npm - @company-semantics/contracts - Versions diffs - 0.72.0 → 0.73.0 - Mend

@company-semantics/contracts 0.72.0 → 0.73.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@company-semantics/contracts",
-  "version": "0.72.0",
+  "version": "0.73.0",
   "private": false,
   "repository": {
     "type": "git",

package/src/index.ts CHANGED Viewed

@@ -198,6 +198,15 @@ export type {
   SsoReadinessCheck,
   SsoReadiness,
   SsoEnforcementStatus,
+  // SSO stepper types (PRD-00197)
+  ProviderStatus,
+  WorkspaceSsoState,
+  SsoStepperStep,
+  OwnerIdentityInfo,
+  OidcValidationResult,
+  TestSsoInitiation,
+  TestSsoResult,
+  ProviderSuggestion,
   WorkspaceAuditEvent,
   // Workspace expansion DTOs (Phase 3)
   // @see ADR-CONT-031 for design rationale

package/src/org/index.ts CHANGED Viewed

@@ -22,6 +22,15 @@ export type {
   SsoReadinessCheck,
   SsoReadiness,
   SsoEnforcementStatus,
+  // SSO stepper types (PRD-00197)
+  ProviderStatus,
+  WorkspaceSsoState,
+  SsoStepperStep,
+  OwnerIdentityInfo,
+  OidcValidationResult,
+  TestSsoInitiation,
+  TestSsoResult,
+  ProviderSuggestion,
   WorkspaceAuditEvent,
   // Workspace expansion DTOs (Phase 3)
   OrgInviteStatus,

package/src/org/types.ts CHANGED Viewed

@@ -137,6 +137,22 @@ export interface SsoSetupInfo {
   hasClientId: boolean;
   /** Whether an encrypted client secret is stored. NEVER return the actual value. */
   hasClientSecret: boolean;
+  /** Provider-level configuration status (state machine position). */
+  providerStatus: ProviderStatus;
+  /** Backend-authoritative stepper step derivation. Frontend MUST NOT re-derive. */
+  currentStep: SsoStepperStep;
+  /** True when enforce step is completed (ENABLED + requireSso). */
+  stepCompleted: boolean;
+  /** Currently active SSO provider, or null if none configured. */
+  activeProvider: string | null;
+  /** Validation result from OIDC discovery check, if available. */
+  oidcValidation?: OidcValidationResult;
+  /** ISO 8601 timestamp when OIDC credentials were last saved. */
+  credentialsSavedAt?: string;
+  /** ISO 8601 timestamp of last successful SSO test. */
+  lastTestSuccessAt?: string;
+  /** Provider used for last successful SSO test. Must match activeProvider for validity. */
+  lastTestSuccessProvider?: string;
 }
 /**
@@ -175,6 +191,71 @@ export interface SsoEnforcementStatus {
   enforcedSince: string | null;
 }
+// =============================================================================
+// SSO Stepper Types (PRD-00197)
+// Types for the provider state machine, workspace SSO state, stepper step,
+// and supporting types for the SSO stepper redesign.
+// =============================================================================
+/**
+ * Provider-level configuration lifecycle.
+ * NOT_CONFIGURED → CONFIG_SAVED → CONFIG_VALID → TEST_SUCCESS → ENABLED
+ * Any state → NOT_CONFIGURED (on credential removal or provider switch)
+ */
+export type ProviderStatus =
+  | 'NOT_CONFIGURED'
+  | 'CONFIG_SAVED'
+  | 'CONFIG_VALID'
+  | 'TEST_SUCCESS'
+  | 'ENABLED';
+/** Workspace SSO state derived from provider status + policy. */
+export type WorkspaceSsoState = 'SSO_DISABLED' | 'SSO_ENABLED' | 'SSO_ENFORCED';
+/** Backend-authoritative stepper step. Frontend MUST NOT re-derive. */
+export type SsoStepperStep = 'configure' | 'test' | 'enable' | 'enforce';
+/** Owner identity information for the SSO readiness surface. */
+export interface OwnerIdentityInfo {
+  userId: string;
+  name: string;
+  email: string;
+  hasSsoIdentity: boolean;
+  linkedProvider: string | null;
+  lastSsoLoginAt: string | null;
+}
+/** Result of validating an OIDC discovery URL. */
+export interface OidcValidationResult {
+  valid: boolean;
+  issuer?: string;
+  authorizationEndpoint?: string;
+  error?: string;
+  errorCode?: 'UNREACHABLE' | 'INVALID_DOCUMENT' | 'MISSING_FIELDS' | 'SSRF_BLOCKED';
+}
+/** Initiation payload for a test SSO login attempt. */
+export interface TestSsoInitiation {
+  authorizationUrl: string;
+  attemptId: string;
+}
+/** Result of a test SSO login attempt. */
+export interface TestSsoResult {
+  status: 'pending' | 'success' | 'failed' | 'expired';
+  claims?: { sub: string; email?: string; name?: string; issuer: string };
+  identityLinked?: boolean;
+  error?: string;
+  errorCode?: 'IDENTITY_CONFLICT' | 'DOMAIN_MISMATCH' | 'ISSUER_MISMATCH' | 'CALLBACK_ERROR';
+}
+/** MX-based provider suggestion for SSO setup. */
+export interface ProviderSuggestion {
+  suggestedProvider: 'google' | 'microsoft' | null;
+  confidence: 'high' | 'low';
+  reason: string;
+}
 /**
  * Workspace authentication configuration.
  * Enabled auth methods and provider metadata.
@@ -212,6 +293,12 @@ export interface WorkspaceAuthConfig {
    * Populated when requester has org.manage_auth capability.
    */
   ssoEnforcement?: SsoEnforcementStatus;
+  /** Derived workspace SSO state. Admin-only — omitted for non-admin requests. */
+  workspaceSsoState?: WorkspaceSsoState;
+  /** Owner identity linking info for SSO readiness. Admin-only. */
+  ownerIdentities?: OwnerIdentityInfo[];
+  /** MX-based provider suggestion. Admin-only. */
+  providerSuggestion?: ProviderSuggestion;
 }
 /**