@checkstack/auth-common 0.1.0 → 0.3.0

package/CHANGELOG.md

@@ -1,5 +1,138 @@
 # @checkstack/auth-common
 
+## 0.3.0
+
+### Minor Changes
+
+- 7a23261: ## TanStack Query Integration
+
+  Migrated all frontend components to use `usePluginClient` hook with TanStack Query integration, replacing the legacy `forPlugin()` pattern.
+
+  ### New Features
+
+  - **`usePluginClient` hook**: Provides type-safe access to plugin APIs with `.useQuery()` and `.useMutation()` methods
+  - **Automatic request deduplication**: Multiple components requesting the same data share a single network request
+  - **Built-in caching**: Configurable stale time and cache duration per query
+  - **Loading/error states**: TanStack Query provides `isLoading`, `error`, `isRefetching` states automatically
+  - **Background refetching**: Stale data is automatically refreshed when components mount
+
+  ### Contract Changes
+
+  All RPC contracts now require `operationType: "query"` or `operationType: "mutation"` metadata:
+
+  ```typescript
+  const getItems = proc()
+    .meta({ operationType: "query", access: [access.read] })
+    .output(z.array(itemSchema))
+    .query();
+
+  const createItem = proc()
+    .meta({ operationType: "mutation", access: [access.manage] })
+    .input(createItemSchema)
+    .output(itemSchema)
+    .mutation();
+  ```
+
+  ### Migration
+
+  ```typescript
+  // Before (forPlugin pattern)
+  const api = useApi(myPluginApiRef);
+  const [items, setItems] = useState<Item[]>([]);
+  useEffect(() => {
+    api.getItems().then(setItems);
+  }, [api]);
+
+  // After (usePluginClient pattern)
+  const client = usePluginClient(MyPluginApi);
+  const { data: items, isLoading } = client.getItems.useQuery({});
+  ```
+
+  ### Bug Fixes
+
+  - Fixed `rpc.test.ts` test setup for middleware type inference
+  - Fixed `SearchDialog` to use `setQuery` instead of deprecated `search` method
+  - Fixed null→undefined warnings in notification and queue frontends
+
+### Patch Changes
+
+- Updated dependencies [7a23261]
+  - @checkstack/common@0.3.0
+
+## 0.2.0
+
+### Minor Changes
+
+- 9faec1f: # Unified AccessRule Terminology Refactoring
+
+  This release completes a comprehensive terminology refactoring from "permission" to "accessRule" across the entire codebase, establishing a consistent and modern access control vocabulary.
+
+  ## Changes
+
+  ### Core Infrastructure (`@checkstack/common`)
+
+  - Introduced `AccessRule` interface as the primary access control type
+  - Added `accessPair()` helper for creating read/manage access rule pairs
+  - Added `access()` builder for individual access rules
+  - Replaced `Permission` type with `AccessRule` throughout
+
+  ### API Changes
+
+  - `env.registerPermissions()` → `env.registerAccessRules()`
+  - `meta.permissions` → `meta.access` in RPC contracts
+  - `usePermission()` → `useAccess()` in frontend hooks
+  - Route `permission:` field → `accessRule:` field
+
+  ### UI Changes
+
+  - "Roles & Permissions" tab → "Roles & Access Rules"
+  - "You don't have permission..." → "You don't have access..."
+  - All permission-related UI text updated
+
+  ### Documentation & Templates
+
+  - Updated 18 documentation files with AccessRule terminology
+  - Updated 7 scaffolding templates with `accessPair()` pattern
+  - All code examples use new AccessRule API
+
+  ## Migration Guide
+
+  ### Backend Plugins
+
+  ```diff
+  - import { permissionList } from "./permissions";
+  - env.registerPermissions(permissionList);
+  + import { accessRules } from "./access";
+  + env.registerAccessRules(accessRules);
+  ```
+
+  ### RPC Contracts
+
+  ```diff
+  - .meta({ userType: "user", permissions: [permissions.read.id] })
+  + .meta({ userType: "user", access: [access.read] })
+  ```
+
+  ### Frontend Hooks
+
+  ```diff
+  - const canRead = accessApi.usePermission(permissions.read.id);
+  + const canRead = accessApi.useAccess(access.read);
+  ```
+
+  ### Routes
+
+  ```diff
+  - permission: permissions.entityRead.id,
+  + accessRule: access.read,
+  ```
+
+### Patch Changes
+
+- Updated dependencies [9faec1f]
+- Updated dependencies [f533141]
+  - @checkstack/common@0.2.0
+
 ## 0.1.0
 
 ### Minor Changes

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@checkstack/auth-common",
-  "version": "0.1.0",
+  "version": "0.3.0",
   "type": "module",
   "exports": {
     ".": {

package/src/access.ts

@@ -0,0 +1,91 @@
+import { access, accessPair, type AccessRule } from "@checkstack/common";
+
+/**
+ * Access rules for the Auth plugin.
+ *
+ * Auth has fine-grained access rules for different operations
+ * on users, roles, teams, strategies, etc.
+ */
+export const authAccess = {
+  /**
+   * User management access rules.
+   */
+  users: {
+    read: access("users", "read", "List all users"),
+    create: access(
+      "users.create",
+      "manage",
+      "Create new users (credential strategy)"
+    ),
+    manage: access("users", "manage", "Delete users"),
+  },
+
+  /**
+   * Role management access rules.
+   */
+  roles: {
+    read: access("roles", "read", "Read and list roles"),
+    create: access("roles.create", "manage", "Create new roles"),
+    update: access(
+      "roles.update",
+      "manage",
+      "Update role names and access rules"
+    ),
+    delete: access("roles.delete", "manage", "Delete roles"),
+    manage: access("roles", "manage", "Assign roles to users"),
+  },
+
+  /**
+   * Authentication strategy management.
+   */
+  strategies: access(
+    "strategies",
+    "manage",
+    "Manage authentication strategies and settings"
+  ),
+
+  /**
+   * Registration settings management.
+   */
+  registration: access(
+    "registration",
+    "manage",
+    "Manage user registration settings"
+  ),
+
+  /**
+   * External application management.
+   */
+  applications: access(
+    "applications",
+    "manage",
+    "Create, update, delete, and view external applications"
+  ),
+
+  /**
+   * Team management access rules.
+   */
+  teams: accessPair("teams", {
+    read: "View teams and team memberships",
+    manage: "Create, delete, and manage all teams and resource access",
+  }),
+};
+
+/**
+ * All access rules for registration with the plugin system.
+ */
+export const authAccessRules: AccessRule[] = [
+  authAccess.users.read,
+  authAccess.users.create,
+  authAccess.users.manage,
+  authAccess.roles.read,
+  authAccess.roles.create,
+  authAccess.roles.update,
+  authAccess.roles.delete,
+  authAccess.roles.manage,
+  authAccess.strategies,
+  authAccess.registration,
+  authAccess.applications,
+  authAccess.teams.read,
+  authAccess.teams.manage,
+];

package/src/index.ts

@@ -1,4 +1,4 @@
-export * from "./permissions";
+export * from "./access";
 export * from "./rpc-contract";
 export * from "./plugin-metadata";
 export * from "./schemas";

package/src/rpc-contract.ts

@@ -1,16 +1,12 @@
-import { oc } from "@orpc/contract";
 import {
   createClientDefinition,
-  type ProcedureMetadata,
+  proc,
   lucideIconSchema,
 } from "@checkstack/common";
 import { z } from "zod";
-import { permissions } from "./permissions";
+import { authAccess } from "./access";
 import { pluginMetadata } from "./plugin-metadata";
 
-// Base builder with full metadata support
-const _base = oc.$meta<ProcedureMetadata>({});
-
 // Zod schemas for return types
 const UserDtoSchema = z.object({
   id: z.string(),
@@ -23,12 +19,12 @@ const RoleDtoSchema = z.object({
   id: z.string(),
   name: z.string(),
   description: z.string().optional().nullable(),
-  permissions: z.array(z.string()),
+  accessRules: z.array(z.string()),
   isSystem: z.boolean().optional(),
-  isAssignable: z.boolean().optional(), // False for anonymous role
+  isAssignable: z.boolean().optional(),
 });
 
-const PermissionDtoSchema = z.object({
+const AccessRuleDtoSchema = z.object({
   id: z.string(),
   description: z.string().optional(),
 });
@@ -40,9 +36,9 @@ const StrategyDtoSchema = z.object({
   icon: lucideIconSchema.optional(),
   enabled: z.boolean(),
   configVersion: z.number(),
-  configSchema: z.record(z.string(), z.unknown()), // JSON Schema representation
-  config: z.record(z.string(), z.unknown()).optional(), // VersionedConfig.data (secrets redacted)
-  adminInstructions: z.string().optional(), // Markdown instructions for admins
+  configSchema: z.record(z.string(), z.unknown()),
+  config: z.record(z.string(), z.unknown()).optional(),
+  adminInstructions: z.string().optional(),
 });
 
 const EnabledStrategyDtoSchema = z.object({
@@ -58,32 +54,25 @@ const RegistrationStatusSchema = z.object({
   allowRegistration: z.boolean(),
 });
 
-// ==========================================================================
-// SERVICE-TO-SERVICE SCHEMAS (for auth provider plugins like LDAP)
-// ==========================================================================
-
+// Service-to-service schemas
 const FindUserByEmailInputSchema = z.object({
   email: z.string().email(),
 });
 
-const FindUserByEmailOutputSchema = z
-  .object({
-    id: z.string(),
-  })
-  .optional();
+const FindUserByEmailOutputSchema = z.object({ id: z.string() }).optional();
 
 const UpsertExternalUserInputSchema = z.object({
   email: z.string().email(),
   name: z.string(),
-  providerId: z.string(), // e.g., "ldap"
-  accountId: z.string(), // Provider-specific account ID (e.g., LDAP username)
-  password: z.string(), // Hashed password
-  autoUpdateUser: z.boolean().optional(), // Update existing user's name
+  providerId: z.string(),
+  accountId: z.string(),
+  password: z.string(),
+  autoUpdateUser: z.boolean().optional(),
 });
 
 const UpsertExternalUserOutputSchema = z.object({
   userId: z.string(),
-  created: z.boolean(), // true if new user was created, false if existing
+  created: z.boolean(),
 });
 
 const CreateSessionInputSchema = z.object({
@@ -95,7 +84,7 @@ const CreateSessionInputSchema = z.object({
 const CreateCredentialUserInputSchema = z.object({
   email: z.string().email(),
   name: z.string().min(1),
-  password: z.string(), // Validated against passwordSchema on backend
+  password: z.string(),
 });
 
 const CreateCredentialUserOutputSchema = z.object({
@@ -106,103 +95,132 @@ const CreateCredentialUserOutputSchema = z.object({
 export const authContract = {
   // ==========================================================================
   // ANONYMOUS ENDPOINTS (userType: "anonymous")
-  // These can be called without authentication (login/registration pages)
   // ==========================================================================
 
-  getEnabledStrategies: _base
-    .meta({ userType: "anonymous" })
-    .output(z.array(EnabledStrategyDtoSchema)),
+  getEnabledStrategies: proc({
+    operationType: "query",
+    userType: "anonymous",
+    access: [],
+  }).output(z.array(EnabledStrategyDtoSchema)),
 
-  getRegistrationStatus: _base
-    .meta({ userType: "anonymous" })
-    .output(RegistrationStatusSchema),
+  getRegistrationStatus: proc({
+    operationType: "query",
+    userType: "anonymous",
+    access: [],
+  }).output(RegistrationStatusSchema),
 
   // ==========================================================================
-  // AUTHENTICATED ENDPOINTS (userType: "authenticated" - no specific permission)
+  // AUTHENTICATED ENDPOINTS (userType: "authenticated")
   // ==========================================================================
 
-  permissions: _base
-    .meta({ userType: "authenticated" }) // Any authenticated user can check their own permissions
-    .output(z.object({ permissions: z.array(z.string()) })),
+  accessRules: proc({
+    operationType: "query",
+    userType: "authenticated",
+    access: [],
+  }).output(z.object({ accessRules: z.array(z.string()) })),
 
   // ==========================================================================
-  // USER MANAGEMENT (userType: "user" with permissions)
+  // USER MANAGEMENT (userType: "user" with access)
   // ==========================================================================
 
-  getUsers: _base
-    .meta({ userType: "user", permissions: [permissions.usersRead.id] })
-    .output(z.array(UserDtoSchema)),
+  getUsers: proc({
+    operationType: "query",
+    userType: "user",
+    access: [authAccess.users.read],
+  }).output(z.array(UserDtoSchema)),
 
-  deleteUser: _base
-    .meta({ userType: "user", permissions: [permissions.usersManage.id] })
+  deleteUser: proc({
+    operationType: "mutation",
+    userType: "user",
+    access: [authAccess.users.manage],
+  })
     .input(z.string())
     .output(z.void()),
 
-  createCredentialUser: _base
-    .meta({ userType: "user", permissions: [permissions.usersCreate.id] })
+  createCredentialUser: proc({
+    operationType: "mutation",
+    userType: "user",
+    access: [authAccess.users.create],
+  })
     .input(CreateCredentialUserInputSchema)
     .output(CreateCredentialUserOutputSchema),
 
-  updateUserRoles: _base
-    .meta({ userType: "user", permissions: [permissions.usersManage.id] })
-    .input(
-      z.object({
-        userId: z.string(),
-        roles: z.array(z.string()),
-      })
-    )
+  updateUserRoles: proc({
+    operationType: "mutation",
+    userType: "user",
+    access: [authAccess.users.manage],
+  })
+    .input(z.object({ userId: z.string(), roles: z.array(z.string()) }))
     .output(z.void()),
 
   // ==========================================================================
-  // ROLE MANAGEMENT (userType: "user" with permissions)
+  // ROLE MANAGEMENT (userType: "user" with access)
   // ==========================================================================
 
-  getRoles: _base
-    .meta({ userType: "user", permissions: [permissions.rolesRead.id] })
-    .output(z.array(RoleDtoSchema)),
-
-  getPermissions: _base
-    .meta({ userType: "user", permissions: [permissions.rolesRead.id] })
-    .output(z.array(PermissionDtoSchema)),
-
-  createRole: _base
-    .meta({ userType: "user", permissions: [permissions.rolesCreate.id] })
+  getRoles: proc({
+    operationType: "query",
+    userType: "user",
+    access: [authAccess.roles.read],
+  }).output(z.array(RoleDtoSchema)),
+
+  getAccessRules: proc({
+    operationType: "query",
+    userType: "user",
+    access: [authAccess.roles.read],
+  }).output(z.array(AccessRuleDtoSchema)),
+
+  createRole: proc({
+    operationType: "mutation",
+    userType: "user",
+    access: [authAccess.roles.create],
+  })
     .input(
       z.object({
         name: z.string(),
         description: z.string().optional(),
-        permissions: z.array(z.string()),
+        accessRules: z.array(z.string()),
       })
     )
     .output(z.void()),
 
-  updateRole: _base
-    .meta({ userType: "user", permissions: [permissions.rolesUpdate.id] })
+  updateRole: proc({
+    operationType: "mutation",
+    userType: "user",
+    access: [authAccess.roles.update],
+  })
     .input(
       z.object({
         id: z.string(),
         name: z.string().optional(),
         description: z.string().optional(),
-        permissions: z.array(z.string()),
+        accessRules: z.array(z.string()),
       })
     )
     .output(z.void()),
 
-  deleteRole: _base
-    .meta({ userType: "user", permissions: [permissions.rolesDelete.id] })
+  deleteRole: proc({
+    operationType: "mutation",
+    userType: "user",
+    access: [authAccess.roles.delete],
+  })
     .input(z.string())
     .output(z.void()),
 
   // ==========================================================================
-  // STRATEGY MANAGEMENT (userType: "user" with permissions)
+  // STRATEGY MANAGEMENT (userType: "user" with access)
   // ==========================================================================
 
-  getStrategies: _base
-    .meta({ userType: "user", permissions: [permissions.strategiesManage.id] })
-    .output(z.array(StrategyDtoSchema)),
+  getStrategies: proc({
+    operationType: "query",
+    userType: "user",
+    access: [authAccess.strategies],
+  }).output(z.array(StrategyDtoSchema)),
 
-  updateStrategy: _base
-    .meta({ userType: "user", permissions: [permissions.strategiesManage.id] })
+  updateStrategy: proc({
+    operationType: "mutation",
+    userType: "user",
+    access: [authAccess.strategies],
+  })
     .input(
       z.object({
         id: z.string(),
@@ -212,26 +230,27 @@ export const authContract = {
     )
     .output(z.object({ success: z.boolean() })),
 
-  reloadAuth: _base
-    .meta({ userType: "user", permissions: [permissions.strategiesManage.id] })
-    .output(z.object({ success: z.boolean() })),
+  reloadAuth: proc({
+    operationType: "mutation",
+    userType: "user",
+    access: [authAccess.strategies],
+  }).output(z.object({ success: z.boolean() })),
 
   // ==========================================================================
-  // REGISTRATION MANAGEMENT (userType: "user" with permissions)
+  // REGISTRATION MANAGEMENT (userType: "user" with access)
   // ==========================================================================
 
-  getRegistrationSchema: _base
-    .meta({
-      userType: "user",
-      permissions: [permissions.registrationManage.id],
-    })
-    .output(z.record(z.string(), z.unknown())),
-
-  setRegistrationStatus: _base
-    .meta({
-      userType: "user",
-      permissions: [permissions.registrationManage.id],
-    })
+  getRegistrationSchema: proc({
+    operationType: "query",
+    userType: "user",
+    access: [authAccess.registration],
+  }).output(z.record(z.string(), z.unknown())),
+
+  setRegistrationStatus: proc({
+    operationType: "mutation",
+    userType: "user",
+    access: [authAccess.registration],
+  })
     .input(RegistrationStatusSchema)
     .output(z.object({ success: z.boolean() })),
 
@@ -239,48 +258,41 @@ export const authContract = {
   // INTERNAL SERVICE ENDPOINTS (userType: "service")
   // ==========================================================================
 
-  /**
-   * Get permissions assigned to the anonymous role.
-   * Used by core AuthService for permission checks on public endpoints.
-   */
-  getAnonymousPermissions: _base
-    .meta({ userType: "service" })
-    .output(z.array(z.string())),
+  getAnonymousAccessRules: proc({
+    operationType: "query",
+    userType: "service",
+    access: [],
+  }).output(z.array(z.string())),
 
-  /**
-   * Find a user by email address.
-   * Used by external auth providers (e.g., LDAP) to check if a user exists.
-   */
-  findUserByEmail: _base
-    .meta({ userType: "service" })
+  findUserByEmail: proc({
+    operationType: "query",
+    userType: "service",
+    access: [],
+  })
     .input(FindUserByEmailInputSchema)
     .output(FindUserByEmailOutputSchema),
 
-  /**
-   * Upsert a user from an external auth provider.
-   * Creates user + account if new, or updates user if autoUpdateUser is true.
-   * Used by external auth providers (e.g., LDAP) to sync users.
-   */
-  upsertExternalUser: _base
-    .meta({ userType: "service" })
+  upsertExternalUser: proc({
+    operationType: "mutation",
+    userType: "service",
+    access: [],
+  })
     .input(UpsertExternalUserInputSchema)
     .output(UpsertExternalUserOutputSchema),
 
-  /**
-   * Create a session for a user.
-   * Used by external auth providers (e.g., LDAP) after successful authentication.
-   */
-  createSession: _base
-    .meta({ userType: "service" })
+  createSession: proc({
+    operationType: "mutation",
+    userType: "service",
+    access: [],
+  })
     .input(CreateSessionInputSchema)
     .output(z.object({ sessionId: z.string() })),
 
-  /**
-   * Get a user by their ID.
-   * Used by notification backend to fetch user email for contact resolution.
-   */
-  getUserById: _base
-    .meta({ userType: "service" })
+  getUserById: proc({
+    operationType: "query",
+    userType: "service",
+    access: [],
+  })
     .input(z.object({ userId: z.string() }))
     .output(
       z
@@ -292,49 +304,46 @@ export const authContract = {
         .optional()
     ),
 
-  /**
-   * Filter a list of user IDs to only those who have a specific permission.
-   * Used by SignalService to send signals only to authorized users.
-   */
-  filterUsersByPermission: _base
-    .meta({ userType: "service" })
+  filterUsersByAccessRule: proc({
+    operationType: "query",
+    userType: "service",
+    access: [],
+  })
     .input(
       z.object({
         userIds: z.array(z.string()),
-        permission: z.string(), // Fully-qualified permission ID
+        accessRule: z.string(),
       })
     )
-    .output(z.array(z.string())), // Returns filtered user IDs
+    .output(z.array(z.string())),
 
   // ==========================================================================
-  // APPLICATION MANAGEMENT (userType: "user" with permissions)
-  // External API applications (API keys) with RBAC integration
+  // APPLICATION MANAGEMENT (userType: "user" with access)
   // ==========================================================================
 
-  getApplications: _base
-    .meta({
-      userType: "user",
-      permissions: [permissions.applicationsManage.id],
-    })
-    .output(
-      z.array(
-        z.object({
-          id: z.string(),
-          name: z.string(),
-          description: z.string().optional().nullable(),
-          roles: z.array(z.string()),
-          createdById: z.string(),
-          createdAt: z.coerce.date(),
-          lastUsedAt: z.coerce.date().optional().nullable(),
-        })
-      )
-    ),
+  getApplications: proc({
+    operationType: "query",
+    userType: "user",
+    access: [authAccess.applications],
+  }).output(
+    z.array(
+      z.object({
+        id: z.string(),
+        name: z.string(),
+        description: z.string().optional().nullable(),
+        roles: z.array(z.string()),
+        createdById: z.string(),
+        createdAt: z.coerce.date(),
+        lastUsedAt: z.coerce.date().optional().nullable(),
+      })
+    )
+  ),
 
-  createApplication: _base
-    .meta({
-      userType: "user",
-      permissions: [permissions.applicationsManage.id],
-    })
+  createApplication: proc({
+    operationType: "mutation",
+    userType: "user",
+    access: [authAccess.applications],
+  })
     .input(
       z.object({
         name: z.string().min(1).max(100),
@@ -351,15 +360,15 @@ export const authContract = {
           createdById: z.string(),
           createdAt: z.coerce.date(),
         }),
-        secret: z.string(), // Full secret - ONLY shown once!
+        secret: z.string(),
       })
     ),
 
-  updateApplication: _base
-    .meta({
-      userType: "user",
-      permissions: [permissions.applicationsManage.id],
-    })
+  updateApplication: proc({
+    operationType: "mutation",
+    userType: "user",
+    access: [authAccess.applications],
+  })
     .input(
       z.object({
         id: z.string(),
@@ -370,50 +379,47 @@ export const authContract = {
     )
     .output(z.void()),
 
-  deleteApplication: _base
-    .meta({
-      userType: "user",
-      permissions: [permissions.applicationsManage.id],
-    })
+  deleteApplication: proc({
+    operationType: "mutation",
+    userType: "user",
+    access: [authAccess.applications],
+  })
     .input(z.string())
     .output(z.void()),
 
-  regenerateApplicationSecret: _base
-    .meta({
-      userType: "user",
-      permissions: [permissions.applicationsManage.id],
-    })
+  regenerateApplicationSecret: proc({
+    operationType: "mutation",
+    userType: "user",
+    access: [authAccess.applications],
+  })
     .input(z.string())
-    .output(z.object({ secret: z.string() })), // New secret - shown once
+    .output(z.object({ secret: z.string() })),
 
   // ==========================================================================
-  // TEAM MANAGEMENT (userType: "authenticated" with permissions)
-  // Resource-level access control via teams
-  // Both users and applications can manage teams with proper permissions
+  // TEAM MANAGEMENT (userType: "authenticated" with access)
   // ==========================================================================
 
-  getTeams: _base
-    .meta({
-      userType: "authenticated",
-      permissions: [permissions.teamsRead.id],
-    })
-    .output(
-      z.array(
-        z.object({
-          id: z.string(),
-          name: z.string(),
-          description: z.string().optional().nullable(),
-          memberCount: z.number(),
-          isManager: z.boolean(),
-        })
-      )
-    ),
+  getTeams: proc({
+    operationType: "query",
+    userType: "authenticated",
+    access: [authAccess.teams.read],
+  }).output(
+    z.array(
+      z.object({
+        id: z.string(),
+        name: z.string(),
+        description: z.string().optional().nullable(),
+        memberCount: z.number(),
+        isManager: z.boolean(),
+      })
+    )
+  ),
 
-  getTeam: _base
-    .meta({
-      userType: "authenticated",
-      permissions: [permissions.teamsRead.id],
-    })
+  getTeam: proc({
+    operationType: "query",
+    userType: "authenticated",
+    access: [authAccess.teams.read],
+  })
     .input(z.object({ teamId: z.string() }))
     .output(
       z
@@ -431,11 +437,11 @@ export const authContract = {
         .optional()
     ),
 
-  createTeam: _base
-    .meta({
-      userType: "authenticated",
-      permissions: [permissions.teamsManage.id],
-    })
+  createTeam: proc({
+    operationType: "mutation",
+    userType: "authenticated",
+    access: [authAccess.teams.manage],
+  })
     .input(
       z.object({
         name: z.string().min(1).max(100),
@@ -444,11 +450,11 @@ export const authContract = {
     )
     .output(z.object({ id: z.string() })),
 
-  updateTeam: _base
-    .meta({
-      userType: "authenticated",
-      permissions: [permissions.teamsRead.id],
-    })
+  updateTeam: proc({
+    operationType: "mutation",
+    userType: "authenticated",
+    access: [authAccess.teams.read],
+  })
     .input(
       z.object({
         id: z.string(),
@@ -458,51 +464,51 @@ export const authContract = {
     )
     .output(z.void()),
 
-  deleteTeam: _base
-    .meta({
-      userType: "authenticated",
-      permissions: [permissions.teamsManage.id],
-    })
+  deleteTeam: proc({
+    operationType: "mutation",
+    userType: "authenticated",
+    access: [authAccess.teams.manage],
+  })
     .input(z.string())
     .output(z.void()),
 
-  addUserToTeam: _base
-    .meta({
-      userType: "authenticated",
-      permissions: [permissions.teamsRead.id],
-    })
+  addUserToTeam: proc({
+    operationType: "mutation",
+    userType: "authenticated",
+    access: [authAccess.teams.read],
+  })
     .input(z.object({ teamId: z.string(), userId: z.string() }))
     .output(z.void()),
 
-  removeUserFromTeam: _base
-    .meta({
-      userType: "authenticated",
-      permissions: [permissions.teamsRead.id],
-    })
+  removeUserFromTeam: proc({
+    operationType: "mutation",
+    userType: "authenticated",
+    access: [authAccess.teams.read],
+  })
     .input(z.object({ teamId: z.string(), userId: z.string() }))
     .output(z.void()),
 
-  addTeamManager: _base
-    .meta({
-      userType: "authenticated",
-      permissions: [permissions.teamsManage.id],
-    })
+  addTeamManager: proc({
+    operationType: "mutation",
+    userType: "authenticated",
+    access: [authAccess.teams.manage],
+  })
     .input(z.object({ teamId: z.string(), userId: z.string() }))
     .output(z.void()),
 
-  removeTeamManager: _base
-    .meta({
-      userType: "authenticated",
-      permissions: [permissions.teamsManage.id],
-    })
+  removeTeamManager: proc({
+    operationType: "mutation",
+    userType: "authenticated",
+    access: [authAccess.teams.manage],
+  })
     .input(z.object({ teamId: z.string(), userId: z.string() }))
     .output(z.void()),
 
-  getResourceTeamAccess: _base
-    .meta({
-      userType: "authenticated",
-      permissions: [permissions.teamsRead.id],
-    })
+  getResourceTeamAccess: proc({
+    operationType: "query",
+    userType: "authenticated",
+    access: [authAccess.teams.read],
+  })
     .input(z.object({ resourceType: z.string(), resourceId: z.string() }))
     .output(
       z.array(
@@ -515,11 +521,11 @@ export const authContract = {
       )
     ),
 
-  setResourceTeamAccess: _base
-    .meta({
-      userType: "authenticated",
-      permissions: [permissions.teamsManage.id],
-    })
+  setResourceTeamAccess: proc({
+    operationType: "mutation",
+    userType: "authenticated",
+    access: [authAccess.teams.manage],
+  })
     .input(
       z.object({
         resourceType: z.string(),
@@ -531,11 +537,11 @@ export const authContract = {
     )
     .output(z.void()),
 
-  removeResourceTeamAccess: _base
-    .meta({
-      userType: "authenticated",
-      permissions: [permissions.teamsManage.id],
-    })
+  removeResourceTeamAccess: proc({
+    operationType: "mutation",
+    userType: "authenticated",
+    access: [authAccess.teams.manage],
+  })
     .input(
       z.object({
         resourceType: z.string(),
@@ -545,20 +551,19 @@ export const authContract = {
     )
     .output(z.void()),
 
-  // Resource-level access settings (teamOnly flag)
-  getResourceAccessSettings: _base
-    .meta({
-      userType: "authenticated",
-      permissions: [permissions.teamsRead.id],
-    })
+  getResourceAccessSettings: proc({
+    operationType: "query",
+    userType: "authenticated",
+    access: [authAccess.teams.read],
+  })
     .input(z.object({ resourceType: z.string(), resourceId: z.string() }))
     .output(z.object({ teamOnly: z.boolean() })),
 
-  setResourceAccessSettings: _base
-    .meta({
-      userType: "authenticated",
-      permissions: [permissions.teamsManage.id],
-    })
+  setResourceAccessSettings: proc({
+    operationType: "mutation",
+    userType: "authenticated",
+    access: [authAccess.teams.manage],
+  })
     .input(
       z.object({
         resourceType: z.string(),
@@ -572,8 +577,11 @@ export const authContract = {
   // S2S ENDPOINTS FOR TEAM ACCESS (userType: "service")
   // ==========================================================================
 
-  checkResourceTeamAccess: _base
-    .meta({ userType: "service" })
+  checkResourceTeamAccess: proc({
+    operationType: "query",
+    userType: "service",
+    access: [],
+  })
     .input(
       z.object({
         userId: z.string(),
@@ -581,13 +589,16 @@ export const authContract = {
         resourceType: z.string(),
         resourceId: z.string(),
         action: z.enum(["read", "manage"]),
-        hasGlobalPermission: z.boolean(),
+        hasGlobalAccess: z.boolean(),
       })
     )
     .output(z.object({ hasAccess: z.boolean() })),
 
-  getAccessibleResourceIds: _base
-    .meta({ userType: "service" })
+  getAccessibleResourceIds: proc({
+    operationType: "query",
+    userType: "service",
+    access: [],
+  })
     .input(
       z.object({
         userId: z.string(),
@@ -595,13 +606,16 @@ export const authContract = {
         resourceType: z.string(),
         resourceIds: z.array(z.string()),
         action: z.enum(["read", "manage"]),
-        hasGlobalPermission: z.boolean(),
+        hasGlobalAccess: z.boolean(),
       })
     )
     .output(z.array(z.string())),
 
-  deleteResourceGrants: _base
-    .meta({ userType: "service" })
+  deleteResourceGrants: proc({
+    operationType: "mutation",
+    userType: "service",
+    access: [],
+  })
     .input(z.object({ resourceType: z.string(), resourceId: z.string() }))
     .output(z.void()),
 };

package/src/permissions.ts

@@ -1,58 +0,0 @@
-import type { Permission } from "@checkstack/common";
-
-export const permissions = {
-  usersRead: {
-    id: "users.read",
-    description: "List all users",
-  },
-  usersCreate: {
-    id: "users.create",
-    description: "Create new users (credential strategy)",
-  },
-  usersManage: {
-    id: "users.manage",
-    description: "Delete users",
-  },
-  rolesRead: {
-    id: "roles.read",
-    description: "Read and list roles",
-  },
-  rolesCreate: {
-    id: "roles.create",
-    description: "Create new roles",
-  },
-  rolesUpdate: {
-    id: "roles.update",
-    description: "Update role names and permissions",
-  },
-  rolesDelete: {
-    id: "roles.delete",
-    description: "Delete roles",
-  },
-  rolesManage: {
-    id: "roles.manage",
-    description: "Assign roles to users",
-  },
-  strategiesManage: {
-    id: "strategies.manage",
-    description: "Manage authentication strategies and settings",
-  },
-  registrationManage: {
-    id: "registration.manage",
-    description: "Manage user registration settings",
-  },
-  applicationsManage: {
-    id: "applications.manage",
-    description: "Create, update, delete, and view external applications",
-  },
-  teamsRead: {
-    id: "teams.read",
-    description: "View teams and team memberships",
-  },
-  teamsManage: {
-    id: "teams.manage",
-    description: "Create, delete, and manage all teams and resource access",
-  },
-} satisfies Record<string, Permission>;
-
-export const permissionList = Object.values(permissions);