@contractspec/lib.identity-rbac 3.7.25 → 3.8.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +20 -0
- package/dist/browser/contracts/index.js +1 -1
- package/dist/browser/contracts/rbac.js +1 -1
- package/dist/browser/entities/index.js +1 -1
- package/dist/browser/entities/rbac.js +1 -1
- package/dist/browser/index.js +1 -1
- package/dist/browser/policies/engine.js +1 -1
- package/dist/browser/policies/index.js +1 -1
- package/dist/contracts/index.js +1 -1
- package/dist/contracts/rbac.d.ts +344 -0
- package/dist/contracts/rbac.js +1 -1
- package/dist/entities/index.d.ts +10 -0
- package/dist/entities/index.js +1 -1
- package/dist/entities/rbac.d.ts +14 -0
- package/dist/entities/rbac.js +1 -1
- package/dist/index.js +1 -1
- package/dist/node/contracts/index.js +1 -1
- package/dist/node/contracts/rbac.js +1 -1
- package/dist/node/entities/index.js +1 -1
- package/dist/node/entities/rbac.js +1 -1
- package/dist/node/index.js +1 -1
- package/dist/node/policies/engine.js +1 -1
- package/dist/node/policies/index.js +1 -1
- package/dist/policies/engine.d.ts +73 -3
- package/dist/policies/engine.js +1 -1
- package/dist/policies/engine.test.d.ts +1 -0
- package/dist/policies/index.d.ts +1 -1
- package/dist/policies/index.js +1 -1
- package/package.json +4 -3
package/dist/contracts/rbac.js
CHANGED
@@ -1,2 +1,2 @@
1
1
// @bun
2
-
import{defineCommand as K,defineQuery as X}from"@contractspec/lib.contracts-spec";import{ScalarTypeEnum as q,SchemaModel as x}from"@contractspec/lib.schema";var F=["platform.identity-rbac"],z=new x({name:"UserProfile",description:"User profile information",fields:{id:{type:q.String_unsecure(),isOptional:!1},email:{type:q.EmailAddress(),isOptional:!1},emailVerified:{type:q.Boolean(),isOptional:!1},name:{type:q.String_unsecure(),isOptional:!0},firstName:{type:q.String_unsecure(),isOptional:!0},lastName:{type:q.String_unsecure(),isOptional:!0},locale:{type:q.String_unsecure(),isOptional:!0},timezone:{type:q.String_unsecure(),isOptional:!0},imageUrl:{type:q.URL(),isOptional:!0},role:{type:q.String_unsecure(),isOptional:!0},onboardingCompleted:{type:q.Boolean(),isOptional:!1},createdAt:{type:q.DateTime(),isOptional:!1}}}),Z=new x({name:"CreateUserInput",description:"Input for creating a new user",fields:{email:{type:q.EmailAddress(),isOptional:!1},name:{type:q.String_unsecure(),isOptional:!0},firstName:{type:q.String_unsecure(),isOptional:!0},lastName:{type:q.String_unsecure(),isOptional:!0},password:{type:q.String_unsecure(),isOptional:!0}}}),_=new x({name:"UpdateUserInput",description:"Input for updating a user profile",fields:{name:{type:q.String_unsecure(),isOptional:!0},firstName:{type:q.String_unsecure(),isOptional:!0},lastName:{type:q.String_unsecure(),isOptional:!0},locale:{type:q.String_unsecure(),isOptional:!0},timezone:{type:q.String_unsecure(),isOptional:!0},imageUrl:{type:q.URL(),isOptional:!0}}}),$=new x({name:"DeleteUserInput",description:"Input for deleting a user",fields:{confirmEmail:{type:q.EmailAddress(),isOptional:!1}}}),J=new x({name:"SuccessResult",description:"Simple success result",fields:{success:{type:q.Boolean(),isOptional:!1}}}),v=new x({name:"UserDeletedPayload",description:"Payload for user deleted event",fields:{userId:{type:q.String_unsecure(),isOptional:!1}}}),A=new x({name:"ListUsersInput",description:"Input for listing 
users",fields:{limit:{type:q.Int_unsecure(),isOptional:!0},offset:{type:q.Int_unsecure(),isOptional:!0},search:{type:q.String_unsecure(),isOptional:!0}}}),k=new x({name:"ListUsersOutput",description:"Output for listing users",fields:{users:{type:z,isOptional:!1,isArray:!0},total:{type:q.Int_unsecure(),isOptional:!1}}}),f=K({meta:{key:"identity.user.create",version:"1.0.0",stability:"stable",owners:[...F],tags:["identity","user","create"],description:"Create a new user account.",goal:"Register a new user in the system.",context:"Used during signup flows. May trigger email verification."},io:{input:Z,output:z,errors:{EMAIL_EXISTS:{description:"A user with this email already exists",http:409,gqlCode:"EMAIL_EXISTS",when:"Email is already registered"}}},policy:{auth:"anonymous"},sideEffects:{emits:[{key:"user.created",version:"1.0.0",when:"User is successfully created",payload:z}],audit:["user.created"]}}),R=X({meta:{key:"identity.user.me",version:"1.0.0",stability:"stable",owners:[...F],tags:["identity","user","profile"],description:"Get the current authenticated user profile.",goal:"Retrieve user profile for the authenticated session.",context:"Called on app load and after profile updates."},io:{input:null,output:z},policy:{auth:"user"}}),h=K({meta:{key:"identity.user.update",version:"1.0.0",stability:"stable",owners:[...F],tags:["identity","user","update"],description:"Update user profile information.",goal:"Allow users to update their profile.",context:"Self-service profile updates."},io:{input:_,output:z},policy:{auth:"user"},sideEffects:{emits:[{key:"user.updated",version:"1.0.0",when:"User profile is updated",payload:z}],audit:["user.updated"]}}),i=K({meta:{key:"identity.user.delete",version:"1.0.0",stability:"stable",owners:[...F],tags:["identity","user","delete"],description:"Delete user account and all associated data.",goal:"Allow users to delete their account (GDPR compliance).",context:"Self-service account deletion. 
Cascades to memberships, sessions, etc."},io:{input:$,output:J},policy:{auth:"user",escalate:"human_review"},sideEffects:{emits:[{key:"user.deleted",version:"1.0.0",when:"User account is deleted",payload:v}],audit:["user.deleted"]}}),t=X({meta:{key:"identity.user.list",version:"1.0.0",stability:"stable",owners:[...F],tags:["identity","user","admin","list"],description:"List all users (admin only).",goal:"Allow admins to browse and manage users.",context:"Admin dashboard user management."},io:{input:A,output:k},policy:{auth:"admin"}});import{defineCommand as G,defineQuery as V}from"@contractspec/lib.contracts-spec";import{ScalarTypeEnum as j,SchemaModel as w}from"@contractspec/lib.schema";var H=new w({name:"Role",description:"RBAC role definition",fields:{id:{type:j.String_unsecure(),isOptional:!1},name:{type:j.String_unsecure(),isOptional:!1},description:{type:j.String_unsecure(),isOptional:!0},permissions:{type:j.String_unsecure(),isOptional:!1,isArray:!0},createdAt:{type:j.DateTime(),isOptional:!1}}}),Y=new w({name:"PolicyBinding",description:"Role assignment to a target",fields:{id:{type:j.String_unsecure(),isOptional:!1},roleId:{type:j.String_unsecure(),isOptional:!1},targetType:{type:j.String_unsecure(),isOptional:!1},targetId:{type:j.String_unsecure(),isOptional:!1},expiresAt:{type:j.DateTime(),isOptional:!0},createdAt:{type:j.DateTime(),isOptional:!1},role:{type:H,isOptional:!1}}}),B=new w({name:"PermissionCheckResult",description:"Result of a permission check",fields:{allowed:{type:j.Boolean(),isOptional:!1},reason:{type:j.String_unsecure(),isOptional:!0},matchedRole:{type:j.String_unsecure(),isOptional:!0}}}),D=new w({name:"CreateRoleInput",description:"Input for creating a role",fields:{name:{type:j.NonEmptyString(),isOptional:!1},description:{type:j.String_unsecure(),isOptional:!0},permissions:{type:j.String_unsecure(),isOptional:!1,isArray:!0}}}),b=new w({name:"UpdateRoleInput",description:"Input for updating a 
role",fields:{roleId:{type:j.String_unsecure(),isOptional:!1},name:{type:j.String_unsecure(),isOptional:!0},description:{type:j.String_unsecure(),isOptional:!0},permissions:{type:j.String_unsecure(),isOptional:!0,isArray:!0}}}),g=new w({name:"DeleteRoleInput",description:"Input for deleting a role",fields:{roleId:{type:j.String_unsecure(),isOptional:!1}}}),L=new w({name:"ListRolesOutput",description:"Output for listing roles",fields:{roles:{type:H,isOptional:!1,isArray:!0}}}),N=new w({name:"AssignRoleInput",description:"Input for assigning a role",fields:{roleId:{type:j.String_unsecure(),isOptional:!1},targetType:{type:j.String_unsecure(),isOptional:!1},targetId:{type:j.String_unsecure(),isOptional:!1},expiresAt:{type:j.DateTime(),isOptional:!0}}}),Q=new w({name:"RevokeRoleInput",description:"Input for revoking a role",fields:{bindingId:{type:j.String_unsecure(),isOptional:!1}}}),W=new w({name:"BindingIdPayload",description:"Payload with binding ID",fields:{bindingId:{type:j.String_unsecure(),isOptional:!1}}}),O=new w({name:"CheckPermissionInput",description:"Input for checking a permission",fields:{userId:{type:j.String_unsecure(),isOptional:!1},orgId:{type:j.String_unsecure(),isOptional:!0},permission:{type:j.String_unsecure(),isOptional:!1}}}),C=new w({name:"ListUserPermissionsInput",description:"Input for listing user permissions",fields:{userId:{type:j.String_unsecure(),isOptional:!1},orgId:{type:j.String_unsecure(),isOptional:!0}}}),I=new w({name:"ListUserPermissionsOutput",description:"Output for listing user permissions",fields:{permissions:{type:j.String_unsecure(),isOptional:!1,isArray:!0},roles:{type:H,isOptional:!1,isArray:!0}}}),y=G({meta:{key:"identity.rbac.role.create",version:"1.0.0",stability:"stable",owners:["@platform.identity-rbac"],tags:["identity","rbac","role","create"],description:"Create a new role with permissions.",goal:"Allow admins to define custom roles.",context:"Role management in admin 
settings."},io:{input:D,output:H,errors:{ROLE_EXISTS:{description:"A role with this name already exists",http:409,gqlCode:"ROLE_EXISTS",when:"Role name is taken"}}},policy:{auth:"admin"},sideEffects:{audit:["role.created"]}}),d=G({meta:{key:"identity.rbac.role.update",version:"1.0.0",stability:"stable",owners:["@platform.identity-rbac"],tags:["identity","rbac","role","update"],description:"Update an existing role.",goal:"Allow admins to modify role permissions.",context:"Role management in admin settings."},io:{input:b,output:H},policy:{auth:"admin"},sideEffects:{audit:["role.updated"]}}),p=G({meta:{key:"identity.rbac.role.delete",version:"1.0.0",stability:"stable",owners:["@platform.identity-rbac"],tags:["identity","rbac","role","delete"],description:"Delete an existing role.",goal:"Allow admins to remove unused roles.",context:"Role management. Removes all policy bindings using this role."},io:{input:g,output:J,errors:{ROLE_IN_USE:{description:"Role is still assigned to users or organizations",http:409,gqlCode:"ROLE_IN_USE",when:"Role has active bindings"}}},policy:{auth:"admin"},sideEffects:{audit:["role.deleted"]}}),S=V({meta:{key:"identity.rbac.role.list",version:"1.0.0",stability:"stable",owners:["@platform.identity-rbac"],tags:["identity","rbac","role","list"],description:"List all available roles.",goal:"Show available roles for assignment.",context:"Role assignment UI."},io:{input:null,output:L},policy:{auth:"user"}}),o=G({meta:{key:"identity.rbac.assign",version:"1.0.0",stability:"stable",owners:["@platform.identity-rbac"],tags:["identity","rbac","assign"],description:"Assign a role to a user or organization.",goal:"Grant permissions via role assignment.",context:"User/org permission management."},io:{input:N,output:Y,errors:{ROLE_NOT_FOUND:{description:"The specified role does not exist",http:404,gqlCode:"ROLE_NOT_FOUND",when:"Role ID is invalid"},ALREADY_ASSIGNED:{description:"This role is already assigned to the 
target",http:409,gqlCode:"ALREADY_ASSIGNED",when:"Binding already exists"}}},policy:{auth:"admin"},sideEffects:{emits:[{key:"role.assigned",version:"1.0.0",when:"Role is assigned",payload:Y}],audit:["role.assigned"]}}),u=G({meta:{key:"identity.rbac.revoke",version:"1.0.0",stability:"stable",owners:["@platform.identity-rbac"],tags:["identity","rbac","revoke"],description:"Revoke a role from a user or organization.",goal:"Remove permissions via role revocation.",context:"User/org permission management."},io:{input:Q,output:J,errors:{BINDING_NOT_FOUND:{description:"The policy binding does not exist",http:404,gqlCode:"BINDING_NOT_FOUND",when:"Binding ID is invalid"}}},policy:{auth:"admin"},sideEffects:{emits:[{key:"role.revoked",version:"1.0.0",when:"Role is revoked",payload:W}],audit:["role.revoked"]}}),r=V({meta:{key:"identity.rbac.check",version:"1.0.0",stability:"stable",owners:["@platform.identity-rbac"],tags:["identity","rbac","check","permission"],description:"Check if a user has a specific permission.",goal:"Authorization check before sensitive operations.",context:"Called by other services to verify permissions."},io:{input:O,output:B},policy:{auth:"user"}}),m=V({meta:{key:"identity.rbac.permissions",version:"1.0.0",stability:"stable",owners:["@platform.identity-rbac"],tags:["identity","rbac","permissions","user"],description:"List all permissions for a user in a context.",goal:"Show what a user can do in an org.",context:"UI permission display, debugging."},io:{input:C,output:I},policy:{auth:"user"}});export{b as UpdateRoleInputModel,d as UpdateRoleContract,H as RoleModel,Q as RevokeRoleInputModel,u as RevokeRoleContract,Y as PolicyBindingModel,B as PermissionCheckResultModel,I as ListUserPermissionsOutputModel,C as ListUserPermissionsInputModel,m as ListUserPermissionsContract,L as ListRolesOutputModel,S as ListRolesContract,g as DeleteRoleInputModel,p as DeleteRoleContract,D as CreateRoleInputModel,y as CreateRoleContract,O as CheckPermissionInputModel,r as 
CheckPermissionContract,W as BindingIdPayloadModel,N as AssignRoleInputModel,o as AssignRoleContract};
2
+
import{defineCommand as K,defineQuery as X}from"@contractspec/lib.contracts-spec";import{ScalarTypeEnum as q,SchemaModel as x}from"@contractspec/lib.schema";var F=["platform.identity-rbac"],z=new x({name:"UserProfile",description:"User profile information",fields:{id:{type:q.String_unsecure(),isOptional:!1},email:{type:q.EmailAddress(),isOptional:!1},emailVerified:{type:q.Boolean(),isOptional:!1},name:{type:q.String_unsecure(),isOptional:!0},firstName:{type:q.String_unsecure(),isOptional:!0},lastName:{type:q.String_unsecure(),isOptional:!0},locale:{type:q.String_unsecure(),isOptional:!0},timezone:{type:q.String_unsecure(),isOptional:!0},imageUrl:{type:q.URL(),isOptional:!0},role:{type:q.String_unsecure(),isOptional:!0},onboardingCompleted:{type:q.Boolean(),isOptional:!1},createdAt:{type:q.DateTime(),isOptional:!1}}}),Z=new x({name:"CreateUserInput",description:"Input for creating a new user",fields:{email:{type:q.EmailAddress(),isOptional:!1},name:{type:q.String_unsecure(),isOptional:!0},firstName:{type:q.String_unsecure(),isOptional:!0},lastName:{type:q.String_unsecure(),isOptional:!0},password:{type:q.String_unsecure(),isOptional:!0}}}),_=new x({name:"UpdateUserInput",description:"Input for updating a user profile",fields:{name:{type:q.String_unsecure(),isOptional:!0},firstName:{type:q.String_unsecure(),isOptional:!0},lastName:{type:q.String_unsecure(),isOptional:!0},locale:{type:q.String_unsecure(),isOptional:!0},timezone:{type:q.String_unsecure(),isOptional:!0},imageUrl:{type:q.URL(),isOptional:!0}}}),$=new x({name:"DeleteUserInput",description:"Input for deleting a user",fields:{confirmEmail:{type:q.EmailAddress(),isOptional:!1}}}),J=new x({name:"SuccessResult",description:"Simple success result",fields:{success:{type:q.Boolean(),isOptional:!1}}}),v=new x({name:"UserDeletedPayload",description:"Payload for user deleted event",fields:{userId:{type:q.String_unsecure(),isOptional:!1}}}),A=new x({name:"ListUsersInput",description:"Input for listing 
users",fields:{limit:{type:q.Int_unsecure(),isOptional:!0},offset:{type:q.Int_unsecure(),isOptional:!0},search:{type:q.String_unsecure(),isOptional:!0}}}),k=new x({name:"ListUsersOutput",description:"Output for listing users",fields:{users:{type:z,isOptional:!1,isArray:!0},total:{type:q.Int_unsecure(),isOptional:!1}}}),f=K({meta:{key:"identity.user.create",version:"1.0.0",stability:"stable",owners:[...F],tags:["identity","user","create"],description:"Create a new user account.",goal:"Register a new user in the system.",context:"Used during signup flows. May trigger email verification."},io:{input:Z,output:z,errors:{EMAIL_EXISTS:{description:"A user with this email already exists",http:409,gqlCode:"EMAIL_EXISTS",when:"Email is already registered"}}},policy:{auth:"anonymous"},sideEffects:{emits:[{key:"user.created",version:"1.0.0",when:"User is successfully created",payload:z}],audit:["user.created"]}}),R=X({meta:{key:"identity.user.me",version:"1.0.0",stability:"stable",owners:[...F],tags:["identity","user","profile"],description:"Get the current authenticated user profile.",goal:"Retrieve user profile for the authenticated session.",context:"Called on app load and after profile updates."},io:{input:null,output:z},policy:{auth:"user"}}),h=K({meta:{key:"identity.user.update",version:"1.0.0",stability:"stable",owners:[...F],tags:["identity","user","update"],description:"Update user profile information.",goal:"Allow users to update their profile.",context:"Self-service profile updates."},io:{input:_,output:z},policy:{auth:"user"},sideEffects:{emits:[{key:"user.updated",version:"1.0.0",when:"User profile is updated",payload:z}],audit:["user.updated"]}}),i=K({meta:{key:"identity.user.delete",version:"1.0.0",stability:"stable",owners:[...F],tags:["identity","user","delete"],description:"Delete user account and all associated data.",goal:"Allow users to delete their account (GDPR compliance).",context:"Self-service account deletion. 
Cascades to memberships, sessions, etc."},io:{input:$,output:J},policy:{auth:"user",escalate:"human_review"},sideEffects:{emits:[{key:"user.deleted",version:"1.0.0",when:"User account is deleted",payload:v}],audit:["user.deleted"]}}),t=X({meta:{key:"identity.user.list",version:"1.0.0",stability:"stable",owners:[...F],tags:["identity","user","admin","list"],description:"List all users (admin only).",goal:"Allow admins to browse and manage users.",context:"Admin dashboard user management."},io:{input:A,output:k},policy:{auth:"admin"}});import{defineCommand as G,defineQuery as V}from"@contractspec/lib.contracts-spec";import{ScalarTypeEnum as j,SchemaModel as w}from"@contractspec/lib.schema";var H=new w({name:"Role",description:"RBAC role definition",fields:{id:{type:j.String_unsecure(),isOptional:!1},name:{type:j.String_unsecure(),isOptional:!1},description:{type:j.String_unsecure(),isOptional:!0},source:{type:j.String_unsecure(),isOptional:!0},templateKey:{type:j.String_unsecure(),isOptional:!0},templateVersion:{type:j.String_unsecure(),isOptional:!0},disabledAt:{type:j.DateTime(),isOptional:!0},permissions:{type:j.String_unsecure(),isOptional:!1,isArray:!0},createdAt:{type:j.DateTime(),isOptional:!1}}}),Y=new w({name:"PolicyBinding",description:"Role assignment to a 
target",fields:{id:{type:j.String_unsecure(),isOptional:!1},roleId:{type:j.String_unsecure(),isOptional:!1},targetType:{type:j.String_unsecure(),isOptional:!1},targetId:{type:j.String_unsecure(),isOptional:!1},expiresAt:{type:j.DateTime(),isOptional:!0},scopeType:{type:j.String_unsecure(),isOptional:!0},scopeId:{type:j.String_unsecure(),isOptional:!0},tenantId:{type:j.String_unsecure(),isOptional:!0},workspaceId:{type:j.String_unsecure(),isOptional:!0},source:{type:j.String_unsecure(),isOptional:!0},templateKey:{type:j.String_unsecure(),isOptional:!0},templateVersion:{type:j.String_unsecure(),isOptional:!0},effect:{type:j.String_unsecure(),isOptional:!0},disabledAt:{type:j.DateTime(),isOptional:!0},reason:{type:j.String_unsecure(),isOptional:!0},createdAt:{type:j.DateTime(),isOptional:!1},role:{type:H,isOptional:!1}}}),B=new w({name:"PermissionCheckResult",description:"Result of a permission check",fields:{allowed:{type:j.Boolean(),isOptional:!1},reason:{type:j.String_unsecure(),isOptional:!0},matchedRole:{type:j.String_unsecure(),isOptional:!0}}}),D=new w({name:"CreateRoleInput",description:"Input for creating a role",fields:{name:{type:j.NonEmptyString(),isOptional:!1},description:{type:j.String_unsecure(),isOptional:!0},source:{type:j.String_unsecure(),isOptional:!0},templateKey:{type:j.String_unsecure(),isOptional:!0},templateVersion:{type:j.String_unsecure(),isOptional:!0},disabledAt:{type:j.DateTime(),isOptional:!0},permissions:{type:j.String_unsecure(),isOptional:!1,isArray:!0}}}),b=new w({name:"UpdateRoleInput",description:"Input for updating a 
role",fields:{roleId:{type:j.String_unsecure(),isOptional:!1},name:{type:j.String_unsecure(),isOptional:!0},description:{type:j.String_unsecure(),isOptional:!0},source:{type:j.String_unsecure(),isOptional:!0},templateKey:{type:j.String_unsecure(),isOptional:!0},templateVersion:{type:j.String_unsecure(),isOptional:!0},disabledAt:{type:j.DateTime(),isOptional:!0},permissions:{type:j.String_unsecure(),isOptional:!0,isArray:!0}}}),g=new w({name:"DeleteRoleInput",description:"Input for deleting a role",fields:{roleId:{type:j.String_unsecure(),isOptional:!1}}}),L=new w({name:"ListRolesOutput",description:"Output for listing roles",fields:{roles:{type:H,isOptional:!1,isArray:!0}}}),N=new w({name:"AssignRoleInput",description:"Input for assigning a role",fields:{roleId:{type:j.String_unsecure(),isOptional:!1},targetType:{type:j.String_unsecure(),isOptional:!1},targetId:{type:j.String_unsecure(),isOptional:!1},expiresAt:{type:j.DateTime(),isOptional:!0}}}),Q=new w({name:"RevokeRoleInput",description:"Input for revoking a role",fields:{bindingId:{type:j.String_unsecure(),isOptional:!1}}}),W=new w({name:"BindingIdPayload",description:"Payload with binding ID",fields:{bindingId:{type:j.String_unsecure(),isOptional:!1}}}),O=new w({name:"CheckPermissionInput",description:"Input for checking a permission",fields:{userId:{type:j.String_unsecure(),isOptional:!1},orgId:{type:j.String_unsecure(),isOptional:!0},permission:{type:j.String_unsecure(),isOptional:!1}}}),C=new w({name:"ListUserPermissionsInput",description:"Input for listing user permissions",fields:{userId:{type:j.String_unsecure(),isOptional:!1},orgId:{type:j.String_unsecure(),isOptional:!0}}}),I=new w({name:"ListUserPermissionsOutput",description:"Output for listing user 
permissions",fields:{permissions:{type:j.String_unsecure(),isOptional:!1,isArray:!0},roles:{type:H,isOptional:!1,isArray:!0}}}),E=G({meta:{key:"identity.rbac.role.create",version:"1.0.0",stability:"stable",owners:["@platform.identity-rbac"],tags:["identity","rbac","role","create"],description:"Create a new role with permissions.",goal:"Allow admins to define custom roles.",context:"Role management in admin settings."},io:{input:D,output:H,errors:{ROLE_EXISTS:{description:"A role with this name already exists",http:409,gqlCode:"ROLE_EXISTS",when:"Role name is taken"}}},policy:{auth:"admin"},sideEffects:{audit:["role.created"]}}),o=G({meta:{key:"identity.rbac.role.update",version:"1.0.0",stability:"stable",owners:["@platform.identity-rbac"],tags:["identity","rbac","role","update"],description:"Update an existing role.",goal:"Allow admins to modify role permissions.",context:"Role management in admin settings."},io:{input:b,output:H},policy:{auth:"admin"},sideEffects:{audit:["role.updated"]}}),y=G({meta:{key:"identity.rbac.role.delete",version:"1.0.0",stability:"stable",owners:["@platform.identity-rbac"],tags:["identity","rbac","role","delete"],description:"Delete an existing role.",goal:"Allow admins to remove unused roles.",context:"Role management. 
Removes all policy bindings using this role."},io:{input:g,output:J,errors:{ROLE_IN_USE:{description:"Role is still assigned to users or organizations",http:409,gqlCode:"ROLE_IN_USE",when:"Role has active bindings"}}},policy:{auth:"admin"},sideEffects:{audit:["role.deleted"]}}),p=V({meta:{key:"identity.rbac.role.list",version:"1.0.0",stability:"stable",owners:["@platform.identity-rbac"],tags:["identity","rbac","role","list"],description:"List all available roles.",goal:"Show available roles for assignment.",context:"Role assignment UI."},io:{input:null,output:L},policy:{auth:"user"}}),S=G({meta:{key:"identity.rbac.assign",version:"1.0.0",stability:"stable",owners:["@platform.identity-rbac"],tags:["identity","rbac","assign"],description:"Assign a role to a user or organization.",goal:"Grant permissions via role assignment.",context:"User/org permission management."},io:{input:N,output:Y,errors:{ROLE_NOT_FOUND:{description:"The specified role does not exist",http:404,gqlCode:"ROLE_NOT_FOUND",when:"Role ID is invalid"},ALREADY_ASSIGNED:{description:"This role is already assigned to the target",http:409,gqlCode:"ALREADY_ASSIGNED",when:"Binding already exists"}}},policy:{auth:"admin"},sideEffects:{emits:[{key:"role.assigned",version:"1.0.0",when:"Role is assigned",payload:Y}],audit:["role.assigned"]}}),u=G({meta:{key:"identity.rbac.revoke",version:"1.0.0",stability:"stable",owners:["@platform.identity-rbac"],tags:["identity","rbac","revoke"],description:"Revoke a role from a user or organization.",goal:"Remove permissions via role revocation.",context:"User/org permission management."},io:{input:Q,output:J,errors:{BINDING_NOT_FOUND:{description:"The policy binding does not exist",http:404,gqlCode:"BINDING_NOT_FOUND",when:"Binding ID is invalid"}}},policy:{auth:"admin"},sideEffects:{emits:[{key:"role.revoked",version:"1.0.0",when:"Role is 
revoked",payload:W}],audit:["role.revoked"]}}),r=V({meta:{key:"identity.rbac.check",version:"1.0.0",stability:"stable",owners:["@platform.identity-rbac"],tags:["identity","rbac","check","permission"],description:"Check if a user has a specific permission.",goal:"Authorization check before sensitive operations.",context:"Called by other services to verify permissions."},io:{input:O,output:B},policy:{auth:"user"}}),m=V({meta:{key:"identity.rbac.permissions",version:"1.0.0",stability:"stable",owners:["@platform.identity-rbac"],tags:["identity","rbac","permissions","user"],description:"List all permissions for a user in a context.",goal:"Show what a user can do in an org.",context:"UI permission display, debugging."},io:{input:C,output:I},policy:{auth:"user"}});export{b as UpdateRoleInputModel,o as UpdateRoleContract,H as RoleModel,Q as RevokeRoleInputModel,u as RevokeRoleContract,Y as PolicyBindingModel,B as PermissionCheckResultModel,I as ListUserPermissionsOutputModel,C as ListUserPermissionsInputModel,m as ListUserPermissionsContract,L as ListRolesOutputModel,p as ListRolesContract,g as DeleteRoleInputModel,y as DeleteRoleContract,D as CreateRoleInputModel,E as CreateRoleContract,O as CheckPermissionInputModel,r as CheckPermissionContract,W as BindingIdPayloadModel,N as AssignRoleInputModel,S as AssignRoleContract};
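Review bot: The fields added to PolicyBindingModel on the new side of line 2 (scopeType, scopeId, tenantId, workspaceId, effect, disabledAt, reason) are not reachable through the public contracts, because AssignRoleInputModel still carries only roleId/targetType/targetId/expiresAt and CheckPermissionInputModel still carries only userId/orgId/permission, so a caller can neither create a scoped or tenant-bound binding nor ask identity.rbac.check to evaluate against a tenant or workspace context; whether policies/engine.js honours these fields when a binding acquires them by another path is outside this hunk. If the engine is meant to enforce them, the two inputs should gain the matching optional fields, e.g. `tenantId:{type:j.String_unsecure(),isOptional:!0},workspaceId:{type:j.String_unsecure(),isOptional:!0}` on CheckPermissionInput, so that an authorization decision is taken in the same scope the binding was granted in. `effect` is declared as an unconstrained `String_unsecure` on PolicyBinding; if it is meant to carry a fixed set of values, an enum scalar would reject unrecognised values at the schema boundary instead of leaving their interpretation to the engine. The remaining differences are minifier symbol churn (y/d/p/S/o renamed to E/o/y/p/S) with identical export names.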
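--- a/package/dist/entities/index.d.ts
+++ b/package/dist/entities/index.d.ts
@@ -56,6 +56,16 @@ export declare const identityRbacEntities: (import("@contractspec/lib.schema").E
 targetType: import("@contractspec/lib.schema").EntityScalarField;
 targetId: import("@contractspec/lib.schema").EntityScalarField;
 expiresAt: import("@contractspec/lib.schema").EntityScalarField;
+scopeType: import("@contractspec/lib.schema").EntityScalarField;
+scopeId: import("@contractspec/lib.schema").EntityScalarField;
+tenantId: import("@contractspec/lib.schema").EntityScalarField;
+workspaceId: import("@contractspec/lib.schema").EntityScalarField;
+source: import("@contractspec/lib.schema").EntityScalarField;
+templateKey: import("@contractspec/lib.schema").EntityScalarField;
+templateVersion: import("@contractspec/lib.schema").EntityScalarField;
+effect: import("@contractspec/lib.schema").EntityScalarField;
+disabledAt: import("@contractspec/lib.schema").EntityScalarField;
+reason: import("@contractspec/lib.schema").EntityScalarField;
 createdAt: import("@contractspec/lib.schema").EntityScalarField;
 userId: import("@contractspec/lib.schema").EntityScalarField;
 organizationId: import("@contractspec/lib.schema").EntityScalarField;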
package/dist/entities/index.js
CHANGED
@@ -1,2 +1,2 @@
1
1
// @bun
2
-
import{defineEntity as C,defineEntityEnum as U,field as w,index as W}from"@contractspec/lib.schema";var F=U({name:"OrganizationType",values:["PLATFORM_ADMIN","CONTRACT_SPEC_CUSTOMER"],schema:"lssm_sigil",description:"Type of organization in the platform."}),H=C({name:"Organization",description:"An organization is a tenant boundary grouping users.",schema:"lssm_sigil",map:"organization",fields:{id:w.id({description:"Unique organization identifier"}),name:w.string({description:"Organization display name"}),slug:w.string({isOptional:!0,isUnique:!0,description:"URL-friendly identifier"}),logo:w.url({isOptional:!0,description:"Organization logo URL"}),description:w.string({isOptional:!0,description:"Organization description"}),metadata:w.json({isOptional:!0,description:"Arbitrary organization metadata"}),type:w.enum("OrganizationType",{description:"Organization type"}),onboardingCompleted:w.boolean({default:!1}),onboardingStep:w.string({isOptional:!0}),referralCode:w.string({isOptional:!0,isUnique:!0,description:"Unique referral code"}),referredBy:w.string({isOptional:!0,description:"ID of referring user"}),createdAt:w.createdAt(),updatedAt:w.updatedAt(),members:w.hasMany("Member"),invitations:w.hasMany("Invitation"),teams:w.hasMany("Team"),policyBindings:w.hasMany("PolicyBinding")},enums:[F]}),J=C({name:"Member",description:"Membership of a user in an organization with a role.",schema:"lssm_sigil",map:"member",fields:{id:w.id(),userId:w.foreignKey(),organizationId:w.foreignKey(),role:w.string({description:"Role in organization (owner, admin, member)"}),createdAt:w.createdAt(),user:w.belongsTo("User",["userId"],["id"],{onDelete:"Cascade"}),organization:w.belongsTo("Organization",["organizationId"],["id"],{onDelete:"Cascade"})},indexes:[W.unique(["userId","organizationId"])]}),L=C({name:"Invitation",description:"An invitation to join an organization.",schema:"lssm_sigil",map:"invitation",fields:{id:w.id(),organizationId:w.foreignKey(),email:w.email({description:"Invited 
email address"}),role:w.string({isOptional:!0,description:"Role to assign on acceptance"}),status:w.string({default:'"pending"',description:"Invitation status"}),acceptedAt:w.dateTime({isOptional:!0}),expiresAt:w.dateTime({isOptional:!0}),inviterId:w.foreignKey({description:"User who sent the invitation"}),teamId:w.string({isOptional:!0}),createdAt:w.createdAt(),updatedAt:w.updatedAt(),organization:w.belongsTo("Organization",["organizationId"],["id"],{onDelete:"Cascade"}),inviter:w.belongsTo("User",["inviterId"],["id"],{onDelete:"Cascade"}),team:w.belongsTo("Team",["teamId"],["id"],{onDelete:"Cascade"})}}),N=C({name:"Team",description:"Team within an organization.",schema:"lssm_sigil",map:"team",fields:{id:w.id(),name:w.string({description:"Team name"}),organizationId:w.foreignKey(),createdAt:w.createdAt(),updatedAt:w.updatedAt(),organization:w.belongsTo("Organization",["organizationId"],["id"],{onDelete:"Cascade"}),members:w.hasMany("TeamMember"),invitations:w.hasMany("Invitation")}}),Q=C({name:"TeamMember",description:"Team membership for a user.",schema:"lssm_sigil",map:"team_member",fields:{id:w.id(),teamId:w.foreignKey(),userId:w.foreignKey(),createdAt:w.createdAt(),team:w.belongsTo("Team",["teamId"],["id"],{onDelete:"Cascade"}),user:w.belongsTo("User",["userId"],["id"],{onDelete:"Cascade"})}});import{defineEntity as D,field as q,index as v}from"@contractspec/lib.schema";var X=D({name:"Role",description:"A role defines a named set of permissions.",schema:"lssm_sigil",map:"role",fields:{id:q.id(),name:q.string({isUnique:!0,description:"Unique role name"}),description:q.string({isOptional:!0,description:"Role description"}),permissions:q.string({isArray:!0,description:"Array of permission names"}),createdAt:q.createdAt(),updatedAt:q.updatedAt(),policyBindings:q.hasMany("PolicyBinding")}}),Y=D({name:"Permission",description:"A permission represents an atomic access 
right.",schema:"lssm_sigil",map:"permission",fields:{id:q.id(),name:q.string({isUnique:!0,description:"Unique permission name"}),description:q.string({isOptional:!0,description:"Permission description"}),createdAt:q.createdAt(),updatedAt:q.updatedAt()}}),Z=D({name:"PolicyBinding",description:"Binds roles to principals (users or organizations).",schema:"lssm_sigil",map:"policy_binding",fields:{id:q.id(),roleId:q.foreignKey(),targetType:q.string({description:'"user" or "organization"'}),targetId:q.string({description:"ID of User or Organization"}),expiresAt:q.dateTime({isOptional:!0,description:"When binding expires"}),createdAt:q.createdAt(),userId:q.string({isOptional:!0}),organizationId:q.string({isOptional:!0}),role:q.belongsTo("Role",["roleId"],["id"],{onDelete:"Cascade"}),user:q.belongsTo("User",["userId"],["id"]),organization:q.belongsTo("Organization",["organizationId"],["id"])},indexes:[v.on(["targetType","targetId"])]}),_=D({name:"ApiKey",description:"API keys for programmatic access.",schema:"lssm_sigil",map:"api_key",fields:{id:q.id(),name:q.string({description:"API key name"}),start:q.string({description:"Starting characters for identification"}),prefix:q.string({description:"API key prefix"}),key:q.string({description:"Hashed API key"}),userId:q.foreignKey(),refillInterval:q.int({description:"Refill interval in ms"}),refillAmount:q.int({description:"Amount to refill"}),lastRefillAt:q.dateTime(),remaining:q.int({description:"Remaining requests"}),requestCount:q.int({description:"Total requests made"}),lastRequest:q.dateTime(),enabled:q.boolean({default:!0}),rateLimitEnabled:q.boolean({default:!0}),rateLimitTimeWindow:q.int({description:"Rate limit window in ms"}),rateLimitMax:q.int({description:"Max requests in 
window"}),expiresAt:q.dateTime(),permissions:q.string({isArray:!0}),metadata:q.json({isOptional:!0}),createdAt:q.createdAt(),updatedAt:q.updatedAt(),user:q.belongsTo("User",["userId"],["id"],{onDelete:"Cascade"})}}),$=D({name:"Passkey",description:"WebAuthn passkeys for passwordless authentication.",schema:"lssm_sigil",map:"passkey",fields:{id:q.id(),name:q.string({description:"Passkey name"}),publicKey:q.string({description:"Public key"}),userId:q.foreignKey(),credentialID:q.string({description:"Credential ID"}),counter:q.int({description:"Counter"}),deviceType:q.string({description:"Device type"}),backedUp:q.boolean({description:"Whether passkey is backed up"}),transports:q.string({description:"Transports"}),aaguid:q.string({description:"Authenticator GUID"}),createdAt:q.createdAt(),user:q.belongsTo("User",["userId"],["id"],{onDelete:"Cascade"})}});import{defineEntity as G,field as j,index as V}from"@contractspec/lib.schema";var B=G({name:"User",description:"A user of the platform. Users hold core profile information and authenticate via Account records.",schema:"lssm_sigil",map:"user",fields:{id:j.id({description:"Unique user identifier"}),email:j.email({isUnique:!0,description:"User email address"}),emailVerified:j.boolean({default:!1,description:"Whether email has been verified"}),name:j.string({isOptional:!0,description:"Display name"}),firstName:j.string({isOptional:!0,description:"First name"}),lastName:j.string({isOptional:!0,description:"Last name"}),locale:j.string({isOptional:!0,description:'User locale (e.g., "en-US")'}),timezone:j.string({isOptional:!0,description:'Olson timezone (e.g., "Europe/Paris")'}),imageUrl:j.url({isOptional:!0,description:"URL of avatar or profile picture"}),image:j.string({isOptional:!0,description:"Legacy image field"}),metadata:j.json({isOptional:!0,description:"Arbitrary user metadata"}),onboardingCompleted:j.boolean({default:!1,description:"Whether onboarding is 
complete"}),onboardingStep:j.string({isOptional:!0,description:"Current onboarding step"}),whitelistedAt:j.dateTime({isOptional:!0,description:"When user was whitelisted"}),role:j.string({isOptional:!0,default:'"user"',description:"User role (user, admin)"}),banned:j.boolean({default:!1,description:"Whether user is banned"}),banReason:j.string({isOptional:!0,description:"Reason for ban"}),banExpires:j.dateTime({isOptional:!0,description:"When ban expires"}),phoneNumber:j.string({isOptional:!0,isUnique:!0,description:"Phone number"}),phoneNumberVerified:j.boolean({default:!1,description:"Whether phone is verified"}),createdAt:j.createdAt(),updatedAt:j.updatedAt(),sessions:j.hasMany("Session"),accounts:j.hasMany("Account"),memberships:j.hasMany("Member"),invitations:j.hasMany("Invitation"),teamMemberships:j.hasMany("TeamMember"),policyBindings:j.hasMany("PolicyBinding"),apiKeys:j.hasMany("ApiKey"),passkeys:j.hasMany("Passkey")}}),I=G({name:"Session",description:"Represents a login session (e.g., web session or API token).",schema:"lssm_sigil",map:"session",fields:{id:j.id(),userId:j.foreignKey(),expiresAt:j.dateTime({description:"Session expiration time"}),token:j.string({isUnique:!0,description:"Session token"}),ipAddress:j.string({isOptional:!0,description:"Client IP address"}),userAgent:j.string({isOptional:!0,description:"Client user agent"}),impersonatedBy:j.string({isOptional:!0,description:"Admin impersonating this session"}),activeOrganizationId:j.string({isOptional:!0,description:"Active org context"}),activeTeamId:j.string({isOptional:!0,description:"Active team context"}),createdAt:j.createdAt(),updatedAt:j.updatedAt(),user:j.belongsTo("User",["userId"],["id"],{onDelete:"Cascade"})}}),K=G({name:"Account",description:"External authentication accounts (OAuth, password, etc.).",schema:"lssm_sigil",map:"account",fields:{id:j.id(),accountId:j.string({description:"Account ID from provider"}),providerId:j.string({description:"Provider 
identifier"}),userId:j.foreignKey(),accessToken:j.string({isOptional:!0}),refreshToken:j.string({isOptional:!0}),idToken:j.string({isOptional:!0}),accessTokenExpiresAt:j.dateTime({isOptional:!0}),refreshTokenExpiresAt:j.dateTime({isOptional:!0}),scope:j.string({isOptional:!0}),password:j.string({isOptional:!0,description:"Hashed password for password providers"}),createdAt:j.createdAt(),updatedAt:j.updatedAt(),user:j.belongsTo("User",["userId"],["id"],{onDelete:"Cascade"})},indexes:[V.unique(["accountId","providerId"])]}),S=G({name:"Verification",description:"Verification tokens for email/phone confirmation.",schema:"lssm_sigil",map:"verification",fields:{id:j.uuid(),identifier:j.string({description:"Email or phone being verified"}),value:j.string({description:"Verification code/token"}),expiresAt:j.dateTime({description:"Token expiration"}),createdAt:j.createdAt(),updatedAt:j.updatedAt()}});var x=[B,I,K,S,H,J,L,N,Q,X,Y,Z,_,$],h={moduleId:"@contractspec/lib.identity-rbac",entities:x,enums:[F]};export{h as identityRbacSchemaContribution,x as identityRbacEntities,S as VerificationEntity,B as UserEntity,Q as TeamMemberEntity,N as TeamEntity,I as SessionEntity,X as RoleEntity,Z as PolicyBindingEntity,Y as PermissionEntity,$ as PasskeyEntity,F as OrganizationTypeEnum,H as OrganizationEntity,J as MemberEntity,L as InvitationEntity,_ as ApiKeyEntity,K as AccountEntity};
2
+
import{defineEntity as C,defineEntityEnum as U,field as w,index as W}from"@contractspec/lib.schema";var F=U({name:"OrganizationType",values:["PLATFORM_ADMIN","CONTRACT_SPEC_CUSTOMER"],schema:"lssm_sigil",description:"Type of organization in the platform."}),H=C({name:"Organization",description:"An organization is a tenant boundary grouping users.",schema:"lssm_sigil",map:"organization",fields:{id:w.id({description:"Unique organization identifier"}),name:w.string({description:"Organization display name"}),slug:w.string({isOptional:!0,isUnique:!0,description:"URL-friendly identifier"}),logo:w.url({isOptional:!0,description:"Organization logo URL"}),description:w.string({isOptional:!0,description:"Organization description"}),metadata:w.json({isOptional:!0,description:"Arbitrary organization metadata"}),type:w.enum("OrganizationType",{description:"Organization type"}),onboardingCompleted:w.boolean({default:!1}),onboardingStep:w.string({isOptional:!0}),referralCode:w.string({isOptional:!0,isUnique:!0,description:"Unique referral code"}),referredBy:w.string({isOptional:!0,description:"ID of referring user"}),createdAt:w.createdAt(),updatedAt:w.updatedAt(),members:w.hasMany("Member"),invitations:w.hasMany("Invitation"),teams:w.hasMany("Team"),policyBindings:w.hasMany("PolicyBinding")},enums:[F]}),J=C({name:"Member",description:"Membership of a user in an organization with a role.",schema:"lssm_sigil",map:"member",fields:{id:w.id(),userId:w.foreignKey(),organizationId:w.foreignKey(),role:w.string({description:"Role in organization (owner, admin, member)"}),createdAt:w.createdAt(),user:w.belongsTo("User",["userId"],["id"],{onDelete:"Cascade"}),organization:w.belongsTo("Organization",["organizationId"],["id"],{onDelete:"Cascade"})},indexes:[W.unique(["userId","organizationId"])]}),L=C({name:"Invitation",description:"An invitation to join an organization.",schema:"lssm_sigil",map:"invitation",fields:{id:w.id(),organizationId:w.foreignKey(),email:w.email({description:"Invited 
email address"}),role:w.string({isOptional:!0,description:"Role to assign on acceptance"}),status:w.string({default:'"pending"',description:"Invitation status"}),acceptedAt:w.dateTime({isOptional:!0}),expiresAt:w.dateTime({isOptional:!0}),inviterId:w.foreignKey({description:"User who sent the invitation"}),teamId:w.string({isOptional:!0}),createdAt:w.createdAt(),updatedAt:w.updatedAt(),organization:w.belongsTo("Organization",["organizationId"],["id"],{onDelete:"Cascade"}),inviter:w.belongsTo("User",["inviterId"],["id"],{onDelete:"Cascade"}),team:w.belongsTo("Team",["teamId"],["id"],{onDelete:"Cascade"})}}),N=C({name:"Team",description:"Team within an organization.",schema:"lssm_sigil",map:"team",fields:{id:w.id(),name:w.string({description:"Team name"}),organizationId:w.foreignKey(),createdAt:w.createdAt(),updatedAt:w.updatedAt(),organization:w.belongsTo("Organization",["organizationId"],["id"],{onDelete:"Cascade"}),members:w.hasMany("TeamMember"),invitations:w.hasMany("Invitation")}}),Q=C({name:"TeamMember",description:"Team membership for a user.",schema:"lssm_sigil",map:"team_member",fields:{id:w.id(),teamId:w.foreignKey(),userId:w.foreignKey(),createdAt:w.createdAt(),team:w.belongsTo("Team",["teamId"],["id"],{onDelete:"Cascade"}),user:w.belongsTo("User",["userId"],["id"],{onDelete:"Cascade"})}});import{defineEntity as D,field as j,index as v}from"@contractspec/lib.schema";var X=D({name:"Role",description:"A role defines a named set of permissions.",schema:"lssm_sigil",map:"role",fields:{id:j.id(),name:j.string({isUnique:!0,description:"Unique role name"}),description:j.string({isOptional:!0,description:"Role description"}),source:j.string({isOptional:!0,description:"static, dynamic, or template"}),templateKey:j.string({isOptional:!0}),templateVersion:j.string({isOptional:!0}),disabledAt:j.dateTime({isOptional:!0}),permissions:j.string({isArray:!0,description:"Array of permission 
names"}),createdAt:j.createdAt(),updatedAt:j.updatedAt(),policyBindings:j.hasMany("PolicyBinding")}}),Y=D({name:"Permission",description:"A permission represents an atomic access right.",schema:"lssm_sigil",map:"permission",fields:{id:j.id(),name:j.string({isUnique:!0,description:"Unique permission name"}),description:j.string({isOptional:!0,description:"Permission description"}),createdAt:j.createdAt(),updatedAt:j.updatedAt()}}),Z=D({name:"PolicyBinding",description:"Binds roles to principals (users or organizations).",schema:"lssm_sigil",map:"policy_binding",fields:{id:j.id(),roleId:j.foreignKey(),targetType:j.string({description:'"user" or "organization"'}),targetId:j.string({description:"ID of User or Organization"}),expiresAt:j.dateTime({isOptional:!0,description:"When binding expires"}),scopeType:j.string({isOptional:!0,description:"global, tenant, workspace, organization, or user"}),scopeId:j.string({isOptional:!0}),tenantId:j.string({isOptional:!0}),workspaceId:j.string({isOptional:!0}),source:j.string({isOptional:!0,description:"static, dynamic, or template"}),templateKey:j.string({isOptional:!0}),templateVersion:j.string({isOptional:!0}),effect:j.string({isOptional:!0,description:"grant or deny"}),disabledAt:j.dateTime({isOptional:!0}),reason:j.string({isOptional:!0}),createdAt:j.createdAt(),userId:j.string({isOptional:!0}),organizationId:j.string({isOptional:!0}),role:j.belongsTo("Role",["roleId"],["id"],{onDelete:"Cascade"}),user:j.belongsTo("User",["userId"],["id"]),organization:j.belongsTo("Organization",["organizationId"],["id"])},indexes:[v.on(["targetType","targetId"])]}),_=D({name:"ApiKey",description:"API keys for programmatic access.",schema:"lssm_sigil",map:"api_key",fields:{id:j.id(),name:j.string({description:"API key name"}),start:j.string({description:"Starting characters for identification"}),prefix:j.string({description:"API key prefix"}),key:j.string({description:"Hashed API 
key"}),userId:j.foreignKey(),refillInterval:j.int({description:"Refill interval in ms"}),refillAmount:j.int({description:"Amount to refill"}),lastRefillAt:j.dateTime(),remaining:j.int({description:"Remaining requests"}),requestCount:j.int({description:"Total requests made"}),lastRequest:j.dateTime(),enabled:j.boolean({default:!0}),rateLimitEnabled:j.boolean({default:!0}),rateLimitTimeWindow:j.int({description:"Rate limit window in ms"}),rateLimitMax:j.int({description:"Max requests in window"}),expiresAt:j.dateTime(),permissions:j.string({isArray:!0}),metadata:j.json({isOptional:!0}),createdAt:j.createdAt(),updatedAt:j.updatedAt(),user:j.belongsTo("User",["userId"],["id"],{onDelete:"Cascade"})}}),$=D({name:"Passkey",description:"WebAuthn passkeys for passwordless authentication.",schema:"lssm_sigil",map:"passkey",fields:{id:j.id(),name:j.string({description:"Passkey name"}),publicKey:j.string({description:"Public key"}),userId:j.foreignKey(),credentialID:j.string({description:"Credential ID"}),counter:j.int({description:"Counter"}),deviceType:j.string({description:"Device type"}),backedUp:j.boolean({description:"Whether passkey is backed up"}),transports:j.string({description:"Transports"}),aaguid:j.string({description:"Authenticator GUID"}),createdAt:j.createdAt(),user:j.belongsTo("User",["userId"],["id"],{onDelete:"Cascade"})}});import{defineEntity as G,field as q,index as V}from"@contractspec/lib.schema";var B=G({name:"User",description:"A user of the platform. 
Users hold core profile information and authenticate via Account records.",schema:"lssm_sigil",map:"user",fields:{id:q.id({description:"Unique user identifier"}),email:q.email({isUnique:!0,description:"User email address"}),emailVerified:q.boolean({default:!1,description:"Whether email has been verified"}),name:q.string({isOptional:!0,description:"Display name"}),firstName:q.string({isOptional:!0,description:"First name"}),lastName:q.string({isOptional:!0,description:"Last name"}),locale:q.string({isOptional:!0,description:'User locale (e.g., "en-US")'}),timezone:q.string({isOptional:!0,description:'Olson timezone (e.g., "Europe/Paris")'}),imageUrl:q.url({isOptional:!0,description:"URL of avatar or profile picture"}),image:q.string({isOptional:!0,description:"Legacy image field"}),metadata:q.json({isOptional:!0,description:"Arbitrary user metadata"}),onboardingCompleted:q.boolean({default:!1,description:"Whether onboarding is complete"}),onboardingStep:q.string({isOptional:!0,description:"Current onboarding step"}),whitelistedAt:q.dateTime({isOptional:!0,description:"When user was whitelisted"}),role:q.string({isOptional:!0,default:'"user"',description:"User role (user, admin)"}),banned:q.boolean({default:!1,description:"Whether user is banned"}),banReason:q.string({isOptional:!0,description:"Reason for ban"}),banExpires:q.dateTime({isOptional:!0,description:"When ban expires"}),phoneNumber:q.string({isOptional:!0,isUnique:!0,description:"Phone number"}),phoneNumberVerified:q.boolean({default:!1,description:"Whether phone is verified"}),createdAt:q.createdAt(),updatedAt:q.updatedAt(),sessions:q.hasMany("Session"),accounts:q.hasMany("Account"),memberships:q.hasMany("Member"),invitations:q.hasMany("Invitation"),teamMemberships:q.hasMany("TeamMember"),policyBindings:q.hasMany("PolicyBinding"),apiKeys:q.hasMany("ApiKey"),passkeys:q.hasMany("Passkey")}}),I=G({name:"Session",description:"Represents a login session (e.g., web session or API 
token).",schema:"lssm_sigil",map:"session",fields:{id:q.id(),userId:q.foreignKey(),expiresAt:q.dateTime({description:"Session expiration time"}),token:q.string({isUnique:!0,description:"Session token"}),ipAddress:q.string({isOptional:!0,description:"Client IP address"}),userAgent:q.string({isOptional:!0,description:"Client user agent"}),impersonatedBy:q.string({isOptional:!0,description:"Admin impersonating this session"}),activeOrganizationId:q.string({isOptional:!0,description:"Active org context"}),activeTeamId:q.string({isOptional:!0,description:"Active team context"}),createdAt:q.createdAt(),updatedAt:q.updatedAt(),user:q.belongsTo("User",["userId"],["id"],{onDelete:"Cascade"})}}),K=G({name:"Account",description:"External authentication accounts (OAuth, password, etc.).",schema:"lssm_sigil",map:"account",fields:{id:q.id(),accountId:q.string({description:"Account ID from provider"}),providerId:q.string({description:"Provider identifier"}),userId:q.foreignKey(),accessToken:q.string({isOptional:!0}),refreshToken:q.string({isOptional:!0}),idToken:q.string({isOptional:!0}),accessTokenExpiresAt:q.dateTime({isOptional:!0}),refreshTokenExpiresAt:q.dateTime({isOptional:!0}),scope:q.string({isOptional:!0}),password:q.string({isOptional:!0,description:"Hashed password for password providers"}),createdAt:q.createdAt(),updatedAt:q.updatedAt(),user:q.belongsTo("User",["userId"],["id"],{onDelete:"Cascade"})},indexes:[V.unique(["accountId","providerId"])]}),S=G({name:"Verification",description:"Verification tokens for email/phone confirmation.",schema:"lssm_sigil",map:"verification",fields:{id:q.uuid(),identifier:q.string({description:"Email or phone being verified"}),value:q.string({description:"Verification code/token"}),expiresAt:q.dateTime({description:"Token expiration"}),createdAt:q.createdAt(),updatedAt:q.updatedAt()}});var x=[B,I,K,S,H,J,L,N,Q,X,Y,Z,_,$],h={moduleId:"@contractspec/lib.identity-rbac",entities:x,enums:[F]};export{h as identityRbacSchemaContribution,x as 
identityRbacEntities,S as VerificationEntity,B as UserEntity,Q as TeamMemberEntity,N as TeamEntity,I as SessionEntity,X as RoleEntity,Z as PolicyBindingEntity,Y as PermissionEntity,$ as PasskeyEntity,F as OrganizationTypeEnum,H as OrganizationEntity,J as MemberEntity,L as InvitationEntity,_ as ApiKeyEntity,K as AccountEntity};
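Review bot: The new `effect` field on PolicyBinding is an optional free-form string (`effect:j.string({isOptional:!0,description:"grant or deny"})`) with no default, even though this same file already models closed value sets with `defineEntityEnum` (`F=U({name:"OrganizationType",values:[...]})` referenced via `w.enum("OrganizationType",…)`). For an authorization record that is a weak contract: an absent, mis-cased or misspelled effect has to be resolved by the policy engine (changed in this release but outside this section), and whichever value it falls back to is likely a silent grant or a silent deny, so a constrained enum along the lines of `defineEntityEnum({name:"PolicyEffect",values:["GRANT","DENY"],schema:"lssm_sigil"})` used through `j.enum("PolicyEffect",…)` would let the schema reject anything else; the same argument applies to `scopeType` ("global, tenant, workspace, organization, or user") and `source` ("static, dynamic, or template"). The `indexes` list is still only `v.on(["targetType","targetId"])`, so lookups keyed on the new `scopeType`/`scopeId`/`tenantId`/`workspaceId` columns are unindexed — presumably a follow-up if the engine filters bindings by scope. package/dist/entities/rbac.js repeats the same Role and PolicyBinding definitions and has the same gap.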
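--- a/package/dist/entities/rbac.d.ts
+++ b/package/dist/entities/rbac.d.ts
@@ -5,6 +5,10 @@ export declare const RoleEntity: import("@contractspec/lib.schema").EntitySpec<{
 id: import("@contractspec/lib.schema").EntityScalarField;
 name: import("@contractspec/lib.schema").EntityScalarField;
 description: import("@contractspec/lib.schema").EntityScalarField;
+source: import("@contractspec/lib.schema").EntityScalarField;
+templateKey: import("@contractspec/lib.schema").EntityScalarField;
+templateVersion: import("@contractspec/lib.schema").EntityScalarField;
+disabledAt: import("@contractspec/lib.schema").EntityScalarField;
 permissions: import("@contractspec/lib.schema").EntityScalarField;
 createdAt: import("@contractspec/lib.schema").EntityScalarField;
 updatedAt: import("@contractspec/lib.schema").EntityScalarField;
@@ -29,6 +33,16 @@ export declare const PolicyBindingEntity: import("@contractspec/lib.schema").Ent
 targetType: import("@contractspec/lib.schema").EntityScalarField;
 targetId: import("@contractspec/lib.schema").EntityScalarField;
 expiresAt: import("@contractspec/lib.schema").EntityScalarField;
+scopeType: import("@contractspec/lib.schema").EntityScalarField;
+scopeId: import("@contractspec/lib.schema").EntityScalarField;
+tenantId: import("@contractspec/lib.schema").EntityScalarField;
+workspaceId: import("@contractspec/lib.schema").EntityScalarField;
+source: import("@contractspec/lib.schema").EntityScalarField;
+templateKey: import("@contractspec/lib.schema").EntityScalarField;
+templateVersion: import("@contractspec/lib.schema").EntityScalarField;
+effect: import("@contractspec/lib.schema").EntityScalarField;
+disabledAt: import("@contractspec/lib.schema").EntityScalarField;
+reason: import("@contractspec/lib.schema").EntityScalarField;
 createdAt: import("@contractspec/lib.schema").EntityScalarField;
 userId: import("@contractspec/lib.schema").EntityScalarField;
 organizationId: import("@contractspec/lib.schema").EntityScalarField;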
package/dist/entities/rbac.js
CHANGED
@@ -1,2 +1,2 @@
1
1
// @bun
2
-
import{defineEntity as j,field as g,index as q}from"@contractspec/lib.schema";var w=j({name:"Role",description:"A role defines a named set of permissions.",schema:"lssm_sigil",map:"role",fields:{id:g.id(),name:g.string({isUnique:!0,description:"Unique role name"}),description:g.string({isOptional:!0,description:"Role description"}),permissions:g.string({isArray:!0,description:"Array of permission names"}),createdAt:g.createdAt(),updatedAt:g.updatedAt(),policyBindings:g.hasMany("PolicyBinding")}}),z=j({name:"Permission",description:"A permission represents an atomic access right.",schema:"lssm_sigil",map:"permission",fields:{id:g.id(),name:g.string({isUnique:!0,description:"Unique permission name"}),description:g.string({isOptional:!0,description:"Permission description"}),createdAt:g.createdAt(),updatedAt:g.updatedAt()}}),B=j({name:"PolicyBinding",description:"Binds roles to principals (users or organizations).",schema:"lssm_sigil",map:"policy_binding",fields:{id:g.id(),roleId:g.foreignKey(),targetType:g.string({description:'"user" or "organization"'}),targetId:g.string({description:"ID of User or Organization"}),expiresAt:g.dateTime({isOptional:!0,description:"When binding expires"}),createdAt:g.createdAt(),userId:g.string({isOptional:!0}),organizationId:g.string({isOptional:!0}),role:g.belongsTo("Role",["roleId"],["id"],{onDelete:"Cascade"}),user:g.belongsTo("User",["userId"],["id"]),organization:g.belongsTo("Organization",["organizationId"],["id"])},indexes:[q.on(["targetType","targetId"])]}),C=j({name:"ApiKey",description:"API keys for programmatic access.",schema:"lssm_sigil",map:"api_key",fields:{id:g.id(),name:g.string({description:"API key name"}),start:g.string({description:"Starting characters for identification"}),prefix:g.string({description:"API key prefix"}),key:g.string({description:"Hashed API key"}),userId:g.foreignKey(),refillInterval:g.int({description:"Refill interval in ms"}),refillAmount:g.int({description:"Amount to 
refill"}),lastRefillAt:g.dateTime(),remaining:g.int({description:"Remaining requests"}),requestCount:g.int({description:"Total requests made"}),lastRequest:g.dateTime(),enabled:g.boolean({default:!0}),rateLimitEnabled:g.boolean({default:!0}),rateLimitTimeWindow:g.int({description:"Rate limit window in ms"}),rateLimitMax:g.int({description:"Max requests in window"}),expiresAt:g.dateTime(),permissions:g.string({isArray:!0}),metadata:g.json({isOptional:!0}),createdAt:g.createdAt(),updatedAt:g.updatedAt(),user:g.belongsTo("User",["userId"],["id"],{onDelete:"Cascade"})}}),D=j({name:"Passkey",description:"WebAuthn passkeys for passwordless authentication.",schema:"lssm_sigil",map:"passkey",fields:{id:g.id(),name:g.string({description:"Passkey name"}),publicKey:g.string({description:"Public key"}),userId:g.foreignKey(),credentialID:g.string({description:"Credential ID"}),counter:g.int({description:"Counter"}),deviceType:g.string({description:"Device type"}),backedUp:g.boolean({description:"Whether passkey is backed up"}),transports:g.string({description:"Transports"}),aaguid:g.string({description:"Authenticator GUID"}),createdAt:g.createdAt(),user:g.belongsTo("User",["userId"],["id"],{onDelete:"Cascade"})}});export{w as RoleEntity,B as PolicyBindingEntity,z as PermissionEntity,D as PasskeyEntity,C as ApiKeyEntity};
2
+
import{defineEntity as j,field as g,index as q}from"@contractspec/lib.schema";var w=j({name:"Role",description:"A role defines a named set of permissions.",schema:"lssm_sigil",map:"role",fields:{id:g.id(),name:g.string({isUnique:!0,description:"Unique role name"}),description:g.string({isOptional:!0,description:"Role description"}),source:g.string({isOptional:!0,description:"static, dynamic, or template"}),templateKey:g.string({isOptional:!0}),templateVersion:g.string({isOptional:!0}),disabledAt:g.dateTime({isOptional:!0}),permissions:g.string({isArray:!0,description:"Array of permission names"}),createdAt:g.createdAt(),updatedAt:g.updatedAt(),policyBindings:g.hasMany("PolicyBinding")}}),z=j({name:"Permission",description:"A permission represents an atomic access right.",schema:"lssm_sigil",map:"permission",fields:{id:g.id(),name:g.string({isUnique:!0,description:"Unique permission name"}),description:g.string({isOptional:!0,description:"Permission description"}),createdAt:g.createdAt(),updatedAt:g.updatedAt()}}),B=j({name:"PolicyBinding",description:"Binds roles to principals (users or organizations).",schema:"lssm_sigil",map:"policy_binding",fields:{id:g.id(),roleId:g.foreignKey(),targetType:g.string({description:'"user" or "organization"'}),targetId:g.string({description:"ID of User or Organization"}),expiresAt:g.dateTime({isOptional:!0,description:"When binding expires"}),scopeType:g.string({isOptional:!0,description:"global, tenant, workspace, organization, or user"}),scopeId:g.string({isOptional:!0}),tenantId:g.string({isOptional:!0}),workspaceId:g.string({isOptional:!0}),source:g.string({isOptional:!0,description:"static, dynamic, or template"}),templateKey:g.string({isOptional:!0}),templateVersion:g.string({isOptional:!0}),effect:g.string({isOptional:!0,description:"grant or 
deny"}),disabledAt:g.dateTime({isOptional:!0}),reason:g.string({isOptional:!0}),createdAt:g.createdAt(),userId:g.string({isOptional:!0}),organizationId:g.string({isOptional:!0}),role:g.belongsTo("Role",["roleId"],["id"],{onDelete:"Cascade"}),user:g.belongsTo("User",["userId"],["id"]),organization:g.belongsTo("Organization",["organizationId"],["id"])},indexes:[q.on(["targetType","targetId"])]}),C=j({name:"ApiKey",description:"API keys for programmatic access.",schema:"lssm_sigil",map:"api_key",fields:{id:g.id(),name:g.string({description:"API key name"}),start:g.string({description:"Starting characters for identification"}),prefix:g.string({description:"API key prefix"}),key:g.string({description:"Hashed API key"}),userId:g.foreignKey(),refillInterval:g.int({description:"Refill interval in ms"}),refillAmount:g.int({description:"Amount to refill"}),lastRefillAt:g.dateTime(),remaining:g.int({description:"Remaining requests"}),requestCount:g.int({description:"Total requests made"}),lastRequest:g.dateTime(),enabled:g.boolean({default:!0}),rateLimitEnabled:g.boolean({default:!0}),rateLimitTimeWindow:g.int({description:"Rate limit window in ms"}),rateLimitMax:g.int({description:"Max requests in window"}),expiresAt:g.dateTime(),permissions:g.string({isArray:!0}),metadata:g.json({isOptional:!0}),createdAt:g.createdAt(),updatedAt:g.updatedAt(),user:g.belongsTo("User",["userId"],["id"],{onDelete:"Cascade"})}}),D=j({name:"Passkey",description:"WebAuthn passkeys for passwordless authentication.",schema:"lssm_sigil",map:"passkey",fields:{id:g.id(),name:g.string({description:"Passkey name"}),publicKey:g.string({description:"Public key"}),userId:g.foreignKey(),credentialID:g.string({description:"Credential ID"}),counter:g.int({description:"Counter"}),deviceType:g.string({description:"Device type"}),backedUp:g.boolean({description:"Whether passkey is backed up"}),transports:g.string({description:"Transports"}),aaguid:g.string({description:"Authenticator 
GUID"}),createdAt:g.createdAt(),user:g.belongsTo("User",["userId"],["id"],{onDelete:"Cascade"})}});export{w as RoleEntity,B as PolicyBindingEntity,z as PermissionEntity,D as PasskeyEntity,C as ApiKeyEntity};
package/dist/index.js
CHANGED
@@ -1,2 +1,2 @@
1
1
// @bun
2
-
import{defineCommand as s,defineQuery as GC}from"@contractspec/lib.contracts-spec";import{ScalarTypeEnum as F,SchemaModel as D}from"@contractspec/lib.schema";var I=["platform.identity-rbac"],A=new D({name:"UserProfile",description:"User profile information",fields:{id:{type:F.String_unsecure(),isOptional:!1},email:{type:F.EmailAddress(),isOptional:!1},emailVerified:{type:F.Boolean(),isOptional:!1},name:{type:F.String_unsecure(),isOptional:!0},firstName:{type:F.String_unsecure(),isOptional:!0},lastName:{type:F.String_unsecure(),isOptional:!0},locale:{type:F.String_unsecure(),isOptional:!0},timezone:{type:F.String_unsecure(),isOptional:!0},imageUrl:{type:F.URL(),isOptional:!0},role:{type:F.String_unsecure(),isOptional:!0},onboardingCompleted:{type:F.Boolean(),isOptional:!1},createdAt:{type:F.DateTime(),isOptional:!1}}}),jC=new D({name:"CreateUserInput",description:"Input for creating a new user",fields:{email:{type:F.EmailAddress(),isOptional:!1},name:{type:F.String_unsecure(),isOptional:!0},firstName:{type:F.String_unsecure(),isOptional:!0},lastName:{type:F.String_unsecure(),isOptional:!0},password:{type:F.String_unsecure(),isOptional:!0}}}),qC=new D({name:"UpdateUserInput",description:"Input for updating a user profile",fields:{name:{type:F.String_unsecure(),isOptional:!0},firstName:{type:F.String_unsecure(),isOptional:!0},lastName:{type:F.String_unsecure(),isOptional:!0},locale:{type:F.String_unsecure(),isOptional:!0},timezone:{type:F.String_unsecure(),isOptional:!0},imageUrl:{type:F.URL(),isOptional:!0}}}),FC=new D({name:"DeleteUserInput",description:"Input for deleting a user",fields:{confirmEmail:{type:F.EmailAddress(),isOptional:!1}}}),Q=new D({name:"SuccessResult",description:"Simple success result",fields:{success:{type:F.Boolean(),isOptional:!1}}}),HC=new D({name:"UserDeletedPayload",description:"Payload for user deleted event",fields:{userId:{type:F.String_unsecure(),isOptional:!1}}}),JC=new D({name:"ListUsersInput",description:"Input for listing 
users",fields:{limit:{type:F.Int_unsecure(),isOptional:!0},offset:{type:F.Int_unsecure(),isOptional:!0},search:{type:F.String_unsecure(),isOptional:!0}}}),KC=new D({name:"ListUsersOutput",description:"Output for listing users",fields:{users:{type:A,isOptional:!1,isArray:!0},total:{type:F.Int_unsecure(),isOptional:!1}}}),MC=s({meta:{key:"identity.user.create",version:"1.0.0",stability:"stable",owners:[...I],tags:["identity","user","create"],description:"Create a new user account.",goal:"Register a new user in the system.",context:"Used during signup flows. May trigger email verification."},io:{input:jC,output:A,errors:{EMAIL_EXISTS:{description:"A user with this email already exists",http:409,gqlCode:"EMAIL_EXISTS",when:"Email is already registered"}}},policy:{auth:"anonymous"},sideEffects:{emits:[{key:"user.created",version:"1.0.0",when:"User is successfully created",payload:A}],audit:["user.created"]}}),tC=GC({meta:{key:"identity.user.me",version:"1.0.0",stability:"stable",owners:[...I],tags:["identity","user","profile"],description:"Get the current authenticated user profile.",goal:"Retrieve user profile for the authenticated session.",context:"Called on app load and after profile updates."},io:{input:null,output:A},policy:{auth:"user"}}),sC=s({meta:{key:"identity.user.update",version:"1.0.0",stability:"stable",owners:[...I],tags:["identity","user","update"],description:"Update user profile information.",goal:"Allow users to update their profile.",context:"Self-service profile updates."},io:{input:qC,output:A},policy:{auth:"user"},sideEffects:{emits:[{key:"user.updated",version:"1.0.0",when:"User profile is updated",payload:A}],audit:["user.updated"]}}),oC=s({meta:{key:"identity.user.delete",version:"1.0.0",stability:"stable",owners:[...I],tags:["identity","user","delete"],description:"Delete user account and all associated data.",goal:"Allow users to delete their account (GDPR compliance).",context:"Self-service account deletion. 
Cascades to memberships, sessions, etc."},io:{input:FC,output:Q},policy:{auth:"user",escalate:"human_review"},sideEffects:{emits:[{key:"user.deleted",version:"1.0.0",when:"User account is deleted",payload:HC}],audit:["user.deleted"]}}),TC=GC({meta:{key:"identity.user.list",version:"1.0.0",stability:"stable",owners:[...I],tags:["identity","user","admin","list"],description:"List all users (admin only).",goal:"Allow admins to browse and manage users.",context:"Admin dashboard user management."},io:{input:JC,output:KC},policy:{auth:"admin"}});import{defineCommand as R,defineQuery as T}from"@contractspec/lib.contracts-spec";import{ScalarTypeEnum as G,SchemaModel as K}from"@contractspec/lib.schema";var V=["platform.identity-rbac"],B=new K({name:"Organization",description:"Organization details",fields:{id:{type:G.String_unsecure(),isOptional:!1},name:{type:G.String_unsecure(),isOptional:!1},slug:{type:G.String_unsecure(),isOptional:!0},logo:{type:G.URL(),isOptional:!0},description:{type:G.String_unsecure(),isOptional:!0},type:{type:G.String_unsecure(),isOptional:!1},onboardingCompleted:{type:G.Boolean(),isOptional:!1},createdAt:{type:G.DateTime(),isOptional:!1}}}),XC=new K({name:"MemberUser",description:"Basic user info within a member",fields:{id:{type:G.String_unsecure(),isOptional:!1},email:{type:G.EmailAddress(),isOptional:!1},name:{type:G.String_unsecure(),isOptional:!0}}}),h=new K({name:"Member",description:"Organization member",fields:{id:{type:G.String_unsecure(),isOptional:!1},userId:{type:G.String_unsecure(),isOptional:!1},organizationId:{type:G.String_unsecure(),isOptional:!1},role:{type:G.String_unsecure(),isOptional:!1},createdAt:{type:G.DateTime(),isOptional:!1},user:{type:XC,isOptional:!1}}}),o=new K({name:"Invitation",description:"Organization 
invitation",fields:{id:{type:G.String_unsecure(),isOptional:!1},email:{type:G.EmailAddress(),isOptional:!1},role:{type:G.String_unsecure(),isOptional:!0},status:{type:G.String_unsecure(),isOptional:!1},expiresAt:{type:G.DateTime(),isOptional:!0},createdAt:{type:G.DateTime(),isOptional:!1}}}),YC=new K({name:"CreateOrgInput",description:"Input for creating an organization",fields:{name:{type:G.NonEmptyString(),isOptional:!1},slug:{type:G.String_unsecure(),isOptional:!0},description:{type:G.String_unsecure(),isOptional:!0},type:{type:G.String_unsecure(),isOptional:!0}}}),ZC=new K({name:"GetOrgInput",description:"Input for getting an organization",fields:{orgId:{type:G.String_unsecure(),isOptional:!1}}}),_C=new K({name:"UpdateOrgInput",description:"Input for updating an organization",fields:{orgId:{type:G.String_unsecure(),isOptional:!1},name:{type:G.String_unsecure(),isOptional:!0},slug:{type:G.String_unsecure(),isOptional:!0},logo:{type:G.URL(),isOptional:!0},description:{type:G.String_unsecure(),isOptional:!0}}}),$C=new K({name:"InviteMemberInput",description:"Input for inviting a member",fields:{orgId:{type:G.String_unsecure(),isOptional:!1},email:{type:G.EmailAddress(),isOptional:!1},role:{type:G.String_unsecure(),isOptional:!1},teamId:{type:G.String_unsecure(),isOptional:!0}}}),kC=new K({name:"AcceptInviteInput",description:"Input for accepting an invitation",fields:{invitationId:{type:G.String_unsecure(),isOptional:!1}}}),wC=new K({name:"RemoveMemberInput",description:"Input for removing a member",fields:{orgId:{type:G.String_unsecure(),isOptional:!1},userId:{type:G.String_unsecure(),isOptional:!1}}}),DC=new K({name:"MemberRemovedPayload",description:"Payload for member removed event",fields:{orgId:{type:G.String_unsecure(),isOptional:!1},userId:{type:G.String_unsecure(),isOptional:!1}}}),VC=new K({name:"ListMembersInput",description:"Input for listing 
members",fields:{orgId:{type:G.String_unsecure(),isOptional:!1},limit:{type:G.Int_unsecure(),isOptional:!0},offset:{type:G.Int_unsecure(),isOptional:!0}}}),UC=new K({name:"ListMembersOutput",description:"Output for listing members",fields:{members:{type:h,isOptional:!1,isArray:!0},total:{type:G.Int_unsecure(),isOptional:!1}}}),zC=new K({name:"OrganizationWithRole",description:"Organization with user role",fields:{id:{type:G.String_unsecure(),isOptional:!1},name:{type:G.String_unsecure(),isOptional:!1},slug:{type:G.String_unsecure(),isOptional:!0},logo:{type:G.URL(),isOptional:!0},description:{type:G.String_unsecure(),isOptional:!0},type:{type:G.String_unsecure(),isOptional:!1},onboardingCompleted:{type:G.Boolean(),isOptional:!1},createdAt:{type:G.DateTime(),isOptional:!1},role:{type:G.String_unsecure(),isOptional:!1}}}),AC=new K({name:"ListUserOrgsOutput",description:"Output for listing user organizations",fields:{organizations:{type:zC,isOptional:!1,isArray:!0}}}),pC=R({meta:{key:"identity.org.create",version:"1.0.0",stability:"stable",owners:[...V],tags:["identity","org","create"],description:"Create a new organization.",goal:"Allow users to create new organizations/workspaces.",context:"Called during onboarding or when creating additional workspaces."},io:{input:YC,output:B,errors:{SLUG_EXISTS:{description:"An organization with this slug already exists",http:409,gqlCode:"SLUG_EXISTS",when:"Slug is already taken"}}},policy:{auth:"user"},sideEffects:{emits:[{key:"org.created",version:"1.0.0",when:"Organization is created",payload:B}],audit:["org.created"]}}),fC=T({meta:{key:"identity.org.get",version:"1.0.0",stability:"stable",owners:[...V],tags:["identity","org","get"],description:"Get organization details.",goal:"Retrieve organization information.",context:"Called when viewing organization settings or 
dashboard."},io:{input:ZC,output:B},policy:{auth:"user"}}),uC=R({meta:{key:"identity.org.update",version:"1.0.0",stability:"stable",owners:[...V],tags:["identity","org","update"],description:"Update organization details.",goal:"Allow org admins to update organization settings.",context:"Organization settings page."},io:{input:_C,output:B},policy:{auth:"user"},sideEffects:{emits:[{key:"org.updated",version:"1.0.0",when:"Organization is updated",payload:B}],audit:["org.updated"]}}),yC=R({meta:{key:"identity.org.invite",version:"1.0.0",stability:"stable",owners:[...V],tags:["identity","org","invite","member"],description:"Invite a user to join the organization.",goal:"Allow org admins to invite new members.",context:"Team management. Sends invitation email."},io:{input:$C,output:o,errors:{ALREADY_MEMBER:{description:"User is already a member of this organization",http:409,gqlCode:"ALREADY_MEMBER",when:"Invitee is already a member"},INVITE_PENDING:{description:"An invitation for this email is already pending",http:409,gqlCode:"INVITE_PENDING",when:"Active invitation exists"}}},policy:{auth:"user"},sideEffects:{emits:[{key:"org.invite.sent",version:"1.0.0",when:"Invitation is sent",payload:o}],audit:["org.invite.sent"]}}),SC=R({meta:{key:"identity.org.invite.accept",version:"1.0.0",stability:"stable",owners:[...V],tags:["identity","org","invite","accept"],description:"Accept an organization invitation.",goal:"Allow users to join organizations via invitation.",context:"Called from invitation email link."},io:{input:kC,output:h,errors:{INVITE_EXPIRED:{description:"The invitation has expired",http:410,gqlCode:"INVITE_EXPIRED",when:"Invitation is past expiry date"},INVITE_USED:{description:"The invitation has already been used",http:409,gqlCode:"INVITE_USED",when:"Invitation was already accepted"}}},policy:{auth:"user"},sideEffects:{emits:[{key:"org.member.added",version:"1.0.0",when:"Member joins 
org",payload:h}],audit:["org.member.added"]}}),EC=R({meta:{key:"identity.org.member.remove",version:"1.0.0",stability:"stable",owners:[...V],tags:["identity","org","member","remove"],description:"Remove a member from the organization.",goal:"Allow org admins to remove members.",context:"Team management."},io:{input:wC,output:Q,errors:{CANNOT_REMOVE_OWNER:{description:"Cannot remove the organization owner",http:403,gqlCode:"CANNOT_REMOVE_OWNER",when:"Target is the org owner"}}},policy:{auth:"user"},sideEffects:{emits:[{key:"org.member.removed",version:"1.0.0",when:"Member is removed",payload:DC}],audit:["org.member.removed"]}}),rC=T({meta:{key:"identity.org.members.list",version:"1.0.0",stability:"stable",owners:[...V],tags:["identity","org","member","list"],description:"List organization members.",goal:"View all members of an organization.",context:"Team management page."},io:{input:VC,output:UC},policy:{auth:"user"}}),cC=T({meta:{key:"identity.org.list",version:"1.0.0",stability:"stable",owners:[...V],tags:["identity","org","list"],description:"List organizations the current user belongs to.",goal:"Show user their organizations for workspace switching.",context:"Workspace switcher, org selection."},io:{input:null,output:AC},policy:{auth:"user"}});import{defineCommand as O,defineQuery as f}from"@contractspec/lib.contracts-spec";import{ScalarTypeEnum as q,SchemaModel as Z}from"@contractspec/lib.schema";var N=new Z({name:"Role",description:"RBAC role definition",fields:{id:{type:q.String_unsecure(),isOptional:!1},name:{type:q.String_unsecure(),isOptional:!1},description:{type:q.String_unsecure(),isOptional:!0},permissions:{type:q.String_unsecure(),isOptional:!1,isArray:!0},createdAt:{type:q.DateTime(),isOptional:!1}}}),p=new Z({name:"PolicyBinding",description:"Role assignment to a 
target",fields:{id:{type:q.String_unsecure(),isOptional:!1},roleId:{type:q.String_unsecure(),isOptional:!1},targetType:{type:q.String_unsecure(),isOptional:!1},targetId:{type:q.String_unsecure(),isOptional:!1},expiresAt:{type:q.DateTime(),isOptional:!0},createdAt:{type:q.DateTime(),isOptional:!1},role:{type:N,isOptional:!1}}}),QC=new Z({name:"PermissionCheckResult",description:"Result of a permission check",fields:{allowed:{type:q.Boolean(),isOptional:!1},reason:{type:q.String_unsecure(),isOptional:!0},matchedRole:{type:q.String_unsecure(),isOptional:!0}}}),BC=new Z({name:"CreateRoleInput",description:"Input for creating a role",fields:{name:{type:q.NonEmptyString(),isOptional:!1},description:{type:q.String_unsecure(),isOptional:!0},permissions:{type:q.String_unsecure(),isOptional:!1,isArray:!0}}}),NC=new Z({name:"UpdateRoleInput",description:"Input for updating a role",fields:{roleId:{type:q.String_unsecure(),isOptional:!1},name:{type:q.String_unsecure(),isOptional:!0},description:{type:q.String_unsecure(),isOptional:!0},permissions:{type:q.String_unsecure(),isOptional:!0,isArray:!0}}}),WC=new Z({name:"DeleteRoleInput",description:"Input for deleting a role",fields:{roleId:{type:q.String_unsecure(),isOptional:!1}}}),IC=new Z({name:"ListRolesOutput",description:"Output for listing roles",fields:{roles:{type:N,isOptional:!1,isArray:!0}}}),RC=new Z({name:"AssignRoleInput",description:"Input for assigning a role",fields:{roleId:{type:q.String_unsecure(),isOptional:!1},targetType:{type:q.String_unsecure(),isOptional:!1},targetId:{type:q.String_unsecure(),isOptional:!1},expiresAt:{type:q.DateTime(),isOptional:!0}}}),OC=new Z({name:"RevokeRoleInput",description:"Input for revoking a role",fields:{bindingId:{type:q.String_unsecure(),isOptional:!1}}}),vC=new Z({name:"BindingIdPayload",description:"Payload with binding ID",fields:{bindingId:{type:q.String_unsecure(),isOptional:!1}}}),PC=new Z({name:"CheckPermissionInput",description:"Input for checking a 
permission",fields:{userId:{type:q.String_unsecure(),isOptional:!1},orgId:{type:q.String_unsecure(),isOptional:!0},permission:{type:q.String_unsecure(),isOptional:!1}}}),hC=new Z({name:"ListUserPermissionsInput",description:"Input for listing user permissions",fields:{userId:{type:q.String_unsecure(),isOptional:!1},orgId:{type:q.String_unsecure(),isOptional:!0}}}),gC=new Z({name:"ListUserPermissionsOutput",description:"Output for listing user permissions",fields:{permissions:{type:q.String_unsecure(),isOptional:!1,isArray:!0},roles:{type:N,isOptional:!1,isArray:!0}}}),mC=O({meta:{key:"identity.rbac.role.create",version:"1.0.0",stability:"stable",owners:["@platform.identity-rbac"],tags:["identity","rbac","role","create"],description:"Create a new role with permissions.",goal:"Allow admins to define custom roles.",context:"Role management in admin settings."},io:{input:BC,output:N,errors:{ROLE_EXISTS:{description:"A role with this name already exists",http:409,gqlCode:"ROLE_EXISTS",when:"Role name is taken"}}},policy:{auth:"admin"},sideEffects:{audit:["role.created"]}}),dC=O({meta:{key:"identity.rbac.role.update",version:"1.0.0",stability:"stable",owners:["@platform.identity-rbac"],tags:["identity","rbac","role","update"],description:"Update an existing role.",goal:"Allow admins to modify role permissions.",context:"Role management in admin settings."},io:{input:NC,output:N},policy:{auth:"admin"},sideEffects:{audit:["role.updated"]}}),iC=O({meta:{key:"identity.rbac.role.delete",version:"1.0.0",stability:"stable",owners:["@platform.identity-rbac"],tags:["identity","rbac","role","delete"],description:"Delete an existing role.",goal:"Allow admins to remove unused roles.",context:"Role management. 
Removes all policy bindings using this role."},io:{input:WC,output:Q,errors:{ROLE_IN_USE:{description:"Role is still assigned to users or organizations",http:409,gqlCode:"ROLE_IN_USE",when:"Role has active bindings"}}},policy:{auth:"admin"},sideEffects:{audit:["role.deleted"]}}),nC=f({meta:{key:"identity.rbac.role.list",version:"1.0.0",stability:"stable",owners:["@platform.identity-rbac"],tags:["identity","rbac","role","list"],description:"List all available roles.",goal:"Show available roles for assignment.",context:"Role assignment UI."},io:{input:null,output:IC},policy:{auth:"user"}}),lC=O({meta:{key:"identity.rbac.assign",version:"1.0.0",stability:"stable",owners:["@platform.identity-rbac"],tags:["identity","rbac","assign"],description:"Assign a role to a user or organization.",goal:"Grant permissions via role assignment.",context:"User/org permission management."},io:{input:RC,output:p,errors:{ROLE_NOT_FOUND:{description:"The specified role does not exist",http:404,gqlCode:"ROLE_NOT_FOUND",when:"Role ID is invalid"},ALREADY_ASSIGNED:{description:"This role is already assigned to the target",http:409,gqlCode:"ALREADY_ASSIGNED",when:"Binding already exists"}}},policy:{auth:"admin"},sideEffects:{emits:[{key:"role.assigned",version:"1.0.0",when:"Role is assigned",payload:p}],audit:["role.assigned"]}}),aC=O({meta:{key:"identity.rbac.revoke",version:"1.0.0",stability:"stable",owners:["@platform.identity-rbac"],tags:["identity","rbac","revoke"],description:"Revoke a role from a user or organization.",goal:"Remove permissions via role revocation.",context:"User/org permission management."},io:{input:OC,output:Q,errors:{BINDING_NOT_FOUND:{description:"The policy binding does not exist",http:404,gqlCode:"BINDING_NOT_FOUND",when:"Binding ID is invalid"}}},policy:{auth:"admin"},sideEffects:{emits:[{key:"role.revoked",version:"1.0.0",when:"Role is 
revoked",payload:vC}],audit:["role.revoked"]}}),eC=f({meta:{key:"identity.rbac.check",version:"1.0.0",stability:"stable",owners:["@platform.identity-rbac"],tags:["identity","rbac","check","permission"],description:"Check if a user has a specific permission.",goal:"Authorization check before sensitive operations.",context:"Called by other services to verify permissions."},io:{input:PC,output:QC},policy:{auth:"user"}}),Cx=f({meta:{key:"identity.rbac.permissions",version:"1.0.0",stability:"stable",owners:["@platform.identity-rbac"],tags:["identity","rbac","permissions","user"],description:"List all permissions for a user in a context.",goal:"Show what a user can do in an org.",context:"UI permission display, debugging."},io:{input:hC,output:gC},policy:{auth:"user"}});import{defineEntity as v,defineEntityEnum as xx,field as j,index as Lx}from"@contractspec/lib.schema";var g=xx({name:"OrganizationType",values:["PLATFORM_ADMIN","CONTRACT_SPEC_CUSTOMER"],schema:"lssm_sigil",description:"Type of organization in the platform."}),u=v({name:"Organization",description:"An organization is a tenant boundary grouping users.",schema:"lssm_sigil",map:"organization",fields:{id:j.id({description:"Unique organization identifier"}),name:j.string({description:"Organization display name"}),slug:j.string({isOptional:!0,isUnique:!0,description:"URL-friendly identifier"}),logo:j.url({isOptional:!0,description:"Organization logo URL"}),description:j.string({isOptional:!0,description:"Organization description"}),metadata:j.json({isOptional:!0,description:"Arbitrary organization metadata"}),type:j.enum("OrganizationType",{description:"Organization type"}),onboardingCompleted:j.boolean({default:!1}),onboardingStep:j.string({isOptional:!0}),referralCode:j.string({isOptional:!0,isUnique:!0,description:"Unique referral code"}),referredBy:j.string({isOptional:!0,description:"ID of referring 
user"}),createdAt:j.createdAt(),updatedAt:j.updatedAt(),members:j.hasMany("Member"),invitations:j.hasMany("Invitation"),teams:j.hasMany("Team"),policyBindings:j.hasMany("PolicyBinding")},enums:[g]}),y=v({name:"Member",description:"Membership of a user in an organization with a role.",schema:"lssm_sigil",map:"member",fields:{id:j.id(),userId:j.foreignKey(),organizationId:j.foreignKey(),role:j.string({description:"Role in organization (owner, admin, member)"}),createdAt:j.createdAt(),user:j.belongsTo("User",["userId"],["id"],{onDelete:"Cascade"}),organization:j.belongsTo("Organization",["organizationId"],["id"],{onDelete:"Cascade"})},indexes:[Lx.unique(["userId","organizationId"])]}),S=v({name:"Invitation",description:"An invitation to join an organization.",schema:"lssm_sigil",map:"invitation",fields:{id:j.id(),organizationId:j.foreignKey(),email:j.email({description:"Invited email address"}),role:j.string({isOptional:!0,description:"Role to assign on acceptance"}),status:j.string({default:'"pending"',description:"Invitation status"}),acceptedAt:j.dateTime({isOptional:!0}),expiresAt:j.dateTime({isOptional:!0}),inviterId:j.foreignKey({description:"User who sent the invitation"}),teamId:j.string({isOptional:!0}),createdAt:j.createdAt(),updatedAt:j.updatedAt(),organization:j.belongsTo("Organization",["organizationId"],["id"],{onDelete:"Cascade"}),inviter:j.belongsTo("User",["inviterId"],["id"],{onDelete:"Cascade"}),team:j.belongsTo("Team",["teamId"],["id"],{onDelete:"Cascade"})}}),E=v({name:"Team",description:"Team within an organization.",schema:"lssm_sigil",map:"team",fields:{id:j.id(),name:j.string({description:"Team name"}),organizationId:j.foreignKey(),createdAt:j.createdAt(),updatedAt:j.updatedAt(),organization:j.belongsTo("Organization",["organizationId"],["id"],{onDelete:"Cascade"}),members:j.hasMany("TeamMember"),invitations:j.hasMany("Invitation")}}),r=v({name:"TeamMember",description:"Team membership for a 
user.",schema:"lssm_sigil",map:"team_member",fields:{id:j.id(),teamId:j.foreignKey(),userId:j.foreignKey(),createdAt:j.createdAt(),team:j.belongsTo("Team",["teamId"],["id"],{onDelete:"Cascade"}),user:j.belongsTo("User",["userId"],["id"],{onDelete:"Cascade"})}});import{defineEntity as P,field as L,index as Gx}from"@contractspec/lib.schema";var c=P({name:"Role",description:"A role defines a named set of permissions.",schema:"lssm_sigil",map:"role",fields:{id:L.id(),name:L.string({isUnique:!0,description:"Unique role name"}),description:L.string({isOptional:!0,description:"Role description"}),permissions:L.string({isArray:!0,description:"Array of permission names"}),createdAt:L.createdAt(),updatedAt:L.updatedAt(),policyBindings:L.hasMany("PolicyBinding")}}),m=P({name:"Permission",description:"A permission represents an atomic access right.",schema:"lssm_sigil",map:"permission",fields:{id:L.id(),name:L.string({isUnique:!0,description:"Unique permission name"}),description:L.string({isOptional:!0,description:"Permission description"}),createdAt:L.createdAt(),updatedAt:L.updatedAt()}}),d=P({name:"PolicyBinding",description:"Binds roles to principals (users or organizations).",schema:"lssm_sigil",map:"policy_binding",fields:{id:L.id(),roleId:L.foreignKey(),targetType:L.string({description:'"user" or "organization"'}),targetId:L.string({description:"ID of User or Organization"}),expiresAt:L.dateTime({isOptional:!0,description:"When binding expires"}),createdAt:L.createdAt(),userId:L.string({isOptional:!0}),organizationId:L.string({isOptional:!0}),role:L.belongsTo("Role",["roleId"],["id"],{onDelete:"Cascade"}),user:L.belongsTo("User",["userId"],["id"]),organization:L.belongsTo("Organization",["organizationId"],["id"])},indexes:[Gx.on(["targetType","targetId"])]}),i=P({name:"ApiKey",description:"API keys for programmatic access.",schema:"lssm_sigil",map:"api_key",fields:{id:L.id(),name:L.string({description:"API key name"}),start:L.string({description:"Starting characters 
for identification"}),prefix:L.string({description:"API key prefix"}),key:L.string({description:"Hashed API key"}),userId:L.foreignKey(),refillInterval:L.int({description:"Refill interval in ms"}),refillAmount:L.int({description:"Amount to refill"}),lastRefillAt:L.dateTime(),remaining:L.int({description:"Remaining requests"}),requestCount:L.int({description:"Total requests made"}),lastRequest:L.dateTime(),enabled:L.boolean({default:!0}),rateLimitEnabled:L.boolean({default:!0}),rateLimitTimeWindow:L.int({description:"Rate limit window in ms"}),rateLimitMax:L.int({description:"Max requests in window"}),expiresAt:L.dateTime(),permissions:L.string({isArray:!0}),metadata:L.json({isOptional:!0}),createdAt:L.createdAt(),updatedAt:L.updatedAt(),user:L.belongsTo("User",["userId"],["id"],{onDelete:"Cascade"})}}),n=P({name:"Passkey",description:"WebAuthn passkeys for passwordless authentication.",schema:"lssm_sigil",map:"passkey",fields:{id:L.id(),name:L.string({description:"Passkey name"}),publicKey:L.string({description:"Public key"}),userId:L.foreignKey(),credentialID:L.string({description:"Credential ID"}),counter:L.int({description:"Counter"}),deviceType:L.string({description:"Device type"}),backedUp:L.boolean({description:"Whether passkey is backed up"}),transports:L.string({description:"Transports"}),aaguid:L.string({description:"Authenticator GUID"}),createdAt:L.createdAt(),user:L.belongsTo("User",["userId"],["id"],{onDelete:"Cascade"})}});import{defineEntity as b,field as x,index as jx}from"@contractspec/lib.schema";var l=b({name:"User",description:"A user of the platform. 
Users hold core profile information and authenticate via Account records.",schema:"lssm_sigil",map:"user",fields:{id:x.id({description:"Unique user identifier"}),email:x.email({isUnique:!0,description:"User email address"}),emailVerified:x.boolean({default:!1,description:"Whether email has been verified"}),name:x.string({isOptional:!0,description:"Display name"}),firstName:x.string({isOptional:!0,description:"First name"}),lastName:x.string({isOptional:!0,description:"Last name"}),locale:x.string({isOptional:!0,description:'User locale (e.g., "en-US")'}),timezone:x.string({isOptional:!0,description:'Olson timezone (e.g., "Europe/Paris")'}),imageUrl:x.url({isOptional:!0,description:"URL of avatar or profile picture"}),image:x.string({isOptional:!0,description:"Legacy image field"}),metadata:x.json({isOptional:!0,description:"Arbitrary user metadata"}),onboardingCompleted:x.boolean({default:!1,description:"Whether onboarding is complete"}),onboardingStep:x.string({isOptional:!0,description:"Current onboarding step"}),whitelistedAt:x.dateTime({isOptional:!0,description:"When user was whitelisted"}),role:x.string({isOptional:!0,default:'"user"',description:"User role (user, admin)"}),banned:x.boolean({default:!1,description:"Whether user is banned"}),banReason:x.string({isOptional:!0,description:"Reason for ban"}),banExpires:x.dateTime({isOptional:!0,description:"When ban expires"}),phoneNumber:x.string({isOptional:!0,isUnique:!0,description:"Phone number"}),phoneNumberVerified:x.boolean({default:!1,description:"Whether phone is verified"}),createdAt:x.createdAt(),updatedAt:x.updatedAt(),sessions:x.hasMany("Session"),accounts:x.hasMany("Account"),memberships:x.hasMany("Member"),invitations:x.hasMany("Invitation"),teamMemberships:x.hasMany("TeamMember"),policyBindings:x.hasMany("PolicyBinding"),apiKeys:x.hasMany("ApiKey"),passkeys:x.hasMany("Passkey")}}),a=b({name:"Session",description:"Represents a login session (e.g., web session or API 
token).",schema:"lssm_sigil",map:"session",fields:{id:x.id(),userId:x.foreignKey(),expiresAt:x.dateTime({description:"Session expiration time"}),token:x.string({isUnique:!0,description:"Session token"}),ipAddress:x.string({isOptional:!0,description:"Client IP address"}),userAgent:x.string({isOptional:!0,description:"Client user agent"}),impersonatedBy:x.string({isOptional:!0,description:"Admin impersonating this session"}),activeOrganizationId:x.string({isOptional:!0,description:"Active org context"}),activeTeamId:x.string({isOptional:!0,description:"Active team context"}),createdAt:x.createdAt(),updatedAt:x.updatedAt(),user:x.belongsTo("User",["userId"],["id"],{onDelete:"Cascade"})}}),e=b({name:"Account",description:"External authentication accounts (OAuth, password, etc.).",schema:"lssm_sigil",map:"account",fields:{id:x.id(),accountId:x.string({description:"Account ID from provider"}),providerId:x.string({description:"Provider identifier"}),userId:x.foreignKey(),accessToken:x.string({isOptional:!0}),refreshToken:x.string({isOptional:!0}),idToken:x.string({isOptional:!0}),accessTokenExpiresAt:x.dateTime({isOptional:!0}),refreshTokenExpiresAt:x.dateTime({isOptional:!0}),scope:x.string({isOptional:!0}),password:x.string({isOptional:!0,description:"Hashed password for password providers"}),createdAt:x.createdAt(),updatedAt:x.updatedAt(),user:x.belongsTo("User",["userId"],["id"],{onDelete:"Cascade"})},indexes:[jx.unique(["accountId","providerId"])]}),CC=b({name:"Verification",description:"Verification tokens for email/phone confirmation.",schema:"lssm_sigil",map:"verification",fields:{id:x.uuid(),identifier:x.string({description:"Email or phone being verified"}),value:x.string({description:"Verification code/token"}),expiresAt:x.dateTime({description:"Token expiration"}),createdAt:x.createdAt(),updatedAt:x.updatedAt()}});var qx=[l,a,e,CC,u,y,S,E,r,c,m,d,i,n],KL={moduleId:"@contractspec/lib.identity-rbac",entities:qx,enums:[g]};import{defineEvent as 
X}from"@contractspec/lib.contracts-spec";import{ScalarTypeEnum as C,SchemaModel as Y}from"@contractspec/lib.schema";var Fx=new Y({name:"UserCreatedPayload",description:"Payload for user created event",fields:{userId:{type:C.String_unsecure(),isOptional:!1},email:{type:C.EmailAddress(),isOptional:!1},name:{type:C.String_unsecure(),isOptional:!0},createdAt:{type:C.DateTime(),isOptional:!1}}}),Hx=new Y({name:"UserUpdatedPayload",description:"Payload for user updated event",fields:{userId:{type:C.String_unsecure(),isOptional:!1},updatedFields:{type:C.String_unsecure(),isOptional:!1,isArray:!0},updatedAt:{type:C.DateTime(),isOptional:!1}}}),Jx=new Y({name:"UserDeletedPayload",description:"Payload for user deleted event",fields:{userId:{type:C.String_unsecure(),isOptional:!1},email:{type:C.EmailAddress(),isOptional:!1},deletedAt:{type:C.DateTime(),isOptional:!1}}}),Kx=new Y({name:"UserEmailVerifiedPayload",description:"Payload for user email verified event",fields:{userId:{type:C.String_unsecure(),isOptional:!1},email:{type:C.EmailAddress(),isOptional:!1},verifiedAt:{type:C.DateTime(),isOptional:!1}}}),Xx=new Y({name:"OrgCreatedPayload",description:"Payload for org created event",fields:{orgId:{type:C.String_unsecure(),isOptional:!1},name:{type:C.String_unsecure(),isOptional:!1},slug:{type:C.String_unsecure(),isOptional:!0},createdBy:{type:C.String_unsecure(),isOptional:!1},createdAt:{type:C.DateTime(),isOptional:!1}}}),Yx=new Y({name:"OrgUpdatedPayload",description:"Payload for org updated event",fields:{orgId:{type:C.String_unsecure(),isOptional:!1},updatedFields:{type:C.String_unsecure(),isOptional:!1,isArray:!0},updatedBy:{type:C.String_unsecure(),isOptional:!1},updatedAt:{type:C.DateTime(),isOptional:!1}}}),Zx=new Y({name:"OrgDeletedPayload",description:"Payload for org deleted 
event",fields:{orgId:{type:C.String_unsecure(),isOptional:!1},name:{type:C.String_unsecure(),isOptional:!1},deletedBy:{type:C.String_unsecure(),isOptional:!1},deletedAt:{type:C.DateTime(),isOptional:!1}}}),_x=new Y({name:"OrgMemberAddedPayload",description:"Payload for member added event",fields:{orgId:{type:C.String_unsecure(),isOptional:!1},userId:{type:C.String_unsecure(),isOptional:!1},role:{type:C.String_unsecure(),isOptional:!1},invitedBy:{type:C.String_unsecure(),isOptional:!0},joinedAt:{type:C.DateTime(),isOptional:!1}}}),$x=new Y({name:"OrgMemberRemovedPayload",description:"Payload for member removed event",fields:{orgId:{type:C.String_unsecure(),isOptional:!1},userId:{type:C.String_unsecure(),isOptional:!1},removedBy:{type:C.String_unsecure(),isOptional:!0},reason:{type:C.String_unsecure(),isOptional:!0},removedAt:{type:C.DateTime(),isOptional:!1}}}),kx=new Y({name:"OrgMemberRoleChangedPayload",description:"Payload for member role changed event",fields:{orgId:{type:C.String_unsecure(),isOptional:!1},userId:{type:C.String_unsecure(),isOptional:!1},previousRole:{type:C.String_unsecure(),isOptional:!1},newRole:{type:C.String_unsecure(),isOptional:!1},changedBy:{type:C.String_unsecure(),isOptional:!1},changedAt:{type:C.DateTime(),isOptional:!1}}}),wx=new Y({name:"OrgInviteSentPayload",description:"Payload for invite sent event",fields:{invitationId:{type:C.String_unsecure(),isOptional:!1},orgId:{type:C.String_unsecure(),isOptional:!1},email:{type:C.EmailAddress(),isOptional:!1},role:{type:C.String_unsecure(),isOptional:!1},invitedBy:{type:C.String_unsecure(),isOptional:!1},expiresAt:{type:C.DateTime(),isOptional:!0},sentAt:{type:C.DateTime(),isOptional:!1}}}),Dx=new Y({name:"OrgInviteAcceptedPayload",description:"Payload for invite accepted event",fields:{invitationId:{type:C.String_unsecure(),isOptional:!1},orgId:{type:C.String_unsecure(),isOptional:!1},userId:{type:C.String_unsecure(),isOptional:!1},acceptedAt:{type:C.DateTime(),isOptional:!1}}}),Vx=new 
Y({name:"OrgInviteDeclinedPayload",description:"Payload for invite declined event",fields:{invitationId:{type:C.String_unsecure(),isOptional:!1},orgId:{type:C.String_unsecure(),isOptional:!1},declinedAt:{type:C.DateTime(),isOptional:!1}}}),Ux=new Y({name:"RoleAssignedPayload",description:"Payload for role assigned event",fields:{bindingId:{type:C.String_unsecure(),isOptional:!1},roleId:{type:C.String_unsecure(),isOptional:!1},roleName:{type:C.String_unsecure(),isOptional:!1},targetType:{type:C.String_unsecure(),isOptional:!1},targetId:{type:C.String_unsecure(),isOptional:!1},assignedBy:{type:C.String_unsecure(),isOptional:!1},expiresAt:{type:C.DateTime(),isOptional:!0},assignedAt:{type:C.DateTime(),isOptional:!1}}}),zx=new Y({name:"RoleRevokedPayload",description:"Payload for role revoked event",fields:{bindingId:{type:C.String_unsecure(),isOptional:!1},roleId:{type:C.String_unsecure(),isOptional:!1},roleName:{type:C.String_unsecure(),isOptional:!1},targetType:{type:C.String_unsecure(),isOptional:!1},targetId:{type:C.String_unsecure(),isOptional:!1},revokedBy:{type:C.String_unsecure(),isOptional:!1},revokedAt:{type:C.DateTime(),isOptional:!1}}}),Ax=X({meta:{key:"user.created",version:"1.0.0",description:"A new user has been created.",stability:"stable",owners:["@platform.identity-rbac"],tags:["user","created","identity"]},payload:Fx}),Qx=X({meta:{key:"user.updated",version:"1.0.0",description:"A user profile has been updated.",stability:"stable",owners:["@platform.identity-rbac"],tags:["user","updated","identity"]},payload:Hx}),Bx=X({meta:{key:"user.deleted",version:"1.0.0",description:"A user account has been deleted.",stability:"stable",owners:["@platform.identity-rbac"],tags:["user","deleted","identity"]},pii:["email"],payload:Jx}),Nx=X({meta:{key:"user.email_verified",version:"1.0.0",description:"A user has verified their email 
address.",stability:"stable",owners:["@platform.identity-rbac"],tags:["user","verified","identity"]},payload:Kx}),Wx=X({meta:{key:"org.created",version:"1.0.0",description:"A new organization has been created.",stability:"stable",owners:["@platform.identity-rbac"],tags:["org","created","identity"]},payload:Xx}),Ix=X({meta:{key:"org.updated",version:"1.0.0",description:"An organization has been updated.",stability:"stable",owners:["@platform.identity-rbac"],tags:["org","updated","identity"]},payload:Yx}),Rx=X({meta:{key:"org.deleted",version:"1.0.0",description:"An organization has been deleted.",stability:"stable",owners:["@platform.identity-rbac"],tags:["org","deleted","identity"]},payload:Zx}),Ox=X({meta:{key:"org.member.added",version:"1.0.0",description:"A user has joined an organization.",stability:"stable",owners:["@platform.identity-rbac"],tags:["org","member","added","identity"]},payload:_x}),vx=X({meta:{key:"org.member.removed",version:"1.0.0",description:"A user has left or been removed from an organization.",stability:"stable",owners:["@platform.identity-rbac"],tags:["org","member","removed","identity"]},payload:$x}),Px=X({meta:{key:"org.member.role_changed",version:"1.0.0",description:"A member's role in an organization has changed.",stability:"stable",owners:["@platform.identity-rbac"],tags:["org","member","role","changed","identity"]},payload:kx}),hx=X({meta:{key:"org.invite.sent",version:"1.0.0",description:"An invitation to join an organization has been sent.",stability:"stable",owners:["@platform.identity-rbac"],tags:["org","invite","sent","identity"]},pii:["email"],payload:wx}),gx=X({meta:{key:"org.invite.accepted",version:"1.0.0",description:"An invitation has been accepted.",stability:"stable",owners:["@platform.identity-rbac"],tags:["org","invite","accepted","identity"]},payload:Dx}),bx=X({meta:{key:"org.invite.declined",version:"1.0.0",description:"An invitation has been 
declined.",stability:"stable",owners:["@platform.identity-rbac"],tags:["org","invite","declined","identity"]},payload:Vx}),Mx=X({meta:{key:"role.assigned",version:"1.0.0",description:"A role has been assigned.",stability:"stable",owners:["@platform.identity-rbac"],tags:["role","assigned","identity"]},payload:Ux}),tx=X({meta:{key:"role.revoked",version:"1.0.0",description:"A role has been revoked.",stability:"stable",owners:["@platform.identity-rbac"],tags:["role","revoked","identity"]},payload:zx}),wL={UserCreatedEvent:Ax,UserUpdatedEvent:Qx,UserDeletedEvent:Bx,UserEmailVerifiedEvent:Nx,OrgCreatedEvent:Wx,OrgUpdatedEvent:Ix,OrgDeletedEvent:Rx,OrgMemberAddedEvent:Ox,OrgMemberRemovedEvent:vx,OrgMemberRoleChangedEvent:Px,OrgInviteSentEvent:hx,OrgInviteAcceptedEvent:gx,OrgInviteDeclinedEvent:bx,RoleAssignedEvent:Mx,RoleRevokedEvent:tx};import{defineFeature as sx}from"@contractspec/lib.contracts-spec/features";var UL=sx({meta:{key:"libs.identity-rbac",version:"1.0.0",title:"Identity Rbac",description:"Identity, Organizations, and RBAC module for ContractSpec 
applications",domain:"identity-rbac",owners:["@contractspec-core"],tags:["package","libs","identity-rbac"],stability:"experimental"},operations:[{key:"identity.org.create",version:"1.0.0"},{key:"identity.org.get",version:"1.0.0"},{key:"identity.org.update",version:"1.0.0"},{key:"identity.org.invite",version:"1.0.0"},{key:"identity.org.invite.accept",version:"1.0.0"},{key:"identity.org.member.remove",version:"1.0.0"},{key:"identity.org.members.list",version:"1.0.0"},{key:"identity.org.list",version:"1.0.0"},{key:"identity.rbac.role.create",version:"1.0.0"},{key:"identity.rbac.role.update",version:"1.0.0"},{key:"identity.rbac.role.delete",version:"1.0.0"},{key:"identity.rbac.role.list",version:"1.0.0"},{key:"identity.rbac.assign",version:"1.0.0"},{key:"identity.rbac.revoke",version:"1.0.0"},{key:"identity.rbac.check",version:"1.0.0"},{key:"identity.rbac.permissions",version:"1.0.0"},{key:"identity.user.create",version:"1.0.0"},{key:"identity.user.me",version:"1.0.0"},{key:"identity.user.update",version:"1.0.0"},{key:"identity.user.delete",version:"1.0.0"},{key:"identity.user.list",version:"1.0.0"}],events:[{key:"user.created",version:"1.0.0"},{key:"user.updated",version:"1.0.0"},{key:"user.deleted",version:"1.0.0"},{key:"user.email_verified",version:"1.0.0"},{key:"org.created",version:"1.0.0"},{key:"org.updated",version:"1.0.0"},{key:"org.deleted",version:"1.0.0"},{key:"org.member.added",version:"1.0.0"},{key:"org.member.removed",version:"1.0.0"},{key:"org.member.role_changed",version:"1.0.0"},{key:"org.invite.sent",version:"1.0.0"},{key:"org.invite.accepted",version:"1.0.0"},{key:"org.invite.declined",version:"1.0.0"},{key:"role.assigned",version:"1.0.0"},{key:"role.revoked",version:"1.0.0"}]});var 
H={USER_CREATE:"user.create",USER_READ:"user.read",USER_UPDATE:"user.update",USER_DELETE:"user.delete",USER_LIST:"user.list",USER_MANAGE:"user.manage",ORG_CREATE:"org.create",ORG_READ:"org.read",ORG_UPDATE:"org.update",ORG_DELETE:"org.delete",ORG_LIST:"org.list",MEMBER_INVITE:"member.invite",MEMBER_REMOVE:"member.remove",MEMBER_UPDATE_ROLE:"member.update_role",MEMBER_LIST:"member.list",MANAGE_MEMBERS:"org.manage_members",TEAM_CREATE:"team.create",TEAM_UPDATE:"team.update",TEAM_DELETE:"team.delete",TEAM_MANAGE:"team.manage",ROLE_CREATE:"role.create",ROLE_UPDATE:"role.update",ROLE_DELETE:"role.delete",ROLE_ASSIGN:"role.assign",ROLE_REVOKE:"role.revoke",BILLING_VIEW:"billing.view",BILLING_MANAGE:"billing.manage",PROJECT_CREATE:"project.create",PROJECT_READ:"project.read",PROJECT_UPDATE:"project.update",PROJECT_DELETE:"project.delete",PROJECT_MANAGE:"project.manage",ADMIN_ACCESS:"admin.access",ADMIN_IMPERSONATE:"admin.impersonate"},ox={OWNER:{name:"owner",description:"Organization owner with full access",permissions:Object.values(H)},ADMIN:{name:"admin",description:"Administrator with most permissions",permissions:[H.USER_READ,H.USER_LIST,H.ORG_READ,H.ORG_UPDATE,H.MEMBER_INVITE,H.MEMBER_REMOVE,H.MEMBER_UPDATE_ROLE,H.MEMBER_LIST,H.MANAGE_MEMBERS,H.TEAM_CREATE,H.TEAM_UPDATE,H.TEAM_DELETE,H.TEAM_MANAGE,H.PROJECT_CREATE,H.PROJECT_READ,H.PROJECT_UPDATE,H.PROJECT_DELETE,H.PROJECT_MANAGE,H.BILLING_VIEW]},MEMBER:{name:"member",description:"Regular organization member",permissions:[H.USER_READ,H.ORG_READ,H.MEMBER_LIST,H.PROJECT_READ,H.PROJECT_CREATE]},VIEWER:{name:"viewer",description:"Read-only access",permissions:[H.USER_READ,H.ORG_READ,H.MEMBER_LIST,H.PROJECT_READ]}};class xC{roleCache=new Map;bindingCache=new Map;async checkPermission(U,_){let{userId:$,orgId:k,permission:w}=U,z=new 
Date,LC=_.filter((J)=>J.targetType==="user"&&J.targetId===$),M=k?_.filter((J)=>J.targetType==="organization"&&J.targetId===k):[],W=[...LC,...M].filter((J)=>!J.expiresAt||J.expiresAt>z);if(W.length===0)return{allowed:!1,reason:"No active role bindings found"};for(let J of W)if(J.role.permissions.includes(w))return{allowed:!0,matchedRole:J.role.name};return{allowed:!1,reason:`No role grants the "${w}" permission`}}async getPermissions(U,_,$){let k=new Date,w=$.filter((J)=>J.targetType==="user"&&J.targetId===U),z=_?$.filter((J)=>J.targetType==="organization"&&J.targetId===_):[],M=[...w,...z].filter((J)=>!J.expiresAt||J.expiresAt>k),t=new Set,W=[];for(let J of M){W.push(J.role);for(let bC of J.role.permissions)t.add(bC)}return{permissions:t,roles:W}}async hasAnyPermission(U,_,$,k){let{permissions:w}=await this.getPermissions(U,_,k);return $.some((z)=>w.has(z))}async hasAllPermissions(U,_,$,k){let{permissions:w}=await this.getPermissions(U,_,k);return $.every((z)=>w.has(z))}}function Tx(){return new xC}export{KL as identityRbacSchemaContribution,qx as identityRbacEntities,Tx as createRBACEngine,CC as VerificationEntity,Qx as UserUpdatedEvent,A as UserProfileModel,l as UserEntity,Nx as UserEmailVerifiedEvent,HC as UserDeletedPayloadModel,Bx as UserDeletedEvent,Ax as UserCreatedEvent,qC as UpdateUserInputModel,sC as UpdateUserContract,NC as UpdateRoleInputModel,dC as UpdateRoleContract,_C as UpdateOrgInputModel,uC as UpdateOrgContract,r as TeamMemberEntity,E as TeamEntity,Q as SuccessResultModel,ox as StandardRole,a as SessionEntity,tx as RoleRevokedEvent,N as RoleModel,c as RoleEntity,Mx as RoleAssignedEvent,OC as RevokeRoleInputModel,aC as RevokeRoleContract,wC as RemoveMemberInputModel,EC as RemoveMemberContract,xC as RBACPolicyEngine,p as PolicyBindingModel,d as PolicyBindingEntity,m as PermissionEntity,QC as PermissionCheckResultModel,H as Permission,n as PasskeyEntity,zC as OrganizationWithRoleModel,g as OrganizationTypeEnum,B as OrganizationModel,u as 
OrganizationEntity,Ix as OrgUpdatedEvent,Px as OrgMemberRoleChangedEvent,vx as OrgMemberRemovedEvent,Ox as OrgMemberAddedEvent,hx as OrgInviteSentEvent,bx as OrgInviteDeclinedEvent,gx as OrgInviteAcceptedEvent,Rx as OrgDeletedEvent,Wx as OrgCreatedEvent,XC as MemberUserModel,DC as MemberRemovedPayloadModel,h as MemberModel,y as MemberEntity,KC as ListUsersOutputModel,JC as ListUsersInputModel,TC as ListUsersContract,gC as ListUserPermissionsOutputModel,hC as ListUserPermissionsInputModel,Cx as ListUserPermissionsContract,AC as ListUserOrgsOutputModel,cC as ListUserOrgsContract,IC as ListRolesOutputModel,nC as ListRolesContract,UC as ListMembersOutputModel,VC as ListMembersInputModel,rC as ListMembersContract,$C as InviteMemberInputModel,yC as InviteMemberContract,o as InvitationModel,S as InvitationEntity,UL as IdentityRbacFeature,wL as IdentityRbacEvents,ZC as GetOrgInputModel,fC as GetOrgContract,tC as GetCurrentUserContract,FC as DeleteUserInputModel,oC as DeleteUserContract,WC as DeleteRoleInputModel,iC as DeleteRoleContract,jC as CreateUserInputModel,MC as CreateUserContract,BC as CreateRoleInputModel,mC as CreateRoleContract,YC as CreateOrgInputModel,pC as CreateOrgContract,PC as CheckPermissionInputModel,eC as CheckPermissionContract,vC as BindingIdPayloadModel,RC as AssignRoleInputModel,lC as AssignRoleContract,i as ApiKeyEntity,e as AccountEntity,kC as AcceptInviteInputModel,SC as AcceptInviteContract};
|
|
2
|
+
import{defineCommand as t,defineQuery as JC}from"@contractspec/lib.contracts-spec";import{ScalarTypeEnum as $,SchemaModel as W}from"@contractspec/lib.schema";var R=["platform.identity-rbac"],N=new W({name:"UserProfile",description:"User profile information",fields:{id:{type:$.String_unsecure(),isOptional:!1},email:{type:$.EmailAddress(),isOptional:!1},emailVerified:{type:$.Boolean(),isOptional:!1},name:{type:$.String_unsecure(),isOptional:!0},firstName:{type:$.String_unsecure(),isOptional:!0},lastName:{type:$.String_unsecure(),isOptional:!0},locale:{type:$.String_unsecure(),isOptional:!0},timezone:{type:$.String_unsecure(),isOptional:!0},imageUrl:{type:$.URL(),isOptional:!0},role:{type:$.String_unsecure(),isOptional:!0},onboardingCompleted:{type:$.Boolean(),isOptional:!1},createdAt:{type:$.DateTime(),isOptional:!1}}}),KC=new W({name:"CreateUserInput",description:"Input for creating a new user",fields:{email:{type:$.EmailAddress(),isOptional:!1},name:{type:$.String_unsecure(),isOptional:!0},firstName:{type:$.String_unsecure(),isOptional:!0},lastName:{type:$.String_unsecure(),isOptional:!0},password:{type:$.String_unsecure(),isOptional:!0}}}),XC=new W({name:"UpdateUserInput",description:"Input for updating a user profile",fields:{name:{type:$.String_unsecure(),isOptional:!0},firstName:{type:$.String_unsecure(),isOptional:!0},lastName:{type:$.String_unsecure(),isOptional:!0},locale:{type:$.String_unsecure(),isOptional:!0},timezone:{type:$.String_unsecure(),isOptional:!0},imageUrl:{type:$.URL(),isOptional:!0}}}),YC=new W({name:"DeleteUserInput",description:"Input for deleting a user",fields:{confirmEmail:{type:$.EmailAddress(),isOptional:!1}}}),I=new W({name:"SuccessResult",description:"Simple success result",fields:{success:{type:$.Boolean(),isOptional:!1}}}),ZC=new W({name:"UserDeletedPayload",description:"Payload for user deleted event",fields:{userId:{type:$.String_unsecure(),isOptional:!1}}}),_C=new W({name:"ListUsersInput",description:"Input for listing 
users",fields:{limit:{type:$.Int_unsecure(),isOptional:!0},offset:{type:$.Int_unsecure(),isOptional:!0},search:{type:$.String_unsecure(),isOptional:!0}}}),$C=new W({name:"ListUsersOutput",description:"Output for listing users",fields:{users:{type:N,isOptional:!1,isArray:!0},total:{type:$.Int_unsecure(),isOptional:!1}}}),fC=t({meta:{key:"identity.user.create",version:"1.0.0",stability:"stable",owners:[...R],tags:["identity","user","create"],description:"Create a new user account.",goal:"Register a new user in the system.",context:"Used during signup flows. May trigger email verification."},io:{input:KC,output:N,errors:{EMAIL_EXISTS:{description:"A user with this email already exists",http:409,gqlCode:"EMAIL_EXISTS",when:"Email is already registered"}}},policy:{auth:"anonymous"},sideEffects:{emits:[{key:"user.created",version:"1.0.0",when:"User is successfully created",payload:N}],audit:["user.created"]}}),oC=JC({meta:{key:"identity.user.me",version:"1.0.0",stability:"stable",owners:[...R],tags:["identity","user","profile"],description:"Get the current authenticated user profile.",goal:"Retrieve user profile for the authenticated session.",context:"Called on app load and after profile updates."},io:{input:null,output:N},policy:{auth:"user"}}),tC=t({meta:{key:"identity.user.update",version:"1.0.0",stability:"stable",owners:[...R],tags:["identity","user","update"],description:"Update user profile information.",goal:"Allow users to update their profile.",context:"Self-service profile updates."},io:{input:XC,output:N},policy:{auth:"user"},sideEffects:{emits:[{key:"user.updated",version:"1.0.0",when:"User profile is updated",payload:N}],audit:["user.updated"]}}),yC=t({meta:{key:"identity.user.delete",version:"1.0.0",stability:"stable",owners:[...R],tags:["identity","user","delete"],description:"Delete user account and all associated data.",goal:"Allow users to delete their account (GDPR compliance).",context:"Self-service account deletion. 
Cascades to memberships, sessions, etc."},io:{input:YC,output:I},policy:{auth:"user",escalate:"human_review"},sideEffects:{emits:[{key:"user.deleted",version:"1.0.0",when:"User account is deleted",payload:ZC}],audit:["user.deleted"]}}),SC=JC({meta:{key:"identity.user.list",version:"1.0.0",stability:"stable",owners:[...R],tags:["identity","user","admin","list"],description:"List all users (admin only).",goal:"Allow admins to browse and manage users.",context:"Admin dashboard user management."},io:{input:_C,output:$C},policy:{auth:"admin"}});import{defineCommand as q,defineQuery as S}from"@contractspec/lib.contracts-spec";import{ScalarTypeEnum as X,SchemaModel as U}from"@contractspec/lib.schema";var A=["platform.identity-rbac"],P=new U({name:"Organization",description:"Organization details",fields:{id:{type:X.String_unsecure(),isOptional:!1},name:{type:X.String_unsecure(),isOptional:!1},slug:{type:X.String_unsecure(),isOptional:!0},logo:{type:X.URL(),isOptional:!0},description:{type:X.String_unsecure(),isOptional:!0},type:{type:X.String_unsecure(),isOptional:!1},onboardingCompleted:{type:X.Boolean(),isOptional:!1},createdAt:{type:X.DateTime(),isOptional:!1}}}),wC=new U({name:"MemberUser",description:"Basic user info within a member",fields:{id:{type:X.String_unsecure(),isOptional:!1},email:{type:X.EmailAddress(),isOptional:!1},name:{type:X.String_unsecure(),isOptional:!0}}}),b=new U({name:"Member",description:"Organization member",fields:{id:{type:X.String_unsecure(),isOptional:!1},userId:{type:X.String_unsecure(),isOptional:!1},organizationId:{type:X.String_unsecure(),isOptional:!1},role:{type:X.String_unsecure(),isOptional:!1},createdAt:{type:X.DateTime(),isOptional:!1},user:{type:wC,isOptional:!1}}}),y=new U({name:"Invitation",description:"Organization 
invitation",fields:{id:{type:X.String_unsecure(),isOptional:!1},email:{type:X.EmailAddress(),isOptional:!1},role:{type:X.String_unsecure(),isOptional:!0},status:{type:X.String_unsecure(),isOptional:!1},expiresAt:{type:X.DateTime(),isOptional:!0},createdAt:{type:X.DateTime(),isOptional:!1}}}),kC=new U({name:"CreateOrgInput",description:"Input for creating an organization",fields:{name:{type:X.NonEmptyString(),isOptional:!1},slug:{type:X.String_unsecure(),isOptional:!0},description:{type:X.String_unsecure(),isOptional:!0},type:{type:X.String_unsecure(),isOptional:!0}}}),zC=new U({name:"GetOrgInput",description:"Input for getting an organization",fields:{orgId:{type:X.String_unsecure(),isOptional:!1}}}),BC=new U({name:"UpdateOrgInput",description:"Input for updating an organization",fields:{orgId:{type:X.String_unsecure(),isOptional:!1},name:{type:X.String_unsecure(),isOptional:!0},slug:{type:X.String_unsecure(),isOptional:!0},logo:{type:X.URL(),isOptional:!0},description:{type:X.String_unsecure(),isOptional:!0}}}),FC=new U({name:"InviteMemberInput",description:"Input for inviting a member",fields:{orgId:{type:X.String_unsecure(),isOptional:!1},email:{type:X.EmailAddress(),isOptional:!1},role:{type:X.String_unsecure(),isOptional:!1},teamId:{type:X.String_unsecure(),isOptional:!0}}}),VC=new U({name:"AcceptInviteInput",description:"Input for accepting an invitation",fields:{invitationId:{type:X.String_unsecure(),isOptional:!1}}}),UC=new U({name:"RemoveMemberInput",description:"Input for removing a member",fields:{orgId:{type:X.String_unsecure(),isOptional:!1},userId:{type:X.String_unsecure(),isOptional:!1}}}),jC=new U({name:"MemberRemovedPayload",description:"Payload for member removed event",fields:{orgId:{type:X.String_unsecure(),isOptional:!1},userId:{type:X.String_unsecure(),isOptional:!1}}}),QC=new U({name:"ListMembersInput",description:"Input for listing 
members",fields:{orgId:{type:X.String_unsecure(),isOptional:!1},limit:{type:X.Int_unsecure(),isOptional:!0},offset:{type:X.Int_unsecure(),isOptional:!0}}}),DC=new U({name:"ListMembersOutput",description:"Output for listing members",fields:{members:{type:b,isOptional:!1,isArray:!0},total:{type:X.Int_unsecure(),isOptional:!1}}}),WC=new U({name:"OrganizationWithRole",description:"Organization with user role",fields:{id:{type:X.String_unsecure(),isOptional:!1},name:{type:X.String_unsecure(),isOptional:!1},slug:{type:X.String_unsecure(),isOptional:!0},logo:{type:X.URL(),isOptional:!0},description:{type:X.String_unsecure(),isOptional:!0},type:{type:X.String_unsecure(),isOptional:!1},onboardingCompleted:{type:X.Boolean(),isOptional:!1},createdAt:{type:X.DateTime(),isOptional:!1},role:{type:X.String_unsecure(),isOptional:!1}}}),AC=new U({name:"ListUserOrgsOutput",description:"Output for listing user organizations",fields:{organizations:{type:WC,isOptional:!1,isArray:!0}}}),EC=q({meta:{key:"identity.org.create",version:"1.0.0",stability:"stable",owners:[...A],tags:["identity","org","create"],description:"Create a new organization.",goal:"Allow users to create new organizations/workspaces.",context:"Called during onboarding or when creating additional workspaces."},io:{input:kC,output:P,errors:{SLUG_EXISTS:{description:"An organization with this slug already exists",http:409,gqlCode:"SLUG_EXISTS",when:"Slug is already taken"}}},policy:{auth:"user"},sideEffects:{emits:[{key:"org.created",version:"1.0.0",when:"Organization is created",payload:P}],audit:["org.created"]}}),pC=S({meta:{key:"identity.org.get",version:"1.0.0",stability:"stable",owners:[...A],tags:["identity","org","get"],description:"Get organization details.",goal:"Retrieve organization information.",context:"Called when viewing organization settings or 
dashboard."},io:{input:zC,output:P},policy:{auth:"user"}}),sC=q({meta:{key:"identity.org.update",version:"1.0.0",stability:"stable",owners:[...A],tags:["identity","org","update"],description:"Update organization details.",goal:"Allow org admins to update organization settings.",context:"Organization settings page."},io:{input:BC,output:P},policy:{auth:"user"},sideEffects:{emits:[{key:"org.updated",version:"1.0.0",when:"Organization is updated",payload:P}],audit:["org.updated"]}}),uC=q({meta:{key:"identity.org.invite",version:"1.0.0",stability:"stable",owners:[...A],tags:["identity","org","invite","member"],description:"Invite a user to join the organization.",goal:"Allow org admins to invite new members.",context:"Team management. Sends invitation email."},io:{input:FC,output:y,errors:{ALREADY_MEMBER:{description:"User is already a member of this organization",http:409,gqlCode:"ALREADY_MEMBER",when:"Invitee is already a member"},INVITE_PENDING:{description:"An invitation for this email is already pending",http:409,gqlCode:"INVITE_PENDING",when:"Active invitation exists"}}},policy:{auth:"user"},sideEffects:{emits:[{key:"org.invite.sent",version:"1.0.0",when:"Invitation is sent",payload:y}],audit:["org.invite.sent"]}}),mC=q({meta:{key:"identity.org.invite.accept",version:"1.0.0",stability:"stable",owners:[...A],tags:["identity","org","invite","accept"],description:"Accept an organization invitation.",goal:"Allow users to join organizations via invitation.",context:"Called from invitation email link."},io:{input:VC,output:b,errors:{INVITE_EXPIRED:{description:"The invitation has expired",http:410,gqlCode:"INVITE_EXPIRED",when:"Invitation is past expiry date"},INVITE_USED:{description:"The invitation has already been used",http:409,gqlCode:"INVITE_USED",when:"Invitation was already accepted"}}},policy:{auth:"user"},sideEffects:{emits:[{key:"org.member.added",version:"1.0.0",when:"Member joins 
org",payload:b}],audit:["org.member.added"]}}),rC=q({meta:{key:"identity.org.member.remove",version:"1.0.0",stability:"stable",owners:[...A],tags:["identity","org","member","remove"],description:"Remove a member from the organization.",goal:"Allow org admins to remove members.",context:"Team management."},io:{input:UC,output:I,errors:{CANNOT_REMOVE_OWNER:{description:"Cannot remove the organization owner",http:403,gqlCode:"CANNOT_REMOVE_OWNER",when:"Target is the org owner"}}},policy:{auth:"user"},sideEffects:{emits:[{key:"org.member.removed",version:"1.0.0",when:"Member is removed",payload:jC}],audit:["org.member.removed"]}}),cC=S({meta:{key:"identity.org.members.list",version:"1.0.0",stability:"stable",owners:[...A],tags:["identity","org","member","list"],description:"List organization members.",goal:"View all members of an organization.",context:"Team management page."},io:{input:QC,output:DC},policy:{auth:"user"}}),dC=S({meta:{key:"identity.org.list",version:"1.0.0",stability:"stable",owners:[...A],tags:["identity","org","list"],description:"List organizations the current user belongs to.",goal:"Show user their organizations for workspace switching.",context:"Workspace switcher, org selection."},io:{input:null,output:AC},policy:{auth:"user"}});import{defineCommand as v,defineQuery as p}from"@contractspec/lib.contracts-spec";import{ScalarTypeEnum as K,SchemaModel as D}from"@contractspec/lib.schema";var O=new D({name:"Role",description:"RBAC role definition",fields:{id:{type:K.String_unsecure(),isOptional:!1},name:{type:K.String_unsecure(),isOptional:!1},description:{type:K.String_unsecure(),isOptional:!0},source:{type:K.String_unsecure(),isOptional:!0},templateKey:{type:K.String_unsecure(),isOptional:!0},templateVersion:{type:K.String_unsecure(),isOptional:!0},disabledAt:{type:K.DateTime(),isOptional:!0},permissions:{type:K.String_unsecure(),isOptional:!1,isArray:!0},createdAt:{type:K.DateTime(),isOptional:!1}}}),E=new D({name:"PolicyBinding",description:"Role 
assignment to a target",fields:{id:{type:K.String_unsecure(),isOptional:!1},roleId:{type:K.String_unsecure(),isOptional:!1},targetType:{type:K.String_unsecure(),isOptional:!1},targetId:{type:K.String_unsecure(),isOptional:!1},expiresAt:{type:K.DateTime(),isOptional:!0},scopeType:{type:K.String_unsecure(),isOptional:!0},scopeId:{type:K.String_unsecure(),isOptional:!0},tenantId:{type:K.String_unsecure(),isOptional:!0},workspaceId:{type:K.String_unsecure(),isOptional:!0},source:{type:K.String_unsecure(),isOptional:!0},templateKey:{type:K.String_unsecure(),isOptional:!0},templateVersion:{type:K.String_unsecure(),isOptional:!0},effect:{type:K.String_unsecure(),isOptional:!0},disabledAt:{type:K.DateTime(),isOptional:!0},reason:{type:K.String_unsecure(),isOptional:!0},createdAt:{type:K.DateTime(),isOptional:!1},role:{type:O,isOptional:!1}}}),NC=new D({name:"PermissionCheckResult",description:"Result of a permission check",fields:{allowed:{type:K.Boolean(),isOptional:!1},reason:{type:K.String_unsecure(),isOptional:!0},matchedRole:{type:K.String_unsecure(),isOptional:!0}}}),IC=new D({name:"CreateRoleInput",description:"Input for creating a role",fields:{name:{type:K.NonEmptyString(),isOptional:!1},description:{type:K.String_unsecure(),isOptional:!0},source:{type:K.String_unsecure(),isOptional:!0},templateKey:{type:K.String_unsecure(),isOptional:!0},templateVersion:{type:K.String_unsecure(),isOptional:!0},disabledAt:{type:K.DateTime(),isOptional:!0},permissions:{type:K.String_unsecure(),isOptional:!1,isArray:!0}}}),PC=new D({name:"UpdateRoleInput",description:"Input for updating a 
role",fields:{roleId:{type:K.String_unsecure(),isOptional:!1},name:{type:K.String_unsecure(),isOptional:!0},description:{type:K.String_unsecure(),isOptional:!0},source:{type:K.String_unsecure(),isOptional:!0},templateKey:{type:K.String_unsecure(),isOptional:!0},templateVersion:{type:K.String_unsecure(),isOptional:!0},disabledAt:{type:K.DateTime(),isOptional:!0},permissions:{type:K.String_unsecure(),isOptional:!0,isArray:!0}}}),OC=new D({name:"DeleteRoleInput",description:"Input for deleting a role",fields:{roleId:{type:K.String_unsecure(),isOptional:!1}}}),xC=new D({name:"ListRolesOutput",description:"Output for listing roles",fields:{roles:{type:O,isOptional:!1,isArray:!0}}}),RC=new D({name:"AssignRoleInput",description:"Input for assigning a role",fields:{roleId:{type:K.String_unsecure(),isOptional:!1},targetType:{type:K.String_unsecure(),isOptional:!1},targetId:{type:K.String_unsecure(),isOptional:!1},expiresAt:{type:K.DateTime(),isOptional:!0}}}),qC=new D({name:"RevokeRoleInput",description:"Input for revoking a role",fields:{bindingId:{type:K.String_unsecure(),isOptional:!1}}}),vC=new D({name:"BindingIdPayload",description:"Payload with binding ID",fields:{bindingId:{type:K.String_unsecure(),isOptional:!1}}}),hC=new D({name:"CheckPermissionInput",description:"Input for checking a permission",fields:{userId:{type:K.String_unsecure(),isOptional:!1},orgId:{type:K.String_unsecure(),isOptional:!0},permission:{type:K.String_unsecure(),isOptional:!1}}}),MC=new D({name:"ListUserPermissionsInput",description:"Input for listing user permissions",fields:{userId:{type:K.String_unsecure(),isOptional:!1},orgId:{type:K.String_unsecure(),isOptional:!0}}}),bC=new D({name:"ListUserPermissionsOutput",description:"Output for listing user 
permissions",fields:{permissions:{type:K.String_unsecure(),isOptional:!1,isArray:!0},roles:{type:O,isOptional:!1,isArray:!0}}}),lC=v({meta:{key:"identity.rbac.role.create",version:"1.0.0",stability:"stable",owners:["@platform.identity-rbac"],tags:["identity","rbac","role","create"],description:"Create a new role with permissions.",goal:"Allow admins to define custom roles.",context:"Role management in admin settings."},io:{input:IC,output:O,errors:{ROLE_EXISTS:{description:"A role with this name already exists",http:409,gqlCode:"ROLE_EXISTS",when:"Role name is taken"}}},policy:{auth:"admin"},sideEffects:{audit:["role.created"]}}),aC=v({meta:{key:"identity.rbac.role.update",version:"1.0.0",stability:"stable",owners:["@platform.identity-rbac"],tags:["identity","rbac","role","update"],description:"Update an existing role.",goal:"Allow admins to modify role permissions.",context:"Role management in admin settings."},io:{input:PC,output:O},policy:{auth:"admin"},sideEffects:{audit:["role.updated"]}}),iC=v({meta:{key:"identity.rbac.role.delete",version:"1.0.0",stability:"stable",owners:["@platform.identity-rbac"],tags:["identity","rbac","role","delete"],description:"Delete an existing role.",goal:"Allow admins to remove unused roles.",context:"Role management. 
Removes all policy bindings using this role."},io:{input:OC,output:I,errors:{ROLE_IN_USE:{description:"Role is still assigned to users or organizations",http:409,gqlCode:"ROLE_IN_USE",when:"Role has active bindings"}}},policy:{auth:"admin"},sideEffects:{audit:["role.deleted"]}}),nC=p({meta:{key:"identity.rbac.role.list",version:"1.0.0",stability:"stable",owners:["@platform.identity-rbac"],tags:["identity","rbac","role","list"],description:"List all available roles.",goal:"Show available roles for assignment.",context:"Role assignment UI."},io:{input:null,output:xC},policy:{auth:"user"}}),eC=v({meta:{key:"identity.rbac.assign",version:"1.0.0",stability:"stable",owners:["@platform.identity-rbac"],tags:["identity","rbac","assign"],description:"Assign a role to a user or organization.",goal:"Grant permissions via role assignment.",context:"User/org permission management."},io:{input:RC,output:E,errors:{ROLE_NOT_FOUND:{description:"The specified role does not exist",http:404,gqlCode:"ROLE_NOT_FOUND",when:"Role ID is invalid"},ALREADY_ASSIGNED:{description:"This role is already assigned to the target",http:409,gqlCode:"ALREADY_ASSIGNED",when:"Binding already exists"}}},policy:{auth:"admin"},sideEffects:{emits:[{key:"role.assigned",version:"1.0.0",when:"Role is assigned",payload:E}],audit:["role.assigned"]}}),CL=v({meta:{key:"identity.rbac.revoke",version:"1.0.0",stability:"stable",owners:["@platform.identity-rbac"],tags:["identity","rbac","revoke"],description:"Revoke a role from a user or organization.",goal:"Remove permissions via role revocation.",context:"User/org permission management."},io:{input:qC,output:I,errors:{BINDING_NOT_FOUND:{description:"The policy binding does not exist",http:404,gqlCode:"BINDING_NOT_FOUND",when:"Binding ID is invalid"}}},policy:{auth:"admin"},sideEffects:{emits:[{key:"role.revoked",version:"1.0.0",when:"Role is 
revoked",payload:vC}],audit:["role.revoked"]}}),LL=p({meta:{key:"identity.rbac.check",version:"1.0.0",stability:"stable",owners:["@platform.identity-rbac"],tags:["identity","rbac","check","permission"],description:"Check if a user has a specific permission.",goal:"Authorization check before sensitive operations.",context:"Called by other services to verify permissions."},io:{input:hC,output:NC},policy:{auth:"user"}}),GL=p({meta:{key:"identity.rbac.permissions",version:"1.0.0",stability:"stable",owners:["@platform.identity-rbac"],tags:["identity","rbac","permissions","user"],description:"List all permissions for a user in a context.",goal:"Show what a user can do in an org.",context:"UI permission display, debugging."},io:{input:MC,output:bC},policy:{auth:"user"}});import{defineEntity as h,defineEntityEnum as HL,field as Y,index as JL}from"@contractspec/lib.schema";var g=HL({name:"OrganizationType",values:["PLATFORM_ADMIN","CONTRACT_SPEC_CUSTOMER"],schema:"lssm_sigil",description:"Type of organization in the platform."}),s=h({name:"Organization",description:"An organization is a tenant boundary grouping users.",schema:"lssm_sigil",map:"organization",fields:{id:Y.id({description:"Unique organization identifier"}),name:Y.string({description:"Organization display name"}),slug:Y.string({isOptional:!0,isUnique:!0,description:"URL-friendly identifier"}),logo:Y.url({isOptional:!0,description:"Organization logo URL"}),description:Y.string({isOptional:!0,description:"Organization description"}),metadata:Y.json({isOptional:!0,description:"Arbitrary organization metadata"}),type:Y.enum("OrganizationType",{description:"Organization type"}),onboardingCompleted:Y.boolean({default:!1}),onboardingStep:Y.string({isOptional:!0}),referralCode:Y.string({isOptional:!0,isUnique:!0,description:"Unique referral code"}),referredBy:Y.string({isOptional:!0,description:"ID of referring 
user"}),createdAt:Y.createdAt(),updatedAt:Y.updatedAt(),members:Y.hasMany("Member"),invitations:Y.hasMany("Invitation"),teams:Y.hasMany("Team"),policyBindings:Y.hasMany("PolicyBinding")},enums:[g]}),u=h({name:"Member",description:"Membership of a user in an organization with a role.",schema:"lssm_sigil",map:"member",fields:{id:Y.id(),userId:Y.foreignKey(),organizationId:Y.foreignKey(),role:Y.string({description:"Role in organization (owner, admin, member)"}),createdAt:Y.createdAt(),user:Y.belongsTo("User",["userId"],["id"],{onDelete:"Cascade"}),organization:Y.belongsTo("Organization",["organizationId"],["id"],{onDelete:"Cascade"})},indexes:[JL.unique(["userId","organizationId"])]}),m=h({name:"Invitation",description:"An invitation to join an organization.",schema:"lssm_sigil",map:"invitation",fields:{id:Y.id(),organizationId:Y.foreignKey(),email:Y.email({description:"Invited email address"}),role:Y.string({isOptional:!0,description:"Role to assign on acceptance"}),status:Y.string({default:'"pending"',description:"Invitation status"}),acceptedAt:Y.dateTime({isOptional:!0}),expiresAt:Y.dateTime({isOptional:!0}),inviterId:Y.foreignKey({description:"User who sent the invitation"}),teamId:Y.string({isOptional:!0}),createdAt:Y.createdAt(),updatedAt:Y.updatedAt(),organization:Y.belongsTo("Organization",["organizationId"],["id"],{onDelete:"Cascade"}),inviter:Y.belongsTo("User",["inviterId"],["id"],{onDelete:"Cascade"}),team:Y.belongsTo("Team",["teamId"],["id"],{onDelete:"Cascade"})}}),r=h({name:"Team",description:"Team within an organization.",schema:"lssm_sigil",map:"team",fields:{id:Y.id(),name:Y.string({description:"Team name"}),organizationId:Y.foreignKey(),createdAt:Y.createdAt(),updatedAt:Y.updatedAt(),organization:Y.belongsTo("Organization",["organizationId"],["id"],{onDelete:"Cascade"}),members:Y.hasMany("TeamMember"),invitations:Y.hasMany("Invitation")}}),c=h({name:"TeamMember",description:"Team membership for a 
user.",schema:"lssm_sigil",map:"team_member",fields:{id:Y.id(),teamId:Y.foreignKey(),userId:Y.foreignKey(),createdAt:Y.createdAt(),team:Y.belongsTo("Team",["teamId"],["id"],{onDelete:"Cascade"}),user:Y.belongsTo("User",["userId"],["id"],{onDelete:"Cascade"})}});import{defineEntity as M,field as L,index as KL}from"@contractspec/lib.schema";var d=M({name:"Role",description:"A role defines a named set of permissions.",schema:"lssm_sigil",map:"role",fields:{id:L.id(),name:L.string({isUnique:!0,description:"Unique role name"}),description:L.string({isOptional:!0,description:"Role description"}),source:L.string({isOptional:!0,description:"static, dynamic, or template"}),templateKey:L.string({isOptional:!0}),templateVersion:L.string({isOptional:!0}),disabledAt:L.dateTime({isOptional:!0}),permissions:L.string({isArray:!0,description:"Array of permission names"}),createdAt:L.createdAt(),updatedAt:L.updatedAt(),policyBindings:L.hasMany("PolicyBinding")}}),l=M({name:"Permission",description:"A permission represents an atomic access right.",schema:"lssm_sigil",map:"permission",fields:{id:L.id(),name:L.string({isUnique:!0,description:"Unique permission name"}),description:L.string({isOptional:!0,description:"Permission description"}),createdAt:L.createdAt(),updatedAt:L.updatedAt()}}),a=M({name:"PolicyBinding",description:"Binds roles to principals (users or organizations).",schema:"lssm_sigil",map:"policy_binding",fields:{id:L.id(),roleId:L.foreignKey(),targetType:L.string({description:'"user" or "organization"'}),targetId:L.string({description:"ID of User or Organization"}),expiresAt:L.dateTime({isOptional:!0,description:"When binding expires"}),scopeType:L.string({isOptional:!0,description:"global, tenant, workspace, organization, or user"}),scopeId:L.string({isOptional:!0}),tenantId:L.string({isOptional:!0}),workspaceId:L.string({isOptional:!0}),source:L.string({isOptional:!0,description:"static, dynamic, or 
template"}),templateKey:L.string({isOptional:!0}),templateVersion:L.string({isOptional:!0}),effect:L.string({isOptional:!0,description:"grant or deny"}),disabledAt:L.dateTime({isOptional:!0}),reason:L.string({isOptional:!0}),createdAt:L.createdAt(),userId:L.string({isOptional:!0}),organizationId:L.string({isOptional:!0}),role:L.belongsTo("Role",["roleId"],["id"],{onDelete:"Cascade"}),user:L.belongsTo("User",["userId"],["id"]),organization:L.belongsTo("Organization",["organizationId"],["id"])},indexes:[KL.on(["targetType","targetId"])]}),i=M({name:"ApiKey",description:"API keys for programmatic access.",schema:"lssm_sigil",map:"api_key",fields:{id:L.id(),name:L.string({description:"API key name"}),start:L.string({description:"Starting characters for identification"}),prefix:L.string({description:"API key prefix"}),key:L.string({description:"Hashed API key"}),userId:L.foreignKey(),refillInterval:L.int({description:"Refill interval in ms"}),refillAmount:L.int({description:"Amount to refill"}),lastRefillAt:L.dateTime(),remaining:L.int({description:"Remaining requests"}),requestCount:L.int({description:"Total requests made"}),lastRequest:L.dateTime(),enabled:L.boolean({default:!0}),rateLimitEnabled:L.boolean({default:!0}),rateLimitTimeWindow:L.int({description:"Rate limit window in ms"}),rateLimitMax:L.int({description:"Max requests in window"}),expiresAt:L.dateTime(),permissions:L.string({isArray:!0}),metadata:L.json({isOptional:!0}),createdAt:L.createdAt(),updatedAt:L.updatedAt(),user:L.belongsTo("User",["userId"],["id"],{onDelete:"Cascade"})}}),n=M({name:"Passkey",description:"WebAuthn passkeys for passwordless authentication.",schema:"lssm_sigil",map:"passkey",fields:{id:L.id(),name:L.string({description:"Passkey name"}),publicKey:L.string({description:"Public key"}),userId:L.foreignKey(),credentialID:L.string({description:"Credential ID"}),counter:L.int({description:"Counter"}),deviceType:L.string({description:"Device 
type"}),backedUp:L.boolean({description:"Whether passkey is backed up"}),transports:L.string({description:"Transports"}),aaguid:L.string({description:"Authenticator GUID"}),createdAt:L.createdAt(),user:L.belongsTo("User",["userId"],["id"],{onDelete:"Cascade"})}});import{defineEntity as T,field as H,index as XL}from"@contractspec/lib.schema";var e=T({name:"User",description:"A user of the platform. Users hold core profile information and authenticate via Account records.",schema:"lssm_sigil",map:"user",fields:{id:H.id({description:"Unique user identifier"}),email:H.email({isUnique:!0,description:"User email address"}),emailVerified:H.boolean({default:!1,description:"Whether email has been verified"}),name:H.string({isOptional:!0,description:"Display name"}),firstName:H.string({isOptional:!0,description:"First name"}),lastName:H.string({isOptional:!0,description:"Last name"}),locale:H.string({isOptional:!0,description:'User locale (e.g., "en-US")'}),timezone:H.string({isOptional:!0,description:'Olson timezone (e.g., "Europe/Paris")'}),imageUrl:H.url({isOptional:!0,description:"URL of avatar or profile picture"}),image:H.string({isOptional:!0,description:"Legacy image field"}),metadata:H.json({isOptional:!0,description:"Arbitrary user metadata"}),onboardingCompleted:H.boolean({default:!1,description:"Whether onboarding is complete"}),onboardingStep:H.string({isOptional:!0,description:"Current onboarding step"}),whitelistedAt:H.dateTime({isOptional:!0,description:"When user was whitelisted"}),role:H.string({isOptional:!0,default:'"user"',description:"User role (user, admin)"}),banned:H.boolean({default:!1,description:"Whether user is banned"}),banReason:H.string({isOptional:!0,description:"Reason for ban"}),banExpires:H.dateTime({isOptional:!0,description:"When ban expires"}),phoneNumber:H.string({isOptional:!0,isUnique:!0,description:"Phone number"}),phoneNumberVerified:H.boolean({default:!1,description:"Whether phone is 
verified"}),createdAt:H.createdAt(),updatedAt:H.updatedAt(),sessions:H.hasMany("Session"),accounts:H.hasMany("Account"),memberships:H.hasMany("Member"),invitations:H.hasMany("Invitation"),teamMemberships:H.hasMany("TeamMember"),policyBindings:H.hasMany("PolicyBinding"),apiKeys:H.hasMany("ApiKey"),passkeys:H.hasMany("Passkey")}}),CC=T({name:"Session",description:"Represents a login session (e.g., web session or API token).",schema:"lssm_sigil",map:"session",fields:{id:H.id(),userId:H.foreignKey(),expiresAt:H.dateTime({description:"Session expiration time"}),token:H.string({isUnique:!0,description:"Session token"}),ipAddress:H.string({isOptional:!0,description:"Client IP address"}),userAgent:H.string({isOptional:!0,description:"Client user agent"}),impersonatedBy:H.string({isOptional:!0,description:"Admin impersonating this session"}),activeOrganizationId:H.string({isOptional:!0,description:"Active org context"}),activeTeamId:H.string({isOptional:!0,description:"Active team context"}),createdAt:H.createdAt(),updatedAt:H.updatedAt(),user:H.belongsTo("User",["userId"],["id"],{onDelete:"Cascade"})}}),LC=T({name:"Account",description:"External authentication accounts (OAuth, password, etc.).",schema:"lssm_sigil",map:"account",fields:{id:H.id(),accountId:H.string({description:"Account ID from provider"}),providerId:H.string({description:"Provider identifier"}),userId:H.foreignKey(),accessToken:H.string({isOptional:!0}),refreshToken:H.string({isOptional:!0}),idToken:H.string({isOptional:!0}),accessTokenExpiresAt:H.dateTime({isOptional:!0}),refreshTokenExpiresAt:H.dateTime({isOptional:!0}),scope:H.string({isOptional:!0}),password:H.string({isOptional:!0,description:"Hashed password for password providers"}),createdAt:H.createdAt(),updatedAt:H.updatedAt(),user:H.belongsTo("User",["userId"],["id"],{onDelete:"Cascade"})},indexes:[XL.unique(["accountId","providerId"])]}),GC=T({name:"Verification",description:"Verification tokens for email/phone 
confirmation.",schema:"lssm_sigil",map:"verification",fields:{id:H.uuid(),identifier:H.string({description:"Email or phone being verified"}),value:H.string({description:"Verification code/token"}),expiresAt:H.dateTime({description:"Token expiration"}),createdAt:H.createdAt(),updatedAt:H.updatedAt()}});var YL=[e,CC,LC,GC,s,u,m,r,c,d,l,a,i,n],AG={moduleId:"@contractspec/lib.identity-rbac",entities:YL,enums:[g]};import{defineEvent as j}from"@contractspec/lib.contracts-spec";import{ScalarTypeEnum as G,SchemaModel as Q}from"@contractspec/lib.schema";var ZL=new Q({name:"UserCreatedPayload",description:"Payload for user created event",fields:{userId:{type:G.String_unsecure(),isOptional:!1},email:{type:G.EmailAddress(),isOptional:!1},name:{type:G.String_unsecure(),isOptional:!0},createdAt:{type:G.DateTime(),isOptional:!1}}}),_L=new Q({name:"UserUpdatedPayload",description:"Payload for user updated event",fields:{userId:{type:G.String_unsecure(),isOptional:!1},updatedFields:{type:G.String_unsecure(),isOptional:!1,isArray:!0},updatedAt:{type:G.DateTime(),isOptional:!1}}}),$L=new Q({name:"UserDeletedPayload",description:"Payload for user deleted event",fields:{userId:{type:G.String_unsecure(),isOptional:!1},email:{type:G.EmailAddress(),isOptional:!1},deletedAt:{type:G.DateTime(),isOptional:!1}}}),wL=new Q({name:"UserEmailVerifiedPayload",description:"Payload for user email verified event",fields:{userId:{type:G.String_unsecure(),isOptional:!1},email:{type:G.EmailAddress(),isOptional:!1},verifiedAt:{type:G.DateTime(),isOptional:!1}}}),kL=new Q({name:"OrgCreatedPayload",description:"Payload for org created event",fields:{orgId:{type:G.String_unsecure(),isOptional:!1},name:{type:G.String_unsecure(),isOptional:!1},slug:{type:G.String_unsecure(),isOptional:!0},createdBy:{type:G.String_unsecure(),isOptional:!1},createdAt:{type:G.DateTime(),isOptional:!1}}}),zL=new Q({name:"OrgUpdatedPayload",description:"Payload for org updated 
event",fields:{orgId:{type:G.String_unsecure(),isOptional:!1},updatedFields:{type:G.String_unsecure(),isOptional:!1,isArray:!0},updatedBy:{type:G.String_unsecure(),isOptional:!1},updatedAt:{type:G.DateTime(),isOptional:!1}}}),BL=new Q({name:"OrgDeletedPayload",description:"Payload for org deleted event",fields:{orgId:{type:G.String_unsecure(),isOptional:!1},name:{type:G.String_unsecure(),isOptional:!1},deletedBy:{type:G.String_unsecure(),isOptional:!1},deletedAt:{type:G.DateTime(),isOptional:!1}}}),FL=new Q({name:"OrgMemberAddedPayload",description:"Payload for member added event",fields:{orgId:{type:G.String_unsecure(),isOptional:!1},userId:{type:G.String_unsecure(),isOptional:!1},role:{type:G.String_unsecure(),isOptional:!1},invitedBy:{type:G.String_unsecure(),isOptional:!0},joinedAt:{type:G.DateTime(),isOptional:!1}}}),VL=new Q({name:"OrgMemberRemovedPayload",description:"Payload for member removed event",fields:{orgId:{type:G.String_unsecure(),isOptional:!1},userId:{type:G.String_unsecure(),isOptional:!1},removedBy:{type:G.String_unsecure(),isOptional:!0},reason:{type:G.String_unsecure(),isOptional:!0},removedAt:{type:G.DateTime(),isOptional:!1}}}),UL=new Q({name:"OrgMemberRoleChangedPayload",description:"Payload for member role changed event",fields:{orgId:{type:G.String_unsecure(),isOptional:!1},userId:{type:G.String_unsecure(),isOptional:!1},previousRole:{type:G.String_unsecure(),isOptional:!1},newRole:{type:G.String_unsecure(),isOptional:!1},changedBy:{type:G.String_unsecure(),isOptional:!1},changedAt:{type:G.DateTime(),isOptional:!1}}}),jL=new Q({name:"OrgInviteSentPayload",description:"Payload for invite sent event",fields:{invitationId:{type:G.String_unsecure(),isOptional:!1},orgId:{type:G.String_unsecure(),isOptional:!1},email:{type:G.EmailAddress(),isOptional:!1},role:{type:G.String_unsecure(),isOptional:!1},invitedBy:{type:G.String_unsecure(),isOptional:!1},expiresAt:{type:G.DateTime(),isOptional:!0},sentAt:{type:G.DateTime(),isOptional:!1}}}),QL=new 
Q({name:"OrgInviteAcceptedPayload",description:"Payload for invite accepted event",fields:{invitationId:{type:G.String_unsecure(),isOptional:!1},orgId:{type:G.String_unsecure(),isOptional:!1},userId:{type:G.String_unsecure(),isOptional:!1},acceptedAt:{type:G.DateTime(),isOptional:!1}}}),DL=new Q({name:"OrgInviteDeclinedPayload",description:"Payload for invite declined event",fields:{invitationId:{type:G.String_unsecure(),isOptional:!1},orgId:{type:G.String_unsecure(),isOptional:!1},declinedAt:{type:G.DateTime(),isOptional:!1}}}),WL=new Q({name:"RoleAssignedPayload",description:"Payload for role assigned event",fields:{bindingId:{type:G.String_unsecure(),isOptional:!1},roleId:{type:G.String_unsecure(),isOptional:!1},roleName:{type:G.String_unsecure(),isOptional:!1},targetType:{type:G.String_unsecure(),isOptional:!1},targetId:{type:G.String_unsecure(),isOptional:!1},assignedBy:{type:G.String_unsecure(),isOptional:!1},expiresAt:{type:G.DateTime(),isOptional:!0},assignedAt:{type:G.DateTime(),isOptional:!1}}}),AL=new Q({name:"RoleRevokedPayload",description:"Payload for role revoked event",fields:{bindingId:{type:G.String_unsecure(),isOptional:!1},roleId:{type:G.String_unsecure(),isOptional:!1},roleName:{type:G.String_unsecure(),isOptional:!1},targetType:{type:G.String_unsecure(),isOptional:!1},targetId:{type:G.String_unsecure(),isOptional:!1},revokedBy:{type:G.String_unsecure(),isOptional:!1},revokedAt:{type:G.DateTime(),isOptional:!1}}}),NL=j({meta:{key:"user.created",version:"1.0.0",description:"A new user has been created.",stability:"stable",owners:["@platform.identity-rbac"],tags:["user","created","identity"]},payload:ZL}),IL=j({meta:{key:"user.updated",version:"1.0.0",description:"A user profile has been updated.",stability:"stable",owners:["@platform.identity-rbac"],tags:["user","updated","identity"]},payload:_L}),PL=j({meta:{key:"user.deleted",version:"1.0.0",description:"A user account has been 
deleted.",stability:"stable",owners:["@platform.identity-rbac"],tags:["user","deleted","identity"]},pii:["email"],payload:$L}),OL=j({meta:{key:"user.email_verified",version:"1.0.0",description:"A user has verified their email address.",stability:"stable",owners:["@platform.identity-rbac"],tags:["user","verified","identity"]},payload:wL}),xL=j({meta:{key:"org.created",version:"1.0.0",description:"A new organization has been created.",stability:"stable",owners:["@platform.identity-rbac"],tags:["org","created","identity"]},payload:kL}),RL=j({meta:{key:"org.updated",version:"1.0.0",description:"An organization has been updated.",stability:"stable",owners:["@platform.identity-rbac"],tags:["org","updated","identity"]},payload:zL}),qL=j({meta:{key:"org.deleted",version:"1.0.0",description:"An organization has been deleted.",stability:"stable",owners:["@platform.identity-rbac"],tags:["org","deleted","identity"]},payload:BL}),vL=j({meta:{key:"org.member.added",version:"1.0.0",description:"A user has joined an organization.",stability:"stable",owners:["@platform.identity-rbac"],tags:["org","member","added","identity"]},payload:FL}),hL=j({meta:{key:"org.member.removed",version:"1.0.0",description:"A user has left or been removed from an organization.",stability:"stable",owners:["@platform.identity-rbac"],tags:["org","member","removed","identity"]},payload:VL}),ML=j({meta:{key:"org.member.role_changed",version:"1.0.0",description:"A member's role in an organization has changed.",stability:"stable",owners:["@platform.identity-rbac"],tags:["org","member","role","changed","identity"]},payload:UL}),bL=j({meta:{key:"org.invite.sent",version:"1.0.0",description:"An invitation to join an organization has been sent.",stability:"stable",owners:["@platform.identity-rbac"],tags:["org","invite","sent","identity"]},pii:["email"],payload:jL}),gL=j({meta:{key:"org.invite.accepted",version:"1.0.0",description:"An invitation has been 
accepted.",stability:"stable",owners:["@platform.identity-rbac"],tags:["org","invite","accepted","identity"]},payload:QL}),TL=j({meta:{key:"org.invite.declined",version:"1.0.0",description:"An invitation has been declined.",stability:"stable",owners:["@platform.identity-rbac"],tags:["org","invite","declined","identity"]},payload:DL}),fL=j({meta:{key:"role.assigned",version:"1.0.0",description:"A role has been assigned.",stability:"stable",owners:["@platform.identity-rbac"],tags:["role","assigned","identity"]},payload:WL}),oL=j({meta:{key:"role.revoked",version:"1.0.0",description:"A role has been revoked.",stability:"stable",owners:["@platform.identity-rbac"],tags:["role","revoked","identity"]},payload:AL}),qG={UserCreatedEvent:NL,UserUpdatedEvent:IL,UserDeletedEvent:PL,UserEmailVerifiedEvent:OL,OrgCreatedEvent:xL,OrgUpdatedEvent:RL,OrgDeletedEvent:qL,OrgMemberAddedEvent:vL,OrgMemberRemovedEvent:hL,OrgMemberRoleChangedEvent:ML,OrgInviteSentEvent:bL,OrgInviteAcceptedEvent:gL,OrgInviteDeclinedEvent:TL,RoleAssignedEvent:fL,RoleRevokedEvent:oL};import{defineFeature as tL}from"@contractspec/lib.contracts-spec/features";var MG=tL({meta:{key:"libs.identity-rbac",version:"1.0.0",title:"Identity Rbac",description:"Identity, Organizations, and RBAC module for ContractSpec 
applications",domain:"identity-rbac",owners:["@contractspec-core"],tags:["package","libs","identity-rbac"],stability:"experimental"},operations:[{key:"identity.org.create",version:"1.0.0"},{key:"identity.org.get",version:"1.0.0"},{key:"identity.org.update",version:"1.0.0"},{key:"identity.org.invite",version:"1.0.0"},{key:"identity.org.invite.accept",version:"1.0.0"},{key:"identity.org.member.remove",version:"1.0.0"},{key:"identity.org.members.list",version:"1.0.0"},{key:"identity.org.list",version:"1.0.0"},{key:"identity.rbac.role.create",version:"1.0.0"},{key:"identity.rbac.role.update",version:"1.0.0"},{key:"identity.rbac.role.delete",version:"1.0.0"},{key:"identity.rbac.role.list",version:"1.0.0"},{key:"identity.rbac.assign",version:"1.0.0"},{key:"identity.rbac.revoke",version:"1.0.0"},{key:"identity.rbac.check",version:"1.0.0"},{key:"identity.rbac.permissions",version:"1.0.0"},{key:"identity.user.create",version:"1.0.0"},{key:"identity.user.me",version:"1.0.0"},{key:"identity.user.update",version:"1.0.0"},{key:"identity.user.delete",version:"1.0.0"},{key:"identity.user.list",version:"1.0.0"}],events:[{key:"user.created",version:"1.0.0"},{key:"user.updated",version:"1.0.0"},{key:"user.deleted",version:"1.0.0"},{key:"user.email_verified",version:"1.0.0"},{key:"org.created",version:"1.0.0"},{key:"org.updated",version:"1.0.0"},{key:"org.deleted",version:"1.0.0"},{key:"org.member.added",version:"1.0.0"},{key:"org.member.removed",version:"1.0.0"},{key:"org.member.role_changed",version:"1.0.0"},{key:"org.invite.sent",version:"1.0.0"},{key:"org.invite.accepted",version:"1.0.0"},{key:"org.invite.declined",version:"1.0.0"},{key:"role.assigned",version:"1.0.0"},{key:"role.revoked",version:"1.0.0"}]});import{checkCombinedPolicy as yL,createPolicyContext as SL,PolicyEngine as EL}from"@contractspec/lib.contracts-spec/policy";var 
w={USER_CREATE:"user.create",USER_READ:"user.read",USER_UPDATE:"user.update",USER_DELETE:"user.delete",USER_LIST:"user.list",USER_MANAGE:"user.manage",ORG_CREATE:"org.create",ORG_READ:"org.read",ORG_UPDATE:"org.update",ORG_DELETE:"org.delete",ORG_LIST:"org.list",MEMBER_INVITE:"member.invite",MEMBER_REMOVE:"member.remove",MEMBER_UPDATE_ROLE:"member.update_role",MEMBER_LIST:"member.list",MANAGE_MEMBERS:"org.manage_members",TEAM_CREATE:"team.create",TEAM_UPDATE:"team.update",TEAM_DELETE:"team.delete",TEAM_MANAGE:"team.manage",ROLE_CREATE:"role.create",ROLE_UPDATE:"role.update",ROLE_DELETE:"role.delete",ROLE_ASSIGN:"role.assign",ROLE_REVOKE:"role.revoke",BILLING_VIEW:"billing.view",BILLING_MANAGE:"billing.manage",PROJECT_CREATE:"project.create",PROJECT_READ:"project.read",PROJECT_UPDATE:"project.update",PROJECT_DELETE:"project.delete",PROJECT_MANAGE:"project.manage",ADMIN_ACCESS:"admin.access",ADMIN_IMPERSONATE:"admin.impersonate"},pL={OWNER:{name:"owner",description:"Organization owner with full access",permissions:Object.values(w)},ADMIN:{name:"admin",description:"Administrator with most permissions",permissions:[w.USER_READ,w.USER_LIST,w.ORG_READ,w.ORG_UPDATE,w.MEMBER_INVITE,w.MEMBER_REMOVE,w.MEMBER_UPDATE_ROLE,w.MEMBER_LIST,w.MANAGE_MEMBERS,w.TEAM_CREATE,w.TEAM_UPDATE,w.TEAM_DELETE,w.TEAM_MANAGE,w.PROJECT_CREATE,w.PROJECT_READ,w.PROJECT_UPDATE,w.PROJECT_DELETE,w.PROJECT_MANAGE,w.BILLING_VIEW]},MEMBER:{name:"member",description:"Regular organization member",permissions:[w.USER_READ,w.ORG_READ,w.MEMBER_LIST,w.PROJECT_READ,w.PROJECT_CREATE]},VIEWER:{name:"viewer",description:"Read-only access",permissions:[w.USER_READ,w.ORG_READ,w.MEMBER_LIST,w.PROJECT_READ]}};class TC{bindings;constructor(C=[]){this.bindings=C}resolveEffectiveAccess(C){return f(C,this.bindings,"static")}}class HC{async checkPermission(C,J){let{userId:Z,orgId:_,permission:k}=C,F=f({userId:Z,orgId:_},J,"static");if(F.deniedPermissions.has(k))return{allowed:!1,reason:`Explicit deny for the "${k}" 
permission`};if(F.permissions.has(k))return{allowed:!0,matchedRole:F.roles.find((V)=>V.permissions.includes(k))?.name};return{allowed:!1,reason:F.roles.length?`No role grants the "${k}" permission`:"No active role bindings found"}}async getPermissions(C,J,Z){let _=f({userId:C,orgId:J},Z,"static");return{permissions:_.permissions,roles:_.roles}}async hasAnyPermission(C,J,Z,_){let{permissions:k}=await this.getPermissions(C,J,_);return Z.some((F)=>k.has(F))}async hasAllPermissions(C,J,Z,_){let{permissions:k}=await this.getPermissions(C,J,_);return Z.every((F)=>k.has(F))}async evaluateRequirement(C){let J=C.mode??(C.source?"dynamic":"static"),Z;try{Z=C.source?await C.source.resolveEffectiveAccess(C.subject):f(C.subject,C.bindings??[],J)}catch(B){if(C.failClosedOnSourceUnavailable??!0)return{effect:"deny",mode:J,reason:"source_unavailable",source:J,roles:[],permissions:[],missing:gC(C.requirement)};throw B}if(Z.sourceUnavailable&&(C.failClosedOnSourceUnavailable??!0))return{effect:"deny",mode:J,reason:"source_unavailable",source:J,roles:Z.roles,permissions:[...Z.permissions],missing:gC(C.requirement)};Z=sL(Z);let _=(C.subject.roles??[]).filter((B)=>!Z.deniedRoles.has(B)),k=rL(C.requirement,Z,_);if(k.permissions.length||k.roles.length)return{effect:"deny",mode:J,reason:lL(k),source:J,roles:Z.roles,permissions:[...Z.permissions],deniedPermissions:k.permissions,deniedRoles:k.roles,missing:{permissions:k.permissions,roles:k.roles}};let F=SL({id:C.subject.userId,tenantId:C.subject.tenantId,roles:[..._,...Z.roles.map((B)=>B.name)],permissions:[...C.subject.permissions??[],...Z.permissions],attributes:C.subject.attributes??{}}),V=yL(F,C.requirement,C.subject.flags??[]);if(!V.allowed)return{effect:"deny",mode:J,reason:V.reason,source:J,roles:Z.roles,permissions:[...Z.permissions],missing:V.missing};if(C.requirement.policies?.length&&C.policyRegistry){let B=new 
EL(C.policyRegistry).decide({action:"access",subject:{roles:[...F.roles],attributes:C.subject.attributes},resource:{type:C.requirement.resource?.type??"contractspec.surface",fields:C.requirement.resource?.fields},policies:C.requirement.policies});if(B.effect==="deny")return{...B,mode:J,source:J,roles:Z.roles,permissions:[...Z.permissions]}}return{effect:"allow",mode:J,reason:Z.reasons[0],source:J,roles:Z.roles,permissions:[...Z.permissions],matched:aL(C.requirement,Z,_)}}}function f(C,J,Z){let _=new Set(C.permissions??[]),k=new Set,F=new Set,V=[],B=[],o=new Date;for(let z of J){if(!uL(z,C))continue;if(!mL(z,C))continue;if(z.expiresAt&&z.expiresAt<=o)continue;if(z.disabledAt||z.role.disabledAt){for(let x of z.role.permissions)k.add(x);F.add(z.role.name),B.push(z.reason??`Disabled role ${z.role.name}`);continue}if(z.effect==="deny"){for(let x of z.role.permissions)k.add(x);F.add(z.role.name),B.push(z.reason??`Denied role ${z.role.name}`);continue}V.push(z.role);for(let x of z.role.permissions)_.add(x)}for(let z of k)_.delete(z);if(F.size)V=V.filter((z)=>!F.has(z.name));return{permissions:_,roles:V,deniedPermissions:k,deniedRoles:F,source:Z,reasons:B}}function sL(C){if(!C.deniedPermissions.size&&!C.deniedRoles.size)return C;let J=new Set(C.permissions),Z=C.roles.filter((_)=>C.deniedRoles.has(_.name)).flatMap((_)=>_.permissions);for(let _ of[...C.deniedPermissions,...Z])J.delete(_);return{...C,permissions:J,roles:C.roles.filter((_)=>!C.deniedRoles.has(_.name))}}function uL(C,J){if(C.targetType==="user")return C.targetId===J.userId;if(C.targetType==="organization")return C.targetId===(J.organizationId??J.orgId);if(C.targetType==="workspace")return C.targetId===J.workspaceId;if(C.targetType==="tenant")return C.targetId===J.tenantId;return!1}function mL(C,J){if(C.tenantId&&C.tenantId!==J.tenantId)return!1;if(C.workspaceId&&C.workspaceId!==J.workspaceId)return!1;if(!C.scopeType||!C.scopeId||C.scopeType==="global")return!0;if(C.scopeType==="tenant")return 
C.scopeId===J.tenantId;if(C.scopeType==="workspace")return C.scopeId===J.workspaceId;if(C.scopeType==="organization")return C.scopeId===(J.organizationId??J.orgId);if(C.scopeType==="user")return C.scopeId===J.userId;return!1}function rL(C,J,Z){return{permissions:cL(C,J),roles:dL(C,J,Z)}}function cL(C,J){let Z=C.permissions??[],_=C.anyPermission??[],k=Z.filter((B)=>J.deniedPermissions.has(B)),V=_.some((B)=>J.permissions.has(B))?[]:_.filter((B)=>J.deniedPermissions.has(B));return[...k,...V]}function dL(C,J,Z){let _=C.roles??[],k=C.anyRole??[],F=new Set([...Z,...J.roles.map((z)=>z.name)]),V=_.filter((z)=>J.deniedRoles.has(z)),o=k.some((z)=>F.has(z))?[]:k.filter((z)=>J.deniedRoles.has(z));return[...V,...o]}function lL(C){let J=[];if(C.permissions.length)J.push(`permissions: ${C.permissions.join(", ")}`);if(C.roles.length)J.push(`roles: ${C.roles.join(", ")}`);return`Explicit deny for ${J.join("; ")}`}function gC(C){return{roles:[...C.roles??[],...C.anyRole??[]],permissions:[...C.permissions??[],...C.anyPermission??[]],flags:C.flags,policies:C.policies?.map((J)=>`${J.key}.v${J.version}`)}}function aL(C,J,Z=[]){let _=[...C.roles??[],...C.anyRole??[]],k=J.roles.find((B)=>_.includes(B.name))?.name??Z.find((B)=>_.includes(B)),F=[...C.permissions??[],...C.anyPermission??[]].find((B)=>J.permissions.has(B)),V=C.policies?.[0];return{role:k,permission:F,policy:V?`${V.key}.v${V.version}`:void 0}}function iL(){return new HC}export{AG as identityRbacSchemaContribution,YL as identityRbacEntities,iL as createRBACEngine,GC as VerificationEntity,IL as UserUpdatedEvent,N as UserProfileModel,e as UserEntity,OL as UserEmailVerifiedEvent,ZC as UserDeletedPayloadModel,PL as UserDeletedEvent,NL as UserCreatedEvent,XC as UpdateUserInputModel,tC as UpdateUserContract,PC as UpdateRoleInputModel,aC as UpdateRoleContract,BC as UpdateOrgInputModel,sC as UpdateOrgContract,c as TeamMemberEntity,r as TeamEntity,I as SuccessResultModel,TC as StaticRolePermissionSource,pL as StandardRole,CC as 
SessionEntity,oL as RoleRevokedEvent,O as RoleModel,d as RoleEntity,fL as RoleAssignedEvent,qC as RevokeRoleInputModel,CL as RevokeRoleContract,UC as RemoveMemberInputModel,rC as RemoveMemberContract,HC as RBACPolicyEngine,E as PolicyBindingModel,a as PolicyBindingEntity,l as PermissionEntity,NC as PermissionCheckResultModel,w as Permission,n as PasskeyEntity,WC as OrganizationWithRoleModel,g as OrganizationTypeEnum,P as OrganizationModel,s as OrganizationEntity,RL as OrgUpdatedEvent,ML as OrgMemberRoleChangedEvent,hL as OrgMemberRemovedEvent,vL as OrgMemberAddedEvent,bL as OrgInviteSentEvent,TL as OrgInviteDeclinedEvent,gL as OrgInviteAcceptedEvent,qL as OrgDeletedEvent,xL as OrgCreatedEvent,wC as MemberUserModel,jC as MemberRemovedPayloadModel,b as MemberModel,u as MemberEntity,$C as ListUsersOutputModel,_C as ListUsersInputModel,SC as ListUsersContract,bC as ListUserPermissionsOutputModel,MC as ListUserPermissionsInputModel,GL as ListUserPermissionsContract,AC as ListUserOrgsOutputModel,dC as ListUserOrgsContract,xC as ListRolesOutputModel,nC as ListRolesContract,DC as ListMembersOutputModel,QC as ListMembersInputModel,cC as ListMembersContract,FC as InviteMemberInputModel,uC as InviteMemberContract,y as InvitationModel,m as InvitationEntity,MG as IdentityRbacFeature,qG as IdentityRbacEvents,zC as GetOrgInputModel,pC as GetOrgContract,oC as GetCurrentUserContract,YC as DeleteUserInputModel,yC as DeleteUserContract,OC as DeleteRoleInputModel,iC as DeleteRoleContract,KC as CreateUserInputModel,fC as CreateUserContract,IC as CreateRoleInputModel,lC as CreateRoleContract,kC as CreateOrgInputModel,EC as CreateOrgContract,hC as CheckPermissionInputModel,LL as CheckPermissionContract,vC as BindingIdPayloadModel,RC as AssignRoleInputModel,eC as AssignRoleContract,i as ApiKeyEntity,LC as AccountEntity,VC as AcceptInviteInputModel,mC as AcceptInviteContract};
|