@company-semantics/contracts 0.120.0 → 0.121.0

package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@company-semantics/contracts",
3
- "version": "0.120.0",
3
+ "version": "0.121.0",
4
4
  "private": false,
5
5
  "repository": {
6
6
  "type": "git",
@@ -191,12 +191,7 @@ export interface paths {
191
191
  path?: never;
192
192
  cookie?: never;
193
193
  };
194
- /**
195
- * List user's org memberships
196
- * @description Returns all organizations the current user is a member of.
197
- * Used by the org switcher UI for multi-org support.
198
- * Only returns active memberships.
199
- */
194
+ /** List user's org memberships */
200
195
  get: operations["listUserOrgs"];
201
196
  put?: never;
202
197
  post?: never;
@@ -215,12 +210,7 @@ export interface paths {
215
210
  };
216
211
  get?: never;
217
212
  put?: never;
218
- /**
219
- * Set active org context
220
- * @description Set the active organization context for the current user.
221
- * Validates that the user is a member of the target org.
222
- * Does NOT re-authenticate or elevate permissions.
223
- */
213
+ /** Set active org context */
224
214
  post: operations["setActiveOrg"];
225
215
  delete?: never;
226
216
  options?: never;
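Review bot: The one-line summary that replaces the description on `setActiveOrg` drops the only statement of the endpoint's security contract in the published types: that membership in the target org is validated and that the call does not re-authenticate or elevate permissions. The later `paths` hunks do the same to the capability requirements (`org.view_workspace`, `org.manage_auth`, `org.manage_users`), the owner and admin-floor rules on member removal and role change, and the HTTPS/SSRF checks on OIDC discovery. Consumers who read this package as the contract can no longer tell which calls are privileged. I would keep a short description line on each, for example `* @description Validates membership in the target org; does not re-authenticate or elevate permissions.` If this file is generated, the descriptions presumably need restoring in the source spec rather than here.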
@@ -844,11 +834,7 @@ export interface paths {
844
834
  path?: never;
845
835
  cookie?: never;
846
836
  };
847
- /**
848
- * Check workspace access
849
- * @description Lightweight authorization probe for the workspace control plane.
850
- * Returns whether the current user has access to workspace features.
851
- */
837
+ /** Check workspace access */
852
838
  get: operations["getWorkspaceAccess"];
853
839
  put?: never;
854
840
  post?: never;
@@ -865,11 +851,7 @@ export interface paths {
865
851
  path?: never;
866
852
  cookie?: never;
867
853
  };
868
- /**
869
- * Get workspace overview
870
- * @description Returns workspace overview including org details, owner info, and member count.
871
- * Requires org.view_workspace capability.
872
- */
854
+ /** Get workspace overview */
873
855
  get: operations["getWorkspaceOverview"];
874
856
  put?: never;
875
857
  post?: never;
@@ -892,10 +874,7 @@ export interface paths {
892
874
  delete?: never;
893
875
  options?: never;
894
876
  head?: never;
895
- /**
896
- * Rename the workspace
897
- * @description PATCH the workspace name. Requires org.manage_users capability (owner or admin).
898
- */
877
+ /** Rename the workspace */
899
878
  patch: operations["renameWorkspace"];
900
879
  trace?: never;
901
880
  };
@@ -906,12 +885,7 @@ export interface paths {
906
885
  path?: never;
907
886
  cookie?: never;
908
887
  };
909
- /**
910
- * Get workspace members
911
- * @description Returns list of workspace members with their roles.
912
- * Human users only (no agent actors).
913
- * Requires org.view_workspace capability.
914
- */
888
+ /** Get workspace members */
915
889
  get: operations["getWorkspaceMembers"];
916
890
  put?: never;
917
891
  post?: never;
@@ -928,12 +902,7 @@ export interface paths {
928
902
  path?: never;
929
903
  cookie?: never;
930
904
  };
931
- /**
932
- * Get workspace auth config
933
- * @description Returns workspace authentication configuration.
934
- * Shows which auth methods are enabled.
935
- * Requires org.view_workspace capability.
936
- */
905
+ /** Get workspace auth config */
937
906
  get: operations["getWorkspaceAuth"];
938
907
  put?: never;
939
908
  post?: never;
@@ -950,13 +919,7 @@ export interface paths {
950
919
  path?: never;
951
920
  cookie?: never;
952
921
  };
953
- /**
954
- * Get workspace audit log
955
- * @description Returns workspace audit events.
956
- * Only returns spec-defined events (server-side filtering).
957
- * Supports pagination with limit (max 100) and offset (max 1000).
958
- * Requires org.view_workspace capability.
959
- */
922
+ /** Get workspace audit log */
960
923
  get: operations["getWorkspaceAudit"];
961
924
  put?: never;
962
925
  post?: never;
@@ -979,12 +942,7 @@ export interface paths {
979
942
  delete?: never;
980
943
  options?: never;
981
944
  head?: never;
982
- /**
983
- * Update workspace auth policy
984
- * @description Updates the workspace authentication policy.
985
- * Owner-only endpoint (requires org.manage_auth capability).
986
- * Auth policy changes do NOT affect existing sessions.
987
- */
945
+ /** Update workspace auth policy */
988
946
  patch: operations["updateWorkspaceAuthPolicy"];
989
947
  trace?: never;
990
948
  };
@@ -997,12 +955,7 @@ export interface paths {
997
955
  };
998
956
  get?: never;
999
957
  put?: never;
1000
- /**
1001
- * Validate OIDC discovery URL
1002
- * @description Validates an OIDC discovery URL before saving SSO credentials.
1003
- * Checks HTTPS requirement, SSRF protection, and required OIDC fields.
1004
- * Admin-only endpoint (requires org.manage_auth capability).
1005
- */
958
+ /** Validate OIDC discovery URL */
1006
959
  post: operations["validateOidcDiscovery"];
1007
960
  delete?: never;
1008
961
  options?: never;
@@ -1019,13 +972,7 @@ export interface paths {
1019
972
  };
1020
973
  get?: never;
1021
974
  put?: never;
1022
- /**
1023
- * Initiate test SSO login attempt
1024
- * @description Creates a pending SSO test attempt, generates an OAuth state token
1025
- * with isTest=true, builds the IdP authorization URL, and returns
1026
- * the URL and attempt ID for polling.
1027
- * Requires org.manage_auth capability.
1028
- */
975
+ /** Initiate a test SSO login */
1029
976
  post: operations["initiateTestSso"];
1030
977
  delete?: never;
1031
978
  options?: never;
@@ -1040,12 +987,7 @@ export interface paths {
1040
987
  path?: never;
1041
988
  cookie?: never;
1042
989
  };
1043
- /**
1044
- * Poll test SSO attempt status
1045
- * @description Returns the current status of a test SSO login attempt.
1046
- * Pending attempts older than 5 minutes are lazily reported as expired.
1047
- * Requires org.manage_auth capability.
1048
- */
990
+ /** Poll test SSO login status */
1049
991
  get: operations["pollTestSso"];
1050
992
  put?: never;
1051
993
  post?: never;
@@ -1156,12 +1098,7 @@ export interface paths {
1156
1098
  get?: never;
1157
1099
  put?: never;
1158
1100
  post?: never;
1159
- /**
1160
- * Remove workspace member
1161
- * @description Remove a member from the workspace.
1162
- * Cannot remove the owner (must transfer ownership first).
1163
- * Admin floor enforced (at least one admin must remain).
1164
- */
1101
+ /** Remove workspace member */
1165
1102
  delete: operations["removeMember"];
1166
1103
  options?: never;
1167
1104
  head?: never;
@@ -1181,12 +1118,7 @@ export interface paths {
1181
1118
  delete?: never;
1182
1119
  options?: never;
1183
1120
  head?: never;
1184
- /**
1185
- * Change member role
1186
- * @description Change a member's role.
1187
- * Cannot change the owner's role (must transfer ownership first).
1188
- * Admin floor enforced (cannot demote last admin).
1189
- */
1121
+ /** Change member role */
1190
1122
  patch: operations["changeMemberRole"];
1191
1123
  trace?: never;
1192
1124
  };
@@ -1274,11 +1206,7 @@ export interface paths {
1274
1206
  };
1275
1207
  get?: never;
1276
1208
  put?: never;
1277
- /**
1278
- * Resync workspace logo from Slack
1279
- * @description Manually resync the workspace logo from the connected Slack workspace icon.
1280
- * Requires org.view_workspace capability and an active Slack connection.
1281
- */
1209
+ /** Resync workspace logo from Slack */
1282
1210
  post: operations["resyncSlackLogo"];
1283
1211
  delete?: never;
1284
1212
  options?: never;
@@ -1295,13 +1223,7 @@ export interface paths {
1295
1223
  };
1296
1224
  get?: never;
1297
1225
  put?: never;
1298
- /**
1299
- * Resolve a tokenized URL path to hydrated navigation layers
1300
- * @description Resolves a tokenized workspace URL path to hydrated entity data.
1301
- * Used by the frontend for cold-start deep linking and browser back/forward.
1302
- * Path segments follow a [type, slug] pair grammar: "dept" before "team",
1303
- * "team" requires preceding "dept", and "members" must be terminal.
1304
- */
1226
+ /** Resolve a tokenized URL path to hydrated navigation layers */
1305
1227
  post: operations["resolveWorkspacePath"];
1306
1228
  delete?: never;
1307
1229
  options?: never;
@@ -2087,11 +2009,7 @@ export interface paths {
2087
2009
  };
2088
2010
  get?: never;
2089
2011
  put?: never;
2090
- /**
2091
- * Leave an organization
2092
- * @description Voluntarily leave a shared organization. Cannot leave personal orgs
2093
- * or if the user is the sole owner.
2094
- */
2012
+ /** Leave an organization */
2095
2013
  post: operations["leaveOrg"];
2096
2014
  delete?: never;
2097
2015
  options?: never;
@@ -2184,10 +2102,7 @@ export interface paths {
2184
2102
  };
2185
2103
  get?: never;
2186
2104
  put?: never;
2187
- /**
2188
- * Batch check authorization scopes for current user
2189
- * @description Checks whether the current user has access to each of the given scopes. Scope strings are implementation-defined and not part of the public API vocabulary. Accepts 1-20 scope strings per request.
2190
- */
2105
+ /** Batch check authorization scopes for current user */
2191
2106
  post: operations["checkScopeBatch"];
2192
2107
  delete?: never;
2193
2108
  options?: never;
@@ -2321,7 +2236,18 @@ export interface components {
2321
2236
  memberCount: number;
2322
2237
  };
2323
2238
  UserOrgsResponse: {
2324
- orgs: components["schemas"]["UserOrgMembership"][];
2239
+ orgs: {
2240
+ userId: string;
2241
+ orgId: string;
2242
+ orgName: string;
2243
+ orgSlug: string;
2244
+ /** @enum {string} */
2245
+ role: "owner" | "admin" | "member" | "auditor";
2246
+ joinedAt: string;
2247
+ isActive: boolean;
2248
+ /** @enum {string} */
2249
+ orgType: "personal" | "shared";
2250
+ }[];
2325
2251
  };
2326
2252
  UserOrgMembership: {
2327
2253
  /** Format: uuid */
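Review bot: `UserOrgsResponse.orgs` now repeats the shape of `UserOrgMembership`, which is still declared directly below, instead of referencing it. The `role` and `orgType` unions are spelled out inline and the `Format: uuid` annotation visible on `UserOrgMembership` is not carried over, so the two definitions can drift when the role vocabulary changes. Client code that gates UI or requests on `role` would then type-check against whichever copy it happened to import. Unless the inlining is an intended generator output, I would keep `orgs: components["schemas"]["UserOrgMembership"][];`.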
@@ -2337,16 +2263,12 @@ export interface components {
2337
2263
  orgType: components["schemas"]["OrgType"];
2338
2264
  };
2339
2265
  SetActiveOrgRequest: {
2340
- /**
2341
- * Format: uuid
2342
- * @description The ID of the organization to switch to
2343
- */
2266
+ /** Format: uuid */
2344
2267
  orgId: string;
2345
2268
  };
2346
2269
  SetActiveOrgResponse: {
2347
2270
  /** @constant */
2348
2271
  success: true;
2349
- /** Format: uuid */
2350
2272
  activeOrgId: string;
2351
2273
  };
2352
2274
  /** @enum {string} */
@@ -2955,19 +2877,16 @@ export interface components {
2955
2877
  name: string;
2956
2878
  };
2957
2879
  WorkspaceOverview: {
2958
- /** Format: uuid */
2959
2880
  id: string;
2960
2881
  name: string;
2961
- type: components["schemas"]["OrgType"];
2882
+ /** @enum {string} */
2883
+ type: "personal" | "shared";
2962
2884
  logoUrl: string | null;
2963
2885
  owner: {
2964
- /** Format: uuid */
2965
2886
  id: string;
2966
2887
  name: string;
2967
- /** Format: email */
2968
2888
  email: string;
2969
2889
  };
2970
- /** Format: date-time */
2971
2890
  createdAt: string;
2972
2891
  memberCount: number;
2973
2892
  claimable: boolean;
@@ -2983,10 +2902,15 @@ export interface components {
2983
2902
  joinedAt: string;
2984
2903
  };
2985
2904
  WorkspaceMembersResponse: {
2986
- items: components["schemas"]["WorkspaceMember"][];
2987
- /** @description Cursor for next page, null if no more results */
2988
- nextCursor?: string | null;
2989
- /** @description Whether more results are available */
2905
+ items: {
2906
+ id: string;
2907
+ name: string;
2908
+ email: string;
2909
+ /** @enum {string} */
2910
+ role: "owner" | "admin" | "member" | "auditor";
2911
+ joinedAt: string;
2912
+ }[];
2913
+ nextCursor: string | null;
2990
2914
  hasMore: boolean;
2991
2915
  };
2992
2916
  AuthMethodConfig: {
@@ -2994,10 +2918,82 @@ export interface components {
2994
2918
  provider?: string;
2995
2919
  };
2996
2920
  WorkspaceAuthConfig: {
2997
- emailOtp: components["schemas"]["AuthMethodConfig"];
2998
- googleSso: components["schemas"]["AuthMethodConfig"];
2999
- microsoftSso: components["schemas"]["AuthMethodConfig"];
3000
- okta: components["schemas"]["AuthMethodConfig"];
2921
+ emailOtp: {
2922
+ enabled: boolean;
2923
+ provider?: string;
2924
+ };
2925
+ googleSso: {
2926
+ enabled: boolean;
2927
+ provider?: string;
2928
+ };
2929
+ microsoftSso: {
2930
+ enabled: boolean;
2931
+ provider?: string;
2932
+ };
2933
+ okta: {
2934
+ enabled: boolean;
2935
+ provider?: string;
2936
+ };
2937
+ policy: {
2938
+ requireSSO: boolean;
2939
+ allowedProviders: string[];
2940
+ };
2941
+ ssoSetup?: {
2942
+ redirectUri: string;
2943
+ requiredScopes: string[];
2944
+ isOidcConfigured: boolean;
2945
+ oidcDiscoveryUrl: string | null;
2946
+ hasClientId: boolean;
2947
+ hasClientSecret: boolean;
2948
+ /** @enum {string} */
2949
+ providerStatus: "NOT_CONFIGURED" | "CONFIG_SAVED" | "CONFIG_VALID" | "TEST_SUCCESS" | "ENABLED";
2950
+ /** @enum {string} */
2951
+ currentStep: "configure" | "test" | "enable" | "enforce";
2952
+ stepCompleted: boolean;
2953
+ activeProvider: string | null;
2954
+ oidcValidation?: {
2955
+ valid: boolean;
2956
+ issuer?: string;
2957
+ authorizationEndpoint?: string;
2958
+ error?: string;
2959
+ /** @enum {string} */
2960
+ errorCode?: "UNREACHABLE" | "INVALID_DOCUMENT" | "MISSING_FIELDS" | "SSRF_BLOCKED";
2961
+ };
2962
+ credentialsSavedAt?: string;
2963
+ lastTestSuccessAt?: string;
2964
+ lastTestSuccessProvider?: string;
2965
+ };
2966
+ ssoReadiness?: {
2967
+ ready: boolean;
2968
+ checks: {
2969
+ code: string;
2970
+ label: string;
2971
+ passed: boolean;
2972
+ message: string;
2973
+ }[];
2974
+ };
2975
+ ssoEnforcement?: {
2976
+ enforced: boolean;
2977
+ enforcedDomains: string[];
2978
+ enforcedSince: string | null;
2979
+ };
2980
+ /** @enum {string} */
2981
+ workspaceSsoState?: "SSO_DISABLED" | "SSO_ENABLED" | "SSO_ENFORCED";
2982
+ ownerIdentities?: {
2983
+ userId: string;
2984
+ name: string;
2985
+ email: string;
2986
+ hasSsoIdentity: boolean;
2987
+ linkedProvider: string | null;
2988
+ lastSsoLoginAt: string | null;
2989
+ }[];
2990
+ providerSuggestion?: {
2991
+ suggestedProvider: ("google" | "microsoft") | null;
2992
+ /** @enum {string} */
2993
+ confidence: "high" | "low";
2994
+ reason: string;
2995
+ detectedDomain?: string;
2996
+ };
3001
2997
  };
3002
2998
  WorkspaceAuditEvent: {
3003
2999
  /** Format: uuid */
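Review bot: `WorkspaceAuthConfig` now carries SSO setup state, enforced domains and an `ownerIdentities` list with owner names, emails and last SSO login times, but nothing in the type says which callers receive these optional fields. The description removed from `getWorkspaceAuth` earlier in this diff tied that endpoint to `org.view_workspace`, while the SSO management endpoints were documented as needing `org.manage_auth`. If the server returns the new fields only to the latter, that should be stated here; if it returns them to every viewer, the exposure deserves a second look. A comment such as `/** Present only for callers with org.manage_auth */` on `ssoSetup`, `ssoEnforcement` and `ownerIdentities` would record the intent, assuming that is the server's behaviour. Reporting `hasClientId` and `hasClientSecret` as booleans rather than echoing the credentials is the right shape and worth keeping.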
@@ -3015,21 +3011,15 @@ export interface components {
3015
3011
  summary: string;
3016
3012
  };
3017
3013
  UpdateAuthPolicyRequest: {
3018
- /** @description Whether SSO is required for all members */
3019
3014
  requireSSO?: boolean;
3020
- /** @description List of allowed auth providers */
3021
3015
  allowedProviders?: string[];
3022
- /** @description OIDC discovery URL for SSO configuration */
3023
3016
  oidcDiscoveryUrl?: string | null;
3024
- /** @description OIDC client ID credential */
3025
3017
  oidcClientId?: string | null;
3026
- /** @description OIDC client secret credential */
3027
3018
  oidcClientSecret?: string | null;
3028
3019
  };
3029
3020
  OrgAuthPolicy: {
3030
3021
  requireSSO: boolean;
3031
3022
  allowedProviders: string[];
3032
- /** @description True when the requesting admin's own SSO session was revoked by this operation */
3033
3023
  selfRevoked?: boolean;
3034
3024
  };
3035
3025
  CreateInviteRequest: {
@@ -3078,24 +3068,17 @@ export interface components {
3078
3068
  };
3079
3069
  RemoveMemberResponse: {
3080
3070
  success: boolean;
3081
- /** Format: uuid */
3082
3071
  memberId: string;
3083
- /** Format: email */
3084
3072
  memberEmail: string;
3085
3073
  message: string;
3086
3074
  };
3087
3075
  ChangeMemberRoleRequest: {
3088
- /**
3089
- * @description New role for the member
3090
- * @enum {string}
3091
- */
3076
+ /** @enum {string} */
3092
3077
  newRole: "admin" | "member";
3093
3078
  };
3094
3079
  ChangeMemberRoleResponse: {
3095
3080
  success: boolean;
3096
- /** Format: uuid */
3097
3081
  memberId: string;
3098
- /** Format: email */
3099
3082
  memberEmail: string;
3100
3083
  previousRole: string;
3101
3084
  newRole: string;
@@ -3502,6 +3485,76 @@ export interface components {
3502
3485
  id?: string;
3503
3486
  runtimeProfile?: string;
3504
3487
  };
3488
+ WorkspaceNameRequest: {
3489
+ name: string;
3490
+ };
3491
+ WorkspaceAuditResponse: {
3492
+ id: string;
3493
+ timestamp: string;
3494
+ actor: {
3495
+ id: string;
3496
+ name: string;
3497
+ /** @enum {string} */
3498
+ type: "user" | "system";
3499
+ };
3500
+ action: string;
3501
+ summary: string;
3502
+ }[];
3503
+ ValidateOidcRequest: {
3504
+ discoveryUrl: string;
3505
+ };
3506
+ WorkspaceResyncSlackLogoResponse: {
3507
+ /** @constant */
3508
+ success: true;
3509
+ logoUrl: string | null;
3510
+ };
3511
+ WorkspaceResolvePathResponse: {
3512
+ layers: ({
3513
+ /** @constant */
3514
+ type: "dept";
3515
+ entity: {
3516
+ id: string;
3517
+ name: string;
3518
+ slug: string;
3519
+ memberCount: number;
3520
+ };
3521
+ } | {
3522
+ /** @constant */
3523
+ type: "team";
3524
+ entity: {
3525
+ id: string;
3526
+ name: string;
3527
+ slug: string;
3528
+ memberCount: number;
3529
+ };
3530
+ } | {
3531
+ /** @constant */
3532
+ type: "members";
3533
+ /** @enum {string} */
3534
+ scope: "org" | "dept" | "team";
3535
+ })[];
3536
+ };
3537
+ ResolvePathRequest: {
3538
+ path: string[];
3539
+ };
3540
+ TestSsoInitiation: {
3541
+ authorizationUrl: string;
3542
+ attemptId: string;
3543
+ };
3544
+ TestSsoResult: {
3545
+ /** @enum {string} */
3546
+ status: "pending" | "success" | "failed" | "expired";
3547
+ claims?: {
3548
+ sub: string;
3549
+ email?: string;
3550
+ name?: string;
3551
+ issuer: string;
3552
+ };
3553
+ identityLinked?: boolean;
3554
+ error?: string;
3555
+ /** @enum {string} */
3556
+ errorCode?: "IDENTITY_CONFLICT" | "DOMAIN_MISMATCH" | "ISSUER_MISMATCH" | "CALLBACK_ERROR";
3557
+ };
3505
3558
  };
3506
3559
  responses: never;
3507
3560
  parameters: never;
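Review bot: `ValidateOidcRequest.discoveryUrl` is an unannotated `string`, although the endpoint description removed earlier in this diff recorded that the server requires HTTPS and applies SSRF protection when validating it. A client needs that constraint to pre-validate input and to interpret the `SSRF_BLOCKED` value in `oidcValidation.errorCode`, so I would document it on the field: `/** @description OIDC discovery URL; must be HTTPS and is checked for SSRF by the server */`. `ResolvePathRequest.path` likewise loses the `[type, slug]` pair grammar that the old description spelled out. The `components.schemas` block starts and ends outside this hunk.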
@@ -3764,15 +3817,6 @@ export interface operations {
3764
3817
  "application/json": components["schemas"]["UserOrgsResponse"];
3765
3818
  };
3766
3819
  };
3767
- /** @description Not authenticated */
3768
- 401: {
3769
- headers: {
3770
- [name: string]: unknown;
3771
- };
3772
- content: {
3773
- "application/json": components["schemas"]["ErrorResponse"];
3774
- };
3775
- };
3776
3820
  };
3777
3821
  };
3778
3822
  setActiveOrg: {
@@ -3797,33 +3841,6 @@ export interface operations {
3797
3841
  "application/json": components["schemas"]["SetActiveOrgResponse"];
3798
3842
  };
3799
3843
  };
3800
- /** @description Invalid orgId format */
3801
- 400: {
3802
- headers: {
3803
- [name: string]: unknown;
3804
- };
3805
- content: {
3806
- "application/json": components["schemas"]["ErrorResponse"];
3807
- };
3808
- };
3809
- /** @description Not authenticated */
3810
- 401: {
3811
- headers: {
3812
- [name: string]: unknown;
3813
- };
3814
- content: {
3815
- "application/json": components["schemas"]["ErrorResponse"];
3816
- };
3817
- };
3818
- /** @description User is not a member of the target organization */
3819
- 403: {
3820
- headers: {
3821
- [name: string]: unknown;
3822
- };
3823
- content: {
3824
- "application/json": components["schemas"]["ErrorResponse"];
3825
- };
3826
- };
3827
3844
  };
3828
3845
  };
3829
3846
  getDismissedBanners: {
@@ -5142,7 +5159,7 @@ export interface operations {
5142
5159
  };
5143
5160
  requestBody?: never;
5144
5161
  responses: {
5145
- /** @description Access check result */
5162
+ /** @description Workspace access status */
5146
5163
  200: {
5147
5164
  headers: {
5148
5165
  [name: string]: unknown;
@@ -5151,15 +5168,6 @@ export interface operations {
5151
5168
  "application/json": components["schemas"]["WorkspaceAccessResponse"];
5152
5169
  };
5153
5170
  };
5154
- /** @description Not authenticated */
5155
- 401: {
5156
- headers: {
5157
- [name: string]: unknown;
5158
- };
5159
- content: {
5160
- "application/json": components["schemas"]["ErrorResponse"];
5161
- };
5162
- };
5163
5171
  };
5164
5172
  };
5165
5173
  getWorkspaceOverview: {
@@ -5180,24 +5188,6 @@ export interface operations {
5180
5188
  "application/json": components["schemas"]["WorkspaceOverview"];
5181
5189
  };
5182
5190
  };
5183
- /** @description No org.view_workspace capability */
5184
- 403: {
5185
- headers: {
5186
- [name: string]: unknown;
5187
- };
5188
- content: {
5189
- "application/json": components["schemas"]["ErrorResponse"];
5190
- };
5191
- };
5192
- /** @description Workspace not found */
5193
- 404: {
5194
- headers: {
5195
- [name: string]: unknown;
5196
- };
5197
- content: {
5198
- "application/json": components["schemas"]["ErrorResponse"];
5199
- };
5200
- };
5201
5191
  };
5202
5192
  };
5203
5193
  renameWorkspace: {
@@ -5209,7 +5199,7 @@ export interface operations {
5209
5199
  };
5210
5200
  requestBody: {
5211
5201
  content: {
5212
- "application/json": components["schemas"]["RenameWorkspaceRequest"];
5202
+ "application/json": components["schemas"]["WorkspaceNameRequest"];
5213
5203
  };
5214
5204
  };
5215
5205
  responses: {
@@ -5222,41 +5212,12 @@ export interface operations {
5222
5212
  "application/json": components["schemas"]["WorkspaceOverview"];
5223
5213
  };
5224
5214
  };
5225
- /** @description Invalid name */
5226
- 400: {
5227
- headers: {
5228
- [name: string]: unknown;
5229
- };
5230
- content: {
5231
- "application/json": components["schemas"]["ErrorResponse"];
5232
- };
5233
- };
5234
- /** @description Missing org.manage_users capability */
5235
- 403: {
5236
- headers: {
5237
- [name: string]: unknown;
5238
- };
5239
- content: {
5240
- "application/json": components["schemas"]["ErrorResponse"];
5241
- };
5242
- };
5243
- /** @description Workspace not found */
5244
- 404: {
5245
- headers: {
5246
- [name: string]: unknown;
5247
- };
5248
- content: {
5249
- "application/json": components["schemas"]["ErrorResponse"];
5250
- };
5251
- };
5252
5215
  };
5253
5216
  };
5254
5217
  getWorkspaceMembers: {
5255
5218
  parameters: {
5256
5219
  query?: {
5257
- /** @description Cursor for pagination */
5258
5220
  cursor?: string;
5259
- /** @description Max results per page (default 100, max 200) */
5260
5221
  limit?: number;
5261
5222
  };
5262
5223
  header?: never;
@@ -5274,15 +5235,6 @@ export interface operations {
5274
5235
  "application/json": components["schemas"]["WorkspaceMembersResponse"];
5275
5236
  };
5276
5237
  };
5277
- /** @description No org.view_workspace capability */
5278
- 403: {
5279
- headers: {
5280
- [name: string]: unknown;
5281
- };
5282
- content: {
5283
- "application/json": components["schemas"]["ErrorResponse"];
5284
- };
5285
- };
5286
5238
  };
5287
5239
  };
5288
5240
  getWorkspaceAuth: {
@@ -5294,7 +5246,7 @@ export interface operations {
5294
5246
  };
5295
5247
  requestBody?: never;
5296
5248
  responses: {
5297
- /** @description Workspace auth configuration */
5249
+ /** @description Workspace authentication configuration */
5298
5250
  200: {
5299
5251
  headers: {
5300
5252
  [name: string]: unknown;
@@ -5303,23 +5255,12 @@ export interface operations {
5303
5255
  "application/json": components["schemas"]["WorkspaceAuthConfig"];
5304
5256
  };
5305
5257
  };
5306
- /** @description No org.view_workspace capability */
5307
- 403: {
5308
- headers: {
5309
- [name: string]: unknown;
5310
- };
5311
- content: {
5312
- "application/json": components["schemas"]["ErrorResponse"];
5313
- };
5314
- };
5315
5258
  };
5316
5259
  };
5317
5260
  getWorkspaceAudit: {
5318
5261
  parameters: {
5319
5262
  query?: {
5320
- /** @description Number of events to return (default 50, max 100) */
5321
5263
  limit?: number;
5322
- /** @description Pagination offset (default 0, max 1000) */
5323
5264
  offset?: number;
5324
5265
  };
5325
5266
  header?: never;
@@ -5328,31 +5269,13 @@ export interface operations {
5328
5269
  };
5329
5270
  requestBody?: never;
5330
5271
  responses: {
5331
- /** @description List of audit events */
5272
+ /** @description Workspace audit events */
5332
5273
  200: {
5333
5274
  headers: {
5334
5275
  [name: string]: unknown;
5335
5276
  };
5336
5277
  content: {
5337
- "application/json": components["schemas"]["WorkspaceAuditEvent"][];
5338
- };
5339
- };
5340
- /** @description Offset exceeds maximum pagination depth */
5341
- 400: {
5342
- headers: {
5343
- [name: string]: unknown;
5344
- };
5345
- content: {
5346
- "application/json": components["schemas"]["ErrorResponse"];
5347
- };
5348
- };
5349
- /** @description No org.view_workspace capability */
5350
- 403: {
5351
- headers: {
5352
- [name: string]: unknown;
5353
- };
5354
- content: {
5355
- "application/json": components["schemas"]["ErrorResponse"];
5278
+ "application/json": components["schemas"]["WorkspaceAuditResponse"];
5356
5279
  };
5357
5280
  };
5358
5281
  };
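Review bot: The audit-log operation's `responses` map now declares only `200`; the `400` (offset beyond maximum pagination depth) and `403` (no `org.view_workspace` capability) entries are gone, and the other `operations` hunks in this diff remove their `400`/`401`/`403`/`404`/`409`/`429` entries in the same way. Typed clients that narrow on status code lose the `ErrorResponse` body shape for authorization failures and for conflicts such as the admin-floor and lock-out cases, so those paths end up untyped or unhandled. If the server still returns these statuses, each operation should keep them, e.g. `403: { headers: { [name: string]: unknown }; content: { "application/json": components["schemas"]["ErrorResponse"] } };`. The 200 body also changes from `WorkspaceAuditEvent[]` to `WorkspaceAuditResponse`, which is itself an array type, so the name now hides that the payload is a list.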
@@ -5379,24 +5302,6 @@ export interface operations {
5379
5302
  "application/json": components["schemas"]["OrgAuthPolicy"];
5380
5303
  };
5381
5304
  };
5382
- /** @description Actor lacks org.manage_auth capability */
5383
- 403: {
5384
- headers: {
5385
- [name: string]: unknown;
5386
- };
5387
- content: {
5388
- "application/json": components["schemas"]["ErrorResponse"];
5389
- };
5390
- };
5391
- /** @description Would lock out all authority principals */
5392
- 409: {
5393
- headers: {
5394
- [name: string]: unknown;
5395
- };
5396
- content: {
5397
- "application/json": components["schemas"]["ErrorResponse"];
5398
- };
5399
- };
5400
5305
  };
5401
5306
  };
5402
5307
  validateOidcDiscovery: {
@@ -5408,14 +5313,11 @@ export interface operations {
5408
5313
  };
5409
5314
  requestBody: {
5410
5315
  content: {
5411
- "application/json": {
5412
- /** @description The OIDC discovery URL to validate */
5413
- discoveryUrl: string;
5414
- };
5316
+ "application/json": components["schemas"]["ValidateOidcRequest"];
5415
5317
  };
5416
5318
  };
5417
5319
  responses: {
5418
- /** @description Validation result */
5320
+ /** @description OIDC validation result */
5419
5321
  200: {
5420
5322
  headers: {
5421
5323
  [name: string]: unknown;
@@ -5424,24 +5326,6 @@ export interface operations {
5424
5326
  "application/json": components["schemas"]["OidcValidationResult"];
5425
5327
  };
5426
5328
  };
5427
- /** @description Invalid request body */
5428
- 400: {
5429
- headers: {
5430
- [name: string]: unknown;
5431
- };
5432
- content: {
5433
- "application/json": components["schemas"]["ErrorResponse"];
5434
- };
5435
- };
5436
- /** @description Missing org.manage_auth capability */
5437
- 403: {
5438
- headers: {
5439
- [name: string]: unknown;
5440
- };
5441
- content: {
5442
- "application/json": components["schemas"]["ErrorResponse"];
5443
- };
5444
- };
5445
5329
  };
5446
5330
  };
5447
5331
  initiateTestSso: {
@@ -5453,45 +5337,13 @@ export interface operations {
5453
5337
  };
5454
5338
  requestBody?: never;
5455
5339
  responses: {
5456
- /** @description Test SSO initiation with authorization URL */
5340
+ /** @description Test SSO initiation result with authorization URL */
5457
5341
  200: {
5458
5342
  headers: {
5459
5343
  [name: string]: unknown;
5460
5344
  };
5461
5345
  content: {
5462
- "application/json": {
5463
- /** @description IdP authorization URL to redirect user to */
5464
- authorizationUrl: string;
5465
- /** @description ID of the created test attempt for polling */
5466
- attemptId: string;
5467
- };
5468
- };
5469
- };
5470
- /** @description No SSO provider configured or OIDC credentials missing */
5471
- 400: {
5472
- headers: {
5473
- [name: string]: unknown;
5474
- };
5475
- content: {
5476
- "application/json": components["schemas"]["ErrorResponse"];
5477
- };
5478
- };
5479
- /** @description Missing org.manage_auth capability */
5480
- 403: {
5481
- headers: {
5482
- [name: string]: unknown;
5483
- };
5484
- content: {
5485
- "application/json": components["schemas"]["ErrorResponse"];
5486
- };
5487
- };
5488
- /** @description A test is already in progress (debounce) */
5489
- 429: {
5490
- headers: {
5491
- [name: string]: unknown;
5492
- };
5493
- content: {
5494
- "application/json": components["schemas"]["ErrorResponse"];
5346
+ "application/json": components["schemas"]["TestSsoInitiation"];
5495
5347
  };
5496
5348
  };
5497
5349
  };
@@ -5500,50 +5352,18 @@ export interface operations {
5500
5352
  parameters: {
5501
5353
  query?: never;
5502
5354
  header?: never;
5503
- path: {
5504
- /** @description The test attempt ID to poll */
5505
- attemptId: string;
5506
- };
5355
+ path?: never;
5507
5356
  cookie?: never;
5508
5357
  };
5509
5358
  requestBody?: never;
5510
5359
  responses: {
5511
- /** @description Test SSO result */
5360
+ /** @description Test SSO attempt status */
5512
5361
  200: {
5513
5362
  headers: {
5514
5363
  [name: string]: unknown;
5515
5364
  };
5516
5365
  content: {
5517
- "application/json": {
5518
- /** @enum {string} */
5519
- status: "pending" | "success" | "failed" | "expired";
5520
- claims?: {
5521
- sub?: string;
5522
- email?: string;
5523
- issuer?: string;
5524
- };
5525
- identityLinked?: boolean;
5526
- error?: string;
5527
- errorCode?: string;
5528
- };
5529
- };
5530
- };
5531
- /** @description Missing org.manage_auth capability */
5532
- 403: {
5533
- headers: {
5534
- [name: string]: unknown;
5535
- };
5536
- content: {
5537
- "application/json": components["schemas"]["ErrorResponse"];
5538
- };
5539
- };
5540
- /** @description Attempt not found */
5541
- 404: {
5542
- headers: {
5543
- [name: string]: unknown;
5544
- };
5545
- content: {
5546
- "application/json": components["schemas"]["ErrorResponse"];
5366
+ "application/json": components["schemas"]["TestSsoResult"];
5547
5367
  };
5548
5368
  };
5549
5369
  };
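Review bot: `path` changes from `{ attemptId: string }` to `path?: never` here, so the typed contract no longer lets a caller supply the attempt being polled. The hunks that follow do the same to the `id` path parameter of the member-removal and `changeMemberRole` operations. If the routes still carry these identifiers in the URL, generated clients will either fail to compile or send requests without them, and for member removal and role change the target of a privileged action disappears from the types. This looks like a generator or spec regression rather than an API change; I would restore `path: { attemptId: string };` (and `path: { id: string };` in the two member operations) or confirm that the routes were redesigned. The operation's opening line is outside this hunk.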
@@ -5763,10 +5583,7 @@ export interface operations {
5763
5583
  parameters: {
5764
5584
  query?: never;
5765
5585
  header?: never;
5766
- path: {
5767
- /** @description Member ID */
5768
- id: string;
5769
- };
5586
+ path?: never;
5770
5587
  cookie?: never;
5771
5588
  };
5772
5589
  requestBody?: never;
@@ -5780,43 +5597,13 @@ export interface operations {
5780
5597
  "application/json": components["schemas"]["RemoveMemberResponse"];
5781
5598
  };
5782
5599
  };
5783
- /** @description Forbidden (owner protection, missing capability) */
5784
- 403: {
5785
- headers: {
5786
- [name: string]: unknown;
5787
- };
5788
- content: {
5789
- "application/json": components["schemas"]["ErrorResponse"];
5790
- };
5791
- };
5792
- /** @description Member not found */
5793
- 404: {
5794
- headers: {
5795
- [name: string]: unknown;
5796
- };
5797
- content: {
5798
- "application/json": components["schemas"]["ErrorResponse"];
5799
- };
5800
- };
5801
- /** @description Conflict (admin floor violation) */
5802
- 409: {
5803
- headers: {
5804
- [name: string]: unknown;
5805
- };
5806
- content: {
5807
- "application/json": components["schemas"]["ErrorResponse"];
5808
- };
5809
- };
5810
5600
  };
5811
5601
  };
5812
5602
  changeMemberRole: {
5813
5603
  parameters: {
5814
5604
  query?: never;
5815
5605
  header?: never;
5816
- path: {
5817
- /** @description Member ID */
5818
- id: string;
5819
- };
5606
+ path?: never;
5820
5607
  cookie?: never;
5821
5608
  };
5822
5609
  requestBody: {
@@ -5834,42 +5621,6 @@ export interface operations {
5834
5621
  "application/json": components["schemas"]["ChangeMemberRoleResponse"];
5835
5622
  };
5836
5623
  };
5837
- /** @description Invalid request body */
5838
- 400: {
5839
- headers: {
5840
- [name: string]: unknown;
5841
- };
5842
- content: {
5843
- "application/json": components["schemas"]["ErrorResponse"];
5844
- };
5845
- };
5846
- /** @description Forbidden (owner demotion, missing capability) */
5847
- 403: {
5848
- headers: {
5849
- [name: string]: unknown;
5850
- };
5851
- content: {
5852
- "application/json": components["schemas"]["ErrorResponse"];
5853
- };
5854
- };
5855
- /** @description Member not found */
5856
- 404: {
5857
- headers: {
5858
- [name: string]: unknown;
5859
- };
5860
- content: {
5861
- "application/json": components["schemas"]["ErrorResponse"];
5862
- };
5863
- };
5864
- /** @description Conflict (admin floor violation) */
5865
- 409: {
5866
- headers: {
5867
- [name: string]: unknown;
5868
- };
5869
- content: {
5870
- "application/json": components["schemas"]["ErrorResponse"];
5871
- };
5872
- };
5873
5624
  };
5874
5625
  };
5875
5626
  listDomains: {
@@ -6070,49 +5821,13 @@ export interface operations {
6070
5821
  };
6071
5822
  requestBody?: never;
6072
5823
  responses: {
6073
- /** @description Logo resynced */
5824
+ /** @description Resync result with new logo URL */
6074
5825
  200: {
6075
5826
  headers: {
6076
5827
  [name: string]: unknown;
6077
5828
  };
6078
5829
  content: {
6079
- "application/json": components["schemas"]["ResyncSlackLogoResponse"];
6080
- };
6081
- };
6082
- /** @description Slack not connected */
6083
- 400: {
6084
- headers: {
6085
- [name: string]: unknown;
6086
- };
6087
- content: {
6088
- "application/json": components["schemas"]["ErrorResponse"];
6089
- };
6090
- };
6091
- /** @description Not authenticated */
6092
- 401: {
6093
- headers: {
6094
- [name: string]: unknown;
6095
- };
6096
- content: {
6097
- "application/json": components["schemas"]["ErrorResponse"];
6098
- };
6099
- };
6100
- /** @description No org.view_workspace capability */
6101
- 403: {
6102
- headers: {
6103
- [name: string]: unknown;
6104
- };
6105
- content: {
6106
- "application/json": components["schemas"]["ErrorResponse"];
6107
- };
6108
- };
6109
- /** @description Rate limit exceeded */
6110
- 429: {
6111
- headers: {
6112
- [name: string]: unknown;
6113
- };
6114
- content: {
6115
- "application/json": components["schemas"]["ErrorResponse"];
5830
+ "application/json": components["schemas"]["WorkspaceResyncSlackLogoResponse"];
6116
5831
  };
6117
5832
  };
6118
5833
  };
@@ -6126,58 +5841,17 @@ export interface operations {
6126
5841
  };
6127
5842
  requestBody: {
6128
5843
  content: {
6129
- "application/json": {
6130
- /** @description Flat tokenized segments, e.g. ["dept", "engineering", "team", "front-end"] */
6131
- path: string[];
6132
- };
5844
+ "application/json": components["schemas"]["ResolvePathRequest"];
6133
5845
  };
6134
5846
  };
6135
5847
  responses: {
6136
- /** @description Resolved layers */
5848
+ /** @description Resolved navigation layers */
6137
5849
  200: {
6138
5850
  headers: {
6139
5851
  [name: string]: unknown;
6140
5852
  };
6141
5853
  content: {
6142
- "application/json": {
6143
- layers: components["schemas"]["ResolvedLayer"][];
6144
- };
6145
- };
6146
- };
6147
- /** @description Invalid segment grammar */
6148
- 400: {
6149
- headers: {
6150
- [name: string]: unknown;
6151
- };
6152
- content: {
6153
- "application/json": components["schemas"]["ErrorResponse"];
6154
- };
6155
- };
6156
- /** @description Not authenticated */
6157
- 401: {
6158
- headers: {
6159
- [name: string]: unknown;
6160
- };
6161
- content: {
6162
- "application/json": components["schemas"]["ErrorResponse"];
6163
- };
6164
- };
6165
- /** @description No org.view_workspace capability */
6166
- 403: {
6167
- headers: {
6168
- [name: string]: unknown;
6169
- };
6170
- content: {
6171
- "application/json": components["schemas"]["ErrorResponse"];
6172
- };
6173
- };
6174
- /** @description Entity slug not found */
6175
- 404: {
6176
- headers: {
6177
- [name: string]: unknown;
6178
- };
6179
- content: {
6180
- "application/json": components["schemas"]["ErrorResponse"];
5854
+ "application/json": components["schemas"]["WorkspaceResolvePathResponse"];
6181
5855
  };
6182
5856
  };
6183
5857
  };
@@ -7970,9 +7644,7 @@ export interface operations {
7970
7644
  parameters: {
7971
7645
  query?: never;
7972
7646
  header?: never;
7973
- path: {
7974
- orgId: string;
7975
- };
7647
+ path?: never;
7976
7648
  cookie?: never;
7977
7649
  };
7978
7650
  requestBody?: never;
@@ -7982,32 +7654,7 @@ export interface operations {
7982
7654
  headers: {
7983
7655
  [name: string]: unknown;
7984
7656
  };
7985
- content: {
7986
- "application/json": {
7987
- /** @constant */
7988
- success?: true;
7989
- /** Format: uuid */
7990
- nextOrgId?: string | null;
7991
- };
7992
- };
7993
- };
7994
- /** @description Cannot leave personal org or sole owner */
7995
- 400: {
7996
- headers: {
7997
- [name: string]: unknown;
7998
- };
7999
- content: {
8000
- "application/json": components["schemas"]["ErrorResponse"];
8001
- };
8002
- };
8003
- /** @description Not a member of this organization */
8004
- 404: {
8005
- headers: {
8006
- [name: string]: unknown;
8007
- };
8008
- content: {
8009
- "application/json": components["schemas"]["ErrorResponse"];
8010
- };
7657
+ content?: never;
8011
7658
  };
8012
7659
  };
8013
7660
  };
@@ -8396,24 +8043,6 @@ export interface operations {
8396
8043
  "application/json": components["schemas"]["ScopeCheckBatchResponse"];
8397
8044
  };
8398
8045
  };
8399
- /** @description Invalid input (empty array, >20 items, invalid scope format) */
8400
- 400: {
8401
- headers: {
8402
- [name: string]: unknown;
8403
- };
8404
- content: {
8405
- "application/json": components["schemas"]["ErrorResponse"];
8406
- };
8407
- };
8408
- /** @description Not authenticated */
8409
- 401: {
8410
- headers: {
8411
- [name: string]: unknown;
8412
- };
8413
- content: {
8414
- "application/json": components["schemas"]["ErrorResponse"];
8415
- };
8416
- };
8417
8046
  };
8418
8047
  };
8419
8048
  }
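--- a/package/src/org/index.ts
+++ b/package/src/org/index.ts
@@ -179,3 +179,25 @@ export type {
  ScopeCheckResponse,
  ScopeCheckBatchResponse,
  } from './schemas';
+
+ // Org lifecycle response schemas (PRD-00446)
+ export {
+ InviteResponseSchema,
+ InviteListResponseSchema,
+ DomainResponseSchema,
+ DomainListResponseSchema,
+ OrgBillingResponseSchema,
+ OrgDeletionStatusSchema,
+ OwnershipTransferResponseSchema,
+ OwnershipTransferPreviewSchema,
+ } from './schemas';
+ export type {
+ InviteResponse,
+ InviteListResponse,
+ DomainResponse,
+ DomainListResponse,
+ OrgBillingResponse,
+ OrgDeletionStatus,
+ OwnershipTransferResponse,
+ OwnershipTransferPreview,
+ } from './schemas';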
@@ -371,3 +371,134 @@ export const ScopeCheckBatchResponseSchema = z.object({
371
371
  });
372
372
 
373
373
  export type ScopeCheckBatchResponse = z.infer<typeof ScopeCheckBatchResponseSchema>;
374
+
375
+ // ---------------------------------------------------------------------------
376
+ // Invite sub-schema
377
+ // ---------------------------------------------------------------------------
378
+
379
+ const OrgInviteSchema = z.object({
380
+ id: z.string(),
381
+ orgId: z.string(),
382
+ email: z.string(),
383
+ role: z.enum(['owner', 'admin', 'member', 'auditor']),
384
+ invitedBy: z.object({ id: z.string(), name: z.string() }),
385
+ status: z.enum(['pending', 'accepted', 'expired', 'revoked']),
386
+ createdAt: z.string(),
387
+ expiresAt: z.string(),
388
+ acceptedAt: z.string().optional(),
389
+ });
390
+
391
+ // ---------------------------------------------------------------------------
392
+ // POST /api/workspace/invites
393
+ // ---------------------------------------------------------------------------
394
+
395
+ export const InviteResponseSchema = z.object({
396
+ invite: OrgInviteSchema,
397
+ });
398
+
399
+ export type InviteResponse = z.infer<typeof InviteResponseSchema>;
400
+
401
+ // ---------------------------------------------------------------------------
402
+ // GET /api/workspace/invites
403
+ // ---------------------------------------------------------------------------
404
+
405
+ export const InviteListResponseSchema = z.array(OrgInviteSchema);
406
+
407
+ export type InviteListResponse = z.infer<typeof InviteListResponseSchema>;
408
+
409
+ // ---------------------------------------------------------------------------
410
+ // OrgDomain sub-schema
411
+ // ---------------------------------------------------------------------------
412
+
413
+ const OrgDomainSchema = z.object({
414
+ id: z.string(),
415
+ orgId: z.string(),
416
+ domain: z.string(),
417
+ status: z.enum(['pending', 'verified']),
418
+ verificationMethod: z.enum(['dns_txt', 'email', 'idp']),
419
+ verificationToken: z.string().optional(),
420
+ verifiedAt: z.string().nullable(),
421
+ createdAt: z.string(),
422
+ verifiedBy: z.object({ id: z.string(), name: z.string(), email: z.string() }).optional(),
423
+ });
424
+
425
+ // ---------------------------------------------------------------------------
426
+ // GET /api/workspace/domains/:id/verify (single domain)
427
+ // POST /api/workspace/domains/:id/verify (returns verified OrgDomain)
428
+ // ---------------------------------------------------------------------------
429
+
430
+ export const DomainResponseSchema = OrgDomainSchema;
431
+
432
+ export type DomainResponse = z.infer<typeof DomainResponseSchema>;
433
+
434
+ // ---------------------------------------------------------------------------
435
+ // GET /api/workspace/domains
436
+ // ---------------------------------------------------------------------------
437
+
438
+ export const DomainListResponseSchema = z.array(OrgDomainSchema);
439
+
440
+ export type DomainListResponse = z.infer<typeof DomainListResponseSchema>;
441
+
442
+ // ---------------------------------------------------------------------------
443
+ // GET /api/orgs/:orgId/billing
444
+ // ---------------------------------------------------------------------------
445
+
446
+ export const OrgBillingResponseSchema = z.object({
447
+ planName: z.string(),
448
+ planStatus: z.enum(['active', 'trialing', 'past_due', 'canceled']),
449
+ billingCadence: z.string(),
450
+ seatCount: z.number(),
451
+ seatLimit: z.number(),
452
+ billingOwnerUserId: z.string(),
453
+ });
454
+
455
+ export type OrgBillingResponse = z.infer<typeof OrgBillingResponseSchema>;
456
+
457
+ // ---------------------------------------------------------------------------
458
+ // GET /api/org/deletion-eligibility
459
+ // ---------------------------------------------------------------------------
460
+
461
+ const MemberClassificationSchema = z.object({
462
+ userId: z.string(),
463
+ email: z.string(),
464
+ suggestedFate: z.enum(['REMOVE_FROM_ORG', 'DELETE_ACCOUNT', 'BLOCKED']),
465
+ reason: z.string(),
466
+ });
467
+
468
+ export const OrgDeletionStatusSchema = z.object({
469
+ orgId: z.string(),
470
+ eligible: z.boolean(),
471
+ isPersonalOrg: z.boolean(),
472
+ ownerStatus: z.string().optional(),
473
+ deletionRequestedAt: z.string().optional(),
474
+ classifications: z.array(MemberClassificationSchema),
475
+ });
476
+
477
+ export type OrgDeletionStatus = z.infer<typeof OrgDeletionStatusSchema>;
478
+
479
+ // ---------------------------------------------------------------------------
480
+ // POST /api/org/transfer-ownership (initiate)
481
+ // ---------------------------------------------------------------------------
482
+
483
+ export const OwnershipTransferResponseSchema = z.object({
484
+ transferId: z.string(),
485
+ expiresAt: z.string(),
486
+ message: z.string(),
487
+ });
488
+
489
+ export type OwnershipTransferResponse = z.infer<typeof OwnershipTransferResponseSchema>;
490
+
491
+ // ---------------------------------------------------------------------------
492
+ // POST /api/org/transfer-ownership/preview
493
+ // ---------------------------------------------------------------------------
494
+
495
+ export const OwnershipTransferPreviewSchema = z.object({
496
+ workspaceName: z.string(),
497
+ initiatorName: z.string(),
498
+ initiatorEmail: z.string(),
499
+ note: z.string().optional(),
500
+ expiresAt: z.string(),
501
+ token: z.string(),
502
+ });
503
+
504
+ export type OwnershipTransferPreview = z.infer<typeof OwnershipTransferPreviewSchema>;
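Review bot: `OrgDomainSchema` carries `verificationToken` and `OwnershipTransferPreviewSchema` carries `token`, so both secrets become part of typed response bodies, and through `DomainListResponseSchema = z.array(OrgDomainSchema)` the verification token is allowed on every row of the domain list. Whether the list endpoint needs it is not visible here; if it does not, `export const DomainListResponseSchema = z.array(OrgDomainSchema.omit({ verificationToken: true }));` keeps it to the single-domain responses. Above `token: z.string(),` I would add `// Secret: do not log, cache or persist parsed previews` (what the token authorises is not shown in this hunk, so confirm against the handler). The hunk has no file header of its own on this page; its line numbers do not continue the `index.ts` hunk above, so it presumably belongs to the `./schemas` module that file re-exports from.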