@contractspec/lib.identity-rbac 0.0.0-canary-20260113162409

package/dist/contracts/rbac.js

@@ -0,0 +1,484 @@
+import { SuccessResultModel } from "./user.js";
+import { ScalarTypeEnum, SchemaModel } from "@contractspec/lib.schema";
+import { defineCommand, defineQuery } from "@contractspec/lib.contracts";
+
+//#region src/contracts/rbac.ts
+const RoleModel = new SchemaModel({
+	name: "Role",
+	description: "RBAC role definition",
+	fields: {
+		id: {
+			type: ScalarTypeEnum.String_unsecure(),
+			isOptional: false
+		},
+		name: {
+			type: ScalarTypeEnum.String_unsecure(),
+			isOptional: false
+		},
+		description: {
+			type: ScalarTypeEnum.String_unsecure(),
+			isOptional: true
+		},
+		permissions: {
+			type: ScalarTypeEnum.String_unsecure(),
+			isOptional: false,
+			isArray: true
+		},
+		createdAt: {
+			type: ScalarTypeEnum.DateTime(),
+			isOptional: false
+		}
+	}
+});
+const PolicyBindingModel = new SchemaModel({
+	name: "PolicyBinding",
+	description: "Role assignment to a target",
+	fields: {
+		id: {
+			type: ScalarTypeEnum.String_unsecure(),
+			isOptional: false
+		},
+		roleId: {
+			type: ScalarTypeEnum.String_unsecure(),
+			isOptional: false
+		},
+		targetType: {
+			type: ScalarTypeEnum.String_unsecure(),
+			isOptional: false
+		},
+		targetId: {
+			type: ScalarTypeEnum.String_unsecure(),
+			isOptional: false
+		},
+		expiresAt: {
+			type: ScalarTypeEnum.DateTime(),
+			isOptional: true
+		},
+		createdAt: {
+			type: ScalarTypeEnum.DateTime(),
+			isOptional: false
+		},
+		role: {
+			type: RoleModel,
+			isOptional: false
+		}
+	}
+});
+const PermissionCheckResultModel = new SchemaModel({
+	name: "PermissionCheckResult",
+	description: "Result of a permission check",
+	fields: {
+		allowed: {
+			type: ScalarTypeEnum.Boolean(),
+			isOptional: false
+		},
+		reason: {
+			type: ScalarTypeEnum.String_unsecure(),
+			isOptional: true
+		},
+		matchedRole: {
+			type: ScalarTypeEnum.String_unsecure(),
+			isOptional: true
+		}
+	}
+});
+const CreateRoleInputModel = new SchemaModel({
+	name: "CreateRoleInput",
+	description: "Input for creating a role",
+	fields: {
+		name: {
+			type: ScalarTypeEnum.NonEmptyString(),
+			isOptional: false
+		},
+		description: {
+			type: ScalarTypeEnum.String_unsecure(),
+			isOptional: true
+		},
+		permissions: {
+			type: ScalarTypeEnum.String_unsecure(),
+			isOptional: false,
+			isArray: true
+		}
+	}
+});
+const UpdateRoleInputModel = new SchemaModel({
+	name: "UpdateRoleInput",
+	description: "Input for updating a role",
+	fields: {
+		roleId: {
+			type: ScalarTypeEnum.String_unsecure(),
+			isOptional: false
+		},
+		name: {
+			type: ScalarTypeEnum.String_unsecure(),
+			isOptional: true
+		},
+		description: {
+			type: ScalarTypeEnum.String_unsecure(),
+			isOptional: true
+		},
+		permissions: {
+			type: ScalarTypeEnum.String_unsecure(),
+			isOptional: true,
+			isArray: true
+		}
+	}
+});
+const DeleteRoleInputModel = new SchemaModel({
+	name: "DeleteRoleInput",
+	description: "Input for deleting a role",
+	fields: { roleId: {
+		type: ScalarTypeEnum.String_unsecure(),
+		isOptional: false
+	} }
+});
+const ListRolesOutputModel = new SchemaModel({
+	name: "ListRolesOutput",
+	description: "Output for listing roles",
+	fields: { roles: {
+		type: RoleModel,
+		isOptional: false,
+		isArray: true
+	} }
+});
+const AssignRoleInputModel = new SchemaModel({
+	name: "AssignRoleInput",
+	description: "Input for assigning a role",
+	fields: {
+		roleId: {
+			type: ScalarTypeEnum.String_unsecure(),
+			isOptional: false
+		},
+		targetType: {
+			type: ScalarTypeEnum.String_unsecure(),
+			isOptional: false
+		},
+		targetId: {
+			type: ScalarTypeEnum.String_unsecure(),
+			isOptional: false
+		},
+		expiresAt: {
+			type: ScalarTypeEnum.DateTime(),
+			isOptional: true
+		}
+	}
+});
+const RevokeRoleInputModel = new SchemaModel({
+	name: "RevokeRoleInput",
+	description: "Input for revoking a role",
+	fields: { bindingId: {
+		type: ScalarTypeEnum.String_unsecure(),
+		isOptional: false
+	} }
+});
+const BindingIdPayloadModel = new SchemaModel({
+	name: "BindingIdPayload",
+	description: "Payload with binding ID",
+	fields: { bindingId: {
+		type: ScalarTypeEnum.String_unsecure(),
+		isOptional: false
+	} }
+});
+const CheckPermissionInputModel = new SchemaModel({
+	name: "CheckPermissionInput",
+	description: "Input for checking a permission",
+	fields: {
+		userId: {
+			type: ScalarTypeEnum.String_unsecure(),
+			isOptional: false
+		},
+		orgId: {
+			type: ScalarTypeEnum.String_unsecure(),
+			isOptional: true
+		},
+		permission: {
+			type: ScalarTypeEnum.String_unsecure(),
+			isOptional: false
+		}
+	}
+});
+const ListUserPermissionsInputModel = new SchemaModel({
+	name: "ListUserPermissionsInput",
+	description: "Input for listing user permissions",
+	fields: {
+		userId: {
+			type: ScalarTypeEnum.String_unsecure(),
+			isOptional: false
+		},
+		orgId: {
+			type: ScalarTypeEnum.String_unsecure(),
+			isOptional: true
+		}
+	}
+});
+const ListUserPermissionsOutputModel = new SchemaModel({
+	name: "ListUserPermissionsOutput",
+	description: "Output for listing user permissions",
+	fields: {
+		permissions: {
+			type: ScalarTypeEnum.String_unsecure(),
+			isOptional: false,
+			isArray: true
+		},
+		roles: {
+			type: RoleModel,
+			isOptional: false,
+			isArray: true
+		}
+	}
+});
+/**
+* Create a new role.
+*/
+const CreateRoleContract = defineCommand({
+	meta: {
+		key: "identity.rbac.role.create",
+		version: "1.0.0",
+		stability: "stable",
+		owners: ["@platform.identity-rbac"],
+		tags: [
+			"identity",
+			"rbac",
+			"role",
+			"create"
+		],
+		description: "Create a new role with permissions.",
+		goal: "Allow admins to define custom roles.",
+		context: "Role management in admin settings."
+	},
+	io: {
+		input: CreateRoleInputModel,
+		output: RoleModel,
+		errors: { ROLE_EXISTS: {
+			description: "A role with this name already exists",
+			http: 409,
+			gqlCode: "ROLE_EXISTS",
+			when: "Role name is taken"
+		} }
+	},
+	policy: { auth: "admin" },
+	sideEffects: { audit: ["role.created"] }
+});
+/**
+* Update a role.
+*/
+const UpdateRoleContract = defineCommand({
+	meta: {
+		key: "identity.rbac.role.update",
+		version: "1.0.0",
+		stability: "stable",
+		owners: ["@platform.identity-rbac"],
+		tags: [
+			"identity",
+			"rbac",
+			"role",
+			"update"
+		],
+		description: "Update an existing role.",
+		goal: "Allow admins to modify role permissions.",
+		context: "Role management in admin settings."
+	},
+	io: {
+		input: UpdateRoleInputModel,
+		output: RoleModel
+	},
+	policy: { auth: "admin" },
+	sideEffects: { audit: ["role.updated"] }
+});
+/**
+* Delete a role.
+*/
+const DeleteRoleContract = defineCommand({
+	meta: {
+		key: "identity.rbac.role.delete",
+		version: "1.0.0",
+		stability: "stable",
+		owners: ["@platform.identity-rbac"],
+		tags: [
+			"identity",
+			"rbac",
+			"role",
+			"delete"
+		],
+		description: "Delete an existing role.",
+		goal: "Allow admins to remove unused roles.",
+		context: "Role management. Removes all policy bindings using this role."
+	},
+	io: {
+		input: DeleteRoleInputModel,
+		output: SuccessResultModel,
+		errors: { ROLE_IN_USE: {
+			description: "Role is still assigned to users or organizations",
+			http: 409,
+			gqlCode: "ROLE_IN_USE",
+			when: "Role has active bindings"
+		} }
+	},
+	policy: { auth: "admin" },
+	sideEffects: { audit: ["role.deleted"] }
+});
+/**
+* List all roles.
+*/
+const ListRolesContract = defineQuery({
+	meta: {
+		key: "identity.rbac.role.list",
+		version: "1.0.0",
+		stability: "stable",
+		owners: ["@platform.identity-rbac"],
+		tags: [
+			"identity",
+			"rbac",
+			"role",
+			"list"
+		],
+		description: "List all available roles.",
+		goal: "Show available roles for assignment.",
+		context: "Role assignment UI."
+	},
+	io: {
+		input: null,
+		output: ListRolesOutputModel
+	},
+	policy: { auth: "user" }
+});
+/**
+* Assign a role to a user or organization.
+*/
+const AssignRoleContract = defineCommand({
+	meta: {
+		key: "identity.rbac.assign",
+		version: "1.0.0",
+		stability: "stable",
+		owners: ["@platform.identity-rbac"],
+		tags: [
+			"identity",
+			"rbac",
+			"assign"
+		],
+		description: "Assign a role to a user or organization.",
+		goal: "Grant permissions via role assignment.",
+		context: "User/org permission management."
+	},
+	io: {
+		input: AssignRoleInputModel,
+		output: PolicyBindingModel,
+		errors: {
+			ROLE_NOT_FOUND: {
+				description: "The specified role does not exist",
+				http: 404,
+				gqlCode: "ROLE_NOT_FOUND",
+				when: "Role ID is invalid"
+			},
+			ALREADY_ASSIGNED: {
+				description: "This role is already assigned to the target",
+				http: 409,
+				gqlCode: "ALREADY_ASSIGNED",
+				when: "Binding already exists"
+			}
+		}
+	},
+	policy: { auth: "admin" },
+	sideEffects: {
+		emits: [{
+			key: "role.assigned",
+			version: "1.0.0",
+			when: "Role is assigned",
+			payload: PolicyBindingModel
+		}],
+		audit: ["role.assigned"]
+	}
+});
+/**
+* Revoke a role from a user or organization.
+*/
+const RevokeRoleContract = defineCommand({
+	meta: {
+		key: "identity.rbac.revoke",
+		version: "1.0.0",
+		stability: "stable",
+		owners: ["@platform.identity-rbac"],
+		tags: [
+			"identity",
+			"rbac",
+			"revoke"
+		],
+		description: "Revoke a role from a user or organization.",
+		goal: "Remove permissions via role revocation.",
+		context: "User/org permission management."
+	},
+	io: {
+		input: RevokeRoleInputModel,
+		output: SuccessResultModel,
+		errors: { BINDING_NOT_FOUND: {
+			description: "The policy binding does not exist",
+			http: 404,
+			gqlCode: "BINDING_NOT_FOUND",
+			when: "Binding ID is invalid"
+		} }
+	},
+	policy: { auth: "admin" },
+	sideEffects: {
+		emits: [{
+			key: "role.revoked",
+			version: "1.0.0",
+			when: "Role is revoked",
+			payload: BindingIdPayloadModel
+		}],
+		audit: ["role.revoked"]
+	}
+});
+/**
+* Check if a user has a specific permission.
+*/
+const CheckPermissionContract = defineQuery({
+	meta: {
+		key: "identity.rbac.check",
+		version: "1.0.0",
+		stability: "stable",
+		owners: ["@platform.identity-rbac"],
+		tags: [
+			"identity",
+			"rbac",
+			"check",
+			"permission"
+		],
+		description: "Check if a user has a specific permission.",
+		goal: "Authorization check before sensitive operations.",
+		context: "Called by other services to verify permissions."
+	},
+	io: {
+		input: CheckPermissionInputModel,
+		output: PermissionCheckResultModel
+	},
+	policy: { auth: "user" }
+});
+/**
+* List permissions for a user.
+*/
+const ListUserPermissionsContract = defineQuery({
+	meta: {
+		key: "identity.rbac.permissions",
+		version: "1.0.0",
+		stability: "stable",
+		owners: ["@platform.identity-rbac"],
+		tags: [
+			"identity",
+			"rbac",
+			"permissions",
+			"user"
+		],
+		description: "List all permissions for a user in a context.",
+		goal: "Show what a user can do in an org.",
+		context: "UI permission display, debugging."
+	},
+	io: {
+		input: ListUserPermissionsInputModel,
+		output: ListUserPermissionsOutputModel
+	},
+	policy: { auth: "user" }
+});
+
+//#endregion
+export { AssignRoleContract, AssignRoleInputModel, BindingIdPayloadModel, CheckPermissionContract, CheckPermissionInputModel, CreateRoleContract, CreateRoleInputModel, DeleteRoleContract, DeleteRoleInputModel, ListRolesContract, ListRolesOutputModel, ListUserPermissionsContract, ListUserPermissionsInputModel, ListUserPermissionsOutputModel, PermissionCheckResultModel, PolicyBindingModel, RevokeRoleContract, RevokeRoleInputModel, RoleModel, UpdateRoleContract, UpdateRoleInputModel };
+//# sourceMappingURL=rbac.js.map

package/dist/contracts/rbac.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"rbac.js","names":[],"sources":["../../src/contracts/rbac.ts"],"sourcesContent":["import { SchemaModel, ScalarTypeEnum } from '@contractspec/lib.schema';\nimport { defineCommand, defineQuery } from '@contractspec/lib.contracts';\nimport { SuccessResultModel } from './user';\n\n// ============ SchemaModels ============\n\nexport const RoleModel = new SchemaModel({\n  name: 'Role',\n  description: 'RBAC role definition',\n  fields: {\n    id: { type: ScalarTypeEnum.String_unsecure(), isOptional: false },\n    name: { type: ScalarTypeEnum.String_unsecure(), isOptional: false },\n    description: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },\n    permissions: {\n      type: ScalarTypeEnum.String_unsecure(),\n      isOptional: false,\n      isArray: true,\n    },\n    createdAt: { type: ScalarTypeEnum.DateTime(), isOptional: false },\n  },\n});\n\nexport const PolicyBindingModel = new SchemaModel({\n  name: 'PolicyBinding',\n  description: 'Role assignment to a target',\n  fields: {\n    id: { type: ScalarTypeEnum.String_unsecure(), isOptional: false },\n    roleId: { type: ScalarTypeEnum.String_unsecure(), isOptional: false },\n    targetType: { type: ScalarTypeEnum.String_unsecure(), isOptional: false }, // user | organization\n    targetId: { type: ScalarTypeEnum.String_unsecure(), isOptional: false },\n    expiresAt: { type: ScalarTypeEnum.DateTime(), isOptional: true },\n    createdAt: { type: ScalarTypeEnum.DateTime(), isOptional: false },\n    role: { type: RoleModel, isOptional: false },\n  },\n});\n\nexport const PermissionCheckResultModel = new SchemaModel({\n  name: 'PermissionCheckResult',\n  description: 'Result of a permission check',\n  fields: {\n    allowed: { type: ScalarTypeEnum.Boolean(), isOptional: false },\n    reason: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },\n    matchedRole: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },\n  },\n});\n\nexport const CreateRoleInputModel = new SchemaModel({\n  name: 'CreateRoleInput',\n  description: 'Input for creating a role',\n  fields: {\n    name: { type: ScalarTypeEnum.NonEmptyString(), isOptional: false },\n    description: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },\n    permissions: {\n      type: ScalarTypeEnum.String_unsecure(),\n      isOptional: false,\n      isArray: true,\n    },\n  },\n});\n\nexport const UpdateRoleInputModel = new SchemaModel({\n  name: 'UpdateRoleInput',\n  description: 'Input for updating a role',\n  fields: {\n    roleId: { type: ScalarTypeEnum.String_unsecure(), isOptional: false },\n    name: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },\n    description: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },\n    permissions: {\n      type: ScalarTypeEnum.String_unsecure(),\n      isOptional: true,\n      isArray: true,\n    },\n  },\n});\n\nexport const DeleteRoleInputModel = new SchemaModel({\n  name: 'DeleteRoleInput',\n  description: 'Input for deleting a role',\n  fields: {\n    roleId: { type: ScalarTypeEnum.String_unsecure(), isOptional: false },\n  },\n});\n\nexport const ListRolesOutputModel = new SchemaModel({\n  name: 'ListRolesOutput',\n  description: 'Output for listing roles',\n  fields: {\n    roles: { type: RoleModel, isOptional: false, isArray: true },\n  },\n});\n\nexport const AssignRoleInputModel = new SchemaModel({\n  name: 'AssignRoleInput',\n  description: 'Input for assigning a role',\n  fields: {\n    roleId: { type: ScalarTypeEnum.String_unsecure(), isOptional: false },\n    targetType: { type: ScalarTypeEnum.String_unsecure(), isOptional: false }, // user | organization\n    targetId: { type: ScalarTypeEnum.String_unsecure(), isOptional: false },\n    expiresAt: { type: ScalarTypeEnum.DateTime(), isOptional: true },\n  },\n});\n\nexport const RevokeRoleInputModel = new SchemaModel({\n  name: 'RevokeRoleInput',\n  description: 'Input for revoking a role',\n  fields: {\n    bindingId: { type: ScalarTypeEnum.String_unsecure(), isOptional: false },\n  },\n});\n\nexport const BindingIdPayloadModel = new SchemaModel({\n  name: 'BindingIdPayload',\n  description: 'Payload with binding ID',\n  fields: {\n    bindingId: { type: ScalarTypeEnum.String_unsecure(), isOptional: false },\n  },\n});\n\nexport const CheckPermissionInputModel = new SchemaModel({\n  name: 'CheckPermissionInput',\n  description: 'Input for checking a permission',\n  fields: {\n    userId: { type: ScalarTypeEnum.String_unsecure(), isOptional: false },\n    orgId: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },\n    permission: { type: ScalarTypeEnum.String_unsecure(), isOptional: false },\n  },\n});\n\nexport const ListUserPermissionsInputModel = new SchemaModel({\n  name: 'ListUserPermissionsInput',\n  description: 'Input for listing user permissions',\n  fields: {\n    userId: { type: ScalarTypeEnum.String_unsecure(), isOptional: false },\n    orgId: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },\n  },\n});\n\nexport const ListUserPermissionsOutputModel = new SchemaModel({\n  name: 'ListUserPermissionsOutput',\n  description: 'Output for listing user permissions',\n  fields: {\n    permissions: {\n      type: ScalarTypeEnum.String_unsecure(),\n      isOptional: false,\n      isArray: true,\n    },\n    roles: { type: RoleModel, isOptional: false, isArray: true },\n  },\n});\n\n// ============ Contracts ============\n\n/**\n * Create a new role.\n */\nexport const CreateRoleContract = defineCommand({\n  meta: {\n    key: 'identity.rbac.role.create',\n    version: '1.0.0',\n    stability: 'stable',\n    owners: ['@platform.identity-rbac'],\n    tags: ['identity', 'rbac', 'role', 'create'],\n    description: 'Create a new role with permissions.',\n    goal: 'Allow admins to define custom roles.',\n    context: 'Role management in admin settings.',\n  },\n  io: {\n    input: CreateRoleInputModel,\n    output: RoleModel,\n    errors: {\n      ROLE_EXISTS: {\n        description: 'A role with this name already exists',\n        http: 409,\n        gqlCode: 'ROLE_EXISTS',\n        when: 'Role name is taken',\n      },\n    },\n  },\n  policy: {\n    auth: 'admin',\n  },\n  sideEffects: {\n    audit: ['role.created'],\n  },\n});\n\n/**\n * Update a role.\n */\nexport const UpdateRoleContract = defineCommand({\n  meta: {\n    key: 'identity.rbac.role.update',\n    version: '1.0.0',\n    stability: 'stable',\n    owners: ['@platform.identity-rbac'],\n    tags: ['identity', 'rbac', 'role', 'update'],\n    description: 'Update an existing role.',\n    goal: 'Allow admins to modify role permissions.',\n    context: 'Role management in admin settings.',\n  },\n  io: {\n    input: UpdateRoleInputModel,\n    output: RoleModel,\n  },\n  policy: {\n    auth: 'admin',\n  },\n  sideEffects: {\n    audit: ['role.updated'],\n  },\n});\n\n/**\n * Delete a role.\n */\nexport const DeleteRoleContract = defineCommand({\n  meta: {\n    key: 'identity.rbac.role.delete',\n    version: '1.0.0',\n    stability: 'stable',\n    owners: ['@platform.identity-rbac'],\n    tags: ['identity', 'rbac', 'role', 'delete'],\n    description: 'Delete an existing role.',\n    goal: 'Allow admins to remove unused roles.',\n    context: 'Role management. Removes all policy bindings using this role.',\n  },\n  io: {\n    input: DeleteRoleInputModel,\n    output: SuccessResultModel,\n    errors: {\n      ROLE_IN_USE: {\n        description: 'Role is still assigned to users or organizations',\n        http: 409,\n        gqlCode: 'ROLE_IN_USE',\n        when: 'Role has active bindings',\n      },\n    },\n  },\n  policy: {\n    auth: 'admin',\n  },\n  sideEffects: {\n    audit: ['role.deleted'],\n  },\n});\n\n/**\n * List all roles.\n */\nexport const ListRolesContract = defineQuery({\n  meta: {\n    key: 'identity.rbac.role.list',\n    version: '1.0.0',\n    stability: 'stable',\n    owners: ['@platform.identity-rbac'],\n    tags: ['identity', 'rbac', 'role', 'list'],\n    description: 'List all available roles.',\n    goal: 'Show available roles for assignment.',\n    context: 'Role assignment UI.',\n  },\n  io: {\n    input: null,\n    output: ListRolesOutputModel,\n  },\n  policy: {\n    auth: 'user',\n  },\n});\n\n/**\n * Assign a role to a user or organization.\n */\nexport const AssignRoleContract = defineCommand({\n  meta: {\n    key: 'identity.rbac.assign',\n    version: '1.0.0',\n    stability: 'stable',\n    owners: ['@platform.identity-rbac'],\n    tags: ['identity', 'rbac', 'assign'],\n    description: 'Assign a role to a user or organization.',\n    goal: 'Grant permissions via role assignment.',\n    context: 'User/org permission management.',\n  },\n  io: {\n    input: AssignRoleInputModel,\n    output: PolicyBindingModel,\n    errors: {\n      ROLE_NOT_FOUND: {\n        description: 'The specified role does not exist',\n        http: 404,\n        gqlCode: 'ROLE_NOT_FOUND',\n        when: 'Role ID is invalid',\n      },\n      ALREADY_ASSIGNED: {\n        description: 'This role is already assigned to the target',\n        http: 409,\n        gqlCode: 'ALREADY_ASSIGNED',\n        when: 'Binding already exists',\n      },\n    },\n  },\n  policy: {\n    auth: 'admin',\n  },\n  sideEffects: {\n    emits: [\n      {\n        key: 'role.assigned',\n        version: '1.0.0',\n        when: 'Role is assigned',\n        payload: PolicyBindingModel,\n      },\n    ],\n    audit: ['role.assigned'],\n  },\n});\n\n/**\n * Revoke a role from a user or organization.\n */\nexport const RevokeRoleContract = defineCommand({\n  meta: {\n    key: 'identity.rbac.revoke',\n    version: '1.0.0',\n    stability: 'stable',\n    owners: ['@platform.identity-rbac'],\n    tags: ['identity', 'rbac', 'revoke'],\n    description: 'Revoke a role from a user or organization.',\n    goal: 'Remove permissions via role revocation.',\n    context: 'User/org permission management.',\n  },\n  io: {\n    input: RevokeRoleInputModel,\n    output: SuccessResultModel,\n    errors: {\n      BINDING_NOT_FOUND: {\n        description: 'The policy binding does not exist',\n        http: 404,\n        gqlCode: 'BINDING_NOT_FOUND',\n        when: 'Binding ID is invalid',\n      },\n    },\n  },\n  policy: {\n    auth: 'admin',\n  },\n  sideEffects: {\n    emits: [\n      {\n        key: 'role.revoked',\n        version: '1.0.0',\n        when: 'Role is revoked',\n        payload: BindingIdPayloadModel,\n      },\n    ],\n    audit: ['role.revoked'],\n  },\n});\n\n/**\n * Check if a user has a specific permission.\n */\nexport const CheckPermissionContract = defineQuery({\n  meta: {\n    key: 'identity.rbac.check',\n    version: '1.0.0',\n    stability: 'stable',\n    owners: ['@platform.identity-rbac'],\n    tags: ['identity', 'rbac', 'check', 'permission'],\n    description: 'Check if a user has a specific permission.',\n    goal: 'Authorization check before sensitive operations.',\n    context: 'Called by other services to verify permissions.',\n  },\n  io: {\n    input: CheckPermissionInputModel,\n    output: PermissionCheckResultModel,\n  },\n  policy: {\n    auth: 'user',\n  },\n});\n\n/**\n * List permissions for a user.\n */\nexport const ListUserPermissionsContract = defineQuery({\n  meta: {\n    key: 'identity.rbac.permissions',\n    version: '1.0.0',\n    stability: 'stable',\n    owners: ['@platform.identity-rbac'],\n    tags: ['identity', 'rbac', 'permissions', 'user'],\n    description: 'List all permissions for a user in a context.',\n    goal: 'Show what a user can do in an org.',\n    context: 'UI permission display, debugging.',\n  },\n  io: {\n    input: ListUserPermissionsInputModel,\n    output: ListUserPermissionsOutputModel,\n  },\n  policy: {\n    auth: 'user',\n  },\n});\n"],"mappings":";;;;;AAMA,MAAa,YAAY,IAAI,YAAY;CACvC,MAAM;CACN,aAAa;CACb,QAAQ;EACN,IAAI;GAAE,MAAM,eAAe,iBAAiB;GAAE,YAAY;GAAO;EACjE,MAAM;GAAE,MAAM,eAAe,iBAAiB;GAAE,YAAY;GAAO;EACnE,aAAa;GAAE,MAAM,eAAe,iBAAiB;GAAE,YAAY;GAAM;EACzE,aAAa;GACX,MAAM,eAAe,iBAAiB;GACtC,YAAY;GACZ,SAAS;GACV;EACD,WAAW;GAAE,MAAM,eAAe,UAAU;GAAE,YAAY;GAAO;EAClE;CACF,CAAC;AAEF,MAAa,qBAAqB,IAAI,YAAY;CAChD,MAAM;CACN,aAAa;CACb,QAAQ;EACN,IAAI;GAAE,MAAM,eAAe,iBAAiB;GAAE,YAAY;GAAO;EACjE,QAAQ;GAAE,MAAM,eAAe,iBAAiB;GAAE,YAAY;GAAO;EACrE,YAAY;GAAE,MAAM,eAAe,iBAAiB;GAAE,YAAY;GAAO;EACzE,UAAU;GAAE,MAAM,eAAe,iBAAiB;GAAE,YAAY;GAAO;EACvE,WAAW;GAAE,MAAM,eAAe,UAAU;GAAE,YAAY;GAAM;EAChE,WAAW;GAAE,MAAM,eAAe,UAAU;GAAE,YAAY;GAAO;EACjE,MAAM;GAAE,MAAM;GAAW,YAAY;GAAO;EAC7C;CACF,CAAC;AAEF,MAAa,6BAA6B,IAAI,YAAY;CACxD,MAAM;CACN,aAAa;CACb,QAAQ;EACN,SAAS;GAAE,MAAM,eAAe,SAAS;GAAE,YAAY;GAAO;EAC9D,QAAQ;GAAE,MAAM,eAAe,iBAAiB;GAAE,YAAY;GAAM;EACpE,aAAa;GAAE,MAAM,eAAe,iBAAiB;GAAE,YAAY;GAAM;EAC1E;CACF,CAAC;AAEF,MAAa,uBAAuB,IAAI,YAAY;CAClD,MAAM;CACN,aAAa;CACb,QAAQ;EACN,MAAM;GAAE,MAAM,eAAe,gBAAgB;GAAE,YAAY;GAAO;EAClE,aAAa;GAAE,MAAM,eAAe,iBAAiB;GAAE,YAAY;GAAM;EACzE,aAAa;GACX,MAAM,eAAe,iBAAiB;GACtC,YAAY;GACZ,SAAS;GACV;EACF;CACF,CAAC;AAEF,MAAa,uBAAuB,IAAI,YAAY;CAClD,MAAM;CACN,aAAa;CACb,QAAQ;EACN,QAAQ;GAAE,MAAM,eAAe,iBAAiB;GAAE,YAAY;GAAO;EACrE,MAAM;GAAE,MAAM,eAAe,iBAAiB;GAAE,YAAY;GAAM;EAClE,aAAa;GAAE,MAAM,eAAe,iBAAiB;GAAE,YAAY;GAAM;EACzE,aAAa;GACX,MAAM,eAAe,iBAAiB;GACtC,YAAY;GACZ,SAAS;GACV;EACF;CACF,CAAC;AAEF,MAAa,uBAAuB,IAAI,YAAY;CAClD,MAAM;CACN,aAAa;CACb,QAAQ,EACN,QAAQ;EAAE,MAAM,eAAe,iBAAiB;EAAE,YAAY;EAAO,EACtE;CACF,CAAC;AAEF,MAAa,uBAAuB,IAAI,YAAY;CAClD,MAAM;CACN,aAAa;CACb,QAAQ,EACN,OAAO;EAAE,MAAM;EAAW,YAAY;EAAO,SAAS;EAAM,EAC7D;CACF,CAAC;AAEF,MAAa,uBAAuB,IAAI,YAAY;CAClD,MAAM;CACN,aAAa;CACb,QAAQ;EACN,QAAQ;GAAE,MAAM,eAAe,iBAAiB;GAAE,YAAY;GAAO;EACrE,YAAY;GAAE,MAAM,eAAe,iBAAiB;GAAE,YAAY;GAAO;EACzE,UAAU;GAAE,MAAM,eAAe,iBAAiB;GAAE,YAAY;GAAO;EACvE,WAAW;GAAE,MAAM,eAAe,UAAU;GAAE,YAAY;GAAM;EACjE;CACF,CAAC;AAEF,MAAa,uBAAuB,IAAI,YAAY;CAClD,MAAM;CACN,aAAa;CACb,QAAQ,EACN,WAAW;EAAE,MAAM,eAAe,iBAAiB;EAAE,YAAY;EAAO,EACzE;CACF,CAAC;AAEF,MAAa,wBAAwB,IAAI,YAAY;CACnD,MAAM;CACN,aAAa;CACb,QAAQ,EACN,WAAW;EAAE,MAAM,eAAe,iBAAiB;EAAE,YAAY;EAAO,EACzE;CACF,CAAC;AAEF,MAAa,4BAA4B,IAAI,YAAY;CACvD,MAAM;CACN,aAAa;CACb,QAAQ;EACN,QAAQ;GAAE,MAAM,eAAe,iBAAiB;GAAE,YAAY;GAAO;EACrE,OAAO;GAAE,MAAM,eAAe,iBAAiB;GAAE,YAAY;GAAM;EACnE,YAAY;GAAE,MAAM,eAAe,iBAAiB;GAAE,YAAY;GAAO;EAC1E;CACF,CAAC;AAEF,MAAa,gCAAgC,IAAI,YAAY;CAC3D,MAAM;CACN,aAAa;CACb,QAAQ;EACN,QAAQ;GAAE,MAAM,eAAe,iBAAiB;GAAE,YAAY;GAAO;EACrE,OAAO;GAAE,MAAM,eAAe,iBAAiB;GAAE,YAAY;GAAM;EACpE;CACF,CAAC;AAEF,MAAa,iCAAiC,IAAI,YAAY;CAC5D,MAAM;CACN,aAAa;CACb,QAAQ;EACN,aAAa;GACX,MAAM,eAAe,iBAAiB;GACtC,YAAY;GACZ,SAAS;GACV;EACD,OAAO;GAAE,MAAM;GAAW,YAAY;GAAO,SAAS;GAAM;EAC7D;CACF,CAAC;;;;AAOF,MAAa,qBAAqB,cAAc;CAC9C,MAAM;EACJ,KAAK;EACL,SAAS;EACT,WAAW;EACX,QAAQ,CAAC,0BAA0B;EACnC,MAAM;GAAC;GAAY;GAAQ;GAAQ;GAAS;EAC5C,aAAa;EACb,MAAM;EACN,SAAS;EACV;CACD,IAAI;EACF,OAAO;EACP,QAAQ;EACR,QAAQ,EACN,aAAa;GACX,aAAa;GACb,MAAM;GACN,SAAS;GACT,MAAM;GACP,EACF;EACF;CACD,QAAQ,EACN,MAAM,SACP;CACD,aAAa,EACX,OAAO,CAAC,eAAe,EACxB;CACF,CAAC;;;;AAKF,MAAa,qBAAqB,cAAc;CAC9C,MAAM;EACJ,KAAK;EACL,SAAS;EACT,WAAW;EACX,QAAQ,CAAC,0BAA0B;EACnC,MAAM;GAAC;GAAY;GAAQ;GAAQ;GAAS;EAC5C,aAAa;EACb,MAAM;EACN,SAAS;EACV;CACD,IAAI;EACF,OAAO;EACP,QAAQ;EACT;CACD,QAAQ,EACN,MAAM,SACP;CACD,aAAa,EACX,OAAO,CAAC,eAAe,EACxB;CACF,CAAC;;;;AAKF,MAAa,qBAAqB,cAAc;CAC9C,MAAM;EACJ,KAAK;EACL,SAAS;EACT,WAAW;EACX,QAAQ,CAAC,0BAA0B;EACnC,MAAM;GAAC;GAAY;GAAQ;GAAQ;GAAS;EAC5C,aAAa;EACb,MAAM;EACN,SAAS;EACV;CACD,IAAI;EACF,OAAO;EACP,QAAQ;EACR,QAAQ,EACN,aAAa;GACX,aAAa;GACb,MAAM;GACN,SAAS;GACT,MAAM;GACP,EACF;EACF;CACD,QAAQ,EACN,MAAM,SACP;CACD,aAAa,EACX,OAAO,CAAC,eAAe,EACxB;CACF,CAAC;;;;AAKF,MAAa,oBAAoB,YAAY;CAC3C,MAAM;EACJ,KAAK;EACL,SAAS;EACT,WAAW;EACX,QAAQ,CAAC,0BAA0B;EACnC,MAAM;GAAC;GAAY;GAAQ;GAAQ;GAAO;EAC1C,aAAa;EACb,MAAM;EACN,SAAS;EACV;CACD,IAAI;EACF,OAAO;EACP,QAAQ;EACT;CACD,QAAQ,EACN,MAAM,QACP;CACF,CAAC;;;;AAKF,MAAa,qBAAqB,cAAc;CAC9C,MAAM;EACJ,KAAK;EACL,SAAS;EACT,WAAW;EACX,QAAQ,CAAC,0BAA0B;EACnC,MAAM;GAAC;GAAY;GAAQ;GAAS;EACpC,aAAa;EACb,MAAM;EACN,SAAS;EACV;CACD,IAAI;EACF,OAAO;EACP,QAAQ;EACR,QAAQ;GACN,gBAAgB;IACd,aAAa;IACb,MAAM;IACN,SAAS;IACT,MAAM;IACP;GACD,kBAAkB;IAChB,aAAa;IACb,MAAM;IACN,SAAS;IACT,MAAM;IACP;GACF;EACF;CACD,QAAQ,EACN,MAAM,SACP;CACD,aAAa;EACX,OAAO,CACL;GACE,KAAK;GACL,SAAS;GACT,MAAM;GACN,SAAS;GACV,CACF;EACD,OAAO,CAAC,gBAAgB;EACzB;CACF,CAAC;;;;AAKF,MAAa,qBAAqB,cAAc;CAC9C,MAAM;EACJ,KAAK;EACL,SAAS;EACT,WAAW;EACX,QAAQ,CAAC,0BAA0B;EACnC,MAAM;GAAC;GAAY;GAAQ;GAAS;EACpC,aAAa;EACb,MAAM;EACN,SAAS;EACV;CACD,IAAI;EACF,OAAO;EACP,QAAQ;EACR,QAAQ,EACN,mBAAmB;GACjB,aAAa;GACb,MAAM;GACN,SAAS;GACT,MAAM;GACP,EACF;EACF;CACD,QAAQ,EACN,MAAM,SACP;CACD,aAAa;EACX,OAAO,CACL;GACE,KAAK;GACL,SAAS;GACT,MAAM;GACN,SAAS;GACV,CACF;EACD,OAAO,CAAC,eAAe;EACxB;CACF,CAAC;;;;AAKF,MAAa,0BAA0B,YAAY;CACjD,MAAM;EACJ,KAAK;EACL,SAAS;EACT,WAAW;EACX,QAAQ,CAAC,0BAA0B;EACnC,MAAM;GAAC;GAAY;GAAQ;GAAS;GAAa;EACjD,aAAa;EACb,MAAM;EACN,SAAS;EACV;CACD,IAAI;EACF,OAAO;EACP,QAAQ;EACT;CACD,QAAQ,EACN,MAAM,QACP;CACF,CAAC;;;;AAKF,MAAa,8BAA8B,YAAY;CACrD,MAAM;EACJ,KAAK;EACL,SAAS;EACT,WAAW;EACX,QAAQ,CAAC,0BAA0B;EACnC,MAAM;GAAC;GAAY;GAAQ;GAAe;GAAO;EACjD,aAAa;EACb,MAAM;EACN,SAAS;EACV;CACD,IAAI;EACF,OAAO;EACP,QAAQ;EACT;CACD,QAAQ,EACN,MAAM,QACP;CACF,CAAC"}