@contractspec/lib.identity-rbac 3.7.26 → 3.8.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (29) hide show
  1. package/README.md +20 -0
  2. package/dist/browser/contracts/index.js +1 -1
  3. package/dist/browser/contracts/rbac.js +1 -1
  4. package/dist/browser/entities/index.js +1 -1
  5. package/dist/browser/entities/rbac.js +1 -1
  6. package/dist/browser/index.js +1 -1
  7. package/dist/browser/policies/engine.js +1 -1
  8. package/dist/browser/policies/index.js +1 -1
  9. package/dist/contracts/index.js +1 -1
  10. package/dist/contracts/rbac.d.ts +344 -0
  11. package/dist/contracts/rbac.js +1 -1
  12. package/dist/entities/index.d.ts +10 -0
  13. package/dist/entities/index.js +1 -1
  14. package/dist/entities/rbac.d.ts +14 -0
  15. package/dist/entities/rbac.js +1 -1
  16. package/dist/index.js +1 -1
  17. package/dist/node/contracts/index.js +1 -1
  18. package/dist/node/contracts/rbac.js +1 -1
  19. package/dist/node/entities/index.js +1 -1
  20. package/dist/node/entities/rbac.js +1 -1
  21. package/dist/node/index.js +1 -1
  22. package/dist/node/policies/engine.js +1 -1
  23. package/dist/node/policies/index.js +1 -1
  24. package/dist/policies/engine.d.ts +73 -3
  25. package/dist/policies/engine.js +1 -1
  26. package/dist/policies/engine.test.d.ts +1 -0
  27. package/dist/policies/index.d.ts +1 -1
  28. package/dist/policies/index.js +1 -1
  29. package/package.json +4 -3
package/dist/browser/policies/engine.js CHANGED
@@ -1 +1 @@
1
- var f={USER_CREATE:"user.create",USER_READ:"user.read",USER_UPDATE:"user.update",USER_DELETE:"user.delete",USER_LIST:"user.list",USER_MANAGE:"user.manage",ORG_CREATE:"org.create",ORG_READ:"org.read",ORG_UPDATE:"org.update",ORG_DELETE:"org.delete",ORG_LIST:"org.list",MEMBER_INVITE:"member.invite",MEMBER_REMOVE:"member.remove",MEMBER_UPDATE_ROLE:"member.update_role",MEMBER_LIST:"member.list",MANAGE_MEMBERS:"org.manage_members",TEAM_CREATE:"team.create",TEAM_UPDATE:"team.update",TEAM_DELETE:"team.delete",TEAM_MANAGE:"team.manage",ROLE_CREATE:"role.create",ROLE_UPDATE:"role.update",ROLE_DELETE:"role.delete",ROLE_ASSIGN:"role.assign",ROLE_REVOKE:"role.revoke",BILLING_VIEW:"billing.view",BILLING_MANAGE:"billing.manage",PROJECT_CREATE:"project.create",PROJECT_READ:"project.read",PROJECT_UPDATE:"project.update",PROJECT_DELETE:"project.delete",PROJECT_MANAGE:"project.manage",ADMIN_ACCESS:"admin.access",ADMIN_IMPERSONATE:"admin.impersonate"},M={OWNER:{name:"owner",description:"Organization owner with full access",permissions:Object.values(f)},ADMIN:{name:"admin",description:"Administrator with most permissions",permissions:[f.USER_READ,f.USER_LIST,f.ORG_READ,f.ORG_UPDATE,f.MEMBER_INVITE,f.MEMBER_REMOVE,f.MEMBER_UPDATE_ROLE,f.MEMBER_LIST,f.MANAGE_MEMBERS,f.TEAM_CREATE,f.TEAM_UPDATE,f.TEAM_DELETE,f.TEAM_MANAGE,f.PROJECT_CREATE,f.PROJECT_READ,f.PROJECT_UPDATE,f.PROJECT_DELETE,f.PROJECT_MANAGE,f.BILLING_VIEW]},MEMBER:{name:"member",description:"Regular organization member",permissions:[f.USER_READ,f.ORG_READ,f.MEMBER_LIST,f.PROJECT_READ,f.PROJECT_CREATE]},VIEWER:{name:"viewer",description:"Read-only access",permissions:[f.USER_READ,f.ORG_READ,f.MEMBER_LIST,f.PROJECT_READ]}};class K{roleCache=new Map;bindingCache=new Map;async checkPermission(z,j){let{userId:k,orgId:q,permission:x}=z,D=new Date,J=j.filter((h)=>h.targetType==="user"&&h.targetId===k),G=q?j.filter((h)=>h.targetType==="organization"&&h.targetId===q):[],F=[...J,...G].filter((h)=>!h.expiresAt||h.expiresAt>D);if(F.length===0)return{allowed:!1,reason:"No active role bindings found"};for(let h of F)if(h.role.permissions.includes(x))return{allowed:!0,matchedRole:h.role.name};return{allowed:!1,reason:`No role grants the "${x}" permission`}}async getPermissions(z,j,k){let q=new Date,x=k.filter((h)=>h.targetType==="user"&&h.targetId===z),D=j?k.filter((h)=>h.targetType==="organization"&&h.targetId===j):[],G=[...x,...D].filter((h)=>!h.expiresAt||h.expiresAt>q),H=new Set,F=[];for(let h of G){F.push(h.role);for(let L of h.role.permissions)H.add(L)}return{permissions:H,roles:F}}async hasAnyPermission(z,j,k,q){let{permissions:x}=await this.getPermissions(z,j,q);return k.some((D)=>x.has(D))}async hasAllPermissions(z,j,k,q){let{permissions:x}=await this.getPermissions(z,j,q);return k.every((D)=>x.has(D))}}function N(){return new K}export{N as createRBACEngine,M as StandardRole,K as RBACPolicyEngine,f as Permission};
1
+ import{checkCombinedPolicy as _,createPolicyContext as $,PolicyEngine as h}from"@contractspec/lib.contracts-spec/policy";var O={USER_CREATE:"user.create",USER_READ:"user.read",USER_UPDATE:"user.update",USER_DELETE:"user.delete",USER_LIST:"user.list",USER_MANAGE:"user.manage",ORG_CREATE:"org.create",ORG_READ:"org.read",ORG_UPDATE:"org.update",ORG_DELETE:"org.delete",ORG_LIST:"org.list",MEMBER_INVITE:"member.invite",MEMBER_REMOVE:"member.remove",MEMBER_UPDATE_ROLE:"member.update_role",MEMBER_LIST:"member.list",MANAGE_MEMBERS:"org.manage_members",TEAM_CREATE:"team.create",TEAM_UPDATE:"team.update",TEAM_DELETE:"team.delete",TEAM_MANAGE:"team.manage",ROLE_CREATE:"role.create",ROLE_UPDATE:"role.update",ROLE_DELETE:"role.delete",ROLE_ASSIGN:"role.assign",ROLE_REVOKE:"role.revoke",BILLING_VIEW:"billing.view",BILLING_MANAGE:"billing.manage",PROJECT_CREATE:"project.create",PROJECT_READ:"project.read",PROJECT_UPDATE:"project.update",PROJECT_DELETE:"project.delete",PROJECT_MANAGE:"project.manage",ADMIN_ACCESS:"admin.access",ADMIN_IMPERSONATE:"admin.impersonate"},f={OWNER:{name:"owner",description:"Organization owner with full access",permissions:Object.values(O)},ADMIN:{name:"admin",description:"Administrator with most permissions",permissions:[O.USER_READ,O.USER_LIST,O.ORG_READ,O.ORG_UPDATE,O.MEMBER_INVITE,O.MEMBER_REMOVE,O.MEMBER_UPDATE_ROLE,O.MEMBER_LIST,O.MANAGE_MEMBERS,O.TEAM_CREATE,O.TEAM_UPDATE,O.TEAM_DELETE,O.TEAM_MANAGE,O.PROJECT_CREATE,O.PROJECT_READ,O.PROJECT_UPDATE,O.PROJECT_DELETE,O.PROJECT_MANAGE,O.BILLING_VIEW]},MEMBER:{name:"member",description:"Regular organization member",permissions:[O.USER_READ,O.ORG_READ,O.MEMBER_LIST,O.PROJECT_READ,O.PROJECT_CREATE]},VIEWER:{name:"viewer",description:"Read-only access",permissions:[O.USER_READ,O.ORG_READ,O.MEMBER_LIST,O.PROJECT_READ]}};class w{bindings;constructor(k=[]){this.bindings=k}resolveEffectiveAccess(k){return W(k,this.bindings,"static")}}class Z{async checkPermission(k,z){let{userId:H,orgId:J,permission:K}=k,T=W({userId:H,orgId:J},z,"static");if(T.deniedPermissions.has(K))return{allowed:!1,reason:`Explicit deny for the "${K}" permission`};if(T.permissions.has(K))return{allowed:!0,matchedRole:T.roles.find((U)=>U.permissions.includes(K))?.name};return{allowed:!1,reason:T.roles.length?`No role grants the "${K}" permission`:"No active role bindings found"}}async getPermissions(k,z,H){let J=W({userId:k,orgId:z},H,"static");return{permissions:J.permissions,roles:J.roles}}async hasAnyPermission(k,z,H,J){let{permissions:K}=await this.getPermissions(k,z,J);return H.some((T)=>K.has(T))}async hasAllPermissions(k,z,H,J){let{permissions:K}=await this.getPermissions(k,z,J);return H.every((T)=>K.has(T))}async evaluateRequirement(k){let z=k.mode??(k.source?"dynamic":"static"),H;try{H=k.source?await k.source.resolveEffectiveAccess(k.subject):W(k.subject,k.bindings??[],z)}catch(Q){if(k.failClosedOnSourceUnavailable??!0)return{effect:"deny",mode:z,reason:"source_unavailable",source:z,roles:[],permissions:[],missing:Y(k.requirement)};throw Q}if(H.sourceUnavailable&&(k.failClosedOnSourceUnavailable??!0))return{effect:"deny",mode:z,reason:"source_unavailable",source:z,roles:H.roles,permissions:[...H.permissions],missing:Y(k.requirement)};H=G(H);let J=(k.subject.roles??[]).filter((Q)=>!H.deniedRoles.has(Q)),K=M(k.requirement,H,J);if(K.permissions.length||K.roles.length)return{effect:"deny",mode:z,reason:B(K),source:z,roles:H.roles,permissions:[...H.permissions],deniedPermissions:K.permissions,deniedRoles:K.roles,missing:{permissions:K.permissions,roles:K.roles}};let T=$({id:k.subject.userId,tenantId:k.subject.tenantId,roles:[...J,...H.roles.map((Q)=>Q.name)],permissions:[...k.subject.permissions??[],...H.permissions],attributes:k.subject.attributes??{}}),U=_(T,k.requirement,k.subject.flags??[]);if(!U.allowed)return{effect:"deny",mode:z,reason:U.reason,source:z,roles:H.roles,permissions:[...H.permissions],missing:U.missing};if(k.requirement.policies?.length&&k.policyRegistry){let Q=new h(k.policyRegistry).decide({action:"access",subject:{roles:[...T.roles],attributes:k.subject.attributes},resource:{type:k.requirement.resource?.type??"contractspec.surface",fields:k.requirement.resource?.fields},policies:k.requirement.policies});if(Q.effect==="deny")return{...Q,mode:z,source:z,roles:H.roles,permissions:[...H.permissions]}}return{effect:"allow",mode:z,reason:H.reasons[0],source:z,roles:H.roles,permissions:[...H.permissions],matched:E(k.requirement,H,J)}}}function W(k,z,H){let J=new Set(k.permissions??[]),K=new Set,T=new Set,U=[],Q=[],X=new Date;for(let L of z){if(!N(L,k))continue;if(!S(L,k))continue;if(L.expiresAt&&L.expiresAt<=X)continue;if(L.disabledAt||L.role.disabledAt){for(let V of L.role.permissions)K.add(V);T.add(L.role.name),Q.push(L.reason??`Disabled role ${L.role.name}`);continue}if(L.effect==="deny"){for(let V of L.role.permissions)K.add(V);T.add(L.role.name),Q.push(L.reason??`Denied role ${L.role.name}`);continue}U.push(L.role);for(let V of L.role.permissions)J.add(V)}for(let L of K)J.delete(L);if(T.size)U=U.filter((L)=>!T.has(L.name));return{permissions:J,roles:U,deniedPermissions:K,deniedRoles:T,source:H,reasons:Q}}function G(k){if(!k.deniedPermissions.size&&!k.deniedRoles.size)return k;let z=new Set(k.permissions),H=k.roles.filter((J)=>k.deniedRoles.has(J.name)).flatMap((J)=>J.permissions);for(let J of[...k.deniedPermissions,...H])z.delete(J);return{...k,permissions:z,roles:k.roles.filter((J)=>!k.deniedRoles.has(J.name))}}function N(k,z){if(k.targetType==="user")return k.targetId===z.userId;if(k.targetType==="organization")return k.targetId===(z.organizationId??z.orgId);if(k.targetType==="workspace")return k.targetId===z.workspaceId;if(k.targetType==="tenant")return k.targetId===z.tenantId;return!1}function S(k,z){if(k.tenantId&&k.tenantId!==z.tenantId)return!1;if(k.workspaceId&&k.workspaceId!==z.workspaceId)return!1;if(!k.scopeType||!k.scopeId||k.scopeType==="global")return!0;if(k.scopeType==="tenant")return k.scopeId===z.tenantId;if(k.scopeType==="workspace")return k.scopeId===z.workspaceId;if(k.scopeType==="organization")return k.scopeId===(z.organizationId??z.orgId);if(k.scopeType==="user")return k.scopeId===z.userId;return!1}function M(k,z,H){return{permissions:C(k,z),roles:F(k,z,H)}}function C(k,z){let H=k.permissions??[],J=k.anyPermission??[],K=H.filter((Q)=>z.deniedPermissions.has(Q)),U=J.some((Q)=>z.permissions.has(Q))?[]:J.filter((Q)=>z.deniedPermissions.has(Q));return[...K,...U]}function F(k,z,H){let J=k.roles??[],K=k.anyRole??[],T=new Set([...H,...z.roles.map((L)=>L.name)]),U=J.filter((L)=>z.deniedRoles.has(L)),X=K.some((L)=>T.has(L))?[]:K.filter((L)=>z.deniedRoles.has(L));return[...U,...X]}function B(k){let z=[];if(k.permissions.length)z.push(`permissions: ${k.permissions.join(", ")}`);if(k.roles.length)z.push(`roles: ${k.roles.join(", ")}`);return`Explicit deny for ${z.join("; ")}`}function Y(k){return{roles:[...k.roles??[],...k.anyRole??[]],permissions:[...k.permissions??[],...k.anyPermission??[]],flags:k.flags,policies:k.policies?.map((z)=>`${z.key}.v${z.version}`)}}function E(k,z,H=[]){let J=[...k.roles??[],...k.anyRole??[]],K=z.roles.find((Q)=>J.includes(Q.name))?.name??H.find((Q)=>J.includes(Q)),T=[...k.permissions??[],...k.anyPermission??[]].find((Q)=>z.permissions.has(Q)),U=k.policies?.[0];return{role:K,permission:T,policy:U?`${U.key}.v${U.version}`:void 0}}function j(){return new Z}export{j as createRBACEngine,w as StaticRolePermissionSource,f as StandardRole,Z as RBACPolicyEngine,O as Permission};
package/dist/browser/policies/index.js CHANGED
@@ -1 +1 @@
1
- var y={USER_CREATE:"user.create",USER_READ:"user.read",USER_UPDATE:"user.update",USER_DELETE:"user.delete",USER_LIST:"user.list",USER_MANAGE:"user.manage",ORG_CREATE:"org.create",ORG_READ:"org.read",ORG_UPDATE:"org.update",ORG_DELETE:"org.delete",ORG_LIST:"org.list",MEMBER_INVITE:"member.invite",MEMBER_REMOVE:"member.remove",MEMBER_UPDATE_ROLE:"member.update_role",MEMBER_LIST:"member.list",MANAGE_MEMBERS:"org.manage_members",TEAM_CREATE:"team.create",TEAM_UPDATE:"team.update",TEAM_DELETE:"team.delete",TEAM_MANAGE:"team.manage",ROLE_CREATE:"role.create",ROLE_UPDATE:"role.update",ROLE_DELETE:"role.delete",ROLE_ASSIGN:"role.assign",ROLE_REVOKE:"role.revoke",BILLING_VIEW:"billing.view",BILLING_MANAGE:"billing.manage",PROJECT_CREATE:"project.create",PROJECT_READ:"project.read",PROJECT_UPDATE:"project.update",PROJECT_DELETE:"project.delete",PROJECT_MANAGE:"project.manage",ADMIN_ACCESS:"admin.access",ADMIN_IMPERSONATE:"admin.impersonate"},q={OWNER:{name:"owner",description:"Organization owner with full access",permissions:Object.values(y)},ADMIN:{name:"admin",description:"Administrator with most permissions",permissions:[y.USER_READ,y.USER_LIST,y.ORG_READ,y.ORG_UPDATE,y.MEMBER_INVITE,y.MEMBER_REMOVE,y.MEMBER_UPDATE_ROLE,y.MEMBER_LIST,y.MANAGE_MEMBERS,y.TEAM_CREATE,y.TEAM_UPDATE,y.TEAM_DELETE,y.TEAM_MANAGE,y.PROJECT_CREATE,y.PROJECT_READ,y.PROJECT_UPDATE,y.PROJECT_DELETE,y.PROJECT_MANAGE,y.BILLING_VIEW]},MEMBER:{name:"member",description:"Regular organization member",permissions:[y.USER_READ,y.ORG_READ,y.MEMBER_LIST,y.PROJECT_READ,y.PROJECT_CREATE]},VIEWER:{name:"viewer",description:"Read-only access",permissions:[y.USER_READ,y.ORG_READ,y.MEMBER_LIST,y.PROJECT_READ]}};class S{roleCache=new Map;bindingCache=new Map;async checkPermission(l,h){let{userId:k,orgId:R,permission:f}=l,x=new Date,W=h.filter((t)=>t.targetType==="user"&&t.targetId===k),F=R?h.filter((t)=>t.targetType==="organization"&&t.targetId===R):[],E=[...W,...F].filter((t)=>!t.expiresAt||t.expiresAt>x);if(E.length===0)return{allowed:!1,reason:"No active role bindings found"};for(let t of E)if(t.role.permissions.includes(f))return{allowed:!0,matchedRole:t.role.name};return{allowed:!1,reason:`No role grants the "${f}" permission`}}async getPermissions(l,h,k){let R=new Date,f=k.filter((t)=>t.targetType==="user"&&t.targetId===l),x=h?k.filter((t)=>t.targetType==="organization"&&t.targetId===h):[],F=[...f,...x].filter((t)=>!t.expiresAt||t.expiresAt>R),K=new Set,E=[];for(let t of F){E.push(t.role);for(let j of t.role.permissions)K.add(j)}return{permissions:K,roles:E}}async hasAnyPermission(l,h,k,R){let{permissions:f}=await this.getPermissions(l,h,R);return k.some((x)=>f.has(x))}async hasAllPermissions(l,h,k,R){let{permissions:f}=await this.getPermissions(l,h,R);return k.every((x)=>f.has(x))}}function z(){return new S}export{z as createRBACEngine,q as StandardRole,S as RBACPolicyEngine,y as Permission};
1
+ import{checkCombinedPolicy as V,createPolicyContext as X,PolicyEngine as Y}from"@contractspec/lib.contracts-spec/policy";var E={USER_CREATE:"user.create",USER_READ:"user.read",USER_UPDATE:"user.update",USER_DELETE:"user.delete",USER_LIST:"user.list",USER_MANAGE:"user.manage",ORG_CREATE:"org.create",ORG_READ:"org.read",ORG_UPDATE:"org.update",ORG_DELETE:"org.delete",ORG_LIST:"org.list",MEMBER_INVITE:"member.invite",MEMBER_REMOVE:"member.remove",MEMBER_UPDATE_ROLE:"member.update_role",MEMBER_LIST:"member.list",MANAGE_MEMBERS:"org.manage_members",TEAM_CREATE:"team.create",TEAM_UPDATE:"team.update",TEAM_DELETE:"team.delete",TEAM_MANAGE:"team.manage",ROLE_CREATE:"role.create",ROLE_UPDATE:"role.update",ROLE_DELETE:"role.delete",ROLE_ASSIGN:"role.assign",ROLE_REVOKE:"role.revoke",BILLING_VIEW:"billing.view",BILLING_MANAGE:"billing.manage",PROJECT_CREATE:"project.create",PROJECT_READ:"project.read",PROJECT_UPDATE:"project.update",PROJECT_DELETE:"project.delete",PROJECT_MANAGE:"project.manage",ADMIN_ACCESS:"admin.access",ADMIN_IMPERSONATE:"admin.impersonate"},Z={OWNER:{name:"owner",description:"Organization owner with full access",permissions:Object.values(E)},ADMIN:{name:"admin",description:"Administrator with most permissions",permissions:[E.USER_READ,E.USER_LIST,E.ORG_READ,E.ORG_UPDATE,E.MEMBER_INVITE,E.MEMBER_REMOVE,E.MEMBER_UPDATE_ROLE,E.MEMBER_LIST,E.MANAGE_MEMBERS,E.TEAM_CREATE,E.TEAM_UPDATE,E.TEAM_DELETE,E.TEAM_MANAGE,E.PROJECT_CREATE,E.PROJECT_READ,E.PROJECT_UPDATE,E.PROJECT_DELETE,E.PROJECT_MANAGE,E.BILLING_VIEW]},MEMBER:{name:"member",description:"Regular organization member",permissions:[E.USER_READ,E.ORG_READ,E.MEMBER_LIST,E.PROJECT_READ,E.PROJECT_CREATE]},VIEWER:{name:"viewer",description:"Read-only access",permissions:[E.USER_READ,E.ORG_READ,E.MEMBER_LIST,E.PROJECT_READ]}};class U{bindings;constructor(h=[]){this.bindings=h}resolveEffectiveAccess(h){return J(h,this.bindings,"static")}}class O{async checkPermission(h,S){let{userId:z,orgId:k,permission:y}=h,T=J({userId:z,orgId:k},S,"static");if(T.deniedPermissions.has(y))return{allowed:!1,reason:`Explicit deny for the "${y}" permission`};if(T.permissions.has(y))return{allowed:!0,matchedRole:T.roles.find((W)=>W.permissions.includes(y))?.name};return{allowed:!1,reason:T.roles.length?`No role grants the "${y}" permission`:"No active role bindings found"}}async getPermissions(h,S,z){let k=J({userId:h,orgId:S},z,"static");return{permissions:k.permissions,roles:k.roles}}async hasAnyPermission(h,S,z,k){let{permissions:y}=await this.getPermissions(h,S,k);return z.some((T)=>y.has(T))}async hasAllPermissions(h,S,z,k){let{permissions:y}=await this.getPermissions(h,S,k);return z.every((T)=>y.has(T))}async evaluateRequirement(h){let S=h.mode??(h.source?"dynamic":"static"),z;try{z=h.source?await h.source.resolveEffectiveAccess(h.subject):J(h.subject,h.bindings??[],S)}catch(K){if(h.failClosedOnSourceUnavailable??!0)return{effect:"deny",mode:S,reason:"source_unavailable",source:S,roles:[],permissions:[],missing:Q(h.requirement)};throw K}if(z.sourceUnavailable&&(h.failClosedOnSourceUnavailable??!0))return{effect:"deny",mode:S,reason:"source_unavailable",source:S,roles:z.roles,permissions:[...z.permissions],missing:Q(h.requirement)};z=_(z);let k=(h.subject.roles??[]).filter((K)=>!z.deniedRoles.has(K)),y=G(h.requirement,z,k);if(y.permissions.length||y.roles.length)return{effect:"deny",mode:S,reason:P(y),source:S,roles:z.roles,permissions:[...z.permissions],deniedPermissions:y.permissions,deniedRoles:y.roles,missing:{permissions:y.permissions,roles:y.roles}};let T=X({id:h.subject.userId,tenantId:h.subject.tenantId,roles:[...k,...z.roles.map((K)=>K.name)],permissions:[...h.subject.permissions??[],...z.permissions],attributes:h.subject.attributes??{}}),W=V(T,h.requirement,h.subject.flags??[]);if(!W.allowed)return{effect:"deny",mode:S,reason:W.reason,source:S,roles:z.roles,permissions:[...z.permissions],missing:W.missing};if(h.requirement.policies?.length&&h.policyRegistry){let K=new Y(h.policyRegistry).decide({action:"access",subject:{roles:[...T.roles],attributes:h.subject.attributes},resource:{type:h.requirement.resource?.type??"contractspec.surface",fields:h.requirement.resource?.fields},policies:h.requirement.policies});if(K.effect==="deny")return{...K,mode:S,source:S,roles:z.roles,permissions:[...z.permissions]}}return{effect:"allow",mode:S,reason:z.reasons[0],source:S,roles:z.roles,permissions:[...z.permissions],matched:B(h.requirement,z,k)}}}function J(h,S,z){let k=new Set(h.permissions??[]),y=new Set,T=new Set,W=[],K=[],L=new Date;for(let C of S){if(!$(C,h))continue;if(!w(C,h))continue;if(C.expiresAt&&C.expiresAt<=L)continue;if(C.disabledAt||C.role.disabledAt){for(let H of C.role.permissions)y.add(H);T.add(C.role.name),K.push(C.reason??`Disabled role ${C.role.name}`);continue}if(C.effect==="deny"){for(let H of C.role.permissions)y.add(H);T.add(C.role.name),K.push(C.reason??`Denied role ${C.role.name}`);continue}W.push(C.role);for(let H of C.role.permissions)k.add(H)}for(let C of y)k.delete(C);if(T.size)W=W.filter((C)=>!T.has(C.name));return{permissions:k,roles:W,deniedPermissions:y,deniedRoles:T,source:z,reasons:K}}function _(h){if(!h.deniedPermissions.size&&!h.deniedRoles.size)return h;let S=new Set(h.permissions),z=h.roles.filter((k)=>h.deniedRoles.has(k.name)).flatMap((k)=>k.permissions);for(let k of[...h.deniedPermissions,...z])S.delete(k);return{...h,permissions:S,roles:h.roles.filter((k)=>!h.deniedRoles.has(k.name))}}function $(h,S){if(h.targetType==="user")return h.targetId===S.userId;if(h.targetType==="organization")return h.targetId===(S.organizationId??S.orgId);if(h.targetType==="workspace")return h.targetId===S.workspaceId;if(h.targetType==="tenant")return h.targetId===S.tenantId;return!1}function w(h,S){if(h.tenantId&&h.tenantId!==S.tenantId)return!1;if(h.workspaceId&&h.workspaceId!==S.workspaceId)return!1;if(!h.scopeType||!h.scopeId||h.scopeType==="global")return!0;if(h.scopeType==="tenant")return h.scopeId===S.tenantId;if(h.scopeType==="workspace")return h.scopeId===S.workspaceId;if(h.scopeType==="organization")return h.scopeId===(S.organizationId??S.orgId);if(h.scopeType==="user")return h.scopeId===S.userId;return!1}function G(h,S,z){return{permissions:M(h,S),roles:N(h,S,z)}}function M(h,S){let z=h.permissions??[],k=h.anyPermission??[],y=z.filter((K)=>S.deniedPermissions.has(K)),W=k.some((K)=>S.permissions.has(K))?[]:k.filter((K)=>S.deniedPermissions.has(K));return[...y,...W]}function N(h,S,z){let k=h.roles??[],y=h.anyRole??[],T=new Set([...z,...S.roles.map((C)=>C.name)]),W=k.filter((C)=>S.deniedRoles.has(C)),L=y.some((C)=>T.has(C))?[]:y.filter((C)=>S.deniedRoles.has(C));return[...W,...L]}function P(h){let S=[];if(h.permissions.length)S.push(`permissions: ${h.permissions.join(", ")}`);if(h.roles.length)S.push(`roles: ${h.roles.join(", ")}`);return`Explicit deny for ${S.join("; ")}`}function Q(h){return{roles:[...h.roles??[],...h.anyRole??[]],permissions:[...h.permissions??[],...h.anyPermission??[]],flags:h.flags,policies:h.policies?.map((S)=>`${S.key}.v${S.version}`)}}function B(h,S,z=[]){let k=[...h.roles??[],...h.anyRole??[]],y=S.roles.find((K)=>k.includes(K.name))?.name??z.find((K)=>k.includes(K)),T=[...h.permissions??[],...h.anyPermission??[]].find((K)=>S.permissions.has(K)),W=h.policies?.[0];return{role:y,permission:T,policy:W?`${W.key}.v${W.version}`:void 0}}function F(){return new O}export{F as createRBACEngine,U as StaticRolePermissionSource,Z as StandardRole,O as RBACPolicyEngine,E as Permission};
package/dist/contracts/index.js CHANGED
@@ -1,2 +1,2 @@
1
1
  // @bun
2
- import{defineCommand as F,defineQuery as X}from"@contractspec/lib.contracts-spec";import{ScalarTypeEnum as U,SchemaModel as x}from"@contractspec/lib.schema";var I=["platform.identity-rbac"],A=new x({name:"UserProfile",description:"User profile information",fields:{id:{type:U.String_unsecure(),isOptional:!1},email:{type:U.EmailAddress(),isOptional:!1},emailVerified:{type:U.Boolean(),isOptional:!1},name:{type:U.String_unsecure(),isOptional:!0},firstName:{type:U.String_unsecure(),isOptional:!0},lastName:{type:U.String_unsecure(),isOptional:!0},locale:{type:U.String_unsecure(),isOptional:!0},timezone:{type:U.String_unsecure(),isOptional:!0},imageUrl:{type:U.URL(),isOptional:!0},role:{type:U.String_unsecure(),isOptional:!0},onboardingCompleted:{type:U.Boolean(),isOptional:!1},createdAt:{type:U.DateTime(),isOptional:!1}}}),Y=new x({name:"CreateUserInput",description:"Input for creating a new user",fields:{email:{type:U.EmailAddress(),isOptional:!1},name:{type:U.String_unsecure(),isOptional:!0},firstName:{type:U.String_unsecure(),isOptional:!0},lastName:{type:U.String_unsecure(),isOptional:!0},password:{type:U.String_unsecure(),isOptional:!0}}}),Z=new x({name:"UpdateUserInput",description:"Input for updating a user profile",fields:{name:{type:U.String_unsecure(),isOptional:!0},firstName:{type:U.String_unsecure(),isOptional:!0},lastName:{type:U.String_unsecure(),isOptional:!0},locale:{type:U.String_unsecure(),isOptional:!0},timezone:{type:U.String_unsecure(),isOptional:!0},imageUrl:{type:U.URL(),isOptional:!0}}}),_=new x({name:"DeleteUserInput",description:"Input for deleting a user",fields:{confirmEmail:{type:U.EmailAddress(),isOptional:!1}}}),D=new x({name:"SuccessResult",description:"Simple success result",fields:{success:{type:U.Boolean(),isOptional:!1}}}),$=new x({name:"UserDeletedPayload",description:"Payload for user deleted event",fields:{userId:{type:U.String_unsecure(),isOptional:!1}}}),B=new x({name:"ListUsersInput",description:"Input for listing users",fields:{limit:{type:U.Int_unsecure(),isOptional:!0},offset:{type:U.Int_unsecure(),isOptional:!0},search:{type:U.String_unsecure(),isOptional:!0}}}),z=new x({name:"ListUsersOutput",description:"Output for listing users",fields:{users:{type:A,isOptional:!1,isArray:!0},total:{type:U.Int_unsecure(),isOptional:!1}}}),m=F({meta:{key:"identity.user.create",version:"1.0.0",stability:"stable",owners:[...I],tags:["identity","user","create"],description:"Create a new user account.",goal:"Register a new user in the system.",context:"Used during signup flows. May trigger email verification."},io:{input:Y,output:A,errors:{EMAIL_EXISTS:{description:"A user with this email already exists",http:409,gqlCode:"EMAIL_EXISTS",when:"Email is already registered"}}},policy:{auth:"anonymous"},sideEffects:{emits:[{key:"user.created",version:"1.0.0",when:"User is successfully created",payload:A}],audit:["user.created"]}}),l=X({meta:{key:"identity.user.me",version:"1.0.0",stability:"stable",owners:[...I],tags:["identity","user","profile"],description:"Get the current authenticated user profile.",goal:"Retrieve user profile for the authenticated session.",context:"Called on app load and after profile updates."},io:{input:null,output:A},policy:{auth:"user"}}),e=F({meta:{key:"identity.user.update",version:"1.0.0",stability:"stable",owners:[...I],tags:["identity","user","update"],description:"Update user profile information.",goal:"Allow users to update their profile.",context:"Self-service profile updates."},io:{input:Z,output:A},policy:{auth:"user"},sideEffects:{emits:[{key:"user.updated",version:"1.0.0",when:"User profile is updated",payload:A}],audit:["user.updated"]}}),a=F({meta:{key:"identity.user.delete",version:"1.0.0",stability:"stable",owners:[...I],tags:["identity","user","delete"],description:"Delete user account and all associated data.",goal:"Allow users to delete their account (GDPR compliance).",context:"Self-service account deletion. Cascades to memberships, sessions, etc."},io:{input:_,output:D},policy:{auth:"user",escalate:"human_review"},sideEffects:{emits:[{key:"user.deleted",version:"1.0.0",when:"User account is deleted",payload:$}],audit:["user.deleted"]}}),tt=X({meta:{key:"identity.user.list",version:"1.0.0",stability:"stable",owners:[...I],tags:["identity","user","admin","list"],description:"List all users (admin only).",goal:"Allow admins to browse and manage users.",context:"Admin dashboard user management."},io:{input:B,output:z},policy:{auth:"admin"}});import{defineCommand as j,defineQuery as J}from"@contractspec/lib.contracts-spec";import{ScalarTypeEnum as t,SchemaModel as L}from"@contractspec/lib.schema";var k=["platform.identity-rbac"],G=new L({name:"Organization",description:"Organization details",fields:{id:{type:t.String_unsecure(),isOptional:!1},name:{type:t.String_unsecure(),isOptional:!1},slug:{type:t.String_unsecure(),isOptional:!0},logo:{type:t.URL(),isOptional:!0},description:{type:t.String_unsecure(),isOptional:!0},type:{type:t.String_unsecure(),isOptional:!1},onboardingCompleted:{type:t.Boolean(),isOptional:!1},createdAt:{type:t.DateTime(),isOptional:!1}}}),P=new L({name:"MemberUser",description:"Basic user info within a member",fields:{id:{type:t.String_unsecure(),isOptional:!1},email:{type:t.EmailAddress(),isOptional:!1},name:{type:t.String_unsecure(),isOptional:!0}}}),w=new L({name:"Member",description:"Organization member",fields:{id:{type:t.String_unsecure(),isOptional:!1},userId:{type:t.String_unsecure(),isOptional:!1},organizationId:{type:t.String_unsecure(),isOptional:!1},role:{type:t.String_unsecure(),isOptional:!1},createdAt:{type:t.DateTime(),isOptional:!1},user:{type:P,isOptional:!1}}}),H=new L({name:"Invitation",description:"Organization invitation",fields:{id:{type:t.String_unsecure(),isOptional:!1},email:{type:t.EmailAddress(),isOptional:!1},role:{type:t.String_unsecure(),isOptional:!0},status:{type:t.String_unsecure(),isOptional:!1},expiresAt:{type:t.DateTime(),isOptional:!0},createdAt:{type:t.DateTime(),isOptional:!1}}}),b=new L({name:"CreateOrgInput",description:"Input for creating an organization",fields:{name:{type:t.NonEmptyString(),isOptional:!1},slug:{type:t.String_unsecure(),isOptional:!0},description:{type:t.String_unsecure(),isOptional:!0},type:{type:t.String_unsecure(),isOptional:!0}}}),s=new L({name:"GetOrgInput",description:"Input for getting an organization",fields:{orgId:{type:t.String_unsecure(),isOptional:!1}}}),Q=new L({name:"UpdateOrgInput",description:"Input for updating an organization",fields:{orgId:{type:t.String_unsecure(),isOptional:!1},name:{type:t.String_unsecure(),isOptional:!0},slug:{type:t.String_unsecure(),isOptional:!0},logo:{type:t.URL(),isOptional:!0},description:{type:t.String_unsecure(),isOptional:!0}}}),O=new L({name:"InviteMemberInput",description:"Input for inviting a member",fields:{orgId:{type:t.String_unsecure(),isOptional:!1},email:{type:t.EmailAddress(),isOptional:!1},role:{type:t.String_unsecure(),isOptional:!1},teamId:{type:t.String_unsecure(),isOptional:!0}}}),R=new L({name:"AcceptInviteInput",description:"Input for accepting an invitation",fields:{invitationId:{type:t.String_unsecure(),isOptional:!1}}}),N=new L({name:"RemoveMemberInput",description:"Input for removing a member",fields:{orgId:{type:t.String_unsecure(),isOptional:!1},userId:{type:t.String_unsecure(),isOptional:!1}}}),W=new L({name:"MemberRemovedPayload",description:"Payload for member removed event",fields:{orgId:{type:t.String_unsecure(),isOptional:!1},userId:{type:t.String_unsecure(),isOptional:!1}}}),f=new L({name:"ListMembersInput",description:"Input for listing members",fields:{orgId:{type:t.String_unsecure(),isOptional:!1},limit:{type:t.Int_unsecure(),isOptional:!0},offset:{type:t.Int_unsecure(),isOptional:!0}}}),i=new L({name:"ListMembersOutput",description:"Output for listing members",fields:{members:{type:w,isOptional:!1,isArray:!0},total:{type:t.Int_unsecure(),isOptional:!1}}}),h=new L({name:"OrganizationWithRole",description:"Organization with user role",fields:{id:{type:t.String_unsecure(),isOptional:!1},name:{type:t.String_unsecure(),isOptional:!1},slug:{type:t.String_unsecure(),isOptional:!0},logo:{type:t.URL(),isOptional:!0},description:{type:t.String_unsecure(),isOptional:!0},type:{type:t.String_unsecure(),isOptional:!1},onboardingCompleted:{type:t.Boolean(),isOptional:!1},createdAt:{type:t.DateTime(),isOptional:!1},role:{type:t.String_unsecure(),isOptional:!1}}}),o=new L({name:"ListUserOrgsOutput",description:"Output for listing user organizations",fields:{organizations:{type:h,isOptional:!1,isArray:!0}}}),Ct=j({meta:{key:"identity.org.create",version:"1.0.0",stability:"stable",owners:[...k],tags:["identity","org","create"],description:"Create a new organization.",goal:"Allow users to create new organizations/workspaces.",context:"Called during onboarding or when creating additional workspaces."},io:{input:b,output:G,errors:{SLUG_EXISTS:{description:"An organization with this slug already exists",http:409,gqlCode:"SLUG_EXISTS",when:"Slug is already taken"}}},policy:{auth:"user"},sideEffects:{emits:[{key:"org.created",version:"1.0.0",when:"Organization is created",payload:G}],audit:["org.created"]}}),Ut=J({meta:{key:"identity.org.get",version:"1.0.0",stability:"stable",owners:[...k],tags:["identity","org","get"],description:"Get organization details.",goal:"Retrieve organization information.",context:"Called when viewing organization settings or dashboard."},io:{input:s,output:G},policy:{auth:"user"}}),Lt=j({meta:{key:"identity.org.update",version:"1.0.0",stability:"stable",owners:[...k],tags:["identity","org","update"],description:"Update organization details.",goal:"Allow org admins to update organization settings.",context:"Organization settings page."},io:{input:Q,output:G},policy:{auth:"user"},sideEffects:{emits:[{key:"org.updated",version:"1.0.0",when:"Organization is updated",payload:G}],audit:["org.updated"]}}),vt=j({meta:{key:"identity.org.invite",version:"1.0.0",stability:"stable",owners:[...k],tags:["identity","org","invite","member"],description:"Invite a user to join the organization.",goal:"Allow org admins to invite new members.",context:"Team management. Sends invitation email."},io:{input:O,output:H,errors:{ALREADY_MEMBER:{description:"User is already a member of this organization",http:409,gqlCode:"ALREADY_MEMBER",when:"Invitee is already a member"},INVITE_PENDING:{description:"An invitation for this email is already pending",http:409,gqlCode:"INVITE_PENDING",when:"Active invitation exists"}}},policy:{auth:"user"},sideEffects:{emits:[{key:"org.invite.sent",version:"1.0.0",when:"Invitation is sent",payload:H}],audit:["org.invite.sent"]}}),xt=j({meta:{key:"identity.org.invite.accept",version:"1.0.0",stability:"stable",owners:[...k],tags:["identity","org","invite","accept"],description:"Accept an organization invitation.",goal:"Allow users to join organizations via invitation.",context:"Called from invitation email link."},io:{input:R,output:w,errors:{INVITE_EXPIRED:{description:"The invitation has expired",http:410,gqlCode:"INVITE_EXPIRED",when:"Invitation is past expiry date"},INVITE_USED:{description:"The invitation has already been used",http:409,gqlCode:"INVITE_USED",when:"Invitation was already accepted"}}},policy:{auth:"user"},sideEffects:{emits:[{key:"org.member.added",version:"1.0.0",when:"Member joins org",payload:w}],audit:["org.member.added"]}}),kt=j({meta:{key:"identity.org.member.remove",version:"1.0.0",stability:"stable",owners:[...k],tags:["identity","org","member","remove"],description:"Remove a member from the organization.",goal:"Allow org admins to remove members.",context:"Team management."},io:{input:N,output:D,errors:{CANNOT_REMOVE_OWNER:{description:"Cannot remove the organization owner",http:403,gqlCode:"CANNOT_REMOVE_OWNER",when:"Target is the org owner"}}},policy:{auth:"user"},sideEffects:{emits:[{key:"org.member.removed",version:"1.0.0",when:"Member is removed",payload:W}],audit:["org.member.removed"]}}),At=J({meta:{key:"identity.org.members.list",version:"1.0.0",stability:"stable",owners:[...k],tags:["identity","org","member","list"],description:"List organization members.",goal:"View all members of an organization.",context:"Team management page."},io:{input:f,output:i},policy:{auth:"user"}}),Dt=J({meta:{key:"identity.org.list",version:"1.0.0",stability:"stable",owners:[...k],tags:["identity","org","list"],description:"List organizations the current user belongs to.",goal:"Show user their organizations for workspace switching.",context:"Workspace switcher, org selection."},io:{input:null,output:o},policy:{auth:"user"}});import{defineCommand as q,defineQuery as V}from"@contractspec/lib.contracts-spec";import{ScalarTypeEnum as C,SchemaModel as v}from"@contractspec/lib.schema";var g=new v({name:"Role",description:"RBAC role definition",fields:{id:{type:C.String_unsecure(),isOptional:!1},name:{type:C.String_unsecure(),isOptional:!1},description:{type:C.String_unsecure(),isOptional:!0},permissions:{type:C.String_unsecure(),isOptional:!1,isArray:!0},createdAt:{type:C.DateTime(),isOptional:!1}}}),K=new v({name:"PolicyBinding",description:"Role assignment to a target",fields:{id:{type:C.String_unsecure(),isOptional:!1},roleId:{type:C.String_unsecure(),isOptional:!1},targetType:{type:C.String_unsecure(),isOptional:!1},targetId:{type:C.String_unsecure(),isOptional:!1},expiresAt:{type:C.DateTime(),isOptional:!0},createdAt:{type:C.DateTime(),isOptional:!1},role:{type:g,isOptional:!1}}}),M=new v({name:"PermissionCheckResult",description:"Result of a permission check",fields:{allowed:{type:C.Boolean(),isOptional:!1},reason:{type:C.String_unsecure(),isOptional:!0},matchedRole:{type:C.String_unsecure(),isOptional:!0}}}),d=new v({name:"CreateRoleInput",description:"Input for creating a role",fields:{name:{type:C.NonEmptyString(),isOptional:!1},description:{type:C.String_unsecure(),isOptional:!0},permissions:{type:C.String_unsecure(),isOptional:!1,isArray:!0}}}),r=new v({name:"UpdateRoleInput",description:"Input for updating a role",fields:{roleId:{type:C.String_unsecure(),isOptional:!1},name:{type:C.String_unsecure(),isOptional:!0},description:{type:C.String_unsecure(),isOptional:!0},permissions:{type:C.String_unsecure(),isOptional:!0,isArray:!0}}}),T=new v({name:"DeleteRoleInput",description:"Input for deleting a role",fields:{roleId:{type:C.String_unsecure(),isOptional:!1}}}),p=new v({name:"ListRolesOutput",description:"Output for listing roles",fields:{roles:{type:g,isOptional:!1,isArray:!0}}}),y=new v({name:"AssignRoleInput",description:"Input for assigning a role",fields:{roleId:{type:C.String_unsecure(),isOptional:!1},targetType:{type:C.String_unsecure(),isOptional:!1},targetId:{type:C.String_unsecure(),isOptional:!1},expiresAt:{type:C.DateTime(),isOptional:!0}}}),E=new v({name:"RevokeRoleInput",description:"Input for revoking a role",fields:{bindingId:{type:C.String_unsecure(),isOptional:!1}}}),u=new v({name:"BindingIdPayload",description:"Payload with binding ID",fields:{bindingId:{type:C.String_unsecure(),isOptional:!1}}}),n=new v({name:"CheckPermissionInput",description:"Input for checking a permission",fields:{userId:{type:C.String_unsecure(),isOptional:!1},orgId:{type:C.String_unsecure(),isOptional:!0},permission:{type:C.String_unsecure(),isOptional:!1}}}),c=new v({name:"ListUserPermissionsInput",description:"Input for listing user permissions",fields:{userId:{type:C.String_unsecure(),isOptional:!1},orgId:{type:C.String_unsecure(),isOptional:!0}}}),S=new v({name:"ListUserPermissionsOutput",description:"Output for listing user permissions",fields:{permissions:{type:C.String_unsecure(),isOptional:!1,isArray:!0},roles:{type:g,isOptional:!1,isArray:!0}}}),Gt=q({meta:{key:"identity.rbac.role.create",version:"1.0.0",stability:"stable",owners:["@platform.identity-rbac"],tags:["identity","rbac","role","create"],description:"Create a new role with permissions.",goal:"Allow admins to define custom roles.",context:"Role management in admin settings."},io:{input:d,output:g,errors:{ROLE_EXISTS:{description:"A role with this name already exists",http:409,gqlCode:"ROLE_EXISTS",when:"Role name is taken"}}},policy:{auth:"admin"},sideEffects:{audit:["role.created"]}}),gt=q({meta:{key:"identity.rbac.role.update",version:"1.0.0",stability:"stable",owners:["@platform.identity-rbac"],tags:["identity","rbac","role","update"],description:"Update an existing role.",goal:"Allow admins to modify role permissions.",context:"Role management in admin settings."},io:{input:r,output:g},policy:{auth:"admin"},sideEffects:{audit:["role.updated"]}}),It=q({meta:{key:"identity.rbac.role.delete",version:"1.0.0",stability:"stable",owners:["@platform.identity-rbac"],tags:["identity","rbac","role","delete"],description:"Delete an existing role.",goal:"Allow admins to remove unused roles.",context:"Role management. Removes all policy bindings using this role."},io:{input:T,output:D,errors:{ROLE_IN_USE:{description:"Role is still assigned to users or organizations",http:409,gqlCode:"ROLE_IN_USE",when:"Role has active bindings"}}},policy:{auth:"admin"},sideEffects:{audit:["role.deleted"]}}),jt=V({meta:{key:"identity.rbac.role.list",version:"1.0.0",stability:"stable",owners:["@platform.identity-rbac"],tags:["identity","rbac","role","list"],description:"List all available roles.",goal:"Show available roles for assignment.",context:"Role assignment UI."},io:{input:null,output:p},policy:{auth:"user"}}),qt=q({meta:{key:"identity.rbac.assign",version:"1.0.0",stability:"stable",owners:["@platform.identity-rbac"],tags:["identity","rbac","assign"],description:"Assign a role to a user or organization.",goal:"Grant permissions via role assignment.",context:"User/org permission management."},io:{input:y,output:K,errors:{ROLE_NOT_FOUND:{description:"The specified role does not exist",http:404,gqlCode:"ROLE_NOT_FOUND",when:"Role ID is invalid"},ALREADY_ASSIGNED:{description:"This role is already assigned to the target",http:409,gqlCode:"ALREADY_ASSIGNED",when:"Binding already exists"}}},policy:{auth:"admin"},sideEffects:{emits:[{key:"role.assigned",version:"1.0.0",when:"Role is assigned",payload:K}],audit:["role.assigned"]}}),wt=q({meta:{key:"identity.rbac.revoke",version:"1.0.0",stability:"stable",owners:["@platform.identity-rbac"],tags:["identity","rbac","revoke"],description:"Revoke a role from a user or organization.",goal:"Remove permissions via role revocation.",context:"User/org permission management."},io:{input:E,output:D,errors:{BINDING_NOT_FOUND:{description:"The policy binding does not exist",http:404,gqlCode:"BINDING_NOT_FOUND",when:"Binding ID is invalid"}}},policy:{auth:"admin"},sideEffects:{emits:[{key:"role.revoked",version:"1.0.0",when:"Role is revoked",payload:u}],audit:["role.revoked"]}}),Ft=V({meta:{key:"identity.rbac.check",version:"1.0.0",stability:"stable",owners:["@platform.identity-rbac"],tags:["identity","rbac","check","permission"],description:"Check if a user has a specific permission.",goal:"Authorization check before sensitive operations.",context:"Called by other services to verify permissions."},io:{input:n,output:M},policy:{auth:"user"}}),Ht=V({meta:{key:"identity.rbac.permissions",version:"1.0.0",stability:"stable",owners:["@platform.identity-rbac"],tags:["identity","rbac","permissions","user"],description:"List all permissions for a user in a context.",goal:"Show what a user can do in an org.",context:"UI permission display, debugging."},io:{input:c,output:S},policy:{auth:"user"}});export{A as UserProfileModel,$ as UserDeletedPayloadModel,Z as UpdateUserInputModel,e as UpdateUserContract,r as UpdateRoleInputModel,gt as UpdateRoleContract,Q as UpdateOrgInputModel,Lt as UpdateOrgContract,D as SuccessResultModel,g as RoleModel,E as RevokeRoleInputModel,wt as RevokeRoleContract,N as RemoveMemberInputModel,kt as RemoveMemberContract,K as PolicyBindingModel,M as PermissionCheckResultModel,h as OrganizationWithRoleModel,G as OrganizationModel,P as MemberUserModel,W as MemberRemovedPayloadModel,w as MemberModel,z as ListUsersOutputModel,B as ListUsersInputModel,tt as ListUsersContract,S as ListUserPermissionsOutputModel,c as ListUserPermissionsInputModel,Ht as ListUserPermissionsContract,o as ListUserOrgsOutputModel,Dt as ListUserOrgsContract,p as ListRolesOutputModel,jt as ListRolesContract,i as ListMembersOutputModel,f as ListMembersInputModel,At as ListMembersContract,O as InviteMemberInputModel,vt as InviteMemberContract,H as InvitationModel,s as GetOrgInputModel,Ut as GetOrgContract,l as GetCurrentUserContract,_ as DeleteUserInputModel,a as DeleteUserContract,T as DeleteRoleInputModel,It as DeleteRoleContract,Y as CreateUserInputModel,m as CreateUserContract,d as CreateRoleInputModel,Gt as CreateRoleContract,b as CreateOrgInputModel,Ct as CreateOrgContract,n as CheckPermissionInputModel,Ft as CheckPermissionContract,u as BindingIdPayloadModel,y as AssignRoleInputModel,qt as AssignRoleContract,R as AcceptInviteInputModel,xt as AcceptInviteContract};
2
+ import{defineCommand as F,defineQuery as X}from"@contractspec/lib.contracts-spec";import{ScalarTypeEnum as U,SchemaModel as x}from"@contractspec/lib.schema";var I=["platform.identity-rbac"],A=new x({name:"UserProfile",description:"User profile information",fields:{id:{type:U.String_unsecure(),isOptional:!1},email:{type:U.EmailAddress(),isOptional:!1},emailVerified:{type:U.Boolean(),isOptional:!1},name:{type:U.String_unsecure(),isOptional:!0},firstName:{type:U.String_unsecure(),isOptional:!0},lastName:{type:U.String_unsecure(),isOptional:!0},locale:{type:U.String_unsecure(),isOptional:!0},timezone:{type:U.String_unsecure(),isOptional:!0},imageUrl:{type:U.URL(),isOptional:!0},role:{type:U.String_unsecure(),isOptional:!0},onboardingCompleted:{type:U.Boolean(),isOptional:!1},createdAt:{type:U.DateTime(),isOptional:!1}}}),Y=new x({name:"CreateUserInput",description:"Input for creating a new user",fields:{email:{type:U.EmailAddress(),isOptional:!1},name:{type:U.String_unsecure(),isOptional:!0},firstName:{type:U.String_unsecure(),isOptional:!0},lastName:{type:U.String_unsecure(),isOptional:!0},password:{type:U.String_unsecure(),isOptional:!0}}}),Z=new x({name:"UpdateUserInput",description:"Input for updating a user profile",fields:{name:{type:U.String_unsecure(),isOptional:!0},firstName:{type:U.String_unsecure(),isOptional:!0},lastName:{type:U.String_unsecure(),isOptional:!0},locale:{type:U.String_unsecure(),isOptional:!0},timezone:{type:U.String_unsecure(),isOptional:!0},imageUrl:{type:U.URL(),isOptional:!0}}}),_=new x({name:"DeleteUserInput",description:"Input for deleting a user",fields:{confirmEmail:{type:U.EmailAddress(),isOptional:!1}}}),D=new x({name:"SuccessResult",description:"Simple success result",fields:{success:{type:U.Boolean(),isOptional:!1}}}),$=new x({name:"UserDeletedPayload",description:"Payload for user deleted event",fields:{userId:{type:U.String_unsecure(),isOptional:!1}}}),B=new x({name:"ListUsersInput",description:"Input for listing users",fields:{limit:{type:U.Int_unsecure(),isOptional:!0},offset:{type:U.Int_unsecure(),isOptional:!0},search:{type:U.String_unsecure(),isOptional:!0}}}),z=new x({name:"ListUsersOutput",description:"Output for listing users",fields:{users:{type:A,isOptional:!1,isArray:!0},total:{type:U.Int_unsecure(),isOptional:!1}}}),m=F({meta:{key:"identity.user.create",version:"1.0.0",stability:"stable",owners:[...I],tags:["identity","user","create"],description:"Create a new user account.",goal:"Register a new user in the system.",context:"Used during signup flows. May trigger email verification."},io:{input:Y,output:A,errors:{EMAIL_EXISTS:{description:"A user with this email already exists",http:409,gqlCode:"EMAIL_EXISTS",when:"Email is already registered"}}},policy:{auth:"anonymous"},sideEffects:{emits:[{key:"user.created",version:"1.0.0",when:"User is successfully created",payload:A}],audit:["user.created"]}}),l=X({meta:{key:"identity.user.me",version:"1.0.0",stability:"stable",owners:[...I],tags:["identity","user","profile"],description:"Get the current authenticated user profile.",goal:"Retrieve user profile for the authenticated session.",context:"Called on app load and after profile updates."},io:{input:null,output:A},policy:{auth:"user"}}),e=F({meta:{key:"identity.user.update",version:"1.0.0",stability:"stable",owners:[...I],tags:["identity","user","update"],description:"Update user profile information.",goal:"Allow users to update their profile.",context:"Self-service profile updates."},io:{input:Z,output:A},policy:{auth:"user"},sideEffects:{emits:[{key:"user.updated",version:"1.0.0",when:"User profile is updated",payload:A}],audit:["user.updated"]}}),a=F({meta:{key:"identity.user.delete",version:"1.0.0",stability:"stable",owners:[...I],tags:["identity","user","delete"],description:"Delete user account and all associated data.",goal:"Allow users to delete their account (GDPR compliance).",context:"Self-service account deletion. Cascades to memberships, sessions, etc."},io:{input:_,output:D},policy:{auth:"user",escalate:"human_review"},sideEffects:{emits:[{key:"user.deleted",version:"1.0.0",when:"User account is deleted",payload:$}],audit:["user.deleted"]}}),tt=X({meta:{key:"identity.user.list",version:"1.0.0",stability:"stable",owners:[...I],tags:["identity","user","admin","list"],description:"List all users (admin only).",goal:"Allow admins to browse and manage users.",context:"Admin dashboard user management."},io:{input:B,output:z},policy:{auth:"admin"}});import{defineCommand as j,defineQuery as J}from"@contractspec/lib.contracts-spec";import{ScalarTypeEnum as C,SchemaModel as L}from"@contractspec/lib.schema";var k=["platform.identity-rbac"],G=new L({name:"Organization",description:"Organization details",fields:{id:{type:C.String_unsecure(),isOptional:!1},name:{type:C.String_unsecure(),isOptional:!1},slug:{type:C.String_unsecure(),isOptional:!0},logo:{type:C.URL(),isOptional:!0},description:{type:C.String_unsecure(),isOptional:!0},type:{type:C.String_unsecure(),isOptional:!1},onboardingCompleted:{type:C.Boolean(),isOptional:!1},createdAt:{type:C.DateTime(),isOptional:!1}}}),P=new L({name:"MemberUser",description:"Basic user info within a member",fields:{id:{type:C.String_unsecure(),isOptional:!1},email:{type:C.EmailAddress(),isOptional:!1},name:{type:C.String_unsecure(),isOptional:!0}}}),w=new L({name:"Member",description:"Organization member",fields:{id:{type:C.String_unsecure(),isOptional:!1},userId:{type:C.String_unsecure(),isOptional:!1},organizationId:{type:C.String_unsecure(),isOptional:!1},role:{type:C.String_unsecure(),isOptional:!1},createdAt:{type:C.DateTime(),isOptional:!1},user:{type:P,isOptional:!1}}}),H=new L({name:"Invitation",description:"Organization invitation",fields:{id:{type:C.String_unsecure(),isOptional:!1},email:{type:C.EmailAddress(),isOptional:!1},role:{type:C.String_unsecure(),isOptional:!0},status:{type:C.String_unsecure(),isOptional:!1},expiresAt:{type:C.DateTime(),isOptional:!0},createdAt:{type:C.DateTime(),isOptional:!1}}}),b=new L({name:"CreateOrgInput",description:"Input for creating an organization",fields:{name:{type:C.NonEmptyString(),isOptional:!1},slug:{type:C.String_unsecure(),isOptional:!0},description:{type:C.String_unsecure(),isOptional:!0},type:{type:C.String_unsecure(),isOptional:!0}}}),s=new L({name:"GetOrgInput",description:"Input for getting an organization",fields:{orgId:{type:C.String_unsecure(),isOptional:!1}}}),Q=new L({name:"UpdateOrgInput",description:"Input for updating an organization",fields:{orgId:{type:C.String_unsecure(),isOptional:!1},name:{type:C.String_unsecure(),isOptional:!0},slug:{type:C.String_unsecure(),isOptional:!0},logo:{type:C.URL(),isOptional:!0},description:{type:C.String_unsecure(),isOptional:!0}}}),O=new L({name:"InviteMemberInput",description:"Input for inviting a member",fields:{orgId:{type:C.String_unsecure(),isOptional:!1},email:{type:C.EmailAddress(),isOptional:!1},role:{type:C.String_unsecure(),isOptional:!1},teamId:{type:C.String_unsecure(),isOptional:!0}}}),R=new L({name:"AcceptInviteInput",description:"Input for accepting an invitation",fields:{invitationId:{type:C.String_unsecure(),isOptional:!1}}}),N=new L({name:"RemoveMemberInput",description:"Input for removing a member",fields:{orgId:{type:C.String_unsecure(),isOptional:!1},userId:{type:C.String_unsecure(),isOptional:!1}}}),W=new L({name:"MemberRemovedPayload",description:"Payload for member removed event",fields:{orgId:{type:C.String_unsecure(),isOptional:!1},userId:{type:C.String_unsecure(),isOptional:!1}}}),f=new L({name:"ListMembersInput",description:"Input for listing members",fields:{orgId:{type:C.String_unsecure(),isOptional:!1},limit:{type:C.Int_unsecure(),isOptional:!0},offset:{type:C.Int_unsecure(),isOptional:!0}}}),i=new L({name:"ListMembersOutput",description:"Output for listing members",fields:{members:{type:w,isOptional:!1,isArray:!0},total:{type:C.Int_unsecure(),isOptional:!1}}}),h=new L({name:"OrganizationWithRole",description:"Organization with user role",fields:{id:{type:C.String_unsecure(),isOptional:!1},name:{type:C.String_unsecure(),isOptional:!1},slug:{type:C.String_unsecure(),isOptional:!0},logo:{type:C.URL(),isOptional:!0},description:{type:C.String_unsecure(),isOptional:!0},type:{type:C.String_unsecure(),isOptional:!1},onboardingCompleted:{type:C.Boolean(),isOptional:!1},createdAt:{type:C.DateTime(),isOptional:!1},role:{type:C.String_unsecure(),isOptional:!1}}}),o=new L({name:"ListUserOrgsOutput",description:"Output for listing user organizations",fields:{organizations:{type:h,isOptional:!1,isArray:!0}}}),Ct=j({meta:{key:"identity.org.create",version:"1.0.0",stability:"stable",owners:[...k],tags:["identity","org","create"],description:"Create a new organization.",goal:"Allow users to create new organizations/workspaces.",context:"Called during onboarding or when creating additional workspaces."},io:{input:b,output:G,errors:{SLUG_EXISTS:{description:"An organization with this slug already exists",http:409,gqlCode:"SLUG_EXISTS",when:"Slug is already taken"}}},policy:{auth:"user"},sideEffects:{emits:[{key:"org.created",version:"1.0.0",when:"Organization is created",payload:G}],audit:["org.created"]}}),Ut=J({meta:{key:"identity.org.get",version:"1.0.0",stability:"stable",owners:[...k],tags:["identity","org","get"],description:"Get organization details.",goal:"Retrieve organization information.",context:"Called when viewing organization settings or dashboard."},io:{input:s,output:G},policy:{auth:"user"}}),Lt=j({meta:{key:"identity.org.update",version:"1.0.0",stability:"stable",owners:[...k],tags:["identity","org","update"],description:"Update organization details.",goal:"Allow org admins to update organization settings.",context:"Organization settings page."},io:{input:Q,output:G},policy:{auth:"user"},sideEffects:{emits:[{key:"org.updated",version:"1.0.0",when:"Organization is updated",payload:G}],audit:["org.updated"]}}),vt=j({meta:{key:"identity.org.invite",version:"1.0.0",stability:"stable",owners:[...k],tags:["identity","org","invite","member"],description:"Invite a user to join the organization.",goal:"Allow org admins to invite new members.",context:"Team management. Sends invitation email."},io:{input:O,output:H,errors:{ALREADY_MEMBER:{description:"User is already a member of this organization",http:409,gqlCode:"ALREADY_MEMBER",when:"Invitee is already a member"},INVITE_PENDING:{description:"An invitation for this email is already pending",http:409,gqlCode:"INVITE_PENDING",when:"Active invitation exists"}}},policy:{auth:"user"},sideEffects:{emits:[{key:"org.invite.sent",version:"1.0.0",when:"Invitation is sent",payload:H}],audit:["org.invite.sent"]}}),xt=j({meta:{key:"identity.org.invite.accept",version:"1.0.0",stability:"stable",owners:[...k],tags:["identity","org","invite","accept"],description:"Accept an organization invitation.",goal:"Allow users to join organizations via invitation.",context:"Called from invitation email link."},io:{input:R,output:w,errors:{INVITE_EXPIRED:{description:"The invitation has expired",http:410,gqlCode:"INVITE_EXPIRED",when:"Invitation is past expiry date"},INVITE_USED:{description:"The invitation has already been used",http:409,gqlCode:"INVITE_USED",when:"Invitation was already accepted"}}},policy:{auth:"user"},sideEffects:{emits:[{key:"org.member.added",version:"1.0.0",when:"Member joins org",payload:w}],audit:["org.member.added"]}}),kt=j({meta:{key:"identity.org.member.remove",version:"1.0.0",stability:"stable",owners:[...k],tags:["identity","org","member","remove"],description:"Remove a member from the organization.",goal:"Allow org admins to remove members.",context:"Team management."},io:{input:N,output:D,errors:{CANNOT_REMOVE_OWNER:{description:"Cannot remove the organization owner",http:403,gqlCode:"CANNOT_REMOVE_OWNER",when:"Target is the org owner"}}},policy:{auth:"user"},sideEffects:{emits:[{key:"org.member.removed",version:"1.0.0",when:"Member is removed",payload:W}],audit:["org.member.removed"]}}),At=J({meta:{key:"identity.org.members.list",version:"1.0.0",stability:"stable",owners:[...k],tags:["identity","org","member","list"],description:"List organization members.",goal:"View all members of an organization.",context:"Team management page."},io:{input:f,output:i},policy:{auth:"user"}}),Dt=J({meta:{key:"identity.org.list",version:"1.0.0",stability:"stable",owners:[...k],tags:["identity","org","list"],description:"List organizations the current user belongs to.",goal:"Show user their organizations for workspace switching.",context:"Workspace switcher, org selection."},io:{input:null,output:o},policy:{auth:"user"}});import{defineCommand as q,defineQuery as V}from"@contractspec/lib.contracts-spec";import{ScalarTypeEnum as t,SchemaModel as v}from"@contractspec/lib.schema";var g=new v({name:"Role",description:"RBAC role definition",fields:{id:{type:t.String_unsecure(),isOptional:!1},name:{type:t.String_unsecure(),isOptional:!1},description:{type:t.String_unsecure(),isOptional:!0},source:{type:t.String_unsecure(),isOptional:!0},templateKey:{type:t.String_unsecure(),isOptional:!0},templateVersion:{type:t.String_unsecure(),isOptional:!0},disabledAt:{type:t.DateTime(),isOptional:!0},permissions:{type:t.String_unsecure(),isOptional:!1,isArray:!0},createdAt:{type:t.DateTime(),isOptional:!1}}}),K=new v({name:"PolicyBinding",description:"Role assignment to a target",fields:{id:{type:t.String_unsecure(),isOptional:!1},roleId:{type:t.String_unsecure(),isOptional:!1},targetType:{type:t.String_unsecure(),isOptional:!1},targetId:{type:t.String_unsecure(),isOptional:!1},expiresAt:{type:t.DateTime(),isOptional:!0},scopeType:{type:t.String_unsecure(),isOptional:!0},scopeId:{type:t.String_unsecure(),isOptional:!0},tenantId:{type:t.String_unsecure(),isOptional:!0},workspaceId:{type:t.String_unsecure(),isOptional:!0},source:{type:t.String_unsecure(),isOptional:!0},templateKey:{type:t.String_unsecure(),isOptional:!0},templateVersion:{type:t.String_unsecure(),isOptional:!0},effect:{type:t.String_unsecure(),isOptional:!0},disabledAt:{type:t.DateTime(),isOptional:!0},reason:{type:t.String_unsecure(),isOptional:!0},createdAt:{type:t.DateTime(),isOptional:!1},role:{type:g,isOptional:!1}}}),M=new v({name:"PermissionCheckResult",description:"Result of a permission check",fields:{allowed:{type:t.Boolean(),isOptional:!1},reason:{type:t.String_unsecure(),isOptional:!0},matchedRole:{type:t.String_unsecure(),isOptional:!0}}}),d=new v({name:"CreateRoleInput",description:"Input for creating a role",fields:{name:{type:t.NonEmptyString(),isOptional:!1},description:{type:t.String_unsecure(),isOptional:!0},source:{type:t.String_unsecure(),isOptional:!0},templateKey:{type:t.String_unsecure(),isOptional:!0},templateVersion:{type:t.String_unsecure(),isOptional:!0},disabledAt:{type:t.DateTime(),isOptional:!0},permissions:{type:t.String_unsecure(),isOptional:!1,isArray:!0}}}),r=new v({name:"UpdateRoleInput",description:"Input for updating a role",fields:{roleId:{type:t.String_unsecure(),isOptional:!1},name:{type:t.String_unsecure(),isOptional:!0},description:{type:t.String_unsecure(),isOptional:!0},source:{type:t.String_unsecure(),isOptional:!0},templateKey:{type:t.String_unsecure(),isOptional:!0},templateVersion:{type:t.String_unsecure(),isOptional:!0},disabledAt:{type:t.DateTime(),isOptional:!0},permissions:{type:t.String_unsecure(),isOptional:!0,isArray:!0}}}),T=new v({name:"DeleteRoleInput",description:"Input for deleting a role",fields:{roleId:{type:t.String_unsecure(),isOptional:!1}}}),p=new v({name:"ListRolesOutput",description:"Output for listing roles",fields:{roles:{type:g,isOptional:!1,isArray:!0}}}),y=new v({name:"AssignRoleInput",description:"Input for assigning a role",fields:{roleId:{type:t.String_unsecure(),isOptional:!1},targetType:{type:t.String_unsecure(),isOptional:!1},targetId:{type:t.String_unsecure(),isOptional:!1},expiresAt:{type:t.DateTime(),isOptional:!0}}}),E=new v({name:"RevokeRoleInput",description:"Input for revoking a role",fields:{bindingId:{type:t.String_unsecure(),isOptional:!1}}}),u=new v({name:"BindingIdPayload",description:"Payload with binding ID",fields:{bindingId:{type:t.String_unsecure(),isOptional:!1}}}),n=new v({name:"CheckPermissionInput",description:"Input for checking a permission",fields:{userId:{type:t.String_unsecure(),isOptional:!1},orgId:{type:t.String_unsecure(),isOptional:!0},permission:{type:t.String_unsecure(),isOptional:!1}}}),c=new v({name:"ListUserPermissionsInput",description:"Input for listing user permissions",fields:{userId:{type:t.String_unsecure(),isOptional:!1},orgId:{type:t.String_unsecure(),isOptional:!0}}}),S=new v({name:"ListUserPermissionsOutput",description:"Output for listing user permissions",fields:{permissions:{type:t.String_unsecure(),isOptional:!1,isArray:!0},roles:{type:g,isOptional:!1,isArray:!0}}}),Gt=q({meta:{key:"identity.rbac.role.create",version:"1.0.0",stability:"stable",owners:["@platform.identity-rbac"],tags:["identity","rbac","role","create"],description:"Create a new role with permissions.",goal:"Allow admins to define custom roles.",context:"Role management in admin settings."},io:{input:d,output:g,errors:{ROLE_EXISTS:{description:"A role with this name already exists",http:409,gqlCode:"ROLE_EXISTS",when:"Role name is taken"}}},policy:{auth:"admin"},sideEffects:{audit:["role.created"]}}),gt=q({meta:{key:"identity.rbac.role.update",version:"1.0.0",stability:"stable",owners:["@platform.identity-rbac"],tags:["identity","rbac","role","update"],description:"Update an existing role.",goal:"Allow admins to modify role permissions.",context:"Role management in admin settings."},io:{input:r,output:g},policy:{auth:"admin"},sideEffects:{audit:["role.updated"]}}),It=q({meta:{key:"identity.rbac.role.delete",version:"1.0.0",stability:"stable",owners:["@platform.identity-rbac"],tags:["identity","rbac","role","delete"],description:"Delete an existing role.",goal:"Allow admins to remove unused roles.",context:"Role management. Removes all policy bindings using this role."},io:{input:T,output:D,errors:{ROLE_IN_USE:{description:"Role is still assigned to users or organizations",http:409,gqlCode:"ROLE_IN_USE",when:"Role has active bindings"}}},policy:{auth:"admin"},sideEffects:{audit:["role.deleted"]}}),jt=V({meta:{key:"identity.rbac.role.list",version:"1.0.0",stability:"stable",owners:["@platform.identity-rbac"],tags:["identity","rbac","role","list"],description:"List all available roles.",goal:"Show available roles for assignment.",context:"Role assignment UI."},io:{input:null,output:p},policy:{auth:"user"}}),qt=q({meta:{key:"identity.rbac.assign",version:"1.0.0",stability:"stable",owners:["@platform.identity-rbac"],tags:["identity","rbac","assign"],description:"Assign a role to a user or organization.",goal:"Grant permissions via role assignment.",context:"User/org permission management."},io:{input:y,output:K,errors:{ROLE_NOT_FOUND:{description:"The specified role does not exist",http:404,gqlCode:"ROLE_NOT_FOUND",when:"Role ID is invalid"},ALREADY_ASSIGNED:{description:"This role is already assigned to the target",http:409,gqlCode:"ALREADY_ASSIGNED",when:"Binding already exists"}}},policy:{auth:"admin"},sideEffects:{emits:[{key:"role.assigned",version:"1.0.0",when:"Role is assigned",payload:K}],audit:["role.assigned"]}}),wt=q({meta:{key:"identity.rbac.revoke",version:"1.0.0",stability:"stable",owners:["@platform.identity-rbac"],tags:["identity","rbac","revoke"],description:"Revoke a role from a user or organization.",goal:"Remove permissions via role revocation.",context:"User/org permission management."},io:{input:E,output:D,errors:{BINDING_NOT_FOUND:{description:"The policy binding does not exist",http:404,gqlCode:"BINDING_NOT_FOUND",when:"Binding ID is invalid"}}},policy:{auth:"admin"},sideEffects:{emits:[{key:"role.revoked",version:"1.0.0",when:"Role is revoked",payload:u}],audit:["role.revoked"]}}),Ft=V({meta:{key:"identity.rbac.check",version:"1.0.0",stability:"stable",owners:["@platform.identity-rbac"],tags:["identity","rbac","check","permission"],description:"Check if a user has a specific permission.",goal:"Authorization check before sensitive operations.",context:"Called by other services to verify permissions."},io:{input:n,output:M},policy:{auth:"user"}}),Ht=V({meta:{key:"identity.rbac.permissions",version:"1.0.0",stability:"stable",owners:["@platform.identity-rbac"],tags:["identity","rbac","permissions","user"],description:"List all permissions for a user in a context.",goal:"Show what a user can do in an org.",context:"UI permission display, debugging."},io:{input:c,output:S},policy:{auth:"user"}});export{A as UserProfileModel,$ as UserDeletedPayloadModel,Z as UpdateUserInputModel,e as UpdateUserContract,r as UpdateRoleInputModel,gt as UpdateRoleContract,Q as UpdateOrgInputModel,Lt as UpdateOrgContract,D as SuccessResultModel,g as RoleModel,E as RevokeRoleInputModel,wt as RevokeRoleContract,N as RemoveMemberInputModel,kt as RemoveMemberContract,K as PolicyBindingModel,M as PermissionCheckResultModel,h as OrganizationWithRoleModel,G as OrganizationModel,P as MemberUserModel,W as MemberRemovedPayloadModel,w as MemberModel,z as ListUsersOutputModel,B as ListUsersInputModel,tt as ListUsersContract,S as ListUserPermissionsOutputModel,c as ListUserPermissionsInputModel,Ht as ListUserPermissionsContract,o as ListUserOrgsOutputModel,Dt as ListUserOrgsContract,p as ListRolesOutputModel,jt as ListRolesContract,i as ListMembersOutputModel,f as ListMembersInputModel,At as ListMembersContract,O as InviteMemberInputModel,vt as InviteMemberContract,H as InvitationModel,s as GetOrgInputModel,Ut as GetOrgContract,l as GetCurrentUserContract,_ as DeleteUserInputModel,a as DeleteUserContract,T as DeleteRoleInputModel,It as DeleteRoleContract,Y as CreateUserInputModel,m as CreateUserContract,d as CreateRoleInputModel,Gt as CreateRoleContract,b as CreateOrgInputModel,Ct as CreateOrgContract,n as CheckPermissionInputModel,Ft as CheckPermissionContract,u as BindingIdPayloadModel,y as AssignRoleInputModel,qt as AssignRoleContract,R as AcceptInviteInputModel,xt as AcceptInviteContract};
package/dist/contracts/rbac.d.ts CHANGED
@@ -12,6 +12,22 @@ export declare const RoleModel: SchemaModel<{
12
12
  type: import("@contractspec/lib.schema").FieldType<string, string>;
13
13
  isOptional: true;
14
14
  };
15
+ source: {
16
+ type: import("@contractspec/lib.schema").FieldType<string, string>;
17
+ isOptional: true;
18
+ };
19
+ templateKey: {
20
+ type: import("@contractspec/lib.schema").FieldType<string, string>;
21
+ isOptional: true;
22
+ };
23
+ templateVersion: {
24
+ type: import("@contractspec/lib.schema").FieldType<string, string>;
25
+ isOptional: true;
26
+ };
27
+ disabledAt: {
28
+ type: import("@contractspec/lib.schema").FieldType<Date, string>;
29
+ isOptional: true;
30
+ };
15
31
  permissions: {
16
32
  type: import("@contractspec/lib.schema").FieldType<string, string>;
17
33
  isOptional: false;
@@ -43,6 +59,46 @@ export declare const PolicyBindingModel: SchemaModel<{
43
59
  type: import("@contractspec/lib.schema").FieldType<Date, string>;
44
60
  isOptional: true;
45
61
  };
62
+ scopeType: {
63
+ type: import("@contractspec/lib.schema").FieldType<string, string>;
64
+ isOptional: true;
65
+ };
66
+ scopeId: {
67
+ type: import("@contractspec/lib.schema").FieldType<string, string>;
68
+ isOptional: true;
69
+ };
70
+ tenantId: {
71
+ type: import("@contractspec/lib.schema").FieldType<string, string>;
72
+ isOptional: true;
73
+ };
74
+ workspaceId: {
75
+ type: import("@contractspec/lib.schema").FieldType<string, string>;
76
+ isOptional: true;
77
+ };
78
+ source: {
79
+ type: import("@contractspec/lib.schema").FieldType<string, string>;
80
+ isOptional: true;
81
+ };
82
+ templateKey: {
83
+ type: import("@contractspec/lib.schema").FieldType<string, string>;
84
+ isOptional: true;
85
+ };
86
+ templateVersion: {
87
+ type: import("@contractspec/lib.schema").FieldType<string, string>;
88
+ isOptional: true;
89
+ };
90
+ effect: {
91
+ type: import("@contractspec/lib.schema").FieldType<string, string>;
92
+ isOptional: true;
93
+ };
94
+ disabledAt: {
95
+ type: import("@contractspec/lib.schema").FieldType<Date, string>;
96
+ isOptional: true;
97
+ };
98
+ reason: {
99
+ type: import("@contractspec/lib.schema").FieldType<string, string>;
100
+ isOptional: true;
101
+ };
46
102
  createdAt: {
47
103
  type: import("@contractspec/lib.schema").FieldType<Date, string>;
48
104
  isOptional: false;
@@ -61,6 +117,22 @@ export declare const PolicyBindingModel: SchemaModel<{
61
117
  type: import("@contractspec/lib.schema").FieldType<string, string>;
62
118
  isOptional: true;
63
119
  };
120
+ source: {
121
+ type: import("@contractspec/lib.schema").FieldType<string, string>;
122
+ isOptional: true;
123
+ };
124
+ templateKey: {
125
+ type: import("@contractspec/lib.schema").FieldType<string, string>;
126
+ isOptional: true;
127
+ };
128
+ templateVersion: {
129
+ type: import("@contractspec/lib.schema").FieldType<string, string>;
130
+ isOptional: true;
131
+ };
132
+ disabledAt: {
133
+ type: import("@contractspec/lib.schema").FieldType<Date, string>;
134
+ isOptional: true;
135
+ };
64
136
  permissions: {
65
137
  type: import("@contractspec/lib.schema").FieldType<string, string>;
66
138
  isOptional: false;
@@ -97,6 +169,22 @@ export declare const CreateRoleInputModel: SchemaModel<{
97
169
  type: import("@contractspec/lib.schema").FieldType<string, string>;
98
170
  isOptional: true;
99
171
  };
172
+ source: {
173
+ type: import("@contractspec/lib.schema").FieldType<string, string>;
174
+ isOptional: true;
175
+ };
176
+ templateKey: {
177
+ type: import("@contractspec/lib.schema").FieldType<string, string>;
178
+ isOptional: true;
179
+ };
180
+ templateVersion: {
181
+ type: import("@contractspec/lib.schema").FieldType<string, string>;
182
+ isOptional: true;
183
+ };
184
+ disabledAt: {
185
+ type: import("@contractspec/lib.schema").FieldType<Date, string>;
186
+ isOptional: true;
187
+ };
100
188
  permissions: {
101
189
  type: import("@contractspec/lib.schema").FieldType<string, string>;
102
190
  isOptional: false;
@@ -116,6 +204,22 @@ export declare const UpdateRoleInputModel: SchemaModel<{
116
204
  type: import("@contractspec/lib.schema").FieldType<string, string>;
117
205
  isOptional: true;
118
206
  };
207
+ source: {
208
+ type: import("@contractspec/lib.schema").FieldType<string, string>;
209
+ isOptional: true;
210
+ };
211
+ templateKey: {
212
+ type: import("@contractspec/lib.schema").FieldType<string, string>;
213
+ isOptional: true;
214
+ };
215
+ templateVersion: {
216
+ type: import("@contractspec/lib.schema").FieldType<string, string>;
217
+ isOptional: true;
218
+ };
219
+ disabledAt: {
220
+ type: import("@contractspec/lib.schema").FieldType<Date, string>;
221
+ isOptional: true;
222
+ };
119
223
  permissions: {
120
224
  type: import("@contractspec/lib.schema").FieldType<string, string>;
121
225
  isOptional: true;
@@ -143,6 +247,22 @@ export declare const ListRolesOutputModel: SchemaModel<{
143
247
  type: import("@contractspec/lib.schema").FieldType<string, string>;
144
248
  isOptional: true;
145
249
  };
250
+ source: {
251
+ type: import("@contractspec/lib.schema").FieldType<string, string>;
252
+ isOptional: true;
253
+ };
254
+ templateKey: {
255
+ type: import("@contractspec/lib.schema").FieldType<string, string>;
256
+ isOptional: true;
257
+ };
258
+ templateVersion: {
259
+ type: import("@contractspec/lib.schema").FieldType<string, string>;
260
+ isOptional: true;
261
+ };
262
+ disabledAt: {
263
+ type: import("@contractspec/lib.schema").FieldType<Date, string>;
264
+ isOptional: true;
265
+ };
146
266
  permissions: {
147
267
  type: import("@contractspec/lib.schema").FieldType<string, string>;
148
268
  isOptional: false;
@@ -231,6 +351,22 @@ export declare const ListUserPermissionsOutputModel: SchemaModel<{
231
351
  type: import("@contractspec/lib.schema").FieldType<string, string>;
232
352
  isOptional: true;
233
353
  };
354
+ source: {
355
+ type: import("@contractspec/lib.schema").FieldType<string, string>;
356
+ isOptional: true;
357
+ };
358
+ templateKey: {
359
+ type: import("@contractspec/lib.schema").FieldType<string, string>;
360
+ isOptional: true;
361
+ };
362
+ templateVersion: {
363
+ type: import("@contractspec/lib.schema").FieldType<string, string>;
364
+ isOptional: true;
365
+ };
366
+ disabledAt: {
367
+ type: import("@contractspec/lib.schema").FieldType<Date, string>;
368
+ isOptional: true;
369
+ };
234
370
  permissions: {
235
371
  type: import("@contractspec/lib.schema").FieldType<string, string>;
236
372
  isOptional: false;
@@ -257,6 +393,22 @@ export declare const CreateRoleContract: import("@contractspec/lib.contracts-spe
257
393
  type: import("@contractspec/lib.schema").FieldType<string, string>;
258
394
  isOptional: true;
259
395
  };
396
+ source: {
397
+ type: import("@contractspec/lib.schema").FieldType<string, string>;
398
+ isOptional: true;
399
+ };
400
+ templateKey: {
401
+ type: import("@contractspec/lib.schema").FieldType<string, string>;
402
+ isOptional: true;
403
+ };
404
+ templateVersion: {
405
+ type: import("@contractspec/lib.schema").FieldType<string, string>;
406
+ isOptional: true;
407
+ };
408
+ disabledAt: {
409
+ type: import("@contractspec/lib.schema").FieldType<Date, string>;
410
+ isOptional: true;
411
+ };
260
412
  permissions: {
261
413
  type: import("@contractspec/lib.schema").FieldType<string, string>;
262
414
  isOptional: false;
@@ -275,6 +427,22 @@ export declare const CreateRoleContract: import("@contractspec/lib.contracts-spe
275
427
  type: import("@contractspec/lib.schema").FieldType<string, string>;
276
428
  isOptional: true;
277
429
  };
430
+ source: {
431
+ type: import("@contractspec/lib.schema").FieldType<string, string>;
432
+ isOptional: true;
433
+ };
434
+ templateKey: {
435
+ type: import("@contractspec/lib.schema").FieldType<string, string>;
436
+ isOptional: true;
437
+ };
438
+ templateVersion: {
439
+ type: import("@contractspec/lib.schema").FieldType<string, string>;
440
+ isOptional: true;
441
+ };
442
+ disabledAt: {
443
+ type: import("@contractspec/lib.schema").FieldType<Date, string>;
444
+ isOptional: true;
445
+ };
278
446
  permissions: {
279
447
  type: import("@contractspec/lib.schema").FieldType<string, string>;
280
448
  isOptional: false;
@@ -301,6 +469,22 @@ export declare const UpdateRoleContract: import("@contractspec/lib.contracts-spe
301
469
  type: import("@contractspec/lib.schema").FieldType<string, string>;
302
470
  isOptional: true;
303
471
  };
472
+ source: {
473
+ type: import("@contractspec/lib.schema").FieldType<string, string>;
474
+ isOptional: true;
475
+ };
476
+ templateKey: {
477
+ type: import("@contractspec/lib.schema").FieldType<string, string>;
478
+ isOptional: true;
479
+ };
480
+ templateVersion: {
481
+ type: import("@contractspec/lib.schema").FieldType<string, string>;
482
+ isOptional: true;
483
+ };
484
+ disabledAt: {
485
+ type: import("@contractspec/lib.schema").FieldType<Date, string>;
486
+ isOptional: true;
487
+ };
304
488
  permissions: {
305
489
  type: import("@contractspec/lib.schema").FieldType<string, string>;
306
490
  isOptional: true;
@@ -319,6 +503,22 @@ export declare const UpdateRoleContract: import("@contractspec/lib.contracts-spe
319
503
  type: import("@contractspec/lib.schema").FieldType<string, string>;
320
504
  isOptional: true;
321
505
  };
506
+ source: {
507
+ type: import("@contractspec/lib.schema").FieldType<string, string>;
508
+ isOptional: true;
509
+ };
510
+ templateKey: {
511
+ type: import("@contractspec/lib.schema").FieldType<string, string>;
512
+ isOptional: true;
513
+ };
514
+ templateVersion: {
515
+ type: import("@contractspec/lib.schema").FieldType<string, string>;
516
+ isOptional: true;
517
+ };
518
+ disabledAt: {
519
+ type: import("@contractspec/lib.schema").FieldType<Date, string>;
520
+ isOptional: true;
521
+ };
322
522
  permissions: {
323
523
  type: import("@contractspec/lib.schema").FieldType<string, string>;
324
524
  isOptional: false;
@@ -361,6 +561,22 @@ export declare const ListRolesContract: import("@contractspec/lib.contracts-spec
361
561
  type: import("@contractspec/lib.schema").FieldType<string, string>;
362
562
  isOptional: true;
363
563
  };
564
+ source: {
565
+ type: import("@contractspec/lib.schema").FieldType<string, string>;
566
+ isOptional: true;
567
+ };
568
+ templateKey: {
569
+ type: import("@contractspec/lib.schema").FieldType<string, string>;
570
+ isOptional: true;
571
+ };
572
+ templateVersion: {
573
+ type: import("@contractspec/lib.schema").FieldType<string, string>;
574
+ isOptional: true;
575
+ };
576
+ disabledAt: {
577
+ type: import("@contractspec/lib.schema").FieldType<Date, string>;
578
+ isOptional: true;
579
+ };
364
580
  permissions: {
365
581
  type: import("@contractspec/lib.schema").FieldType<string, string>;
366
582
  isOptional: false;
@@ -416,6 +632,46 @@ export declare const AssignRoleContract: import("@contractspec/lib.contracts-spe
416
632
  type: import("@contractspec/lib.schema").FieldType<Date, string>;
417
633
  isOptional: true;
418
634
  };
635
+ scopeType: {
636
+ type: import("@contractspec/lib.schema").FieldType<string, string>;
637
+ isOptional: true;
638
+ };
639
+ scopeId: {
640
+ type: import("@contractspec/lib.schema").FieldType<string, string>;
641
+ isOptional: true;
642
+ };
643
+ tenantId: {
644
+ type: import("@contractspec/lib.schema").FieldType<string, string>;
645
+ isOptional: true;
646
+ };
647
+ workspaceId: {
648
+ type: import("@contractspec/lib.schema").FieldType<string, string>;
649
+ isOptional: true;
650
+ };
651
+ source: {
652
+ type: import("@contractspec/lib.schema").FieldType<string, string>;
653
+ isOptional: true;
654
+ };
655
+ templateKey: {
656
+ type: import("@contractspec/lib.schema").FieldType<string, string>;
657
+ isOptional: true;
658
+ };
659
+ templateVersion: {
660
+ type: import("@contractspec/lib.schema").FieldType<string, string>;
661
+ isOptional: true;
662
+ };
663
+ effect: {
664
+ type: import("@contractspec/lib.schema").FieldType<string, string>;
665
+ isOptional: true;
666
+ };
667
+ disabledAt: {
668
+ type: import("@contractspec/lib.schema").FieldType<Date, string>;
669
+ isOptional: true;
670
+ };
671
+ reason: {
672
+ type: import("@contractspec/lib.schema").FieldType<string, string>;
673
+ isOptional: true;
674
+ };
419
675
  createdAt: {
420
676
  type: import("@contractspec/lib.schema").FieldType<Date, string>;
421
677
  isOptional: false;
@@ -434,6 +690,22 @@ export declare const AssignRoleContract: import("@contractspec/lib.contracts-spe
434
690
  type: import("@contractspec/lib.schema").FieldType<string, string>;
435
691
  isOptional: true;
436
692
  };
693
+ source: {
694
+ type: import("@contractspec/lib.schema").FieldType<string, string>;
695
+ isOptional: true;
696
+ };
697
+ templateKey: {
698
+ type: import("@contractspec/lib.schema").FieldType<string, string>;
699
+ isOptional: true;
700
+ };
701
+ templateVersion: {
702
+ type: import("@contractspec/lib.schema").FieldType<string, string>;
703
+ isOptional: true;
704
+ };
705
+ disabledAt: {
706
+ type: import("@contractspec/lib.schema").FieldType<Date, string>;
707
+ isOptional: true;
708
+ };
437
709
  permissions: {
438
710
  type: import("@contractspec/lib.schema").FieldType<string, string>;
439
711
  isOptional: false;
@@ -471,6 +743,46 @@ export declare const AssignRoleContract: import("@contractspec/lib.contracts-spe
471
743
  type: import("@contractspec/lib.schema").FieldType<Date, string>;
472
744
  isOptional: true;
473
745
  };
746
+ scopeType: {
747
+ type: import("@contractspec/lib.schema").FieldType<string, string>;
748
+ isOptional: true;
749
+ };
750
+ scopeId: {
751
+ type: import("@contractspec/lib.schema").FieldType<string, string>;
752
+ isOptional: true;
753
+ };
754
+ tenantId: {
755
+ type: import("@contractspec/lib.schema").FieldType<string, string>;
756
+ isOptional: true;
757
+ };
758
+ workspaceId: {
759
+ type: import("@contractspec/lib.schema").FieldType<string, string>;
760
+ isOptional: true;
761
+ };
762
+ source: {
763
+ type: import("@contractspec/lib.schema").FieldType<string, string>;
764
+ isOptional: true;
765
+ };
766
+ templateKey: {
767
+ type: import("@contractspec/lib.schema").FieldType<string, string>;
768
+ isOptional: true;
769
+ };
770
+ templateVersion: {
771
+ type: import("@contractspec/lib.schema").FieldType<string, string>;
772
+ isOptional: true;
773
+ };
774
+ effect: {
775
+ type: import("@contractspec/lib.schema").FieldType<string, string>;
776
+ isOptional: true;
777
+ };
778
+ disabledAt: {
779
+ type: import("@contractspec/lib.schema").FieldType<Date, string>;
780
+ isOptional: true;
781
+ };
782
+ reason: {
783
+ type: import("@contractspec/lib.schema").FieldType<string, string>;
784
+ isOptional: true;
785
+ };
474
786
  createdAt: {
475
787
  type: import("@contractspec/lib.schema").FieldType<Date, string>;
476
788
  isOptional: false;
@@ -489,6 +801,22 @@ export declare const AssignRoleContract: import("@contractspec/lib.contracts-spe
489
801
  type: import("@contractspec/lib.schema").FieldType<string, string>;
490
802
  isOptional: true;
491
803
  };
804
+ source: {
805
+ type: import("@contractspec/lib.schema").FieldType<string, string>;
806
+ isOptional: true;
807
+ };
808
+ templateKey: {
809
+ type: import("@contractspec/lib.schema").FieldType<string, string>;
810
+ isOptional: true;
811
+ };
812
+ templateVersion: {
813
+ type: import("@contractspec/lib.schema").FieldType<string, string>;
814
+ isOptional: true;
815
+ };
816
+ disabledAt: {
817
+ type: import("@contractspec/lib.schema").FieldType<Date, string>;
818
+ isOptional: true;
819
+ };
492
820
  permissions: {
493
821
  type: import("@contractspec/lib.schema").FieldType<string, string>;
494
822
  isOptional: false;
@@ -589,6 +917,22 @@ export declare const ListUserPermissionsContract: import("@contractspec/lib.cont
589
917
  type: import("@contractspec/lib.schema").FieldType<string, string>;
590
918
  isOptional: true;
591
919
  };
920
+ source: {
921
+ type: import("@contractspec/lib.schema").FieldType<string, string>;
922
+ isOptional: true;
923
+ };
924
+ templateKey: {
925
+ type: import("@contractspec/lib.schema").FieldType<string, string>;
926
+ isOptional: true;
927
+ };
928
+ templateVersion: {
929
+ type: import("@contractspec/lib.schema").FieldType<string, string>;
930
+ isOptional: true;
931
+ };
932
+ disabledAt: {
933
+ type: import("@contractspec/lib.schema").FieldType<Date, string>;
934
+ isOptional: true;
935
+ };
592
936
  permissions: {
593
937
  type: import("@contractspec/lib.schema").FieldType<string, string>;
594
938
  isOptional: false;