@company-semantics/contracts 9.1.0 → 9.2.0

package/src/org/sharing.ts

@@ -2,7 +2,7 @@
  * Document access level.
  * Privilege order: editor > commenter > viewer.
  */
-export type AccessLevel = 'viewer' | 'commenter' | 'editor';
+export type AccessLevel = "viewer" | "commenter" | "editor";
 
 /**
  * Document sharing policy.
@@ -11,10 +11,14 @@ export type AccessLevel = 'viewer' | 'commenter' | 'editor';
  * - org_comment: All org members can comment
  * - org_edit: All org members can edit (does NOT imply canShare)
  */
-export type SharePolicy = 'restricted' | 'org_read' | 'org_comment' | 'org_edit';
+export type SharePolicy =
+  | "restricted"
+  | "org_read"
+  | "org_comment"
+  | "org_edit";
 
 export interface AclEntry {
-  readonly principalType: 'user' | 'unit';
+  readonly principalType: "user" | "unit";
   readonly principalId: string;
   readonly principalName: string;
   readonly accessLevel: AccessLevel;
@@ -32,12 +36,12 @@ export interface AclEntry {
  * `org_unit_authority_grants` table and carry an explicit scope set.
  */
 export type AccessSource =
-  | 'org_rbac'
-  | 'sharing_policy'
-  | 'unit_baseline'
-  | 'unit_delegation'
-  | 'acl_grant'
-  | 'doc_ownership';
+  | "org_rbac"
+  | "sharing_policy"
+  | "unit_baseline"
+  | "unit_delegation"
+  | "acl_grant"
+  | "doc_ownership";
 
 export interface AccessReason {
   readonly source: AccessSource;
@@ -55,7 +59,7 @@ export interface AccessReason {
  * - Unit membership grants baseline access ONLY to resources owned by that unit.
  */
 export interface EffectiveAccess {
-  readonly level: 'none' | AccessLevel;
+  readonly level: "none" | AccessLevel;
   readonly reasons: ReadonlyArray<AccessReason>;
   readonly canShare: boolean;
 }
@@ -94,11 +98,11 @@ export interface ShareState {
  * Used by audit views to display a history of permission changes.
  */
 export interface PermissionAuditEntry {
-  readonly action: 'granted' | 'revoked' | 'updated';
-  readonly resourceType: 'goals_doc' | 'unit';
+  readonly action: "granted" | "revoked" | "updated";
+  readonly resourceType: "goals_doc" | "unit";
   readonly resourceId: string;
   readonly resourceName: string;
-  readonly principalType: 'user' | 'unit';
+  readonly principalType: "user" | "unit";
   readonly principalId: string;
   readonly principalName: string;
   readonly detail: string;

package/src/org/tree-ordering.ts

@@ -33,7 +33,9 @@ export interface TreeOrderableNode {
   orderKey: string;
 }
 
-export function orderTreeNodes<T extends TreeOrderableNode>(nodes: readonly T[]): T[] {
+export function orderTreeNodes<T extends TreeOrderableNode>(
+  nodes: readonly T[],
+): T[] {
   const byParent = new Map<string | null, T[]>();
   for (const node of nodes) {
     const bucket = byParent.get(node.parentId) ?? [];

package/src/org/types.ts

@@ -5,21 +5,21 @@
  * @see ADR-BE-XXX (Personal vs Shared Organization Model)
  */
 
-import type { OrgChartRole } from '../permissions/orgchart-roles';
+import type { OrgChartRole } from "../permissions/orgchart-roles";
 
 /**
  * Organization type distinguishes personal workspaces from shared organizations.
  * - 'personal': Single-user workspace, owned by creator, claimable
  * - 'shared': Multi-user organization, owned by one user, not claimable
  */
-export type OrgType = 'personal' | 'shared';
+export type OrgType = "personal" | "shared";
 
 /**
  * Execution scope determines whose identity is used when executing actions.
  * - 'self': Actions execute under the connecting user's identity only
  * - 'org': Actions execute on behalf of the organization (shared access)
  */
-export type ExecutionScope = 'self' | 'org';
+export type ExecutionScope = "self" | "org";
 
 /**
  * Public organization information suitable for API responses.
@@ -55,7 +55,6 @@ export interface OwnershipTransferStatus {
 // @see ADR-CONT-030 for design rationale
 // =============================================================================
 
-
 /**
  * Workspace overview for the control plane UI.
  * Read-only projection of organization state.
@@ -87,14 +86,14 @@ export interface WorkspaceMemberUnitSummary {
   unitName: string;
   /** Human-readable path from the OrgUnit tree (e.g. "Sales / Enterprise"). */
   unitPath: string;
-  role: 'owner' | 'manager' | 'member';
+  role: "owner" | "manager" | "member";
 }
 
 /**
  * Invite status for a workspace member row. `null` for members that have no
  * associated invite record (joined pre-invite system).
  */
-export type WorkspaceMemberInviteStatus = 'active' | 'pending' | 'expired';
+export type WorkspaceMemberInviteStatus = "active" | "pending" | "expired";
 
 /**
  * Workspace member types. Inferred from their Zod schemas in `./schemas`
@@ -103,7 +102,7 @@ export type WorkspaceMemberInviteStatus = 'active' | 'pending' | 'expired';
  * the field-level documentation; do not reintroduce a parallel interface (it
  * was the cause of the `manages`/`avatarUrl` drift — see ADR-CTRL-112).
  */
-export type { WorkspaceMember, WorkspaceMemberDetail } from './schemas';
+export type { WorkspaceMember, WorkspaceMemberDetail } from "./schemas";
 
 /**
  * Recent audit action attached to a member-detail response.
@@ -116,14 +115,13 @@ export interface MemberRecentAction {
   summary: string;
 }
 
-
 /**
  * Entry in the RBAC roles catalog (GET /api/rbac/roles).
  */
 export interface RoleCatalogEntry {
   /** Canonical role name, e.g. 'org_owner'. */
   name: string;
-  type: 'system' | 'custom';
+  type: "system" | "custom";
   /** One-line description sourced from system-roles.ts (or org-provided for custom). */
   description: string;
   /** Scope patterns granted by this role. May contain wildcards (e.g. 'org.view_*'). */
@@ -194,7 +192,8 @@ export interface SsoOperationalState {
  * SECURITY INVARIANT: Never return actual client ID or client secret values.
  * Only boolean indicators (hasClientId, hasClientSecret) are safe to expose.
  */
-export interface SsoSetupInfo extends SsoDiscoveryConfig, SsoCredentialStatus, SsoOperationalState {}
+export interface SsoSetupInfo
+  extends SsoDiscoveryConfig, SsoCredentialStatus, SsoOperationalState {}
 
 /**
  * Individual readiness check for SSO activation.
@@ -244,17 +243,17 @@ export interface SsoEnforcementStatus {
  * Any state → NOT_CONFIGURED (on credential removal or provider switch)
  */
 export type ProviderStatus =
-  | 'NOT_CONFIGURED'
-  | 'CONFIG_SAVED'
-  | 'CONFIG_VALID'
-  | 'TEST_SUCCESS'
-  | 'ENABLED';
+  | "NOT_CONFIGURED"
+  | "CONFIG_SAVED"
+  | "CONFIG_VALID"
+  | "TEST_SUCCESS"
+  | "ENABLED";
 
 /** Workspace SSO state derived from provider status + policy. */
-export type WorkspaceSsoState = 'SSO_DISABLED' | 'SSO_ENABLED' | 'SSO_ENFORCED';
+export type WorkspaceSsoState = "SSO_DISABLED" | "SSO_ENABLED" | "SSO_ENFORCED";
 
 /** Backend-authoritative stepper step. Frontend MUST NOT re-derive. */
-export type SsoStepperStep = 'configure' | 'test' | 'enable' | 'enforce';
+export type SsoStepperStep = "configure" | "test" | "enable" | "enforce";
 
 /** Owner identity information for the SSO readiness surface. */
 export interface OwnerIdentityInfo {
@@ -272,7 +271,11 @@ export interface OidcValidationResult {
   issuer?: string;
   authorizationEndpoint?: string;
   error?: string;
-  errorCode?: 'UNREACHABLE' | 'INVALID_DOCUMENT' | 'MISSING_FIELDS' | 'SSRF_BLOCKED';
+  errorCode?:
+    | "UNREACHABLE"
+    | "INVALID_DOCUMENT"
+    | "MISSING_FIELDS"
+    | "SSRF_BLOCKED";
 }
 
 /** Initiation payload for a test SSO login attempt. */
@@ -283,17 +286,21 @@ export interface TestSsoInitiation {
 
 /** Result of a test SSO login attempt. */
 export interface TestSsoResult {
-  status: 'pending' | 'success' | 'failed' | 'expired';
+  status: "pending" | "success" | "failed" | "expired";
   claims?: { sub: string; email?: string; name?: string; issuer: string };
   identityLinked?: boolean;
   error?: string;
-  errorCode?: 'IDENTITY_CONFLICT' | 'DOMAIN_MISMATCH' | 'ISSUER_MISMATCH' | 'CALLBACK_ERROR';
+  errorCode?:
+    | "IDENTITY_CONFLICT"
+    | "DOMAIN_MISMATCH"
+    | "ISSUER_MISMATCH"
+    | "CALLBACK_ERROR";
 }
 
 /** MX-based provider suggestion for SSO setup. */
 export interface ProviderSuggestion {
-  suggestedProvider: 'google' | 'microsoft' | null;
-  confidence: 'high' | 'low';
+  suggestedProvider: "google" | "microsoft" | null;
+  confidence: "high" | "low";
   reason: string;
   /** The verified domain that triggered the suggestion (for pre-filling provider inputs). */
   detectedDomain?: string;
@@ -354,7 +361,7 @@ export interface WorkspaceAuditEvent {
   actor: {
     id: string;
     name: string;
-    type: 'user' | 'system';
+    type: "user" | "system";
   };
   action: string;
   summary: string;
@@ -368,7 +375,7 @@ export interface WorkspaceAuditEvent {
 /**
  * Status of an organization invite.
  */
-export type OrgInviteStatus = 'pending' | 'accepted' | 'expired' | 'revoked';
+export type OrgInviteStatus = "pending" | "accepted" | "expired" | "revoked";
 
 /**
  * Organization invite for the workspace invites list.
@@ -379,7 +386,7 @@ export interface OrgInvite {
   orgId: string;
   email: string;
   /** Invite role — invites only grant the restricted {admin, member} domain. */
-  role: 'admin' | 'member';
+  role: "admin" | "member";
   invitedBy: {
     id: string;
     name: string;
@@ -395,7 +402,7 @@ export interface OrgInvite {
  */
 export interface CreateInviteRequest {
   email: string;
-  role: 'admin' | 'member';
+  role: "admin" | "member";
 }
 
 /**
@@ -417,7 +424,7 @@ export interface RemoveMemberRequest {
  */
 export interface ChangeMemberRoleRequest {
   memberId: string;
-  newRole: 'admin' | 'member';
+  newRole: "admin" | "member";
 }
 
 /**
@@ -478,20 +485,20 @@ export interface UpdateAuthPolicyRequest {
  */
 export type Phase3AuditAction =
   // Invite lifecycle
-  | 'org.member.invited'
-  | 'org.member.joined'
-  | 'org.invite.revoked'
-  | 'org.invite.expired'
+  | "org.member.invited"
+  | "org.member.joined"
+  | "org.invite.revoked"
+  | "org.invite.expired"
   // Member mutations
-  | 'org.member.removed'
-  | 'org.member.role_changed'
+  | "org.member.removed"
+  | "org.member.role_changed"
   // Organization transition
-  | 'org.type_transition'
+  | "org.type_transition"
   // Integration scope changes
-  | 'integration.scope_promoted'
-  | 'integration.scope_demoted'
+  | "integration.scope_promoted"
+  | "integration.scope_demoted"
   // Auth policy
-  | 'org.auth_policy.updated';
+  | "org.auth_policy.updated";
 
 // =============================================================================
 // Multi-Org Membership Types (Phase 4)
@@ -583,7 +590,7 @@ export interface OrgScopedContext {
  * - 'info': Read-only surface, any member, org.view_* capabilities
  * - 'settings': Admin surface, org.manage_* capabilities
  */
-export type WorkspaceSurface = 'info' | 'settings';
+export type WorkspaceSurface = "info" | "settings";
 
 /**
  * Read-only workspace overview for the Info surface.
@@ -655,10 +662,10 @@ export interface TransferAcceptanceView {
 
 /** Responsibility checklist items shown on the acceptance page. */
 export const TRANSFER_RESPONSIBILITIES = [
-  'You will become the sole owner of this workspace',
-  'You will be responsible for billing and compliance',
-  'The current owner will be downgraded to admin',
-  'This action cannot be undone without a new transfer',
+  "You will become the sole owner of this workspace",
+  "You will be responsible for billing and compliance",
+  "The current owner will be downgraded to admin",
+  "This action cannot be undone without a new transfer",
 ] as const;
 
 export type TransferResponsibility = (typeof TRANSFER_RESPONSIBILITIES)[number];
@@ -669,12 +676,12 @@ export type TransferResponsibility = (typeof TRANSFER_RESPONSIBILITIES)[number];
 // =============================================================================
 
 /** Identity Trust Level — org's identity posture */
-export type IdentityTrustLevel = 'ITL_0' | 'ITL_1' | 'ITL_2';
+export type IdentityTrustLevel = "ITL_0" | "ITL_1" | "ITL_2";
 
 export const IDENTITY_TRUST_LEVEL_LABELS: Record<IdentityTrustLevel, string> = {
-  ITL_0: 'No verified domains',
-  ITL_1: 'Domain verified',
-  ITL_2: 'SSO enforced',
+  ITL_0: "No verified domains",
+  ITL_1: "Domain verified",
+  ITL_2: "SSO enforced",
 } as const;
 
 /** Transfer eligibility result with ITL context */
@@ -701,7 +708,7 @@ export interface TransferMemberEligibility {
 /**
  * Status of an integration request from a member.
  */
-export type IntegrationRequestStatus = 'pending' | 'approved' | 'denied';
+export type IntegrationRequestStatus = "pending" | "approved" | "denied";
 
 /**
  * Advisory integration request created by a member.

package/src/org/view-scopes.ts

@@ -17,19 +17,19 @@
  */
 export const VIEW_SCOPE_MAP = {
   // Protected views (require specific scope)
-  workspace: 'org.view_workspace',
-  timeline: 'org.view_timeline',
-  teamwork: 'org.view_teamwork',
-  'teamwork-member': 'org.view_teamwork',
-  'company-md': 'org.view_company_md',
-  teams: 'org.view_teams',
-  'internal-admin': 'internal.view_admin',
+  workspace: "org.view_workspace",
+  timeline: "org.view_timeline",
+  teamwork: "org.view_teamwork",
+  "teamwork-member": "org.view_teamwork",
+  "company-md": "org.view_company_md",
+  teams: "org.view_teams",
+  "internal-admin": "internal.view_admin",
   // Public views (require only authentication)
   chat: null,
   settings: null,
   chats: null,
-  'my-work': null,
-  'user-md': null,
+  "my-work": null,
+  "user-md": null,
   upgrade: null,
 } as const;
 

package/src/permissions/access-levels.ts

@@ -10,9 +10,14 @@
  *
  * The commenter level is currently a stub — see ADR-CTRL-087.
  */
-import { z } from 'zod';
+import { z } from "zod";
 
-export const ACCESS_LEVELS = ['owner', 'editor', 'commenter', 'viewer'] as const;
+export const ACCESS_LEVELS = [
+  "owner",
+  "editor",
+  "commenter",
+  "viewer",
+] as const;
 export type AccessLevel = (typeof ACCESS_LEVELS)[number];
 
 export const AccessLevelSchema = z.enum(ACCESS_LEVELS);

package/src/permissions/access-source.ts

@@ -14,14 +14,14 @@
  *   - `inheritance`  — org-chart-membership-based unit walk
  *   - `migration`    — one-shot backfill from legacy systems (AUTH-004)
  */
-import { z } from 'zod';
+import { z } from "zod";
 
 export const ACCESS_SOURCES = [
-  'explicit',
-  'ownership',
-  'visibility',
-  'inheritance',
-  'migration',
+  "explicit",
+  "ownership",
+  "visibility",
+  "inheritance",
+  "migration",
 ] as const;
 export type AccessSource = (typeof ACCESS_SOURCES)[number];
 

package/src/permissions/index.ts

@@ -4,8 +4,8 @@
  * Re-exports the three canonical enums introduced in AUTH-001 (PRD-00669).
  * Import from '@company-semantics/contracts' (root).
  */
-export * from './access-levels';
-export * from './orgchart-roles';
-export * from './access-source';
-export * from './share-api';
-export * from './permission-introspection';
+export * from "./access-levels";
+export * from "./orgchart-roles";
+export * from "./access-source";
+export * from "./share-api";
+export * from "./permission-introspection";

package/src/permissions/orgchart-roles.ts

@@ -20,9 +20,9 @@
  * remains a separate, orthogonal axis — it is an INPUT to authority
  * resolution, not the derived policy role.
  */
-import { z } from 'zod';
+import { z } from "zod";
 
-export const ORG_CHART_ROLES = ['ceo', 'leader', 'delegate', 'admin'] as const;
+export const ORG_CHART_ROLES = ["ceo", "leader", "delegate", "admin"] as const;
 export type OrgChartRole = (typeof ORG_CHART_ROLES)[number];
 
 export const OrgChartRoleSchema = z.enum(ORG_CHART_ROLES);
@@ -32,13 +32,13 @@ export const OrgChartRoleSchema = z.enum(ORG_CHART_ROLES);
  * org-chart standing) renders as "Member" via {@link orgChartRoleLabel}.
  */
 export const ORG_CHART_ROLE_LABELS: Record<OrgChartRole, string> = {
-  ceo: 'CEO',
-  leader: 'Leader',
-  delegate: 'Delegate',
-  admin: 'Admin',
+  ceo: "CEO",
+  leader: "Leader",
+  delegate: "Delegate",
+  admin: "Admin",
 };
 
 /** Display label for a (possibly null) org-chart role; `null` = plain member. */
 export function orgChartRoleLabel(role: OrgChartRole | null): string {
-  return role === null ? 'Member' : ORG_CHART_ROLE_LABELS[role];
+  return role === null ? "Member" : ORG_CHART_ROLE_LABELS[role];
 }

package/src/permissions/permission-introspection.ts

@@ -17,10 +17,10 @@
  * flow verbatim to the UI. The schema mirrors what the evaluator records into
  * permission_decisions; the UI never re-derives.
  */
-import { z } from 'zod';
-import { AccessLevelSchema } from './access-levels';
-import { AccessSourceSchema } from './access-source';
-import { PrincipalSchema } from './share-api';
+import { z } from "zod";
+import { AccessLevelSchema } from "./access-levels";
+import { AccessSourceSchema } from "./access-source";
+import { PrincipalSchema } from "./share-api";
 
 // ---------------------------------------------------------------------------
 // WhoCanAccess — every principal with effective access to an entity.
@@ -60,7 +60,9 @@ export const RecentDecisionsResponseSchema = z.object({
   entity_id: z.string().uuid(),
   rows: z.array(RecentDecisionSchema),
 });
-export type RecentDecisionsResponse = z.infer<typeof RecentDecisionsResponseSchema>;
+export type RecentDecisionsResponse = z.infer<
+  typeof RecentDecisionsResponseSchema
+>;
 
 export const RecentDecisionsQuerySchema = z.object({
   limit: z.coerce.number().int().min(1).max(200).default(50),

package/src/permissions/share-api.ts

@@ -9,11 +9,11 @@
  * Authority: ADR-CTRL-085 (Rights Table), ADR-CTRL-086 (most-permissive
  * aggregation), ADR-BE-181 (AUTH-006 compose model).
  */
-import { z } from 'zod';
-import { AccessLevelSchema } from './access-levels';
-import { AccessSourceSchema } from './access-source';
+import { z } from "zod";
+import { AccessLevelSchema } from "./access-levels";
+import { AccessSourceSchema } from "./access-source";
 
-export const PrincipalTypeSchema = z.enum(['user', 'unit', 'org']);
+export const PrincipalTypeSchema = z.enum(["user", "unit", "org"]);
 export type PrincipalType = z.infer<typeof PrincipalTypeSchema>;
 
 export const PrincipalSchema = z.object({
@@ -22,10 +22,14 @@ export const PrincipalSchema = z.object({
 });
 export type Principal = z.infer<typeof PrincipalSchema>;
 
-export const GrantableAccessLevelSchema = z.enum(['editor', 'commenter', 'viewer']);
+export const GrantableAccessLevelSchema = z.enum([
+  "editor",
+  "commenter",
+  "viewer",
+]);
 export type GrantableAccessLevel = z.infer<typeof GrantableAccessLevelSchema>;
 
-export const EntityVisibilitySchema = z.enum(['private', 'unit', 'org']);
+export const EntityVisibilitySchema = z.enum(["private", "unit", "org"]);
 export type EntityVisibility = z.infer<typeof EntityVisibilitySchema>;
 
 export const AclGrantRequestSchema = z.object({
@@ -55,7 +59,9 @@ export type AclListResponse = z.infer<typeof AclListResponseSchema>;
 export const VisibilityPatchRequestSchema = z.object({
   tier: EntityVisibilitySchema,
 });
-export type VisibilityPatchRequest = z.infer<typeof VisibilityPatchRequestSchema>;
+export type VisibilityPatchRequest = z.infer<
+  typeof VisibilityPatchRequestSchema
+>;
 
 export const OwnerTransferRequestSchema = z.object({
   new_owner_user_id: z.string().uuid(),
@@ -65,10 +71,14 @@ export type OwnerTransferRequest = z.infer<typeof OwnerTransferRequestSchema>;
 export const EffectiveAccessRequestSchema = z.object({
   principal: PrincipalSchema,
 });
-export type EffectiveAccessRequest = z.infer<typeof EffectiveAccessRequestSchema>;
+export type EffectiveAccessRequest = z.infer<
+  typeof EffectiveAccessRequestSchema
+>;
 
 export const EffectiveAccessResponseSchema = z.object({
   access_level: AccessLevelSchema.nullable(),
   source_chain: z.array(AccessSourceSchema),
 });
-export type EffectiveAccessResponse = z.infer<typeof EffectiveAccessResponseSchema>;
+export type EffectiveAccessResponse = z.infer<
+  typeof EffectiveAccessResponseSchema
+>;

package/src/pressure.ts

@@ -18,14 +18,14 @@
  * Canonical response header used to signal system pressure to clients.
  * Frontend imports this to avoid stringly-typed header lookups.
  */
-export const SYSTEM_PRESSURE_HEADER = 'X-System-Pressure';
+export const SYSTEM_PRESSURE_HEADER = "X-System-Pressure";
 
 /**
  * Values carried on the `X-System-Pressure` header. `degraded` indicates the
  * backend is actively shedding P3 traffic; `normal` indicates the controller
  * is quiescent.
  */
-export type SystemPressureValue = 'normal' | 'degraded';
+export type SystemPressureValue = "normal" | "degraded";
 
 /**
  * Heap-utilisation ratio above which the load-shed controller begins
@@ -51,7 +51,7 @@ export const CLEAR_HOLDDOWN_MS = 30_000;
  * `retryAfter` mirrors the `Retry-After` header value (seconds).
  */
 export type ShedResponse = {
-  error: 'tenant_quota_shed';
+  error: "tenant_quota_shed";
   retryAfter: number;
-  reason: 'heap_pressure' | 'queue_depth';
+  reason: "heap_pressure" | "queue_depth";
 };

package/src/queryIntent.ts

@@ -19,24 +19,24 @@
  * authority for the intent set itself.
  */
 export type QueryIntent =
-  | 'me.read'
-  | 'workspace.read'
-  | 'workspace.write'
-  | 'company-md.tree.read'
-  | 'company-md.doc.read'
-  | 'company-md.doc.write'
-  | 'company-md.settings.read'
-  | 'company-md.settings.write'
-  | 'chats.events'
-  | 'chats.write'
-  | 'billing.read'
-  | 'ai-usage.read'
-  | 'audit.read'
-  | 'invites.read'
-  | 'invites.write'
-  | 'integrations.status.read'
-  | 'org.transfer.status.read'
-  | 'org.deletion.eligibility.read'
-  | 'user.preferences.read'
-  | 'user.preferences.write'
-  | 'admin.impersonate.events';
+  | "me.read"
+  | "workspace.read"
+  | "workspace.write"
+  | "company-md.tree.read"
+  | "company-md.doc.read"
+  | "company-md.doc.write"
+  | "company-md.settings.read"
+  | "company-md.settings.write"
+  | "chats.events"
+  | "chats.write"
+  | "billing.read"
+  | "ai-usage.read"
+  | "audit.read"
+  | "invites.read"
+  | "invites.write"
+  | "integrations.status.read"
+  | "org.transfer.status.read"
+  | "org.deletion.eligibility.read"
+  | "user.preferences.read"
+  | "user.preferences.write"
+  | "admin.impersonate.events";