@company-semantics/contracts 3.0.0 → 5.0.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@company-semantics/contracts",
-  "version": "3.0.0",
+  "version": "5.0.0",
   "private": false,
   "repository": {
     "type": "git",

package/src/api/generated-spec-hash.ts

@@ -1,3 +1,3 @@
 // AUTO-GENERATED — do not edit. Run pnpm generate:spec-hash to regenerate.
-export const SPEC_HASH = '30c4d8eb9dce' as const;
-export const SPEC_HASH_FULL = '30c4d8eb9dcefed99d44a531c27a9e5a25eb4842c578e8933f64678a13816d07' as const;
+export const SPEC_HASH = 'f8ecf637857f' as const;
+export const SPEC_HASH_FULL = 'f8ecf637857fded90a144d5a76bfa2919d3494bb0b5b78d4131e906ab4a6edf5' as const;

package/src/api/generated.ts

@@ -1859,7 +1859,7 @@ export interface paths {
         };
         get?: never;
         /** Update a manual membership role */
-        put: operations["updateOrgUnitMembershipRole"];
+        put: operations["updateUnitMembershipRole"];
         post?: never;
         delete?: never;
         options?: never;
@@ -3059,8 +3059,7 @@ export interface components {
                 name: string;
                 email: string;
                 jobTitle: string | null;
-                /** @enum {string} */
-                role: "owner" | "admin" | "member" | "auditor";
+                role: ("ceo" | "leader" | "delegate" | "admin") | null;
                 roleNames: string[];
                 joinedAt: string;
                 lastActiveAt: string | null;
@@ -3248,8 +3247,7 @@ export interface components {
             name: string;
             email: string;
             jobTitle: string | null;
-            /** @enum {string} */
-            role: "owner" | "admin" | "member" | "auditor";
+            role: ("ceo" | "leader" | "delegate" | "admin") | null;
             roleNames: string[];
             joinedAt: string;
             lastActiveAt: string | null;
@@ -3305,8 +3303,7 @@ export interface components {
                 orgId: string;
                 orgName: string;
                 orgSlug: string;
-                /** @enum {string} */
-                role: "owner" | "admin" | "member" | "auditor";
+                role: ("ceo" | "leader" | "delegate" | "admin") | null;
                 joinedAt: string;
                 isActive: boolean;
                 /** @enum {string} */
@@ -3341,7 +3338,7 @@ export interface components {
                 orgId: string;
                 email: string;
                 /** @enum {string} */
-                role: "owner" | "admin" | "member" | "auditor";
+                role: "admin" | "member";
                 invitedBy: {
                     id: string;
                     name: string;
@@ -3364,7 +3361,7 @@ export interface components {
             orgId: string;
             email: string;
             /** @enum {string} */
-            role: "owner" | "admin" | "member" | "auditor";
+            role: "admin" | "member";
             invitedBy: {
                 id: string;
                 name: string;
@@ -7641,7 +7638,7 @@ export interface operations {
             };
         };
     };
-    updateOrgUnitMembershipRole: {
+    updateUnitMembershipRole: {
         parameters: {
             query?: never;
             header?: never;

package/src/index.ts

@@ -263,7 +263,6 @@ export type {
   OwnershipTransferStatus,
   // Workspace visibility DTOs (Phase 2)
   // @see ADR-CONT-030 for design rationale
-  WorkspaceRole,
   WorkspaceOverview,
   WorkspaceMember,
   AuthMethodConfig,
@@ -342,7 +341,7 @@ export type {
   PermissionAuditEntry,
 } from './org/index'
 
-export { ROLE_DISPLAY_MAP, VIEW_SCOPE_MAP, getViewScope, TRANSFER_RESPONSIBILITIES, IDENTITY_TRUST_LEVEL_LABELS } from './org/index'
+export { VIEW_SCOPE_MAP, getViewScope, TRANSFER_RESPONSIBILITIES, IDENTITY_TRUST_LEVEL_LABELS } from './org/index'
 
 // View authorization types (Phase 5 - ADR-APP-013)
 export type { AuthorizableView } from './org/index'

package/src/org/index.ts

@@ -12,7 +12,6 @@ export type {
   OwnershipTransferRequest,
   OwnershipTransferStatus,
   // Workspace visibility DTOs (Phase 2)
-  WorkspaceRole,
   WorkspaceOverview,
   WorkspaceMember,
   WorkspaceMemberUnitSummary,
@@ -71,7 +70,7 @@ export type {
   TransferMemberEligibility,
 } from './types';
 
-export { ROLE_DISPLAY_MAP, TRANSFER_RESPONSIBILITIES, IDENTITY_TRUST_LEVEL_LABELS } from './types';
+export { TRANSFER_RESPONSIBILITIES, IDENTITY_TRUST_LEVEL_LABELS } from './types';
 
 // Domain types (Phase 4)
 export type {
@@ -209,7 +208,6 @@ export type {
   OrgUnitVisibility,
   OrgUnitRelationshipType,
   OrgUnitRelationshipRole,
-  OrgUnitMembershipRole,
   OrgUnitMembershipStatus,
   OrgUnitMembershipSource,
   OrgUnitErrorCode,
@@ -222,7 +220,7 @@ export {
   OrgUnitVisibilitySchema,
   OrgUnitRelationshipTypeSchema,
   OrgUnitRelationshipRoleSchema,
-  OrgUnitMembershipRoleSchema,
+  UnitMembershipRoleSchema,
   OrgUnitMembershipStatusSchema,
   OrgUnitMembershipSourceSchema,
   OrgUnitErrorCodeSchema,
@@ -248,6 +246,7 @@ export {
   UpdateOrgUnitResponseSchema,
 } from './schemas';
 export type {
+  UnitMembershipRole,
   OrgUnit,
   OrgUnitTreeNode,
   OrgUnitMembership,

package/src/org/org-units.ts

@@ -36,9 +36,6 @@ export type OrgUnitRelationshipType = 'collaborates_with' | 'reports_to' | 'depe
 /** Edge role — refines the collaboration nature on a graph edge. */
 export type OrgUnitRelationshipRole = 'owner' | 'participant' | 'supporting';
 
-/** Per-unit user role. Privilege order: owner > manager > member. */
-export type OrgUnitMembershipRole = 'member' | 'manager' | 'owner';
-
 /** Active/pending/removed lifecycle for a unit membership. */
 export type OrgUnitMembershipStatus = 'active' | 'pending' | 'removed';
 

package/src/org/schemas.ts

@@ -12,6 +12,7 @@
  */
 import { z } from 'zod';
 import { CursorPageSchema } from '../api/primitives';
+import { OrgChartRoleSchema } from '../permissions/orgchart-roles';
 
 // ---------------------------------------------------------------------------
 // Sub-schemas
@@ -29,7 +30,7 @@ const WorkspaceMemberSchema = z.object({
   name: z.string(),
   email: z.string(),
   jobTitle: z.string().nullable(),
-  role: z.enum(['owner', 'admin', 'member', 'auditor']),
+  role: OrgChartRoleSchema.nullable(),
   roleNames: z.array(z.string()),
   joinedAt: z.string(),
   lastActiveAt: z.string().nullable(),
@@ -357,7 +358,7 @@ const UserOrgMembershipSchema = z.object({
   orgId: z.string(),
   orgName: z.string(),
   orgSlug: z.string(),
-  role: z.enum(['owner', 'admin', 'member', 'auditor']),
+  role: OrgChartRoleSchema.nullable(),
   joinedAt: z.string(),
   isActive: z.boolean(),
   orgType: z.enum(['personal', 'shared']),
@@ -419,7 +420,7 @@ const OrgInviteSchema = z.object({
   id: z.string(),
   orgId: z.string(),
   email: z.string(),
-  role: z.enum(['owner', 'admin', 'member', 'auditor']),
+  role: z.enum(['admin', 'member']),
   invitedBy: z.object({ id: z.string(), name: z.string() }),
   status: z.enum(['pending', 'accepted', 'expired', 'revoked']),
   createdAt: z.string(),
@@ -676,7 +677,12 @@ export const OrgUnitRelationshipTypeSchema = z.enum([
 
 export const OrgUnitRelationshipRoleSchema = z.enum(['owner', 'participant', 'supporting']);
 
-export const OrgUnitMembershipRoleSchema = z.enum([
+/**
+ * Positional slot a member holds in the org-unit tree. ORTHOGONAL to the
+ * `OrgChartRole` policy vocabulary (this is an INPUT to authority resolution,
+ * not the derived policy role). Level is encoded in the value (l1…l5).
+ */
+export const UnitMembershipRoleSchema = z.enum([
   'member',
   'l1_unit_owner',
   'l2_unit_owner',
@@ -685,6 +691,8 @@ export const OrgUnitMembershipRoleSchema = z.enum([
   'l5_unit_owner',
 ]);
 
+export type UnitMembershipRole = z.infer<typeof UnitMembershipRoleSchema>;
+
 export const OrgUnitMembershipStatusSchema = z.enum(['active', 'pending', 'removed']);
 
 export const OrgUnitMembershipSourceSchema = z.enum([
@@ -750,7 +758,7 @@ export const OrgUnitMembershipSchema = z.object({
   orgId: z.string().uuid(),
   unitId: z.string().uuid(),
   userId: z.string().uuid(),
-  membershipRole: OrgUnitMembershipRoleSchema,
+  membershipRole: UnitMembershipRoleSchema,
   status: OrgUnitMembershipStatusSchema,
   source: OrgUnitMembershipSourceSchema,
   sourceRef: z.string().nullable(),
@@ -1012,7 +1020,7 @@ export const OrgUnitMembershipListResponseSchema = z.object({
  */
 export const OrgUnitPermissionsEntrySchema = z.object({
   userId: z.string().uuid(),
-  membershipRole: OrgUnitMembershipRoleSchema,
+  membershipRole: UnitMembershipRoleSchema,
   inheritedFromUnitId: z.string().uuid(),
   inheritedFromUnitName: z.string().min(1),
 });

package/src/org/types.ts

@@ -5,6 +5,8 @@
  * @see ADR-BE-XXX (Personal vs Shared Organization Model)
  */
 
+import type { OrgChartRole } from '../permissions/orgchart-roles';
+
 /**
  * Organization type distinguishes personal workspaces from shared organizations.
  * - 'personal': Single-user workspace, owned by creator, claimable
@@ -53,22 +55,6 @@ export interface OwnershipTransferStatus {
 // @see ADR-CONT-030 for design rationale
 // =============================================================================
 
-/**
- * Display role for workspace members.
- * Presentation-layer simplification of the internal RBAC roles.
- */
-export type WorkspaceRole = 'owner' | 'admin' | 'member' | 'auditor';
-
-/**
- * RBAC → UI role mapping (presentation only).
- * Maps internal system roles to user-facing display roles.
- */
-export const ROLE_DISPLAY_MAP = {
-  org_owner: 'owner',
-  org_admin: 'admin',
-  org_auditor: 'auditor',
-  // All other roles → 'member'
-} as const satisfies Partial<Record<string, WorkspaceRole>>;
 
 /**
  * Workspace overview for the control plane UI.
@@ -120,9 +106,12 @@ export interface WorkspaceMember {
   email: string;
   /** Free-text job title (`users.job_title`). Null when unset. */
   jobTitle: string | null;
-  /** Display role — derived collapse of RBAC into {owner,admin,member,auditor}. */
-  role: WorkspaceRole;
-  /** Raw RBAC role names (e.g. 'org_owner', 'org_admin', 'auditor'). Superset of `role`. */
+  /**
+   * Display role — the member's highest org-chart standing, or `null` for a
+   * plain member with no org-chart authority. Render via `orgChartRoleLabel`.
+   */
+  role: OrgChartRole | null;
+  /** Raw RBAC role names (e.g. 'ceo', 'admin', 'delegate'). Superset of `role`. */
   roleNames: string[];
   joinedAt: string;
   /** ISO timestamp of last activity; null if never recorded. */
@@ -424,7 +413,8 @@ export interface OrgInvite {
   id: string;
   orgId: string;
   email: string;
-  role: WorkspaceRole;
+  /** Invite role — invites only grant the restricted {admin, member} domain. */
+  role: 'admin' | 'member';
   invitedBy: {
     id: string;
     name: string;
@@ -555,8 +545,11 @@ export interface UserOrgMembership {
   orgId: string;
   orgName: string;
   orgSlug: string;
-  /** Display role derived from RBAC - presentation only, not for auth decisions. */
-  role: WorkspaceRole;
+  /**
+   * Display role — highest org-chart standing, or `null` for a plain member.
+   * Presentation only, not for auth decisions. Render via `orgChartRoleLabel`.
+   */
+  role: OrgChartRole | null;
   /** ISO8601 timestamp when user joined the organization. */
   joinedAt: string;
   /** Whether this membership is currently active. */

package/src/permissions/orgchart-roles.ts

@@ -11,10 +11,14 @@
  *
  * Consumers: AUTH-006 policy registry (PRD-00674),
  * AUTH-009 org-chart member CRUD UI (PRD-00677),
- * AUTH-011C strict-guard flip (PRD-00681).
+ * AUTH-011C convergence (PRD-00681) — the single role vocabulary after the
+ * legacy workspace display-role and per-unit membership-role enums were removed.
  *
- * The legacy `WorkspaceRole` and `OrgUnitMembershipRole` enums coexist with
- * this enum until AUTH-011C deletes them.
+ * The org-level display badge collapses onto this vocabulary: an actor's
+ * highest org-chart standing, or `null` for a plain member with no authority.
+ * The positional slot (`UnitMembershipRole`, `member | l1_unit_owner | …`)
+ * remains a separate, orthogonal axis — it is an INPUT to authority
+ * resolution, not the derived policy role.
  */
 import { z } from 'zod';
 
@@ -22,3 +26,19 @@ export const ORG_CHART_ROLES = ['ceo', 'leader', 'delegate', 'admin'] as const;
 export type OrgChartRole = (typeof ORG_CHART_ROLES)[number];
 
 export const OrgChartRoleSchema = z.enum(ORG_CHART_ROLES);
+
+/**
+ * Human-readable labels for the org-chart role display badge. `null` (no
+ * org-chart standing) renders as "Member" via {@link orgChartRoleLabel}.
+ */
+export const ORG_CHART_ROLE_LABELS: Record<OrgChartRole, string> = {
+  ceo: 'CEO',
+  leader: 'Leader',
+  delegate: 'Delegate',
+  admin: 'Admin',
+};
+
+/** Display label for a (possibly null) org-chart role; `null` = plain member. */
+export function orgChartRoleLabel(role: OrgChartRole | null): string {
+  return role === null ? 'Member' : ORG_CHART_ROLE_LABELS[role];
+}