@company-semantics/contracts 2.18.0 → 4.0.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@company-semantics/contracts",
-  "version": "2.18.0",
+  "version": "4.0.0",
   "private": false,
   "repository": {
     "type": "git",

package/src/api/generated-spec-hash.ts

@@ -1,3 +1,3 @@
 // AUTO-GENERATED — do not edit. Run pnpm generate:spec-hash to regenerate.
-export const SPEC_HASH = '3d5da96bdeb1' as const;
-export const SPEC_HASH_FULL = '3d5da96bdeb12a1223f19d67956bfa0a481abc37813c181c0897a10c7e8f9b80' as const;
+export const SPEC_HASH = '30c4d8eb9dce' as const;
+export const SPEC_HASH_FULL = '30c4d8eb9dcefed99d44a531c27a9e5a25eb4842c578e8933f64678a13816d07' as const;

package/src/api/generated.ts

@@ -3590,10 +3590,6 @@ export interface components {
                 id: string;
                 name: string;
             } | null;
-            coOwners: {
-                id: string;
-                name: string;
-            }[];
             canEdit: boolean;
             inheritsFrom: string | null;
             sources: {

package/src/content/schemas.ts

@@ -66,7 +66,6 @@ export const CompanyMdDocResponseSchema = z.object({
   parentId: z.string().nullable(),
   owningUnitId: z.string().nullable(),
   owner: CompanyMdPersonSchema.nullable(),
-  coOwners: z.array(CompanyMdPersonSchema),
   canEdit: z.boolean(),
   inheritsFrom: z.string().nullable(),
   sources: z.array(CompanyMdSourceSchema),

package/src/generated/openapi-routes.ts

@@ -50,6 +50,7 @@ export const openApiRoutes = {
   '/api/internal-admin/impersonate/session': ['GET'],
   '/api/internal-admin/impersonate/start': ['POST'],
   '/api/me': ['GET'],
+  '/api/me/access-list': ['GET'],
   '/api/me/meetings/recordings/start': ['POST'],
   '/api/me/meetings/recordings/{id}': ['DELETE'],
   '/api/me/meetings/recordings/{id}/complete': ['POST'],
@@ -75,6 +76,7 @@ export const openApiRoutes = {
   '/api/org-units/{unitId}/memberships': ['GET', 'POST'],
   '/api/org-units/{unitId}/memberships/{userId}': ['DELETE'],
   '/api/org-units/{unitId}/memberships/{userId}/role': ['PUT'],
+  '/api/org-units/{unitId}/my-authority': ['GET'],
   '/api/org-units/{unitId}/owners': ['GET'],
   '/api/org-units/{unitId}/permissions': ['GET'],
   '/api/org-units/{unitId}/relationships': ['GET', 'POST'],
@@ -143,8 +145,10 @@ export const openApiRoutes = {
   '/api/{entityType}/{id}/acl': ['GET'],
   '/api/{entityType}/{id}/acl/{principalType}/{principalId}': ['DELETE', 'PUT'],
   '/api/{entityType}/{id}/effective-access': ['POST'],
+  '/api/{entityType}/{id}/recent-decisions': ['GET'],
   '/api/{entityType}/{id}/transfer-ownership': ['POST'],
   '/api/{entityType}/{id}/visibility': ['PATCH'],
+  '/api/{entityType}/{id}/who-can-access': ['GET'],
   '/auth/logout': ['POST'],
   '/auth/me': ['GET'],
   '/auth/sso/callback': ['GET', 'POST'],

package/src/index.ts

@@ -263,7 +263,6 @@ export type {
   OwnershipTransferStatus,
   // Workspace visibility DTOs (Phase 2)
   // @see ADR-CONT-030 for design rationale
-  WorkspaceRole,
   WorkspaceOverview,
   WorkspaceMember,
   AuthMethodConfig,
@@ -342,7 +341,7 @@ export type {
   PermissionAuditEntry,
 } from './org/index'
 
-export { ROLE_DISPLAY_MAP, VIEW_SCOPE_MAP, getViewScope, TRANSFER_RESPONSIBILITIES, IDENTITY_TRUST_LEVEL_LABELS } from './org/index'
+export { VIEW_SCOPE_MAP, getViewScope, TRANSFER_RESPONSIBILITIES, IDENTITY_TRUST_LEVEL_LABELS } from './org/index'
 
 // View authorization types (Phase 5 - ADR-APP-013)
 export type { AuthorizableView } from './org/index'

package/src/org/company-md.ts

@@ -123,10 +123,6 @@ export interface CompanyMdDocCore extends CompanyMdNodeIdentity {
 
 export interface CompanyMdDocCollaborators {
   readonly owner: { readonly id: string; readonly name: string } | null;
-  readonly coOwners: ReadonlyArray<{
-    readonly id: string;
-    readonly name: string;
-  }>;
   readonly canEdit: boolean;
   readonly members: ReadonlyArray<{
     readonly id: string;

package/src/org/index.ts

@@ -12,7 +12,6 @@ export type {
   OwnershipTransferRequest,
   OwnershipTransferStatus,
   // Workspace visibility DTOs (Phase 2)
-  WorkspaceRole,
   WorkspaceOverview,
   WorkspaceMember,
   WorkspaceMemberUnitSummary,
@@ -71,7 +70,7 @@ export type {
   TransferMemberEligibility,
 } from './types';
 
-export { ROLE_DISPLAY_MAP, TRANSFER_RESPONSIBILITIES, IDENTITY_TRUST_LEVEL_LABELS } from './types';
+export { TRANSFER_RESPONSIBILITIES, IDENTITY_TRUST_LEVEL_LABELS } from './types';
 
 // Domain types (Phase 4)
 export type {
@@ -209,7 +208,6 @@ export type {
   OrgUnitVisibility,
   OrgUnitRelationshipType,
   OrgUnitRelationshipRole,
-  OrgUnitMembershipRole,
   OrgUnitMembershipStatus,
   OrgUnitMembershipSource,
   OrgUnitErrorCode,
@@ -222,7 +220,7 @@ export {
   OrgUnitVisibilitySchema,
   OrgUnitRelationshipTypeSchema,
   OrgUnitRelationshipRoleSchema,
-  OrgUnitMembershipRoleSchema,
+  UnitMembershipRoleSchema,
   OrgUnitMembershipStatusSchema,
   OrgUnitMembershipSourceSchema,
   OrgUnitErrorCodeSchema,
@@ -248,6 +246,7 @@ export {
   UpdateOrgUnitResponseSchema,
 } from './schemas';
 export type {
+  UnitMembershipRole,
   OrgUnit,
   OrgUnitTreeNode,
   OrgUnitMembership,

package/src/org/org-units.ts

@@ -36,9 +36,6 @@ export type OrgUnitRelationshipType = 'collaborates_with' | 'reports_to' | 'depe
 /** Edge role — refines the collaboration nature on a graph edge. */
 export type OrgUnitRelationshipRole = 'owner' | 'participant' | 'supporting';
 
-/** Per-unit user role. Privilege order: owner > manager > member. */
-export type OrgUnitMembershipRole = 'member' | 'manager' | 'owner';
-
 /** Active/pending/removed lifecycle for a unit membership. */
 export type OrgUnitMembershipStatus = 'active' | 'pending' | 'removed';
 

package/src/org/schemas.ts

@@ -12,6 +12,7 @@
  */
 import { z } from 'zod';
 import { CursorPageSchema } from '../api/primitives';
+import { OrgChartRoleSchema } from '../permissions/orgchart-roles';
 
 // ---------------------------------------------------------------------------
 // Sub-schemas
@@ -29,7 +30,7 @@ const WorkspaceMemberSchema = z.object({
   name: z.string(),
   email: z.string(),
   jobTitle: z.string().nullable(),
-  role: z.enum(['owner', 'admin', 'member', 'auditor']),
+  role: OrgChartRoleSchema.nullable(),
   roleNames: z.array(z.string()),
   joinedAt: z.string(),
   lastActiveAt: z.string().nullable(),
@@ -357,7 +358,7 @@ const UserOrgMembershipSchema = z.object({
   orgId: z.string(),
   orgName: z.string(),
   orgSlug: z.string(),
-  role: z.enum(['owner', 'admin', 'member', 'auditor']),
+  role: OrgChartRoleSchema.nullable(),
   joinedAt: z.string(),
   isActive: z.boolean(),
   orgType: z.enum(['personal', 'shared']),
@@ -419,7 +420,7 @@ const OrgInviteSchema = z.object({
   id: z.string(),
   orgId: z.string(),
   email: z.string(),
-  role: z.enum(['owner', 'admin', 'member', 'auditor']),
+  role: z.enum(['admin', 'member']),
   invitedBy: z.object({ id: z.string(), name: z.string() }),
   status: z.enum(['pending', 'accepted', 'expired', 'revoked']),
   createdAt: z.string(),
@@ -676,7 +677,12 @@ export const OrgUnitRelationshipTypeSchema = z.enum([
 
 export const OrgUnitRelationshipRoleSchema = z.enum(['owner', 'participant', 'supporting']);
 
-export const OrgUnitMembershipRoleSchema = z.enum([
+/**
+ * Positional slot a member holds in the org-unit tree. ORTHOGONAL to the
+ * `OrgChartRole` policy vocabulary (this is an INPUT to authority resolution,
+ * not the derived policy role). Level is encoded in the value (l1…l5).
+ */
+export const UnitMembershipRoleSchema = z.enum([
   'member',
   'l1_unit_owner',
   'l2_unit_owner',
@@ -685,6 +691,8 @@ export const OrgUnitMembershipRoleSchema = z.enum([
   'l5_unit_owner',
 ]);
 
+export type UnitMembershipRole = z.infer<typeof UnitMembershipRoleSchema>;
+
 export const OrgUnitMembershipStatusSchema = z.enum(['active', 'pending', 'removed']);
 
 export const OrgUnitMembershipSourceSchema = z.enum([
@@ -750,7 +758,7 @@ export const OrgUnitMembershipSchema = z.object({
   orgId: z.string().uuid(),
   unitId: z.string().uuid(),
   userId: z.string().uuid(),
-  membershipRole: OrgUnitMembershipRoleSchema,
+  membershipRole: UnitMembershipRoleSchema,
   status: OrgUnitMembershipStatusSchema,
   source: OrgUnitMembershipSourceSchema,
   sourceRef: z.string().nullable(),
@@ -1012,7 +1020,7 @@ export const OrgUnitMembershipListResponseSchema = z.object({
  */
 export const OrgUnitPermissionsEntrySchema = z.object({
   userId: z.string().uuid(),
-  membershipRole: OrgUnitMembershipRoleSchema,
+  membershipRole: UnitMembershipRoleSchema,
   inheritedFromUnitId: z.string().uuid(),
   inheritedFromUnitName: z.string().min(1),
 });

package/src/org/types.ts

@@ -5,6 +5,8 @@
  * @see ADR-BE-XXX (Personal vs Shared Organization Model)
  */
 
+import type { OrgChartRole } from '../permissions/orgchart-roles';
+
 /**
  * Organization type distinguishes personal workspaces from shared organizations.
  * - 'personal': Single-user workspace, owned by creator, claimable
@@ -53,22 +55,6 @@ export interface OwnershipTransferStatus {
 // @see ADR-CONT-030 for design rationale
 // =============================================================================
 
-/**
- * Display role for workspace members.
- * Presentation-layer simplification of the internal RBAC roles.
- */
-export type WorkspaceRole = 'owner' | 'admin' | 'member' | 'auditor';
-
-/**
- * RBAC → UI role mapping (presentation only).
- * Maps internal system roles to user-facing display roles.
- */
-export const ROLE_DISPLAY_MAP = {
-  org_owner: 'owner',
-  org_admin: 'admin',
-  org_auditor: 'auditor',
-  // All other roles → 'member'
-} as const satisfies Partial<Record<string, WorkspaceRole>>;
 
 /**
  * Workspace overview for the control plane UI.
@@ -120,9 +106,12 @@ export interface WorkspaceMember {
   email: string;
   /** Free-text job title (`users.job_title`). Null when unset. */
   jobTitle: string | null;
-  /** Display role — derived collapse of RBAC into {owner,admin,member,auditor}. */
-  role: WorkspaceRole;
-  /** Raw RBAC role names (e.g. 'org_owner', 'org_admin', 'auditor'). Superset of `role`. */
+  /**
+   * Display role — the member's highest org-chart standing, or `null` for a
+   * plain member with no org-chart authority. Render via `orgChartRoleLabel`.
+   */
+  role: OrgChartRole | null;
+  /** Raw RBAC role names (e.g. 'ceo', 'admin', 'delegate'). Superset of `role`. */
   roleNames: string[];
   joinedAt: string;
   /** ISO timestamp of last activity; null if never recorded. */
@@ -424,7 +413,8 @@ export interface OrgInvite {
   id: string;
   orgId: string;
   email: string;
-  role: WorkspaceRole;
+  /** Invite role — invites only grant the restricted {admin, member} domain. */
+  role: 'admin' | 'member';
   invitedBy: {
     id: string;
     name: string;
@@ -555,8 +545,11 @@ export interface UserOrgMembership {
   orgId: string;
   orgName: string;
   orgSlug: string;
-  /** Display role derived from RBAC - presentation only, not for auth decisions. */
-  role: WorkspaceRole;
+  /**
+   * Display role — highest org-chart standing, or `null` for a plain member.
+   * Presentation only, not for auth decisions. Render via `orgChartRoleLabel`.
+   */
+  role: OrgChartRole | null;
   /** ISO8601 timestamp when user joined the organization. */
   joinedAt: string;
   /** Whether this membership is currently active. */

package/src/permissions/orgchart-roles.ts

@@ -11,10 +11,14 @@
  *
  * Consumers: AUTH-006 policy registry (PRD-00674),
  * AUTH-009 org-chart member CRUD UI (PRD-00677),
- * AUTH-011C strict-guard flip (PRD-00681).
+ * AUTH-011C convergence (PRD-00681) — the single role vocabulary after the
+ * legacy workspace display-role and per-unit membership-role enums were removed.
  *
- * The legacy `WorkspaceRole` and `OrgUnitMembershipRole` enums coexist with
- * this enum until AUTH-011C deletes them.
+ * The org-level display badge collapses onto this vocabulary: an actor's
+ * highest org-chart standing, or `null` for a plain member with no authority.
+ * The positional slot (`UnitMembershipRole`, `member | l1_unit_owner | …`)
+ * remains a separate, orthogonal axis — it is an INPUT to authority
+ * resolution, not the derived policy role.
  */
 import { z } from 'zod';
 
@@ -22,3 +26,19 @@ export const ORG_CHART_ROLES = ['ceo', 'leader', 'delegate', 'admin'] as const;
 export type OrgChartRole = (typeof ORG_CHART_ROLES)[number];
 
 export const OrgChartRoleSchema = z.enum(ORG_CHART_ROLES);
+
+/**
+ * Human-readable labels for the org-chart role display badge. `null` (no
+ * org-chart standing) renders as "Member" via {@link orgChartRoleLabel}.
+ */
+export const ORG_CHART_ROLE_LABELS: Record<OrgChartRole, string> = {
+  ceo: 'CEO',
+  leader: 'Leader',
+  delegate: 'Delegate',
+  admin: 'Admin',
+};
+
+/** Display label for a (possibly null) org-chart role; `null` = plain member. */
+export function orgChartRoleLabel(role: OrgChartRole | null): string {
+  return role === null ? 'Member' : ORG_CHART_ROLE_LABELS[role];
+}