@company-semantics/contracts 0.119.0 → 0.120.0

package/src/org/index.ts

@@ -136,3 +136,46 @@ export type {
   ShareState,
   PermissionAuditEntry,
 } from './sharing';
+
+// Workspace response schemas (PRD-00445)
+export {
+  WorkspaceAccessResponseSchema,
+  WorkspaceOverviewSchema,
+  WorkspaceMembersResponseSchema,
+  WorkspaceAuthConfigSchema,
+  WorkspaceAuditEventSchema,
+  WorkspaceAuditResponseSchema,
+  WorkspaceResolvePathResponseSchema,
+  OrgAuthPolicySchema,
+  OidcValidationResultSchema,
+  WorkspaceResyncSlackLogoResponseSchema,
+  TestSsoInitiationSchema,
+  TestSsoResultSchema,
+  RemoveMemberResponseSchema,
+  ChangeMemberRoleResponseSchema,
+  UserOrgsResponseSchema,
+  SetActiveOrgResponseSchema,
+  LeaveOrgResponseSchema,
+  ScopeCheckResponseSchema,
+  ScopeCheckBatchResponseSchema,
+} from './schemas';
+export type {
+  WorkspaceAccessResponse,
+  WorkspaceOverview as WorkspaceOverviewDto,
+  WorkspaceMembersResponse,
+  WorkspaceAuthConfig as WorkspaceAuthConfigDto,
+  WorkspaceAuditEvent as WorkspaceAuditEventDto,
+  WorkspaceResolvePathResponse,
+  OrgAuthPolicy as OrgAuthPolicyDto,
+  OidcValidationResult as OidcValidationResultDto,
+  WorkspaceResyncSlackLogoResponse,
+  TestSsoInitiation as TestSsoInitiationDto,
+  TestSsoResult as TestSsoResultDto,
+  RemoveMemberResponse,
+  ChangeMemberRoleResponse,
+  UserOrgsResponse,
+  SetActiveOrgResponse,
+  LeaveOrgResponse,
+  ScopeCheckResponse,
+  ScopeCheckBatchResponse,
+} from './schemas';

package/src/org/schemas.ts

@@ -0,0 +1,373 @@
+/**
+ * Org/Workspace Response Schemas
+ *
+ * Zod response schemas for workspace core endpoints.
+ * Canonical location for runtime validation of workspace API responses.
+ *
+ * Covers:
+ *  - workspace.ts (GET /api/workspace, /access, /members, /auth, /audit, etc.)
+ *  - members.ts   (DELETE/PATCH /api/workspace/members)
+ *  - user-orgs.ts (GET /api/user/orgs, POST /api/user/active-org, /leave)
+ *  - scope-check.ts (GET /api/scope/check, POST /api/scope/check-batch)
+ */
+import { z } from 'zod';
+import { CursorPageSchema } from '../api/primitives';
+
+// ---------------------------------------------------------------------------
+// Sub-schemas
+// ---------------------------------------------------------------------------
+
+const WorkspaceMemberSchema = z.object({
+  id: z.string(),
+  name: z.string(),
+  email: z.string(),
+  role: z.enum(['owner', 'admin', 'member', 'auditor']),
+  joinedAt: z.string(),
+});
+
+const WorkspaceOwnerSchema = z.object({
+  id: z.string(),
+  name: z.string(),
+  email: z.string(),
+});
+
+// ---------------------------------------------------------------------------
+// GET /api/workspace/access
+// ---------------------------------------------------------------------------
+
+export const WorkspaceAccessResponseSchema = z.object({
+  hasAccess: z.boolean(),
+});
+
+export type WorkspaceAccessResponse = z.infer<typeof WorkspaceAccessResponseSchema>;
+
+// ---------------------------------------------------------------------------
+// GET /api/workspace
+// PATCH /api/workspace/name (returns WorkspaceOverview)
+// ---------------------------------------------------------------------------
+
+export const WorkspaceOverviewSchema = z.object({
+  id: z.string(),
+  name: z.string(),
+  type: z.enum(['personal', 'shared']),
+  logoUrl: z.string().nullable(),
+  owner: WorkspaceOwnerSchema,
+  createdAt: z.string(),
+  memberCount: z.number(),
+  claimable: z.boolean(),
+});
+
+export type WorkspaceOverview = z.infer<typeof WorkspaceOverviewSchema>;
+
+// ---------------------------------------------------------------------------
+// GET /api/workspace/members
+// ---------------------------------------------------------------------------
+
+export const WorkspaceMembersResponseSchema = CursorPageSchema(WorkspaceMemberSchema);
+
+export type WorkspaceMembersResponse = z.infer<typeof WorkspaceMembersResponseSchema>;
+
+// ---------------------------------------------------------------------------
+// GET /api/workspace/auth
+// ---------------------------------------------------------------------------
+
+const OidcValidationResultSchema = z.object({
+  valid: z.boolean(),
+  issuer: z.string().optional(),
+  authorizationEndpoint: z.string().optional(),
+  error: z.string().optional(),
+  errorCode: z.enum(['UNREACHABLE', 'INVALID_DOCUMENT', 'MISSING_FIELDS', 'SSRF_BLOCKED']).optional(),
+});
+
+const SsoDiscoveryConfigSchema = z.object({
+  redirectUri: z.string(),
+  requiredScopes: z.array(z.string()),
+  isOidcConfigured: z.boolean(),
+  oidcDiscoveryUrl: z.string().nullable(),
+});
+
+const SsoCredentialStatusSchema = z.object({
+  hasClientId: z.boolean(),
+  hasClientSecret: z.boolean(),
+});
+
+const ProviderStatusSchema = z.enum([
+  'NOT_CONFIGURED',
+  'CONFIG_SAVED',
+  'CONFIG_VALID',
+  'TEST_SUCCESS',
+  'ENABLED',
+]);
+
+const SsoStepperStepSchema = z.enum(['configure', 'test', 'enable', 'enforce']);
+
+const SsoOperationalStateSchema = z.object({
+  providerStatus: ProviderStatusSchema,
+  currentStep: SsoStepperStepSchema,
+  stepCompleted: z.boolean(),
+  activeProvider: z.string().nullable(),
+  oidcValidation: OidcValidationResultSchema.optional(),
+  credentialsSavedAt: z.string().optional(),
+  lastTestSuccessAt: z.string().optional(),
+  lastTestSuccessProvider: z.string().optional(),
+});
+
+const SsoSetupInfoSchema = SsoDiscoveryConfigSchema.merge(SsoCredentialStatusSchema).merge(
+  SsoOperationalStateSchema
+);
+
+const SsoReadinessCheckSchema = z.object({
+  code: z.string(),
+  label: z.string(),
+  passed: z.boolean(),
+  message: z.string(),
+});
+
+const SsoReadinessSchema = z.object({
+  ready: z.boolean(),
+  checks: z.array(SsoReadinessCheckSchema),
+});
+
+const SsoEnforcementStatusSchema = z.object({
+  enforced: z.boolean(),
+  enforcedDomains: z.array(z.string()),
+  enforcedSince: z.string().nullable(),
+});
+
+const OwnerIdentityInfoSchema = z.object({
+  userId: z.string(),
+  name: z.string(),
+  email: z.string(),
+  hasSsoIdentity: z.boolean(),
+  linkedProvider: z.string().nullable(),
+  lastSsoLoginAt: z.string().nullable(),
+});
+
+const ProviderSuggestionSchema = z.object({
+  suggestedProvider: z.enum(['google', 'microsoft']).nullable(),
+  confidence: z.enum(['high', 'low']),
+  reason: z.string(),
+  detectedDomain: z.string().optional(),
+});
+
+const AuthMethodConfigSchema = z.object({
+  enabled: z.boolean(),
+  provider: z.string().optional(),
+});
+
+export const WorkspaceAuthConfigSchema = z.object({
+  emailOtp: AuthMethodConfigSchema,
+  googleSso: AuthMethodConfigSchema,
+  microsoftSso: AuthMethodConfigSchema,
+  okta: AuthMethodConfigSchema,
+  policy: z.object({
+    requireSSO: z.boolean(),
+    allowedProviders: z.array(z.string()),
+  }),
+  ssoSetup: SsoSetupInfoSchema.optional(),
+  ssoReadiness: SsoReadinessSchema.optional(),
+  ssoEnforcement: SsoEnforcementStatusSchema.optional(),
+  workspaceSsoState: z.enum(['SSO_DISABLED', 'SSO_ENABLED', 'SSO_ENFORCED']).optional(),
+  ownerIdentities: z.array(OwnerIdentityInfoSchema).optional(),
+  providerSuggestion: ProviderSuggestionSchema.optional(),
+});
+
+export type WorkspaceAuthConfig = z.infer<typeof WorkspaceAuthConfigSchema>;
+
+// ---------------------------------------------------------------------------
+// GET /api/workspace/audit
+// ---------------------------------------------------------------------------
+
+export const WorkspaceAuditEventSchema = z.object({
+  id: z.string(),
+  timestamp: z.string(),
+  actor: z.object({
+    id: z.string(),
+    name: z.string(),
+    type: z.enum(['user', 'system']),
+  }),
+  action: z.string(),
+  summary: z.string(),
+});
+
+export const WorkspaceAuditResponseSchema = z.array(WorkspaceAuditEventSchema);
+
+export type WorkspaceAuditEvent = z.infer<typeof WorkspaceAuditEventSchema>;
+
+// ---------------------------------------------------------------------------
+// POST /api/workspace/resolve-path
+// ---------------------------------------------------------------------------
+
+const ResolvedDeptEntitySchema = z.object({
+  id: z.string(),
+  name: z.string(),
+  slug: z.string(),
+  memberCount: z.number(),
+});
+
+export const WorkspaceResolvePathResponseSchema = z.object({
+  layers: z.array(
+    z.discriminatedUnion('type', [
+      z.object({ type: z.literal('dept'), entity: ResolvedDeptEntitySchema }),
+      z.object({ type: z.literal('team'), entity: ResolvedDeptEntitySchema }),
+      z.object({ type: z.literal('members'), scope: z.enum(['org', 'dept', 'team']) }),
+    ])
+  ),
+});
+
+export type WorkspaceResolvePathResponse = z.infer<typeof WorkspaceResolvePathResponseSchema>;
+
+// ---------------------------------------------------------------------------
+// PATCH /api/workspace/auth-policy
+// ---------------------------------------------------------------------------
+
+export const OrgAuthPolicySchema = z.object({
+  requireSSO: z.boolean(),
+  allowedProviders: z.array(z.string()),
+  selfRevoked: z.boolean().optional(),
+});
+
+export type OrgAuthPolicy = z.infer<typeof OrgAuthPolicySchema>;
+
+// ---------------------------------------------------------------------------
+// POST /api/workspace/auth-policy/validate-oidc
+// ---------------------------------------------------------------------------
+
+export { OidcValidationResultSchema };
+export type OidcValidationResult = z.infer<typeof OidcValidationResultSchema>;
+
+// ---------------------------------------------------------------------------
+// POST /api/workspace/resync-slack-logo
+// ---------------------------------------------------------------------------
+
+export const WorkspaceResyncSlackLogoResponseSchema = z.object({
+  success: z.literal(true),
+  logoUrl: z.string().nullable(),
+});
+
+export type WorkspaceResyncSlackLogoResponse = z.infer<typeof WorkspaceResyncSlackLogoResponseSchema>;
+
+// ---------------------------------------------------------------------------
+// POST /api/workspace/auth-policy/test-sso
+// ---------------------------------------------------------------------------
+
+export const TestSsoInitiationSchema = z.object({
+  authorizationUrl: z.string(),
+  attemptId: z.string(),
+});
+
+export type TestSsoInitiation = z.infer<typeof TestSsoInitiationSchema>;
+
+// ---------------------------------------------------------------------------
+// GET /api/workspace/auth-policy/test-sso/:attemptId
+// ---------------------------------------------------------------------------
+
+export const TestSsoResultSchema = z.object({
+  status: z.enum(['pending', 'success', 'failed', 'expired']),
+  claims: z
+    .object({
+      sub: z.string(),
+      email: z.string().optional(),
+      name: z.string().optional(),
+      issuer: z.string(),
+    })
+    .optional(),
+  identityLinked: z.boolean().optional(),
+  error: z.string().optional(),
+  errorCode: z
+    .enum(['IDENTITY_CONFLICT', 'DOMAIN_MISMATCH', 'ISSUER_MISMATCH', 'CALLBACK_ERROR'])
+    .optional(),
+});
+
+export type TestSsoResult = z.infer<typeof TestSsoResultSchema>;
+
+// ---------------------------------------------------------------------------
+// DELETE /api/workspace/members/:id
+// ---------------------------------------------------------------------------
+
+export const RemoveMemberResponseSchema = z.object({
+  success: z.boolean(),
+  memberId: z.string(),
+  memberEmail: z.string(),
+  message: z.string(),
+});
+
+export type RemoveMemberResponse = z.infer<typeof RemoveMemberResponseSchema>;
+
+// ---------------------------------------------------------------------------
+// PATCH /api/workspace/members/:id/role
+// ---------------------------------------------------------------------------
+
+export const ChangeMemberRoleResponseSchema = z.object({
+  success: z.boolean(),
+  memberId: z.string(),
+  memberEmail: z.string(),
+  previousRole: z.string(),
+  newRole: z.string(),
+  message: z.string(),
+});
+
+export type ChangeMemberRoleResponse = z.infer<typeof ChangeMemberRoleResponseSchema>;
+
+// ---------------------------------------------------------------------------
+// GET /api/user/orgs
+// ---------------------------------------------------------------------------
+
+const UserOrgMembershipSchema = z.object({
+  userId: z.string(),
+  orgId: z.string(),
+  orgName: z.string(),
+  orgSlug: z.string(),
+  role: z.enum(['owner', 'admin', 'member', 'auditor']),
+  joinedAt: z.string(),
+  isActive: z.boolean(),
+  orgType: z.enum(['personal', 'shared']),
+});
+
+export const UserOrgsResponseSchema = z.object({
+  orgs: z.array(UserOrgMembershipSchema),
+});
+
+export type UserOrgsResponse = z.infer<typeof UserOrgsResponseSchema>;
+
+// ---------------------------------------------------------------------------
+// POST /api/user/active-org
+// ---------------------------------------------------------------------------
+
+export const SetActiveOrgResponseSchema = z.object({
+  success: z.literal(true),
+  activeOrgId: z.string(),
+});
+
+export type SetActiveOrgResponse = z.infer<typeof SetActiveOrgResponseSchema>;
+
+// ---------------------------------------------------------------------------
+// POST /api/user/orgs/:orgId/leave
+// ---------------------------------------------------------------------------
+
+export const LeaveOrgResponseSchema = z.object({
+  success: z.literal(true),
+  nextOrgId: z.string().nullable(),
+});
+
+export type LeaveOrgResponse = z.infer<typeof LeaveOrgResponseSchema>;
+
+// ---------------------------------------------------------------------------
+// GET /api/scope/check
+// ---------------------------------------------------------------------------
+
+export const ScopeCheckResponseSchema = z.object({
+  hasAccess: z.boolean(),
+});
+
+export type ScopeCheckResponse = z.infer<typeof ScopeCheckResponseSchema>;
+
+// ---------------------------------------------------------------------------
+// POST /api/scope/check-batch
+// ---------------------------------------------------------------------------
+
+export const ScopeCheckBatchResponseSchema = z.object({
+  results: z.record(z.string(), z.object({ hasAccess: z.boolean() })),
+});
+
+export type ScopeCheckBatchResponse = z.infer<typeof ScopeCheckBatchResponseSchema>;