@contractspec/lib.identity-rbac 3.7.17 → 3.7.18

package/dist/contracts/rbac.js

@@ -1,600 +1,2 @@
 // @bun
-// src/contracts/user.ts
-import { defineCommand, defineQuery } from "@contractspec/lib.contracts-spec";
-import { ScalarTypeEnum, SchemaModel } from "@contractspec/lib.schema";
-var OWNERS = ["platform.identity-rbac"];
-var UserProfileModel = new SchemaModel({
-  name: "UserProfile",
-  description: "User profile information",
-  fields: {
-    id: { type: ScalarTypeEnum.String_unsecure(), isOptional: false },
-    email: { type: ScalarTypeEnum.EmailAddress(), isOptional: false },
-    emailVerified: { type: ScalarTypeEnum.Boolean(), isOptional: false },
-    name: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },
-    firstName: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },
-    lastName: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },
-    locale: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },
-    timezone: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },
-    imageUrl: { type: ScalarTypeEnum.URL(), isOptional: true },
-    role: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },
-    onboardingCompleted: { type: ScalarTypeEnum.Boolean(), isOptional: false },
-    createdAt: { type: ScalarTypeEnum.DateTime(), isOptional: false }
-  }
-});
-var CreateUserInputModel = new SchemaModel({
-  name: "CreateUserInput",
-  description: "Input for creating a new user",
-  fields: {
-    email: { type: ScalarTypeEnum.EmailAddress(), isOptional: false },
-    name: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },
-    firstName: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },
-    lastName: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },
-    password: { type: ScalarTypeEnum.String_unsecure(), isOptional: true }
-  }
-});
-var UpdateUserInputModel = new SchemaModel({
-  name: "UpdateUserInput",
-  description: "Input for updating a user profile",
-  fields: {
-    name: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },
-    firstName: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },
-    lastName: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },
-    locale: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },
-    timezone: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },
-    imageUrl: { type: ScalarTypeEnum.URL(), isOptional: true }
-  }
-});
-var DeleteUserInputModel = new SchemaModel({
-  name: "DeleteUserInput",
-  description: "Input for deleting a user",
-  fields: {
-    confirmEmail: { type: ScalarTypeEnum.EmailAddress(), isOptional: false }
-  }
-});
-var SuccessResultModel = new SchemaModel({
-  name: "SuccessResult",
-  description: "Simple success result",
-  fields: {
-    success: { type: ScalarTypeEnum.Boolean(), isOptional: false }
-  }
-});
-var UserDeletedPayloadModel = new SchemaModel({
-  name: "UserDeletedPayload",
-  description: "Payload for user deleted event",
-  fields: {
-    userId: { type: ScalarTypeEnum.String_unsecure(), isOptional: false }
-  }
-});
-var ListUsersInputModel = new SchemaModel({
-  name: "ListUsersInput",
-  description: "Input for listing users",
-  fields: {
-    limit: { type: ScalarTypeEnum.Int_unsecure(), isOptional: true },
-    offset: { type: ScalarTypeEnum.Int_unsecure(), isOptional: true },
-    search: { type: ScalarTypeEnum.String_unsecure(), isOptional: true }
-  }
-});
-var ListUsersOutputModel = new SchemaModel({
-  name: "ListUsersOutput",
-  description: "Output for listing users",
-  fields: {
-    users: { type: UserProfileModel, isOptional: false, isArray: true },
-    total: { type: ScalarTypeEnum.Int_unsecure(), isOptional: false }
-  }
-});
-var CreateUserContract = defineCommand({
-  meta: {
-    key: "identity.user.create",
-    version: "1.0.0",
-    stability: "stable",
-    owners: [...OWNERS],
-    tags: ["identity", "user", "create"],
-    description: "Create a new user account.",
-    goal: "Register a new user in the system.",
-    context: "Used during signup flows. May trigger email verification."
-  },
-  io: {
-    input: CreateUserInputModel,
-    output: UserProfileModel,
-    errors: {
-      EMAIL_EXISTS: {
-        description: "A user with this email already exists",
-        http: 409,
-        gqlCode: "EMAIL_EXISTS",
-        when: "Email is already registered"
-      }
-    }
-  },
-  policy: {
-    auth: "anonymous"
-  },
-  sideEffects: {
-    emits: [
-      {
-        key: "user.created",
-        version: "1.0.0",
-        when: "User is successfully created",
-        payload: UserProfileModel
-      }
-    ],
-    audit: ["user.created"]
-  }
-});
-var GetCurrentUserContract = defineQuery({
-  meta: {
-    key: "identity.user.me",
-    version: "1.0.0",
-    stability: "stable",
-    owners: [...OWNERS],
-    tags: ["identity", "user", "profile"],
-    description: "Get the current authenticated user profile.",
-    goal: "Retrieve user profile for the authenticated session.",
-    context: "Called on app load and after profile updates."
-  },
-  io: {
-    input: null,
-    output: UserProfileModel
-  },
-  policy: {
-    auth: "user"
-  }
-});
-var UpdateUserContract = defineCommand({
-  meta: {
-    key: "identity.user.update",
-    version: "1.0.0",
-    stability: "stable",
-    owners: [...OWNERS],
-    tags: ["identity", "user", "update"],
-    description: "Update user profile information.",
-    goal: "Allow users to update their profile.",
-    context: "Self-service profile updates."
-  },
-  io: {
-    input: UpdateUserInputModel,
-    output: UserProfileModel
-  },
-  policy: {
-    auth: "user"
-  },
-  sideEffects: {
-    emits: [
-      {
-        key: "user.updated",
-        version: "1.0.0",
-        when: "User profile is updated",
-        payload: UserProfileModel
-      }
-    ],
-    audit: ["user.updated"]
-  }
-});
-var DeleteUserContract = defineCommand({
-  meta: {
-    key: "identity.user.delete",
-    version: "1.0.0",
-    stability: "stable",
-    owners: [...OWNERS],
-    tags: ["identity", "user", "delete"],
-    description: "Delete user account and all associated data.",
-    goal: "Allow users to delete their account (GDPR compliance).",
-    context: "Self-service account deletion. Cascades to memberships, sessions, etc."
-  },
-  io: {
-    input: DeleteUserInputModel,
-    output: SuccessResultModel
-  },
-  policy: {
-    auth: "user",
-    escalate: "human_review"
-  },
-  sideEffects: {
-    emits: [
-      {
-        key: "user.deleted",
-        version: "1.0.0",
-        when: "User account is deleted",
-        payload: UserDeletedPayloadModel
-      }
-    ],
-    audit: ["user.deleted"]
-  }
-});
-var ListUsersContract = defineQuery({
-  meta: {
-    key: "identity.user.list",
-    version: "1.0.0",
-    stability: "stable",
-    owners: [...OWNERS],
-    tags: ["identity", "user", "admin", "list"],
-    description: "List all users (admin only).",
-    goal: "Allow admins to browse and manage users.",
-    context: "Admin dashboard user management."
-  },
-  io: {
-    input: ListUsersInputModel,
-    output: ListUsersOutputModel
-  },
-  policy: {
-    auth: "admin"
-  }
-});
-
-// src/contracts/rbac.ts
-import { defineCommand as defineCommand2, defineQuery as defineQuery2 } from "@contractspec/lib.contracts-spec";
-import { ScalarTypeEnum as ScalarTypeEnum2, SchemaModel as SchemaModel2 } from "@contractspec/lib.schema";
-var RoleModel = new SchemaModel2({
-  name: "Role",
-  description: "RBAC role definition",
-  fields: {
-    id: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false },
-    name: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false },
-    description: { type: ScalarTypeEnum2.String_unsecure(), isOptional: true },
-    permissions: {
-      type: ScalarTypeEnum2.String_unsecure(),
-      isOptional: false,
-      isArray: true
-    },
-    createdAt: { type: ScalarTypeEnum2.DateTime(), isOptional: false }
-  }
-});
-var PolicyBindingModel = new SchemaModel2({
-  name: "PolicyBinding",
-  description: "Role assignment to a target",
-  fields: {
-    id: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false },
-    roleId: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false },
-    targetType: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false },
-    targetId: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false },
-    expiresAt: { type: ScalarTypeEnum2.DateTime(), isOptional: true },
-    createdAt: { type: ScalarTypeEnum2.DateTime(), isOptional: false },
-    role: { type: RoleModel, isOptional: false }
-  }
-});
-var PermissionCheckResultModel = new SchemaModel2({
-  name: "PermissionCheckResult",
-  description: "Result of a permission check",
-  fields: {
-    allowed: { type: ScalarTypeEnum2.Boolean(), isOptional: false },
-    reason: { type: ScalarTypeEnum2.String_unsecure(), isOptional: true },
-    matchedRole: { type: ScalarTypeEnum2.String_unsecure(), isOptional: true }
-  }
-});
-var CreateRoleInputModel = new SchemaModel2({
-  name: "CreateRoleInput",
-  description: "Input for creating a role",
-  fields: {
-    name: { type: ScalarTypeEnum2.NonEmptyString(), isOptional: false },
-    description: { type: ScalarTypeEnum2.String_unsecure(), isOptional: true },
-    permissions: {
-      type: ScalarTypeEnum2.String_unsecure(),
-      isOptional: false,
-      isArray: true
-    }
-  }
-});
-var UpdateRoleInputModel = new SchemaModel2({
-  name: "UpdateRoleInput",
-  description: "Input for updating a role",
-  fields: {
-    roleId: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false },
-    name: { type: ScalarTypeEnum2.String_unsecure(), isOptional: true },
-    description: { type: ScalarTypeEnum2.String_unsecure(), isOptional: true },
-    permissions: {
-      type: ScalarTypeEnum2.String_unsecure(),
-      isOptional: true,
-      isArray: true
-    }
-  }
-});
-var DeleteRoleInputModel = new SchemaModel2({
-  name: "DeleteRoleInput",
-  description: "Input for deleting a role",
-  fields: {
-    roleId: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false }
-  }
-});
-var ListRolesOutputModel = new SchemaModel2({
-  name: "ListRolesOutput",
-  description: "Output for listing roles",
-  fields: {
-    roles: { type: RoleModel, isOptional: false, isArray: true }
-  }
-});
-var AssignRoleInputModel = new SchemaModel2({
-  name: "AssignRoleInput",
-  description: "Input for assigning a role",
-  fields: {
-    roleId: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false },
-    targetType: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false },
-    targetId: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false },
-    expiresAt: { type: ScalarTypeEnum2.DateTime(), isOptional: true }
-  }
-});
-var RevokeRoleInputModel = new SchemaModel2({
-  name: "RevokeRoleInput",
-  description: "Input for revoking a role",
-  fields: {
-    bindingId: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false }
-  }
-});
-var BindingIdPayloadModel = new SchemaModel2({
-  name: "BindingIdPayload",
-  description: "Payload with binding ID",
-  fields: {
-    bindingId: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false }
-  }
-});
-var CheckPermissionInputModel = new SchemaModel2({
-  name: "CheckPermissionInput",
-  description: "Input for checking a permission",
-  fields: {
-    userId: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false },
-    orgId: { type: ScalarTypeEnum2.String_unsecure(), isOptional: true },
-    permission: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false }
-  }
-});
-var ListUserPermissionsInputModel = new SchemaModel2({
-  name: "ListUserPermissionsInput",
-  description: "Input for listing user permissions",
-  fields: {
-    userId: { type: ScalarTypeEnum2.String_unsecure(), isOptional: false },
-    orgId: { type: ScalarTypeEnum2.String_unsecure(), isOptional: true }
-  }
-});
-var ListUserPermissionsOutputModel = new SchemaModel2({
-  name: "ListUserPermissionsOutput",
-  description: "Output for listing user permissions",
-  fields: {
-    permissions: {
-      type: ScalarTypeEnum2.String_unsecure(),
-      isOptional: false,
-      isArray: true
-    },
-    roles: { type: RoleModel, isOptional: false, isArray: true }
-  }
-});
-var CreateRoleContract = defineCommand2({
-  meta: {
-    key: "identity.rbac.role.create",
-    version: "1.0.0",
-    stability: "stable",
-    owners: ["@platform.identity-rbac"],
-    tags: ["identity", "rbac", "role", "create"],
-    description: "Create a new role with permissions.",
-    goal: "Allow admins to define custom roles.",
-    context: "Role management in admin settings."
-  },
-  io: {
-    input: CreateRoleInputModel,
-    output: RoleModel,
-    errors: {
-      ROLE_EXISTS: {
-        description: "A role with this name already exists",
-        http: 409,
-        gqlCode: "ROLE_EXISTS",
-        when: "Role name is taken"
-      }
-    }
-  },
-  policy: {
-    auth: "admin"
-  },
-  sideEffects: {
-    audit: ["role.created"]
-  }
-});
-var UpdateRoleContract = defineCommand2({
-  meta: {
-    key: "identity.rbac.role.update",
-    version: "1.0.0",
-    stability: "stable",
-    owners: ["@platform.identity-rbac"],
-    tags: ["identity", "rbac", "role", "update"],
-    description: "Update an existing role.",
-    goal: "Allow admins to modify role permissions.",
-    context: "Role management in admin settings."
-  },
-  io: {
-    input: UpdateRoleInputModel,
-    output: RoleModel
-  },
-  policy: {
-    auth: "admin"
-  },
-  sideEffects: {
-    audit: ["role.updated"]
-  }
-});
-var DeleteRoleContract = defineCommand2({
-  meta: {
-    key: "identity.rbac.role.delete",
-    version: "1.0.0",
-    stability: "stable",
-    owners: ["@platform.identity-rbac"],
-    tags: ["identity", "rbac", "role", "delete"],
-    description: "Delete an existing role.",
-    goal: "Allow admins to remove unused roles.",
-    context: "Role management. Removes all policy bindings using this role."
-  },
-  io: {
-    input: DeleteRoleInputModel,
-    output: SuccessResultModel,
-    errors: {
-      ROLE_IN_USE: {
-        description: "Role is still assigned to users or organizations",
-        http: 409,
-        gqlCode: "ROLE_IN_USE",
-        when: "Role has active bindings"
-      }
-    }
-  },
-  policy: {
-    auth: "admin"
-  },
-  sideEffects: {
-    audit: ["role.deleted"]
-  }
-});
-var ListRolesContract = defineQuery2({
-  meta: {
-    key: "identity.rbac.role.list",
-    version: "1.0.0",
-    stability: "stable",
-    owners: ["@platform.identity-rbac"],
-    tags: ["identity", "rbac", "role", "list"],
-    description: "List all available roles.",
-    goal: "Show available roles for assignment.",
-    context: "Role assignment UI."
-  },
-  io: {
-    input: null,
-    output: ListRolesOutputModel
-  },
-  policy: {
-    auth: "user"
-  }
-});
-var AssignRoleContract = defineCommand2({
-  meta: {
-    key: "identity.rbac.assign",
-    version: "1.0.0",
-    stability: "stable",
-    owners: ["@platform.identity-rbac"],
-    tags: ["identity", "rbac", "assign"],
-    description: "Assign a role to a user or organization.",
-    goal: "Grant permissions via role assignment.",
-    context: "User/org permission management."
-  },
-  io: {
-    input: AssignRoleInputModel,
-    output: PolicyBindingModel,
-    errors: {
-      ROLE_NOT_FOUND: {
-        description: "The specified role does not exist",
-        http: 404,
-        gqlCode: "ROLE_NOT_FOUND",
-        when: "Role ID is invalid"
-      },
-      ALREADY_ASSIGNED: {
-        description: "This role is already assigned to the target",
-        http: 409,
-        gqlCode: "ALREADY_ASSIGNED",
-        when: "Binding already exists"
-      }
-    }
-  },
-  policy: {
-    auth: "admin"
-  },
-  sideEffects: {
-    emits: [
-      {
-        key: "role.assigned",
-        version: "1.0.0",
-        when: "Role is assigned",
-        payload: PolicyBindingModel
-      }
-    ],
-    audit: ["role.assigned"]
-  }
-});
-var RevokeRoleContract = defineCommand2({
-  meta: {
-    key: "identity.rbac.revoke",
-    version: "1.0.0",
-    stability: "stable",
-    owners: ["@platform.identity-rbac"],
-    tags: ["identity", "rbac", "revoke"],
-    description: "Revoke a role from a user or organization.",
-    goal: "Remove permissions via role revocation.",
-    context: "User/org permission management."
-  },
-  io: {
-    input: RevokeRoleInputModel,
-    output: SuccessResultModel,
-    errors: {
-      BINDING_NOT_FOUND: {
-        description: "The policy binding does not exist",
-        http: 404,
-        gqlCode: "BINDING_NOT_FOUND",
-        when: "Binding ID is invalid"
-      }
-    }
-  },
-  policy: {
-    auth: "admin"
-  },
-  sideEffects: {
-    emits: [
-      {
-        key: "role.revoked",
-        version: "1.0.0",
-        when: "Role is revoked",
-        payload: BindingIdPayloadModel
-      }
-    ],
-    audit: ["role.revoked"]
-  }
-});
-var CheckPermissionContract = defineQuery2({
-  meta: {
-    key: "identity.rbac.check",
-    version: "1.0.0",
-    stability: "stable",
-    owners: ["@platform.identity-rbac"],
-    tags: ["identity", "rbac", "check", "permission"],
-    description: "Check if a user has a specific permission.",
-    goal: "Authorization check before sensitive operations.",
-    context: "Called by other services to verify permissions."
-  },
-  io: {
-    input: CheckPermissionInputModel,
-    output: PermissionCheckResultModel
-  },
-  policy: {
-    auth: "user"
-  }
-});
-var ListUserPermissionsContract = defineQuery2({
-  meta: {
-    key: "identity.rbac.permissions",
-    version: "1.0.0",
-    stability: "stable",
-    owners: ["@platform.identity-rbac"],
-    tags: ["identity", "rbac", "permissions", "user"],
-    description: "List all permissions for a user in a context.",
-    goal: "Show what a user can do in an org.",
-    context: "UI permission display, debugging."
-  },
-  io: {
-    input: ListUserPermissionsInputModel,
-    output: ListUserPermissionsOutputModel
-  },
-  policy: {
-    auth: "user"
-  }
-});
-export {
-  UpdateRoleInputModel,
-  UpdateRoleContract,
-  RoleModel,
-  RevokeRoleInputModel,
-  RevokeRoleContract,
-  PolicyBindingModel,
-  PermissionCheckResultModel,
-  ListUserPermissionsOutputModel,
-  ListUserPermissionsInputModel,
-  ListUserPermissionsContract,
-  ListRolesOutputModel,
-  ListRolesContract,
-  DeleteRoleInputModel,
-  DeleteRoleContract,
-  CreateRoleInputModel,
-  CreateRoleContract,
-  CheckPermissionInputModel,
-  CheckPermissionContract,
-  BindingIdPayloadModel,
-  AssignRoleInputModel,
-  AssignRoleContract
-};
+import{defineCommand as K,defineQuery as X}from"@contractspec/lib.contracts-spec";import{ScalarTypeEnum as q,SchemaModel as x}from"@contractspec/lib.schema";var F=["platform.identity-rbac"],z=new x({name:"UserProfile",description:"User profile information",fields:{id:{type:q.String_unsecure(),isOptional:!1},email:{type:q.EmailAddress(),isOptional:!1},emailVerified:{type:q.Boolean(),isOptional:!1},name:{type:q.String_unsecure(),isOptional:!0},firstName:{type:q.String_unsecure(),isOptional:!0},lastName:{type:q.String_unsecure(),isOptional:!0},locale:{type:q.String_unsecure(),isOptional:!0},timezone:{type:q.String_unsecure(),isOptional:!0},imageUrl:{type:q.URL(),isOptional:!0},role:{type:q.String_unsecure(),isOptional:!0},onboardingCompleted:{type:q.Boolean(),isOptional:!1},createdAt:{type:q.DateTime(),isOptional:!1}}}),Z=new x({name:"CreateUserInput",description:"Input for creating a new user",fields:{email:{type:q.EmailAddress(),isOptional:!1},name:{type:q.String_unsecure(),isOptional:!0},firstName:{type:q.String_unsecure(),isOptional:!0},lastName:{type:q.String_unsecure(),isOptional:!0},password:{type:q.String_unsecure(),isOptional:!0}}}),_=new x({name:"UpdateUserInput",description:"Input for updating a user profile",fields:{name:{type:q.String_unsecure(),isOptional:!0},firstName:{type:q.String_unsecure(),isOptional:!0},lastName:{type:q.String_unsecure(),isOptional:!0},locale:{type:q.String_unsecure(),isOptional:!0},timezone:{type:q.String_unsecure(),isOptional:!0},imageUrl:{type:q.URL(),isOptional:!0}}}),$=new x({name:"DeleteUserInput",description:"Input for deleting a user",fields:{confirmEmail:{type:q.EmailAddress(),isOptional:!1}}}),J=new x({name:"SuccessResult",description:"Simple success result",fields:{success:{type:q.Boolean(),isOptional:!1}}}),v=new x({name:"UserDeletedPayload",description:"Payload for user deleted event",fields:{userId:{type:q.String_unsecure(),isOptional:!1}}}),A=new x({name:"ListUsersInput",description:"Input for listing users",fields:{limit:{type:q.Int_unsecure(),isOptional:!0},offset:{type:q.Int_unsecure(),isOptional:!0},search:{type:q.String_unsecure(),isOptional:!0}}}),k=new x({name:"ListUsersOutput",description:"Output for listing users",fields:{users:{type:z,isOptional:!1,isArray:!0},total:{type:q.Int_unsecure(),isOptional:!1}}}),f=K({meta:{key:"identity.user.create",version:"1.0.0",stability:"stable",owners:[...F],tags:["identity","user","create"],description:"Create a new user account.",goal:"Register a new user in the system.",context:"Used during signup flows. May trigger email verification."},io:{input:Z,output:z,errors:{EMAIL_EXISTS:{description:"A user with this email already exists",http:409,gqlCode:"EMAIL_EXISTS",when:"Email is already registered"}}},policy:{auth:"anonymous"},sideEffects:{emits:[{key:"user.created",version:"1.0.0",when:"User is successfully created",payload:z}],audit:["user.created"]}}),R=X({meta:{key:"identity.user.me",version:"1.0.0",stability:"stable",owners:[...F],tags:["identity","user","profile"],description:"Get the current authenticated user profile.",goal:"Retrieve user profile for the authenticated session.",context:"Called on app load and after profile updates."},io:{input:null,output:z},policy:{auth:"user"}}),h=K({meta:{key:"identity.user.update",version:"1.0.0",stability:"stable",owners:[...F],tags:["identity","user","update"],description:"Update user profile information.",goal:"Allow users to update their profile.",context:"Self-service profile updates."},io:{input:_,output:z},policy:{auth:"user"},sideEffects:{emits:[{key:"user.updated",version:"1.0.0",when:"User profile is updated",payload:z}],audit:["user.updated"]}}),i=K({meta:{key:"identity.user.delete",version:"1.0.0",stability:"stable",owners:[...F],tags:["identity","user","delete"],description:"Delete user account and all associated data.",goal:"Allow users to delete their account (GDPR compliance).",context:"Self-service account deletion. Cascades to memberships, sessions, etc."},io:{input:$,output:J},policy:{auth:"user",escalate:"human_review"},sideEffects:{emits:[{key:"user.deleted",version:"1.0.0",when:"User account is deleted",payload:v}],audit:["user.deleted"]}}),t=X({meta:{key:"identity.user.list",version:"1.0.0",stability:"stable",owners:[...F],tags:["identity","user","admin","list"],description:"List all users (admin only).",goal:"Allow admins to browse and manage users.",context:"Admin dashboard user management."},io:{input:A,output:k},policy:{auth:"admin"}});import{defineCommand as G,defineQuery as V}from"@contractspec/lib.contracts-spec";import{ScalarTypeEnum as j,SchemaModel as w}from"@contractspec/lib.schema";var H=new w({name:"Role",description:"RBAC role definition",fields:{id:{type:j.String_unsecure(),isOptional:!1},name:{type:j.String_unsecure(),isOptional:!1},description:{type:j.String_unsecure(),isOptional:!0},permissions:{type:j.String_unsecure(),isOptional:!1,isArray:!0},createdAt:{type:j.DateTime(),isOptional:!1}}}),Y=new w({name:"PolicyBinding",description:"Role assignment to a target",fields:{id:{type:j.String_unsecure(),isOptional:!1},roleId:{type:j.String_unsecure(),isOptional:!1},targetType:{type:j.String_unsecure(),isOptional:!1},targetId:{type:j.String_unsecure(),isOptional:!1},expiresAt:{type:j.DateTime(),isOptional:!0},createdAt:{type:j.DateTime(),isOptional:!1},role:{type:H,isOptional:!1}}}),B=new w({name:"PermissionCheckResult",description:"Result of a permission check",fields:{allowed:{type:j.Boolean(),isOptional:!1},reason:{type:j.String_unsecure(),isOptional:!0},matchedRole:{type:j.String_unsecure(),isOptional:!0}}}),D=new w({name:"CreateRoleInput",description:"Input for creating a role",fields:{name:{type:j.NonEmptyString(),isOptional:!1},description:{type:j.String_unsecure(),isOptional:!0},permissions:{type:j.String_unsecure(),isOptional:!1,isArray:!0}}}),b=new w({name:"UpdateRoleInput",description:"Input for updating a role",fields:{roleId:{type:j.String_unsecure(),isOptional:!1},name:{type:j.String_unsecure(),isOptional:!0},description:{type:j.String_unsecure(),isOptional:!0},permissions:{type:j.String_unsecure(),isOptional:!0,isArray:!0}}}),g=new w({name:"DeleteRoleInput",description:"Input for deleting a role",fields:{roleId:{type:j.String_unsecure(),isOptional:!1}}}),L=new w({name:"ListRolesOutput",description:"Output for listing roles",fields:{roles:{type:H,isOptional:!1,isArray:!0}}}),N=new w({name:"AssignRoleInput",description:"Input for assigning a role",fields:{roleId:{type:j.String_unsecure(),isOptional:!1},targetType:{type:j.String_unsecure(),isOptional:!1},targetId:{type:j.String_unsecure(),isOptional:!1},expiresAt:{type:j.DateTime(),isOptional:!0}}}),Q=new w({name:"RevokeRoleInput",description:"Input for revoking a role",fields:{bindingId:{type:j.String_unsecure(),isOptional:!1}}}),W=new w({name:"BindingIdPayload",description:"Payload with binding ID",fields:{bindingId:{type:j.String_unsecure(),isOptional:!1}}}),O=new w({name:"CheckPermissionInput",description:"Input for checking a permission",fields:{userId:{type:j.String_unsecure(),isOptional:!1},orgId:{type:j.String_unsecure(),isOptional:!0},permission:{type:j.String_unsecure(),isOptional:!1}}}),C=new w({name:"ListUserPermissionsInput",description:"Input for listing user permissions",fields:{userId:{type:j.String_unsecure(),isOptional:!1},orgId:{type:j.String_unsecure(),isOptional:!0}}}),I=new w({name:"ListUserPermissionsOutput",description:"Output for listing user permissions",fields:{permissions:{type:j.String_unsecure(),isOptional:!1,isArray:!0},roles:{type:H,isOptional:!1,isArray:!0}}}),y=G({meta:{key:"identity.rbac.role.create",version:"1.0.0",stability:"stable",owners:["@platform.identity-rbac"],tags:["identity","rbac","role","create"],description:"Create a new role with permissions.",goal:"Allow admins to define custom roles.",context:"Role management in admin settings."},io:{input:D,output:H,errors:{ROLE_EXISTS:{description:"A role with this name already exists",http:409,gqlCode:"ROLE_EXISTS",when:"Role name is taken"}}},policy:{auth:"admin"},sideEffects:{audit:["role.created"]}}),d=G({meta:{key:"identity.rbac.role.update",version:"1.0.0",stability:"stable",owners:["@platform.identity-rbac"],tags:["identity","rbac","role","update"],description:"Update an existing role.",goal:"Allow admins to modify role permissions.",context:"Role management in admin settings."},io:{input:b,output:H},policy:{auth:"admin"},sideEffects:{audit:["role.updated"]}}),p=G({meta:{key:"identity.rbac.role.delete",version:"1.0.0",stability:"stable",owners:["@platform.identity-rbac"],tags:["identity","rbac","role","delete"],description:"Delete an existing role.",goal:"Allow admins to remove unused roles.",context:"Role management. Removes all policy bindings using this role."},io:{input:g,output:J,errors:{ROLE_IN_USE:{description:"Role is still assigned to users or organizations",http:409,gqlCode:"ROLE_IN_USE",when:"Role has active bindings"}}},policy:{auth:"admin"},sideEffects:{audit:["role.deleted"]}}),S=V({meta:{key:"identity.rbac.role.list",version:"1.0.0",stability:"stable",owners:["@platform.identity-rbac"],tags:["identity","rbac","role","list"],description:"List all available roles.",goal:"Show available roles for assignment.",context:"Role assignment UI."},io:{input:null,output:L},policy:{auth:"user"}}),o=G({meta:{key:"identity.rbac.assign",version:"1.0.0",stability:"stable",owners:["@platform.identity-rbac"],tags:["identity","rbac","assign"],description:"Assign a role to a user or organization.",goal:"Grant permissions via role assignment.",context:"User/org permission management."},io:{input:N,output:Y,errors:{ROLE_NOT_FOUND:{description:"The specified role does not exist",http:404,gqlCode:"ROLE_NOT_FOUND",when:"Role ID is invalid"},ALREADY_ASSIGNED:{description:"This role is already assigned to the target",http:409,gqlCode:"ALREADY_ASSIGNED",when:"Binding already exists"}}},policy:{auth:"admin"},sideEffects:{emits:[{key:"role.assigned",version:"1.0.0",when:"Role is assigned",payload:Y}],audit:["role.assigned"]}}),u=G({meta:{key:"identity.rbac.revoke",version:"1.0.0",stability:"stable",owners:["@platform.identity-rbac"],tags:["identity","rbac","revoke"],description:"Revoke a role from a user or organization.",goal:"Remove permissions via role revocation.",context:"User/org permission management."},io:{input:Q,output:J,errors:{BINDING_NOT_FOUND:{description:"The policy binding does not exist",http:404,gqlCode:"BINDING_NOT_FOUND",when:"Binding ID is invalid"}}},policy:{auth:"admin"},sideEffects:{emits:[{key:"role.revoked",version:"1.0.0",when:"Role is revoked",payload:W}],audit:["role.revoked"]}}),r=V({meta:{key:"identity.rbac.check",version:"1.0.0",stability:"stable",owners:["@platform.identity-rbac"],tags:["identity","rbac","check","permission"],description:"Check if a user has a specific permission.",goal:"Authorization check before sensitive operations.",context:"Called by other services to verify permissions."},io:{input:O,output:B},policy:{auth:"user"}}),m=V({meta:{key:"identity.rbac.permissions",version:"1.0.0",stability:"stable",owners:["@platform.identity-rbac"],tags:["identity","rbac","permissions","user"],description:"List all permissions for a user in a context.",goal:"Show what a user can do in an org.",context:"UI permission display, debugging."},io:{input:C,output:I},policy:{auth:"user"}});export{b as UpdateRoleInputModel,d as UpdateRoleContract,H as RoleModel,Q as RevokeRoleInputModel,u as RevokeRoleContract,Y as PolicyBindingModel,B as PermissionCheckResultModel,I as ListUserPermissionsOutputModel,C as ListUserPermissionsInputModel,m as ListUserPermissionsContract,L as ListRolesOutputModel,S as ListRolesContract,g as DeleteRoleInputModel,p as DeleteRoleContract,D as CreateRoleInputModel,y as CreateRoleContract,O as CheckPermissionInputModel,r as CheckPermissionContract,W as BindingIdPayloadModel,N as AssignRoleInputModel,o as AssignRoleContract};