npm - @company-semantics/contracts - Versions diffs - 0.70.0 → 0.72.0 - Mend

@company-semantics/contracts 0.70.0 → 0.72.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@company-semantics/contracts",
-  "version": "0.70.0",
+  "version": "0.72.0",
   "private": false,
   "repository": {
     "type": "git",

package/src/index.ts CHANGED Viewed

@@ -193,6 +193,11 @@ export type {
   WorkspaceMember,
   AuthMethodConfig,
   WorkspaceAuthConfig,
+  // SSO self-service setup types (PRD-00193)
+  SsoSetupInfo,
+  SsoReadinessCheck,
+  SsoReadiness,
+  SsoEnforcementStatus,
   WorkspaceAuditEvent,
   // Workspace expansion DTOs (Phase 3)
   // @see ADR-CONT-031 for design rationale

package/src/org/domain.ts CHANGED Viewed

@@ -43,7 +43,7 @@ export interface OrgDomain {
   /** ISO8601 timestamp when claim was created. */
   createdAt: string;
   /** Who verified the domain (present only for verified domains). */
-  verifiedBy?: { id: string; name: string };
+  verifiedBy?: { id: string; name: string; email: string };
 }
 // =============================================================================

package/src/org/index.ts CHANGED Viewed

@@ -17,6 +17,11 @@ export type {
   WorkspaceMember,
   AuthMethodConfig,
   WorkspaceAuthConfig,
+  // SSO self-service setup types (PRD-00193)
+  SsoSetupInfo,
+  SsoReadinessCheck,
+  SsoReadiness,
+  SsoEnforcementStatus,
   WorkspaceAuditEvent,
   // Workspace expansion DTOs (Phase 3)
   OrgInviteStatus,
@@ -74,5 +79,8 @@ export type {
   StrategySource,
   StrategyDependency,
   StrategyTreeNode,
+  StrategyDocCore,
+  StrategyDocCollaborators,
+  StrategyDocRelations,
   StrategyDoc,
 } from './strategy';

package/src/org/strategy.ts CHANGED Viewed

@@ -32,7 +32,7 @@ export interface StrategyTreeNode {
   readonly memberCount: number;
 }
-export interface StrategyDoc {
+export interface StrategyDocCore {
   readonly id: string;
   readonly slug: string;
   readonly title: string;
@@ -41,13 +41,21 @@ export interface StrategyDoc {
   readonly content: string;
   readonly visibility: StrategyVisibility;
   readonly parentId: string | null;
+}
+export interface StrategyDocCollaborators {
   readonly owner: { readonly id: string; readonly name: string } | null;
   readonly coOwners: ReadonlyArray<{ readonly id: string; readonly name: string }>;
   readonly canEdit: boolean;
+  readonly members: ReadonlyArray<{ readonly id: string; readonly name: string }>;
+}
+export interface StrategyDocRelations {
   readonly inheritsFrom: string | null;
   readonly sources: readonly StrategySource[];
   readonly dependencies: readonly StrategyDependency[];
-  readonly members: ReadonlyArray<{ readonly id: string; readonly name: string }>;
   readonly createdAt: string;
   readonly updatedAt: string;
 }
+export type StrategyDoc = StrategyDocCore & StrategyDocCollaborators & StrategyDocRelations;

package/src/org/types.ts CHANGED Viewed

@@ -110,6 +110,71 @@ export interface AuthMethodConfig {
   provider?: string;
 }
+// =============================================================================
+// SSO Self-Service Setup Types (PRD-00193)
+// Admin-only types for SSO configuration, readiness, and enforcement status.
+// These fields are omitted for non-admin requests. The backend populates them
+// only when the requester has org.manage_auth capability.
+// =============================================================================
+/**
+ * SSO setup information for admin configuration UI.
+ * Contains the data an admin needs to configure their IdP.
+ *
+ * SECURITY INVARIANT: Never return actual client ID or client secret values.
+ * Only boolean indicators (hasClientId, hasClientSecret) are safe to expose.
+ */
+export interface SsoSetupInfo {
+  /** The callback URL the admin must configure in their IdP. */
+  redirectUri: string;
+  /** Required OIDC scopes. Always ['openid', 'email', 'profile']. */
+  requiredScopes: string[];
+  /** Whether both discovery URL and client ID are configured. */
+  isOidcConfigured: boolean;
+  /** The configured OIDC discovery URL (not a secret, safe to return). Null if not set. */
+  oidcDiscoveryUrl: string | null;
+  /** Whether a client ID is configured. NEVER return the actual value. */
+  hasClientId: boolean;
+  /** Whether an encrypted client secret is stored. NEVER return the actual value. */
+  hasClientSecret: boolean;
+}
+/**
+ * Individual readiness check for SSO activation.
+ */
+export interface SsoReadinessCheck {
+  /** Machine-readable check code (e.g., 'VERIFIED_DOMAIN', 'SSO_PROVIDER'). */
+  code: string;
+  /** Human-readable check label. */
+  label: string;
+  /** Whether this check passes. */
+  passed: boolean;
+  /** Descriptive message. */
+  message: string;
+}
+/**
+ * SSO readiness assessment aggregating individual checks.
+ */
+export interface SsoReadiness {
+  /** Whether all checks pass. */
+  ready: boolean;
+  /** Individual check results. */
+  checks: SsoReadinessCheck[];
+}
+/**
+ * SSO enforcement status for the workspace.
+ */
+export interface SsoEnforcementStatus {
+  /** Whether SSO is currently enforced. */
+  enforced: boolean;
+  /** Domains subject to enforcement (derived from verified domains). */
+  enforcedDomains: string[];
+  /** ISO 8601 timestamp when enforcement was enabled. Null if not enforced. */
+  enforcedSince: string | null;
+}
 /**
  * Workspace authentication configuration.
  * Enabled auth methods and provider metadata.
@@ -132,6 +197,21 @@ export interface WorkspaceAuthConfig {
     /** List of allowed authentication providers */
     allowedProviders: string[];
   };
+  /**
+   * SSO setup information. Admin-only — omitted for non-admin requests.
+   * Populated when requester has org.manage_auth capability.
+   */
+  ssoSetup?: SsoSetupInfo;
+  /**
+   * SSO readiness assessment. Admin-only — omitted for non-admin requests.
+   * Populated when requester has org.manage_auth capability.
+   */
+  ssoReadiness?: SsoReadiness;
+  /**
+   * SSO enforcement status. Admin-only — omitted for non-admin requests.
+   * Populated when requester has org.manage_auth capability.
+   */
+  ssoEnforcement?: SsoEnforcementStatus;
 }
 /**
@@ -226,10 +306,26 @@ export interface OrgAuthPolicy {
 /**
  * Request payload for updating organization auth policy.
+ *
+ * Field semantics for OIDC credential fields:
+ * - undefined = do not change the existing value
+ * - null = clear the existing value
+ * - string = set to this value
  */
 export interface UpdateAuthPolicyRequest {
   requireSSO?: boolean;
   allowedProviders?: string[];
+  /** OIDC discovery endpoint URL (e.g. https://accounts.google.com/.well-known/openid-configuration). */
+  oidcDiscoveryUrl?: string | null;
+  /** OAuth 2.0 Client ID from the identity provider. */
+  oidcClientId?: string | null;
+  /**
+   * OAuth 2.0 Client Secret from the identity provider.
+   *
+   * WRITE-ONLY: Accepted as plaintext on the wire; the backend encrypts
+   * before storage. MUST NEVER appear in any read response or projection.
+   */
+  oidcClientSecret?: string | null;
 }
 // =============================================================================