@contractspec/lib.identity-rbac 1.57.0 → 1.58.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/browser/contracts/index.js +1045 -0
- package/dist/browser/contracts/organization.js +655 -0
- package/dist/browser/contracts/rbac.js +599 -0
- package/dist/browser/contracts/user.js +235 -0
- package/dist/browser/entities/index.js +464 -0
- package/dist/browser/entities/organization.js +150 -0
- package/dist/browser/entities/rbac.js +124 -0
- package/dist/browser/entities/user.js +168 -0
- package/dist/browser/events.js +374 -0
- package/dist/browser/identity-rbac.capability.js +28 -0
- package/dist/browser/identity-rbac.feature.js +67 -0
- package/dist/browser/index.js +2099 -0
- package/dist/browser/policies/engine.js +154 -0
- package/dist/browser/policies/index.js +154 -0
- package/dist/contracts/index.d.ts +4 -4
- package/dist/contracts/index.d.ts.map +1 -0
- package/dist/contracts/index.js +1045 -4
- package/dist/contracts/organization.d.ts +758 -764
- package/dist/contracts/organization.d.ts.map +1 -1
- package/dist/contracts/organization.js +653 -602
- package/dist/contracts/rbac.d.ts +517 -523
- package/dist/contracts/rbac.d.ts.map +1 -1
- package/dist/contracts/rbac.js +597 -481
- package/dist/contracts/user.d.ts +513 -519
- package/dist/contracts/user.d.ts.map +1 -1
- package/dist/contracts/user.js +222 -319
- package/dist/entities/index.d.ts +164 -169
- package/dist/entities/index.d.ts.map +1 -1
- package/dist/entities/index.js +462 -33
- package/dist/entities/organization.d.ts +58 -63
- package/dist/entities/organization.d.ts.map +1 -1
- package/dist/entities/organization.js +145 -145
- package/dist/entities/rbac.d.ts +62 -67
- package/dist/entities/rbac.d.ts.map +1 -1
- package/dist/entities/rbac.js +119 -132
- package/dist/entities/user.d.ts +66 -71
- package/dist/entities/user.d.ts.map +1 -1
- package/dist/entities/user.js +164 -189
- package/dist/events.d.ts +537 -543
- package/dist/events.d.ts.map +1 -1
- package/dist/events.js +343 -651
- package/dist/identity-rbac.capability.d.ts +2 -7
- package/dist/identity-rbac.capability.d.ts.map +1 -1
- package/dist/identity-rbac.capability.js +29 -29
- package/dist/identity-rbac.feature.d.ts +1 -6
- package/dist/identity-rbac.feature.d.ts.map +1 -1
- package/dist/identity-rbac.feature.js +66 -193
- package/dist/index.d.ts +6 -12
- package/dist/index.d.ts.map +1 -0
- package/dist/index.js +2100 -14
- package/dist/node/contracts/index.js +1045 -0
- package/dist/node/contracts/organization.js +655 -0
- package/dist/node/contracts/rbac.js +599 -0
- package/dist/node/contracts/user.js +235 -0
- package/dist/node/entities/index.js +464 -0
- package/dist/node/entities/organization.js +150 -0
- package/dist/node/entities/rbac.js +124 -0
- package/dist/node/entities/user.js +168 -0
- package/dist/node/events.js +374 -0
- package/dist/node/identity-rbac.capability.js +28 -0
- package/dist/node/identity-rbac.feature.js +67 -0
- package/dist/node/index.js +2099 -0
- package/dist/node/policies/engine.js +154 -0
- package/dist/node/policies/index.js +154 -0
- package/dist/policies/engine.d.ts +98 -101
- package/dist/policies/engine.d.ts.map +1 -1
- package/dist/policies/engine.js +151 -164
- package/dist/policies/index.d.ts +2 -2
- package/dist/policies/index.d.ts.map +1 -0
- package/dist/policies/index.js +154 -2
- package/package.json +149 -40
- package/dist/contracts/organization.js.map +0 -1
- package/dist/contracts/rbac.js.map +0 -1
- package/dist/contracts/user.js.map +0 -1
- package/dist/entities/index.js.map +0 -1
- package/dist/entities/organization.js.map +0 -1
- package/dist/entities/rbac.js.map +0 -1
- package/dist/entities/user.js.map +0 -1
- package/dist/events.js.map +0 -1
- package/dist/identity-rbac.capability.js.map +0 -1
- package/dist/identity-rbac.feature.js.map +0 -1
- package/dist/policies/engine.js.map +0 -1
package/dist/contracts/rbac.js
CHANGED
|
@@ -1,484 +1,600 @@
|
|
|
1
|
-
|
|
2
|
-
|
|
1
|
+
// @bun
|
|
2
|
+
// src/contracts/user.ts
|
|
3
|
+
import { SchemaModel, ScalarTypeEnum } from "@contractspec/lib.schema";
|
|
3
4
|
import { defineCommand, defineQuery } from "@contractspec/lib.contracts";
|
|
4
|
-
|
|
5
|
-
|
|
6
|
-
|
|
7
|
-
|
|
8
|
-
|
|
9
|
-
|
|
10
|
-
|
|
11
|
-
|
|
12
|
-
|
|
13
|
-
|
|
14
|
-
|
|
15
|
-
|
|
16
|
-
|
|
17
|
-
|
|
18
|
-
|
|
19
|
-
|
|
20
|
-
|
|
21
|
-
|
|
22
|
-
|
|
23
|
-
|
|
24
|
-
|
|
25
|
-
|
|
26
|
-
|
|
27
|
-
|
|
28
|
-
|
|
29
|
-
|
|
30
|
-
|
|
31
|
-
|
|
32
|
-
}
|
|
33
|
-
|
|
34
|
-
|
|
35
|
-
|
|
36
|
-
|
|
37
|
-
|
|
38
|
-
|
|
39
|
-
|
|
40
|
-
|
|
41
|
-
|
|
42
|
-
|
|
43
|
-
|
|
44
|
-
|
|
45
|
-
|
|
46
|
-
|
|
47
|
-
|
|
48
|
-
|
|
49
|
-
|
|
50
|
-
|
|
51
|
-
|
|
52
|
-
|
|
53
|
-
|
|
54
|
-
|
|
55
|
-
|
|
56
|
-
|
|
57
|
-
|
|
58
|
-
|
|
59
|
-
|
|
60
|
-
|
|
61
|
-
|
|
62
|
-
|
|
63
|
-
|
|
64
|
-
|
|
65
|
-
|
|
66
|
-
});
|
|
67
|
-
|
|
68
|
-
|
|
69
|
-
|
|
70
|
-
|
|
71
|
-
|
|
72
|
-
|
|
73
|
-
|
|
74
|
-
|
|
75
|
-
|
|
76
|
-
|
|
77
|
-
|
|
78
|
-
|
|
79
|
-
|
|
80
|
-
|
|
81
|
-
|
|
82
|
-
|
|
83
|
-
|
|
84
|
-
|
|
85
|
-
|
|
86
|
-
|
|
87
|
-
|
|
88
|
-
|
|
89
|
-
|
|
90
|
-
|
|
91
|
-
|
|
92
|
-
|
|
93
|
-
|
|
94
|
-
|
|
95
|
-
|
|
96
|
-
|
|
97
|
-
|
|
98
|
-
|
|
99
|
-
|
|
100
|
-
|
|
101
|
-
|
|
102
|
-
|
|
103
|
-
|
|
104
|
-
|
|
105
|
-
|
|
106
|
-
|
|
107
|
-
|
|
108
|
-
|
|
109
|
-
|
|
110
|
-
|
|
111
|
-
|
|
112
|
-
|
|
113
|
-
|
|
114
|
-
|
|
115
|
-
|
|
116
|
-
|
|
117
|
-
|
|
118
|
-
|
|
119
|
-
|
|
120
|
-
|
|
121
|
-
|
|
122
|
-
|
|
123
|
-
|
|
124
|
-
|
|
125
|
-
|
|
126
|
-
|
|
127
|
-
|
|
128
|
-
|
|
129
|
-
|
|
130
|
-
|
|
131
|
-
|
|
132
|
-
|
|
133
|
-
|
|
134
|
-
|
|
135
|
-
|
|
136
|
-
|
|
137
|
-
|
|
138
|
-
|
|
139
|
-
|
|
140
|
-
|
|
141
|
-
|
|
142
|
-
|
|
143
|
-
|
|
144
|
-
|
|
145
|
-
|
|
146
|
-
|
|
147
|
-
|
|
148
|
-
|
|
149
|
-
|
|
150
|
-
|
|
151
|
-
|
|
152
|
-
|
|
153
|
-
|
|
154
|
-
|
|
155
|
-
|
|
156
|
-
|
|
157
|
-
|
|
158
|
-
|
|
159
|
-
|
|
160
|
-
|
|
161
|
-
|
|
162
|
-
|
|
163
|
-
|
|
164
|
-
|
|
165
|
-
|
|
166
|
-
|
|
167
|
-
|
|
168
|
-
|
|
169
|
-
|
|
170
|
-
|
|
171
|
-
|
|
172
|
-
|
|
173
|
-
|
|
174
|
-
|
|
175
|
-
|
|
176
|
-
|
|
177
|
-
|
|
178
|
-
|
|
179
|
-
|
|
180
|
-
|
|
181
|
-
}
|
|
182
|
-
|
|
183
|
-
|
|
184
|
-
|
|
185
|
-
|
|
186
|
-
|
|
187
|
-
|
|
188
|
-
|
|
189
|
-
|
|
190
|
-
|
|
191
|
-
|
|
192
|
-
|
|
193
|
-
|
|
194
|
-
|
|
195
|
-
|
|
196
|
-
|
|
197
|
-
|
|
198
|
-
|
|
199
|
-
|
|
200
|
-
|
|
201
|
-
|
|
202
|
-
|
|
203
|
-
|
|
204
|
-
|
|
205
|
-
|
|
206
|
-
|
|
207
|
-
|
|
208
|
-
|
|
209
|
-
|
|
210
|
-
|
|
211
|
-
|
|
212
|
-
|
|
213
|
-
|
|
214
|
-
|
|
215
|
-
|
|
216
|
-
|
|
217
|
-
|
|
218
|
-
|
|
219
|
-
|
|
220
|
-
isOptional: false,
|
|
221
|
-
isArray: true
|
|
222
|
-
},
|
|
223
|
-
roles: {
|
|
224
|
-
type: RoleModel,
|
|
225
|
-
isOptional: false,
|
|
226
|
-
isArray: true
|
|
227
|
-
}
|
|
228
|
-
}
|
|
229
|
-
});
|
|
230
|
-
/**
|
|
231
|
-
* Create a new role.
|
|
232
|
-
*/
|
|
233
|
-
const CreateRoleContract = defineCommand({
|
|
234
|
-
meta: {
|
|
235
|
-
key: "identity.rbac.role.create",
|
|
236
|
-
version: "1.0.0",
|
|
237
|
-
stability: "stable",
|
|
238
|
-
owners: ["@platform.identity-rbac"],
|
|
239
|
-
tags: [
|
|
240
|
-
"identity",
|
|
241
|
-
"rbac",
|
|
242
|
-
"role",
|
|
243
|
-
"create"
|
|
244
|
-
],
|
|
245
|
-
description: "Create a new role with permissions.",
|
|
246
|
-
goal: "Allow admins to define custom roles.",
|
|
247
|
-
context: "Role management in admin settings."
|
|
248
|
-
},
|
|
249
|
-
io: {
|
|
250
|
-
input: CreateRoleInputModel,
|
|
251
|
-
output: RoleModel,
|
|
252
|
-
errors: { ROLE_EXISTS: {
|
|
253
|
-
description: "A role with this name already exists",
|
|
254
|
-
http: 409,
|
|
255
|
-
gqlCode: "ROLE_EXISTS",
|
|
256
|
-
when: "Role name is taken"
|
|
257
|
-
} }
|
|
258
|
-
},
|
|
259
|
-
policy: { auth: "admin" },
|
|
260
|
-
sideEffects: { audit: ["role.created"] }
|
|
261
|
-
});
|
|
262
|
-
/**
|
|
263
|
-
* Update a role.
|
|
264
|
-
*/
|
|
265
|
-
const UpdateRoleContract = defineCommand({
|
|
266
|
-
meta: {
|
|
267
|
-
key: "identity.rbac.role.update",
|
|
268
|
-
version: "1.0.0",
|
|
269
|
-
stability: "stable",
|
|
270
|
-
owners: ["@platform.identity-rbac"],
|
|
271
|
-
tags: [
|
|
272
|
-
"identity",
|
|
273
|
-
"rbac",
|
|
274
|
-
"role",
|
|
275
|
-
"update"
|
|
276
|
-
],
|
|
277
|
-
description: "Update an existing role.",
|
|
278
|
-
goal: "Allow admins to modify role permissions.",
|
|
279
|
-
context: "Role management in admin settings."
|
|
280
|
-
},
|
|
281
|
-
io: {
|
|
282
|
-
input: UpdateRoleInputModel,
|
|
283
|
-
output: RoleModel
|
|
284
|
-
},
|
|
285
|
-
policy: { auth: "admin" },
|
|
286
|
-
sideEffects: { audit: ["role.updated"] }
|
|
287
|
-
});
|
|
288
|
-
/**
|
|
289
|
-
* Delete a role.
|
|
290
|
-
*/
|
|
291
|
-
const DeleteRoleContract = defineCommand({
|
|
292
|
-
meta: {
|
|
293
|
-
key: "identity.rbac.role.delete",
|
|
294
|
-
version: "1.0.0",
|
|
295
|
-
stability: "stable",
|
|
296
|
-
owners: ["@platform.identity-rbac"],
|
|
297
|
-
tags: [
|
|
298
|
-
"identity",
|
|
299
|
-
"rbac",
|
|
300
|
-
"role",
|
|
301
|
-
"delete"
|
|
302
|
-
],
|
|
303
|
-
description: "Delete an existing role.",
|
|
304
|
-
goal: "Allow admins to remove unused roles.",
|
|
305
|
-
context: "Role management. Removes all policy bindings using this role."
|
|
306
|
-
},
|
|
307
|
-
io: {
|
|
308
|
-
input: DeleteRoleInputModel,
|
|
309
|
-
output: SuccessResultModel,
|
|
310
|
-
errors: { ROLE_IN_USE: {
|
|
311
|
-
description: "Role is still assigned to users or organizations",
|
|
312
|
-
http: 409,
|
|
313
|
-
gqlCode: "ROLE_IN_USE",
|
|
314
|
-
when: "Role has active bindings"
|
|
315
|
-
} }
|
|
316
|
-
},
|
|
317
|
-
policy: { auth: "admin" },
|
|
318
|
-
sideEffects: { audit: ["role.deleted"] }
|
|
319
|
-
});
|
|
320
|
-
/**
|
|
321
|
-
* List all roles.
|
|
322
|
-
*/
|
|
323
|
-
const ListRolesContract = defineQuery({
|
|
324
|
-
meta: {
|
|
325
|
-
key: "identity.rbac.role.list",
|
|
326
|
-
version: "1.0.0",
|
|
327
|
-
stability: "stable",
|
|
328
|
-
owners: ["@platform.identity-rbac"],
|
|
329
|
-
tags: [
|
|
330
|
-
"identity",
|
|
331
|
-
"rbac",
|
|
332
|
-
"role",
|
|
333
|
-
"list"
|
|
334
|
-
],
|
|
335
|
-
description: "List all available roles.",
|
|
336
|
-
goal: "Show available roles for assignment.",
|
|
337
|
-
context: "Role assignment UI."
|
|
338
|
-
},
|
|
339
|
-
io: {
|
|
340
|
-
input: null,
|
|
341
|
-
output: ListRolesOutputModel
|
|
342
|
-
},
|
|
343
|
-
policy: { auth: "user" }
|
|
344
|
-
});
|
|
345
|
-
/**
|
|
346
|
-
* Assign a role to a user or organization.
|
|
347
|
-
*/
|
|
348
|
-
const AssignRoleContract = defineCommand({
|
|
349
|
-
meta: {
|
|
350
|
-
key: "identity.rbac.assign",
|
|
351
|
-
version: "1.0.0",
|
|
352
|
-
stability: "stable",
|
|
353
|
-
owners: ["@platform.identity-rbac"],
|
|
354
|
-
tags: [
|
|
355
|
-
"identity",
|
|
356
|
-
"rbac",
|
|
357
|
-
"assign"
|
|
358
|
-
],
|
|
359
|
-
description: "Assign a role to a user or organization.",
|
|
360
|
-
goal: "Grant permissions via role assignment.",
|
|
361
|
-
context: "User/org permission management."
|
|
362
|
-
},
|
|
363
|
-
io: {
|
|
364
|
-
input: AssignRoleInputModel,
|
|
365
|
-
output: PolicyBindingModel,
|
|
366
|
-
errors: {
|
|
367
|
-
ROLE_NOT_FOUND: {
|
|
368
|
-
description: "The specified role does not exist",
|
|
369
|
-
http: 404,
|
|
370
|
-
gqlCode: "ROLE_NOT_FOUND",
|
|
371
|
-
when: "Role ID is invalid"
|
|
372
|
-
},
|
|
373
|
-
ALREADY_ASSIGNED: {
|
|
374
|
-
description: "This role is already assigned to the target",
|
|
375
|
-
http: 409,
|
|
376
|
-
gqlCode: "ALREADY_ASSIGNED",
|
|
377
|
-
when: "Binding already exists"
|
|
378
|
-
}
|
|
379
|
-
}
|
|
380
|
-
},
|
|
381
|
-
policy: { auth: "admin" },
|
|
382
|
-
sideEffects: {
|
|
383
|
-
emits: [{
|
|
384
|
-
key: "role.assigned",
|
|
385
|
-
version: "1.0.0",
|
|
386
|
-
when: "Role is assigned",
|
|
387
|
-
payload: PolicyBindingModel
|
|
388
|
-
}],
|
|
389
|
-
audit: ["role.assigned"]
|
|
390
|
-
}
|
|
391
|
-
});
|
|
392
|
-
/**
|
|
393
|
-
* Revoke a role from a user or organization.
|
|
394
|
-
*/
|
|
395
|
-
const RevokeRoleContract = defineCommand({
|
|
396
|
-
meta: {
|
|
397
|
-
key: "identity.rbac.revoke",
|
|
398
|
-
version: "1.0.0",
|
|
399
|
-
stability: "stable",
|
|
400
|
-
owners: ["@platform.identity-rbac"],
|
|
401
|
-
tags: [
|
|
402
|
-
"identity",
|
|
403
|
-
"rbac",
|
|
404
|
-
"revoke"
|
|
405
|
-
],
|
|
406
|
-
description: "Revoke a role from a user or organization.",
|
|
407
|
-
goal: "Remove permissions via role revocation.",
|
|
408
|
-
context: "User/org permission management."
|
|
409
|
-
},
|
|
410
|
-
io: {
|
|
411
|
-
input: RevokeRoleInputModel,
|
|
412
|
-
output: SuccessResultModel,
|
|
413
|
-
errors: { BINDING_NOT_FOUND: {
|
|
414
|
-
description: "The policy binding does not exist",
|
|
415
|
-
http: 404,
|
|
416
|
-
gqlCode: "BINDING_NOT_FOUND",
|
|
417
|
-
when: "Binding ID is invalid"
|
|
418
|
-
} }
|
|
419
|
-
},
|
|
420
|
-
policy: { auth: "admin" },
|
|
421
|
-
sideEffects: {
|
|
422
|
-
emits: [{
|
|
423
|
-
key: "role.revoked",
|
|
424
|
-
version: "1.0.0",
|
|
425
|
-
when: "Role is revoked",
|
|
426
|
-
payload: BindingIdPayloadModel
|
|
427
|
-
}],
|
|
428
|
-
audit: ["role.revoked"]
|
|
429
|
-
}
|
|
430
|
-
});
|
|
431
|
-
/**
|
|
432
|
-
* Check if a user has a specific permission.
|
|
433
|
-
*/
|
|
434
|
-
const CheckPermissionContract = defineQuery({
|
|
435
|
-
meta: {
|
|
436
|
-
key: "identity.rbac.check",
|
|
437
|
-
version: "1.0.0",
|
|
438
|
-
stability: "stable",
|
|
439
|
-
owners: ["@platform.identity-rbac"],
|
|
440
|
-
tags: [
|
|
441
|
-
"identity",
|
|
442
|
-
"rbac",
|
|
443
|
-
"check",
|
|
444
|
-
"permission"
|
|
445
|
-
],
|
|
446
|
-
description: "Check if a user has a specific permission.",
|
|
447
|
-
goal: "Authorization check before sensitive operations.",
|
|
448
|
-
context: "Called by other services to verify permissions."
|
|
449
|
-
},
|
|
450
|
-
io: {
|
|
451
|
-
input: CheckPermissionInputModel,
|
|
452
|
-
output: PermissionCheckResultModel
|
|
453
|
-
},
|
|
454
|
-
policy: { auth: "user" }
|
|
455
|
-
});
|
|
456
|
-
/**
|
|
457
|
-
* List permissions for a user.
|
|
458
|
-
*/
|
|
459
|
-
const ListUserPermissionsContract = defineQuery({
|
|
460
|
-
meta: {
|
|
461
|
-
key: "identity.rbac.permissions",
|
|
462
|
-
version: "1.0.0",
|
|
463
|
-
stability: "stable",
|
|
464
|
-
owners: ["@platform.identity-rbac"],
|
|
465
|
-
tags: [
|
|
466
|
-
"identity",
|
|
467
|
-
"rbac",
|
|
468
|
-
"permissions",
|
|
469
|
-
"user"
|
|
470
|
-
],
|
|
471
|
-
description: "List all permissions for a user in a context.",
|
|
472
|
-
goal: "Show what a user can do in an org.",
|
|
473
|
-
context: "UI permission display, debugging."
|
|
474
|
-
},
|
|
475
|
-
io: {
|
|
476
|
-
input: ListUserPermissionsInputModel,
|
|
477
|
-
output: ListUserPermissionsOutputModel
|
|
478
|
-
},
|
|
479
|
-
policy: { auth: "user" }
|
|
5
|
+
var OWNERS = ["platform.identity-rbac"];
|
|
6
|
+
var UserProfileModel = new SchemaModel({
|
|
7
|
+
name: "UserProfile",
|
|
8
|
+
description: "User profile information",
|
|
9
|
+
fields: {
|
|
10
|
+
id: { type: ScalarTypeEnum.String_unsecure(), isOptional: false },
|
|
11
|
+
email: { type: ScalarTypeEnum.EmailAddress(), isOptional: false },
|
|
12
|
+
emailVerified: { type: ScalarTypeEnum.Boolean(), isOptional: false },
|
|
13
|
+
name: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },
|
|
14
|
+
firstName: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },
|
|
15
|
+
lastName: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },
|
|
16
|
+
locale: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },
|
|
17
|
+
timezone: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },
|
|
18
|
+
imageUrl: { type: ScalarTypeEnum.URL(), isOptional: true },
|
|
19
|
+
role: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },
|
|
20
|
+
onboardingCompleted: { type: ScalarTypeEnum.Boolean(), isOptional: false },
|
|
21
|
+
createdAt: { type: ScalarTypeEnum.DateTime(), isOptional: false }
|
|
22
|
+
}
|
|
23
|
+
});
|
|
24
|
+
var CreateUserInputModel = new SchemaModel({
|
|
25
|
+
name: "CreateUserInput",
|
|
26
|
+
description: "Input for creating a new user",
|
|
27
|
+
fields: {
|
|
28
|
+
email: { type: ScalarTypeEnum.EmailAddress(), isOptional: false },
|
|
29
|
+
name: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },
|
|
30
|
+
firstName: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },
|
|
31
|
+
lastName: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },
|
|
32
|
+
password: { type: ScalarTypeEnum.String_unsecure(), isOptional: true }
|
|
33
|
+
}
|
|
34
|
+
});
|
|
35
|
+
var UpdateUserInputModel = new SchemaModel({
|
|
36
|
+
name: "UpdateUserInput",
|
|
37
|
+
description: "Input for updating a user profile",
|
|
38
|
+
fields: {
|
|
39
|
+
name: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },
|
|
40
|
+
firstName: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },
|
|
41
|
+
lastName: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },
|
|
42
|
+
locale: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },
|
|
43
|
+
timezone: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },
|
|
44
|
+
imageUrl: { type: ScalarTypeEnum.URL(), isOptional: true }
|
|
45
|
+
}
|
|
46
|
+
});
|
|
47
|
+
var DeleteUserInputModel = new SchemaModel({
|
|
48
|
+
name: "DeleteUserInput",
|
|
49
|
+
description: "Input for deleting a user",
|
|
50
|
+
fields: {
|
|
51
|
+
confirmEmail: { type: ScalarTypeEnum.EmailAddress(), isOptional: false }
|
|
52
|
+
}
|
|
53
|
+
});
|
|
54
|
+
var SuccessResultModel = new SchemaModel({
|
|
55
|
+
name: "SuccessResult",
|
|
56
|
+
description: "Simple success result",
|
|
57
|
+
fields: {
|
|
58
|
+
success: { type: ScalarTypeEnum.Boolean(), isOptional: false }
|
|
59
|
+
}
|
|
60
|
+
});
|
|
61
|
+
var UserDeletedPayloadModel = new SchemaModel({
|
|
62
|
+
name: "UserDeletedPayload",
|
|
63
|
+
description: "Payload for user deleted event",
|
|
64
|
+
fields: {
|
|
65
|
+
userId: { type: ScalarTypeEnum.String_unsecure(), isOptional: false }
|
|
66
|
+
}
|
|
67
|
+
});
|
|
68
|
+
var ListUsersInputModel = new SchemaModel({
|
|
69
|
+
name: "ListUsersInput",
|
|
70
|
+
description: "Input for listing users",
|
|
71
|
+
fields: {
|
|
72
|
+
limit: { type: ScalarTypeEnum.Int_unsecure(), isOptional: true },
|
|
73
|
+
offset: { type: ScalarTypeEnum.Int_unsecure(), isOptional: true },
|
|
74
|
+
search: { type: ScalarTypeEnum.String_unsecure(), isOptional: true }
|
|
75
|
+
}
|
|
76
|
+
});
|
|
77
|
+
var ListUsersOutputModel = new SchemaModel({
|
|
78
|
+
name: "ListUsersOutput",
|
|
79
|
+
description: "Output for listing users",
|
|
80
|
+
fields: {
|
|
81
|
+
users: { type: UserProfileModel, isOptional: false, isArray: true },
|
|
82
|
+
total: { type: ScalarTypeEnum.Int_unsecure(), isOptional: false }
|
|
83
|
+
}
|
|
84
|
+
});
|
|
85
|
+
var CreateUserContract = defineCommand({
|
|
86
|
+
meta: {
|
|
87
|
+
key: "identity.user.create",
|
|
88
|
+
version: "1.0.0",
|
|
89
|
+
stability: "stable",
|
|
90
|
+
owners: [...OWNERS],
|
|
91
|
+
tags: ["identity", "user", "create"],
|
|
92
|
+
description: "Create a new user account.",
|
|
93
|
+
goal: "Register a new user in the system.",
|
|
94
|
+
context: "Used during signup flows. May trigger email verification."
|
|
95
|
+
},
|
|
96
|
+
io: {
|
|
97
|
+
input: CreateUserInputModel,
|
|
98
|
+
output: UserProfileModel,
|
|
99
|
+
errors: {
|
|
100
|
+
EMAIL_EXISTS: {
|
|
101
|
+
description: "A user with this email already exists",
|
|
102
|
+
http: 409,
|
|
103
|
+
gqlCode: "EMAIL_EXISTS",
|
|
104
|
+
when: "Email is already registered"
|
|
105
|
+
}
|
|
106
|
+
}
|
|
107
|
+
},
|
|
108
|
+
policy: {
|
|
109
|
+
auth: "anonymous"
|
|
110
|
+
},
|
|
111
|
+
sideEffects: {
|
|
112
|
+
emits: [
|
|
113
|
+
{
|
|
114
|
+
key: "user.created",
|
|
115
|
+
version: "1.0.0",
|
|
116
|
+
when: "User is successfully created",
|
|
117
|
+
payload: UserProfileModel
|
|
118
|
+
}
|
|
119
|
+
],
|
|
120
|
+
audit: ["user.created"]
|
|
121
|
+
}
|
|
122
|
+
});
|
|
123
|
+
var GetCurrentUserContract = defineQuery({
|
|
124
|
+
meta: {
|
|
125
|
+
key: "identity.user.me",
|
|
126
|
+
version: "1.0.0",
|
|
127
|
+
stability: "stable",
|
|
128
|
+
owners: [...OWNERS],
|
|
129
|
+
tags: ["identity", "user", "profile"],
|
|
130
|
+
description: "Get the current authenticated user profile.",
|
|
131
|
+
goal: "Retrieve user profile for the authenticated session.",
|
|
132
|
+
context: "Called on app load and after profile updates."
|
|
133
|
+
},
|
|
134
|
+
io: {
|
|
135
|
+
input: null,
|
|
136
|
+
output: UserProfileModel
|
|
137
|
+
},
|
|
138
|
+
policy: {
|
|
139
|
+
auth: "user"
|
|
140
|
+
}
|
|
141
|
+
});
|
|
142
|
+
var UpdateUserContract = defineCommand({
|
|
143
|
+
meta: {
|
|
144
|
+
key: "identity.user.update",
|
|
145
|
+
version: "1.0.0",
|
|
146
|
+
stability: "stable",
|
|
147
|
+
owners: [...OWNERS],
|
|
148
|
+
tags: ["identity", "user", "update"],
|
|
149
|
+
description: "Update user profile information.",
|
|
150
|
+
goal: "Allow users to update their profile.",
|
|
151
|
+
context: "Self-service profile updates."
|
|
152
|
+
},
|
|
153
|
+
io: {
|
|
154
|
+
input: UpdateUserInputModel,
|
|
155
|
+
output: UserProfileModel
|
|
156
|
+
},
|
|
157
|
+
policy: {
|
|
158
|
+
auth: "user"
|
|
159
|
+
},
|
|
160
|
+
sideEffects: {
|
|
161
|
+
emits: [
|
|
162
|
+
{
|
|
163
|
+
key: "user.updated",
|
|
164
|
+
version: "1.0.0",
|
|
165
|
+
when: "User profile is updated",
|
|
166
|
+
payload: UserProfileModel
|
|
167
|
+
}
|
|
168
|
+
],
|
|
169
|
+
audit: ["user.updated"]
|
|
170
|
+
}
|
|
171
|
+
});
|
|
172
|
+
var DeleteUserContract = defineCommand({
|
|
173
|
+
meta: {
|
|
174
|
+
key: "identity.user.delete",
|
|
175
|
+
version: "1.0.0",
|
|
176
|
+
stability: "stable",
|
|
177
|
+
owners: [...OWNERS],
|
|
178
|
+
tags: ["identity", "user", "delete"],
|
|
179
|
+
description: "Delete user account and all associated data.",
|
|
180
|
+
goal: "Allow users to delete their account (GDPR compliance).",
|
|
181
|
+
context: "Self-service account deletion. Cascades to memberships, sessions, etc."
|
|
182
|
+
},
|
|
183
|
+
io: {
|
|
184
|
+
input: DeleteUserInputModel,
|
|
185
|
+
output: SuccessResultModel
|
|
186
|
+
},
|
|
187
|
+
policy: {
|
|
188
|
+
auth: "user",
|
|
189
|
+
escalate: "human_review"
|
|
190
|
+
},
|
|
191
|
+
sideEffects: {
|
|
192
|
+
emits: [
|
|
193
|
+
{
|
|
194
|
+
key: "user.deleted",
|
|
195
|
+
version: "1.0.0",
|
|
196
|
+
when: "User account is deleted",
|
|
197
|
+
payload: UserDeletedPayloadModel
|
|
198
|
+
}
|
|
199
|
+
],
|
|
200
|
+
audit: ["user.deleted"]
|
|
201
|
+
}
|
|
202
|
+
});
|
|
203
|
+
var ListUsersContract = defineQuery({
|
|
204
|
+
meta: {
|
|
205
|
+
key: "identity.user.list",
|
|
206
|
+
version: "1.0.0",
|
|
207
|
+
stability: "stable",
|
|
208
|
+
owners: [...OWNERS],
|
|
209
|
+
tags: ["identity", "user", "admin", "list"],
|
|
210
|
+
description: "List all users (admin only).",
|
|
211
|
+
goal: "Allow admins to browse and manage users.",
|
|
212
|
+
context: "Admin dashboard user management."
|
|
213
|
+
},
|
|
214
|
+
io: {
|
|
215
|
+
input: ListUsersInputModel,
|
|
216
|
+
output: ListUsersOutputModel
|
|
217
|
+
},
|
|
218
|
+
policy: {
|
|
219
|
+
auth: "admin"
|
|
220
|
+
}
|
|
480
221
|
});
|
|
481
222
|
|
|
482
|
-
|
|
483
|
-
|
|
484
|
-
|
|
223
|
+
// src/contracts/rbac.ts
|
|
224
|
+
import { SchemaModel as SchemaModel2, ScalarTypeEnum as ScalarTypeEnum2 } from "@contractspec/lib.schema";
|
|
225
|
+
import { defineCommand as defineCommand2, defineQuery as defineQuery2 } from "@contractspec/lib.contracts";
|
|
226
|
+
var RoleModel = new SchemaModel2({
|
|
227
|
+
name: "Role",
|
|
228
|
+
description: "RBAC role definition",
|
|
229
|
+
fields: {
|
|
230
|
+
id: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false },
|
|
231
|
+
name: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false },
|
|
232
|
+
description: { type: ScalarTypeEnum2.String_unsecure(), isOptional: true },
|
|
233
|
+
permissions: {
|
|
234
|
+
type: ScalarTypeEnum2.String_unsecure(),
|
|
235
|
+
isOptional: false,
|
|
236
|
+
isArray: true
|
|
237
|
+
},
|
|
238
|
+
createdAt: { type: ScalarTypeEnum2.DateTime(), isOptional: false }
|
|
239
|
+
}
|
|
240
|
+
});
|
|
241
|
+
var PolicyBindingModel = new SchemaModel2({
|
|
242
|
+
name: "PolicyBinding",
|
|
243
|
+
description: "Role assignment to a target",
|
|
244
|
+
fields: {
|
|
245
|
+
id: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false },
|
|
246
|
+
roleId: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false },
|
|
247
|
+
targetType: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false },
|
|
248
|
+
targetId: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false },
|
|
249
|
+
expiresAt: { type: ScalarTypeEnum2.DateTime(), isOptional: true },
|
|
250
|
+
createdAt: { type: ScalarTypeEnum2.DateTime(), isOptional: false },
|
|
251
|
+
role: { type: RoleModel, isOptional: false }
|
|
252
|
+
}
|
|
253
|
+
});
|
|
254
|
+
var PermissionCheckResultModel = new SchemaModel2({
|
|
255
|
+
name: "PermissionCheckResult",
|
|
256
|
+
description: "Result of a permission check",
|
|
257
|
+
fields: {
|
|
258
|
+
allowed: { type: ScalarTypeEnum2.Boolean(), isOptional: false },
|
|
259
|
+
reason: { type: ScalarTypeEnum2.String_unsecure(), isOptional: true },
|
|
260
|
+
matchedRole: { type: ScalarTypeEnum2.String_unsecure(), isOptional: true }
|
|
261
|
+
}
|
|
262
|
+
});
|
|
263
|
+
var CreateRoleInputModel = new SchemaModel2({
|
|
264
|
+
name: "CreateRoleInput",
|
|
265
|
+
description: "Input for creating a role",
|
|
266
|
+
fields: {
|
|
267
|
+
name: { type: ScalarTypeEnum2.NonEmptyString(), isOptional: false },
|
|
268
|
+
description: { type: ScalarTypeEnum2.String_unsecure(), isOptional: true },
|
|
269
|
+
permissions: {
|
|
270
|
+
type: ScalarTypeEnum2.String_unsecure(),
|
|
271
|
+
isOptional: false,
|
|
272
|
+
isArray: true
|
|
273
|
+
}
|
|
274
|
+
}
|
|
275
|
+
});
|
|
276
|
+
var UpdateRoleInputModel = new SchemaModel2({
|
|
277
|
+
name: "UpdateRoleInput",
|
|
278
|
+
description: "Input for updating a role",
|
|
279
|
+
fields: {
|
|
280
|
+
roleId: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false },
|
|
281
|
+
name: { type: ScalarTypeEnum2.String_unsecure(), isOptional: true },
|
|
282
|
+
description: { type: ScalarTypeEnum2.String_unsecure(), isOptional: true },
|
|
283
|
+
permissions: {
|
|
284
|
+
type: ScalarTypeEnum2.String_unsecure(),
|
|
285
|
+
isOptional: true,
|
|
286
|
+
isArray: true
|
|
287
|
+
}
|
|
288
|
+
}
|
|
289
|
+
});
|
|
290
|
+
var DeleteRoleInputModel = new SchemaModel2({
|
|
291
|
+
name: "DeleteRoleInput",
|
|
292
|
+
description: "Input for deleting a role",
|
|
293
|
+
fields: {
|
|
294
|
+
roleId: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false }
|
|
295
|
+
}
|
|
296
|
+
});
|
|
297
|
+
var ListRolesOutputModel = new SchemaModel2({
|
|
298
|
+
name: "ListRolesOutput",
|
|
299
|
+
description: "Output for listing roles",
|
|
300
|
+
fields: {
|
|
301
|
+
roles: { type: RoleModel, isOptional: false, isArray: true }
|
|
302
|
+
}
|
|
303
|
+
});
|
|
304
|
+
var AssignRoleInputModel = new SchemaModel2({
|
|
305
|
+
name: "AssignRoleInput",
|
|
306
|
+
description: "Input for assigning a role",
|
|
307
|
+
fields: {
|
|
308
|
+
roleId: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false },
|
|
309
|
+
targetType: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false },
|
|
310
|
+
targetId: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false },
|
|
311
|
+
expiresAt: { type: ScalarTypeEnum2.DateTime(), isOptional: true }
|
|
312
|
+
}
|
|
313
|
+
});
|
|
314
|
+
var RevokeRoleInputModel = new SchemaModel2({
|
|
315
|
+
name: "RevokeRoleInput",
|
|
316
|
+
description: "Input for revoking a role",
|
|
317
|
+
fields: {
|
|
318
|
+
bindingId: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false }
|
|
319
|
+
}
|
|
320
|
+
});
|
|
321
|
+
var BindingIdPayloadModel = new SchemaModel2({
|
|
322
|
+
name: "BindingIdPayload",
|
|
323
|
+
description: "Payload with binding ID",
|
|
324
|
+
fields: {
|
|
325
|
+
bindingId: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false }
|
|
326
|
+
}
|
|
327
|
+
});
|
|
328
|
+
var CheckPermissionInputModel = new SchemaModel2({
|
|
329
|
+
name: "CheckPermissionInput",
|
|
330
|
+
description: "Input for checking a permission",
|
|
331
|
+
fields: {
|
|
332
|
+
userId: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false },
|
|
333
|
+
orgId: { type: ScalarTypeEnum2.String_unsecure(), isOptional: true },
|
|
334
|
+
permission: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false }
|
|
335
|
+
}
|
|
336
|
+
});
|
|
337
|
+
var ListUserPermissionsInputModel = new SchemaModel2({
|
|
338
|
+
name: "ListUserPermissionsInput",
|
|
339
|
+
description: "Input for listing user permissions",
|
|
340
|
+
fields: {
|
|
341
|
+
userId: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false },
|
|
342
|
+
orgId: { type: ScalarTypeEnum2.String_unsecure(), isOptional: true }
|
|
343
|
+
}
|
|
344
|
+
});
|
|
345
|
+
var ListUserPermissionsOutputModel = new SchemaModel2({
|
|
346
|
+
name: "ListUserPermissionsOutput",
|
|
347
|
+
description: "Output for listing user permissions",
|
|
348
|
+
fields: {
|
|
349
|
+
permissions: {
|
|
350
|
+
type: ScalarTypeEnum2.String_unsecure(),
|
|
351
|
+
isOptional: false,
|
|
352
|
+
isArray: true
|
|
353
|
+
},
|
|
354
|
+
roles: { type: RoleModel, isOptional: false, isArray: true }
|
|
355
|
+
}
|
|
356
|
+
});
|
|
357
|
+
var CreateRoleContract = defineCommand2({
|
|
358
|
+
meta: {
|
|
359
|
+
key: "identity.rbac.role.create",
|
|
360
|
+
version: "1.0.0",
|
|
361
|
+
stability: "stable",
|
|
362
|
+
owners: ["@platform.identity-rbac"],
|
|
363
|
+
tags: ["identity", "rbac", "role", "create"],
|
|
364
|
+
description: "Create a new role with permissions.",
|
|
365
|
+
goal: "Allow admins to define custom roles.",
|
|
366
|
+
context: "Role management in admin settings."
|
|
367
|
+
},
|
|
368
|
+
io: {
|
|
369
|
+
input: CreateRoleInputModel,
|
|
370
|
+
output: RoleModel,
|
|
371
|
+
errors: {
|
|
372
|
+
ROLE_EXISTS: {
|
|
373
|
+
description: "A role with this name already exists",
|
|
374
|
+
http: 409,
|
|
375
|
+
gqlCode: "ROLE_EXISTS",
|
|
376
|
+
when: "Role name is taken"
|
|
377
|
+
}
|
|
378
|
+
}
|
|
379
|
+
},
|
|
380
|
+
policy: {
|
|
381
|
+
auth: "admin"
|
|
382
|
+
},
|
|
383
|
+
sideEffects: {
|
|
384
|
+
audit: ["role.created"]
|
|
385
|
+
}
|
|
386
|
+
});
|
|
387
|
+
var UpdateRoleContract = defineCommand2({
|
|
388
|
+
meta: {
|
|
389
|
+
key: "identity.rbac.role.update",
|
|
390
|
+
version: "1.0.0",
|
|
391
|
+
stability: "stable",
|
|
392
|
+
owners: ["@platform.identity-rbac"],
|
|
393
|
+
tags: ["identity", "rbac", "role", "update"],
|
|
394
|
+
description: "Update an existing role.",
|
|
395
|
+
goal: "Allow admins to modify role permissions.",
|
|
396
|
+
context: "Role management in admin settings."
|
|
397
|
+
},
|
|
398
|
+
io: {
|
|
399
|
+
input: UpdateRoleInputModel,
|
|
400
|
+
output: RoleModel
|
|
401
|
+
},
|
|
402
|
+
policy: {
|
|
403
|
+
auth: "admin"
|
|
404
|
+
},
|
|
405
|
+
sideEffects: {
|
|
406
|
+
audit: ["role.updated"]
|
|
407
|
+
}
|
|
408
|
+
});
|
|
409
|
+
var DeleteRoleContract = defineCommand2({
|
|
410
|
+
meta: {
|
|
411
|
+
key: "identity.rbac.role.delete",
|
|
412
|
+
version: "1.0.0",
|
|
413
|
+
stability: "stable",
|
|
414
|
+
owners: ["@platform.identity-rbac"],
|
|
415
|
+
tags: ["identity", "rbac", "role", "delete"],
|
|
416
|
+
description: "Delete an existing role.",
|
|
417
|
+
goal: "Allow admins to remove unused roles.",
|
|
418
|
+
context: "Role management. Removes all policy bindings using this role."
|
|
419
|
+
},
|
|
420
|
+
io: {
|
|
421
|
+
input: DeleteRoleInputModel,
|
|
422
|
+
output: SuccessResultModel,
|
|
423
|
+
errors: {
|
|
424
|
+
ROLE_IN_USE: {
|
|
425
|
+
description: "Role is still assigned to users or organizations",
|
|
426
|
+
http: 409,
|
|
427
|
+
gqlCode: "ROLE_IN_USE",
|
|
428
|
+
when: "Role has active bindings"
|
|
429
|
+
}
|
|
430
|
+
}
|
|
431
|
+
},
|
|
432
|
+
policy: {
|
|
433
|
+
auth: "admin"
|
|
434
|
+
},
|
|
435
|
+
sideEffects: {
|
|
436
|
+
audit: ["role.deleted"]
|
|
437
|
+
}
|
|
438
|
+
});
|
|
439
|
+
var ListRolesContract = defineQuery2({
|
|
440
|
+
meta: {
|
|
441
|
+
key: "identity.rbac.role.list",
|
|
442
|
+
version: "1.0.0",
|
|
443
|
+
stability: "stable",
|
|
444
|
+
owners: ["@platform.identity-rbac"],
|
|
445
|
+
tags: ["identity", "rbac", "role", "list"],
|
|
446
|
+
description: "List all available roles.",
|
|
447
|
+
goal: "Show available roles for assignment.",
|
|
448
|
+
context: "Role assignment UI."
|
|
449
|
+
},
|
|
450
|
+
io: {
|
|
451
|
+
input: null,
|
|
452
|
+
output: ListRolesOutputModel
|
|
453
|
+
},
|
|
454
|
+
policy: {
|
|
455
|
+
auth: "user"
|
|
456
|
+
}
|
|
457
|
+
});
|
|
458
|
+
var AssignRoleContract = defineCommand2({
|
|
459
|
+
meta: {
|
|
460
|
+
key: "identity.rbac.assign",
|
|
461
|
+
version: "1.0.0",
|
|
462
|
+
stability: "stable",
|
|
463
|
+
owners: ["@platform.identity-rbac"],
|
|
464
|
+
tags: ["identity", "rbac", "assign"],
|
|
465
|
+
description: "Assign a role to a user or organization.",
|
|
466
|
+
goal: "Grant permissions via role assignment.",
|
|
467
|
+
context: "User/org permission management."
|
|
468
|
+
},
|
|
469
|
+
io: {
|
|
470
|
+
input: AssignRoleInputModel,
|
|
471
|
+
output: PolicyBindingModel,
|
|
472
|
+
errors: {
|
|
473
|
+
ROLE_NOT_FOUND: {
|
|
474
|
+
description: "The specified role does not exist",
|
|
475
|
+
http: 404,
|
|
476
|
+
gqlCode: "ROLE_NOT_FOUND",
|
|
477
|
+
when: "Role ID is invalid"
|
|
478
|
+
},
|
|
479
|
+
ALREADY_ASSIGNED: {
|
|
480
|
+
description: "This role is already assigned to the target",
|
|
481
|
+
http: 409,
|
|
482
|
+
gqlCode: "ALREADY_ASSIGNED",
|
|
483
|
+
when: "Binding already exists"
|
|
484
|
+
}
|
|
485
|
+
}
|
|
486
|
+
},
|
|
487
|
+
policy: {
|
|
488
|
+
auth: "admin"
|
|
489
|
+
},
|
|
490
|
+
sideEffects: {
|
|
491
|
+
emits: [
|
|
492
|
+
{
|
|
493
|
+
key: "role.assigned",
|
|
494
|
+
version: "1.0.0",
|
|
495
|
+
when: "Role is assigned",
|
|
496
|
+
payload: PolicyBindingModel
|
|
497
|
+
}
|
|
498
|
+
],
|
|
499
|
+
audit: ["role.assigned"]
|
|
500
|
+
}
|
|
501
|
+
});
|
|
502
|
+
var RevokeRoleContract = defineCommand2({
|
|
503
|
+
meta: {
|
|
504
|
+
key: "identity.rbac.revoke",
|
|
505
|
+
version: "1.0.0",
|
|
506
|
+
stability: "stable",
|
|
507
|
+
owners: ["@platform.identity-rbac"],
|
|
508
|
+
tags: ["identity", "rbac", "revoke"],
|
|
509
|
+
description: "Revoke a role from a user or organization.",
|
|
510
|
+
goal: "Remove permissions via role revocation.",
|
|
511
|
+
context: "User/org permission management."
|
|
512
|
+
},
|
|
513
|
+
io: {
|
|
514
|
+
input: RevokeRoleInputModel,
|
|
515
|
+
output: SuccessResultModel,
|
|
516
|
+
errors: {
|
|
517
|
+
BINDING_NOT_FOUND: {
|
|
518
|
+
description: "The policy binding does not exist",
|
|
519
|
+
http: 404,
|
|
520
|
+
gqlCode: "BINDING_NOT_FOUND",
|
|
521
|
+
when: "Binding ID is invalid"
|
|
522
|
+
}
|
|
523
|
+
}
|
|
524
|
+
},
|
|
525
|
+
policy: {
|
|
526
|
+
auth: "admin"
|
|
527
|
+
},
|
|
528
|
+
sideEffects: {
|
|
529
|
+
emits: [
|
|
530
|
+
{
|
|
531
|
+
key: "role.revoked",
|
|
532
|
+
version: "1.0.0",
|
|
533
|
+
when: "Role is revoked",
|
|
534
|
+
payload: BindingIdPayloadModel
|
|
535
|
+
}
|
|
536
|
+
],
|
|
537
|
+
audit: ["role.revoked"]
|
|
538
|
+
}
|
|
539
|
+
});
|
|
540
|
+
var CheckPermissionContract = defineQuery2({
|
|
541
|
+
meta: {
|
|
542
|
+
key: "identity.rbac.check",
|
|
543
|
+
version: "1.0.0",
|
|
544
|
+
stability: "stable",
|
|
545
|
+
owners: ["@platform.identity-rbac"],
|
|
546
|
+
tags: ["identity", "rbac", "check", "permission"],
|
|
547
|
+
description: "Check if a user has a specific permission.",
|
|
548
|
+
goal: "Authorization check before sensitive operations.",
|
|
549
|
+
context: "Called by other services to verify permissions."
|
|
550
|
+
},
|
|
551
|
+
io: {
|
|
552
|
+
input: CheckPermissionInputModel,
|
|
553
|
+
output: PermissionCheckResultModel
|
|
554
|
+
},
|
|
555
|
+
policy: {
|
|
556
|
+
auth: "user"
|
|
557
|
+
}
|
|
558
|
+
});
|
|
559
|
+
var ListUserPermissionsContract = defineQuery2({
|
|
560
|
+
meta: {
|
|
561
|
+
key: "identity.rbac.permissions",
|
|
562
|
+
version: "1.0.0",
|
|
563
|
+
stability: "stable",
|
|
564
|
+
owners: ["@platform.identity-rbac"],
|
|
565
|
+
tags: ["identity", "rbac", "permissions", "user"],
|
|
566
|
+
description: "List all permissions for a user in a context.",
|
|
567
|
+
goal: "Show what a user can do in an org.",
|
|
568
|
+
context: "UI permission display, debugging."
|
|
569
|
+
},
|
|
570
|
+
io: {
|
|
571
|
+
input: ListUserPermissionsInputModel,
|
|
572
|
+
output: ListUserPermissionsOutputModel
|
|
573
|
+
},
|
|
574
|
+
policy: {
|
|
575
|
+
auth: "user"
|
|
576
|
+
}
|
|
577
|
+
});
|
|
578
|
+
export {
|
|
579
|
+
UpdateRoleInputModel,
|
|
580
|
+
UpdateRoleContract,
|
|
581
|
+
RoleModel,
|
|
582
|
+
RevokeRoleInputModel,
|
|
583
|
+
RevokeRoleContract,
|
|
584
|
+
PolicyBindingModel,
|
|
585
|
+
PermissionCheckResultModel,
|
|
586
|
+
ListUserPermissionsOutputModel,
|
|
587
|
+
ListUserPermissionsInputModel,
|
|
588
|
+
ListUserPermissionsContract,
|
|
589
|
+
ListRolesOutputModel,
|
|
590
|
+
ListRolesContract,
|
|
591
|
+
DeleteRoleInputModel,
|
|
592
|
+
DeleteRoleContract,
|
|
593
|
+
CreateRoleInputModel,
|
|
594
|
+
CreateRoleContract,
|
|
595
|
+
CheckPermissionInputModel,
|
|
596
|
+
CheckPermissionContract,
|
|
597
|
+
BindingIdPayloadModel,
|
|
598
|
+
AssignRoleInputModel,
|
|
599
|
+
AssignRoleContract
|
|
600
|
+
};
|