@company-semantics/contracts 0.85.0 → 0.86.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@company-semantics/contracts",
3
- "version": "0.85.0",
3
+ "version": "0.86.0",
4
4
  "private": false,
5
5
  "repository": {
6
6
  "type": "git",
package/src/index.ts CHANGED
@@ -224,8 +224,6 @@ export type {
224
224
  OrgAuthPolicy,
225
225
  UpdateAuthPolicyRequest,
226
226
  Phase3AuditAction,
227
- // Workspace capability types (Phase 3)
228
- WorkspaceCapability,
229
227
  // Domain and multi-org types (Phase 4)
230
228
  // @see ADR-CONT-032 for design rationale
231
229
  DomainStatus,
@@ -260,7 +258,7 @@ export type {
260
258
  StrategyDoc,
261
259
  } from './org/index'
262
260
 
263
- export { ROLE_DISPLAY_MAP, WORKSPACE_CAPABILITIES, ROLE_CAPABILITY_MAP, VIEW_SCOPE_MAP, getViewScope, TRANSFER_RESPONSIBILITIES, IDENTITY_TRUST_LEVEL_LABELS } from './org/index'
261
+ export { ROLE_DISPLAY_MAP, VIEW_SCOPE_MAP, getViewScope, TRANSFER_RESPONSIBILITIES, IDENTITY_TRUST_LEVEL_LABELS } from './org/index'
264
262
 
265
263
  // View authorization types (Phase 5 - ADR-APP-013)
266
264
  export type { AuthorizableView } from './org/index'
@@ -276,6 +274,18 @@ export type {
276
274
  ToolDiscoveryResponse,
277
275
  ToolListMessagePart,
278
276
  ToolListDataPart,
277
+ // Tool domain taxonomy (PRD-00265)
278
+ ToolDomain,
279
+ ToolIntegration,
280
+ ToolIntent,
281
+ ToolStability,
282
+ ToolComplexity,
283
+ // Resource flow types (PRD-00265)
284
+ ResourceType,
285
+ // Capability graph stubs (PRD-00265, implementation in PRD-00268)
286
+ CapabilityGraph,
287
+ CapabilityGraphEdge,
288
+ ToolWorkflow,
279
289
  } from './mcp/index'
280
290
 
281
291
  // Message part types and builder functions
package/src/mcp/index.ts CHANGED
@@ -1,3 +1,6 @@
1
+ import type { ResourceType } from './resources'
2
+ export type { ResourceType } from './resources'
3
+
1
4
  /**
2
5
  * MCP Tool Discovery Types
3
6
  *
@@ -18,15 +21,38 @@
18
21
  */
19
22
 
20
23
  /**
21
- * Tool categories for grouping in UI.
22
- * Maps to user mental model, not implementation.
24
+ * @deprecated Use ToolDomain instead. ToolCategory is too coarse —
25
+ * 'data' conflates discovery, ingestion, and coverage.
23
26
  */
24
27
  export type ToolCategory =
25
- | 'system' // System status, health checks
26
- | 'data' // Data access, ingestion, queries
27
- | 'connections' // OAuth, integrations
28
- | 'automation' // Scheduled tasks, triggers
29
- | 'developer' // Debug, internal tools
28
+ | 'system'
29
+ | 'data'
30
+ | 'connections'
31
+ | 'automation'
32
+ | 'developer'
33
+
34
+ /**
35
+ * Tool domain taxonomy.
36
+ *
37
+ * Each value maps to a distinct domain boundary in the system architecture.
38
+ * Replaces ToolCategory which was too coarse for resource flow reasoning.
39
+ *
40
+ * - organization: Org settings, membership, billing queries
41
+ * - identity: User profile, auth state, preferences
42
+ * - integrations: OAuth connections, provider management
43
+ * - ingestion: Data import, sync jobs, source configuration
44
+ * - discovery: Search, exploration, content queries
45
+ * - knowledge: Fingerprints, embeddings, knowledge graph
46
+ * - system: Health, status, runtime diagnostics
47
+ */
48
+ export type ToolDomain =
49
+ | 'organization'
50
+ | 'identity'
51
+ | 'integrations'
52
+ | 'ingestion'
53
+ | 'discovery'
54
+ | 'knowledge'
55
+ | 'system'
30
56
 
31
57
  /**
32
58
  * Tool visibility levels.
@@ -53,6 +79,51 @@ export type ToolInvocationMode = 'manual' | 'assistant' | 'hybrid'
53
79
  */
54
80
  export type ToolEffectClass = 'pure' | 'effectful'
55
81
 
82
+ /**
83
+ * Tool intent classification.
84
+ *
85
+ * Classifies what the tool does to the system:
86
+ * - read: Pure data retrieval (no side effects)
87
+ * - mutate: State change (creates, updates, deletes)
88
+ * - analysis: Computation over data without mutation (aggregation, scoring)
89
+ *
90
+ * Note: 'control' was removed — system-level operations (health, status,
91
+ * runtime) use 'read' intent in the 'system' domain. Control is a domain
92
+ * classification, not an intent.
93
+ *
94
+ * INVARIANT: intent 'mutate' + risk 'high' → requiresConfirmation must be true.
95
+ * Enforced in backend tool registration, typed here for documentation.
96
+ */
97
+ export type ToolIntent = 'read' | 'mutate' | 'analysis'
98
+
99
+ /**
100
+ * Tool lifecycle stability classification.
101
+ *
102
+ * - experimental: May change or be removed without notice
103
+ * - stable: Production-ready with backward compatibility guarantees
104
+ * - deprecated: Scheduled for removal, consumers should migrate
105
+ */
106
+ export type ToolStability = 'experimental' | 'stable' | 'deprecated'
107
+
108
+ /**
109
+ * Tool computational complexity classification.
110
+ *
111
+ * Classifies the cost and latency profile of a tool invocation:
112
+ * - trivial: Sub-100ms, in-memory or single DB lookup
113
+ * - moderate: 100ms-5s, may involve external API calls
114
+ * - heavy: 5s+, batch processing, large data transfers, long-running ops
115
+ */
116
+ export type ToolComplexity = 'trivial' | 'moderate' | 'heavy'
117
+
118
+ /**
119
+ * Integration provider tag for tools.
120
+ *
121
+ * Known values correspond to registered OAuth providers.
122
+ * Extensible via (string & {}) — new integrations do not require
123
+ * a contracts release, but known values get autocomplete.
124
+ */
125
+ export type ToolIntegration = 'slack' | 'google' | 'zoom' | (string & {})
126
+
56
127
  /**
57
128
  * Complete tool descriptor for discovery and invocation.
58
129
  *
@@ -85,6 +156,101 @@ export interface MCPToolDescriptor {
85
156
  invocationMode: ToolInvocationMode
86
157
  /** Who can see this tool */
87
158
  visibility: ToolVisibility
159
+
160
+ // --- New fields (PRD-00265) ---
161
+
162
+ /** Domain taxonomy classification. Replaces category for routing and grouping. */
163
+ domain: ToolDomain
164
+ /**
165
+ * Integration providers this tool interacts with.
166
+ * Empty or omitted for tools that don't touch external integrations.
167
+ */
168
+ integrations?: ToolIntegration[]
169
+ /**
170
+ * User-impact risk classification.
171
+ * - none: Read-only, no side effects
172
+ * - low: Reversible mutation (can be undone)
173
+ * - moderate: User-visible side effect (notification sent, state changed)
174
+ * - high: Destructive or irreversible (data deletion, external action)
175
+ *
176
+ * INVARIANT: intent 'mutate' + risk 'high' → requiresConfirmation must be true.
177
+ */
178
+ risk: 'none' | 'low' | 'moderate' | 'high'
179
+ /** What the tool does to the system (read, mutate, analysis). */
180
+ intent: ToolIntent
181
+ /** Lifecycle stability classification. */
182
+ stability: ToolStability
183
+ /** Computational complexity and latency profile. */
184
+ complexity: ToolComplexity
185
+ /**
186
+ * Input schema version number.
187
+ * Disambiguates input schema versioning from tool behavior versioning.
188
+ * Increment when the tool's input schema changes shape.
189
+ */
190
+ schemaVersion: number
191
+ /**
192
+ * Authorization scopes required to invoke this tool.
193
+ * References scope strings from trust/scopes.ts.
194
+ * Omit for tools with no specific scope requirements.
195
+ */
196
+ scopes?: string[]
197
+ /**
198
+ * Resource types this tool produces (creates or outputs).
199
+ * Used for capability graph derivation — enables workflow ordering
200
+ * via resource flow instead of explicit `requires` fields.
201
+ */
202
+ produces?: ResourceType[]
203
+ /**
204
+ * Resource types this tool consumes (requires as input).
205
+ * Used for capability graph derivation — a tool that consumes
206
+ * 'integration.connection' can only run after a tool that produces it.
207
+ */
208
+ consumes?: ResourceType[]
209
+ }
210
+
211
+ /**
212
+ * Edge in the capability graph connecting two tools via a resource.
213
+ * A tool that produces a resource connects to tools that consume it.
214
+ *
215
+ * @stub Implementation in PRD-00268 (buildCapabilityGraph)
216
+ */
217
+ export interface CapabilityGraphEdge {
218
+ /** Tool ID that produces the resource */
219
+ from: string
220
+ /** Tool ID that consumes the resource */
221
+ to: string
222
+ /** Resource type flowing between tools */
223
+ resource: ResourceType
224
+ /** Resource domain (extracted from resource namespace prefix, e.g., 'slack' from 'slack.channel') */
225
+ domain?: string
226
+ }
227
+
228
+ /**
229
+ * Named workflow derived from capability graph paths.
230
+ * Represents a common multi-tool sequence (e.g., "Connect Slack → Ingest → Query").
231
+ *
232
+ * @stub Implementation in PRD-00268 (buildCapabilityGraph)
233
+ */
234
+ export interface ToolWorkflow {
235
+ /** Workflow name (e.g., "Slack Onboarding") */
236
+ name: string
237
+ /** Human-readable description of the workflow */
238
+ description: string
239
+ /** Ordered list of tool IDs in this workflow */
240
+ steps: string[]
241
+ }
242
+
243
+ /**
244
+ * Capability graph derived from tool resource flow metadata.
245
+ * Built from produces/consumes fields on MCPToolDescriptor.
246
+ *
247
+ * @stub Type definition only. buildCapabilityGraph() ships in PRD-00268.
248
+ */
249
+ export interface CapabilityGraph {
250
+ /** Resource flow edges between tools */
251
+ edges: CapabilityGraphEdge[]
252
+ /** Named workflows derived from graph paths */
253
+ workflows: ToolWorkflow[]
88
254
  }
89
255
 
90
256
  /**
@@ -97,6 +263,13 @@ export interface MCPToolDescriptor {
97
263
  export interface ToolDiscoveryResponse {
98
264
  /** Tools available to the current user */
99
265
  tools: MCPToolDescriptor[]
266
+ /**
267
+ * Capability graph derived from tool resource flow metadata.
268
+ * Optional — discovery responses may or may not include the computed graph.
269
+ *
270
+ * @stub Graph computation ships in PRD-00268 (buildCapabilityGraph).
271
+ */
272
+ graph?: CapabilityGraph
100
273
  }
101
274
 
102
275
  /**
@@ -0,0 +1,21 @@
1
+ /**
2
+ * Resource type vocabulary for MCP tool resource flow.
3
+ *
4
+ * Uses dot-separated namespacing consistent with trust/scopes.ts conventions.
5
+ * Each value represents a typed resource that tools produce or consume,
6
+ * enabling capability graph derivation from resource flow metadata.
7
+ *
8
+ * This is a CLOSED union — new resource types represent architectural
9
+ * additions that require a contracts release and downstream consumer updates.
10
+ * Unlike ToolIntegration, resource types are not extensible via (string & {}).
11
+ */
12
+ export type ResourceType =
13
+ | 'integration.connection'
14
+ | 'slack.channel'
15
+ | 'slack.channel_scope'
16
+ | 'slack.coverage'
17
+ | 'ingestion.job'
18
+ | 'knowledge.fingerprint'
19
+ | 'org.status'
20
+ | 'system.status'
21
+ | 'system.runtime'
package/src/org/index.ts CHANGED
@@ -68,10 +68,6 @@ export type {
68
68
 
69
69
  export { ROLE_DISPLAY_MAP, TRANSFER_RESPONSIBILITIES, IDENTITY_TRUST_LEVEL_LABELS } from './types';
70
70
 
71
- // Workspace capability types (Phase 3)
72
- export type { WorkspaceCapability } from './capabilities';
73
- export { WORKSPACE_CAPABILITIES, ROLE_CAPABILITY_MAP } from './capabilities';
74
-
75
71
  // Domain types (Phase 4)
76
72
  export type {
77
73
  DomainStatus,
@@ -1,84 +0,0 @@
1
- /**
2
- * Workspace Capability Types
3
- *
4
- * Capability constants for Phase 3 workspace expansion features.
5
- * These define the permission boundaries for workspace actions.
6
- *
7
- * INVARIANTS:
8
- * - Capabilities are checked server-side before any mutation
9
- * - UI uses capabilities to gate action visibility
10
- * - Capabilities map to RBAC roles (see RoleCapabilityMap)
11
- *
12
- * @see ADR-CONT-031 for design rationale
13
- */
14
-
15
- // =============================================================================
16
- // Workspace Capability Type
17
- // =============================================================================
18
-
19
- /**
20
- * Capabilities for workspace actions.
21
- * Used for capability-based access control in Phase 3 features.
22
- *
23
- * Capability hierarchy (implicit):
24
- * - owner: all capabilities
25
- * - admin: invite_member, manage_members (limited), manage_auth, demote_integration (own only)
26
- * - member: none (read-only)
27
- */
28
- export type WorkspaceCapability =
29
- // Member management
30
- | 'org.invite_member'
31
- | 'org.manage_members'
32
- // Integration management
33
- | 'org.promote_integration'
34
- | 'org.demote_integration'
35
- // Auth policy
36
- | 'org.manage_auth'
37
- // Domain claiming (future)
38
- | 'org.claim_domain';
39
-
40
- /**
41
- * All workspace capabilities.
42
- * Use for iteration and validation.
43
- */
44
- export const WORKSPACE_CAPABILITIES: readonly WorkspaceCapability[] = [
45
- 'org.invite_member',
46
- 'org.manage_members',
47
- 'org.promote_integration',
48
- 'org.demote_integration',
49
- 'org.manage_auth',
50
- 'org.claim_domain',
51
- ] as const;
52
-
53
- // =============================================================================
54
- // Role → Capability Mapping
55
- // =============================================================================
56
-
57
- /**
58
- * Capabilities granted to each workspace role.
59
- *
60
- * INVARIANTS:
61
- * - Owner has all capabilities (cannot be restricted)
62
- * - Admin cannot demote other admins (enforce in service layer)
63
- * - Member has no mutation capabilities
64
- *
65
- * @see Phase 3 Invariant #4: Admin floor
66
- * @see Phase 3 Invariant #5: Admin ≠ owner
67
- */
68
- export const ROLE_CAPABILITY_MAP = {
69
- owner: [
70
- 'org.invite_member',
71
- 'org.manage_members',
72
- 'org.promote_integration',
73
- 'org.demote_integration',
74
- 'org.manage_auth',
75
- 'org.claim_domain',
76
- ],
77
- admin: [
78
- 'org.invite_member',
79
- 'org.manage_members', // Note: cannot remove/demote other admins
80
- 'org.manage_auth',
81
- 'org.demote_integration', // Can demote own integrations only
82
- ],
83
- member: [],
84
- } as const satisfies Record<string, readonly WorkspaceCapability[]>;