@camstack/types 0.1.30 → 0.1.32

package/dist/schemas/auth-records.d.ts

@@ -11,26 +11,20 @@
  */
 import { z } from 'zod';
 /**
- * Roles in the caps-only auth model.
+ * Auth model (v2 — 2026-05-12 caps-only):
  *
- *   - `admin`  — unrestricted; bypasses the scope check. The only escape
- *     hatch. Replaces the retired `super_admin`.
- *   - `viewer` — non-admin human; MUST have scopes (empty = no access).
- *   - `agent`  — agent-process credential; MUST have scopes for hub calls.
- *   - `scoped` — synthetic role for `cst_*` token callers; no users-table
- *     row; `userId` references the human who minted the token.
+ * Two principals:
+ *   - `isAdmin: true`  — full bypass. Admin scope set is ignored.
+ *   - `isAdmin: false` — every call gated by `scopes` (see TokenScope).
  *
- * `super_admin` was removed when scope semantics collapsed into one
- * model (admin == owner of everything). The local-auth migration
- * silently rewrites `super_admin` rows to `admin` on first boot.
+ * No role enum. There used to be `viewer / agent / scoped` and earlier
+ * `super_admin` — collapsed onto the single boolean because every
+ * non-admin caller is governed by the same scope-check rules; the
+ * distinction was only ever used to route role-specific procedures
+ * which we no longer have. Agents are admin sessions issued via
+ * `createServiceToken`; CLI / webhook integrations are `cst_*` tokens
+ * with `isAdmin: false` + an explicit scope list.
  */
-export declare const UserRoleSchema: z.ZodEnum<{
-    admin: "admin";
-    viewer: "viewer";
-    agent: "agent";
-    scoped: "scoped";
-}>;
-export type UserRole = z.infer<typeof UserRoleSchema>;
 /** Per-method access flavour. Materialised on every cap method via codegen. */
 export declare const MethodAccessSchema: z.ZodEnum<{
     view: "view";
@@ -38,49 +32,91 @@ export declare const MethodAccessSchema: z.ZodEnum<{
     delete: "delete";
 }>;
 export type MethodAccess = z.infer<typeof MethodAccessSchema>;
-/**
- * A single scope grant. `type` is `addon | capability` only — the
- * legacy `route-prefix` form is gone (every endpoint lives behind a cap,
- * by codegen contract). `access` is REQUIRED with min 1 element; "give
- * me everything" is expressed by the `admin` role, not a wildcard scope.
- */
-export declare const TokenScopeSchema: z.ZodObject<{
-    type: z.ZodEnum<{
-        addon: "addon";
-        capability: "capability";
+export declare const CapScopeSchema: z.ZodEnum<{
+    system: "system";
+    device: "device";
+}>;
+export type CapScope = z.infer<typeof CapScopeSchema>;
+export declare const TokenScopeSchema: z.ZodDiscriminatedUnion<[z.ZodObject<{
+    type: z.ZodLiteral<"category">;
+    target: z.ZodEnum<{
+        system: "system";
+        device: "device";
     }>;
+    access: z.ZodArray<z.ZodEnum<{
+        view: "view";
+        create: "create";
+        delete: "delete";
+    }>>;
+}, z.core.$strip>, z.ZodObject<{
+    type: z.ZodLiteral<"capability">;
     target: z.ZodString;
     access: z.ZodArray<z.ZodEnum<{
         view: "view";
         create: "create";
         delete: "delete";
     }>>;
-}, z.core.$strip>;
+}, z.core.$strip>, z.ZodObject<{
+    type: z.ZodLiteral<"addon">;
+    target: z.ZodString;
+    access: z.ZodArray<z.ZodEnum<{
+        view: "view";
+        create: "create";
+        delete: "delete";
+    }>>;
+}, z.core.$strip>, z.ZodObject<{
+    type: z.ZodLiteral<"device">;
+    targets: z.ZodArray<z.ZodString>;
+    access: z.ZodArray<z.ZodEnum<{
+        view: "view";
+        create: "create";
+        delete: "delete";
+    }>>;
+}, z.core.$strip>], "type">;
 export type TokenScope = z.infer<typeof TokenScopeSchema>;
 export declare const UserRecordSchema: z.ZodObject<{
     id: z.ZodString;
     username: z.ZodString;
     passwordHash: z.ZodString;
-    role: z.ZodEnum<{
-        admin: "admin";
-        viewer: "viewer";
-        agent: "agent";
-        scoped: "scoped";
-    }>;
+    isAdmin: z.ZodDefault<z.ZodBoolean>;
     allowedProviders: z.ZodUnion<readonly [z.ZodLiteral<"*">, z.ZodArray<z.ZodString>]>;
     allowedDevices: z.ZodRecord<z.ZodString, z.ZodUnion<readonly [z.ZodLiteral<"*">, z.ZodArray<z.ZodString>]>>;
-    scopes: z.ZodDefault<z.ZodArray<z.ZodObject<{
-        type: z.ZodEnum<{
-            addon: "addon";
-            capability: "capability";
+    scopes: z.ZodDefault<z.ZodArray<z.ZodDiscriminatedUnion<[z.ZodObject<{
+        type: z.ZodLiteral<"category">;
+        target: z.ZodEnum<{
+            system: "system";
+            device: "device";
         }>;
+        access: z.ZodArray<z.ZodEnum<{
+            view: "view";
+            create: "create";
+            delete: "delete";
+        }>>;
+    }, z.core.$strip>, z.ZodObject<{
+        type: z.ZodLiteral<"capability">;
         target: z.ZodString;
         access: z.ZodArray<z.ZodEnum<{
             view: "view";
             create: "create";
             delete: "delete";
         }>>;
-    }, z.core.$strip>>>;
+    }, z.core.$strip>, z.ZodObject<{
+        type: z.ZodLiteral<"addon">;
+        target: z.ZodString;
+        access: z.ZodArray<z.ZodEnum<{
+            view: "view";
+            create: "create";
+            delete: "delete";
+        }>>;
+    }, z.core.$strip>, z.ZodObject<{
+        type: z.ZodLiteral<"device">;
+        targets: z.ZodArray<z.ZodString>;
+        access: z.ZodArray<z.ZodEnum<{
+            view: "view";
+            create: "create";
+            delete: "delete";
+        }>>;
+    }, z.core.$strip>], "type">>>;
     createdAt: z.ZodNumber;
     updatedAt: z.ZodNumber;
 }, z.core.$strip>;
@@ -88,12 +124,7 @@ export type UserRecord = z.infer<typeof UserRecordSchema>;
 export declare const ApiKeyRecordSchema: z.ZodObject<{
     id: z.ZodString;
     label: z.ZodString;
-    role: z.ZodEnum<{
-        admin: "admin";
-        viewer: "viewer";
-        agent: "agent";
-        scoped: "scoped";
-    }>;
+    isAdmin: z.ZodDefault<z.ZodBoolean>;
     allowedProviders: z.ZodUnion<readonly [z.ZodLiteral<"*">, z.ZodArray<z.ZodString>]>;
     allowedDevices: z.ZodRecord<z.ZodString, z.ZodUnion<readonly [z.ZodLiteral<"*">, z.ZodArray<z.ZodString>]>>;
     tokenHash: z.ZodString;
@@ -108,18 +139,42 @@ export declare const ScopedTokenSchema: z.ZodObject<{
     name: z.ZodString;
     tokenHash: z.ZodString;
     tokenPrefix: z.ZodString;
-    scopes: z.ZodArray<z.ZodObject<{
-        type: z.ZodEnum<{
-            addon: "addon";
-            capability: "capability";
+    scopes: z.ZodArray<z.ZodDiscriminatedUnion<[z.ZodObject<{
+        type: z.ZodLiteral<"category">;
+        target: z.ZodEnum<{
+            system: "system";
+            device: "device";
         }>;
+        access: z.ZodArray<z.ZodEnum<{
+            view: "view";
+            create: "create";
+            delete: "delete";
+        }>>;
+    }, z.core.$strip>, z.ZodObject<{
+        type: z.ZodLiteral<"capability">;
         target: z.ZodString;
         access: z.ZodArray<z.ZodEnum<{
             view: "view";
             create: "create";
             delete: "delete";
         }>>;
-    }, z.core.$strip>>;
+    }, z.core.$strip>, z.ZodObject<{
+        type: z.ZodLiteral<"addon">;
+        target: z.ZodString;
+        access: z.ZodArray<z.ZodEnum<{
+            view: "view";
+            create: "create";
+            delete: "delete";
+        }>>;
+    }, z.core.$strip>, z.ZodObject<{
+        type: z.ZodLiteral<"device">;
+        targets: z.ZodArray<z.ZodString>;
+        access: z.ZodArray<z.ZodEnum<{
+            view: "view";
+            create: "create";
+            delete: "delete";
+        }>>;
+    }, z.core.$strip>], "type">>;
     expiresAt: z.ZodOptional<z.ZodNullable<z.ZodNumber>>;
     lastUsedAt: z.ZodOptional<z.ZodNullable<z.ZodNumber>>;
     createdAt: z.ZodNumber;

package/dist/schemas/auth-records.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"auth-records.d.ts","sourceRoot":"","sources":["../../src/schemas/auth-records.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AACH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAIvB;;;;;;;;;;;;;GAaG;AACH,eAAO,MAAM,cAAc;;;;;EAAiD,CAAA;AAC5E,MAAM,MAAM,QAAQ,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,cAAc,CAAC,CAAA;AAKrD,+EAA+E;AAC/E,eAAO,MAAM,kBAAkB;;;;EAAuC,CAAA;AACtE,MAAM,MAAM,YAAY,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAA;AAE7D;;;;;GAKG;AACH,eAAO,MAAM,gBAAgB;;;;;;;;;;;iBAI3B,CAAA;AACF,MAAM,MAAM,UAAU,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAA;AAEzD,eAAO,MAAM,gBAAgB;;;;;;;;;;;;;;;;;;;;;;;;;;iBAe3B,CAAA;AACF,MAAM,MAAM,UAAU,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAA;AAEzD,eAAO,MAAM,kBAAkB;;;;;;;;;;;;;;;iBAU7B,CAAA;AACF,MAAM,MAAM,YAAY,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAA;AAI7D,eAAO,MAAM,iBAAiB;;;;;;;;;;;;;;;;;;;;;iBAY5B,CAAA;AACF,MAAM,MAAM,WAAW,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAA"}
+{"version":3,"file":"auth-records.d.ts","sourceRoot":"","sources":["../../src/schemas/auth-records.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AACH,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAA;AAIvB;;;;;;;;;;;;;;GAcG;AAEH,+EAA+E;AAC/E,eAAO,MAAM,kBAAkB;;;;EAAuC,CAAA;AACtE,MAAM,MAAM,YAAY,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAA;AA0B7D,eAAO,MAAM,cAAc;;;EAA+B,CAAA;AAC1D,MAAM,MAAM,QAAQ,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,cAAc,CAAC,CAAA;AAErD,eAAO,MAAM,gBAAgB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;2BA2B3B,CAAA;AACF,MAAM,MAAM,UAAU,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAA;AAEzD,eAAO,MAAM,gBAAgB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;iBAoB3B,CAAA;AACF,MAAM,MAAM,UAAU,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,gBAAgB,CAAC,CAAA;AAEzD,eAAO,MAAM,kBAAkB;;;;;;;;;;iBAU7B,CAAA;AACF,MAAM,MAAM,YAAY,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,kBAAkB,CAAC,CAAA;AAI7D,eAAO,MAAM,iBAAiB;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;iBAY5B,CAAA;AACF,MAAM,MAAM,WAAW,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,iBAAiB,CAAC,CAAA"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@camstack/types",
-  "version": "0.1.30",
+  "version": "0.1.32",
   "description": "Shared types, interfaces, and model catalogs for the CamStack detection ecosystem",
   "keywords": [
     "camstack",