role: 'admin'}; the RPC dispatcher rejects non-admin callers before the handler runs. web_grantable gate prevents revoking keeper/daemon-scoped roles via this surface. Keys on actor_id to survive multi-actor accounts.

Audit events are emitted in-transaction by the query layer (atomic with the permit write on accept/revoke) or by the handler via audit_log_fire_and_forget for single-event lifecycle transitions. on_audit_event (SSE broadcast) fires post-commit in both paths.

WS notifications fan out post-commit via emit_after_commit when a notification_sender is wired: offer lifecycle transitions notify the counterparty, permit_revoke notifies the revokee plus each superseded pending offer's grantor.