@company-semantics/contracts 2.14.0 → 2.15.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@company-semantics/contracts",
-  "version": "2.14.0",
+  "version": "2.15.0",
   "private": false,
   "repository": {
     "type": "git",

package/src/api/generated-spec-hash.ts

@@ -1,3 +1,3 @@
 // AUTO-GENERATED — do not edit. Run pnpm generate:spec-hash to regenerate.
-export const SPEC_HASH = '9fa707d8d31a' as const;
-export const SPEC_HASH_FULL = '9fa707d8d31a71977fcbf5fdd957f31cd810e226f07e6679d9dec17ddfb91915' as const;
+export const SPEC_HASH = '7e7e7989604b' as const;
+export const SPEC_HASH_FULL = '7e7e7989604b04f9af766c8ebcfe875445c12cec0fa4c4a071680454b635ea2c' as const;

package/src/api/generated.ts

@@ -2415,6 +2415,58 @@ export interface paths {
         patch?: never;
         trace?: never;
     };
+    "/api/me/meetings/recordings/{id}/sharing": {
+        parameters: {
+            query?: never;
+            header?: never;
+            path?: never;
+            cookie?: never;
+        };
+        /** Get a recording sharing state: visibility, ACL grants, caller access */
+        get: operations["getMeetingRecordingSharing"];
+        put?: never;
+        post?: never;
+        delete?: never;
+        options?: never;
+        head?: never;
+        patch?: never;
+        trace?: never;
+    };
+    "/api/me/meetings/recordings/{id}/sharing/acl": {
+        parameters: {
+            query?: never;
+            header?: never;
+            path?: never;
+            cookie?: never;
+        };
+        get?: never;
+        put?: never;
+        /** Grant a principal access to a recording */
+        post: operations["addMeetingRecordingAclEntry"];
+        delete?: never;
+        options?: never;
+        head?: never;
+        patch?: never;
+        trace?: never;
+    };
+    "/api/me/meetings/recordings/{id}/sharing/acl/{grantId}": {
+        parameters: {
+            query?: never;
+            header?: never;
+            path?: never;
+            cookie?: never;
+        };
+        get?: never;
+        /** Change an existing ACL grant access level */
+        put: operations["updateMeetingRecordingAclEntry"];
+        post?: never;
+        /** Revoke an ACL grant on a recording */
+        delete: operations["deleteMeetingRecordingAclEntry"];
+        options?: never;
+        head?: never;
+        patch?: never;
+        trace?: never;
+    };
     "/api/internal-admin/impersonate/start": {
         parameters: {
             query?: never;
@@ -4302,6 +4354,53 @@ export interface components {
              */
             visibility: "meeting_only" | "shared" | "org" | "finalized_private";
         };
+        /** @description A meeting recording's visibility, ACL grants, and the caller's effective access. */
+        MeetingRecordingSharingState: {
+            /** @description ULID; unified trace key for the recording (INV-MTG-7). */
+            recordingId: string;
+            /**
+             * @description Visibility band for the finalized meeting projection. Default `meeting_only`.
+             * @enum {string}
+             */
+            visibility: "meeting_only" | "shared" | "org" | "finalized_private";
+            acl: {
+                /** Format: uuid */
+                id: string;
+                /** @enum {string} */
+                principalType: "user" | "unit" | "org";
+                /** Format: uuid */
+                principalId: string;
+                /** @enum {string} */
+                accessLevel: "viewer" | "commenter" | "editor";
+                grantedByUserId: string | null;
+                /** Format: date-time */
+                grantedAt: string;
+            }[];
+            effectiveAccess: {
+                /** @enum {string} */
+                level: "owner" | "editor" | "commenter" | "viewer" | "none";
+                source: string;
+            };
+        };
+        /** @description The id of the newly created meeting ACL grant. */
+        AddMeetingRecordingAclResponse: {
+            /** Format: uuid */
+            id: string;
+        };
+        /** @description Grant a principal access to a meeting recording. */
+        AddMeetingRecordingAclRequest: {
+            /** @enum {string} */
+            principalType: "user" | "unit" | "org";
+            /** Format: uuid */
+            principalId: string;
+            /** @enum {string} */
+            accessLevel: "viewer" | "commenter" | "editor";
+        };
+        /** @description Change an existing meeting ACL grant access level. */
+        UpdateMeetingRecordingAclRequest: {
+            /** @enum {string} */
+            accessLevel: "viewer" | "commenter" | "editor";
+        };
         ImpersonationSessionResponse: {
             session: {
                 impersonationSessionId: string;
@@ -8223,6 +8322,128 @@ export interface operations {
             };
         };
     };
+    getMeetingRecordingSharing: {
+        parameters: {
+            query?: never;
+            header?: never;
+            path: {
+                id: string;
+            };
+            cookie?: never;
+        };
+        requestBody?: never;
+        responses: {
+            /** @description Visibility, ACL grants, and the caller effective access */
+            200: {
+                headers: {
+                    [name: string]: unknown;
+                };
+                content: {
+                    "application/json": components["schemas"]["MeetingRecordingSharingState"];
+                };
+            };
+            /** @description Recording not found or not owned by this user */
+            404: {
+                headers: {
+                    [name: string]: unknown;
+                };
+                content?: never;
+            };
+        };
+    };
+    addMeetingRecordingAclEntry: {
+        parameters: {
+            query?: never;
+            header?: never;
+            path: {
+                id: string;
+            };
+            cookie?: never;
+        };
+        requestBody: {
+            content: {
+                "application/json": components["schemas"]["AddMeetingRecordingAclRequest"];
+            };
+        };
+        responses: {
+            /** @description ACL grant created */
+            201: {
+                headers: {
+                    [name: string]: unknown;
+                };
+                content: {
+                    "application/json": components["schemas"]["AddMeetingRecordingAclResponse"];
+                };
+            };
+            /** @description Recording not found or not owned by this user */
+            404: {
+                headers: {
+                    [name: string]: unknown;
+                };
+                content?: never;
+            };
+        };
+    };
+    updateMeetingRecordingAclEntry: {
+        parameters: {
+            query?: never;
+            header?: never;
+            path: {
+                id: string;
+                grantId: string;
+            };
+            cookie?: never;
+        };
+        requestBody: {
+            content: {
+                "application/json": components["schemas"]["UpdateMeetingRecordingAclRequest"];
+            };
+        };
+        responses: {
+            /** @description ACL grant updated */
+            204: {
+                headers: {
+                    [name: string]: unknown;
+                };
+                content?: never;
+            };
+            /** @description Recording or grant not found / not owned by this user */
+            404: {
+                headers: {
+                    [name: string]: unknown;
+                };
+                content?: never;
+            };
+        };
+    };
+    deleteMeetingRecordingAclEntry: {
+        parameters: {
+            query?: never;
+            header?: never;
+            path: {
+                id: string;
+                grantId: string;
+            };
+            cookie?: never;
+        };
+        requestBody?: never;
+        responses: {
+            /** @description ACL grant revoked */
+            204: {
+                headers: {
+                    [name: string]: unknown;
+                };
+                content?: never;
+            };
+            /** @description Recording or grant not found / not owned by this user */
+            404: {
+                headers: {
+                    [name: string]: unknown;
+                };
+                content?: never;
+            };
+        };
+    };
     startImpersonation: {
         parameters: {
             query?: never;

package/src/generated/openapi-routes.ts

@@ -57,6 +57,9 @@ export const openApiRoutes = {
   '/api/me/meetings/recordings/{id}/export': ['POST'],
   '/api/me/meetings/recordings/{id}/export/{jobId}': ['GET'],
   '/api/me/meetings/recordings/{id}/restore': ['POST'],
+  '/api/me/meetings/recordings/{id}/sharing': ['GET'],
+  '/api/me/meetings/recordings/{id}/sharing/acl': ['POST'],
+  '/api/me/meetings/recordings/{id}/sharing/acl/{grantId}': ['DELETE', 'PUT'],
   '/api/me/meetings/recordings/{id}/visibility': ['POST'],
   '/api/me/work-items': ['GET'],
   '/api/me/work-items/counts': ['GET'],

package/src/permissions/index.ts

@@ -7,3 +7,4 @@
 export * from './access-levels';
 export * from './orgchart-roles';
 export * from './access-source';
+export * from './share-api';

package/src/permissions/share-api.ts

@@ -0,0 +1,74 @@
+/**
+ * Share API Vocabulary
+ *
+ * Zod schemas for the polymorphic share API introduced in AUTH-007 (PRD-00675).
+ * Backend routes live at `/api/{entityType}/{id}/...`; every request/response
+ * body validates against one of these schemas. OpenAPI YAML is auto-generated
+ * from these definitions.
+ *
+ * Authority: ADR-CTRL-085 (Rights Table), ADR-CTRL-086 (most-permissive
+ * aggregation), ADR-BE-181 (AUTH-006 compose model).
+ */
+import { z } from 'zod';
+import { AccessLevelSchema } from './access-levels';
+import { AccessSourceSchema } from './access-source';
+
+export const PrincipalTypeSchema = z.enum(['user', 'unit', 'org']);
+export type PrincipalType = z.infer<typeof PrincipalTypeSchema>;
+
+export const PrincipalSchema = z.object({
+  type: PrincipalTypeSchema,
+  id: z.string().uuid(),
+});
+export type Principal = z.infer<typeof PrincipalSchema>;
+
+export const GrantableAccessLevelSchema = z.enum(['editor', 'commenter', 'viewer']);
+export type GrantableAccessLevel = z.infer<typeof GrantableAccessLevelSchema>;
+
+export const EntityVisibilitySchema = z.enum(['private', 'unit', 'org']);
+export type EntityVisibility = z.infer<typeof EntityVisibilitySchema>;
+
+export const AclGrantRequestSchema = z.object({
+  access_level: GrantableAccessLevelSchema,
+});
+export type AclGrantRequest = z.infer<typeof AclGrantRequestSchema>;
+
+export const AclGrantResponseSchema = z.object({
+  id: z.string().uuid(),
+  principal: PrincipalSchema,
+  access_level: GrantableAccessLevelSchema,
+  granted_by_user_id: z.string().uuid(),
+  granted_at: z.string().datetime(),
+});
+export type AclGrantResponse = z.infer<typeof AclGrantResponseSchema>;
+
+export const AclListResponseSchema = z.object({
+  entity_type: z.string(),
+  entity_id: z.string().uuid(),
+  owner_user_id: z.string().uuid().nullable(),
+  visibility: EntityVisibilitySchema,
+  editors_can_share: z.boolean(),
+  grants: z.array(AclGrantResponseSchema),
+});
+export type AclListResponse = z.infer<typeof AclListResponseSchema>;
+
+export const VisibilityPatchRequestSchema = z.object({
+  tier: EntityVisibilitySchema,
+});
+export type VisibilityPatchRequest = z.infer<typeof VisibilityPatchRequestSchema>;
+
+export const OwnerTransferRequestSchema = z.object({
+  new_owner_user_id: z.string().uuid(),
+});
+export type OwnerTransferRequest = z.infer<typeof OwnerTransferRequestSchema>;
+
+export const EffectiveAccessRequestSchema = z.object({
+  principal: PrincipalSchema,
+});
+export type EffectiveAccessRequest = z.infer<typeof EffectiveAccessRequestSchema>;
+
+export const EffectiveAccessResponseSchema = z.object({
+  access_level: AccessLevelSchema.nullable(),
+  source_chain: z.array(AccessSourceSchema),
+});
+export type EffectiveAccessResponse = z.infer<typeof EffectiveAccessResponseSchema>;