@contractspec/lib.identity-rbac 1.57.0 → 1.58.0

package/dist/browser/contracts/user.js

@@ -0,0 +1,235 @@
+// src/contracts/user.ts
+import { SchemaModel, ScalarTypeEnum } from "@contractspec/lib.schema";
+import { defineCommand, defineQuery } from "@contractspec/lib.contracts";
+var OWNERS = ["platform.identity-rbac"];
+var UserProfileModel = new SchemaModel({
+  name: "UserProfile",
+  description: "User profile information",
+  fields: {
+    id: { type: ScalarTypeEnum.String_unsecure(), isOptional: false },
+    email: { type: ScalarTypeEnum.EmailAddress(), isOptional: false },
+    emailVerified: { type: ScalarTypeEnum.Boolean(), isOptional: false },
+    name: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },
+    firstName: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },
+    lastName: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },
+    locale: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },
+    timezone: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },
+    imageUrl: { type: ScalarTypeEnum.URL(), isOptional: true },
+    role: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },
+    onboardingCompleted: { type: ScalarTypeEnum.Boolean(), isOptional: false },
+    createdAt: { type: ScalarTypeEnum.DateTime(), isOptional: false }
+  }
+});
+var CreateUserInputModel = new SchemaModel({
+  name: "CreateUserInput",
+  description: "Input for creating a new user",
+  fields: {
+    email: { type: ScalarTypeEnum.EmailAddress(), isOptional: false },
+    name: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },
+    firstName: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },
+    lastName: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },
+    password: { type: ScalarTypeEnum.String_unsecure(), isOptional: true }
+  }
+});
+var UpdateUserInputModel = new SchemaModel({
+  name: "UpdateUserInput",
+  description: "Input for updating a user profile",
+  fields: {
+    name: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },
+    firstName: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },
+    lastName: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },
+    locale: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },
+    timezone: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },
+    imageUrl: { type: ScalarTypeEnum.URL(), isOptional: true }
+  }
+});
+var DeleteUserInputModel = new SchemaModel({
+  name: "DeleteUserInput",
+  description: "Input for deleting a user",
+  fields: {
+    confirmEmail: { type: ScalarTypeEnum.EmailAddress(), isOptional: false }
+  }
+});
+var SuccessResultModel = new SchemaModel({
+  name: "SuccessResult",
+  description: "Simple success result",
+  fields: {
+    success: { type: ScalarTypeEnum.Boolean(), isOptional: false }
+  }
+});
+var UserDeletedPayloadModel = new SchemaModel({
+  name: "UserDeletedPayload",
+  description: "Payload for user deleted event",
+  fields: {
+    userId: { type: ScalarTypeEnum.String_unsecure(), isOptional: false }
+  }
+});
+var ListUsersInputModel = new SchemaModel({
+  name: "ListUsersInput",
+  description: "Input for listing users",
+  fields: {
+    limit: { type: ScalarTypeEnum.Int_unsecure(), isOptional: true },
+    offset: { type: ScalarTypeEnum.Int_unsecure(), isOptional: true },
+    search: { type: ScalarTypeEnum.String_unsecure(), isOptional: true }
+  }
+});
+var ListUsersOutputModel = new SchemaModel({
+  name: "ListUsersOutput",
+  description: "Output for listing users",
+  fields: {
+    users: { type: UserProfileModel, isOptional: false, isArray: true },
+    total: { type: ScalarTypeEnum.Int_unsecure(), isOptional: false }
+  }
+});
+var CreateUserContract = defineCommand({
+  meta: {
+    key: "identity.user.create",
+    version: "1.0.0",
+    stability: "stable",
+    owners: [...OWNERS],
+    tags: ["identity", "user", "create"],
+    description: "Create a new user account.",
+    goal: "Register a new user in the system.",
+    context: "Used during signup flows. May trigger email verification."
+  },
+  io: {
+    input: CreateUserInputModel,
+    output: UserProfileModel,
+    errors: {
+      EMAIL_EXISTS: {
+        description: "A user with this email already exists",
+        http: 409,
+        gqlCode: "EMAIL_EXISTS",
+        when: "Email is already registered"
+      }
+    }
+  },
+  policy: {
+    auth: "anonymous"
+  },
+  sideEffects: {
+    emits: [
+      {
+        key: "user.created",
+        version: "1.0.0",
+        when: "User is successfully created",
+        payload: UserProfileModel
+      }
+    ],
+    audit: ["user.created"]
+  }
+});
+var GetCurrentUserContract = defineQuery({
+  meta: {
+    key: "identity.user.me",
+    version: "1.0.0",
+    stability: "stable",
+    owners: [...OWNERS],
+    tags: ["identity", "user", "profile"],
+    description: "Get the current authenticated user profile.",
+    goal: "Retrieve user profile for the authenticated session.",
+    context: "Called on app load and after profile updates."
+  },
+  io: {
+    input: null,
+    output: UserProfileModel
+  },
+  policy: {
+    auth: "user"
+  }
+});
+var UpdateUserContract = defineCommand({
+  meta: {
+    key: "identity.user.update",
+    version: "1.0.0",
+    stability: "stable",
+    owners: [...OWNERS],
+    tags: ["identity", "user", "update"],
+    description: "Update user profile information.",
+    goal: "Allow users to update their profile.",
+    context: "Self-service profile updates."
+  },
+  io: {
+    input: UpdateUserInputModel,
+    output: UserProfileModel
+  },
+  policy: {
+    auth: "user"
+  },
+  sideEffects: {
+    emits: [
+      {
+        key: "user.updated",
+        version: "1.0.0",
+        when: "User profile is updated",
+        payload: UserProfileModel
+      }
+    ],
+    audit: ["user.updated"]
+  }
+});
+var DeleteUserContract = defineCommand({
+  meta: {
+    key: "identity.user.delete",
+    version: "1.0.0",
+    stability: "stable",
+    owners: [...OWNERS],
+    tags: ["identity", "user", "delete"],
+    description: "Delete user account and all associated data.",
+    goal: "Allow users to delete their account (GDPR compliance).",
+    context: "Self-service account deletion. Cascades to memberships, sessions, etc."
+  },
+  io: {
+    input: DeleteUserInputModel,
+    output: SuccessResultModel
+  },
+  policy: {
+    auth: "user",
+    escalate: "human_review"
+  },
+  sideEffects: {
+    emits: [
+      {
+        key: "user.deleted",
+        version: "1.0.0",
+        when: "User account is deleted",
+        payload: UserDeletedPayloadModel
+      }
+    ],
+    audit: ["user.deleted"]
+  }
+});
+var ListUsersContract = defineQuery({
+  meta: {
+    key: "identity.user.list",
+    version: "1.0.0",
+    stability: "stable",
+    owners: [...OWNERS],
+    tags: ["identity", "user", "admin", "list"],
+    description: "List all users (admin only).",
+    goal: "Allow admins to browse and manage users.",
+    context: "Admin dashboard user management."
+  },
+  io: {
+    input: ListUsersInputModel,
+    output: ListUsersOutputModel
+  },
+  policy: {
+    auth: "admin"
+  }
+});
+export {
+  UserProfileModel,
+  UserDeletedPayloadModel,
+  UpdateUserInputModel,
+  UpdateUserContract,
+  SuccessResultModel,
+  ListUsersOutputModel,
+  ListUsersInputModel,
+  ListUsersContract,
+  GetCurrentUserContract,
+  DeleteUserInputModel,
+  DeleteUserContract,
+  CreateUserInputModel,
+  CreateUserContract
+};

package/dist/browser/entities/index.js

@@ -0,0 +1,464 @@
+// src/entities/user.ts
+import { defineEntity, field, index } from "@contractspec/lib.schema";
+var UserEntity = defineEntity({
+  name: "User",
+  description: "A user of the platform. Users hold core profile information and authenticate via Account records.",
+  schema: "lssm_sigil",
+  map: "user",
+  fields: {
+    id: field.id({ description: "Unique user identifier" }),
+    email: field.email({ isUnique: true, description: "User email address" }),
+    emailVerified: field.boolean({
+      default: false,
+      description: "Whether email has been verified"
+    }),
+    name: field.string({ isOptional: true, description: "Display name" }),
+    firstName: field.string({ isOptional: true, description: "First name" }),
+    lastName: field.string({ isOptional: true, description: "Last name" }),
+    locale: field.string({
+      isOptional: true,
+      description: 'User locale (e.g., "en-US")'
+    }),
+    timezone: field.string({
+      isOptional: true,
+      description: 'Olson timezone (e.g., "Europe/Paris")'
+    }),
+    imageUrl: field.url({
+      isOptional: true,
+      description: "URL of avatar or profile picture"
+    }),
+    image: field.string({
+      isOptional: true,
+      description: "Legacy image field"
+    }),
+    metadata: field.json({
+      isOptional: true,
+      description: "Arbitrary user metadata"
+    }),
+    onboardingCompleted: field.boolean({
+      default: false,
+      description: "Whether onboarding is complete"
+    }),
+    onboardingStep: field.string({
+      isOptional: true,
+      description: "Current onboarding step"
+    }),
+    whitelistedAt: field.dateTime({
+      isOptional: true,
+      description: "When user was whitelisted"
+    }),
+    role: field.string({
+      isOptional: true,
+      default: '"user"',
+      description: "User role (user, admin)"
+    }),
+    banned: field.boolean({
+      default: false,
+      description: "Whether user is banned"
+    }),
+    banReason: field.string({
+      isOptional: true,
+      description: "Reason for ban"
+    }),
+    banExpires: field.dateTime({
+      isOptional: true,
+      description: "When ban expires"
+    }),
+    phoneNumber: field.string({
+      isOptional: true,
+      isUnique: true,
+      description: "Phone number"
+    }),
+    phoneNumberVerified: field.boolean({
+      default: false,
+      description: "Whether phone is verified"
+    }),
+    createdAt: field.createdAt(),
+    updatedAt: field.updatedAt(),
+    sessions: field.hasMany("Session"),
+    accounts: field.hasMany("Account"),
+    memberships: field.hasMany("Member"),
+    invitations: field.hasMany("Invitation"),
+    teamMemberships: field.hasMany("TeamMember"),
+    policyBindings: field.hasMany("PolicyBinding"),
+    apiKeys: field.hasMany("ApiKey"),
+    passkeys: field.hasMany("Passkey")
+  }
+});
+var SessionEntity = defineEntity({
+  name: "Session",
+  description: "Represents a login session (e.g., web session or API token).",
+  schema: "lssm_sigil",
+  map: "session",
+  fields: {
+    id: field.id(),
+    userId: field.foreignKey(),
+    expiresAt: field.dateTime({ description: "Session expiration time" }),
+    token: field.string({ isUnique: true, description: "Session token" }),
+    ipAddress: field.string({
+      isOptional: true,
+      description: "Client IP address"
+    }),
+    userAgent: field.string({
+      isOptional: true,
+      description: "Client user agent"
+    }),
+    impersonatedBy: field.string({
+      isOptional: true,
+      description: "Admin impersonating this session"
+    }),
+    activeOrganizationId: field.string({
+      isOptional: true,
+      description: "Active org context"
+    }),
+    activeTeamId: field.string({
+      isOptional: true,
+      description: "Active team context"
+    }),
+    createdAt: field.createdAt(),
+    updatedAt: field.updatedAt(),
+    user: field.belongsTo("User", ["userId"], ["id"], { onDelete: "Cascade" })
+  }
+});
+var AccountEntity = defineEntity({
+  name: "Account",
+  description: "External authentication accounts (OAuth, password, etc.).",
+  schema: "lssm_sigil",
+  map: "account",
+  fields: {
+    id: field.id(),
+    accountId: field.string({ description: "Account ID from provider" }),
+    providerId: field.string({ description: "Provider identifier" }),
+    userId: field.foreignKey(),
+    accessToken: field.string({ isOptional: true }),
+    refreshToken: field.string({ isOptional: true }),
+    idToken: field.string({ isOptional: true }),
+    accessTokenExpiresAt: field.dateTime({ isOptional: true }),
+    refreshTokenExpiresAt: field.dateTime({ isOptional: true }),
+    scope: field.string({ isOptional: true }),
+    password: field.string({
+      isOptional: true,
+      description: "Hashed password for password providers"
+    }),
+    createdAt: field.createdAt(),
+    updatedAt: field.updatedAt(),
+    user: field.belongsTo("User", ["userId"], ["id"], { onDelete: "Cascade" })
+  },
+  indexes: [index.unique(["accountId", "providerId"])]
+});
+var VerificationEntity = defineEntity({
+  name: "Verification",
+  description: "Verification tokens for email/phone confirmation.",
+  schema: "lssm_sigil",
+  map: "verification",
+  fields: {
+    id: field.uuid(),
+    identifier: field.string({ description: "Email or phone being verified" }),
+    value: field.string({ description: "Verification code/token" }),
+    expiresAt: field.dateTime({ description: "Token expiration" }),
+    createdAt: field.createdAt(),
+    updatedAt: field.updatedAt()
+  }
+});
+
+// src/entities/organization.ts
+import {
+  defineEntity as defineEntity2,
+  defineEntityEnum,
+  field as field2,
+  index as index2
+} from "@contractspec/lib.schema";
+var OrganizationTypeEnum = defineEntityEnum({
+  name: "OrganizationType",
+  values: ["PLATFORM_ADMIN", "CONTRACT_SPEC_CUSTOMER"],
+  schema: "lssm_sigil",
+  description: "Type of organization in the platform."
+});
+var OrganizationEntity = defineEntity2({
+  name: "Organization",
+  description: "An organization is a tenant boundary grouping users.",
+  schema: "lssm_sigil",
+  map: "organization",
+  fields: {
+    id: field2.id({ description: "Unique organization identifier" }),
+    name: field2.string({ description: "Organization display name" }),
+    slug: field2.string({
+      isOptional: true,
+      isUnique: true,
+      description: "URL-friendly identifier"
+    }),
+    logo: field2.url({ isOptional: true, description: "Organization logo URL" }),
+    description: field2.string({
+      isOptional: true,
+      description: "Organization description"
+    }),
+    metadata: field2.json({
+      isOptional: true,
+      description: "Arbitrary organization metadata"
+    }),
+    type: field2.enum("OrganizationType", { description: "Organization type" }),
+    onboardingCompleted: field2.boolean({ default: false }),
+    onboardingStep: field2.string({ isOptional: true }),
+    referralCode: field2.string({
+      isOptional: true,
+      isUnique: true,
+      description: "Unique referral code"
+    }),
+    referredBy: field2.string({
+      isOptional: true,
+      description: "ID of referring user"
+    }),
+    createdAt: field2.createdAt(),
+    updatedAt: field2.updatedAt(),
+    members: field2.hasMany("Member"),
+    invitations: field2.hasMany("Invitation"),
+    teams: field2.hasMany("Team"),
+    policyBindings: field2.hasMany("PolicyBinding")
+  },
+  enums: [OrganizationTypeEnum]
+});
+var MemberEntity = defineEntity2({
+  name: "Member",
+  description: "Membership of a user in an organization with a role.",
+  schema: "lssm_sigil",
+  map: "member",
+  fields: {
+    id: field2.id(),
+    userId: field2.foreignKey(),
+    organizationId: field2.foreignKey(),
+    role: field2.string({
+      description: "Role in organization (owner, admin, member)"
+    }),
+    createdAt: field2.createdAt(),
+    user: field2.belongsTo("User", ["userId"], ["id"], { onDelete: "Cascade" }),
+    organization: field2.belongsTo("Organization", ["organizationId"], ["id"], {
+      onDelete: "Cascade"
+    })
+  },
+  indexes: [index2.unique(["userId", "organizationId"])]
+});
+var InvitationEntity = defineEntity2({
+  name: "Invitation",
+  description: "An invitation to join an organization.",
+  schema: "lssm_sigil",
+  map: "invitation",
+  fields: {
+    id: field2.id(),
+    organizationId: field2.foreignKey(),
+    email: field2.email({ description: "Invited email address" }),
+    role: field2.string({
+      isOptional: true,
+      description: "Role to assign on acceptance"
+    }),
+    status: field2.string({
+      default: '"pending"',
+      description: "Invitation status"
+    }),
+    acceptedAt: field2.dateTime({ isOptional: true }),
+    expiresAt: field2.dateTime({ isOptional: true }),
+    inviterId: field2.foreignKey({
+      description: "User who sent the invitation"
+    }),
+    teamId: field2.string({ isOptional: true }),
+    createdAt: field2.createdAt(),
+    updatedAt: field2.updatedAt(),
+    organization: field2.belongsTo("Organization", ["organizationId"], ["id"], {
+      onDelete: "Cascade"
+    }),
+    inviter: field2.belongsTo("User", ["inviterId"], ["id"], {
+      onDelete: "Cascade"
+    }),
+    team: field2.belongsTo("Team", ["teamId"], ["id"], { onDelete: "Cascade" })
+  }
+});
+var TeamEntity = defineEntity2({
+  name: "Team",
+  description: "Team within an organization.",
+  schema: "lssm_sigil",
+  map: "team",
+  fields: {
+    id: field2.id(),
+    name: field2.string({ description: "Team name" }),
+    organizationId: field2.foreignKey(),
+    createdAt: field2.createdAt(),
+    updatedAt: field2.updatedAt(),
+    organization: field2.belongsTo("Organization", ["organizationId"], ["id"], {
+      onDelete: "Cascade"
+    }),
+    members: field2.hasMany("TeamMember"),
+    invitations: field2.hasMany("Invitation")
+  }
+});
+var TeamMemberEntity = defineEntity2({
+  name: "TeamMember",
+  description: "Team membership for a user.",
+  schema: "lssm_sigil",
+  map: "team_member",
+  fields: {
+    id: field2.id(),
+    teamId: field2.foreignKey(),
+    userId: field2.foreignKey(),
+    createdAt: field2.createdAt(),
+    team: field2.belongsTo("Team", ["teamId"], ["id"], { onDelete: "Cascade" }),
+    user: field2.belongsTo("User", ["userId"], ["id"], { onDelete: "Cascade" })
+  }
+});
+
+// src/entities/rbac.ts
+import { defineEntity as defineEntity3, field as field3, index as index3 } from "@contractspec/lib.schema";
+var RoleEntity = defineEntity3({
+  name: "Role",
+  description: "A role defines a named set of permissions.",
+  schema: "lssm_sigil",
+  map: "role",
+  fields: {
+    id: field3.id(),
+    name: field3.string({ isUnique: true, description: "Unique role name" }),
+    description: field3.string({
+      isOptional: true,
+      description: "Role description"
+    }),
+    permissions: field3.string({
+      isArray: true,
+      description: "Array of permission names"
+    }),
+    createdAt: field3.createdAt(),
+    updatedAt: field3.updatedAt(),
+    policyBindings: field3.hasMany("PolicyBinding")
+  }
+});
+var PermissionEntity = defineEntity3({
+  name: "Permission",
+  description: "A permission represents an atomic access right.",
+  schema: "lssm_sigil",
+  map: "permission",
+  fields: {
+    id: field3.id(),
+    name: field3.string({
+      isUnique: true,
+      description: "Unique permission name"
+    }),
+    description: field3.string({
+      isOptional: true,
+      description: "Permission description"
+    }),
+    createdAt: field3.createdAt(),
+    updatedAt: field3.updatedAt()
+  }
+});
+var PolicyBindingEntity = defineEntity3({
+  name: "PolicyBinding",
+  description: "Binds roles to principals (users or organizations).",
+  schema: "lssm_sigil",
+  map: "policy_binding",
+  fields: {
+    id: field3.id(),
+    roleId: field3.foreignKey(),
+    targetType: field3.string({ description: '"user" or "organization"' }),
+    targetId: field3.string({ description: "ID of User or Organization" }),
+    expiresAt: field3.dateTime({
+      isOptional: true,
+      description: "When binding expires"
+    }),
+    createdAt: field3.createdAt(),
+    userId: field3.string({ isOptional: true }),
+    organizationId: field3.string({ isOptional: true }),
+    role: field3.belongsTo("Role", ["roleId"], ["id"], { onDelete: "Cascade" }),
+    user: field3.belongsTo("User", ["userId"], ["id"]),
+    organization: field3.belongsTo("Organization", ["organizationId"], ["id"])
+  },
+  indexes: [index3.on(["targetType", "targetId"])]
+});
+var ApiKeyEntity = defineEntity3({
+  name: "ApiKey",
+  description: "API keys for programmatic access.",
+  schema: "lssm_sigil",
+  map: "api_key",
+  fields: {
+    id: field3.id(),
+    name: field3.string({ description: "API key name" }),
+    start: field3.string({
+      description: "Starting characters for identification"
+    }),
+    prefix: field3.string({ description: "API key prefix" }),
+    key: field3.string({ description: "Hashed API key" }),
+    userId: field3.foreignKey(),
+    refillInterval: field3.int({ description: "Refill interval in ms" }),
+    refillAmount: field3.int({ description: "Amount to refill" }),
+    lastRefillAt: field3.dateTime(),
+    remaining: field3.int({ description: "Remaining requests" }),
+    requestCount: field3.int({ description: "Total requests made" }),
+    lastRequest: field3.dateTime(),
+    enabled: field3.boolean({ default: true }),
+    rateLimitEnabled: field3.boolean({ default: true }),
+    rateLimitTimeWindow: field3.int({ description: "Rate limit window in ms" }),
+    rateLimitMax: field3.int({ description: "Max requests in window" }),
+    expiresAt: field3.dateTime(),
+    permissions: field3.string({ isArray: true }),
+    metadata: field3.json({ isOptional: true }),
+    createdAt: field3.createdAt(),
+    updatedAt: field3.updatedAt(),
+    user: field3.belongsTo("User", ["userId"], ["id"], { onDelete: "Cascade" })
+  }
+});
+var PasskeyEntity = defineEntity3({
+  name: "Passkey",
+  description: "WebAuthn passkeys for passwordless authentication.",
+  schema: "lssm_sigil",
+  map: "passkey",
+  fields: {
+    id: field3.id(),
+    name: field3.string({ description: "Passkey name" }),
+    publicKey: field3.string({ description: "Public key" }),
+    userId: field3.foreignKey(),
+    credentialID: field3.string({ description: "Credential ID" }),
+    counter: field3.int({ description: "Counter" }),
+    deviceType: field3.string({ description: "Device type" }),
+    backedUp: field3.boolean({ description: "Whether passkey is backed up" }),
+    transports: field3.string({ description: "Transports" }),
+    aaguid: field3.string({ description: "Authenticator GUID" }),
+    createdAt: field3.createdAt(),
+    user: field3.belongsTo("User", ["userId"], ["id"], { onDelete: "Cascade" })
+  }
+});
+// src/entities/index.ts
+var identityRbacEntities = [
+  UserEntity,
+  SessionEntity,
+  AccountEntity,
+  VerificationEntity,
+  OrganizationEntity,
+  MemberEntity,
+  InvitationEntity,
+  TeamEntity,
+  TeamMemberEntity,
+  RoleEntity,
+  PermissionEntity,
+  PolicyBindingEntity,
+  ApiKeyEntity,
+  PasskeyEntity
+];
+var identityRbacSchemaContribution = {
+  moduleId: "@contractspec/lib.identity-rbac",
+  entities: identityRbacEntities,
+  enums: [OrganizationTypeEnum]
+};
+export {
+  identityRbacSchemaContribution,
+  identityRbacEntities,
+  VerificationEntity,
+  UserEntity,
+  TeamMemberEntity,
+  TeamEntity,
+  SessionEntity,
+  RoleEntity,
+  PolicyBindingEntity,
+  PermissionEntity,
+  PasskeyEntity,
+  OrganizationTypeEnum,
+  OrganizationEntity,
+  MemberEntity,
+  InvitationEntity,
+  ApiKeyEntity,
+  AccountEntity
+};