@contractspec/lib.identity-rbac 1.44.1 → 1.45.1

@@ -1 +1 @@
1
- {"version":3,"file":"rbac.d.ts","names":[],"sources":["../../src/contracts/rbac.ts"],"sourcesContent":[],"mappings":";;;;;cAMa,WAAS;;UAcpB,2BAAA,CAAA;;EAdW,CAAA;EAcX,IAAA,EAAA;;;;;;IAdoB,UAAA,EAAA,IAAA;EAAA,CAAA;EAgBT,WAAA,EAAA;IAYX,IAAA,uCAAA,CAAA,MAAA,EAAA,MAAA,CAAA;;;;;;;;;cAZW,oBAAkB;;UAY7B,2BAAA,CAAA;;;;IAZ6B,IAAA,uCAAA,CAAA,MAAA,EAAA,MAAA,CAAA;IAAA,UAAA,EAAA,KAAA;EAclB,CAAA;EAQX,UAAA,EAAA;;;EARqC,CAAA;EAAA,QAAA,EAAA;IAU1B,IAAA,uCAYX,CAAA,MAAA,EAAA,MAAA,CAAA;IAAA,UAAA,EAAA,KAAA;;;IAZ+B,IAAA,uCAAA,KAAA,EAAA,MAAA,CAAA;IAAA,UAAA,EAAA,IAAA;EAcpB,CAAA;EAaX,SAAA,EAAA;;;;EAb+B,IAAA,EAAA;IAAA,IAAA,aAAA,CAAA;MAepB,EAAA,EAAA;QAQA,IAAA,uCAMX,CAAA,MAAA,EAAA,MAAA,CAAA;QAAA,UAAA,EAAA,KAAA;;;;;;;QAN+B,IAAA,uCAAA,CAAA,MAAA,EAAA,MAAA,CAAA;QAAA,UAAA,EAAA,IAAA;MAQpB,CAAA;MASX,WAAA,EAAA;;;;;MAT+B,SAAA,EAAA;QAAA,IAAA,uCAAA,KAAA,EAAA,MAAA,CAAA;QAWpB,UAAA,EAMX,KAAA;MAEW,CAAA;IAQA,CAAA,CAAA;IAQX,UAAA,EAAA,KAAA;;;AARoC,cAlFzB,0BAkFyB,EAlFC,WAkFD,CAAA;EAAA,OAAA,EAAA;IAUzB,IAAA,EApFX,2BAAA,CAAA,SA2FA,CAAA,OAAA,EAAA,OAAA,CAAA;IAAA,UAAA,EAAA,KAAA;;EAPwC,MAAA,EAAA;IAAA,IAAA,uCAAA,CAAA,MAAA,EAAA,MAAA,CAAA;IAS7B,UAAA,EAAA,IAAA;EAWX,CAAA;;;;;;cAtGW,sBAAoB;;IA2FU,IAAA,EA/EzC,2BAAA,CAAA,SA+EyC,CAAA,MAAA,EAAA,MAAA,CAAA;IAAA,UAAA,EAAA,KAAA;EAkB9B,CAAA;EA6BX,WAAA,EAAA;;;EA7B6B,CAAA;EAAA,WAAA,EAAA;;;;;;cA/FlB,sBAAoB;;IA+FF,IAAA,EAlF7B,2BAAA,CAAA,SAkF6B,CAAA,MAAA,EAAA,MAAA,CAAA;IAkClB,UAAA,EAAA,KAqBX;EAAA,CAAA;;;;EArB6B,CAAA;EAAA,WAAA,EAAA;;;;;;;;EAAA,CAAA;AA0B/B,CAAA,CAAA;AA6BE,cAzKW,oBAyKX,EAzK+B,WAyK/B,CAAA;EA7B6B,MAAA,EAAA;IAAA,IAAA,EAtI7B,2BAAA,CAAA,SAsI6B,CAAA,MAAA,EAAA,MAAA,CAAA;;;CAAA,CAAA;AAkClB,cAtKA,oBAwLX,EAxL+B,WAwL/B,CAAA;EAAA,KAAA,EAAA;IAlB4B,IAAA,aAAA,CAAA;;cAhK5B,2BAAA,CAAA;;;;;QAgK4B,UAAA,EAAA,KAAA;MAAA,CAAA;MAAA,WAAA,EAAA;QAuBjB,IAAA,uCA2CX,CAAA,MAAA,EAAA,MAAA,CAAA;QAAA,UAAA,EAAA,IAAA;;;;;QA3C6B,OAAA,EAAA,IAAA;MAAA,CAAA;;;;;;;;;;cArLlB,sBAAoB;;UAS/B,2BAAA,CAAA;;;;;;;;;;;;;;;;cAEW,sBAAoB;;UAM/B,2BAAA,CAAA;;;CAoK6B,CAAA;AAgDlB,cAlNA,qBAuPX,EAvPgC,WAuPhC,CAAA;EAAA,SAAA,EAAA;IArC6B,I
AAA,EA5M7B,2BAAA,CAAA,SA4M6B,CAAA,MAAA,EAAA,MAAA,CAAA;IAAA,UAAA,EAAA,KAAA;;;cA1MlB,2BAAyB;;IA0MP,IAAA,EAlM7B,2BAAA,CAAA,SAkM6B,CAAA,MAAA,EAAA,MAAA,CAAA;IA0ClB,UAAA,EAAA,KAAA;EAkBX,CAAA;;;IAlBkC,UAAA,EAAA,IAAA;EAAA,CAAA;;;;;CAAA,CAAA;AAuBvB,cAjQA,6BAmRX,EAnRwC,WAmRxC,CAAA;EAAA,MAAA,EAAA;UA5QA,2BAAA,CAAA;IA0PsC,UAAA,EAAA,KAAA;EAAA,CAAA;;;;;;cAxP3B,gCAA8B;;UAWzC,2BAAA,CAAA;;IA6OsC,OAAA,EAAA,IAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;cAtO3B,iDAAkB,cAAA;;UA6B7B,2BAAA,CAAA;;;;;;;;;;;;;;UA7B6B,2BAAA,CAAA;;;;;;;;;;;;;;;;;;;;;;;;cAkClB,iDAAkB,cAAA;;UAqB7B,2BAAA,CAAA;;;;;;;;;;;;;;;;;;UArB6B,2BAAA,CAAA;;;;;;;;;;;;;;;;;;;;;;;;cA0BlB,iDAAkB,cAAA;;UA6B7B,2BAAA,CAAA;;;;;UA7B6B,2BAAA,CAAA;;;;;;;cAkClB,mBAAiB,4BAAA,CAAA,cAkB5B,2BAAA,CAlB4B,cAAA,EAAA;;;;cAAA,2BAAA,CAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;cAuBjB,iDAAkB,cAAA;;UA2C7B,2BAAA,CAAA;;;;;;;;;;;;;;;;;UA3C6B,2BAAA,CAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;cAgDlB,iDAAkB,cAAA;;UAqC7B,2BAAA,CAAA;;;;;UArC6B,2BAAA,CAAA;;;;;;;;;;;;;;;;;cA0ClB,sDAAuB,cAAA;;UAkBlC,2BAAA,CAAA;;;;;;;;;;;;;UAlBkC,2BAAA,CAAA;;;;;;;;;;;;;;;cAuBvB,0DAA2B,cAAA;;UAkBtC,2BAAA,CAAA;;;;;;;;;UAlBsC,2BAAA,CAAA"}
1
+ {"version":3,"file":"rbac.d.ts","names":[],"sources":["../../src/contracts/rbac.ts"],"sourcesContent":[],"mappings":";;;;;cAMa,WAAS;;UAcpB,2BAAA,CAAA;;EAdW,CAAA;EAcX,IAAA,EAAA;;;;;;IAdoB,UAAA,EAAA,IAAA;EAAA,CAAA;EAgBT,WAAA,EAAA;IAYX,IAAA,uCAAA,CAAA,MAAA,EAAA,MAAA,CAAA;;;;;;;;;cAZW,oBAAkB;;UAY7B,2BAAA,CAAA;;;;IAZ6B,IAAA,uCAAA,CAAA,MAAA,EAAA,MAAA,CAAA;IAAA,UAAA,EAAA,KAAA;EAclB,CAAA;EAQX,UAAA,EAAA;;;EARqC,CAAA;EAAA,QAAA,EAAA;IAU1B,IAAA,uCAYX,CAAA,MAAA,EAAA,MAAA,CAAA;IAAA,UAAA,EAAA,KAAA;;;IAZ+B,IAAA,uCAAA,KAAA,EAAA,MAAA,CAAA;IAAA,UAAA,EAAA,IAAA;EAcpB,CAAA;EAaX,SAAA,EAAA;;;;EAb+B,IAAA,EAAA;IAAA,IAAA,aAAA,CAAA;MAepB,EAAA,EAAA;QAQA,IAAA,uCAMX,CAAA,MAAA,EAAA,MAAA,CAAA;QAAA,UAAA,EAAA,KAAA;;;;;;;QAN+B,IAAA,uCAAA,CAAA,MAAA,EAAA,MAAA,CAAA;QAAA,UAAA,EAAA,IAAA;MAQpB,CAAA;MASX,WAAA,EAAA;;;;;MAT+B,SAAA,EAAA;QAAA,IAAA,uCAAA,KAAA,EAAA,MAAA,CAAA;QAWpB,UAAA,EAMX,KAAA;MAEW,CAAA;IAQA,CAAA,CAAA;IAQX,UAAA,EAAA,KAAA;;;AARoC,cAlFzB,0BAkFyB,EAlFC,WAkFD,CAAA;EAAA,OAAA,EAAA;IAUzB,IAAA,EApFX,2BAAA,CAAA,SA2FA,CAAA,OAAA,EAAA,OAAA,CAAA;IAAA,UAAA,EAAA,KAAA;;EAPwC,MAAA,EAAA;IAAA,IAAA,uCAAA,CAAA,MAAA,EAAA,MAAA,CAAA;IAS7B,UAAA,EAAA,IAAA;EAWX,CAAA;;;;;;cAtGW,sBAAoB;;IA2FU,IAAA,EA/EzC,2BAAA,CAAA,SA+EyC,CAAA,MAAA,EAAA,MAAA,CAAA;IAAA,UAAA,EAAA,KAAA;EAkB9B,CAAA;EA6BX,WAAA,EAAA;;;EA7B6B,CAAA;EAAA,WAAA,EAAA;;;;;;cA/FlB,sBAAoB;;IA+FF,IAAA,EAlF7B,2BAAA,CAAA,SAkF6B,CAAA,MAAA,EAAA,MAAA,CAAA;IAkClB,UAAA,EAAA,KAqBX;EAAA,CAAA;;;;EArB6B,CAAA;EAAA,WAAA,EAAA;;;;;;;;EAAA,CAAA;AA0B/B,CAAA,CAAA;AA6BE,cAzKW,oBAyKX,EAzK+B,WAyK/B,CAAA;EA7B6B,MAAA,EAAA;IAAA,IAAA,EAtI7B,2BAAA,CAAA,SAsI6B,CAAA,MAAA,EAAA,MAAA,CAAA;;;CAAA,CAAA;AAkClB,cAtKA,oBAwLX,EAxL+B,WAwL/B,CAAA;EAAA,KAAA,EAAA;IAlB4B,IAAA,aAAA,CAAA;;cAhK5B,2BAAA,CAAA;;;;;QAgK4B,UAAA,EAAA,KAAA;MAAA,CAAA;MAAA,WAAA,EAAA;QAuBjB,IAAA,uCA2CX,CAAA,MAAA,EAAA,MAAA,CAAA;QAAA,UAAA,EAAA,IAAA;;;;;QA3C6B,OAAA,EAAA,IAAA;MAAA,CAAA;;;;;;;;;;cArLlB,sBAAoB;;UAS/B,2BAAA,CAAA;;;;;;;;;;;;;;;;cAEW,sBAAoB;;UAM/B,2BAAA,CAAA;;;CAoK6B,CAAA;AAgDlB,cAlNA,qBAuPX,EAvPgC,WAuPhC,CAAA;EAAA,SAAA,EAAA;IArC6B,I
AAA,EA5M7B,2BAAA,CAAA,SA4M6B,CAAA,MAAA,EAAA,MAAA,CAAA;IAAA,UAAA,EAAA,KAAA;;;cA1MlB,2BAAyB;;IA0MP,IAAA,EAlM7B,2BAAA,CAAA,SAkM6B,CAAA,MAAA,EAAA,MAAA,CAAA;IA0ClB,UAAA,EAAA,KAAA;EAkBX,CAAA;;;IAlBkC,UAAA,EAAA,IAAA;EAAA,CAAA;;;;;CAAA,CAAA;AAuBvB,cAjQA,6BAmRX,EAnRwC,WAmRxC,CAAA;EAAA,MAAA,EAAA;UA5QA,2BAAA,CAAA;IA0PsC,UAAA,EAAA,KAAA;EAAA,CAAA;;;;;;cAxP3B,gCAA8B;;UAWzC,2BAAA,CAAA;;IA6OsC,OAAA,EAAA,IAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;cAtO3B,kDAAkB,cAAA;;UA6B7B,2BAAA,CAAA;;;;;;;;;;;;;;UA7B6B,2BAAA,CAAA;;;;;;;;;;;;;;;;;;;;;;;;cAkClB,kDAAkB,cAAA;;UAqB7B,2BAAA,CAAA;;;;;;;;;;;;;;;;;;UArB6B,2BAAA,CAAA;;;;;;;;;;;;;;;;;;;;;;;;cA0BlB,kDAAkB,cAAA;;UA6B7B,2BAAA,CAAA;;;;;UA7B6B,2BAAA,CAAA;;;;;;;cAkClB,mBAAiB,6BAAA,CAAA,cAkB5B,2BAAA,CAlB4B,cAAA,EAAA;;;;cAAA,2BAAA,CAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;cAuBjB,kDAAkB,cAAA;;UA2C7B,2BAAA,CAAA;;;;;;;;;;;;;;;;;UA3C6B,2BAAA,CAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;cAgDlB,kDAAkB,cAAA;;UAqC7B,2BAAA,CAAA;;;;;UArC6B,2BAAA,CAAA;;;;;;;;;;;;;;;;;cA0ClB,uDAAuB,cAAA;;UAkBlC,2BAAA,CAAA;;;;;;;;;;;;;UAlBkC,2BAAA,CAAA;;;;;;;;;;;;;;;cAuBvB,2DAA2B,cAAA;;UAkBtC,2BAAA,CAAA;;;;;;;;;UAlBsC,2BAAA,CAAA"}
@@ -233,7 +233,7 @@ const ListUserPermissionsOutputModel = new SchemaModel({
233
233
  const CreateRoleContract = defineCommand({
234
234
  meta: {
235
235
  key: "identity.rbac.role.create",
236
- version: 1,
236
+ version: "1.0.0",
237
237
  stability: "stable",
238
238
  owners: ["@platform.identity-rbac"],
239
239
  tags: [
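Review bot: `meta.version` changes type from the number `1` to the string `"1.0.0"` here and on the same line of the UpdateRole, DeleteRole, ListRoles, AssignRole, RevokeRole, CheckPermission and ListUserPermissions hunks, and nothing visible shows how a caller still holding the numeric form is handled. These contracts cover role creation, assignment and permission checks, so a registry or policy lookup keyed on `key` plus `version` with strict comparison (`1 !== "1.0.0"`) would presumably stop resolving the operation; whether it then fails closed depends on code outside this diff and is worth confirming. I would document the break next to the first contract, e.g. `// meta.version is a semver string; numeric versions from earlier releases do not compare equal`, and add a test that resolving `identity.rbac.check` with a numeric version is rejected explicitly rather than returning no contract. Each `defineCommand`/`defineQuery` call continues past the end of its hunk.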
@@ -265,7 +265,7 @@ const CreateRoleContract = defineCommand({
265
265
  const UpdateRoleContract = defineCommand({
266
266
  meta: {
267
267
  key: "identity.rbac.role.update",
268
- version: 1,
268
+ version: "1.0.0",
269
269
  stability: "stable",
270
270
  owners: ["@platform.identity-rbac"],
271
271
  tags: [
@@ -291,7 +291,7 @@ const UpdateRoleContract = defineCommand({
291
291
  const DeleteRoleContract = defineCommand({
292
292
  meta: {
293
293
  key: "identity.rbac.role.delete",
294
- version: 1,
294
+ version: "1.0.0",
295
295
  stability: "stable",
296
296
  owners: ["@platform.identity-rbac"],
297
297
  tags: [
@@ -323,7 +323,7 @@ const DeleteRoleContract = defineCommand({
323
323
  const ListRolesContract = defineQuery({
324
324
  meta: {
325
325
  key: "identity.rbac.role.list",
326
- version: 1,
326
+ version: "1.0.0",
327
327
  stability: "stable",
328
328
  owners: ["@platform.identity-rbac"],
329
329
  tags: [
@@ -348,7 +348,7 @@ const ListRolesContract = defineQuery({
348
348
  const AssignRoleContract = defineCommand({
349
349
  meta: {
350
350
  key: "identity.rbac.assign",
351
- version: 1,
351
+ version: "1.0.0",
352
352
  stability: "stable",
353
353
  owners: ["@platform.identity-rbac"],
354
354
  tags: [
@@ -382,7 +382,7 @@ const AssignRoleContract = defineCommand({
382
382
  sideEffects: {
383
383
  emits: [{
384
384
  key: "role.assigned",
385
- version: 1,
385
+ version: "1.0.0",
386
386
  when: "Role is assigned",
387
387
  payload: PolicyBindingModel
388
388
  }],
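Review bot: The emitted event `role.assigned` now advertises `version: "1.0.0"` (the `role.revoked` entry in the RevokeRoleContract hunk changes the same way), and the consumers of these events are not part of the diff. Role assignment and revocation events commonly feed audit trails and access reviews, so a subscriber that still filters on the numeric version would stop receiving them without raising any error. Before release, check that every subscriber matches on the string form, and consider a comment on the entry such as `// event version is a semver string; subscribers must match "1.0.0", not 1`. The enclosing `defineCommand` call starts before this hunk and the `sideEffects` object closes after it.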
@@ -395,7 +395,7 @@ const AssignRoleContract = defineCommand({
395
395
  const RevokeRoleContract = defineCommand({
396
396
  meta: {
397
397
  key: "identity.rbac.revoke",
398
- version: 1,
398
+ version: "1.0.0",
399
399
  stability: "stable",
400
400
  owners: ["@platform.identity-rbac"],
401
401
  tags: [
@@ -421,7 +421,7 @@ const RevokeRoleContract = defineCommand({
421
421
  sideEffects: {
422
422
  emits: [{
423
423
  key: "role.revoked",
424
- version: 1,
424
+ version: "1.0.0",
425
425
  when: "Role is revoked",
426
426
  payload: BindingIdPayloadModel
427
427
  }],
@@ -434,7 +434,7 @@ const RevokeRoleContract = defineCommand({
434
434
  const CheckPermissionContract = defineQuery({
435
435
  meta: {
436
436
  key: "identity.rbac.check",
437
- version: 1,
437
+ version: "1.0.0",
438
438
  stability: "stable",
439
439
  owners: ["@platform.identity-rbac"],
440
440
  tags: [
@@ -459,7 +459,7 @@ const CheckPermissionContract = defineQuery({
459
459
  const ListUserPermissionsContract = defineQuery({
460
460
  meta: {
461
461
  key: "identity.rbac.permissions",
462
- version: 1,
462
+ version: "1.0.0",
463
463
  stability: "stable",
464
464
  owners: ["@platform.identity-rbac"],
465
465
  tags: [
@@ -1 +1 @@
1
- {"version":3,"file":"rbac.js","names":[],"sources":["../../src/contracts/rbac.ts"],"sourcesContent":["import { SchemaModel, ScalarTypeEnum } from '@contractspec/lib.schema';\nimport { defineCommand, defineQuery } from '@contractspec/lib.contracts';\nimport { SuccessResultModel } from './user';\n\n// ============ SchemaModels ============\n\nexport const RoleModel = new SchemaModel({\n name: 'Role',\n description: 'RBAC role definition',\n fields: {\n id: { type: ScalarTypeEnum.String_unsecure(), isOptional: false },\n name: { type: ScalarTypeEnum.String_unsecure(), isOptional: false },\n description: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },\n permissions: {\n type: ScalarTypeEnum.String_unsecure(),\n isOptional: false,\n isArray: true,\n },\n createdAt: { type: ScalarTypeEnum.DateTime(), isOptional: false },\n },\n});\n\nexport const PolicyBindingModel = new SchemaModel({\n name: 'PolicyBinding',\n description: 'Role assignment to a target',\n fields: {\n id: { type: ScalarTypeEnum.String_unsecure(), isOptional: false },\n roleId: { type: ScalarTypeEnum.String_unsecure(), isOptional: false },\n targetType: { type: ScalarTypeEnum.String_unsecure(), isOptional: false }, // user | organization\n targetId: { type: ScalarTypeEnum.String_unsecure(), isOptional: false },\n expiresAt: { type: ScalarTypeEnum.DateTime(), isOptional: true },\n createdAt: { type: ScalarTypeEnum.DateTime(), isOptional: false },\n role: { type: RoleModel, isOptional: false },\n },\n});\n\nexport const PermissionCheckResultModel = new SchemaModel({\n name: 'PermissionCheckResult',\n description: 'Result of a permission check',\n fields: {\n allowed: { type: ScalarTypeEnum.Boolean(), isOptional: false },\n reason: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },\n matchedRole: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },\n },\n});\n\nexport const CreateRoleInputModel = new SchemaModel({\n name: 'CreateRoleInput',\n description: 'Input for 
creating a role',\n fields: {\n name: { type: ScalarTypeEnum.NonEmptyString(), isOptional: false },\n description: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },\n permissions: {\n type: ScalarTypeEnum.String_unsecure(),\n isOptional: false,\n isArray: true,\n },\n },\n});\n\nexport const UpdateRoleInputModel = new SchemaModel({\n name: 'UpdateRoleInput',\n description: 'Input for updating a role',\n fields: {\n roleId: { type: ScalarTypeEnum.String_unsecure(), isOptional: false },\n name: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },\n description: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },\n permissions: {\n type: ScalarTypeEnum.String_unsecure(),\n isOptional: true,\n isArray: true,\n },\n },\n});\n\nexport const DeleteRoleInputModel = new SchemaModel({\n name: 'DeleteRoleInput',\n description: 'Input for deleting a role',\n fields: {\n roleId: { type: ScalarTypeEnum.String_unsecure(), isOptional: false },\n },\n});\n\nexport const ListRolesOutputModel = new SchemaModel({\n name: 'ListRolesOutput',\n description: 'Output for listing roles',\n fields: {\n roles: { type: RoleModel, isOptional: false, isArray: true },\n },\n});\n\nexport const AssignRoleInputModel = new SchemaModel({\n name: 'AssignRoleInput',\n description: 'Input for assigning a role',\n fields: {\n roleId: { type: ScalarTypeEnum.String_unsecure(), isOptional: false },\n targetType: { type: ScalarTypeEnum.String_unsecure(), isOptional: false }, // user | organization\n targetId: { type: ScalarTypeEnum.String_unsecure(), isOptional: false },\n expiresAt: { type: ScalarTypeEnum.DateTime(), isOptional: true },\n },\n});\n\nexport const RevokeRoleInputModel = new SchemaModel({\n name: 'RevokeRoleInput',\n description: 'Input for revoking a role',\n fields: {\n bindingId: { type: ScalarTypeEnum.String_unsecure(), isOptional: false },\n },\n});\n\nexport const BindingIdPayloadModel = new SchemaModel({\n name: 'BindingIdPayload',\n description: 'Payload 
with binding ID',\n fields: {\n bindingId: { type: ScalarTypeEnum.String_unsecure(), isOptional: false },\n },\n});\n\nexport const CheckPermissionInputModel = new SchemaModel({\n name: 'CheckPermissionInput',\n description: 'Input for checking a permission',\n fields: {\n userId: { type: ScalarTypeEnum.String_unsecure(), isOptional: false },\n orgId: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },\n permission: { type: ScalarTypeEnum.String_unsecure(), isOptional: false },\n },\n});\n\nexport const ListUserPermissionsInputModel = new SchemaModel({\n name: 'ListUserPermissionsInput',\n description: 'Input for listing user permissions',\n fields: {\n userId: { type: ScalarTypeEnum.String_unsecure(), isOptional: false },\n orgId: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },\n },\n});\n\nexport const ListUserPermissionsOutputModel = new SchemaModel({\n name: 'ListUserPermissionsOutput',\n description: 'Output for listing user permissions',\n fields: {\n permissions: {\n type: ScalarTypeEnum.String_unsecure(),\n isOptional: false,\n isArray: true,\n },\n roles: { type: RoleModel, isOptional: false, isArray: true },\n },\n});\n\n// ============ Contracts ============\n\n/**\n * Create a new role.\n */\nexport const CreateRoleContract = defineCommand({\n meta: {\n key: 'identity.rbac.role.create',\n version: 1,\n stability: 'stable',\n owners: ['@platform.identity-rbac'],\n tags: ['identity', 'rbac', 'role', 'create'],\n description: 'Create a new role with permissions.',\n goal: 'Allow admins to define custom roles.',\n context: 'Role management in admin settings.',\n },\n io: {\n input: CreateRoleInputModel,\n output: RoleModel,\n errors: {\n ROLE_EXISTS: {\n description: 'A role with this name already exists',\n http: 409,\n gqlCode: 'ROLE_EXISTS',\n when: 'Role name is taken',\n },\n },\n },\n policy: {\n auth: 'admin',\n },\n sideEffects: {\n audit: ['role.created'],\n },\n});\n\n/**\n * Update a role.\n */\nexport const 
UpdateRoleContract = defineCommand({\n meta: {\n key: 'identity.rbac.role.update',\n version: 1,\n stability: 'stable',\n owners: ['@platform.identity-rbac'],\n tags: ['identity', 'rbac', 'role', 'update'],\n description: 'Update an existing role.',\n goal: 'Allow admins to modify role permissions.',\n context: 'Role management in admin settings.',\n },\n io: {\n input: UpdateRoleInputModel,\n output: RoleModel,\n },\n policy: {\n auth: 'admin',\n },\n sideEffects: {\n audit: ['role.updated'],\n },\n});\n\n/**\n * Delete a role.\n */\nexport const DeleteRoleContract = defineCommand({\n meta: {\n key: 'identity.rbac.role.delete',\n version: 1,\n stability: 'stable',\n owners: ['@platform.identity-rbac'],\n tags: ['identity', 'rbac', 'role', 'delete'],\n description: 'Delete an existing role.',\n goal: 'Allow admins to remove unused roles.',\n context: 'Role management. Removes all policy bindings using this role.',\n },\n io: {\n input: DeleteRoleInputModel,\n output: SuccessResultModel,\n errors: {\n ROLE_IN_USE: {\n description: 'Role is still assigned to users or organizations',\n http: 409,\n gqlCode: 'ROLE_IN_USE',\n when: 'Role has active bindings',\n },\n },\n },\n policy: {\n auth: 'admin',\n },\n sideEffects: {\n audit: ['role.deleted'],\n },\n});\n\n/**\n * List all roles.\n */\nexport const ListRolesContract = defineQuery({\n meta: {\n key: 'identity.rbac.role.list',\n version: 1,\n stability: 'stable',\n owners: ['@platform.identity-rbac'],\n tags: ['identity', 'rbac', 'role', 'list'],\n description: 'List all available roles.',\n goal: 'Show available roles for assignment.',\n context: 'Role assignment UI.',\n },\n io: {\n input: null,\n output: ListRolesOutputModel,\n },\n policy: {\n auth: 'user',\n },\n});\n\n/**\n * Assign a role to a user or organization.\n */\nexport const AssignRoleContract = defineCommand({\n meta: {\n key: 'identity.rbac.assign',\n version: 1,\n stability: 'stable',\n owners: ['@platform.identity-rbac'],\n tags: ['identity', 
'rbac', 'assign'],\n description: 'Assign a role to a user or organization.',\n goal: 'Grant permissions via role assignment.',\n context: 'User/org permission management.',\n },\n io: {\n input: AssignRoleInputModel,\n output: PolicyBindingModel,\n errors: {\n ROLE_NOT_FOUND: {\n description: 'The specified role does not exist',\n http: 404,\n gqlCode: 'ROLE_NOT_FOUND',\n when: 'Role ID is invalid',\n },\n ALREADY_ASSIGNED: {\n description: 'This role is already assigned to the target',\n http: 409,\n gqlCode: 'ALREADY_ASSIGNED',\n when: 'Binding already exists',\n },\n },\n },\n policy: {\n auth: 'admin',\n },\n sideEffects: {\n emits: [\n {\n key: 'role.assigned',\n version: 1,\n when: 'Role is assigned',\n payload: PolicyBindingModel,\n },\n ],\n audit: ['role.assigned'],\n },\n});\n\n/**\n * Revoke a role from a user or organization.\n */\nexport const RevokeRoleContract = defineCommand({\n meta: {\n key: 'identity.rbac.revoke',\n version: 1,\n stability: 'stable',\n owners: ['@platform.identity-rbac'],\n tags: ['identity', 'rbac', 'revoke'],\n description: 'Revoke a role from a user or organization.',\n goal: 'Remove permissions via role revocation.',\n context: 'User/org permission management.',\n },\n io: {\n input: RevokeRoleInputModel,\n output: SuccessResultModel,\n errors: {\n BINDING_NOT_FOUND: {\n description: 'The policy binding does not exist',\n http: 404,\n gqlCode: 'BINDING_NOT_FOUND',\n when: 'Binding ID is invalid',\n },\n },\n },\n policy: {\n auth: 'admin',\n },\n sideEffects: {\n emits: [\n {\n key: 'role.revoked',\n version: 1,\n when: 'Role is revoked',\n payload: BindingIdPayloadModel,\n },\n ],\n audit: ['role.revoked'],\n },\n});\n\n/**\n * Check if a user has a specific permission.\n */\nexport const CheckPermissionContract = defineQuery({\n meta: {\n key: 'identity.rbac.check',\n version: 1,\n stability: 'stable',\n owners: ['@platform.identity-rbac'],\n tags: ['identity', 'rbac', 'check', 'permission'],\n description: 'Check if a 
user has a specific permission.',\n goal: 'Authorization check before sensitive operations.',\n context: 'Called by other services to verify permissions.',\n },\n io: {\n input: CheckPermissionInputModel,\n output: PermissionCheckResultModel,\n },\n policy: {\n auth: 'user',\n },\n});\n\n/**\n * List permissions for a user.\n */\nexport const ListUserPermissionsContract = defineQuery({\n meta: {\n key: 'identity.rbac.permissions',\n version: 1,\n stability: 'stable',\n owners: ['@platform.identity-rbac'],\n tags: ['identity', 'rbac', 'permissions', 'user'],\n description: 'List all permissions for a user in a context.',\n goal: 'Show what a user can do in an org.',\n context: 'UI permission display, debugging.',\n },\n io: {\n input: ListUserPermissionsInputModel,\n output: ListUserPermissionsOutputModel,\n },\n policy: {\n auth: 'user',\n },\n});\n"],"mappings":";;;;;AAMA,MAAa,YAAY,IAAI,YAAY;CACvC,MAAM;CACN,aAAa;CACb,QAAQ;EACN,IAAI;GAAE,MAAM,eAAe,iBAAiB;GAAE,YAAY;GAAO;EACjE,MAAM;GAAE,MAAM,eAAe,iBAAiB;GAAE,YAAY;GAAO;EACnE,aAAa;GAAE,MAAM,eAAe,iBAAiB;GAAE,YAAY;GAAM;EACzE,aAAa;GACX,MAAM,eAAe,iBAAiB;GACtC,YAAY;GACZ,SAAS;GACV;EACD,WAAW;GAAE,MAAM,eAAe,UAAU;GAAE,YAAY;GAAO;EAClE;CACF,CAAC;AAEF,MAAa,qBAAqB,IAAI,YAAY;CAChD,MAAM;CACN,aAAa;CACb,QAAQ;EACN,IAAI;GAAE,MAAM,eAAe,iBAAiB;GAAE,YAAY;GAAO;EACjE,QAAQ;GAAE,MAAM,eAAe,iBAAiB;GAAE,YAAY;GAAO;EACrE,YAAY;GAAE,MAAM,eAAe,iBAAiB;GAAE,YAAY;GAAO;EACzE,UAAU;GAAE,MAAM,eAAe,iBAAiB;GAAE,YAAY;GAAO;EACvE,WAAW;GAAE,MAAM,eAAe,UAAU;GAAE,YAAY;GAAM;EAChE,WAAW;GAAE,MAAM,eAAe,UAAU;GAAE,YAAY;GAAO;EACjE,MAAM;GAAE,MAAM;GAAW,YAAY;GAAO;EAC7C;CACF,CAAC;AAEF,MAAa,6BAA6B,IAAI,YAAY;CACxD,MAAM;CACN,aAAa;CACb,QAAQ;EACN,SAAS;GAAE,MAAM,eAAe,SAAS;GAAE,YAAY;GAAO;EAC9D,QAAQ;GAAE,MAAM,eAAe,iBAAiB;GAAE,YAAY;GAAM;EACpE,aAAa;GAAE,MAAM,eAAe,iBAAiB;GAAE,YAAY;GAAM;EAC1E;CACF,CAAC;AAEF,MAAa,uBAAuB,IAAI,YAAY;CAClD,MAAM;CACN,aAAa;CACb,QAAQ;EACN,MAAM;GAAE,MAAM,eAAe,gBAAgB;GAAE,YAAY;GAAO;EAClE,aAAa;GAAE,MAAM,eAAe,iBAAiB;GAAE,YAAY;GAAM;EACzE,aAAa;GACX,MAAM,eAAe,iBAAiB;GACtC,
YAAY;GACZ,SAAS;GACV;EACF;CACF,CAAC;AAEF,MAAa,uBAAuB,IAAI,YAAY;CAClD,MAAM;CACN,aAAa;CACb,QAAQ;EACN,QAAQ;GAAE,MAAM,eAAe,iBAAiB;GAAE,YAAY;GAAO;EACrE,MAAM;GAAE,MAAM,eAAe,iBAAiB;GAAE,YAAY;GAAM;EAClE,aAAa;GAAE,MAAM,eAAe,iBAAiB;GAAE,YAAY;GAAM;EACzE,aAAa;GACX,MAAM,eAAe,iBAAiB;GACtC,YAAY;GACZ,SAAS;GACV;EACF;CACF,CAAC;AAEF,MAAa,uBAAuB,IAAI,YAAY;CAClD,MAAM;CACN,aAAa;CACb,QAAQ,EACN,QAAQ;EAAE,MAAM,eAAe,iBAAiB;EAAE,YAAY;EAAO,EACtE;CACF,CAAC;AAEF,MAAa,uBAAuB,IAAI,YAAY;CAClD,MAAM;CACN,aAAa;CACb,QAAQ,EACN,OAAO;EAAE,MAAM;EAAW,YAAY;EAAO,SAAS;EAAM,EAC7D;CACF,CAAC;AAEF,MAAa,uBAAuB,IAAI,YAAY;CAClD,MAAM;CACN,aAAa;CACb,QAAQ;EACN,QAAQ;GAAE,MAAM,eAAe,iBAAiB;GAAE,YAAY;GAAO;EACrE,YAAY;GAAE,MAAM,eAAe,iBAAiB;GAAE,YAAY;GAAO;EACzE,UAAU;GAAE,MAAM,eAAe,iBAAiB;GAAE,YAAY;GAAO;EACvE,WAAW;GAAE,MAAM,eAAe,UAAU;GAAE,YAAY;GAAM;EACjE;CACF,CAAC;AAEF,MAAa,uBAAuB,IAAI,YAAY;CAClD,MAAM;CACN,aAAa;CACb,QAAQ,EACN,WAAW;EAAE,MAAM,eAAe,iBAAiB;EAAE,YAAY;EAAO,EACzE;CACF,CAAC;AAEF,MAAa,wBAAwB,IAAI,YAAY;CACnD,MAAM;CACN,aAAa;CACb,QAAQ,EACN,WAAW;EAAE,MAAM,eAAe,iBAAiB;EAAE,YAAY;EAAO,EACzE;CACF,CAAC;AAEF,MAAa,4BAA4B,IAAI,YAAY;CACvD,MAAM;CACN,aAAa;CACb,QAAQ;EACN,QAAQ;GAAE,MAAM,eAAe,iBAAiB;GAAE,YAAY;GAAO;EACrE,OAAO;GAAE,MAAM,eAAe,iBAAiB;GAAE,YAAY;GAAM;EACnE,YAAY;GAAE,MAAM,eAAe,iBAAiB;GAAE,YAAY;GAAO;EAC1E;CACF,CAAC;AAEF,MAAa,gCAAgC,IAAI,YAAY;CAC3D,MAAM;CACN,aAAa;CACb,QAAQ;EACN,QAAQ;GAAE,MAAM,eAAe,iBAAiB;GAAE,YAAY;GAAO;EACrE,OAAO;GAAE,MAAM,eAAe,iBAAiB;GAAE,YAAY;GAAM;EACpE;CACF,CAAC;AAEF,MAAa,iCAAiC,IAAI,YAAY;CAC5D,MAAM;CACN,aAAa;CACb,QAAQ;EACN,aAAa;GACX,MAAM,eAAe,iBAAiB;GACtC,YAAY;GACZ,SAAS;GACV;EACD,OAAO;GAAE,MAAM;GAAW,YAAY;GAAO,SAAS;GAAM;EAC7D;CACF,CAAC;;;;AAOF,MAAa,qBAAqB,cAAc;CAC9C,MAAM;EACJ,KAAK;EACL,SAAS;EACT,WAAW;EACX,QAAQ,CAAC,0BAA0B;EACnC,MAAM;GAAC;GAAY;GAAQ;GAAQ;GAAS;EAC5C,aAAa;EACb,MAAM;EACN,SAAS;EACV;CACD,IAAI;EACF,OAAO;EACP,QAAQ;EACR,QAAQ,EACN,aAAa;GACX,aAAa;GACb,MAAM;GACN,SAAS;GACT,MAAM;GACP,EACF;EACF;CACD,QAAQ,EACN,MAAM,SACP;CACD,aAAa,EACX,OAAO,CAAC,eAAe,EACxB;CACF,CAAC;;;;AAKF,MAAa,qBAAqB,cAAc;CAC9C,MAAM;EACJ,KAAK;
EACL,SAAS;EACT,WAAW;EACX,QAAQ,CAAC,0BAA0B;EACnC,MAAM;GAAC;GAAY;GAAQ;GAAQ;GAAS;EAC5C,aAAa;EACb,MAAM;EACN,SAAS;EACV;CACD,IAAI;EACF,OAAO;EACP,QAAQ;EACT;CACD,QAAQ,EACN,MAAM,SACP;CACD,aAAa,EACX,OAAO,CAAC,eAAe,EACxB;CACF,CAAC;;;;AAKF,MAAa,qBAAqB,cAAc;CAC9C,MAAM;EACJ,KAAK;EACL,SAAS;EACT,WAAW;EACX,QAAQ,CAAC,0BAA0B;EACnC,MAAM;GAAC;GAAY;GAAQ;GAAQ;GAAS;EAC5C,aAAa;EACb,MAAM;EACN,SAAS;EACV;CACD,IAAI;EACF,OAAO;EACP,QAAQ;EACR,QAAQ,EACN,aAAa;GACX,aAAa;GACb,MAAM;GACN,SAAS;GACT,MAAM;GACP,EACF;EACF;CACD,QAAQ,EACN,MAAM,SACP;CACD,aAAa,EACX,OAAO,CAAC,eAAe,EACxB;CACF,CAAC;;;;AAKF,MAAa,oBAAoB,YAAY;CAC3C,MAAM;EACJ,KAAK;EACL,SAAS;EACT,WAAW;EACX,QAAQ,CAAC,0BAA0B;EACnC,MAAM;GAAC;GAAY;GAAQ;GAAQ;GAAO;EAC1C,aAAa;EACb,MAAM;EACN,SAAS;EACV;CACD,IAAI;EACF,OAAO;EACP,QAAQ;EACT;CACD,QAAQ,EACN,MAAM,QACP;CACF,CAAC;;;;AAKF,MAAa,qBAAqB,cAAc;CAC9C,MAAM;EACJ,KAAK;EACL,SAAS;EACT,WAAW;EACX,QAAQ,CAAC,0BAA0B;EACnC,MAAM;GAAC;GAAY;GAAQ;GAAS;EACpC,aAAa;EACb,MAAM;EACN,SAAS;EACV;CACD,IAAI;EACF,OAAO;EACP,QAAQ;EACR,QAAQ;GACN,gBAAgB;IACd,aAAa;IACb,MAAM;IACN,SAAS;IACT,MAAM;IACP;GACD,kBAAkB;IAChB,aAAa;IACb,MAAM;IACN,SAAS;IACT,MAAM;IACP;GACF;EACF;CACD,QAAQ,EACN,MAAM,SACP;CACD,aAAa;EACX,OAAO,CACL;GACE,KAAK;GACL,SAAS;GACT,MAAM;GACN,SAAS;GACV,CACF;EACD,OAAO,CAAC,gBAAgB;EACzB;CACF,CAAC;;;;AAKF,MAAa,qBAAqB,cAAc;CAC9C,MAAM;EACJ,KAAK;EACL,SAAS;EACT,WAAW;EACX,QAAQ,CAAC,0BAA0B;EACnC,MAAM;GAAC;GAAY;GAAQ;GAAS;EACpC,aAAa;EACb,MAAM;EACN,SAAS;EACV;CACD,IAAI;EACF,OAAO;EACP,QAAQ;EACR,QAAQ,EACN,mBAAmB;GACjB,aAAa;GACb,MAAM;GACN,SAAS;GACT,MAAM;GACP,EACF;EACF;CACD,QAAQ,EACN,MAAM,SACP;CACD,aAAa;EACX,OAAO,CACL;GACE,KAAK;GACL,SAAS;GACT,MAAM;GACN,SAAS;GACV,CACF;EACD,OAAO,CAAC,eAAe;EACxB;CACF,CAAC;;;;AAKF,MAAa,0BAA0B,YAAY;CACjD,MAAM;EACJ,KAAK;EACL,SAAS;EACT,WAAW;EACX,QAAQ,CAAC,0BAA0B;EACnC,MAAM;GAAC;GAAY;GAAQ;GAAS;GAAa;EACjD,aAAa;EACb,MAAM;EACN,SAAS;EACV;CACD,IAAI;EACF,OAAO;EACP,QAAQ;EACT;CACD,QAAQ,EACN,MAAM,QACP;CACF,CAAC;;;;AAKF,MAAa,8BAA8B,YAAY;CACrD,MAAM;EACJ,KAAK;EACL,SAAS;EACT,WAAW;EACX,QAAQ,CAAC,0BAA0B;EACnC,MAAM;GAAC;GAAY;GAAQ;GAAe;GAAO;EAC
jD,aAAa;EACb,MAAM;EACN,SAAS;EACV;CACD,IAAI;EACF,OAAO;EACP,QAAQ;EACT;CACD,QAAQ,EACN,MAAM,QACP;CACF,CAAC"}
1
+ {"version":3,"file":"rbac.js","names":[],"sources":["../../src/contracts/rbac.ts"],"sourcesContent":["import { SchemaModel, ScalarTypeEnum } from '@contractspec/lib.schema';\nimport { defineCommand, defineQuery } from '@contractspec/lib.contracts';\nimport { SuccessResultModel } from './user';\n\n// ============ SchemaModels ============\n\nexport const RoleModel = new SchemaModel({\n name: 'Role',\n description: 'RBAC role definition',\n fields: {\n id: { type: ScalarTypeEnum.String_unsecure(), isOptional: false },\n name: { type: ScalarTypeEnum.String_unsecure(), isOptional: false },\n description: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },\n permissions: {\n type: ScalarTypeEnum.String_unsecure(),\n isOptional: false,\n isArray: true,\n },\n createdAt: { type: ScalarTypeEnum.DateTime(), isOptional: false },\n },\n});\n\nexport const PolicyBindingModel = new SchemaModel({\n name: 'PolicyBinding',\n description: 'Role assignment to a target',\n fields: {\n id: { type: ScalarTypeEnum.String_unsecure(), isOptional: false },\n roleId: { type: ScalarTypeEnum.String_unsecure(), isOptional: false },\n targetType: { type: ScalarTypeEnum.String_unsecure(), isOptional: false }, // user | organization\n targetId: { type: ScalarTypeEnum.String_unsecure(), isOptional: false },\n expiresAt: { type: ScalarTypeEnum.DateTime(), isOptional: true },\n createdAt: { type: ScalarTypeEnum.DateTime(), isOptional: false },\n role: { type: RoleModel, isOptional: false },\n },\n});\n\nexport const PermissionCheckResultModel = new SchemaModel({\n name: 'PermissionCheckResult',\n description: 'Result of a permission check',\n fields: {\n allowed: { type: ScalarTypeEnum.Boolean(), isOptional: false },\n reason: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },\n matchedRole: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },\n },\n});\n\nexport const CreateRoleInputModel = new SchemaModel({\n name: 'CreateRoleInput',\n description: 'Input for 
creating a role',\n fields: {\n name: { type: ScalarTypeEnum.NonEmptyString(), isOptional: false },\n description: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },\n permissions: {\n type: ScalarTypeEnum.String_unsecure(),\n isOptional: false,\n isArray: true,\n },\n },\n});\n\nexport const UpdateRoleInputModel = new SchemaModel({\n name: 'UpdateRoleInput',\n description: 'Input for updating a role',\n fields: {\n roleId: { type: ScalarTypeEnum.String_unsecure(), isOptional: false },\n name: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },\n description: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },\n permissions: {\n type: ScalarTypeEnum.String_unsecure(),\n isOptional: true,\n isArray: true,\n },\n },\n});\n\nexport const DeleteRoleInputModel = new SchemaModel({\n name: 'DeleteRoleInput',\n description: 'Input for deleting a role',\n fields: {\n roleId: { type: ScalarTypeEnum.String_unsecure(), isOptional: false },\n },\n});\n\nexport const ListRolesOutputModel = new SchemaModel({\n name: 'ListRolesOutput',\n description: 'Output for listing roles',\n fields: {\n roles: { type: RoleModel, isOptional: false, isArray: true },\n },\n});\n\nexport const AssignRoleInputModel = new SchemaModel({\n name: 'AssignRoleInput',\n description: 'Input for assigning a role',\n fields: {\n roleId: { type: ScalarTypeEnum.String_unsecure(), isOptional: false },\n targetType: { type: ScalarTypeEnum.String_unsecure(), isOptional: false }, // user | organization\n targetId: { type: ScalarTypeEnum.String_unsecure(), isOptional: false },\n expiresAt: { type: ScalarTypeEnum.DateTime(), isOptional: true },\n },\n});\n\nexport const RevokeRoleInputModel = new SchemaModel({\n name: 'RevokeRoleInput',\n description: 'Input for revoking a role',\n fields: {\n bindingId: { type: ScalarTypeEnum.String_unsecure(), isOptional: false },\n },\n});\n\nexport const BindingIdPayloadModel = new SchemaModel({\n name: 'BindingIdPayload',\n description: 'Payload 
with binding ID',\n fields: {\n bindingId: { type: ScalarTypeEnum.String_unsecure(), isOptional: false },\n },\n});\n\nexport const CheckPermissionInputModel = new SchemaModel({\n name: 'CheckPermissionInput',\n description: 'Input for checking a permission',\n fields: {\n userId: { type: ScalarTypeEnum.String_unsecure(), isOptional: false },\n orgId: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },\n permission: { type: ScalarTypeEnum.String_unsecure(), isOptional: false },\n },\n});\n\nexport const ListUserPermissionsInputModel = new SchemaModel({\n name: 'ListUserPermissionsInput',\n description: 'Input for listing user permissions',\n fields: {\n userId: { type: ScalarTypeEnum.String_unsecure(), isOptional: false },\n orgId: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },\n },\n});\n\nexport const ListUserPermissionsOutputModel = new SchemaModel({\n name: 'ListUserPermissionsOutput',\n description: 'Output for listing user permissions',\n fields: {\n permissions: {\n type: ScalarTypeEnum.String_unsecure(),\n isOptional: false,\n isArray: true,\n },\n roles: { type: RoleModel, isOptional: false, isArray: true },\n },\n});\n\n// ============ Contracts ============\n\n/**\n * Create a new role.\n */\nexport const CreateRoleContract = defineCommand({\n meta: {\n key: 'identity.rbac.role.create',\n version: '1.0.0',\n stability: 'stable',\n owners: ['@platform.identity-rbac'],\n tags: ['identity', 'rbac', 'role', 'create'],\n description: 'Create a new role with permissions.',\n goal: 'Allow admins to define custom roles.',\n context: 'Role management in admin settings.',\n },\n io: {\n input: CreateRoleInputModel,\n output: RoleModel,\n errors: {\n ROLE_EXISTS: {\n description: 'A role with this name already exists',\n http: 409,\n gqlCode: 'ROLE_EXISTS',\n when: 'Role name is taken',\n },\n },\n },\n policy: {\n auth: 'admin',\n },\n sideEffects: {\n audit: ['role.created'],\n },\n});\n\n/**\n * Update a role.\n */\nexport const 
UpdateRoleContract = defineCommand({\n meta: {\n key: 'identity.rbac.role.update',\n version: '1.0.0',\n stability: 'stable',\n owners: ['@platform.identity-rbac'],\n tags: ['identity', 'rbac', 'role', 'update'],\n description: 'Update an existing role.',\n goal: 'Allow admins to modify role permissions.',\n context: 'Role management in admin settings.',\n },\n io: {\n input: UpdateRoleInputModel,\n output: RoleModel,\n },\n policy: {\n auth: 'admin',\n },\n sideEffects: {\n audit: ['role.updated'],\n },\n});\n\n/**\n * Delete a role.\n */\nexport const DeleteRoleContract = defineCommand({\n meta: {\n key: 'identity.rbac.role.delete',\n version: '1.0.0',\n stability: 'stable',\n owners: ['@platform.identity-rbac'],\n tags: ['identity', 'rbac', 'role', 'delete'],\n description: 'Delete an existing role.',\n goal: 'Allow admins to remove unused roles.',\n context: 'Role management. Removes all policy bindings using this role.',\n },\n io: {\n input: DeleteRoleInputModel,\n output: SuccessResultModel,\n errors: {\n ROLE_IN_USE: {\n description: 'Role is still assigned to users or organizations',\n http: 409,\n gqlCode: 'ROLE_IN_USE',\n when: 'Role has active bindings',\n },\n },\n },\n policy: {\n auth: 'admin',\n },\n sideEffects: {\n audit: ['role.deleted'],\n },\n});\n\n/**\n * List all roles.\n */\nexport const ListRolesContract = defineQuery({\n meta: {\n key: 'identity.rbac.role.list',\n version: '1.0.0',\n stability: 'stable',\n owners: ['@platform.identity-rbac'],\n tags: ['identity', 'rbac', 'role', 'list'],\n description: 'List all available roles.',\n goal: 'Show available roles for assignment.',\n context: 'Role assignment UI.',\n },\n io: {\n input: null,\n output: ListRolesOutputModel,\n },\n policy: {\n auth: 'user',\n },\n});\n\n/**\n * Assign a role to a user or organization.\n */\nexport const AssignRoleContract = defineCommand({\n meta: {\n key: 'identity.rbac.assign',\n version: '1.0.0',\n stability: 'stable',\n owners: 
['@platform.identity-rbac'],\n tags: ['identity', 'rbac', 'assign'],\n description: 'Assign a role to a user or organization.',\n goal: 'Grant permissions via role assignment.',\n context: 'User/org permission management.',\n },\n io: {\n input: AssignRoleInputModel,\n output: PolicyBindingModel,\n errors: {\n ROLE_NOT_FOUND: {\n description: 'The specified role does not exist',\n http: 404,\n gqlCode: 'ROLE_NOT_FOUND',\n when: 'Role ID is invalid',\n },\n ALREADY_ASSIGNED: {\n description: 'This role is already assigned to the target',\n http: 409,\n gqlCode: 'ALREADY_ASSIGNED',\n when: 'Binding already exists',\n },\n },\n },\n policy: {\n auth: 'admin',\n },\n sideEffects: {\n emits: [\n {\n key: 'role.assigned',\n version: '1.0.0',\n when: 'Role is assigned',\n payload: PolicyBindingModel,\n },\n ],\n audit: ['role.assigned'],\n },\n});\n\n/**\n * Revoke a role from a user or organization.\n */\nexport const RevokeRoleContract = defineCommand({\n meta: {\n key: 'identity.rbac.revoke',\n version: '1.0.0',\n stability: 'stable',\n owners: ['@platform.identity-rbac'],\n tags: ['identity', 'rbac', 'revoke'],\n description: 'Revoke a role from a user or organization.',\n goal: 'Remove permissions via role revocation.',\n context: 'User/org permission management.',\n },\n io: {\n input: RevokeRoleInputModel,\n output: SuccessResultModel,\n errors: {\n BINDING_NOT_FOUND: {\n description: 'The policy binding does not exist',\n http: 404,\n gqlCode: 'BINDING_NOT_FOUND',\n when: 'Binding ID is invalid',\n },\n },\n },\n policy: {\n auth: 'admin',\n },\n sideEffects: {\n emits: [\n {\n key: 'role.revoked',\n version: '1.0.0',\n when: 'Role is revoked',\n payload: BindingIdPayloadModel,\n },\n ],\n audit: ['role.revoked'],\n },\n});\n\n/**\n * Check if a user has a specific permission.\n */\nexport const CheckPermissionContract = defineQuery({\n meta: {\n key: 'identity.rbac.check',\n version: '1.0.0',\n stability: 'stable',\n owners: ['@platform.identity-rbac'],\n tags: 
['identity', 'rbac', 'check', 'permission'],\n description: 'Check if a user has a specific permission.',\n goal: 'Authorization check before sensitive operations.',\n context: 'Called by other services to verify permissions.',\n },\n io: {\n input: CheckPermissionInputModel,\n output: PermissionCheckResultModel,\n },\n policy: {\n auth: 'user',\n },\n});\n\n/**\n * List permissions for a user.\n */\nexport const ListUserPermissionsContract = defineQuery({\n meta: {\n key: 'identity.rbac.permissions',\n version: '1.0.0',\n stability: 'stable',\n owners: ['@platform.identity-rbac'],\n tags: ['identity', 'rbac', 'permissions', 'user'],\n description: 'List all permissions for a user in a context.',\n goal: 'Show what a user can do in an org.',\n context: 'UI permission display, debugging.',\n },\n io: {\n input: ListUserPermissionsInputModel,\n output: ListUserPermissionsOutputModel,\n },\n policy: {\n auth: 'user',\n },\n});\n"],"mappings":";;;;;AAMA,MAAa,YAAY,IAAI,YAAY;CACvC,MAAM;CACN,aAAa;CACb,QAAQ;EACN,IAAI;GAAE,MAAM,eAAe,iBAAiB;GAAE,YAAY;GAAO;EACjE,MAAM;GAAE,MAAM,eAAe,iBAAiB;GAAE,YAAY;GAAO;EACnE,aAAa;GAAE,MAAM,eAAe,iBAAiB;GAAE,YAAY;GAAM;EACzE,aAAa;GACX,MAAM,eAAe,iBAAiB;GACtC,YAAY;GACZ,SAAS;GACV;EACD,WAAW;GAAE,MAAM,eAAe,UAAU;GAAE,YAAY;GAAO;EAClE;CACF,CAAC;AAEF,MAAa,qBAAqB,IAAI,YAAY;CAChD,MAAM;CACN,aAAa;CACb,QAAQ;EACN,IAAI;GAAE,MAAM,eAAe,iBAAiB;GAAE,YAAY;GAAO;EACjE,QAAQ;GAAE,MAAM,eAAe,iBAAiB;GAAE,YAAY;GAAO;EACrE,YAAY;GAAE,MAAM,eAAe,iBAAiB;GAAE,YAAY;GAAO;EACzE,UAAU;GAAE,MAAM,eAAe,iBAAiB;GAAE,YAAY;GAAO;EACvE,WAAW;GAAE,MAAM,eAAe,UAAU;GAAE,YAAY;GAAM;EAChE,WAAW;GAAE,MAAM,eAAe,UAAU;GAAE,YAAY;GAAO;EACjE,MAAM;GAAE,MAAM;GAAW,YAAY;GAAO;EAC7C;CACF,CAAC;AAEF,MAAa,6BAA6B,IAAI,YAAY;CACxD,MAAM;CACN,aAAa;CACb,QAAQ;EACN,SAAS;GAAE,MAAM,eAAe,SAAS;GAAE,YAAY;GAAO;EAC9D,QAAQ;GAAE,MAAM,eAAe,iBAAiB;GAAE,YAAY;GAAM;EACpE,aAAa;GAAE,MAAM,eAAe,iBAAiB;GAAE,YAAY;GAAM;EAC1E;CACF,CAAC;AAEF,MAAa,uBAAuB,IAAI,YAAY;CAClD,MAAM;CACN,aAAa;CACb,QAAQ;EACN,MAAM;GAAE,MAAM,eAAe,gBAAgB;GAAE,YAAY;GAAO;EAClE,aAA
a;GAAE,MAAM,eAAe,iBAAiB;GAAE,YAAY;GAAM;EACzE,aAAa;GACX,MAAM,eAAe,iBAAiB;GACtC,YAAY;GACZ,SAAS;GACV;EACF;CACF,CAAC;AAEF,MAAa,uBAAuB,IAAI,YAAY;CAClD,MAAM;CACN,aAAa;CACb,QAAQ;EACN,QAAQ;GAAE,MAAM,eAAe,iBAAiB;GAAE,YAAY;GAAO;EACrE,MAAM;GAAE,MAAM,eAAe,iBAAiB;GAAE,YAAY;GAAM;EAClE,aAAa;GAAE,MAAM,eAAe,iBAAiB;GAAE,YAAY;GAAM;EACzE,aAAa;GACX,MAAM,eAAe,iBAAiB;GACtC,YAAY;GACZ,SAAS;GACV;EACF;CACF,CAAC;AAEF,MAAa,uBAAuB,IAAI,YAAY;CAClD,MAAM;CACN,aAAa;CACb,QAAQ,EACN,QAAQ;EAAE,MAAM,eAAe,iBAAiB;EAAE,YAAY;EAAO,EACtE;CACF,CAAC;AAEF,MAAa,uBAAuB,IAAI,YAAY;CAClD,MAAM;CACN,aAAa;CACb,QAAQ,EACN,OAAO;EAAE,MAAM;EAAW,YAAY;EAAO,SAAS;EAAM,EAC7D;CACF,CAAC;AAEF,MAAa,uBAAuB,IAAI,YAAY;CAClD,MAAM;CACN,aAAa;CACb,QAAQ;EACN,QAAQ;GAAE,MAAM,eAAe,iBAAiB;GAAE,YAAY;GAAO;EACrE,YAAY;GAAE,MAAM,eAAe,iBAAiB;GAAE,YAAY;GAAO;EACzE,UAAU;GAAE,MAAM,eAAe,iBAAiB;GAAE,YAAY;GAAO;EACvE,WAAW;GAAE,MAAM,eAAe,UAAU;GAAE,YAAY;GAAM;EACjE;CACF,CAAC;AAEF,MAAa,uBAAuB,IAAI,YAAY;CAClD,MAAM;CACN,aAAa;CACb,QAAQ,EACN,WAAW;EAAE,MAAM,eAAe,iBAAiB;EAAE,YAAY;EAAO,EACzE;CACF,CAAC;AAEF,MAAa,wBAAwB,IAAI,YAAY;CACnD,MAAM;CACN,aAAa;CACb,QAAQ,EACN,WAAW;EAAE,MAAM,eAAe,iBAAiB;EAAE,YAAY;EAAO,EACzE;CACF,CAAC;AAEF,MAAa,4BAA4B,IAAI,YAAY;CACvD,MAAM;CACN,aAAa;CACb,QAAQ;EACN,QAAQ;GAAE,MAAM,eAAe,iBAAiB;GAAE,YAAY;GAAO;EACrE,OAAO;GAAE,MAAM,eAAe,iBAAiB;GAAE,YAAY;GAAM;EACnE,YAAY;GAAE,MAAM,eAAe,iBAAiB;GAAE,YAAY;GAAO;EAC1E;CACF,CAAC;AAEF,MAAa,gCAAgC,IAAI,YAAY;CAC3D,MAAM;CACN,aAAa;CACb,QAAQ;EACN,QAAQ;GAAE,MAAM,eAAe,iBAAiB;GAAE,YAAY;GAAO;EACrE,OAAO;GAAE,MAAM,eAAe,iBAAiB;GAAE,YAAY;GAAM;EACpE;CACF,CAAC;AAEF,MAAa,iCAAiC,IAAI,YAAY;CAC5D,MAAM;CACN,aAAa;CACb,QAAQ;EACN,aAAa;GACX,MAAM,eAAe,iBAAiB;GACtC,YAAY;GACZ,SAAS;GACV;EACD,OAAO;GAAE,MAAM;GAAW,YAAY;GAAO,SAAS;GAAM;EAC7D;CACF,CAAC;;;;AAOF,MAAa,qBAAqB,cAAc;CAC9C,MAAM;EACJ,KAAK;EACL,SAAS;EACT,WAAW;EACX,QAAQ,CAAC,0BAA0B;EACnC,MAAM;GAAC;GAAY;GAAQ;GAAQ;GAAS;EAC5C,aAAa;EACb,MAAM;EACN,SAAS;EACV;CACD,IAAI;EACF,OAAO;EACP,QAAQ;EACR,QAAQ,EACN,aAAa;GACX,aAAa;GACb,MAAM;GACN,SAAS;GACT,MAAM;GACP,EACF;EACF;CACD,QAAQ,EACN,MAAM,SACP;CACD,aAAa,EACX
,OAAO,CAAC,eAAe,EACxB;CACF,CAAC;;;;AAKF,MAAa,qBAAqB,cAAc;CAC9C,MAAM;EACJ,KAAK;EACL,SAAS;EACT,WAAW;EACX,QAAQ,CAAC,0BAA0B;EACnC,MAAM;GAAC;GAAY;GAAQ;GAAQ;GAAS;EAC5C,aAAa;EACb,MAAM;EACN,SAAS;EACV;CACD,IAAI;EACF,OAAO;EACP,QAAQ;EACT;CACD,QAAQ,EACN,MAAM,SACP;CACD,aAAa,EACX,OAAO,CAAC,eAAe,EACxB;CACF,CAAC;;;;AAKF,MAAa,qBAAqB,cAAc;CAC9C,MAAM;EACJ,KAAK;EACL,SAAS;EACT,WAAW;EACX,QAAQ,CAAC,0BAA0B;EACnC,MAAM;GAAC;GAAY;GAAQ;GAAQ;GAAS;EAC5C,aAAa;EACb,MAAM;EACN,SAAS;EACV;CACD,IAAI;EACF,OAAO;EACP,QAAQ;EACR,QAAQ,EACN,aAAa;GACX,aAAa;GACb,MAAM;GACN,SAAS;GACT,MAAM;GACP,EACF;EACF;CACD,QAAQ,EACN,MAAM,SACP;CACD,aAAa,EACX,OAAO,CAAC,eAAe,EACxB;CACF,CAAC;;;;AAKF,MAAa,oBAAoB,YAAY;CAC3C,MAAM;EACJ,KAAK;EACL,SAAS;EACT,WAAW;EACX,QAAQ,CAAC,0BAA0B;EACnC,MAAM;GAAC;GAAY;GAAQ;GAAQ;GAAO;EAC1C,aAAa;EACb,MAAM;EACN,SAAS;EACV;CACD,IAAI;EACF,OAAO;EACP,QAAQ;EACT;CACD,QAAQ,EACN,MAAM,QACP;CACF,CAAC;;;;AAKF,MAAa,qBAAqB,cAAc;CAC9C,MAAM;EACJ,KAAK;EACL,SAAS;EACT,WAAW;EACX,QAAQ,CAAC,0BAA0B;EACnC,MAAM;GAAC;GAAY;GAAQ;GAAS;EACpC,aAAa;EACb,MAAM;EACN,SAAS;EACV;CACD,IAAI;EACF,OAAO;EACP,QAAQ;EACR,QAAQ;GACN,gBAAgB;IACd,aAAa;IACb,MAAM;IACN,SAAS;IACT,MAAM;IACP;GACD,kBAAkB;IAChB,aAAa;IACb,MAAM;IACN,SAAS;IACT,MAAM;IACP;GACF;EACF;CACD,QAAQ,EACN,MAAM,SACP;CACD,aAAa;EACX,OAAO,CACL;GACE,KAAK;GACL,SAAS;GACT,MAAM;GACN,SAAS;GACV,CACF;EACD,OAAO,CAAC,gBAAgB;EACzB;CACF,CAAC;;;;AAKF,MAAa,qBAAqB,cAAc;CAC9C,MAAM;EACJ,KAAK;EACL,SAAS;EACT,WAAW;EACX,QAAQ,CAAC,0BAA0B;EACnC,MAAM;GAAC;GAAY;GAAQ;GAAS;EACpC,aAAa;EACb,MAAM;EACN,SAAS;EACV;CACD,IAAI;EACF,OAAO;EACP,QAAQ;EACR,QAAQ,EACN,mBAAmB;GACjB,aAAa;GACb,MAAM;GACN,SAAS;GACT,MAAM;GACP,EACF;EACF;CACD,QAAQ,EACN,MAAM,SACP;CACD,aAAa;EACX,OAAO,CACL;GACE,KAAK;GACL,SAAS;GACT,MAAM;GACN,SAAS;GACV,CACF;EACD,OAAO,CAAC,eAAe;EACxB;CACF,CAAC;;;;AAKF,MAAa,0BAA0B,YAAY;CACjD,MAAM;EACJ,KAAK;EACL,SAAS;EACT,WAAW;EACX,QAAQ,CAAC,0BAA0B;EACnC,MAAM;GAAC;GAAY;GAAQ;GAAS;GAAa;EACjD,aAAa;EACb,MAAM;EACN,SAAS;EACV;CACD,IAAI;EACF,OAAO;EACP,QAAQ;EACT;CACD,QAAQ,EACN,MAAM,QACP;CACF,CAAC;;;;AAKF,MAAa,8BAA8B,YAAY;CACrD,MAAM;EACJ,KAAK;EAC
L,SAAS;EACT,WAAW;EACX,QAAQ,CAAC,0BAA0B;EACnC,MAAM;GAAC;GAAY;GAAQ;GAAe;GAAO;EACjD,aAAa;EACb,MAAM;EACN,SAAS;EACV;CACD,IAAI;EACF,OAAO;EACP,QAAQ;EACT;CACD,QAAQ,EACN,MAAM,QACP;CACF,CAAC"}