@contractspec/lib.identity-rbac 3.7.17 → 3.7.18

package/dist/browser/contracts/index.js

@@ -1,1045 +1 @@
-// src/contracts/user.ts
-import { defineCommand, defineQuery } from "@contractspec/lib.contracts-spec";
-import { ScalarTypeEnum, SchemaModel } from "@contractspec/lib.schema";
-var OWNERS = ["platform.identity-rbac"];
-var UserProfileModel = new SchemaModel({
-  name: "UserProfile",
-  description: "User profile information",
-  fields: {
-    id: { type: ScalarTypeEnum.String_unsecure(), isOptional: false },
-    email: { type: ScalarTypeEnum.EmailAddress(), isOptional: false },
-    emailVerified: { type: ScalarTypeEnum.Boolean(), isOptional: false },
-    name: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },
-    firstName: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },
-    lastName: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },
-    locale: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },
-    timezone: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },
-    imageUrl: { type: ScalarTypeEnum.URL(), isOptional: true },
-    role: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },
-    onboardingCompleted: { type: ScalarTypeEnum.Boolean(), isOptional: false },
-    createdAt: { type: ScalarTypeEnum.DateTime(), isOptional: false }
-  }
-});
-var CreateUserInputModel = new SchemaModel({
-  name: "CreateUserInput",
-  description: "Input for creating a new user",
-  fields: {
-    email: { type: ScalarTypeEnum.EmailAddress(), isOptional: false },
-    name: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },
-    firstName: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },
-    lastName: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },
-    password: { type: ScalarTypeEnum.String_unsecure(), isOptional: true }
-  }
-});
-var UpdateUserInputModel = new SchemaModel({
-  name: "UpdateUserInput",
-  description: "Input for updating a user profile",
-  fields: {
-    name: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },
-    firstName: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },
-    lastName: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },
-    locale: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },
-    timezone: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },
-    imageUrl: { type: ScalarTypeEnum.URL(), isOptional: true }
-  }
-});
-var DeleteUserInputModel = new SchemaModel({
-  name: "DeleteUserInput",
-  description: "Input for deleting a user",
-  fields: {
-    confirmEmail: { type: ScalarTypeEnum.EmailAddress(), isOptional: false }
-  }
-});
-var SuccessResultModel = new SchemaModel({
-  name: "SuccessResult",
-  description: "Simple success result",
-  fields: {
-    success: { type: ScalarTypeEnum.Boolean(), isOptional: false }
-  }
-});
-var UserDeletedPayloadModel = new SchemaModel({
-  name: "UserDeletedPayload",
-  description: "Payload for user deleted event",
-  fields: {
-    userId: { type: ScalarTypeEnum.String_unsecure(), isOptional: false }
-  }
-});
-var ListUsersInputModel = new SchemaModel({
-  name: "ListUsersInput",
-  description: "Input for listing users",
-  fields: {
-    limit: { type: ScalarTypeEnum.Int_unsecure(), isOptional: true },
-    offset: { type: ScalarTypeEnum.Int_unsecure(), isOptional: true },
-    search: { type: ScalarTypeEnum.String_unsecure(), isOptional: true }
-  }
-});
-var ListUsersOutputModel = new SchemaModel({
-  name: "ListUsersOutput",
-  description: "Output for listing users",
-  fields: {
-    users: { type: UserProfileModel, isOptional: false, isArray: true },
-    total: { type: ScalarTypeEnum.Int_unsecure(), isOptional: false }
-  }
-});
-var CreateUserContract = defineCommand({
-  meta: {
-    key: "identity.user.create",
-    version: "1.0.0",
-    stability: "stable",
-    owners: [...OWNERS],
-    tags: ["identity", "user", "create"],
-    description: "Create a new user account.",
-    goal: "Register a new user in the system.",
-    context: "Used during signup flows. May trigger email verification."
-  },
-  io: {
-    input: CreateUserInputModel,
-    output: UserProfileModel,
-    errors: {
-      EMAIL_EXISTS: {
-        description: "A user with this email already exists",
-        http: 409,
-        gqlCode: "EMAIL_EXISTS",
-        when: "Email is already registered"
-      }
-    }
-  },
-  policy: {
-    auth: "anonymous"
-  },
-  sideEffects: {
-    emits: [
-      {
-        key: "user.created",
-        version: "1.0.0",
-        when: "User is successfully created",
-        payload: UserProfileModel
-      }
-    ],
-    audit: ["user.created"]
-  }
-});
-var GetCurrentUserContract = defineQuery({
-  meta: {
-    key: "identity.user.me",
-    version: "1.0.0",
-    stability: "stable",
-    owners: [...OWNERS],
-    tags: ["identity", "user", "profile"],
-    description: "Get the current authenticated user profile.",
-    goal: "Retrieve user profile for the authenticated session.",
-    context: "Called on app load and after profile updates."
-  },
-  io: {
-    input: null,
-    output: UserProfileModel
-  },
-  policy: {
-    auth: "user"
-  }
-});
-var UpdateUserContract = defineCommand({
-  meta: {
-    key: "identity.user.update",
-    version: "1.0.0",
-    stability: "stable",
-    owners: [...OWNERS],
-    tags: ["identity", "user", "update"],
-    description: "Update user profile information.",
-    goal: "Allow users to update their profile.",
-    context: "Self-service profile updates."
-  },
-  io: {
-    input: UpdateUserInputModel,
-    output: UserProfileModel
-  },
-  policy: {
-    auth: "user"
-  },
-  sideEffects: {
-    emits: [
-      {
-        key: "user.updated",
-        version: "1.0.0",
-        when: "User profile is updated",
-        payload: UserProfileModel
-      }
-    ],
-    audit: ["user.updated"]
-  }
-});
-var DeleteUserContract = defineCommand({
-  meta: {
-    key: "identity.user.delete",
-    version: "1.0.0",
-    stability: "stable",
-    owners: [...OWNERS],
-    tags: ["identity", "user", "delete"],
-    description: "Delete user account and all associated data.",
-    goal: "Allow users to delete their account (GDPR compliance).",
-    context: "Self-service account deletion. Cascades to memberships, sessions, etc."
-  },
-  io: {
-    input: DeleteUserInputModel,
-    output: SuccessResultModel
-  },
-  policy: {
-    auth: "user",
-    escalate: "human_review"
-  },
-  sideEffects: {
-    emits: [
-      {
-        key: "user.deleted",
-        version: "1.0.0",
-        when: "User account is deleted",
-        payload: UserDeletedPayloadModel
-      }
-    ],
-    audit: ["user.deleted"]
-  }
-});
-var ListUsersContract = defineQuery({
-  meta: {
-    key: "identity.user.list",
-    version: "1.0.0",
-    stability: "stable",
-    owners: [...OWNERS],
-    tags: ["identity", "user", "admin", "list"],
-    description: "List all users (admin only).",
-    goal: "Allow admins to browse and manage users.",
-    context: "Admin dashboard user management."
-  },
-  io: {
-    input: ListUsersInputModel,
-    output: ListUsersOutputModel
-  },
-  policy: {
-    auth: "admin"
-  }
-});
-
-// src/contracts/organization.ts
-import { defineCommand as defineCommand2, defineQuery as defineQuery2 } from "@contractspec/lib.contracts-spec";
-import { ScalarTypeEnum as ScalarTypeEnum2, SchemaModel as SchemaModel2 } from "@contractspec/lib.schema";
-var OWNERS2 = ["platform.identity-rbac"];
-var OrganizationModel = new SchemaModel2({
-  name: "Organization",
-  description: "Organization details",
-  fields: {
-    id: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false },
-    name: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false },
-    slug: { type: ScalarTypeEnum2.String_unsecure(), isOptional: true },
-    logo: { type: ScalarTypeEnum2.URL(), isOptional: true },
-    description: { type: ScalarTypeEnum2.String_unsecure(), isOptional: true },
-    type: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false },
-    onboardingCompleted: { type: ScalarTypeEnum2.Boolean(), isOptional: false },
-    createdAt: { type: ScalarTypeEnum2.DateTime(), isOptional: false }
-  }
-});
-var MemberUserModel = new SchemaModel2({
-  name: "MemberUser",
-  description: "Basic user info within a member",
-  fields: {
-    id: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false },
-    email: { type: ScalarTypeEnum2.EmailAddress(), isOptional: false },
-    name: { type: ScalarTypeEnum2.String_unsecure(), isOptional: true }
-  }
-});
-var MemberModel = new SchemaModel2({
-  name: "Member",
-  description: "Organization member",
-  fields: {
-    id: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false },
-    userId: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false },
-    organizationId: {
-      type: ScalarTypeEnum2.String_unsecure(),
-      isOptional: false
-    },
-    role: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false },
-    createdAt: { type: ScalarTypeEnum2.DateTime(), isOptional: false },
-    user: { type: MemberUserModel, isOptional: false }
-  }
-});
-var InvitationModel = new SchemaModel2({
-  name: "Invitation",
-  description: "Organization invitation",
-  fields: {
-    id: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false },
-    email: { type: ScalarTypeEnum2.EmailAddress(), isOptional: false },
-    role: { type: ScalarTypeEnum2.String_unsecure(), isOptional: true },
-    status: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false },
-    expiresAt: { type: ScalarTypeEnum2.DateTime(), isOptional: true },
-    createdAt: { type: ScalarTypeEnum2.DateTime(), isOptional: false }
-  }
-});
-var CreateOrgInputModel = new SchemaModel2({
-  name: "CreateOrgInput",
-  description: "Input for creating an organization",
-  fields: {
-    name: { type: ScalarTypeEnum2.NonEmptyString(), isOptional: false },
-    slug: { type: ScalarTypeEnum2.String_unsecure(), isOptional: true },
-    description: { type: ScalarTypeEnum2.String_unsecure(), isOptional: true },
-    type: { type: ScalarTypeEnum2.String_unsecure(), isOptional: true }
-  }
-});
-var GetOrgInputModel = new SchemaModel2({
-  name: "GetOrgInput",
-  description: "Input for getting an organization",
-  fields: {
-    orgId: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false }
-  }
-});
-var UpdateOrgInputModel = new SchemaModel2({
-  name: "UpdateOrgInput",
-  description: "Input for updating an organization",
-  fields: {
-    orgId: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false },
-    name: { type: ScalarTypeEnum2.String_unsecure(), isOptional: true },
-    slug: { type: ScalarTypeEnum2.String_unsecure(), isOptional: true },
-    logo: { type: ScalarTypeEnum2.URL(), isOptional: true },
-    description: { type: ScalarTypeEnum2.String_unsecure(), isOptional: true }
-  }
-});
-var InviteMemberInputModel = new SchemaModel2({
-  name: "InviteMemberInput",
-  description: "Input for inviting a member",
-  fields: {
-    orgId: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false },
-    email: { type: ScalarTypeEnum2.EmailAddress(), isOptional: false },
-    role: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false },
-    teamId: { type: ScalarTypeEnum2.String_unsecure(), isOptional: true }
-  }
-});
-var AcceptInviteInputModel = new SchemaModel2({
-  name: "AcceptInviteInput",
-  description: "Input for accepting an invitation",
-  fields: {
-    invitationId: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false }
-  }
-});
-var RemoveMemberInputModel = new SchemaModel2({
-  name: "RemoveMemberInput",
-  description: "Input for removing a member",
-  fields: {
-    orgId: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false },
-    userId: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false }
-  }
-});
-var MemberRemovedPayloadModel = new SchemaModel2({
-  name: "MemberRemovedPayload",
-  description: "Payload for member removed event",
-  fields: {
-    orgId: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false },
-    userId: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false }
-  }
-});
-var ListMembersInputModel = new SchemaModel2({
-  name: "ListMembersInput",
-  description: "Input for listing members",
-  fields: {
-    orgId: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false },
-    limit: { type: ScalarTypeEnum2.Int_unsecure(), isOptional: true },
-    offset: { type: ScalarTypeEnum2.Int_unsecure(), isOptional: true }
-  }
-});
-var ListMembersOutputModel = new SchemaModel2({
-  name: "ListMembersOutput",
-  description: "Output for listing members",
-  fields: {
-    members: { type: MemberModel, isOptional: false, isArray: true },
-    total: { type: ScalarTypeEnum2.Int_unsecure(), isOptional: false }
-  }
-});
-var OrganizationWithRoleModel = new SchemaModel2({
-  name: "OrganizationWithRole",
-  description: "Organization with user role",
-  fields: {
-    id: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false },
-    name: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false },
-    slug: { type: ScalarTypeEnum2.String_unsecure(), isOptional: true },
-    logo: { type: ScalarTypeEnum2.URL(), isOptional: true },
-    description: { type: ScalarTypeEnum2.String_unsecure(), isOptional: true },
-    type: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false },
-    onboardingCompleted: { type: ScalarTypeEnum2.Boolean(), isOptional: false },
-    createdAt: { type: ScalarTypeEnum2.DateTime(), isOptional: false },
-    role: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false }
-  }
-});
-var ListUserOrgsOutputModel = new SchemaModel2({
-  name: "ListUserOrgsOutput",
-  description: "Output for listing user organizations",
-  fields: {
-    organizations: {
-      type: OrganizationWithRoleModel,
-      isOptional: false,
-      isArray: true
-    }
-  }
-});
-var CreateOrgContract = defineCommand2({
-  meta: {
-    key: "identity.org.create",
-    version: "1.0.0",
-    stability: "stable",
-    owners: [...OWNERS2],
-    tags: ["identity", "org", "create"],
-    description: "Create a new organization.",
-    goal: "Allow users to create new organizations/workspaces.",
-    context: "Called during onboarding or when creating additional workspaces."
-  },
-  io: {
-    input: CreateOrgInputModel,
-    output: OrganizationModel,
-    errors: {
-      SLUG_EXISTS: {
-        description: "An organization with this slug already exists",
-        http: 409,
-        gqlCode: "SLUG_EXISTS",
-        when: "Slug is already taken"
-      }
-    }
-  },
-  policy: {
-    auth: "user"
-  },
-  sideEffects: {
-    emits: [
-      {
-        key: "org.created",
-        version: "1.0.0",
-        when: "Organization is created",
-        payload: OrganizationModel
-      }
-    ],
-    audit: ["org.created"]
-  }
-});
-var GetOrgContract = defineQuery2({
-  meta: {
-    key: "identity.org.get",
-    version: "1.0.0",
-    stability: "stable",
-    owners: [...OWNERS2],
-    tags: ["identity", "org", "get"],
-    description: "Get organization details.",
-    goal: "Retrieve organization information.",
-    context: "Called when viewing organization settings or dashboard."
-  },
-  io: {
-    input: GetOrgInputModel,
-    output: OrganizationModel
-  },
-  policy: {
-    auth: "user"
-  }
-});
-var UpdateOrgContract = defineCommand2({
-  meta: {
-    key: "identity.org.update",
-    version: "1.0.0",
-    stability: "stable",
-    owners: [...OWNERS2],
-    tags: ["identity", "org", "update"],
-    description: "Update organization details.",
-    goal: "Allow org admins to update organization settings.",
-    context: "Organization settings page."
-  },
-  io: {
-    input: UpdateOrgInputModel,
-    output: OrganizationModel
-  },
-  policy: {
-    auth: "user"
-  },
-  sideEffects: {
-    emits: [
-      {
-        key: "org.updated",
-        version: "1.0.0",
-        when: "Organization is updated",
-        payload: OrganizationModel
-      }
-    ],
-    audit: ["org.updated"]
-  }
-});
-var InviteMemberContract = defineCommand2({
-  meta: {
-    key: "identity.org.invite",
-    version: "1.0.0",
-    stability: "stable",
-    owners: [...OWNERS2],
-    tags: ["identity", "org", "invite", "member"],
-    description: "Invite a user to join the organization.",
-    goal: "Allow org admins to invite new members.",
-    context: "Team management. Sends invitation email."
-  },
-  io: {
-    input: InviteMemberInputModel,
-    output: InvitationModel,
-    errors: {
-      ALREADY_MEMBER: {
-        description: "User is already a member of this organization",
-        http: 409,
-        gqlCode: "ALREADY_MEMBER",
-        when: "Invitee is already a member"
-      },
-      INVITE_PENDING: {
-        description: "An invitation for this email is already pending",
-        http: 409,
-        gqlCode: "INVITE_PENDING",
-        when: "Active invitation exists"
-      }
-    }
-  },
-  policy: {
-    auth: "user"
-  },
-  sideEffects: {
-    emits: [
-      {
-        key: "org.invite.sent",
-        version: "1.0.0",
-        when: "Invitation is sent",
-        payload: InvitationModel
-      }
-    ],
-    audit: ["org.invite.sent"]
-  }
-});
-var AcceptInviteContract = defineCommand2({
-  meta: {
-    key: "identity.org.invite.accept",
-    version: "1.0.0",
-    stability: "stable",
-    owners: [...OWNERS2],
-    tags: ["identity", "org", "invite", "accept"],
-    description: "Accept an organization invitation.",
-    goal: "Allow users to join organizations via invitation.",
-    context: "Called from invitation email link."
-  },
-  io: {
-    input: AcceptInviteInputModel,
-    output: MemberModel,
-    errors: {
-      INVITE_EXPIRED: {
-        description: "The invitation has expired",
-        http: 410,
-        gqlCode: "INVITE_EXPIRED",
-        when: "Invitation is past expiry date"
-      },
-      INVITE_USED: {
-        description: "The invitation has already been used",
-        http: 409,
-        gqlCode: "INVITE_USED",
-        when: "Invitation was already accepted"
-      }
-    }
-  },
-  policy: {
-    auth: "user"
-  },
-  sideEffects: {
-    emits: [
-      {
-        key: "org.member.added",
-        version: "1.0.0",
-        when: "Member joins org",
-        payload: MemberModel
-      }
-    ],
-    audit: ["org.member.added"]
-  }
-});
-var RemoveMemberContract = defineCommand2({
-  meta: {
-    key: "identity.org.member.remove",
-    version: "1.0.0",
-    stability: "stable",
-    owners: [...OWNERS2],
-    tags: ["identity", "org", "member", "remove"],
-    description: "Remove a member from the organization.",
-    goal: "Allow org admins to remove members.",
-    context: "Team management."
-  },
-  io: {
-    input: RemoveMemberInputModel,
-    output: SuccessResultModel,
-    errors: {
-      CANNOT_REMOVE_OWNER: {
-        description: "Cannot remove the organization owner",
-        http: 403,
-        gqlCode: "CANNOT_REMOVE_OWNER",
-        when: "Target is the org owner"
-      }
-    }
-  },
-  policy: {
-    auth: "user"
-  },
-  sideEffects: {
-    emits: [
-      {
-        key: "org.member.removed",
-        version: "1.0.0",
-        when: "Member is removed",
-        payload: MemberRemovedPayloadModel
-      }
-    ],
-    audit: ["org.member.removed"]
-  }
-});
-var ListMembersContract = defineQuery2({
-  meta: {
-    key: "identity.org.members.list",
-    version: "1.0.0",
-    stability: "stable",
-    owners: [...OWNERS2],
-    tags: ["identity", "org", "member", "list"],
-    description: "List organization members.",
-    goal: "View all members of an organization.",
-    context: "Team management page."
-  },
-  io: {
-    input: ListMembersInputModel,
-    output: ListMembersOutputModel
-  },
-  policy: {
-    auth: "user"
-  }
-});
-var ListUserOrgsContract = defineQuery2({
-  meta: {
-    key: "identity.org.list",
-    version: "1.0.0",
-    stability: "stable",
-    owners: [...OWNERS2],
-    tags: ["identity", "org", "list"],
-    description: "List organizations the current user belongs to.",
-    goal: "Show user their organizations for workspace switching.",
-    context: "Workspace switcher, org selection."
-  },
-  io: {
-    input: null,
-    output: ListUserOrgsOutputModel
-  },
-  policy: {
-    auth: "user"
-  }
-});
-
-// src/contracts/rbac.ts
-import { defineCommand as defineCommand3, defineQuery as defineQuery3 } from "@contractspec/lib.contracts-spec";
-import { ScalarTypeEnum as ScalarTypeEnum3, SchemaModel as SchemaModel3 } from "@contractspec/lib.schema";
-var RoleModel = new SchemaModel3({
-  name: "Role",
-  description: "RBAC role definition",
-  fields: {
-    id: { type: ScalarTypeEnum3.String_unsecure(), isOptional: false },
-    name: { type: ScalarTypeEnum3.String_unsecure(), isOptional: false },
-    description: { type: ScalarTypeEnum3.String_unsecure(), isOptional: true },
-    permissions: {
-      type: ScalarTypeEnum3.String_unsecure(),
-      isOptional: false,
-      isArray: true
-    },
-    createdAt: { type: ScalarTypeEnum3.DateTime(), isOptional: false }
-  }
-});
-var PolicyBindingModel = new SchemaModel3({
-  name: "PolicyBinding",
-  description: "Role assignment to a target",
-  fields: {
-    id: { type: ScalarTypeEnum3.String_unsecure(), isOptional: false },
-    roleId: { type: ScalarTypeEnum3.String_unsecure(), isOptional: false },
-    targetType: { type: ScalarTypeEnum3.String_unsecure(), isOptional: false },
-    targetId: { type: ScalarTypeEnum3.String_unsecure(), isOptional: false },
-    expiresAt: { type: ScalarTypeEnum3.DateTime(), isOptional: true },
-    createdAt: { type: ScalarTypeEnum3.DateTime(), isOptional: false },
-    role: { type: RoleModel, isOptional: false }
-  }
-});
-var PermissionCheckResultModel = new SchemaModel3({
-  name: "PermissionCheckResult",
-  description: "Result of a permission check",
-  fields: {
-    allowed: { type: ScalarTypeEnum3.Boolean(), isOptional: false },
-    reason: { type: ScalarTypeEnum3.String_unsecure(), isOptional: true },
-    matchedRole: { type: ScalarTypeEnum3.String_unsecure(), isOptional: true }
-  }
-});
-var CreateRoleInputModel = new SchemaModel3({
-  name: "CreateRoleInput",
-  description: "Input for creating a role",
-  fields: {
-    name: { type: ScalarTypeEnum3.NonEmptyString(), isOptional: false },
-    description: { type: ScalarTypeEnum3.String_unsecure(), isOptional: true },
-    permissions: {
-      type: ScalarTypeEnum3.String_unsecure(),
-      isOptional: false,
-      isArray: true
-    }
-  }
-});
-var UpdateRoleInputModel = new SchemaModel3({
-  name: "UpdateRoleInput",
-  description: "Input for updating a role",
-  fields: {
-    roleId: { type: ScalarTypeEnum3.String_unsecure(), isOptional: false },
-    name: { type: ScalarTypeEnum3.String_unsecure(), isOptional: true },
-    description: { type: ScalarTypeEnum3.String_unsecure(), isOptional: true },
-    permissions: {
-      type: ScalarTypeEnum3.String_unsecure(),
-      isOptional: true,
-      isArray: true
-    }
-  }
-});
-var DeleteRoleInputModel = new SchemaModel3({
-  name: "DeleteRoleInput",
-  description: "Input for deleting a role",
-  fields: {
-    roleId: { type: ScalarTypeEnum3.String_unsecure(), isOptional: false }
-  }
-});
-var ListRolesOutputModel = new SchemaModel3({
-  name: "ListRolesOutput",
-  description: "Output for listing roles",
-  fields: {
-    roles: { type: RoleModel, isOptional: false, isArray: true }
-  }
-});
-var AssignRoleInputModel = new SchemaModel3({
-  name: "AssignRoleInput",
-  description: "Input for assigning a role",
-  fields: {
-    roleId: { type: ScalarTypeEnum3.String_unsecure(), isOptional: false },
-    targetType: { type: ScalarTypeEnum3.String_unsecure(), isOptional: false },
-    targetId: { type: ScalarTypeEnum3.String_unsecure(), isOptional: false },
-    expiresAt: { type: ScalarTypeEnum3.DateTime(), isOptional: true }
-  }
-});
-var RevokeRoleInputModel = new SchemaModel3({
-  name: "RevokeRoleInput",
-  description: "Input for revoking a role",
-  fields: {
-    bindingId: { type: ScalarTypeEnum3.String_unsecure(), isOptional: false }
-  }
-});
-var BindingIdPayloadModel = new SchemaModel3({
-  name: "BindingIdPayload",
-  description: "Payload with binding ID",
-  fields: {
-    bindingId: { type: ScalarTypeEnum3.String_unsecure(), isOptional: false }
-  }
-});
-var CheckPermissionInputModel = new SchemaModel3({
-  name: "CheckPermissionInput",
-  description: "Input for checking a permission",
-  fields: {
-    userId: { type: ScalarTypeEnum3.String_unsecure(), isOptional: false },
-    orgId: { type: ScalarTypeEnum3.String_unsecure(), isOptional: true },
-    permission: { type: ScalarTypeEnum3.String_unsecure(), isOptional: false }
-  }
-});
-var ListUserPermissionsInputModel = new SchemaModel3({
-  name: "ListUserPermissionsInput",
-  description: "Input for listing user permissions",
-  fields: {
-    userId: { type: ScalarTypeEnum3.String_unsecure(), isOptional: false },
-    orgId: { type: ScalarTypeEnum3.String_unsecure(), isOptional: true }
-  }
-});
-var ListUserPermissionsOutputModel = new SchemaModel3({
-  name: "ListUserPermissionsOutput",
-  description: "Output for listing user permissions",
-  fields: {
-    permissions: {
-      type: ScalarTypeEnum3.String_unsecure(),
-      isOptional: false,
-      isArray: true
-    },
-    roles: { type: RoleModel, isOptional: false, isArray: true }
-  }
-});
-var CreateRoleContract = defineCommand3({
-  meta: {
-    key: "identity.rbac.role.create",
-    version: "1.0.0",
-    stability: "stable",
-    owners: ["@platform.identity-rbac"],
-    tags: ["identity", "rbac", "role", "create"],
-    description: "Create a new role with permissions.",
-    goal: "Allow admins to define custom roles.",
-    context: "Role management in admin settings."
-  },
-  io: {
-    input: CreateRoleInputModel,
-    output: RoleModel,
-    errors: {
-      ROLE_EXISTS: {
-        description: "A role with this name already exists",
-        http: 409,
-        gqlCode: "ROLE_EXISTS",
-        when: "Role name is taken"
-      }
-    }
-  },
-  policy: {
-    auth: "admin"
-  },
-  sideEffects: {
-    audit: ["role.created"]
-  }
-});
-var UpdateRoleContract = defineCommand3({
-  meta: {
-    key: "identity.rbac.role.update",
-    version: "1.0.0",
-    stability: "stable",
-    owners: ["@platform.identity-rbac"],
-    tags: ["identity", "rbac", "role", "update"],
-    description: "Update an existing role.",
-    goal: "Allow admins to modify role permissions.",
-    context: "Role management in admin settings."
-  },
-  io: {
-    input: UpdateRoleInputModel,
-    output: RoleModel
-  },
-  policy: {
-    auth: "admin"
-  },
-  sideEffects: {
-    audit: ["role.updated"]
-  }
-});
-var DeleteRoleContract = defineCommand3({
-  meta: {
-    key: "identity.rbac.role.delete",
-    version: "1.0.0",
-    stability: "stable",
-    owners: ["@platform.identity-rbac"],
-    tags: ["identity", "rbac", "role", "delete"],
-    description: "Delete an existing role.",
-    goal: "Allow admins to remove unused roles.",
-    context: "Role management. Removes all policy bindings using this role."
-  },
-  io: {
-    input: DeleteRoleInputModel,
-    output: SuccessResultModel,
-    errors: {
-      ROLE_IN_USE: {
-        description: "Role is still assigned to users or organizations",
-        http: 409,
-        gqlCode: "ROLE_IN_USE",
-        when: "Role has active bindings"
-      }
-    }
-  },
-  policy: {
-    auth: "admin"
-  },
-  sideEffects: {
-    audit: ["role.deleted"]
-  }
-});
-var ListRolesContract = defineQuery3({
-  meta: {
-    key: "identity.rbac.role.list",
-    version: "1.0.0",
-    stability: "stable",
-    owners: ["@platform.identity-rbac"],
-    tags: ["identity", "rbac", "role", "list"],
-    description: "List all available roles.",
-    goal: "Show available roles for assignment.",
-    context: "Role assignment UI."
-  },
-  io: {
-    input: null,
-    output: ListRolesOutputModel
-  },
-  policy: {
-    auth: "user"
-  }
-});
-var AssignRoleContract = defineCommand3({
-  meta: {
-    key: "identity.rbac.assign",
-    version: "1.0.0",
-    stability: "stable",
-    owners: ["@platform.identity-rbac"],
-    tags: ["identity", "rbac", "assign"],
-    description: "Assign a role to a user or organization.",
-    goal: "Grant permissions via role assignment.",
-    context: "User/org permission management."
-  },
-  io: {
-    input: AssignRoleInputModel,
-    output: PolicyBindingModel,
-    errors: {
-      ROLE_NOT_FOUND: {
-        description: "The specified role does not exist",
-        http: 404,
-        gqlCode: "ROLE_NOT_FOUND",
-        when: "Role ID is invalid"
-      },
-      ALREADY_ASSIGNED: {
-        description: "This role is already assigned to the target",
-        http: 409,
-        gqlCode: "ALREADY_ASSIGNED",
-        when: "Binding already exists"
-      }
-    }
-  },
-  policy: {
-    auth: "admin"
-  },
-  sideEffects: {
-    emits: [
-      {
-        key: "role.assigned",
-        version: "1.0.0",
-        when: "Role is assigned",
-        payload: PolicyBindingModel
-      }
-    ],
-    audit: ["role.assigned"]
-  }
-});
-var RevokeRoleContract = defineCommand3({
-  meta: {
-    key: "identity.rbac.revoke",
-    version: "1.0.0",
-    stability: "stable",
-    owners: ["@platform.identity-rbac"],
-    tags: ["identity", "rbac", "revoke"],
-    description: "Revoke a role from a user or organization.",
-    goal: "Remove permissions via role revocation.",
-    context: "User/org permission management."
-  },
-  io: {
-    input: RevokeRoleInputModel,
-    output: SuccessResultModel,
-    errors: {
-      BINDING_NOT_FOUND: {
-        description: "The policy binding does not exist",
-        http: 404,
-        gqlCode: "BINDING_NOT_FOUND",
-        when: "Binding ID is invalid"
-      }
-    }
-  },
-  policy: {
-    auth: "admin"
-  },
-  sideEffects: {
-    emits: [
-      {
-        key: "role.revoked",
-        version: "1.0.0",
-        when: "Role is revoked",
-        payload: BindingIdPayloadModel
-      }
-    ],
-    audit: ["role.revoked"]
-  }
-});
-var CheckPermissionContract = defineQuery3({
-  meta: {
-    key: "identity.rbac.check",
-    version: "1.0.0",
-    stability: "stable",
-    owners: ["@platform.identity-rbac"],
-    tags: ["identity", "rbac", "check", "permission"],
-    description: "Check if a user has a specific permission.",
-    goal: "Authorization check before sensitive operations.",
-    context: "Called by other services to verify permissions."
-  },
-  io: {
-    input: CheckPermissionInputModel,
-    output: PermissionCheckResultModel
-  },
-  policy: {
-    auth: "user"
-  }
-});
-var ListUserPermissionsContract = defineQuery3({
-  meta: {
-    key: "identity.rbac.permissions",
-    version: "1.0.0",
-    stability: "stable",
-    owners: ["@platform.identity-rbac"],
-    tags: ["identity", "rbac", "permissions", "user"],
-    description: "List all permissions for a user in a context.",
-    goal: "Show what a user can do in an org.",
-    context: "UI permission display, debugging."
-  },
-  io: {
-    input: ListUserPermissionsInputModel,
-    output: ListUserPermissionsOutputModel
-  },
-  policy: {
-    auth: "user"
-  }
-});
-export {
-  UserProfileModel,
-  UserDeletedPayloadModel,
-  UpdateUserInputModel,
-  UpdateUserContract,
-  UpdateRoleInputModel,
-  UpdateRoleContract,
-  UpdateOrgInputModel,
-  UpdateOrgContract,
-  SuccessResultModel,
-  RoleModel,
-  RevokeRoleInputModel,
-  RevokeRoleContract,
-  RemoveMemberInputModel,
-  RemoveMemberContract,
-  PolicyBindingModel,
-  PermissionCheckResultModel,
-  OrganizationWithRoleModel,
-  OrganizationModel,
-  MemberUserModel,
-  MemberRemovedPayloadModel,
-  MemberModel,
-  ListUsersOutputModel,
-  ListUsersInputModel,
-  ListUsersContract,
-  ListUserPermissionsOutputModel,
-  ListUserPermissionsInputModel,
-  ListUserPermissionsContract,
-  ListUserOrgsOutputModel,
-  ListUserOrgsContract,
-  ListRolesOutputModel,
-  ListRolesContract,
-  ListMembersOutputModel,
-  ListMembersInputModel,
-  ListMembersContract,
-  InviteMemberInputModel,
-  InviteMemberContract,
-  InvitationModel,
-  GetOrgInputModel,
-  GetOrgContract,
-  GetCurrentUserContract,
-  DeleteUserInputModel,
-  DeleteUserContract,
-  DeleteRoleInputModel,
-  DeleteRoleContract,
-  CreateUserInputModel,
-  CreateUserContract,
-  CreateRoleInputModel,
-  CreateRoleContract,
-  CreateOrgInputModel,
-  CreateOrgContract,
-  CheckPermissionInputModel,
-  CheckPermissionContract,
-  BindingIdPayloadModel,
-  AssignRoleInputModel,
-  AssignRoleContract,
-  AcceptInviteInputModel,
-  AcceptInviteContract
-};
+import{defineCommand as F,defineQuery as X}from"@contractspec/lib.contracts-spec";import{ScalarTypeEnum as U,SchemaModel as x}from"@contractspec/lib.schema";var I=["platform.identity-rbac"],A=new x({name:"UserProfile",description:"User profile information",fields:{id:{type:U.String_unsecure(),isOptional:!1},email:{type:U.EmailAddress(),isOptional:!1},emailVerified:{type:U.Boolean(),isOptional:!1},name:{type:U.String_unsecure(),isOptional:!0},firstName:{type:U.String_unsecure(),isOptional:!0},lastName:{type:U.String_unsecure(),isOptional:!0},locale:{type:U.String_unsecure(),isOptional:!0},timezone:{type:U.String_unsecure(),isOptional:!0},imageUrl:{type:U.URL(),isOptional:!0},role:{type:U.String_unsecure(),isOptional:!0},onboardingCompleted:{type:U.Boolean(),isOptional:!1},createdAt:{type:U.DateTime(),isOptional:!1}}}),Y=new x({name:"CreateUserInput",description:"Input for creating a new user",fields:{email:{type:U.EmailAddress(),isOptional:!1},name:{type:U.String_unsecure(),isOptional:!0},firstName:{type:U.String_unsecure(),isOptional:!0},lastName:{type:U.String_unsecure(),isOptional:!0},password:{type:U.String_unsecure(),isOptional:!0}}}),Z=new x({name:"UpdateUserInput",description:"Input for updating a user profile",fields:{name:{type:U.String_unsecure(),isOptional:!0},firstName:{type:U.String_unsecure(),isOptional:!0},lastName:{type:U.String_unsecure(),isOptional:!0},locale:{type:U.String_unsecure(),isOptional:!0},timezone:{type:U.String_unsecure(),isOptional:!0},imageUrl:{type:U.URL(),isOptional:!0}}}),_=new x({name:"DeleteUserInput",description:"Input for deleting a user",fields:{confirmEmail:{type:U.EmailAddress(),isOptional:!1}}}),D=new x({name:"SuccessResult",description:"Simple success result",fields:{success:{type:U.Boolean(),isOptional:!1}}}),$=new x({name:"UserDeletedPayload",description:"Payload for user deleted event",fields:{userId:{type:U.String_unsecure(),isOptional:!1}}}),B=new x({name:"ListUsersInput",description:"Input for listing users",fields:{limit:{type:U.Int_unsecure(),isOptional:!0},offset:{type:U.Int_unsecure(),isOptional:!0},search:{type:U.String_unsecure(),isOptional:!0}}}),z=new x({name:"ListUsersOutput",description:"Output for listing users",fields:{users:{type:A,isOptional:!1,isArray:!0},total:{type:U.Int_unsecure(),isOptional:!1}}}),m=F({meta:{key:"identity.user.create",version:"1.0.0",stability:"stable",owners:[...I],tags:["identity","user","create"],description:"Create a new user account.",goal:"Register a new user in the system.",context:"Used during signup flows. May trigger email verification."},io:{input:Y,output:A,errors:{EMAIL_EXISTS:{description:"A user with this email already exists",http:409,gqlCode:"EMAIL_EXISTS",when:"Email is already registered"}}},policy:{auth:"anonymous"},sideEffects:{emits:[{key:"user.created",version:"1.0.0",when:"User is successfully created",payload:A}],audit:["user.created"]}}),l=X({meta:{key:"identity.user.me",version:"1.0.0",stability:"stable",owners:[...I],tags:["identity","user","profile"],description:"Get the current authenticated user profile.",goal:"Retrieve user profile for the authenticated session.",context:"Called on app load and after profile updates."},io:{input:null,output:A},policy:{auth:"user"}}),e=F({meta:{key:"identity.user.update",version:"1.0.0",stability:"stable",owners:[...I],tags:["identity","user","update"],description:"Update user profile information.",goal:"Allow users to update their profile.",context:"Self-service profile updates."},io:{input:Z,output:A},policy:{auth:"user"},sideEffects:{emits:[{key:"user.updated",version:"1.0.0",when:"User profile is updated",payload:A}],audit:["user.updated"]}}),a=F({meta:{key:"identity.user.delete",version:"1.0.0",stability:"stable",owners:[...I],tags:["identity","user","delete"],description:"Delete user account and all associated data.",goal:"Allow users to delete their account (GDPR compliance).",context:"Self-service account deletion. Cascades to memberships, sessions, etc."},io:{input:_,output:D},policy:{auth:"user",escalate:"human_review"},sideEffects:{emits:[{key:"user.deleted",version:"1.0.0",when:"User account is deleted",payload:$}],audit:["user.deleted"]}}),tt=X({meta:{key:"identity.user.list",version:"1.0.0",stability:"stable",owners:[...I],tags:["identity","user","admin","list"],description:"List all users (admin only).",goal:"Allow admins to browse and manage users.",context:"Admin dashboard user management."},io:{input:B,output:z},policy:{auth:"admin"}});import{defineCommand as j,defineQuery as J}from"@contractspec/lib.contracts-spec";import{ScalarTypeEnum as t,SchemaModel as L}from"@contractspec/lib.schema";var k=["platform.identity-rbac"],G=new L({name:"Organization",description:"Organization details",fields:{id:{type:t.String_unsecure(),isOptional:!1},name:{type:t.String_unsecure(),isOptional:!1},slug:{type:t.String_unsecure(),isOptional:!0},logo:{type:t.URL(),isOptional:!0},description:{type:t.String_unsecure(),isOptional:!0},type:{type:t.String_unsecure(),isOptional:!1},onboardingCompleted:{type:t.Boolean(),isOptional:!1},createdAt:{type:t.DateTime(),isOptional:!1}}}),P=new L({name:"MemberUser",description:"Basic user info within a member",fields:{id:{type:t.String_unsecure(),isOptional:!1},email:{type:t.EmailAddress(),isOptional:!1},name:{type:t.String_unsecure(),isOptional:!0}}}),w=new L({name:"Member",description:"Organization member",fields:{id:{type:t.String_unsecure(),isOptional:!1},userId:{type:t.String_unsecure(),isOptional:!1},organizationId:{type:t.String_unsecure(),isOptional:!1},role:{type:t.String_unsecure(),isOptional:!1},createdAt:{type:t.DateTime(),isOptional:!1},user:{type:P,isOptional:!1}}}),H=new L({name:"Invitation",description:"Organization invitation",fields:{id:{type:t.String_unsecure(),isOptional:!1},email:{type:t.EmailAddress(),isOptional:!1},role:{type:t.String_unsecure(),isOptional:!0},status:{type:t.String_unsecure(),isOptional:!1},expiresAt:{type:t.DateTime(),isOptional:!0},createdAt:{type:t.DateTime(),isOptional:!1}}}),b=new L({name:"CreateOrgInput",description:"Input for creating an organization",fields:{name:{type:t.NonEmptyString(),isOptional:!1},slug:{type:t.String_unsecure(),isOptional:!0},description:{type:t.String_unsecure(),isOptional:!0},type:{type:t.String_unsecure(),isOptional:!0}}}),s=new L({name:"GetOrgInput",description:"Input for getting an organization",fields:{orgId:{type:t.String_unsecure(),isOptional:!1}}}),Q=new L({name:"UpdateOrgInput",description:"Input for updating an organization",fields:{orgId:{type:t.String_unsecure(),isOptional:!1},name:{type:t.String_unsecure(),isOptional:!0},slug:{type:t.String_unsecure(),isOptional:!0},logo:{type:t.URL(),isOptional:!0},description:{type:t.String_unsecure(),isOptional:!0}}}),O=new L({name:"InviteMemberInput",description:"Input for inviting a member",fields:{orgId:{type:t.String_unsecure(),isOptional:!1},email:{type:t.EmailAddress(),isOptional:!1},role:{type:t.String_unsecure(),isOptional:!1},teamId:{type:t.String_unsecure(),isOptional:!0}}}),R=new L({name:"AcceptInviteInput",description:"Input for accepting an invitation",fields:{invitationId:{type:t.String_unsecure(),isOptional:!1}}}),N=new L({name:"RemoveMemberInput",description:"Input for removing a member",fields:{orgId:{type:t.String_unsecure(),isOptional:!1},userId:{type:t.String_unsecure(),isOptional:!1}}}),W=new L({name:"MemberRemovedPayload",description:"Payload for member removed event",fields:{orgId:{type:t.String_unsecure(),isOptional:!1},userId:{type:t.String_unsecure(),isOptional:!1}}}),f=new L({name:"ListMembersInput",description:"Input for listing members",fields:{orgId:{type:t.String_unsecure(),isOptional:!1},limit:{type:t.Int_unsecure(),isOptional:!0},offset:{type:t.Int_unsecure(),isOptional:!0}}}),i=new L({name:"ListMembersOutput",description:"Output for listing members",fields:{members:{type:w,isOptional:!1,isArray:!0},total:{type:t.Int_unsecure(),isOptional:!1}}}),h=new L({name:"OrganizationWithRole",description:"Organization with user role",fields:{id:{type:t.String_unsecure(),isOptional:!1},name:{type:t.String_unsecure(),isOptional:!1},slug:{type:t.String_unsecure(),isOptional:!0},logo:{type:t.URL(),isOptional:!0},description:{type:t.String_unsecure(),isOptional:!0},type:{type:t.String_unsecure(),isOptional:!1},onboardingCompleted:{type:t.Boolean(),isOptional:!1},createdAt:{type:t.DateTime(),isOptional:!1},role:{type:t.String_unsecure(),isOptional:!1}}}),o=new L({name:"ListUserOrgsOutput",description:"Output for listing user organizations",fields:{organizations:{type:h,isOptional:!1,isArray:!0}}}),Ct=j({meta:{key:"identity.org.create",version:"1.0.0",stability:"stable",owners:[...k],tags:["identity","org","create"],description:"Create a new organization.",goal:"Allow users to create new organizations/workspaces.",context:"Called during onboarding or when creating additional workspaces."},io:{input:b,output:G,errors:{SLUG_EXISTS:{description:"An organization with this slug already exists",http:409,gqlCode:"SLUG_EXISTS",when:"Slug is already taken"}}},policy:{auth:"user"},sideEffects:{emits:[{key:"org.created",version:"1.0.0",when:"Organization is created",payload:G}],audit:["org.created"]}}),Ut=J({meta:{key:"identity.org.get",version:"1.0.0",stability:"stable",owners:[...k],tags:["identity","org","get"],description:"Get organization details.",goal:"Retrieve organization information.",context:"Called when viewing organization settings or dashboard."},io:{input:s,output:G},policy:{auth:"user"}}),Lt=j({meta:{key:"identity.org.update",version:"1.0.0",stability:"stable",owners:[...k],tags:["identity","org","update"],description:"Update organization details.",goal:"Allow org admins to update organization settings.",context:"Organization settings page."},io:{input:Q,output:G},policy:{auth:"user"},sideEffects:{emits:[{key:"org.updated",version:"1.0.0",when:"Organization is updated",payload:G}],audit:["org.updated"]}}),vt=j({meta:{key:"identity.org.invite",version:"1.0.0",stability:"stable",owners:[...k],tags:["identity","org","invite","member"],description:"Invite a user to join the organization.",goal:"Allow org admins to invite new members.",context:"Team management. Sends invitation email."},io:{input:O,output:H,errors:{ALREADY_MEMBER:{description:"User is already a member of this organization",http:409,gqlCode:"ALREADY_MEMBER",when:"Invitee is already a member"},INVITE_PENDING:{description:"An invitation for this email is already pending",http:409,gqlCode:"INVITE_PENDING",when:"Active invitation exists"}}},policy:{auth:"user"},sideEffects:{emits:[{key:"org.invite.sent",version:"1.0.0",when:"Invitation is sent",payload:H}],audit:["org.invite.sent"]}}),xt=j({meta:{key:"identity.org.invite.accept",version:"1.0.0",stability:"stable",owners:[...k],tags:["identity","org","invite","accept"],description:"Accept an organization invitation.",goal:"Allow users to join organizations via invitation.",context:"Called from invitation email link."},io:{input:R,output:w,errors:{INVITE_EXPIRED:{description:"The invitation has expired",http:410,gqlCode:"INVITE_EXPIRED",when:"Invitation is past expiry date"},INVITE_USED:{description:"The invitation has already been used",http:409,gqlCode:"INVITE_USED",when:"Invitation was already accepted"}}},policy:{auth:"user"},sideEffects:{emits:[{key:"org.member.added",version:"1.0.0",when:"Member joins org",payload:w}],audit:["org.member.added"]}}),kt=j({meta:{key:"identity.org.member.remove",version:"1.0.0",stability:"stable",owners:[...k],tags:["identity","org","member","remove"],description:"Remove a member from the organization.",goal:"Allow org admins to remove members.",context:"Team management."},io:{input:N,output:D,errors:{CANNOT_REMOVE_OWNER:{description:"Cannot remove the organization owner",http:403,gqlCode:"CANNOT_REMOVE_OWNER",when:"Target is the org owner"}}},policy:{auth:"user"},sideEffects:{emits:[{key:"org.member.removed",version:"1.0.0",when:"Member is removed",payload:W}],audit:["org.member.removed"]}}),At=J({meta:{key:"identity.org.members.list",version:"1.0.0",stability:"stable",owners:[...k],tags:["identity","org","member","list"],description:"List organization members.",goal:"View all members of an organization.",context:"Team management page."},io:{input:f,output:i},policy:{auth:"user"}}),Dt=J({meta:{key:"identity.org.list",version:"1.0.0",stability:"stable",owners:[...k],tags:["identity","org","list"],description:"List organizations the current user belongs to.",goal:"Show user their organizations for workspace switching.",context:"Workspace switcher, org selection."},io:{input:null,output:o},policy:{auth:"user"}});import{defineCommand as q,defineQuery as V}from"@contractspec/lib.contracts-spec";import{ScalarTypeEnum as C,SchemaModel as v}from"@contractspec/lib.schema";var g=new v({name:"Role",description:"RBAC role definition",fields:{id:{type:C.String_unsecure(),isOptional:!1},name:{type:C.String_unsecure(),isOptional:!1},description:{type:C.String_unsecure(),isOptional:!0},permissions:{type:C.String_unsecure(),isOptional:!1,isArray:!0},createdAt:{type:C.DateTime(),isOptional:!1}}}),K=new v({name:"PolicyBinding",description:"Role assignment to a target",fields:{id:{type:C.String_unsecure(),isOptional:!1},roleId:{type:C.String_unsecure(),isOptional:!1},targetType:{type:C.String_unsecure(),isOptional:!1},targetId:{type:C.String_unsecure(),isOptional:!1},expiresAt:{type:C.DateTime(),isOptional:!0},createdAt:{type:C.DateTime(),isOptional:!1},role:{type:g,isOptional:!1}}}),M=new v({name:"PermissionCheckResult",description:"Result of a permission check",fields:{allowed:{type:C.Boolean(),isOptional:!1},reason:{type:C.String_unsecure(),isOptional:!0},matchedRole:{type:C.String_unsecure(),isOptional:!0}}}),d=new v({name:"CreateRoleInput",description:"Input for creating a role",fields:{name:{type:C.NonEmptyString(),isOptional:!1},description:{type:C.String_unsecure(),isOptional:!0},permissions:{type:C.String_unsecure(),isOptional:!1,isArray:!0}}}),r=new v({name:"UpdateRoleInput",description:"Input for updating a role",fields:{roleId:{type:C.String_unsecure(),isOptional:!1},name:{type:C.String_unsecure(),isOptional:!0},description:{type:C.String_unsecure(),isOptional:!0},permissions:{type:C.String_unsecure(),isOptional:!0,isArray:!0}}}),T=new v({name:"DeleteRoleInput",description:"Input for deleting a role",fields:{roleId:{type:C.String_unsecure(),isOptional:!1}}}),p=new v({name:"ListRolesOutput",description:"Output for listing roles",fields:{roles:{type:g,isOptional:!1,isArray:!0}}}),y=new v({name:"AssignRoleInput",description:"Input for assigning a role",fields:{roleId:{type:C.String_unsecure(),isOptional:!1},targetType:{type:C.String_unsecure(),isOptional:!1},targetId:{type:C.String_unsecure(),isOptional:!1},expiresAt:{type:C.DateTime(),isOptional:!0}}}),E=new v({name:"RevokeRoleInput",description:"Input for revoking a role",fields:{bindingId:{type:C.String_unsecure(),isOptional:!1}}}),u=new v({name:"BindingIdPayload",description:"Payload with binding ID",fields:{bindingId:{type:C.String_unsecure(),isOptional:!1}}}),n=new v({name:"CheckPermissionInput",description:"Input for checking a permission",fields:{userId:{type:C.String_unsecure(),isOptional:!1},orgId:{type:C.String_unsecure(),isOptional:!0},permission:{type:C.String_unsecure(),isOptional:!1}}}),c=new v({name:"ListUserPermissionsInput",description:"Input for listing user permissions",fields:{userId:{type:C.String_unsecure(),isOptional:!1},orgId:{type:C.String_unsecure(),isOptional:!0}}}),S=new v({name:"ListUserPermissionsOutput",description:"Output for listing user permissions",fields:{permissions:{type:C.String_unsecure(),isOptional:!1,isArray:!0},roles:{type:g,isOptional:!1,isArray:!0}}}),Gt=q({meta:{key:"identity.rbac.role.create",version:"1.0.0",stability:"stable",owners:["@platform.identity-rbac"],tags:["identity","rbac","role","create"],description:"Create a new role with permissions.",goal:"Allow admins to define custom roles.",context:"Role management in admin settings."},io:{input:d,output:g,errors:{ROLE_EXISTS:{description:"A role with this name already exists",http:409,gqlCode:"ROLE_EXISTS",when:"Role name is taken"}}},policy:{auth:"admin"},sideEffects:{audit:["role.created"]}}),gt=q({meta:{key:"identity.rbac.role.update",version:"1.0.0",stability:"stable",owners:["@platform.identity-rbac"],tags:["identity","rbac","role","update"],description:"Update an existing role.",goal:"Allow admins to modify role permissions.",context:"Role management in admin settings."},io:{input:r,output:g},policy:{auth:"admin"},sideEffects:{audit:["role.updated"]}}),It=q({meta:{key:"identity.rbac.role.delete",version:"1.0.0",stability:"stable",owners:["@platform.identity-rbac"],tags:["identity","rbac","role","delete"],description:"Delete an existing role.",goal:"Allow admins to remove unused roles.",context:"Role management. Removes all policy bindings using this role."},io:{input:T,output:D,errors:{ROLE_IN_USE:{description:"Role is still assigned to users or organizations",http:409,gqlCode:"ROLE_IN_USE",when:"Role has active bindings"}}},policy:{auth:"admin"},sideEffects:{audit:["role.deleted"]}}),jt=V({meta:{key:"identity.rbac.role.list",version:"1.0.0",stability:"stable",owners:["@platform.identity-rbac"],tags:["identity","rbac","role","list"],description:"List all available roles.",goal:"Show available roles for assignment.",context:"Role assignment UI."},io:{input:null,output:p},policy:{auth:"user"}}),qt=q({meta:{key:"identity.rbac.assign",version:"1.0.0",stability:"stable",owners:["@platform.identity-rbac"],tags:["identity","rbac","assign"],description:"Assign a role to a user or organization.",goal:"Grant permissions via role assignment.",context:"User/org permission management."},io:{input:y,output:K,errors:{ROLE_NOT_FOUND:{description:"The specified role does not exist",http:404,gqlCode:"ROLE_NOT_FOUND",when:"Role ID is invalid"},ALREADY_ASSIGNED:{description:"This role is already assigned to the target",http:409,gqlCode:"ALREADY_ASSIGNED",when:"Binding already exists"}}},policy:{auth:"admin"},sideEffects:{emits:[{key:"role.assigned",version:"1.0.0",when:"Role is assigned",payload:K}],audit:["role.assigned"]}}),wt=q({meta:{key:"identity.rbac.revoke",version:"1.0.0",stability:"stable",owners:["@platform.identity-rbac"],tags:["identity","rbac","revoke"],description:"Revoke a role from a user or organization.",goal:"Remove permissions via role revocation.",context:"User/org permission management."},io:{input:E,output:D,errors:{BINDING_NOT_FOUND:{description:"The policy binding does not exist",http:404,gqlCode:"BINDING_NOT_FOUND",when:"Binding ID is invalid"}}},policy:{auth:"admin"},sideEffects:{emits:[{key:"role.revoked",version:"1.0.0",when:"Role is revoked",payload:u}],audit:["role.revoked"]}}),Ft=V({meta:{key:"identity.rbac.check",version:"1.0.0",stability:"stable",owners:["@platform.identity-rbac"],tags:["identity","rbac","check","permission"],description:"Check if a user has a specific permission.",goal:"Authorization check before sensitive operations.",context:"Called by other services to verify permissions."},io:{input:n,output:M},policy:{auth:"user"}}),Ht=V({meta:{key:"identity.rbac.permissions",version:"1.0.0",stability:"stable",owners:["@platform.identity-rbac"],tags:["identity","rbac","permissions","user"],description:"List all permissions for a user in a context.",goal:"Show what a user can do in an org.",context:"UI permission display, debugging."},io:{input:c,output:S},policy:{auth:"user"}});export{A as UserProfileModel,$ as UserDeletedPayloadModel,Z as UpdateUserInputModel,e as UpdateUserContract,r as UpdateRoleInputModel,gt as UpdateRoleContract,Q as UpdateOrgInputModel,Lt as UpdateOrgContract,D as SuccessResultModel,g as RoleModel,E as RevokeRoleInputModel,wt as RevokeRoleContract,N as RemoveMemberInputModel,kt as RemoveMemberContract,K as PolicyBindingModel,M as PermissionCheckResultModel,h as OrganizationWithRoleModel,G as OrganizationModel,P as MemberUserModel,W as MemberRemovedPayloadModel,w as MemberModel,z as ListUsersOutputModel,B as ListUsersInputModel,tt as ListUsersContract,S as ListUserPermissionsOutputModel,c as ListUserPermissionsInputModel,Ht as ListUserPermissionsContract,o as ListUserOrgsOutputModel,Dt as ListUserOrgsContract,p as ListRolesOutputModel,jt as ListRolesContract,i as ListMembersOutputModel,f as ListMembersInputModel,At as ListMembersContract,O as InviteMemberInputModel,vt as InviteMemberContract,H as InvitationModel,s as GetOrgInputModel,Ut as GetOrgContract,l as GetCurrentUserContract,_ as DeleteUserInputModel,a as DeleteUserContract,T as DeleteRoleInputModel,It as DeleteRoleContract,Y as CreateUserInputModel,m as CreateUserContract,d as CreateRoleInputModel,Gt as CreateRoleContract,b as CreateOrgInputModel,Ct as CreateOrgContract,n as CheckPermissionInputModel,Ft as CheckPermissionContract,u as BindingIdPayloadModel,y as AssignRoleInputModel,qt as AssignRoleContract,R as AcceptInviteInputModel,xt as AcceptInviteContract};