@contractspec/lib.identity-rbac 1.57.0 → 1.58.0

package/dist/browser/index.js

@@ -0,0 +1,2099 @@
+// src/contracts/user.ts
+import { SchemaModel, ScalarTypeEnum } from "@contractspec/lib.schema";
+import { defineCommand, defineQuery } from "@contractspec/lib.contracts";
+var OWNERS = ["platform.identity-rbac"];
+var UserProfileModel = new SchemaModel({
+  name: "UserProfile",
+  description: "User profile information",
+  fields: {
+    id: { type: ScalarTypeEnum.String_unsecure(), isOptional: false },
+    email: { type: ScalarTypeEnum.EmailAddress(), isOptional: false },
+    emailVerified: { type: ScalarTypeEnum.Boolean(), isOptional: false },
+    name: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },
+    firstName: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },
+    lastName: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },
+    locale: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },
+    timezone: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },
+    imageUrl: { type: ScalarTypeEnum.URL(), isOptional: true },
+    role: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },
+    onboardingCompleted: { type: ScalarTypeEnum.Boolean(), isOptional: false },
+    createdAt: { type: ScalarTypeEnum.DateTime(), isOptional: false }
+  }
+});
+var CreateUserInputModel = new SchemaModel({
+  name: "CreateUserInput",
+  description: "Input for creating a new user",
+  fields: {
+    email: { type: ScalarTypeEnum.EmailAddress(), isOptional: false },
+    name: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },
+    firstName: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },
+    lastName: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },
+    password: { type: ScalarTypeEnum.String_unsecure(), isOptional: true }
+  }
+});
+var UpdateUserInputModel = new SchemaModel({
+  name: "UpdateUserInput",
+  description: "Input for updating a user profile",
+  fields: {
+    name: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },
+    firstName: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },
+    lastName: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },
+    locale: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },
+    timezone: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },
+    imageUrl: { type: ScalarTypeEnum.URL(), isOptional: true }
+  }
+});
+var DeleteUserInputModel = new SchemaModel({
+  name: "DeleteUserInput",
+  description: "Input for deleting a user",
+  fields: {
+    confirmEmail: { type: ScalarTypeEnum.EmailAddress(), isOptional: false }
+  }
+});
+var SuccessResultModel = new SchemaModel({
+  name: "SuccessResult",
+  description: "Simple success result",
+  fields: {
+    success: { type: ScalarTypeEnum.Boolean(), isOptional: false }
+  }
+});
+var UserDeletedPayloadModel = new SchemaModel({
+  name: "UserDeletedPayload",
+  description: "Payload for user deleted event",
+  fields: {
+    userId: { type: ScalarTypeEnum.String_unsecure(), isOptional: false }
+  }
+});
+var ListUsersInputModel = new SchemaModel({
+  name: "ListUsersInput",
+  description: "Input for listing users",
+  fields: {
+    limit: { type: ScalarTypeEnum.Int_unsecure(), isOptional: true },
+    offset: { type: ScalarTypeEnum.Int_unsecure(), isOptional: true },
+    search: { type: ScalarTypeEnum.String_unsecure(), isOptional: true }
+  }
+});
+var ListUsersOutputModel = new SchemaModel({
+  name: "ListUsersOutput",
+  description: "Output for listing users",
+  fields: {
+    users: { type: UserProfileModel, isOptional: false, isArray: true },
+    total: { type: ScalarTypeEnum.Int_unsecure(), isOptional: false }
+  }
+});
+var CreateUserContract = defineCommand({
+  meta: {
+    key: "identity.user.create",
+    version: "1.0.0",
+    stability: "stable",
+    owners: [...OWNERS],
+    tags: ["identity", "user", "create"],
+    description: "Create a new user account.",
+    goal: "Register a new user in the system.",
+    context: "Used during signup flows. May trigger email verification."
+  },
+  io: {
+    input: CreateUserInputModel,
+    output: UserProfileModel,
+    errors: {
+      EMAIL_EXISTS: {
+        description: "A user with this email already exists",
+        http: 409,
+        gqlCode: "EMAIL_EXISTS",
+        when: "Email is already registered"
+      }
+    }
+  },
+  policy: {
+    auth: "anonymous"
+  },
+  sideEffects: {
+    emits: [
+      {
+        key: "user.created",
+        version: "1.0.0",
+        when: "User is successfully created",
+        payload: UserProfileModel
+      }
+    ],
+    audit: ["user.created"]
+  }
+});
+var GetCurrentUserContract = defineQuery({
+  meta: {
+    key: "identity.user.me",
+    version: "1.0.0",
+    stability: "stable",
+    owners: [...OWNERS],
+    tags: ["identity", "user", "profile"],
+    description: "Get the current authenticated user profile.",
+    goal: "Retrieve user profile for the authenticated session.",
+    context: "Called on app load and after profile updates."
+  },
+  io: {
+    input: null,
+    output: UserProfileModel
+  },
+  policy: {
+    auth: "user"
+  }
+});
+var UpdateUserContract = defineCommand({
+  meta: {
+    key: "identity.user.update",
+    version: "1.0.0",
+    stability: "stable",
+    owners: [...OWNERS],
+    tags: ["identity", "user", "update"],
+    description: "Update user profile information.",
+    goal: "Allow users to update their profile.",
+    context: "Self-service profile updates."
+  },
+  io: {
+    input: UpdateUserInputModel,
+    output: UserProfileModel
+  },
+  policy: {
+    auth: "user"
+  },
+  sideEffects: {
+    emits: [
+      {
+        key: "user.updated",
+        version: "1.0.0",
+        when: "User profile is updated",
+        payload: UserProfileModel
+      }
+    ],
+    audit: ["user.updated"]
+  }
+});
+var DeleteUserContract = defineCommand({
+  meta: {
+    key: "identity.user.delete",
+    version: "1.0.0",
+    stability: "stable",
+    owners: [...OWNERS],
+    tags: ["identity", "user", "delete"],
+    description: "Delete user account and all associated data.",
+    goal: "Allow users to delete their account (GDPR compliance).",
+    context: "Self-service account deletion. Cascades to memberships, sessions, etc."
+  },
+  io: {
+    input: DeleteUserInputModel,
+    output: SuccessResultModel
+  },
+  policy: {
+    auth: "user",
+    escalate: "human_review"
+  },
+  sideEffects: {
+    emits: [
+      {
+        key: "user.deleted",
+        version: "1.0.0",
+        when: "User account is deleted",
+        payload: UserDeletedPayloadModel
+      }
+    ],
+    audit: ["user.deleted"]
+  }
+});
+var ListUsersContract = defineQuery({
+  meta: {
+    key: "identity.user.list",
+    version: "1.0.0",
+    stability: "stable",
+    owners: [...OWNERS],
+    tags: ["identity", "user", "admin", "list"],
+    description: "List all users (admin only).",
+    goal: "Allow admins to browse and manage users.",
+    context: "Admin dashboard user management."
+  },
+  io: {
+    input: ListUsersInputModel,
+    output: ListUsersOutputModel
+  },
+  policy: {
+    auth: "admin"
+  }
+});
+
+// src/contracts/organization.ts
+import { ScalarTypeEnum as ScalarTypeEnum2, SchemaModel as SchemaModel2 } from "@contractspec/lib.schema";
+import { defineCommand as defineCommand2, defineQuery as defineQuery2 } from "@contractspec/lib.contracts";
+var OWNERS2 = ["platform.identity-rbac"];
+var OrganizationModel = new SchemaModel2({
+  name: "Organization",
+  description: "Organization details",
+  fields: {
+    id: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false },
+    name: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false },
+    slug: { type: ScalarTypeEnum2.String_unsecure(), isOptional: true },
+    logo: { type: ScalarTypeEnum2.URL(), isOptional: true },
+    description: { type: ScalarTypeEnum2.String_unsecure(), isOptional: true },
+    type: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false },
+    onboardingCompleted: { type: ScalarTypeEnum2.Boolean(), isOptional: false },
+    createdAt: { type: ScalarTypeEnum2.DateTime(), isOptional: false }
+  }
+});
+var MemberUserModel = new SchemaModel2({
+  name: "MemberUser",
+  description: "Basic user info within a member",
+  fields: {
+    id: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false },
+    email: { type: ScalarTypeEnum2.EmailAddress(), isOptional: false },
+    name: { type: ScalarTypeEnum2.String_unsecure(), isOptional: true }
+  }
+});
+var MemberModel = new SchemaModel2({
+  name: "Member",
+  description: "Organization member",
+  fields: {
+    id: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false },
+    userId: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false },
+    organizationId: {
+      type: ScalarTypeEnum2.String_unsecure(),
+      isOptional: false
+    },
+    role: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false },
+    createdAt: { type: ScalarTypeEnum2.DateTime(), isOptional: false },
+    user: { type: MemberUserModel, isOptional: false }
+  }
+});
+var InvitationModel = new SchemaModel2({
+  name: "Invitation",
+  description: "Organization invitation",
+  fields: {
+    id: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false },
+    email: { type: ScalarTypeEnum2.EmailAddress(), isOptional: false },
+    role: { type: ScalarTypeEnum2.String_unsecure(), isOptional: true },
+    status: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false },
+    expiresAt: { type: ScalarTypeEnum2.DateTime(), isOptional: true },
+    createdAt: { type: ScalarTypeEnum2.DateTime(), isOptional: false }
+  }
+});
+var CreateOrgInputModel = new SchemaModel2({
+  name: "CreateOrgInput",
+  description: "Input for creating an organization",
+  fields: {
+    name: { type: ScalarTypeEnum2.NonEmptyString(), isOptional: false },
+    slug: { type: ScalarTypeEnum2.String_unsecure(), isOptional: true },
+    description: { type: ScalarTypeEnum2.String_unsecure(), isOptional: true },
+    type: { type: ScalarTypeEnum2.String_unsecure(), isOptional: true }
+  }
+});
+var GetOrgInputModel = new SchemaModel2({
+  name: "GetOrgInput",
+  description: "Input for getting an organization",
+  fields: {
+    orgId: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false }
+  }
+});
+var UpdateOrgInputModel = new SchemaModel2({
+  name: "UpdateOrgInput",
+  description: "Input for updating an organization",
+  fields: {
+    orgId: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false },
+    name: { type: ScalarTypeEnum2.String_unsecure(), isOptional: true },
+    slug: { type: ScalarTypeEnum2.String_unsecure(), isOptional: true },
+    logo: { type: ScalarTypeEnum2.URL(), isOptional: true },
+    description: { type: ScalarTypeEnum2.String_unsecure(), isOptional: true }
+  }
+});
+var InviteMemberInputModel = new SchemaModel2({
+  name: "InviteMemberInput",
+  description: "Input for inviting a member",
+  fields: {
+    orgId: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false },
+    email: { type: ScalarTypeEnum2.EmailAddress(), isOptional: false },
+    role: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false },
+    teamId: { type: ScalarTypeEnum2.String_unsecure(), isOptional: true }
+  }
+});
+var AcceptInviteInputModel = new SchemaModel2({
+  name: "AcceptInviteInput",
+  description: "Input for accepting an invitation",
+  fields: {
+    invitationId: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false }
+  }
+});
+var RemoveMemberInputModel = new SchemaModel2({
+  name: "RemoveMemberInput",
+  description: "Input for removing a member",
+  fields: {
+    orgId: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false },
+    userId: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false }
+  }
+});
+var MemberRemovedPayloadModel = new SchemaModel2({
+  name: "MemberRemovedPayload",
+  description: "Payload for member removed event",
+  fields: {
+    orgId: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false },
+    userId: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false }
+  }
+});
+var ListMembersInputModel = new SchemaModel2({
+  name: "ListMembersInput",
+  description: "Input for listing members",
+  fields: {
+    orgId: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false },
+    limit: { type: ScalarTypeEnum2.Int_unsecure(), isOptional: true },
+    offset: { type: ScalarTypeEnum2.Int_unsecure(), isOptional: true }
+  }
+});
+var ListMembersOutputModel = new SchemaModel2({
+  name: "ListMembersOutput",
+  description: "Output for listing members",
+  fields: {
+    members: { type: MemberModel, isOptional: false, isArray: true },
+    total: { type: ScalarTypeEnum2.Int_unsecure(), isOptional: false }
+  }
+});
+var OrganizationWithRoleModel = new SchemaModel2({
+  name: "OrganizationWithRole",
+  description: "Organization with user role",
+  fields: {
+    id: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false },
+    name: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false },
+    slug: { type: ScalarTypeEnum2.String_unsecure(), isOptional: true },
+    logo: { type: ScalarTypeEnum2.URL(), isOptional: true },
+    description: { type: ScalarTypeEnum2.String_unsecure(), isOptional: true },
+    type: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false },
+    onboardingCompleted: { type: ScalarTypeEnum2.Boolean(), isOptional: false },
+    createdAt: { type: ScalarTypeEnum2.DateTime(), isOptional: false },
+    role: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false }
+  }
+});
+var ListUserOrgsOutputModel = new SchemaModel2({
+  name: "ListUserOrgsOutput",
+  description: "Output for listing user organizations",
+  fields: {
+    organizations: {
+      type: OrganizationWithRoleModel,
+      isOptional: false,
+      isArray: true
+    }
+  }
+});
+var CreateOrgContract = defineCommand2({
+  meta: {
+    key: "identity.org.create",
+    version: "1.0.0",
+    stability: "stable",
+    owners: [...OWNERS2],
+    tags: ["identity", "org", "create"],
+    description: "Create a new organization.",
+    goal: "Allow users to create new organizations/workspaces.",
+    context: "Called during onboarding or when creating additional workspaces."
+  },
+  io: {
+    input: CreateOrgInputModel,
+    output: OrganizationModel,
+    errors: {
+      SLUG_EXISTS: {
+        description: "An organization with this slug already exists",
+        http: 409,
+        gqlCode: "SLUG_EXISTS",
+        when: "Slug is already taken"
+      }
+    }
+  },
+  policy: {
+    auth: "user"
+  },
+  sideEffects: {
+    emits: [
+      {
+        key: "org.created",
+        version: "1.0.0",
+        when: "Organization is created",
+        payload: OrganizationModel
+      }
+    ],
+    audit: ["org.created"]
+  }
+});
+var GetOrgContract = defineQuery2({
+  meta: {
+    key: "identity.org.get",
+    version: "1.0.0",
+    stability: "stable",
+    owners: [...OWNERS2],
+    tags: ["identity", "org", "get"],
+    description: "Get organization details.",
+    goal: "Retrieve organization information.",
+    context: "Called when viewing organization settings or dashboard."
+  },
+  io: {
+    input: GetOrgInputModel,
+    output: OrganizationModel
+  },
+  policy: {
+    auth: "user"
+  }
+});
+var UpdateOrgContract = defineCommand2({
+  meta: {
+    key: "identity.org.update",
+    version: "1.0.0",
+    stability: "stable",
+    owners: [...OWNERS2],
+    tags: ["identity", "org", "update"],
+    description: "Update organization details.",
+    goal: "Allow org admins to update organization settings.",
+    context: "Organization settings page."
+  },
+  io: {
+    input: UpdateOrgInputModel,
+    output: OrganizationModel
+  },
+  policy: {
+    auth: "user"
+  },
+  sideEffects: {
+    emits: [
+      {
+        key: "org.updated",
+        version: "1.0.0",
+        when: "Organization is updated",
+        payload: OrganizationModel
+      }
+    ],
+    audit: ["org.updated"]
+  }
+});
+var InviteMemberContract = defineCommand2({
+  meta: {
+    key: "identity.org.invite",
+    version: "1.0.0",
+    stability: "stable",
+    owners: [...OWNERS2],
+    tags: ["identity", "org", "invite", "member"],
+    description: "Invite a user to join the organization.",
+    goal: "Allow org admins to invite new members.",
+    context: "Team management. Sends invitation email."
+  },
+  io: {
+    input: InviteMemberInputModel,
+    output: InvitationModel,
+    errors: {
+      ALREADY_MEMBER: {
+        description: "User is already a member of this organization",
+        http: 409,
+        gqlCode: "ALREADY_MEMBER",
+        when: "Invitee is already a member"
+      },
+      INVITE_PENDING: {
+        description: "An invitation for this email is already pending",
+        http: 409,
+        gqlCode: "INVITE_PENDING",
+        when: "Active invitation exists"
+      }
+    }
+  },
+  policy: {
+    auth: "user"
+  },
+  sideEffects: {
+    emits: [
+      {
+        key: "org.invite.sent",
+        version: "1.0.0",
+        when: "Invitation is sent",
+        payload: InvitationModel
+      }
+    ],
+    audit: ["org.invite.sent"]
+  }
+});
+var AcceptInviteContract = defineCommand2({
+  meta: {
+    key: "identity.org.invite.accept",
+    version: "1.0.0",
+    stability: "stable",
+    owners: [...OWNERS2],
+    tags: ["identity", "org", "invite", "accept"],
+    description: "Accept an organization invitation.",
+    goal: "Allow users to join organizations via invitation.",
+    context: "Called from invitation email link."
+  },
+  io: {
+    input: AcceptInviteInputModel,
+    output: MemberModel,
+    errors: {
+      INVITE_EXPIRED: {
+        description: "The invitation has expired",
+        http: 410,
+        gqlCode: "INVITE_EXPIRED",
+        when: "Invitation is past expiry date"
+      },
+      INVITE_USED: {
+        description: "The invitation has already been used",
+        http: 409,
+        gqlCode: "INVITE_USED",
+        when: "Invitation was already accepted"
+      }
+    }
+  },
+  policy: {
+    auth: "user"
+  },
+  sideEffects: {
+    emits: [
+      {
+        key: "org.member.added",
+        version: "1.0.0",
+        when: "Member joins org",
+        payload: MemberModel
+      }
+    ],
+    audit: ["org.member.added"]
+  }
+});
+var RemoveMemberContract = defineCommand2({
+  meta: {
+    key: "identity.org.member.remove",
+    version: "1.0.0",
+    stability: "stable",
+    owners: [...OWNERS2],
+    tags: ["identity", "org", "member", "remove"],
+    description: "Remove a member from the organization.",
+    goal: "Allow org admins to remove members.",
+    context: "Team management."
+  },
+  io: {
+    input: RemoveMemberInputModel,
+    output: SuccessResultModel,
+    errors: {
+      CANNOT_REMOVE_OWNER: {
+        description: "Cannot remove the organization owner",
+        http: 403,
+        gqlCode: "CANNOT_REMOVE_OWNER",
+        when: "Target is the org owner"
+      }
+    }
+  },
+  policy: {
+    auth: "user"
+  },
+  sideEffects: {
+    emits: [
+      {
+        key: "org.member.removed",
+        version: "1.0.0",
+        when: "Member is removed",
+        payload: MemberRemovedPayloadModel
+      }
+    ],
+    audit: ["org.member.removed"]
+  }
+});
+var ListMembersContract = defineQuery2({
+  meta: {
+    key: "identity.org.members.list",
+    version: "1.0.0",
+    stability: "stable",
+    owners: [...OWNERS2],
+    tags: ["identity", "org", "member", "list"],
+    description: "List organization members.",
+    goal: "View all members of an organization.",
+    context: "Team management page."
+  },
+  io: {
+    input: ListMembersInputModel,
+    output: ListMembersOutputModel
+  },
+  policy: {
+    auth: "user"
+  }
+});
+var ListUserOrgsContract = defineQuery2({
+  meta: {
+    key: "identity.org.list",
+    version: "1.0.0",
+    stability: "stable",
+    owners: [...OWNERS2],
+    tags: ["identity", "org", "list"],
+    description: "List organizations the current user belongs to.",
+    goal: "Show user their organizations for workspace switching.",
+    context: "Workspace switcher, org selection."
+  },
+  io: {
+    input: null,
+    output: ListUserOrgsOutputModel
+  },
+  policy: {
+    auth: "user"
+  }
+});
+
+// src/contracts/rbac.ts
+import { SchemaModel as SchemaModel3, ScalarTypeEnum as ScalarTypeEnum3 } from "@contractspec/lib.schema";
+import { defineCommand as defineCommand3, defineQuery as defineQuery3 } from "@contractspec/lib.contracts";
+var RoleModel = new SchemaModel3({
+  name: "Role",
+  description: "RBAC role definition",
+  fields: {
+    id: { type: ScalarTypeEnum3.String_unsecure(), isOptional: false },
+    name: { type: ScalarTypeEnum3.String_unsecure(), isOptional: false },
+    description: { type: ScalarTypeEnum3.String_unsecure(), isOptional: true },
+    permissions: {
+      type: ScalarTypeEnum3.String_unsecure(),
+      isOptional: false,
+      isArray: true
+    },
+    createdAt: { type: ScalarTypeEnum3.DateTime(), isOptional: false }
+  }
+});
+var PolicyBindingModel = new SchemaModel3({
+  name: "PolicyBinding",
+  description: "Role assignment to a target",
+  fields: {
+    id: { type: ScalarTypeEnum3.String_unsecure(), isOptional: false },
+    roleId: { type: ScalarTypeEnum3.String_unsecure(), isOptional: false },
+    targetType: { type: ScalarTypeEnum3.String_unsecure(), isOptional: false },
+    targetId: { type: ScalarTypeEnum3.String_unsecure(), isOptional: false },
+    expiresAt: { type: ScalarTypeEnum3.DateTime(), isOptional: true },
+    createdAt: { type: ScalarTypeEnum3.DateTime(), isOptional: false },
+    role: { type: RoleModel, isOptional: false }
+  }
+});
+var PermissionCheckResultModel = new SchemaModel3({
+  name: "PermissionCheckResult",
+  description: "Result of a permission check",
+  fields: {
+    allowed: { type: ScalarTypeEnum3.Boolean(), isOptional: false },
+    reason: { type: ScalarTypeEnum3.String_unsecure(), isOptional: true },
+    matchedRole: { type: ScalarTypeEnum3.String_unsecure(), isOptional: true }
+  }
+});
+var CreateRoleInputModel = new SchemaModel3({
+  name: "CreateRoleInput",
+  description: "Input for creating a role",
+  fields: {
+    name: { type: ScalarTypeEnum3.NonEmptyString(), isOptional: false },
+    description: { type: ScalarTypeEnum3.String_unsecure(), isOptional: true },
+    permissions: {
+      type: ScalarTypeEnum3.String_unsecure(),
+      isOptional: false,
+      isArray: true
+    }
+  }
+});
+var UpdateRoleInputModel = new SchemaModel3({
+  name: "UpdateRoleInput",
+  description: "Input for updating a role",
+  fields: {
+    roleId: { type: ScalarTypeEnum3.String_unsecure(), isOptional: false },
+    name: { type: ScalarTypeEnum3.String_unsecure(), isOptional: true },
+    description: { type: ScalarTypeEnum3.String_unsecure(), isOptional: true },
+    permissions: {
+      type: ScalarTypeEnum3.String_unsecure(),
+      isOptional: true,
+      isArray: true
+    }
+  }
+});
+var DeleteRoleInputModel = new SchemaModel3({
+  name: "DeleteRoleInput",
+  description: "Input for deleting a role",
+  fields: {
+    roleId: { type: ScalarTypeEnum3.String_unsecure(), isOptional: false }
+  }
+});
+var ListRolesOutputModel = new SchemaModel3({
+  name: "ListRolesOutput",
+  description: "Output for listing roles",
+  fields: {
+    roles: { type: RoleModel, isOptional: false, isArray: true }
+  }
+});
+var AssignRoleInputModel = new SchemaModel3({
+  name: "AssignRoleInput",
+  description: "Input for assigning a role",
+  fields: {
+    roleId: { type: ScalarTypeEnum3.String_unsecure(), isOptional: false },
+    targetType: { type: ScalarTypeEnum3.String_unsecure(), isOptional: false },
+    targetId: { type: ScalarTypeEnum3.String_unsecure(), isOptional: false },
+    expiresAt: { type: ScalarTypeEnum3.DateTime(), isOptional: true }
+  }
+});
+var RevokeRoleInputModel = new SchemaModel3({
+  name: "RevokeRoleInput",
+  description: "Input for revoking a role",
+  fields: {
+    bindingId: { type: ScalarTypeEnum3.String_unsecure(), isOptional: false }
+  }
+});
+var BindingIdPayloadModel = new SchemaModel3({
+  name: "BindingIdPayload",
+  description: "Payload with binding ID",
+  fields: {
+    bindingId: { type: ScalarTypeEnum3.String_unsecure(), isOptional: false }
+  }
+});
+var CheckPermissionInputModel = new SchemaModel3({
+  name: "CheckPermissionInput",
+  description: "Input for checking a permission",
+  fields: {
+    userId: { type: ScalarTypeEnum3.String_unsecure(), isOptional: false },
+    orgId: { type: ScalarTypeEnum3.String_unsecure(), isOptional: true },
+    permission: { type: ScalarTypeEnum3.String_unsecure(), isOptional: false }
+  }
+});
+var ListUserPermissionsInputModel = new SchemaModel3({
+  name: "ListUserPermissionsInput",
+  description: "Input for listing user permissions",
+  fields: {
+    userId: { type: ScalarTypeEnum3.String_unsecure(), isOptional: false },
+    orgId: { type: ScalarTypeEnum3.String_unsecure(), isOptional: true }
+  }
+});
+var ListUserPermissionsOutputModel = new SchemaModel3({
+  name: "ListUserPermissionsOutput",
+  description: "Output for listing user permissions",
+  fields: {
+    permissions: {
+      type: ScalarTypeEnum3.String_unsecure(),
+      isOptional: false,
+      isArray: true
+    },
+    roles: { type: RoleModel, isOptional: false, isArray: true }
+  }
+});
+var CreateRoleContract = defineCommand3({
+  meta: {
+    key: "identity.rbac.role.create",
+    version: "1.0.0",
+    stability: "stable",
+    owners: ["@platform.identity-rbac"],
+    tags: ["identity", "rbac", "role", "create"],
+    description: "Create a new role with permissions.",
+    goal: "Allow admins to define custom roles.",
+    context: "Role management in admin settings."
+  },
+  io: {
+    input: CreateRoleInputModel,
+    output: RoleModel,
+    errors: {
+      ROLE_EXISTS: {
+        description: "A role with this name already exists",
+        http: 409,
+        gqlCode: "ROLE_EXISTS",
+        when: "Role name is taken"
+      }
+    }
+  },
+  policy: {
+    auth: "admin"
+  },
+  sideEffects: {
+    audit: ["role.created"]
+  }
+});
+var UpdateRoleContract = defineCommand3({
+  meta: {
+    key: "identity.rbac.role.update",
+    version: "1.0.0",
+    stability: "stable",
+    owners: ["@platform.identity-rbac"],
+    tags: ["identity", "rbac", "role", "update"],
+    description: "Update an existing role.",
+    goal: "Allow admins to modify role permissions.",
+    context: "Role management in admin settings."
+  },
+  io: {
+    input: UpdateRoleInputModel,
+    output: RoleModel
+  },
+  policy: {
+    auth: "admin"
+  },
+  sideEffects: {
+    audit: ["role.updated"]
+  }
+});
+var DeleteRoleContract = defineCommand3({
+  meta: {
+    key: "identity.rbac.role.delete",
+    version: "1.0.0",
+    stability: "stable",
+    owners: ["@platform.identity-rbac"],
+    tags: ["identity", "rbac", "role", "delete"],
+    description: "Delete an existing role.",
+    goal: "Allow admins to remove unused roles.",
+    context: "Role management. Removes all policy bindings using this role."
+  },
+  io: {
+    input: DeleteRoleInputModel,
+    output: SuccessResultModel,
+    errors: {
+      ROLE_IN_USE: {
+        description: "Role is still assigned to users or organizations",
+        http: 409,
+        gqlCode: "ROLE_IN_USE",
+        when: "Role has active bindings"
+      }
+    }
+  },
+  policy: {
+    auth: "admin"
+  },
+  sideEffects: {
+    audit: ["role.deleted"]
+  }
+});
+var ListRolesContract = defineQuery3({
+  meta: {
+    key: "identity.rbac.role.list",
+    version: "1.0.0",
+    stability: "stable",
+    owners: ["@platform.identity-rbac"],
+    tags: ["identity", "rbac", "role", "list"],
+    description: "List all available roles.",
+    goal: "Show available roles for assignment.",
+    context: "Role assignment UI."
+  },
+  io: {
+    input: null,
+    output: ListRolesOutputModel
+  },
+  policy: {
+    auth: "user"
+  }
+});
+var AssignRoleContract = defineCommand3({
+  meta: {
+    key: "identity.rbac.assign",
+    version: "1.0.0",
+    stability: "stable",
+    owners: ["@platform.identity-rbac"],
+    tags: ["identity", "rbac", "assign"],
+    description: "Assign a role to a user or organization.",
+    goal: "Grant permissions via role assignment.",
+    context: "User/org permission management."
+  },
+  io: {
+    input: AssignRoleInputModel,
+    output: PolicyBindingModel,
+    errors: {
+      ROLE_NOT_FOUND: {
+        description: "The specified role does not exist",
+        http: 404,
+        gqlCode: "ROLE_NOT_FOUND",
+        when: "Role ID is invalid"
+      },
+      ALREADY_ASSIGNED: {
+        description: "This role is already assigned to the target",
+        http: 409,
+        gqlCode: "ALREADY_ASSIGNED",
+        when: "Binding already exists"
+      }
+    }
+  },
+  policy: {
+    auth: "admin"
+  },
+  sideEffects: {
+    emits: [
+      {
+        key: "role.assigned",
+        version: "1.0.0",
+        when: "Role is assigned",
+        payload: PolicyBindingModel
+      }
+    ],
+    audit: ["role.assigned"]
+  }
+});
+var RevokeRoleContract = defineCommand3({
+  meta: {
+    key: "identity.rbac.revoke",
+    version: "1.0.0",
+    stability: "stable",
+    owners: ["@platform.identity-rbac"],
+    tags: ["identity", "rbac", "revoke"],
+    description: "Revoke a role from a user or organization.",
+    goal: "Remove permissions via role revocation.",
+    context: "User/org permission management."
+  },
+  io: {
+    input: RevokeRoleInputModel,
+    output: SuccessResultModel,
+    errors: {
+      BINDING_NOT_FOUND: {
+        description: "The policy binding does not exist",
+        http: 404,
+        gqlCode: "BINDING_NOT_FOUND",
+        when: "Binding ID is invalid"
+      }
+    }
+  },
+  policy: {
+    auth: "admin"
+  },
+  sideEffects: {
+    emits: [
+      {
+        key: "role.revoked",
+        version: "1.0.0",
+        when: "Role is revoked",
+        payload: BindingIdPayloadModel
+      }
+    ],
+    audit: ["role.revoked"]
+  }
+});
+var CheckPermissionContract = defineQuery3({
+  meta: {
+    key: "identity.rbac.check",
+    version: "1.0.0",
+    stability: "stable",
+    owners: ["@platform.identity-rbac"],
+    tags: ["identity", "rbac", "check", "permission"],
+    description: "Check if a user has a specific permission.",
+    goal: "Authorization check before sensitive operations.",
+    context: "Called by other services to verify permissions."
+  },
+  io: {
+    input: CheckPermissionInputModel,
+    output: PermissionCheckResultModel
+  },
+  policy: {
+    auth: "user"
+  }
+});
+var ListUserPermissionsContract = defineQuery3({
+  meta: {
+    key: "identity.rbac.permissions",
+    version: "1.0.0",
+    stability: "stable",
+    owners: ["@platform.identity-rbac"],
+    tags: ["identity", "rbac", "permissions", "user"],
+    description: "List all permissions for a user in a context.",
+    goal: "Show what a user can do in an org.",
+    context: "UI permission display, debugging."
+  },
+  io: {
+    input: ListUserPermissionsInputModel,
+    output: ListUserPermissionsOutputModel
+  },
+  policy: {
+    auth: "user"
+  }
+});
+// src/entities/user.ts
+import { defineEntity, field, index } from "@contractspec/lib.schema";
+var UserEntity = defineEntity({
+  name: "User",
+  description: "A user of the platform. Users hold core profile information and authenticate via Account records.",
+  schema: "lssm_sigil",
+  map: "user",
+  fields: {
+    id: field.id({ description: "Unique user identifier" }),
+    email: field.email({ isUnique: true, description: "User email address" }),
+    emailVerified: field.boolean({
+      default: false,
+      description: "Whether email has been verified"
+    }),
+    name: field.string({ isOptional: true, description: "Display name" }),
+    firstName: field.string({ isOptional: true, description: "First name" }),
+    lastName: field.string({ isOptional: true, description: "Last name" }),
+    locale: field.string({
+      isOptional: true,
+      description: 'User locale (e.g., "en-US")'
+    }),
+    timezone: field.string({
+      isOptional: true,
+      description: 'Olson timezone (e.g., "Europe/Paris")'
+    }),
+    imageUrl: field.url({
+      isOptional: true,
+      description: "URL of avatar or profile picture"
+    }),
+    image: field.string({
+      isOptional: true,
+      description: "Legacy image field"
+    }),
+    metadata: field.json({
+      isOptional: true,
+      description: "Arbitrary user metadata"
+    }),
+    onboardingCompleted: field.boolean({
+      default: false,
+      description: "Whether onboarding is complete"
+    }),
+    onboardingStep: field.string({
+      isOptional: true,
+      description: "Current onboarding step"
+    }),
+    whitelistedAt: field.dateTime({
+      isOptional: true,
+      description: "When user was whitelisted"
+    }),
+    role: field.string({
+      isOptional: true,
+      default: '"user"',
+      description: "User role (user, admin)"
+    }),
+    banned: field.boolean({
+      default: false,
+      description: "Whether user is banned"
+    }),
+    banReason: field.string({
+      isOptional: true,
+      description: "Reason for ban"
+    }),
+    banExpires: field.dateTime({
+      isOptional: true,
+      description: "When ban expires"
+    }),
+    phoneNumber: field.string({
+      isOptional: true,
+      isUnique: true,
+      description: "Phone number"
+    }),
+    phoneNumberVerified: field.boolean({
+      default: false,
+      description: "Whether phone is verified"
+    }),
+    createdAt: field.createdAt(),
+    updatedAt: field.updatedAt(),
+    sessions: field.hasMany("Session"),
+    accounts: field.hasMany("Account"),
+    memberships: field.hasMany("Member"),
+    invitations: field.hasMany("Invitation"),
+    teamMemberships: field.hasMany("TeamMember"),
+    policyBindings: field.hasMany("PolicyBinding"),
+    apiKeys: field.hasMany("ApiKey"),
+    passkeys: field.hasMany("Passkey")
+  }
+});
+var SessionEntity = defineEntity({
+  name: "Session",
+  description: "Represents a login session (e.g., web session or API token).",
+  schema: "lssm_sigil",
+  map: "session",
+  fields: {
+    id: field.id(),
+    userId: field.foreignKey(),
+    expiresAt: field.dateTime({ description: "Session expiration time" }),
+    token: field.string({ isUnique: true, description: "Session token" }),
+    ipAddress: field.string({
+      isOptional: true,
+      description: "Client IP address"
+    }),
+    userAgent: field.string({
+      isOptional: true,
+      description: "Client user agent"
+    }),
+    impersonatedBy: field.string({
+      isOptional: true,
+      description: "Admin impersonating this session"
+    }),
+    activeOrganizationId: field.string({
+      isOptional: true,
+      description: "Active org context"
+    }),
+    activeTeamId: field.string({
+      isOptional: true,
+      description: "Active team context"
+    }),
+    createdAt: field.createdAt(),
+    updatedAt: field.updatedAt(),
+    user: field.belongsTo("User", ["userId"], ["id"], { onDelete: "Cascade" })
+  }
+});
+var AccountEntity = defineEntity({
+  name: "Account",
+  description: "External authentication accounts (OAuth, password, etc.).",
+  schema: "lssm_sigil",
+  map: "account",
+  fields: {
+    id: field.id(),
+    accountId: field.string({ description: "Account ID from provider" }),
+    providerId: field.string({ description: "Provider identifier" }),
+    userId: field.foreignKey(),
+    accessToken: field.string({ isOptional: true }),
+    refreshToken: field.string({ isOptional: true }),
+    idToken: field.string({ isOptional: true }),
+    accessTokenExpiresAt: field.dateTime({ isOptional: true }),
+    refreshTokenExpiresAt: field.dateTime({ isOptional: true }),
+    scope: field.string({ isOptional: true }),
+    password: field.string({
+      isOptional: true,
+      description: "Hashed password for password providers"
+    }),
+    createdAt: field.createdAt(),
+    updatedAt: field.updatedAt(),
+    user: field.belongsTo("User", ["userId"], ["id"], { onDelete: "Cascade" })
+  },
+  indexes: [index.unique(["accountId", "providerId"])]
+});
+var VerificationEntity = defineEntity({
+  name: "Verification",
+  description: "Verification tokens for email/phone confirmation.",
+  schema: "lssm_sigil",
+  map: "verification",
+  fields: {
+    id: field.uuid(),
+    identifier: field.string({ description: "Email or phone being verified" }),
+    value: field.string({ description: "Verification code/token" }),
+    expiresAt: field.dateTime({ description: "Token expiration" }),
+    createdAt: field.createdAt(),
+    updatedAt: field.updatedAt()
+  }
+});
+
+// src/entities/organization.ts
+import {
+  defineEntity as defineEntity2,
+  defineEntityEnum,
+  field as field2,
+  index as index2
+} from "@contractspec/lib.schema";
+var OrganizationTypeEnum = defineEntityEnum({
+  name: "OrganizationType",
+  values: ["PLATFORM_ADMIN", "CONTRACT_SPEC_CUSTOMER"],
+  schema: "lssm_sigil",
+  description: "Type of organization in the platform."
+});
+var OrganizationEntity = defineEntity2({
+  name: "Organization",
+  description: "An organization is a tenant boundary grouping users.",
+  schema: "lssm_sigil",
+  map: "organization",
+  fields: {
+    id: field2.id({ description: "Unique organization identifier" }),
+    name: field2.string({ description: "Organization display name" }),
+    slug: field2.string({
+      isOptional: true,
+      isUnique: true,
+      description: "URL-friendly identifier"
+    }),
+    logo: field2.url({ isOptional: true, description: "Organization logo URL" }),
+    description: field2.string({
+      isOptional: true,
+      description: "Organization description"
+    }),
+    metadata: field2.json({
+      isOptional: true,
+      description: "Arbitrary organization metadata"
+    }),
+    type: field2.enum("OrganizationType", { description: "Organization type" }),
+    onboardingCompleted: field2.boolean({ default: false }),
+    onboardingStep: field2.string({ isOptional: true }),
+    referralCode: field2.string({
+      isOptional: true,
+      isUnique: true,
+      description: "Unique referral code"
+    }),
+    referredBy: field2.string({
+      isOptional: true,
+      description: "ID of referring user"
+    }),
+    createdAt: field2.createdAt(),
+    updatedAt: field2.updatedAt(),
+    members: field2.hasMany("Member"),
+    invitations: field2.hasMany("Invitation"),
+    teams: field2.hasMany("Team"),
+    policyBindings: field2.hasMany("PolicyBinding")
+  },
+  enums: [OrganizationTypeEnum]
+});
+var MemberEntity = defineEntity2({
+  name: "Member",
+  description: "Membership of a user in an organization with a role.",
+  schema: "lssm_sigil",
+  map: "member",
+  fields: {
+    id: field2.id(),
+    userId: field2.foreignKey(),
+    organizationId: field2.foreignKey(),
+    role: field2.string({
+      description: "Role in organization (owner, admin, member)"
+    }),
+    createdAt: field2.createdAt(),
+    user: field2.belongsTo("User", ["userId"], ["id"], { onDelete: "Cascade" }),
+    organization: field2.belongsTo("Organization", ["organizationId"], ["id"], {
+      onDelete: "Cascade"
+    })
+  },
+  indexes: [index2.unique(["userId", "organizationId"])]
+});
+var InvitationEntity = defineEntity2({
+  name: "Invitation",
+  description: "An invitation to join an organization.",
+  schema: "lssm_sigil",
+  map: "invitation",
+  fields: {
+    id: field2.id(),
+    organizationId: field2.foreignKey(),
+    email: field2.email({ description: "Invited email address" }),
+    role: field2.string({
+      isOptional: true,
+      description: "Role to assign on acceptance"
+    }),
+    status: field2.string({
+      default: '"pending"',
+      description: "Invitation status"
+    }),
+    acceptedAt: field2.dateTime({ isOptional: true }),
+    expiresAt: field2.dateTime({ isOptional: true }),
+    inviterId: field2.foreignKey({
+      description: "User who sent the invitation"
+    }),
+    teamId: field2.string({ isOptional: true }),
+    createdAt: field2.createdAt(),
+    updatedAt: field2.updatedAt(),
+    organization: field2.belongsTo("Organization", ["organizationId"], ["id"], {
+      onDelete: "Cascade"
+    }),
+    inviter: field2.belongsTo("User", ["inviterId"], ["id"], {
+      onDelete: "Cascade"
+    }),
+    team: field2.belongsTo("Team", ["teamId"], ["id"], { onDelete: "Cascade" })
+  }
+});
+var TeamEntity = defineEntity2({
+  name: "Team",
+  description: "Team within an organization.",
+  schema: "lssm_sigil",
+  map: "team",
+  fields: {
+    id: field2.id(),
+    name: field2.string({ description: "Team name" }),
+    organizationId: field2.foreignKey(),
+    createdAt: field2.createdAt(),
+    updatedAt: field2.updatedAt(),
+    organization: field2.belongsTo("Organization", ["organizationId"], ["id"], {
+      onDelete: "Cascade"
+    }),
+    members: field2.hasMany("TeamMember"),
+    invitations: field2.hasMany("Invitation")
+  }
+});
+var TeamMemberEntity = defineEntity2({
+  name: "TeamMember",
+  description: "Team membership for a user.",
+  schema: "lssm_sigil",
+  map: "team_member",
+  fields: {
+    id: field2.id(),
+    teamId: field2.foreignKey(),
+    userId: field2.foreignKey(),
+    createdAt: field2.createdAt(),
+    team: field2.belongsTo("Team", ["teamId"], ["id"], { onDelete: "Cascade" }),
+    user: field2.belongsTo("User", ["userId"], ["id"], { onDelete: "Cascade" })
+  }
+});
+
+// src/entities/rbac.ts
+import { defineEntity as defineEntity3, field as field3, index as index3 } from "@contractspec/lib.schema";
+var RoleEntity = defineEntity3({
+  name: "Role",
+  description: "A role defines a named set of permissions.",
+  schema: "lssm_sigil",
+  map: "role",
+  fields: {
+    id: field3.id(),
+    name: field3.string({ isUnique: true, description: "Unique role name" }),
+    description: field3.string({
+      isOptional: true,
+      description: "Role description"
+    }),
+    permissions: field3.string({
+      isArray: true,
+      description: "Array of permission names"
+    }),
+    createdAt: field3.createdAt(),
+    updatedAt: field3.updatedAt(),
+    policyBindings: field3.hasMany("PolicyBinding")
+  }
+});
+var PermissionEntity = defineEntity3({
+  name: "Permission",
+  description: "A permission represents an atomic access right.",
+  schema: "lssm_sigil",
+  map: "permission",
+  fields: {
+    id: field3.id(),
+    name: field3.string({
+      isUnique: true,
+      description: "Unique permission name"
+    }),
+    description: field3.string({
+      isOptional: true,
+      description: "Permission description"
+    }),
+    createdAt: field3.createdAt(),
+    updatedAt: field3.updatedAt()
+  }
+});
+var PolicyBindingEntity = defineEntity3({
+  name: "PolicyBinding",
+  description: "Binds roles to principals (users or organizations).",
+  schema: "lssm_sigil",
+  map: "policy_binding",
+  fields: {
+    id: field3.id(),
+    roleId: field3.foreignKey(),
+    targetType: field3.string({ description: '"user" or "organization"' }),
+    targetId: field3.string({ description: "ID of User or Organization" }),
+    expiresAt: field3.dateTime({
+      isOptional: true,
+      description: "When binding expires"
+    }),
+    createdAt: field3.createdAt(),
+    userId: field3.string({ isOptional: true }),
+    organizationId: field3.string({ isOptional: true }),
+    role: field3.belongsTo("Role", ["roleId"], ["id"], { onDelete: "Cascade" }),
+    user: field3.belongsTo("User", ["userId"], ["id"]),
+    organization: field3.belongsTo("Organization", ["organizationId"], ["id"])
+  },
+  indexes: [index3.on(["targetType", "targetId"])]
+});
+var ApiKeyEntity = defineEntity3({
+  name: "ApiKey",
+  description: "API keys for programmatic access.",
+  schema: "lssm_sigil",
+  map: "api_key",
+  fields: {
+    id: field3.id(),
+    name: field3.string({ description: "API key name" }),
+    start: field3.string({
+      description: "Starting characters for identification"
+    }),
+    prefix: field3.string({ description: "API key prefix" }),
+    key: field3.string({ description: "Hashed API key" }),
+    userId: field3.foreignKey(),
+    refillInterval: field3.int({ description: "Refill interval in ms" }),
+    refillAmount: field3.int({ description: "Amount to refill" }),
+    lastRefillAt: field3.dateTime(),
+    remaining: field3.int({ description: "Remaining requests" }),
+    requestCount: field3.int({ description: "Total requests made" }),
+    lastRequest: field3.dateTime(),
+    enabled: field3.boolean({ default: true }),
+    rateLimitEnabled: field3.boolean({ default: true }),
+    rateLimitTimeWindow: field3.int({ description: "Rate limit window in ms" }),
+    rateLimitMax: field3.int({ description: "Max requests in window" }),
+    expiresAt: field3.dateTime(),
+    permissions: field3.string({ isArray: true }),
+    metadata: field3.json({ isOptional: true }),
+    createdAt: field3.createdAt(),
+    updatedAt: field3.updatedAt(),
+    user: field3.belongsTo("User", ["userId"], ["id"], { onDelete: "Cascade" })
+  }
+});
+var PasskeyEntity = defineEntity3({
+  name: "Passkey",
+  description: "WebAuthn passkeys for passwordless authentication.",
+  schema: "lssm_sigil",
+  map: "passkey",
+  fields: {
+    id: field3.id(),
+    name: field3.string({ description: "Passkey name" }),
+    publicKey: field3.string({ description: "Public key" }),
+    userId: field3.foreignKey(),
+    credentialID: field3.string({ description: "Credential ID" }),
+    counter: field3.int({ description: "Counter" }),
+    deviceType: field3.string({ description: "Device type" }),
+    backedUp: field3.boolean({ description: "Whether passkey is backed up" }),
+    transports: field3.string({ description: "Transports" }),
+    aaguid: field3.string({ description: "Authenticator GUID" }),
+    createdAt: field3.createdAt(),
+    user: field3.belongsTo("User", ["userId"], ["id"], { onDelete: "Cascade" })
+  }
+});
+// src/entities/index.ts
+var identityRbacEntities = [
+  UserEntity,
+  SessionEntity,
+  AccountEntity,
+  VerificationEntity,
+  OrganizationEntity,
+  MemberEntity,
+  InvitationEntity,
+  TeamEntity,
+  TeamMemberEntity,
+  RoleEntity,
+  PermissionEntity,
+  PolicyBindingEntity,
+  ApiKeyEntity,
+  PasskeyEntity
+];
+var identityRbacSchemaContribution = {
+  moduleId: "@contractspec/lib.identity-rbac",
+  entities: identityRbacEntities,
+  enums: [OrganizationTypeEnum]
+};
+
+// src/events.ts
+import { SchemaModel as SchemaModel4, ScalarTypeEnum as ScalarTypeEnum4 } from "@contractspec/lib.schema";
+import { defineEvent } from "@contractspec/lib.contracts";
+var UserCreatedPayload = new SchemaModel4({
+  name: "UserCreatedPayload",
+  description: "Payload for user created event",
+  fields: {
+    userId: { type: ScalarTypeEnum4.String_unsecure(), isOptional: false },
+    email: { type: ScalarTypeEnum4.EmailAddress(), isOptional: false },
+    name: { type: ScalarTypeEnum4.String_unsecure(), isOptional: true },
+    createdAt: { type: ScalarTypeEnum4.DateTime(), isOptional: false }
+  }
+});
+var UserUpdatedPayload = new SchemaModel4({
+  name: "UserUpdatedPayload",
+  description: "Payload for user updated event",
+  fields: {
+    userId: { type: ScalarTypeEnum4.String_unsecure(), isOptional: false },
+    updatedFields: {
+      type: ScalarTypeEnum4.String_unsecure(),
+      isOptional: false,
+      isArray: true
+    },
+    updatedAt: { type: ScalarTypeEnum4.DateTime(), isOptional: false }
+  }
+});
+var UserDeletedPayload = new SchemaModel4({
+  name: "UserDeletedPayload",
+  description: "Payload for user deleted event",
+  fields: {
+    userId: { type: ScalarTypeEnum4.String_unsecure(), isOptional: false },
+    email: { type: ScalarTypeEnum4.EmailAddress(), isOptional: false },
+    deletedAt: { type: ScalarTypeEnum4.DateTime(), isOptional: false }
+  }
+});
+var UserEmailVerifiedPayload = new SchemaModel4({
+  name: "UserEmailVerifiedPayload",
+  description: "Payload for user email verified event",
+  fields: {
+    userId: { type: ScalarTypeEnum4.String_unsecure(), isOptional: false },
+    email: { type: ScalarTypeEnum4.EmailAddress(), isOptional: false },
+    verifiedAt: { type: ScalarTypeEnum4.DateTime(), isOptional: false }
+  }
+});
+var OrgCreatedPayload = new SchemaModel4({
+  name: "OrgCreatedPayload",
+  description: "Payload for org created event",
+  fields: {
+    orgId: { type: ScalarTypeEnum4.String_unsecure(), isOptional: false },
+    name: { type: ScalarTypeEnum4.String_unsecure(), isOptional: false },
+    slug: { type: ScalarTypeEnum4.String_unsecure(), isOptional: true },
+    createdBy: { type: ScalarTypeEnum4.String_unsecure(), isOptional: false },
+    createdAt: { type: ScalarTypeEnum4.DateTime(), isOptional: false }
+  }
+});
+var OrgUpdatedPayload = new SchemaModel4({
+  name: "OrgUpdatedPayload",
+  description: "Payload for org updated event",
+  fields: {
+    orgId: { type: ScalarTypeEnum4.String_unsecure(), isOptional: false },
+    updatedFields: {
+      type: ScalarTypeEnum4.String_unsecure(),
+      isOptional: false,
+      isArray: true
+    },
+    updatedBy: { type: ScalarTypeEnum4.String_unsecure(), isOptional: false },
+    updatedAt: { type: ScalarTypeEnum4.DateTime(), isOptional: false }
+  }
+});
+var OrgDeletedPayload = new SchemaModel4({
+  name: "OrgDeletedPayload",
+  description: "Payload for org deleted event",
+  fields: {
+    orgId: { type: ScalarTypeEnum4.String_unsecure(), isOptional: false },
+    name: { type: ScalarTypeEnum4.String_unsecure(), isOptional: false },
+    deletedBy: { type: ScalarTypeEnum4.String_unsecure(), isOptional: false },
+    deletedAt: { type: ScalarTypeEnum4.DateTime(), isOptional: false }
+  }
+});
+var OrgMemberAddedPayload = new SchemaModel4({
+  name: "OrgMemberAddedPayload",
+  description: "Payload for member added event",
+  fields: {
+    orgId: { type: ScalarTypeEnum4.String_unsecure(), isOptional: false },
+    userId: { type: ScalarTypeEnum4.String_unsecure(), isOptional: false },
+    role: { type: ScalarTypeEnum4.String_unsecure(), isOptional: false },
+    invitedBy: { type: ScalarTypeEnum4.String_unsecure(), isOptional: true },
+    joinedAt: { type: ScalarTypeEnum4.DateTime(), isOptional: false }
+  }
+});
+var OrgMemberRemovedPayload = new SchemaModel4({
+  name: "OrgMemberRemovedPayload",
+  description: "Payload for member removed event",
+  fields: {
+    orgId: { type: ScalarTypeEnum4.String_unsecure(), isOptional: false },
+    userId: { type: ScalarTypeEnum4.String_unsecure(), isOptional: false },
+    removedBy: { type: ScalarTypeEnum4.String_unsecure(), isOptional: true },
+    reason: { type: ScalarTypeEnum4.String_unsecure(), isOptional: true },
+    removedAt: { type: ScalarTypeEnum4.DateTime(), isOptional: false }
+  }
+});
+var OrgMemberRoleChangedPayload = new SchemaModel4({
+  name: "OrgMemberRoleChangedPayload",
+  description: "Payload for member role changed event",
+  fields: {
+    orgId: { type: ScalarTypeEnum4.String_unsecure(), isOptional: false },
+    userId: { type: ScalarTypeEnum4.String_unsecure(), isOptional: false },
+    previousRole: { type: ScalarTypeEnum4.String_unsecure(), isOptional: false },
+    newRole: { type: ScalarTypeEnum4.String_unsecure(), isOptional: false },
+    changedBy: { type: ScalarTypeEnum4.String_unsecure(), isOptional: false },
+    changedAt: { type: ScalarTypeEnum4.DateTime(), isOptional: false }
+  }
+});
+var OrgInviteSentPayload = new SchemaModel4({
+  name: "OrgInviteSentPayload",
+  description: "Payload for invite sent event",
+  fields: {
+    invitationId: { type: ScalarTypeEnum4.String_unsecure(), isOptional: false },
+    orgId: { type: ScalarTypeEnum4.String_unsecure(), isOptional: false },
+    email: { type: ScalarTypeEnum4.EmailAddress(), isOptional: false },
+    role: { type: ScalarTypeEnum4.String_unsecure(), isOptional: false },
+    invitedBy: { type: ScalarTypeEnum4.String_unsecure(), isOptional: false },
+    expiresAt: { type: ScalarTypeEnum4.DateTime(), isOptional: true },
+    sentAt: { type: ScalarTypeEnum4.DateTime(), isOptional: false }
+  }
+});
+var OrgInviteAcceptedPayload = new SchemaModel4({
+  name: "OrgInviteAcceptedPayload",
+  description: "Payload for invite accepted event",
+  fields: {
+    invitationId: { type: ScalarTypeEnum4.String_unsecure(), isOptional: false },
+    orgId: { type: ScalarTypeEnum4.String_unsecure(), isOptional: false },
+    userId: { type: ScalarTypeEnum4.String_unsecure(), isOptional: false },
+    acceptedAt: { type: ScalarTypeEnum4.DateTime(), isOptional: false }
+  }
+});
+var OrgInviteDeclinedPayload = new SchemaModel4({
+  name: "OrgInviteDeclinedPayload",
+  description: "Payload for invite declined event",
+  fields: {
+    invitationId: { type: ScalarTypeEnum4.String_unsecure(), isOptional: false },
+    orgId: { type: ScalarTypeEnum4.String_unsecure(), isOptional: false },
+    declinedAt: { type: ScalarTypeEnum4.DateTime(), isOptional: false }
+  }
+});
+var RoleAssignedPayload = new SchemaModel4({
+  name: "RoleAssignedPayload",
+  description: "Payload for role assigned event",
+  fields: {
+    bindingId: { type: ScalarTypeEnum4.String_unsecure(), isOptional: false },
+    roleId: { type: ScalarTypeEnum4.String_unsecure(), isOptional: false },
+    roleName: { type: ScalarTypeEnum4.String_unsecure(), isOptional: false },
+    targetType: { type: ScalarTypeEnum4.String_unsecure(), isOptional: false },
+    targetId: { type: ScalarTypeEnum4.String_unsecure(), isOptional: false },
+    assignedBy: { type: ScalarTypeEnum4.String_unsecure(), isOptional: false },
+    expiresAt: { type: ScalarTypeEnum4.DateTime(), isOptional: true },
+    assignedAt: { type: ScalarTypeEnum4.DateTime(), isOptional: false }
+  }
+});
+var RoleRevokedPayload = new SchemaModel4({
+  name: "RoleRevokedPayload",
+  description: "Payload for role revoked event",
+  fields: {
+    bindingId: { type: ScalarTypeEnum4.String_unsecure(), isOptional: false },
+    roleId: { type: ScalarTypeEnum4.String_unsecure(), isOptional: false },
+    roleName: { type: ScalarTypeEnum4.String_unsecure(), isOptional: false },
+    targetType: { type: ScalarTypeEnum4.String_unsecure(), isOptional: false },
+    targetId: { type: ScalarTypeEnum4.String_unsecure(), isOptional: false },
+    revokedBy: { type: ScalarTypeEnum4.String_unsecure(), isOptional: false },
+    revokedAt: { type: ScalarTypeEnum4.DateTime(), isOptional: false }
+  }
+});
+var UserCreatedEvent = defineEvent({
+  meta: {
+    key: "user.created",
+    version: "1.0.0",
+    description: "A new user has been created.",
+    stability: "stable",
+    owners: ["@platform.identity-rbac"],
+    tags: ["user", "created", "identity"]
+  },
+  payload: UserCreatedPayload
+});
+var UserUpdatedEvent = defineEvent({
+  meta: {
+    key: "user.updated",
+    version: "1.0.0",
+    description: "A user profile has been updated.",
+    stability: "stable",
+    owners: ["@platform.identity-rbac"],
+    tags: ["user", "updated", "identity"]
+  },
+  payload: UserUpdatedPayload
+});
+var UserDeletedEvent = defineEvent({
+  meta: {
+    key: "user.deleted",
+    version: "1.0.0",
+    description: "A user account has been deleted.",
+    stability: "stable",
+    owners: ["@platform.identity-rbac"],
+    tags: ["user", "deleted", "identity"]
+  },
+  pii: ["email"],
+  payload: UserDeletedPayload
+});
+var UserEmailVerifiedEvent = defineEvent({
+  meta: {
+    key: "user.email_verified",
+    version: "1.0.0",
+    description: "A user has verified their email address.",
+    stability: "stable",
+    owners: ["@platform.identity-rbac"],
+    tags: ["user", "verified", "identity"]
+  },
+  payload: UserEmailVerifiedPayload
+});
+var OrgCreatedEvent = defineEvent({
+  meta: {
+    key: "org.created",
+    version: "1.0.0",
+    description: "A new organization has been created.",
+    stability: "stable",
+    owners: ["@platform.identity-rbac"],
+    tags: ["org", "created", "identity"]
+  },
+  payload: OrgCreatedPayload
+});
+var OrgUpdatedEvent = defineEvent({
+  meta: {
+    key: "org.updated",
+    version: "1.0.0",
+    description: "An organization has been updated.",
+    stability: "stable",
+    owners: ["@platform.identity-rbac"],
+    tags: ["org", "updated", "identity"]
+  },
+  payload: OrgUpdatedPayload
+});
+var OrgDeletedEvent = defineEvent({
+  meta: {
+    key: "org.deleted",
+    version: "1.0.0",
+    description: "An organization has been deleted.",
+    stability: "stable",
+    owners: ["@platform.identity-rbac"],
+    tags: ["org", "deleted", "identity"]
+  },
+  payload: OrgDeletedPayload
+});
+var OrgMemberAddedEvent = defineEvent({
+  meta: {
+    key: "org.member.added",
+    version: "1.0.0",
+    description: "A user has joined an organization.",
+    stability: "stable",
+    owners: ["@platform.identity-rbac"],
+    tags: ["org", "member", "added", "identity"]
+  },
+  payload: OrgMemberAddedPayload
+});
+var OrgMemberRemovedEvent = defineEvent({
+  meta: {
+    key: "org.member.removed",
+    version: "1.0.0",
+    description: "A user has left or been removed from an organization.",
+    stability: "stable",
+    owners: ["@platform.identity-rbac"],
+    tags: ["org", "member", "removed", "identity"]
+  },
+  payload: OrgMemberRemovedPayload
+});
+var OrgMemberRoleChangedEvent = defineEvent({
+  meta: {
+    key: "org.member.role_changed",
+    version: "1.0.0",
+    description: "A member's role in an organization has changed.",
+    stability: "stable",
+    owners: ["@platform.identity-rbac"],
+    tags: ["org", "member", "role", "changed", "identity"]
+  },
+  payload: OrgMemberRoleChangedPayload
+});
+var OrgInviteSentEvent = defineEvent({
+  meta: {
+    key: "org.invite.sent",
+    version: "1.0.0",
+    description: "An invitation to join an organization has been sent.",
+    stability: "stable",
+    owners: ["@platform.identity-rbac"],
+    tags: ["org", "invite", "sent", "identity"]
+  },
+  pii: ["email"],
+  payload: OrgInviteSentPayload
+});
+var OrgInviteAcceptedEvent = defineEvent({
+  meta: {
+    key: "org.invite.accepted",
+    version: "1.0.0",
+    description: "An invitation has been accepted.",
+    stability: "stable",
+    owners: ["@platform.identity-rbac"],
+    tags: ["org", "invite", "accepted", "identity"]
+  },
+  payload: OrgInviteAcceptedPayload
+});
+var OrgInviteDeclinedEvent = defineEvent({
+  meta: {
+    key: "org.invite.declined",
+    version: "1.0.0",
+    description: "An invitation has been declined.",
+    stability: "stable",
+    owners: ["@platform.identity-rbac"],
+    tags: ["org", "invite", "declined", "identity"]
+  },
+  payload: OrgInviteDeclinedPayload
+});
+var RoleAssignedEvent = defineEvent({
+  meta: {
+    key: "role.assigned",
+    version: "1.0.0",
+    description: "A role has been assigned.",
+    stability: "stable",
+    owners: ["@platform.identity-rbac"],
+    tags: ["role", "assigned", "identity"]
+  },
+  payload: RoleAssignedPayload
+});
+var RoleRevokedEvent = defineEvent({
+  meta: {
+    key: "role.revoked",
+    version: "1.0.0",
+    description: "A role has been revoked.",
+    stability: "stable",
+    owners: ["@platform.identity-rbac"],
+    tags: ["role", "revoked", "identity"]
+  },
+  payload: RoleRevokedPayload
+});
+var IdentityRbacEvents = {
+  UserCreatedEvent,
+  UserUpdatedEvent,
+  UserDeletedEvent,
+  UserEmailVerifiedEvent,
+  OrgCreatedEvent,
+  OrgUpdatedEvent,
+  OrgDeletedEvent,
+  OrgMemberAddedEvent,
+  OrgMemberRemovedEvent,
+  OrgMemberRoleChangedEvent,
+  OrgInviteSentEvent,
+  OrgInviteAcceptedEvent,
+  OrgInviteDeclinedEvent,
+  RoleAssignedEvent,
+  RoleRevokedEvent
+};
+
+// src/identity-rbac.feature.ts
+import { defineFeature } from "@contractspec/lib.contracts";
+var IdentityRbacFeature = defineFeature({
+  meta: {
+    key: "identity-rbac",
+    version: "1.0.0",
+    title: "Identity & RBAC",
+    description: "User identity, organization management, and role-based access control",
+    domain: "platform",
+    owners: ["@platform.identity-rbac"],
+    tags: ["identity", "rbac", "users", "organizations", "permissions"],
+    stability: "stable"
+  },
+  operations: [
+    { key: "identity.user.create", version: "1.0.0" },
+    { key: "identity.user.update", version: "1.0.0" },
+    { key: "identity.user.delete", version: "1.0.0" },
+    { key: "identity.user.me", version: "1.0.0" },
+    { key: "identity.user.list", version: "1.0.0" },
+    { key: "identity.org.create", version: "1.0.0" },
+    { key: "identity.org.update", version: "1.0.0" },
+    { key: "identity.org.get", version: "1.0.0" },
+    { key: "identity.org.list", version: "1.0.0" },
+    { key: "identity.org.invite", version: "1.0.0" },
+    { key: "identity.org.invite.accept", version: "1.0.0" },
+    { key: "identity.org.member.remove", version: "1.0.0" },
+    { key: "identity.org.members.list", version: "1.0.0" },
+    { key: "identity.rbac.role.create", version: "1.0.0" },
+    { key: "identity.rbac.role.update", version: "1.0.0" },
+    { key: "identity.rbac.role.delete", version: "1.0.0" },
+    { key: "identity.rbac.role.list", version: "1.0.0" },
+    { key: "identity.rbac.assign", version: "1.0.0" },
+    { key: "identity.rbac.revoke", version: "1.0.0" },
+    { key: "identity.rbac.check", version: "1.0.0" },
+    { key: "identity.rbac.permissions", version: "1.0.0" }
+  ],
+  events: [
+    { key: "user.created", version: "1.0.0" },
+    { key: "user.updated", version: "1.0.0" },
+    { key: "user.deleted", version: "1.0.0" },
+    { key: "user.email_verified", version: "1.0.0" },
+    { key: "org.created", version: "1.0.0" },
+    { key: "org.updated", version: "1.0.0" },
+    { key: "org.deleted", version: "1.0.0" },
+    { key: "org.member.added", version: "1.0.0" },
+    { key: "org.member.removed", version: "1.0.0" },
+    { key: "org.member.role_changed", version: "1.0.0" },
+    { key: "org.invite.sent", version: "1.0.0" },
+    { key: "org.invite.accepted", version: "1.0.0" },
+    { key: "org.invite.declined", version: "1.0.0" },
+    { key: "role.assigned", version: "1.0.0" },
+    { key: "role.revoked", version: "1.0.0" }
+  ],
+  presentations: [],
+  opToPresentation: [],
+  presentationsTargets: [],
+  capabilities: {
+    provides: [
+      { key: "identity", version: "1.0.0" },
+      { key: "rbac", version: "1.0.0" }
+    ],
+    requires: []
+  }
+});
+
+// src/policies/engine.ts
+var Permission = {
+  USER_CREATE: "user.create",
+  USER_READ: "user.read",
+  USER_UPDATE: "user.update",
+  USER_DELETE: "user.delete",
+  USER_LIST: "user.list",
+  USER_MANAGE: "user.manage",
+  ORG_CREATE: "org.create",
+  ORG_READ: "org.read",
+  ORG_UPDATE: "org.update",
+  ORG_DELETE: "org.delete",
+  ORG_LIST: "org.list",
+  MEMBER_INVITE: "member.invite",
+  MEMBER_REMOVE: "member.remove",
+  MEMBER_UPDATE_ROLE: "member.update_role",
+  MEMBER_LIST: "member.list",
+  MANAGE_MEMBERS: "org.manage_members",
+  TEAM_CREATE: "team.create",
+  TEAM_UPDATE: "team.update",
+  TEAM_DELETE: "team.delete",
+  TEAM_MANAGE: "team.manage",
+  ROLE_CREATE: "role.create",
+  ROLE_UPDATE: "role.update",
+  ROLE_DELETE: "role.delete",
+  ROLE_ASSIGN: "role.assign",
+  ROLE_REVOKE: "role.revoke",
+  BILLING_VIEW: "billing.view",
+  BILLING_MANAGE: "billing.manage",
+  PROJECT_CREATE: "project.create",
+  PROJECT_READ: "project.read",
+  PROJECT_UPDATE: "project.update",
+  PROJECT_DELETE: "project.delete",
+  PROJECT_MANAGE: "project.manage",
+  ADMIN_ACCESS: "admin.access",
+  ADMIN_IMPERSONATE: "admin.impersonate"
+};
+var StandardRole = {
+  OWNER: {
+    name: "owner",
+    description: "Organization owner with full access",
+    permissions: Object.values(Permission)
+  },
+  ADMIN: {
+    name: "admin",
+    description: "Administrator with most permissions",
+    permissions: [
+      Permission.USER_READ,
+      Permission.USER_LIST,
+      Permission.ORG_READ,
+      Permission.ORG_UPDATE,
+      Permission.MEMBER_INVITE,
+      Permission.MEMBER_REMOVE,
+      Permission.MEMBER_UPDATE_ROLE,
+      Permission.MEMBER_LIST,
+      Permission.MANAGE_MEMBERS,
+      Permission.TEAM_CREATE,
+      Permission.TEAM_UPDATE,
+      Permission.TEAM_DELETE,
+      Permission.TEAM_MANAGE,
+      Permission.PROJECT_CREATE,
+      Permission.PROJECT_READ,
+      Permission.PROJECT_UPDATE,
+      Permission.PROJECT_DELETE,
+      Permission.PROJECT_MANAGE,
+      Permission.BILLING_VIEW
+    ]
+  },
+  MEMBER: {
+    name: "member",
+    description: "Regular organization member",
+    permissions: [
+      Permission.USER_READ,
+      Permission.ORG_READ,
+      Permission.MEMBER_LIST,
+      Permission.PROJECT_READ,
+      Permission.PROJECT_CREATE
+    ]
+  },
+  VIEWER: {
+    name: "viewer",
+    description: "Read-only access",
+    permissions: [
+      Permission.USER_READ,
+      Permission.ORG_READ,
+      Permission.MEMBER_LIST,
+      Permission.PROJECT_READ
+    ]
+  }
+};
+
+class RBACPolicyEngine {
+  roleCache = new Map;
+  bindingCache = new Map;
+  async checkPermission(input, bindings) {
+    const { userId, orgId, permission } = input;
+    const now = new Date;
+    const userBindings = bindings.filter((b) => b.targetType === "user" && b.targetId === userId);
+    const orgBindings = orgId ? bindings.filter((b) => b.targetType === "organization" && b.targetId === orgId) : [];
+    const allBindings = [...userBindings, ...orgBindings];
+    const activeBindings = allBindings.filter((b) => !b.expiresAt || b.expiresAt > now);
+    if (activeBindings.length === 0) {
+      return {
+        allowed: false,
+        reason: "No active role bindings found"
+      };
+    }
+    for (const binding of activeBindings) {
+      if (binding.role.permissions.includes(permission)) {
+        return {
+          allowed: true,
+          matchedRole: binding.role.name
+        };
+      }
+    }
+    return {
+      allowed: false,
+      reason: `No role grants the "${permission}" permission`
+    };
+  }
+  async getPermissions(userId, orgId, bindings) {
+    const now = new Date;
+    const userBindings = bindings.filter((b) => b.targetType === "user" && b.targetId === userId);
+    const orgBindings = orgId ? bindings.filter((b) => b.targetType === "organization" && b.targetId === orgId) : [];
+    const allBindings = [...userBindings, ...orgBindings];
+    const activeBindings = allBindings.filter((b) => !b.expiresAt || b.expiresAt > now);
+    const permissions = new Set;
+    const roles = [];
+    for (const binding of activeBindings) {
+      roles.push(binding.role);
+      for (const perm of binding.role.permissions) {
+        permissions.add(perm);
+      }
+    }
+    return { permissions, roles };
+  }
+  async hasAnyPermission(userId, orgId, permissions, bindings) {
+    const { permissions: userPerms } = await this.getPermissions(userId, orgId, bindings);
+    return permissions.some((p) => userPerms.has(p));
+  }
+  async hasAllPermissions(userId, orgId, permissions, bindings) {
+    const { permissions: userPerms } = await this.getPermissions(userId, orgId, bindings);
+    return permissions.every((p) => userPerms.has(p));
+  }
+}
+function createRBACEngine() {
+  return new RBACPolicyEngine;
+}
+export {
+  identityRbacSchemaContribution,
+  identityRbacEntities,
+  createRBACEngine,
+  VerificationEntity,
+  UserUpdatedEvent,
+  UserProfileModel,
+  UserEntity,
+  UserEmailVerifiedEvent,
+  UserDeletedPayloadModel,
+  UserDeletedEvent,
+  UserCreatedEvent,
+  UpdateUserInputModel,
+  UpdateUserContract,
+  UpdateRoleInputModel,
+  UpdateRoleContract,
+  UpdateOrgInputModel,
+  UpdateOrgContract,
+  TeamMemberEntity,
+  TeamEntity,
+  SuccessResultModel,
+  StandardRole,
+  SessionEntity,
+  RoleRevokedEvent,
+  RoleModel,
+  RoleEntity,
+  RoleAssignedEvent,
+  RevokeRoleInputModel,
+  RevokeRoleContract,
+  RemoveMemberInputModel,
+  RemoveMemberContract,
+  RBACPolicyEngine,
+  PolicyBindingModel,
+  PolicyBindingEntity,
+  PermissionEntity,
+  PermissionCheckResultModel,
+  Permission,
+  PasskeyEntity,
+  OrganizationWithRoleModel,
+  OrganizationTypeEnum,
+  OrganizationModel,
+  OrganizationEntity,
+  OrgUpdatedEvent,
+  OrgMemberRoleChangedEvent,
+  OrgMemberRemovedEvent,
+  OrgMemberAddedEvent,
+  OrgInviteSentEvent,
+  OrgInviteDeclinedEvent,
+  OrgInviteAcceptedEvent,
+  OrgDeletedEvent,
+  OrgCreatedEvent,
+  MemberUserModel,
+  MemberRemovedPayloadModel,
+  MemberModel,
+  MemberEntity,
+  ListUsersOutputModel,
+  ListUsersInputModel,
+  ListUsersContract,
+  ListUserPermissionsOutputModel,
+  ListUserPermissionsInputModel,
+  ListUserPermissionsContract,
+  ListUserOrgsOutputModel,
+  ListUserOrgsContract,
+  ListRolesOutputModel,
+  ListRolesContract,
+  ListMembersOutputModel,
+  ListMembersInputModel,
+  ListMembersContract,
+  InviteMemberInputModel,
+  InviteMemberContract,
+  InvitationModel,
+  InvitationEntity,
+  IdentityRbacFeature,
+  IdentityRbacEvents,
+  GetOrgInputModel,
+  GetOrgContract,
+  GetCurrentUserContract,
+  DeleteUserInputModel,
+  DeleteUserContract,
+  DeleteRoleInputModel,
+  DeleteRoleContract,
+  CreateUserInputModel,
+  CreateUserContract,
+  CreateRoleInputModel,
+  CreateRoleContract,
+  CreateOrgInputModel,
+  CreateOrgContract,
+  CheckPermissionInputModel,
+  CheckPermissionContract,
+  BindingIdPayloadModel,
+  AssignRoleInputModel,
+  AssignRoleContract,
+  ApiKeyEntity,
+  AccountEntity,
+  AcceptInviteInputModel,
+  AcceptInviteContract
+};