@company-semantics/contracts 0.70.0 → 0.71.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (5) hide show
  1. package/package.json +1 -1
  2. package/src/index.ts +5 -0
  3. package/src/org/index.ts +8 -0
  4. package/src/org/strategy.ts +10 -2
  5. package/src/org/types.ts +96 -0
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@company-semantics/contracts",
3
- "version": "0.70.0",
3
+ "version": "0.71.0",
4
4
  "private": false,
5
5
  "repository": {
6
6
  "type": "git",
package/src/index.ts CHANGED
@@ -193,6 +193,11 @@ export type {
193
193
  WorkspaceMember,
194
194
  AuthMethodConfig,
195
195
  WorkspaceAuthConfig,
196
+ // SSO self-service setup types (PRD-00193)
197
+ SsoSetupInfo,
198
+ SsoReadinessCheck,
199
+ SsoReadiness,
200
+ SsoEnforcementStatus,
196
201
  WorkspaceAuditEvent,
197
202
  // Workspace expansion DTOs (Phase 3)
198
203
  // @see ADR-CONT-031 for design rationale
package/src/org/index.ts CHANGED
@@ -17,6 +17,11 @@ export type {
17
17
  WorkspaceMember,
18
18
  AuthMethodConfig,
19
19
  WorkspaceAuthConfig,
20
+ // SSO self-service setup types (PRD-00193)
21
+ SsoSetupInfo,
22
+ SsoReadinessCheck,
23
+ SsoReadiness,
24
+ SsoEnforcementStatus,
20
25
  WorkspaceAuditEvent,
21
26
  // Workspace expansion DTOs (Phase 3)
22
27
  OrgInviteStatus,
@@ -74,5 +79,8 @@ export type {
74
79
  StrategySource,
75
80
  StrategyDependency,
76
81
  StrategyTreeNode,
82
+ StrategyDocCore,
83
+ StrategyDocCollaborators,
84
+ StrategyDocRelations,
77
85
  StrategyDoc,
78
86
  } from './strategy';
package/src/org/strategy.ts CHANGED
@@ -32,7 +32,7 @@ export interface StrategyTreeNode {
32
32
  readonly memberCount: number;
33
33
  }
34
34
 
35
- export interface StrategyDoc {
35
+ export interface StrategyDocCore {
36
36
  readonly id: string;
37
37
  readonly slug: string;
38
38
  readonly title: string;
@@ -41,13 +41,21 @@ export interface StrategyDoc {
41
41
  readonly content: string;
42
42
  readonly visibility: StrategyVisibility;
43
43
  readonly parentId: string | null;
44
+ }
45
+
46
+ export interface StrategyDocCollaborators {
44
47
  readonly owner: { readonly id: string; readonly name: string } | null;
45
48
  readonly coOwners: ReadonlyArray<{ readonly id: string; readonly name: string }>;
46
49
  readonly canEdit: boolean;
50
+ readonly members: ReadonlyArray<{ readonly id: string; readonly name: string }>;
51
+ }
52
+
53
+ export interface StrategyDocRelations {
47
54
  readonly inheritsFrom: string | null;
48
55
  readonly sources: readonly StrategySource[];
49
56
  readonly dependencies: readonly StrategyDependency[];
50
- readonly members: ReadonlyArray<{ readonly id: string; readonly name: string }>;
51
57
  readonly createdAt: string;
52
58
  readonly updatedAt: string;
53
59
  }
60
+
61
+ export type StrategyDoc = StrategyDocCore & StrategyDocCollaborators & StrategyDocRelations;
package/src/org/types.ts CHANGED
@@ -110,6 +110,71 @@ export interface AuthMethodConfig {
110
110
  provider?: string;
111
111
  }
112
112
 
113
+ // =============================================================================
114
+ // SSO Self-Service Setup Types (PRD-00193)
115
+ // Admin-only types for SSO configuration, readiness, and enforcement status.
116
+ // These fields are omitted for non-admin requests. The backend populates them
117
+ // only when the requester has org.manage_auth capability.
118
+ // =============================================================================
119
+
120
+ /**
121
+ * SSO setup information for admin configuration UI.
122
+ * Contains the data an admin needs to configure their IdP.
123
+ *
124
+ * SECURITY INVARIANT: Never return actual client ID or client secret values.
125
+ * Only boolean indicators (hasClientId, hasClientSecret) are safe to expose.
126
+ */
127
+ export interface SsoSetupInfo {
128
+ /** The callback URL the admin must configure in their IdP. */
129
+ redirectUri: string;
130
+ /** Required OIDC scopes. Always ['openid', 'email', 'profile']. */
131
+ requiredScopes: string[];
132
+ /** Whether both discovery URL and client ID are configured. */
133
+ isOidcConfigured: boolean;
134
+ /** The configured OIDC discovery URL (not a secret, safe to return). Null if not set. */
135
+ oidcDiscoveryUrl: string | null;
136
+ /** Whether a client ID is configured. NEVER return the actual value. */
137
+ hasClientId: boolean;
138
+ /** Whether an encrypted client secret is stored. NEVER return the actual value. */
139
+ hasClientSecret: boolean;
140
+ }
141
+
142
+ /**
143
+ * Individual readiness check for SSO activation.
144
+ */
145
+ export interface SsoReadinessCheck {
146
+ /** Machine-readable check code (e.g., 'VERIFIED_DOMAIN', 'SSO_PROVIDER'). */
147
+ code: string;
148
+ /** Human-readable check label. */
149
+ label: string;
150
+ /** Whether this check passes. */
151
+ passed: boolean;
152
+ /** Descriptive message. */
153
+ message: string;
154
+ }
155
+
156
+ /**
157
+ * SSO readiness assessment aggregating individual checks.
158
+ */
159
+ export interface SsoReadiness {
160
+ /** Whether all checks pass. */
161
+ ready: boolean;
162
+ /** Individual check results. */
163
+ checks: SsoReadinessCheck[];
164
+ }
165
+
166
+ /**
167
+ * SSO enforcement status for the workspace.
168
+ */
169
+ export interface SsoEnforcementStatus {
170
+ /** Whether SSO is currently enforced. */
171
+ enforced: boolean;
172
+ /** Domains subject to enforcement (derived from verified domains). */
173
+ enforcedDomains: string[];
174
+ /** ISO 8601 timestamp when enforcement was enabled. Null if not enforced. */
175
+ enforcedSince: string | null;
176
+ }
177
+
113
178
  /**
114
179
  * Workspace authentication configuration.
115
180
  * Enabled auth methods and provider metadata.
@@ -132,6 +197,21 @@ export interface WorkspaceAuthConfig {
132
197
  /** List of allowed authentication providers */
133
198
  allowedProviders: string[];
134
199
  };
200
+ /**
201
+ * SSO setup information. Admin-only — omitted for non-admin requests.
202
+ * Populated when requester has org.manage_auth capability.
203
+ */
204
+ ssoSetup?: SsoSetupInfo;
205
+ /**
206
+ * SSO readiness assessment. Admin-only — omitted for non-admin requests.
207
+ * Populated when requester has org.manage_auth capability.
208
+ */
209
+ ssoReadiness?: SsoReadiness;
210
+ /**
211
+ * SSO enforcement status. Admin-only — omitted for non-admin requests.
212
+ * Populated when requester has org.manage_auth capability.
213
+ */
214
+ ssoEnforcement?: SsoEnforcementStatus;
135
215
  }
136
216
 
137
217
  /**
@@ -226,10 +306,26 @@ export interface OrgAuthPolicy {
226
306
 
227
307
  /**
228
308
  * Request payload for updating organization auth policy.
309
+ *
310
+ * Field semantics for OIDC credential fields:
311
+ * - undefined = do not change the existing value
312
+ * - null = clear the existing value
313
+ * - string = set to this value
229
314
  */
230
315
  export interface UpdateAuthPolicyRequest {
231
316
  requireSSO?: boolean;
232
317
  allowedProviders?: string[];
318
+ /** OIDC discovery endpoint URL (e.g. https://accounts.google.com/.well-known/openid-configuration). */
319
+ oidcDiscoveryUrl?: string | null;
320
+ /** OAuth 2.0 Client ID from the identity provider. */
321
+ oidcClientId?: string | null;
322
+ /**
323
+ * OAuth 2.0 Client Secret from the identity provider.
324
+ *
325
+ * WRITE-ONLY: Accepted as plaintext on the wire; the backend encrypts
326
+ * before storage. MUST NEVER appear in any read response or projection.
327
+ */
328
+ oidcClientSecret?: string | null;
233
329
  }
234
330
 
235
331
  // =============================================================================