npm - @company-semantics/contracts - Versions diffs - 0.37.0 → 0.38.0 - Mend

@company-semantics/contracts 0.37.0 → 0.38.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@company-semantics/contracts",
-  "version": "0.37.0",
+  "version": "0.38.0",
   "private": false,
   "repository": {
     "type": "git",

package/src/index.ts CHANGED Viewed

@@ -145,6 +145,13 @@ export type {
   Phase3AuditAction,
   // Workspace capability types (Phase 3)
   WorkspaceCapability,
+  // Domain and multi-org types (Phase 4)
+  // @see ADR-CONT-032 for design rationale
+  DomainStatus,
+  DomainVerificationMethod,
+  OrgDomain,
+  Phase4AuditAction,
+  UserOrgMembership,
 } from './org/index'
 export { ROLE_DISPLAY_MAP, WORKSPACE_CAPABILITIES, ROLE_CAPABILITY_MAP } from './org/index'

package/src/org/domain.ts ADDED Viewed

@@ -0,0 +1,67 @@
+/**
+ * Domain Types (Phase 4)
+ *
+ * Vocabulary types for enterprise domain verification and trust.
+ * @see ADR-CONT-032 (Phase 4: Enterprise Identity, Domain Trust, Multi-Org)
+ */
+/**
+ * Status of a domain claim within an organization.
+ * - 'pending': Domain claimed but not yet verified
+ * - 'verified': Domain ownership confirmed via DNS TXT record
+ * - 'revoked': Domain claim revoked by org owner
+ *
+ * INVARIANT: Only ONE org may have status='verified' for any domain globally.
+ */
+export type DomainStatus = 'pending' | 'verified' | 'revoked';
+/**
+ * Method used to verify domain ownership.
+ * - 'dns_txt': DNS TXT record verification (primary method)
+ * - 'email': Email-based verification (reserved for future)
+ * - 'idp': IdP-based verification via SAML/OIDC (reserved for future)
+ */
+export type DomainVerificationMethod = 'dns_txt' | 'email' | 'idp';
+/**
+ * Organization domain claim and verification status.
+ * Represents a domain that an org has claimed or verified ownership of.
+ *
+ * INVARIANT: Domain verification does not grant access.
+ * INVARIANT: Only one org can have a verified claim on any email domain.
+ */
+export interface OrgDomain {
+  id: string;
+  orgId: string;
+  domain: string;
+  status: DomainStatus;
+  verificationMethod: DomainVerificationMethod;
+  /** Verification token - only visible to org owner. */
+  verificationToken?: string;
+  /** ISO8601 timestamp when domain was verified, null if pending/revoked. */
+  verifiedAt: string | null;
+  /** ISO8601 timestamp when claim was created. */
+  createdAt: string;
+}
+// =============================================================================
+// Phase 4 Audit Action Types
+// =============================================================================
+/**
+ * Audit actions for Phase 4 enterprise identity features.
+ * These actions are emitted by the backend when domain/auth state changes.
+ *
+ * INVARIANT: All domain and auth policy mutations must emit audit events.
+ */
+export type Phase4AuditAction =
+  // Domain lifecycle
+  | 'org.domain.claimed'
+  | 'org.domain.verified'
+  | 'org.domain.revoked'
+  // Auth policy enforcement
+  | 'org.auth_policy.enforced'
+  | 'org.auth_policy.override_used' // Emergency SSO bypass succeeded
+  | 'org.auth_policy.override_attempted' // Emergency SSO bypass denied (incident review)
+  // Multi-org context
+  | 'user.active_org.switched';

package/src/org/index.ts CHANGED Viewed

@@ -32,6 +32,8 @@ export type {
   PromoteIntegrationRequest,
   DemoteIntegrationRequest,
   Phase3AuditAction,
+  // Multi-org membership types (Phase 4)
+  UserOrgMembership,
 } from './types';
 export { ROLE_DISPLAY_MAP } from './types';
@@ -39,3 +41,11 @@ export { ROLE_DISPLAY_MAP } from './types';
 // Workspace capability types (Phase 3)
 export type { WorkspaceCapability } from './capabilities';
 export { WORKSPACE_CAPABILITIES, ROLE_CAPABILITY_MAP } from './capabilities';
+// Domain types (Phase 4)
+export type {
+  DomainStatus,
+  DomainVerificationMethod,
+  OrgDomain,
+  Phase4AuditAction,
+} from './domain';

package/src/org/types.ts CHANGED Viewed

@@ -304,3 +304,28 @@ export type Phase3AuditAction =
   | 'integration.scope_demoted'
   // Auth policy
   | 'org.auth_policy.updated';
+// =============================================================================
+// Multi-Org Membership Types (Phase 4)
+// @see ADR-CONT-032 for design rationale
+// =============================================================================
+/**
+ * User organization membership summary.
+ * Represents a user's membership in an organization for multi-org context switching.
+ *
+ * INVARIANT: role is DERIVED from RBAC at write-time (presentation only).
+ * INVARIANT: RBAC remains the authoritative source of truth for permissions.
+ */
+export interface UserOrgMembership {
+  userId: string;
+  orgId: string;
+  orgName: string;
+  orgSlug: string;
+  /** Display role derived from RBAC - presentation only, not for auth decisions. */
+  role: WorkspaceRole;
+  /** ISO8601 timestamp when user joined the organization. */
+  joinedAt: string;
+  /** Whether this membership is currently active. */
+  isActive: boolean;
+}