@contractspec/lib.identity-rbac 1.57.0 → 1.58.0

package/dist/contracts/index.js

@@ -1,5 +1,1046 @@
-import { CreateUserContract, CreateUserInputModel, DeleteUserContract, DeleteUserInputModel, GetCurrentUserContract, ListUsersContract, ListUsersInputModel, ListUsersOutputModel, SuccessResultModel, UpdateUserContract, UpdateUserInputModel, UserDeletedPayloadModel, UserProfileModel } from "./user.js";
-import { AcceptInviteContract, AcceptInviteInputModel, CreateOrgContract, CreateOrgInputModel, GetOrgContract, GetOrgInputModel, InvitationModel, InviteMemberContract, InviteMemberInputModel, ListMembersContract, ListMembersInputModel, ListMembersOutputModel, ListUserOrgsContract, ListUserOrgsOutputModel, MemberModel, MemberRemovedPayloadModel, MemberUserModel, OrganizationModel, OrganizationWithRoleModel, RemoveMemberContract, RemoveMemberInputModel, UpdateOrgContract, UpdateOrgInputModel } from "./organization.js";
-import { AssignRoleContract, AssignRoleInputModel, BindingIdPayloadModel, CheckPermissionContract, CheckPermissionInputModel, CreateRoleContract, CreateRoleInputModel, DeleteRoleContract, DeleteRoleInputModel, ListRolesContract, ListRolesOutputModel, ListUserPermissionsContract, ListUserPermissionsInputModel, ListUserPermissionsOutputModel, PermissionCheckResultModel, PolicyBindingModel, RevokeRoleContract, RevokeRoleInputModel, RoleModel, UpdateRoleContract, UpdateRoleInputModel } from "./rbac.js";
+// @bun
+// src/contracts/user.ts
+import { SchemaModel, ScalarTypeEnum } from "@contractspec/lib.schema";
+import { defineCommand, defineQuery } from "@contractspec/lib.contracts";
+var OWNERS = ["platform.identity-rbac"];
+var UserProfileModel = new SchemaModel({
+  name: "UserProfile",
+  description: "User profile information",
+  fields: {
+    id: { type: ScalarTypeEnum.String_unsecure(), isOptional: false },
+    email: { type: ScalarTypeEnum.EmailAddress(), isOptional: false },
+    emailVerified: { type: ScalarTypeEnum.Boolean(), isOptional: false },
+    name: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },
+    firstName: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },
+    lastName: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },
+    locale: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },
+    timezone: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },
+    imageUrl: { type: ScalarTypeEnum.URL(), isOptional: true },
+    role: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },
+    onboardingCompleted: { type: ScalarTypeEnum.Boolean(), isOptional: false },
+    createdAt: { type: ScalarTypeEnum.DateTime(), isOptional: false }
+  }
+});
+var CreateUserInputModel = new SchemaModel({
+  name: "CreateUserInput",
+  description: "Input for creating a new user",
+  fields: {
+    email: { type: ScalarTypeEnum.EmailAddress(), isOptional: false },
+    name: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },
+    firstName: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },
+    lastName: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },
+    password: { type: ScalarTypeEnum.String_unsecure(), isOptional: true }
+  }
+});
+var UpdateUserInputModel = new SchemaModel({
+  name: "UpdateUserInput",
+  description: "Input for updating a user profile",
+  fields: {
+    name: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },
+    firstName: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },
+    lastName: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },
+    locale: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },
+    timezone: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },
+    imageUrl: { type: ScalarTypeEnum.URL(), isOptional: true }
+  }
+});
+var DeleteUserInputModel = new SchemaModel({
+  name: "DeleteUserInput",
+  description: "Input for deleting a user",
+  fields: {
+    confirmEmail: { type: ScalarTypeEnum.EmailAddress(), isOptional: false }
+  }
+});
+var SuccessResultModel = new SchemaModel({
+  name: "SuccessResult",
+  description: "Simple success result",
+  fields: {
+    success: { type: ScalarTypeEnum.Boolean(), isOptional: false }
+  }
+});
+var UserDeletedPayloadModel = new SchemaModel({
+  name: "UserDeletedPayload",
+  description: "Payload for user deleted event",
+  fields: {
+    userId: { type: ScalarTypeEnum.String_unsecure(), isOptional: false }
+  }
+});
+var ListUsersInputModel = new SchemaModel({
+  name: "ListUsersInput",
+  description: "Input for listing users",
+  fields: {
+    limit: { type: ScalarTypeEnum.Int_unsecure(), isOptional: true },
+    offset: { type: ScalarTypeEnum.Int_unsecure(), isOptional: true },
+    search: { type: ScalarTypeEnum.String_unsecure(), isOptional: true }
+  }
+});
+var ListUsersOutputModel = new SchemaModel({
+  name: "ListUsersOutput",
+  description: "Output for listing users",
+  fields: {
+    users: { type: UserProfileModel, isOptional: false, isArray: true },
+    total: { type: ScalarTypeEnum.Int_unsecure(), isOptional: false }
+  }
+});
+var CreateUserContract = defineCommand({
+  meta: {
+    key: "identity.user.create",
+    version: "1.0.0",
+    stability: "stable",
+    owners: [...OWNERS],
+    tags: ["identity", "user", "create"],
+    description: "Create a new user account.",
+    goal: "Register a new user in the system.",
+    context: "Used during signup flows. May trigger email verification."
+  },
+  io: {
+    input: CreateUserInputModel,
+    output: UserProfileModel,
+    errors: {
+      EMAIL_EXISTS: {
+        description: "A user with this email already exists",
+        http: 409,
+        gqlCode: "EMAIL_EXISTS",
+        when: "Email is already registered"
+      }
+    }
+  },
+  policy: {
+    auth: "anonymous"
+  },
+  sideEffects: {
+    emits: [
+      {
+        key: "user.created",
+        version: "1.0.0",
+        when: "User is successfully created",
+        payload: UserProfileModel
+      }
+    ],
+    audit: ["user.created"]
+  }
+});
+var GetCurrentUserContract = defineQuery({
+  meta: {
+    key: "identity.user.me",
+    version: "1.0.0",
+    stability: "stable",
+    owners: [...OWNERS],
+    tags: ["identity", "user", "profile"],
+    description: "Get the current authenticated user profile.",
+    goal: "Retrieve user profile for the authenticated session.",
+    context: "Called on app load and after profile updates."
+  },
+  io: {
+    input: null,
+    output: UserProfileModel
+  },
+  policy: {
+    auth: "user"
+  }
+});
+var UpdateUserContract = defineCommand({
+  meta: {
+    key: "identity.user.update",
+    version: "1.0.0",
+    stability: "stable",
+    owners: [...OWNERS],
+    tags: ["identity", "user", "update"],
+    description: "Update user profile information.",
+    goal: "Allow users to update their profile.",
+    context: "Self-service profile updates."
+  },
+  io: {
+    input: UpdateUserInputModel,
+    output: UserProfileModel
+  },
+  policy: {
+    auth: "user"
+  },
+  sideEffects: {
+    emits: [
+      {
+        key: "user.updated",
+        version: "1.0.0",
+        when: "User profile is updated",
+        payload: UserProfileModel
+      }
+    ],
+    audit: ["user.updated"]
+  }
+});
+var DeleteUserContract = defineCommand({
+  meta: {
+    key: "identity.user.delete",
+    version: "1.0.0",
+    stability: "stable",
+    owners: [...OWNERS],
+    tags: ["identity", "user", "delete"],
+    description: "Delete user account and all associated data.",
+    goal: "Allow users to delete their account (GDPR compliance).",
+    context: "Self-service account deletion. Cascades to memberships, sessions, etc."
+  },
+  io: {
+    input: DeleteUserInputModel,
+    output: SuccessResultModel
+  },
+  policy: {
+    auth: "user",
+    escalate: "human_review"
+  },
+  sideEffects: {
+    emits: [
+      {
+        key: "user.deleted",
+        version: "1.0.0",
+        when: "User account is deleted",
+        payload: UserDeletedPayloadModel
+      }
+    ],
+    audit: ["user.deleted"]
+  }
+});
+var ListUsersContract = defineQuery({
+  meta: {
+    key: "identity.user.list",
+    version: "1.0.0",
+    stability: "stable",
+    owners: [...OWNERS],
+    tags: ["identity", "user", "admin", "list"],
+    description: "List all users (admin only).",
+    goal: "Allow admins to browse and manage users.",
+    context: "Admin dashboard user management."
+  },
+  io: {
+    input: ListUsersInputModel,
+    output: ListUsersOutputModel
+  },
+  policy: {
+    auth: "admin"
+  }
+});
 
-export { AcceptInviteContract, AcceptInviteInputModel, AssignRoleContract, AssignRoleInputModel, BindingIdPayloadModel, CheckPermissionContract, CheckPermissionInputModel, CreateOrgContract, CreateOrgInputModel, CreateRoleContract, CreateRoleInputModel, CreateUserContract, CreateUserInputModel, DeleteRoleContract, DeleteRoleInputModel, DeleteUserContract, DeleteUserInputModel, GetCurrentUserContract, GetOrgContract, GetOrgInputModel, InvitationModel, InviteMemberContract, InviteMemberInputModel, ListMembersContract, ListMembersInputModel, ListMembersOutputModel, ListRolesContract, ListRolesOutputModel, ListUserOrgsContract, ListUserOrgsOutputModel, ListUserPermissionsContract, ListUserPermissionsInputModel, ListUserPermissionsOutputModel, ListUsersContract, ListUsersInputModel, ListUsersOutputModel, MemberModel, MemberRemovedPayloadModel, MemberUserModel, OrganizationModel, OrganizationWithRoleModel, PermissionCheckResultModel, PolicyBindingModel, RemoveMemberContract, RemoveMemberInputModel, RevokeRoleContract, RevokeRoleInputModel, RoleModel, SuccessResultModel, UpdateOrgContract, UpdateOrgInputModel, UpdateRoleContract, UpdateRoleInputModel, UpdateUserContract, UpdateUserInputModel, UserDeletedPayloadModel, UserProfileModel };
+// src/contracts/organization.ts
+import { ScalarTypeEnum as ScalarTypeEnum2, SchemaModel as SchemaModel2 } from "@contractspec/lib.schema";
+import { defineCommand as defineCommand2, defineQuery as defineQuery2 } from "@contractspec/lib.contracts";
+var OWNERS2 = ["platform.identity-rbac"];
+var OrganizationModel = new SchemaModel2({
+  name: "Organization",
+  description: "Organization details",
+  fields: {
+    id: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false },
+    name: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false },
+    slug: { type: ScalarTypeEnum2.String_unsecure(), isOptional: true },
+    logo: { type: ScalarTypeEnum2.URL(), isOptional: true },
+    description: { type: ScalarTypeEnum2.String_unsecure(), isOptional: true },
+    type: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false },
+    onboardingCompleted: { type: ScalarTypeEnum2.Boolean(), isOptional: false },
+    createdAt: { type: ScalarTypeEnum2.DateTime(), isOptional: false }
+  }
+});
+var MemberUserModel = new SchemaModel2({
+  name: "MemberUser",
+  description: "Basic user info within a member",
+  fields: {
+    id: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false },
+    email: { type: ScalarTypeEnum2.EmailAddress(), isOptional: false },
+    name: { type: ScalarTypeEnum2.String_unsecure(), isOptional: true }
+  }
+});
+var MemberModel = new SchemaModel2({
+  name: "Member",
+  description: "Organization member",
+  fields: {
+    id: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false },
+    userId: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false },
+    organizationId: {
+      type: ScalarTypeEnum2.String_unsecure(),
+      isOptional: false
+    },
+    role: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false },
+    createdAt: { type: ScalarTypeEnum2.DateTime(), isOptional: false },
+    user: { type: MemberUserModel, isOptional: false }
+  }
+});
+var InvitationModel = new SchemaModel2({
+  name: "Invitation",
+  description: "Organization invitation",
+  fields: {
+    id: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false },
+    email: { type: ScalarTypeEnum2.EmailAddress(), isOptional: false },
+    role: { type: ScalarTypeEnum2.String_unsecure(), isOptional: true },
+    status: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false },
+    expiresAt: { type: ScalarTypeEnum2.DateTime(), isOptional: true },
+    createdAt: { type: ScalarTypeEnum2.DateTime(), isOptional: false }
+  }
+});
+var CreateOrgInputModel = new SchemaModel2({
+  name: "CreateOrgInput",
+  description: "Input for creating an organization",
+  fields: {
+    name: { type: ScalarTypeEnum2.NonEmptyString(), isOptional: false },
+    slug: { type: ScalarTypeEnum2.String_unsecure(), isOptional: true },
+    description: { type: ScalarTypeEnum2.String_unsecure(), isOptional: true },
+    type: { type: ScalarTypeEnum2.String_unsecure(), isOptional: true }
+  }
+});
+var GetOrgInputModel = new SchemaModel2({
+  name: "GetOrgInput",
+  description: "Input for getting an organization",
+  fields: {
+    orgId: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false }
+  }
+});
+var UpdateOrgInputModel = new SchemaModel2({
+  name: "UpdateOrgInput",
+  description: "Input for updating an organization",
+  fields: {
+    orgId: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false },
+    name: { type: ScalarTypeEnum2.String_unsecure(), isOptional: true },
+    slug: { type: ScalarTypeEnum2.String_unsecure(), isOptional: true },
+    logo: { type: ScalarTypeEnum2.URL(), isOptional: true },
+    description: { type: ScalarTypeEnum2.String_unsecure(), isOptional: true }
+  }
+});
+var InviteMemberInputModel = new SchemaModel2({
+  name: "InviteMemberInput",
+  description: "Input for inviting a member",
+  fields: {
+    orgId: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false },
+    email: { type: ScalarTypeEnum2.EmailAddress(), isOptional: false },
+    role: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false },
+    teamId: { type: ScalarTypeEnum2.String_unsecure(), isOptional: true }
+  }
+});
+var AcceptInviteInputModel = new SchemaModel2({
+  name: "AcceptInviteInput",
+  description: "Input for accepting an invitation",
+  fields: {
+    invitationId: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false }
+  }
+});
+var RemoveMemberInputModel = new SchemaModel2({
+  name: "RemoveMemberInput",
+  description: "Input for removing a member",
+  fields: {
+    orgId: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false },
+    userId: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false }
+  }
+});
+var MemberRemovedPayloadModel = new SchemaModel2({
+  name: "MemberRemovedPayload",
+  description: "Payload for member removed event",
+  fields: {
+    orgId: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false },
+    userId: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false }
+  }
+});
+var ListMembersInputModel = new SchemaModel2({
+  name: "ListMembersInput",
+  description: "Input for listing members",
+  fields: {
+    orgId: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false },
+    limit: { type: ScalarTypeEnum2.Int_unsecure(), isOptional: true },
+    offset: { type: ScalarTypeEnum2.Int_unsecure(), isOptional: true }
+  }
+});
+var ListMembersOutputModel = new SchemaModel2({
+  name: "ListMembersOutput",
+  description: "Output for listing members",
+  fields: {
+    members: { type: MemberModel, isOptional: false, isArray: true },
+    total: { type: ScalarTypeEnum2.Int_unsecure(), isOptional: false }
+  }
+});
+var OrganizationWithRoleModel = new SchemaModel2({
+  name: "OrganizationWithRole",
+  description: "Organization with user role",
+  fields: {
+    id: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false },
+    name: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false },
+    slug: { type: ScalarTypeEnum2.String_unsecure(), isOptional: true },
+    logo: { type: ScalarTypeEnum2.URL(), isOptional: true },
+    description: { type: ScalarTypeEnum2.String_unsecure(), isOptional: true },
+    type: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false },
+    onboardingCompleted: { type: ScalarTypeEnum2.Boolean(), isOptional: false },
+    createdAt: { type: ScalarTypeEnum2.DateTime(), isOptional: false },
+    role: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false }
+  }
+});
+var ListUserOrgsOutputModel = new SchemaModel2({
+  name: "ListUserOrgsOutput",
+  description: "Output for listing user organizations",
+  fields: {
+    organizations: {
+      type: OrganizationWithRoleModel,
+      isOptional: false,
+      isArray: true
+    }
+  }
+});
+var CreateOrgContract = defineCommand2({
+  meta: {
+    key: "identity.org.create",
+    version: "1.0.0",
+    stability: "stable",
+    owners: [...OWNERS2],
+    tags: ["identity", "org", "create"],
+    description: "Create a new organization.",
+    goal: "Allow users to create new organizations/workspaces.",
+    context: "Called during onboarding or when creating additional workspaces."
+  },
+  io: {
+    input: CreateOrgInputModel,
+    output: OrganizationModel,
+    errors: {
+      SLUG_EXISTS: {
+        description: "An organization with this slug already exists",
+        http: 409,
+        gqlCode: "SLUG_EXISTS",
+        when: "Slug is already taken"
+      }
+    }
+  },
+  policy: {
+    auth: "user"
+  },
+  sideEffects: {
+    emits: [
+      {
+        key: "org.created",
+        version: "1.0.0",
+        when: "Organization is created",
+        payload: OrganizationModel
+      }
+    ],
+    audit: ["org.created"]
+  }
+});
+var GetOrgContract = defineQuery2({
+  meta: {
+    key: "identity.org.get",
+    version: "1.0.0",
+    stability: "stable",
+    owners: [...OWNERS2],
+    tags: ["identity", "org", "get"],
+    description: "Get organization details.",
+    goal: "Retrieve organization information.",
+    context: "Called when viewing organization settings or dashboard."
+  },
+  io: {
+    input: GetOrgInputModel,
+    output: OrganizationModel
+  },
+  policy: {
+    auth: "user"
+  }
+});
+var UpdateOrgContract = defineCommand2({
+  meta: {
+    key: "identity.org.update",
+    version: "1.0.0",
+    stability: "stable",
+    owners: [...OWNERS2],
+    tags: ["identity", "org", "update"],
+    description: "Update organization details.",
+    goal: "Allow org admins to update organization settings.",
+    context: "Organization settings page."
+  },
+  io: {
+    input: UpdateOrgInputModel,
+    output: OrganizationModel
+  },
+  policy: {
+    auth: "user"
+  },
+  sideEffects: {
+    emits: [
+      {
+        key: "org.updated",
+        version: "1.0.0",
+        when: "Organization is updated",
+        payload: OrganizationModel
+      }
+    ],
+    audit: ["org.updated"]
+  }
+});
+var InviteMemberContract = defineCommand2({
+  meta: {
+    key: "identity.org.invite",
+    version: "1.0.0",
+    stability: "stable",
+    owners: [...OWNERS2],
+    tags: ["identity", "org", "invite", "member"],
+    description: "Invite a user to join the organization.",
+    goal: "Allow org admins to invite new members.",
+    context: "Team management. Sends invitation email."
+  },
+  io: {
+    input: InviteMemberInputModel,
+    output: InvitationModel,
+    errors: {
+      ALREADY_MEMBER: {
+        description: "User is already a member of this organization",
+        http: 409,
+        gqlCode: "ALREADY_MEMBER",
+        when: "Invitee is already a member"
+      },
+      INVITE_PENDING: {
+        description: "An invitation for this email is already pending",
+        http: 409,
+        gqlCode: "INVITE_PENDING",
+        when: "Active invitation exists"
+      }
+    }
+  },
+  policy: {
+    auth: "user"
+  },
+  sideEffects: {
+    emits: [
+      {
+        key: "org.invite.sent",
+        version: "1.0.0",
+        when: "Invitation is sent",
+        payload: InvitationModel
+      }
+    ],
+    audit: ["org.invite.sent"]
+  }
+});
+var AcceptInviteContract = defineCommand2({
+  meta: {
+    key: "identity.org.invite.accept",
+    version: "1.0.0",
+    stability: "stable",
+    owners: [...OWNERS2],
+    tags: ["identity", "org", "invite", "accept"],
+    description: "Accept an organization invitation.",
+    goal: "Allow users to join organizations via invitation.",
+    context: "Called from invitation email link."
+  },
+  io: {
+    input: AcceptInviteInputModel,
+    output: MemberModel,
+    errors: {
+      INVITE_EXPIRED: {
+        description: "The invitation has expired",
+        http: 410,
+        gqlCode: "INVITE_EXPIRED",
+        when: "Invitation is past expiry date"
+      },
+      INVITE_USED: {
+        description: "The invitation has already been used",
+        http: 409,
+        gqlCode: "INVITE_USED",
+        when: "Invitation was already accepted"
+      }
+    }
+  },
+  policy: {
+    auth: "user"
+  },
+  sideEffects: {
+    emits: [
+      {
+        key: "org.member.added",
+        version: "1.0.0",
+        when: "Member joins org",
+        payload: MemberModel
+      }
+    ],
+    audit: ["org.member.added"]
+  }
+});
+var RemoveMemberContract = defineCommand2({
+  meta: {
+    key: "identity.org.member.remove",
+    version: "1.0.0",
+    stability: "stable",
+    owners: [...OWNERS2],
+    tags: ["identity", "org", "member", "remove"],
+    description: "Remove a member from the organization.",
+    goal: "Allow org admins to remove members.",
+    context: "Team management."
+  },
+  io: {
+    input: RemoveMemberInputModel,
+    output: SuccessResultModel,
+    errors: {
+      CANNOT_REMOVE_OWNER: {
+        description: "Cannot remove the organization owner",
+        http: 403,
+        gqlCode: "CANNOT_REMOVE_OWNER",
+        when: "Target is the org owner"
+      }
+    }
+  },
+  policy: {
+    auth: "user"
+  },
+  sideEffects: {
+    emits: [
+      {
+        key: "org.member.removed",
+        version: "1.0.0",
+        when: "Member is removed",
+        payload: MemberRemovedPayloadModel
+      }
+    ],
+    audit: ["org.member.removed"]
+  }
+});
+var ListMembersContract = defineQuery2({
+  meta: {
+    key: "identity.org.members.list",
+    version: "1.0.0",
+    stability: "stable",
+    owners: [...OWNERS2],
+    tags: ["identity", "org", "member", "list"],
+    description: "List organization members.",
+    goal: "View all members of an organization.",
+    context: "Team management page."
+  },
+  io: {
+    input: ListMembersInputModel,
+    output: ListMembersOutputModel
+  },
+  policy: {
+    auth: "user"
+  }
+});
+var ListUserOrgsContract = defineQuery2({
+  meta: {
+    key: "identity.org.list",
+    version: "1.0.0",
+    stability: "stable",
+    owners: [...OWNERS2],
+    tags: ["identity", "org", "list"],
+    description: "List organizations the current user belongs to.",
+    goal: "Show user their organizations for workspace switching.",
+    context: "Workspace switcher, org selection."
+  },
+  io: {
+    input: null,
+    output: ListUserOrgsOutputModel
+  },
+  policy: {
+    auth: "user"
+  }
+});
+
+// src/contracts/rbac.ts
+import { SchemaModel as SchemaModel3, ScalarTypeEnum as ScalarTypeEnum3 } from "@contractspec/lib.schema";
+import { defineCommand as defineCommand3, defineQuery as defineQuery3 } from "@contractspec/lib.contracts";
+var RoleModel = new SchemaModel3({
+  name: "Role",
+  description: "RBAC role definition",
+  fields: {
+    id: { type: ScalarTypeEnum3.String_unsecure(), isOptional: false },
+    name: { type: ScalarTypeEnum3.String_unsecure(), isOptional: false },
+    description: { type: ScalarTypeEnum3.String_unsecure(), isOptional: true },
+    permissions: {
+      type: ScalarTypeEnum3.String_unsecure(),
+      isOptional: false,
+      isArray: true
+    },
+    createdAt: { type: ScalarTypeEnum3.DateTime(), isOptional: false }
+  }
+});
+var PolicyBindingModel = new SchemaModel3({
+  name: "PolicyBinding",
+  description: "Role assignment to a target",
+  fields: {
+    id: { type: ScalarTypeEnum3.String_unsecure(), isOptional: false },
+    roleId: { type: ScalarTypeEnum3.String_unsecure(), isOptional: false },
+    targetType: { type: ScalarTypeEnum3.String_unsecure(), isOptional: false },
+    targetId: { type: ScalarTypeEnum3.String_unsecure(), isOptional: false },
+    expiresAt: { type: ScalarTypeEnum3.DateTime(), isOptional: true },
+    createdAt: { type: ScalarTypeEnum3.DateTime(), isOptional: false },
+    role: { type: RoleModel, isOptional: false }
+  }
+});
+var PermissionCheckResultModel = new SchemaModel3({
+  name: "PermissionCheckResult",
+  description: "Result of a permission check",
+  fields: {
+    allowed: { type: ScalarTypeEnum3.Boolean(), isOptional: false },
+    reason: { type: ScalarTypeEnum3.String_unsecure(), isOptional: true },
+    matchedRole: { type: ScalarTypeEnum3.String_unsecure(), isOptional: true }
+  }
+});
+var CreateRoleInputModel = new SchemaModel3({
+  name: "CreateRoleInput",
+  description: "Input for creating a role",
+  fields: {
+    name: { type: ScalarTypeEnum3.NonEmptyString(), isOptional: false },
+    description: { type: ScalarTypeEnum3.String_unsecure(), isOptional: true },
+    permissions: {
+      type: ScalarTypeEnum3.String_unsecure(),
+      isOptional: false,
+      isArray: true
+    }
+  }
+});
+var UpdateRoleInputModel = new SchemaModel3({
+  name: "UpdateRoleInput",
+  description: "Input for updating a role",
+  fields: {
+    roleId: { type: ScalarTypeEnum3.String_unsecure(), isOptional: false },
+    name: { type: ScalarTypeEnum3.String_unsecure(), isOptional: true },
+    description: { type: ScalarTypeEnum3.String_unsecure(), isOptional: true },
+    permissions: {
+      type: ScalarTypeEnum3.String_unsecure(),
+      isOptional: true,
+      isArray: true
+    }
+  }
+});
+var DeleteRoleInputModel = new SchemaModel3({
+  name: "DeleteRoleInput",
+  description: "Input for deleting a role",
+  fields: {
+    roleId: { type: ScalarTypeEnum3.String_unsecure(), isOptional: false }
+  }
+});
+var ListRolesOutputModel = new SchemaModel3({
+  name: "ListRolesOutput",
+  description: "Output for listing roles",
+  fields: {
+    roles: { type: RoleModel, isOptional: false, isArray: true }
+  }
+});
+var AssignRoleInputModel = new SchemaModel3({
+  name: "AssignRoleInput",
+  description: "Input for assigning a role",
+  fields: {
+    roleId: { type: ScalarTypeEnum3.String_unsecure(), isOptional: false },
+    targetType: { type: ScalarTypeEnum3.String_unsecure(), isOptional: false },
+    targetId: { type: ScalarTypeEnum3.String_unsecure(), isOptional: false },
+    expiresAt: { type: ScalarTypeEnum3.DateTime(), isOptional: true }
+  }
+});
+var RevokeRoleInputModel = new SchemaModel3({
+  name: "RevokeRoleInput",
+  description: "Input for revoking a role",
+  fields: {
+    bindingId: { type: ScalarTypeEnum3.String_unsecure(), isOptional: false }
+  }
+});
+var BindingIdPayloadModel = new SchemaModel3({
+  name: "BindingIdPayload",
+  description: "Payload with binding ID",
+  fields: {
+    bindingId: { type: ScalarTypeEnum3.String_unsecure(), isOptional: false }
+  }
+});
+var CheckPermissionInputModel = new SchemaModel3({
+  name: "CheckPermissionInput",
+  description: "Input for checking a permission",
+  fields: {
+    userId: { type: ScalarTypeEnum3.String_unsecure(), isOptional: false },
+    orgId: { type: ScalarTypeEnum3.String_unsecure(), isOptional: true },
+    permission: { type: ScalarTypeEnum3.String_unsecure(), isOptional: false }
+  }
+});
+var ListUserPermissionsInputModel = new SchemaModel3({
+  name: "ListUserPermissionsInput",
+  description: "Input for listing user permissions",
+  fields: {
+    userId: { type: ScalarTypeEnum3.String_unsecure(), isOptional: false },
+    orgId: { type: ScalarTypeEnum3.String_unsecure(), isOptional: true }
+  }
+});
+var ListUserPermissionsOutputModel = new SchemaModel3({
+  name: "ListUserPermissionsOutput",
+  description: "Output for listing user permissions",
+  fields: {
+    permissions: {
+      type: ScalarTypeEnum3.String_unsecure(),
+      isOptional: false,
+      isArray: true
+    },
+    roles: { type: RoleModel, isOptional: false, isArray: true }
+  }
+});
+var CreateRoleContract = defineCommand3({
+  meta: {
+    key: "identity.rbac.role.create",
+    version: "1.0.0",
+    stability: "stable",
+    owners: ["@platform.identity-rbac"],
+    tags: ["identity", "rbac", "role", "create"],
+    description: "Create a new role with permissions.",
+    goal: "Allow admins to define custom roles.",
+    context: "Role management in admin settings."
+  },
+  io: {
+    input: CreateRoleInputModel,
+    output: RoleModel,
+    errors: {
+      ROLE_EXISTS: {
+        description: "A role with this name already exists",
+        http: 409,
+        gqlCode: "ROLE_EXISTS",
+        when: "Role name is taken"
+      }
+    }
+  },
+  policy: {
+    auth: "admin"
+  },
+  sideEffects: {
+    audit: ["role.created"]
+  }
+});
+var UpdateRoleContract = defineCommand3({
+  meta: {
+    key: "identity.rbac.role.update",
+    version: "1.0.0",
+    stability: "stable",
+    owners: ["@platform.identity-rbac"],
+    tags: ["identity", "rbac", "role", "update"],
+    description: "Update an existing role.",
+    goal: "Allow admins to modify role permissions.",
+    context: "Role management in admin settings."
+  },
+  io: {
+    input: UpdateRoleInputModel,
+    output: RoleModel
+  },
+  policy: {
+    auth: "admin"
+  },
+  sideEffects: {
+    audit: ["role.updated"]
+  }
+});
+var DeleteRoleContract = defineCommand3({
+  meta: {
+    key: "identity.rbac.role.delete",
+    version: "1.0.0",
+    stability: "stable",
+    owners: ["@platform.identity-rbac"],
+    tags: ["identity", "rbac", "role", "delete"],
+    description: "Delete an existing role.",
+    goal: "Allow admins to remove unused roles.",
+    context: "Role management. Removes all policy bindings using this role."
+  },
+  io: {
+    input: DeleteRoleInputModel,
+    output: SuccessResultModel,
+    errors: {
+      ROLE_IN_USE: {
+        description: "Role is still assigned to users or organizations",
+        http: 409,
+        gqlCode: "ROLE_IN_USE",
+        when: "Role has active bindings"
+      }
+    }
+  },
+  policy: {
+    auth: "admin"
+  },
+  sideEffects: {
+    audit: ["role.deleted"]
+  }
+});
+var ListRolesContract = defineQuery3({
+  meta: {
+    key: "identity.rbac.role.list",
+    version: "1.0.0",
+    stability: "stable",
+    owners: ["@platform.identity-rbac"],
+    tags: ["identity", "rbac", "role", "list"],
+    description: "List all available roles.",
+    goal: "Show available roles for assignment.",
+    context: "Role assignment UI."
+  },
+  io: {
+    input: null,
+    output: ListRolesOutputModel
+  },
+  policy: {
+    auth: "user"
+  }
+});
+var AssignRoleContract = defineCommand3({
+  meta: {
+    key: "identity.rbac.assign",
+    version: "1.0.0",
+    stability: "stable",
+    owners: ["@platform.identity-rbac"],
+    tags: ["identity", "rbac", "assign"],
+    description: "Assign a role to a user or organization.",
+    goal: "Grant permissions via role assignment.",
+    context: "User/org permission management."
+  },
+  io: {
+    input: AssignRoleInputModel,
+    output: PolicyBindingModel,
+    errors: {
+      ROLE_NOT_FOUND: {
+        description: "The specified role does not exist",
+        http: 404,
+        gqlCode: "ROLE_NOT_FOUND",
+        when: "Role ID is invalid"
+      },
+      ALREADY_ASSIGNED: {
+        description: "This role is already assigned to the target",
+        http: 409,
+        gqlCode: "ALREADY_ASSIGNED",
+        when: "Binding already exists"
+      }
+    }
+  },
+  policy: {
+    auth: "admin"
+  },
+  sideEffects: {
+    emits: [
+      {
+        key: "role.assigned",
+        version: "1.0.0",
+        when: "Role is assigned",
+        payload: PolicyBindingModel
+      }
+    ],
+    audit: ["role.assigned"]
+  }
+});
+var RevokeRoleContract = defineCommand3({
+  meta: {
+    key: "identity.rbac.revoke",
+    version: "1.0.0",
+    stability: "stable",
+    owners: ["@platform.identity-rbac"],
+    tags: ["identity", "rbac", "revoke"],
+    description: "Revoke a role from a user or organization.",
+    goal: "Remove permissions via role revocation.",
+    context: "User/org permission management."
+  },
+  io: {
+    input: RevokeRoleInputModel,
+    output: SuccessResultModel,
+    errors: {
+      BINDING_NOT_FOUND: {
+        description: "The policy binding does not exist",
+        http: 404,
+        gqlCode: "BINDING_NOT_FOUND",
+        when: "Binding ID is invalid"
+      }
+    }
+  },
+  policy: {
+    auth: "admin"
+  },
+  sideEffects: {
+    emits: [
+      {
+        key: "role.revoked",
+        version: "1.0.0",
+        when: "Role is revoked",
+        payload: BindingIdPayloadModel
+      }
+    ],
+    audit: ["role.revoked"]
+  }
+});
+var CheckPermissionContract = defineQuery3({
+  meta: {
+    key: "identity.rbac.check",
+    version: "1.0.0",
+    stability: "stable",
+    owners: ["@platform.identity-rbac"],
+    tags: ["identity", "rbac", "check", "permission"],
+    description: "Check if a user has a specific permission.",
+    goal: "Authorization check before sensitive operations.",
+    context: "Called by other services to verify permissions."
+  },
+  io: {
+    input: CheckPermissionInputModel,
+    output: PermissionCheckResultModel
+  },
+  policy: {
+    auth: "user"
+  }
+});
+var ListUserPermissionsContract = defineQuery3({
+  meta: {
+    key: "identity.rbac.permissions",
+    version: "1.0.0",
+    stability: "stable",
+    owners: ["@platform.identity-rbac"],
+    tags: ["identity", "rbac", "permissions", "user"],
+    description: "List all permissions for a user in a context.",
+    goal: "Show what a user can do in an org.",
+    context: "UI permission display, debugging."
+  },
+  io: {
+    input: ListUserPermissionsInputModel,
+    output: ListUserPermissionsOutputModel
+  },
+  policy: {
+    auth: "user"
+  }
+});
+export {
+  UserProfileModel,
+  UserDeletedPayloadModel,
+  UpdateUserInputModel,
+  UpdateUserContract,
+  UpdateRoleInputModel,
+  UpdateRoleContract,
+  UpdateOrgInputModel,
+  UpdateOrgContract,
+  SuccessResultModel,
+  RoleModel,
+  RevokeRoleInputModel,
+  RevokeRoleContract,
+  RemoveMemberInputModel,
+  RemoveMemberContract,
+  PolicyBindingModel,
+  PermissionCheckResultModel,
+  OrganizationWithRoleModel,
+  OrganizationModel,
+  MemberUserModel,
+  MemberRemovedPayloadModel,
+  MemberModel,
+  ListUsersOutputModel,
+  ListUsersInputModel,
+  ListUsersContract,
+  ListUserPermissionsOutputModel,
+  ListUserPermissionsInputModel,
+  ListUserPermissionsContract,
+  ListUserOrgsOutputModel,
+  ListUserOrgsContract,
+  ListRolesOutputModel,
+  ListRolesContract,
+  ListMembersOutputModel,
+  ListMembersInputModel,
+  ListMembersContract,
+  InviteMemberInputModel,
+  InviteMemberContract,
+  InvitationModel,
+  GetOrgInputModel,
+  GetOrgContract,
+  GetCurrentUserContract,
+  DeleteUserInputModel,
+  DeleteUserContract,
+  DeleteRoleInputModel,
+  DeleteRoleContract,
+  CreateUserInputModel,
+  CreateUserContract,
+  CreateRoleInputModel,
+  CreateRoleContract,
+  CreateOrgInputModel,
+  CreateOrgContract,
+  CheckPermissionInputModel,
+  CheckPermissionContract,
+  BindingIdPayloadModel,
+  AssignRoleInputModel,
+  AssignRoleContract,
+  AcceptInviteInputModel,
+  AcceptInviteContract
+};