npm - @contractspec/lib.identity-rbac - Versions diffs - 3.7.5 → 3.7.7 - Mend

@contractspec/lib.identity-rbac 3.7.5 → 3.7.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (27) hide show

package/README.md +62 -90
package/dist/browser/contracts/index.js +3 -3
package/dist/browser/contracts/organization.js +2 -2
package/dist/browser/contracts/rbac.js +2 -2
package/dist/browser/contracts/user.js +1 -1
package/dist/browser/entities/index.js +283 -283
package/dist/browser/events.js +1 -1
package/dist/browser/index.js +287 -287
package/dist/contracts/index.d.ts +3 -3
package/dist/contracts/index.js +3 -3
package/dist/contracts/organization.js +2 -2
package/dist/contracts/rbac.js +2 -2
package/dist/contracts/user.js +1 -1
package/dist/entities/index.d.ts +69 -69
package/dist/entities/index.js +283 -283
package/dist/events.js +1 -1
package/dist/index.d.ts +2 -2
package/dist/index.js +287 -287
package/dist/node/contracts/index.js +3 -3
package/dist/node/contracts/organization.js +2 -2
package/dist/node/contracts/rbac.js +2 -2
package/dist/node/contracts/user.js +1 -1
package/dist/node/entities/index.js +283 -283
package/dist/node/events.js +1 -1
package/dist/node/index.js +287 -287
package/dist/policies/index.d.ts +1 -1
package/package.json +7 -7

package/dist/index.js CHANGED Viewed

@@ -1,7 +1,7 @@
 // @bun
 // src/contracts/user.ts
-import { SchemaModel, ScalarTypeEnum } from "@contractspec/lib.schema";
 import { defineCommand, defineQuery } from "@contractspec/lib.contracts-spec";
+import { ScalarTypeEnum, SchemaModel } from "@contractspec/lib.schema";
 var OWNERS = ["platform.identity-rbac"];
 var UserProfileModel = new SchemaModel({
   name: "UserProfile",
@@ -221,8 +221,8 @@ var ListUsersContract = defineQuery({
 });
 // src/contracts/organization.ts
-import { ScalarTypeEnum as ScalarTypeEnum2, SchemaModel as SchemaModel2 } from "@contractspec/lib.schema";
 import { defineCommand as defineCommand2, defineQuery as defineQuery2 } from "@contractspec/lib.contracts-spec";
+import { ScalarTypeEnum as ScalarTypeEnum2, SchemaModel as SchemaModel2 } from "@contractspec/lib.schema";
 var OWNERS2 = ["platform.identity-rbac"];
 var OrganizationModel = new SchemaModel2({
   name: "Organization",
@@ -631,8 +631,8 @@ var ListUserOrgsContract = defineQuery2({
 });
 // src/contracts/rbac.ts
-import { SchemaModel as SchemaModel3, ScalarTypeEnum as ScalarTypeEnum3 } from "@contractspec/lib.schema";
 import { defineCommand as defineCommand3, defineQuery as defineQuery3 } from "@contractspec/lib.contracts-spec";
+import { ScalarTypeEnum as ScalarTypeEnum3, SchemaModel as SchemaModel3 } from "@contractspec/lib.schema";
 var RoleModel = new SchemaModel3({
   name: "Role",
   description: "RBAC role definition",
@@ -985,175 +985,12 @@ var ListUserPermissionsContract = defineQuery3({
     auth: "user"
   }
 });
-// src/entities/user.ts
-import { defineEntity, field, index } from "@contractspec/lib.schema";
-var UserEntity = defineEntity({
-  name: "User",
-  description: "A user of the platform. Users hold core profile information and authenticate via Account records.",
-  schema: "lssm_sigil",
-  map: "user",
-  fields: {
-    id: field.id({ description: "Unique user identifier" }),
-    email: field.email({ isUnique: true, description: "User email address" }),
-    emailVerified: field.boolean({
-      default: false,
-      description: "Whether email has been verified"
-    }),
-    name: field.string({ isOptional: true, description: "Display name" }),
-    firstName: field.string({ isOptional: true, description: "First name" }),
-    lastName: field.string({ isOptional: true, description: "Last name" }),
-    locale: field.string({
-      isOptional: true,
-      description: 'User locale (e.g., "en-US")'
-    }),
-    timezone: field.string({
-      isOptional: true,
-      description: 'Olson timezone (e.g., "Europe/Paris")'
-    }),
-    imageUrl: field.url({
-      isOptional: true,
-      description: "URL of avatar or profile picture"
-    }),
-    image: field.string({
-      isOptional: true,
-      description: "Legacy image field"
-    }),
-    metadata: field.json({
-      isOptional: true,
-      description: "Arbitrary user metadata"
-    }),
-    onboardingCompleted: field.boolean({
-      default: false,
-      description: "Whether onboarding is complete"
-    }),
-    onboardingStep: field.string({
-      isOptional: true,
-      description: "Current onboarding step"
-    }),
-    whitelistedAt: field.dateTime({
-      isOptional: true,
-      description: "When user was whitelisted"
-    }),
-    role: field.string({
-      isOptional: true,
-      default: '"user"',
-      description: "User role (user, admin)"
-    }),
-    banned: field.boolean({
-      default: false,
-      description: "Whether user is banned"
-    }),
-    banReason: field.string({
-      isOptional: true,
-      description: "Reason for ban"
-    }),
-    banExpires: field.dateTime({
-      isOptional: true,
-      description: "When ban expires"
-    }),
-    phoneNumber: field.string({
-      isOptional: true,
-      isUnique: true,
-      description: "Phone number"
-    }),
-    phoneNumberVerified: field.boolean({
-      default: false,
-      description: "Whether phone is verified"
-    }),
-    createdAt: field.createdAt(),
-    updatedAt: field.updatedAt(),
-    sessions: field.hasMany("Session"),
-    accounts: field.hasMany("Account"),
-    memberships: field.hasMany("Member"),
-    invitations: field.hasMany("Invitation"),
-    teamMemberships: field.hasMany("TeamMember"),
-    policyBindings: field.hasMany("PolicyBinding"),
-    apiKeys: field.hasMany("ApiKey"),
-    passkeys: field.hasMany("Passkey")
-  }
-});
-var SessionEntity = defineEntity({
-  name: "Session",
-  description: "Represents a login session (e.g., web session or API token).",
-  schema: "lssm_sigil",
-  map: "session",
-  fields: {
-    id: field.id(),
-    userId: field.foreignKey(),
-    expiresAt: field.dateTime({ description: "Session expiration time" }),
-    token: field.string({ isUnique: true, description: "Session token" }),
-    ipAddress: field.string({
-      isOptional: true,
-      description: "Client IP address"
-    }),
-    userAgent: field.string({
-      isOptional: true,
-      description: "Client user agent"
-    }),
-    impersonatedBy: field.string({
-      isOptional: true,
-      description: "Admin impersonating this session"
-    }),
-    activeOrganizationId: field.string({
-      isOptional: true,
-      description: "Active org context"
-    }),
-    activeTeamId: field.string({
-      isOptional: true,
-      description: "Active team context"
-    }),
-    createdAt: field.createdAt(),
-    updatedAt: field.updatedAt(),
-    user: field.belongsTo("User", ["userId"], ["id"], { onDelete: "Cascade" })
-  }
-});
-var AccountEntity = defineEntity({
-  name: "Account",
-  description: "External authentication accounts (OAuth, password, etc.).",
-  schema: "lssm_sigil",
-  map: "account",
-  fields: {
-    id: field.id(),
-    accountId: field.string({ description: "Account ID from provider" }),
-    providerId: field.string({ description: "Provider identifier" }),
-    userId: field.foreignKey(),
-    accessToken: field.string({ isOptional: true }),
-    refreshToken: field.string({ isOptional: true }),
-    idToken: field.string({ isOptional: true }),
-    accessTokenExpiresAt: field.dateTime({ isOptional: true }),
-    refreshTokenExpiresAt: field.dateTime({ isOptional: true }),
-    scope: field.string({ isOptional: true }),
-    password: field.string({
-      isOptional: true,
-      description: "Hashed password for password providers"
-    }),
-    createdAt: field.createdAt(),
-    updatedAt: field.updatedAt(),
-    user: field.belongsTo("User", ["userId"], ["id"], { onDelete: "Cascade" })
-  },
-  indexes: [index.unique(["accountId", "providerId"])]
-});
-var VerificationEntity = defineEntity({
-  name: "Verification",
-  description: "Verification tokens for email/phone confirmation.",
-  schema: "lssm_sigil",
-  map: "verification",
-  fields: {
-    id: field.uuid(),
-    identifier: field.string({ description: "Email or phone being verified" }),
-    value: field.string({ description: "Verification code/token" }),
-    expiresAt: field.dateTime({ description: "Token expiration" }),
-    createdAt: field.createdAt(),
-    updatedAt: field.updatedAt()
-  }
-});
 // src/entities/organization.ts
 import {
-  defineEntity as defineEntity2,
+  defineEntity,
   defineEntityEnum,
-  field as field2,
-  index as index2
+  field,
+  index
 } from "@contractspec/lib.schema";
 var OrganizationTypeEnum = defineEntityEnum({
   name: "OrganizationType",
@@ -1161,251 +998,414 @@ var OrganizationTypeEnum = defineEntityEnum({
   schema: "lssm_sigil",
   description: "Type of organization in the platform."
 });
-var OrganizationEntity = defineEntity2({
+var OrganizationEntity = defineEntity({
   name: "Organization",
   description: "An organization is a tenant boundary grouping users.",
   schema: "lssm_sigil",
   map: "organization",
   fields: {
-    id: field2.id({ description: "Unique organization identifier" }),
-    name: field2.string({ description: "Organization display name" }),
-    slug: field2.string({
+    id: field.id({ description: "Unique organization identifier" }),
+    name: field.string({ description: "Organization display name" }),
+    slug: field.string({
       isOptional: true,
       isUnique: true,
       description: "URL-friendly identifier"
     }),
-    logo: field2.url({ isOptional: true, description: "Organization logo URL" }),
-    description: field2.string({
+    logo: field.url({ isOptional: true, description: "Organization logo URL" }),
+    description: field.string({
       isOptional: true,
       description: "Organization description"
     }),
-    metadata: field2.json({
+    metadata: field.json({
       isOptional: true,
       description: "Arbitrary organization metadata"
     }),
-    type: field2.enum("OrganizationType", { description: "Organization type" }),
-    onboardingCompleted: field2.boolean({ default: false }),
-    onboardingStep: field2.string({ isOptional: true }),
-    referralCode: field2.string({
+    type: field.enum("OrganizationType", { description: "Organization type" }),
+    onboardingCompleted: field.boolean({ default: false }),
+    onboardingStep: field.string({ isOptional: true }),
+    referralCode: field.string({
       isOptional: true,
       isUnique: true,
       description: "Unique referral code"
     }),
-    referredBy: field2.string({
+    referredBy: field.string({
       isOptional: true,
       description: "ID of referring user"
     }),
-    createdAt: field2.createdAt(),
-    updatedAt: field2.updatedAt(),
-    members: field2.hasMany("Member"),
-    invitations: field2.hasMany("Invitation"),
-    teams: field2.hasMany("Team"),
-    policyBindings: field2.hasMany("PolicyBinding")
+    createdAt: field.createdAt(),
+    updatedAt: field.updatedAt(),
+    members: field.hasMany("Member"),
+    invitations: field.hasMany("Invitation"),
+    teams: field.hasMany("Team"),
+    policyBindings: field.hasMany("PolicyBinding")
   },
   enums: [OrganizationTypeEnum]
 });
-var MemberEntity = defineEntity2({
+var MemberEntity = defineEntity({
   name: "Member",
   description: "Membership of a user in an organization with a role.",
   schema: "lssm_sigil",
   map: "member",
   fields: {
-    id: field2.id(),
-    userId: field2.foreignKey(),
-    organizationId: field2.foreignKey(),
-    role: field2.string({
+    id: field.id(),
+    userId: field.foreignKey(),
+    organizationId: field.foreignKey(),
+    role: field.string({
       description: "Role in organization (owner, admin, member)"
     }),
-    createdAt: field2.createdAt(),
-    user: field2.belongsTo("User", ["userId"], ["id"], { onDelete: "Cascade" }),
-    organization: field2.belongsTo("Organization", ["organizationId"], ["id"], {
+    createdAt: field.createdAt(),
+    user: field.belongsTo("User", ["userId"], ["id"], { onDelete: "Cascade" }),
+    organization: field.belongsTo("Organization", ["organizationId"], ["id"], {
       onDelete: "Cascade"
     })
   },
-  indexes: [index2.unique(["userId", "organizationId"])]
+  indexes: [index.unique(["userId", "organizationId"])]
 });
-var InvitationEntity = defineEntity2({
+var InvitationEntity = defineEntity({
   name: "Invitation",
   description: "An invitation to join an organization.",
   schema: "lssm_sigil",
   map: "invitation",
   fields: {
-    id: field2.id(),
-    organizationId: field2.foreignKey(),
-    email: field2.email({ description: "Invited email address" }),
-    role: field2.string({
+    id: field.id(),
+    organizationId: field.foreignKey(),
+    email: field.email({ description: "Invited email address" }),
+    role: field.string({
       isOptional: true,
       description: "Role to assign on acceptance"
     }),
-    status: field2.string({
+    status: field.string({
       default: '"pending"',
       description: "Invitation status"
     }),
-    acceptedAt: field2.dateTime({ isOptional: true }),
-    expiresAt: field2.dateTime({ isOptional: true }),
-    inviterId: field2.foreignKey({
+    acceptedAt: field.dateTime({ isOptional: true }),
+    expiresAt: field.dateTime({ isOptional: true }),
+    inviterId: field.foreignKey({
       description: "User who sent the invitation"
     }),
-    teamId: field2.string({ isOptional: true }),
-    createdAt: field2.createdAt(),
-    updatedAt: field2.updatedAt(),
-    organization: field2.belongsTo("Organization", ["organizationId"], ["id"], {
+    teamId: field.string({ isOptional: true }),
+    createdAt: field.createdAt(),
+    updatedAt: field.updatedAt(),
+    organization: field.belongsTo("Organization", ["organizationId"], ["id"], {
       onDelete: "Cascade"
     }),
-    inviter: field2.belongsTo("User", ["inviterId"], ["id"], {
+    inviter: field.belongsTo("User", ["inviterId"], ["id"], {
       onDelete: "Cascade"
     }),
-    team: field2.belongsTo("Team", ["teamId"], ["id"], { onDelete: "Cascade" })
+    team: field.belongsTo("Team", ["teamId"], ["id"], { onDelete: "Cascade" })
   }
 });
-var TeamEntity = defineEntity2({
+var TeamEntity = defineEntity({
   name: "Team",
   description: "Team within an organization.",
   schema: "lssm_sigil",
   map: "team",
   fields: {
-    id: field2.id(),
-    name: field2.string({ description: "Team name" }),
-    organizationId: field2.foreignKey(),
-    createdAt: field2.createdAt(),
-    updatedAt: field2.updatedAt(),
-    organization: field2.belongsTo("Organization", ["organizationId"], ["id"], {
+    id: field.id(),
+    name: field.string({ description: "Team name" }),
+    organizationId: field.foreignKey(),
+    createdAt: field.createdAt(),
+    updatedAt: field.updatedAt(),
+    organization: field.belongsTo("Organization", ["organizationId"], ["id"], {
       onDelete: "Cascade"
     }),
-    members: field2.hasMany("TeamMember"),
-    invitations: field2.hasMany("Invitation")
+    members: field.hasMany("TeamMember"),
+    invitations: field.hasMany("Invitation")
   }
 });
-var TeamMemberEntity = defineEntity2({
+var TeamMemberEntity = defineEntity({
   name: "TeamMember",
   description: "Team membership for a user.",
   schema: "lssm_sigil",
   map: "team_member",
   fields: {
-    id: field2.id(),
-    teamId: field2.foreignKey(),
-    userId: field2.foreignKey(),
-    createdAt: field2.createdAt(),
-    team: field2.belongsTo("Team", ["teamId"], ["id"], { onDelete: "Cascade" }),
-    user: field2.belongsTo("User", ["userId"], ["id"], { onDelete: "Cascade" })
+    id: field.id(),
+    teamId: field.foreignKey(),
+    userId: field.foreignKey(),
+    createdAt: field.createdAt(),
+    team: field.belongsTo("Team", ["teamId"], ["id"], { onDelete: "Cascade" }),
+    user: field.belongsTo("User", ["userId"], ["id"], { onDelete: "Cascade" })
   }
 });
 // src/entities/rbac.ts
-import { defineEntity as defineEntity3, field as field3, index as index3 } from "@contractspec/lib.schema";
-var RoleEntity = defineEntity3({
+import { defineEntity as defineEntity2, field as field2, index as index2 } from "@contractspec/lib.schema";
+var RoleEntity = defineEntity2({
   name: "Role",
   description: "A role defines a named set of permissions.",
   schema: "lssm_sigil",
   map: "role",
   fields: {
-    id: field3.id(),
-    name: field3.string({ isUnique: true, description: "Unique role name" }),
-    description: field3.string({
+    id: field2.id(),
+    name: field2.string({ isUnique: true, description: "Unique role name" }),
+    description: field2.string({
       isOptional: true,
       description: "Role description"
     }),
-    permissions: field3.string({
+    permissions: field2.string({
       isArray: true,
       description: "Array of permission names"
     }),
-    createdAt: field3.createdAt(),
-    updatedAt: field3.updatedAt(),
-    policyBindings: field3.hasMany("PolicyBinding")
+    createdAt: field2.createdAt(),
+    updatedAt: field2.updatedAt(),
+    policyBindings: field2.hasMany("PolicyBinding")
   }
 });
-var PermissionEntity = defineEntity3({
+var PermissionEntity = defineEntity2({
   name: "Permission",
   description: "A permission represents an atomic access right.",
   schema: "lssm_sigil",
   map: "permission",
   fields: {
-    id: field3.id(),
-    name: field3.string({
+    id: field2.id(),
+    name: field2.string({
       isUnique: true,
       description: "Unique permission name"
     }),
-    description: field3.string({
+    description: field2.string({
       isOptional: true,
       description: "Permission description"
     }),
-    createdAt: field3.createdAt(),
-    updatedAt: field3.updatedAt()
+    createdAt: field2.createdAt(),
+    updatedAt: field2.updatedAt()
   }
 });
-var PolicyBindingEntity = defineEntity3({
+var PolicyBindingEntity = defineEntity2({
   name: "PolicyBinding",
   description: "Binds roles to principals (users or organizations).",
   schema: "lssm_sigil",
   map: "policy_binding",
   fields: {
-    id: field3.id(),
-    roleId: field3.foreignKey(),
-    targetType: field3.string({ description: '"user" or "organization"' }),
-    targetId: field3.string({ description: "ID of User or Organization" }),
-    expiresAt: field3.dateTime({
+    id: field2.id(),
+    roleId: field2.foreignKey(),
+    targetType: field2.string({ description: '"user" or "organization"' }),
+    targetId: field2.string({ description: "ID of User or Organization" }),
+    expiresAt: field2.dateTime({
       isOptional: true,
       description: "When binding expires"
     }),
-    createdAt: field3.createdAt(),
-    userId: field3.string({ isOptional: true }),
-    organizationId: field3.string({ isOptional: true }),
-    role: field3.belongsTo("Role", ["roleId"], ["id"], { onDelete: "Cascade" }),
-    user: field3.belongsTo("User", ["userId"], ["id"]),
-    organization: field3.belongsTo("Organization", ["organizationId"], ["id"])
+    createdAt: field2.createdAt(),
+    userId: field2.string({ isOptional: true }),
+    organizationId: field2.string({ isOptional: true }),
+    role: field2.belongsTo("Role", ["roleId"], ["id"], { onDelete: "Cascade" }),
+    user: field2.belongsTo("User", ["userId"], ["id"]),
+    organization: field2.belongsTo("Organization", ["organizationId"], ["id"])
   },
-  indexes: [index3.on(["targetType", "targetId"])]
+  indexes: [index2.on(["targetType", "targetId"])]
 });
-var ApiKeyEntity = defineEntity3({
+var ApiKeyEntity = defineEntity2({
   name: "ApiKey",
   description: "API keys for programmatic access.",
   schema: "lssm_sigil",
   map: "api_key",
   fields: {
-    id: field3.id(),
-    name: field3.string({ description: "API key name" }),
-    start: field3.string({
+    id: field2.id(),
+    name: field2.string({ description: "API key name" }),
+    start: field2.string({
       description: "Starting characters for identification"
     }),
-    prefix: field3.string({ description: "API key prefix" }),
-    key: field3.string({ description: "Hashed API key" }),
+    prefix: field2.string({ description: "API key prefix" }),
+    key: field2.string({ description: "Hashed API key" }),
+    userId: field2.foreignKey(),
+    refillInterval: field2.int({ description: "Refill interval in ms" }),
+    refillAmount: field2.int({ description: "Amount to refill" }),
+    lastRefillAt: field2.dateTime(),
+    remaining: field2.int({ description: "Remaining requests" }),
+    requestCount: field2.int({ description: "Total requests made" }),
+    lastRequest: field2.dateTime(),
+    enabled: field2.boolean({ default: true }),
+    rateLimitEnabled: field2.boolean({ default: true }),
+    rateLimitTimeWindow: field2.int({ description: "Rate limit window in ms" }),
+    rateLimitMax: field2.int({ description: "Max requests in window" }),
+    expiresAt: field2.dateTime(),
+    permissions: field2.string({ isArray: true }),
+    metadata: field2.json({ isOptional: true }),
+    createdAt: field2.createdAt(),
+    updatedAt: field2.updatedAt(),
+    user: field2.belongsTo("User", ["userId"], ["id"], { onDelete: "Cascade" })
+  }
+});
+var PasskeyEntity = defineEntity2({
+  name: "Passkey",
+  description: "WebAuthn passkeys for passwordless authentication.",
+  schema: "lssm_sigil",
+  map: "passkey",
+  fields: {
+    id: field2.id(),
+    name: field2.string({ description: "Passkey name" }),
+    publicKey: field2.string({ description: "Public key" }),
+    userId: field2.foreignKey(),
+    credentialID: field2.string({ description: "Credential ID" }),
+    counter: field2.int({ description: "Counter" }),
+    deviceType: field2.string({ description: "Device type" }),
+    backedUp: field2.boolean({ description: "Whether passkey is backed up" }),
+    transports: field2.string({ description: "Transports" }),
+    aaguid: field2.string({ description: "Authenticator GUID" }),
+    createdAt: field2.createdAt(),
+    user: field2.belongsTo("User", ["userId"], ["id"], { onDelete: "Cascade" })
+  }
+});
+// src/entities/user.ts
+import { defineEntity as defineEntity3, field as field3, index as index3 } from "@contractspec/lib.schema";
+var UserEntity = defineEntity3({
+  name: "User",
+  description: "A user of the platform. Users hold core profile information and authenticate via Account records.",
+  schema: "lssm_sigil",
+  map: "user",
+  fields: {
+    id: field3.id({ description: "Unique user identifier" }),
+    email: field3.email({ isUnique: true, description: "User email address" }),
+    emailVerified: field3.boolean({
+      default: false,
+      description: "Whether email has been verified"
+    }),
+    name: field3.string({ isOptional: true, description: "Display name" }),
+    firstName: field3.string({ isOptional: true, description: "First name" }),
+    lastName: field3.string({ isOptional: true, description: "Last name" }),
+    locale: field3.string({
+      isOptional: true,
+      description: 'User locale (e.g., "en-US")'
+    }),
+    timezone: field3.string({
+      isOptional: true,
+      description: 'Olson timezone (e.g., "Europe/Paris")'
+    }),
+    imageUrl: field3.url({
+      isOptional: true,
+      description: "URL of avatar or profile picture"
+    }),
+    image: field3.string({
+      isOptional: true,
+      description: "Legacy image field"
+    }),
+    metadata: field3.json({
+      isOptional: true,
+      description: "Arbitrary user metadata"
+    }),
+    onboardingCompleted: field3.boolean({
+      default: false,
+      description: "Whether onboarding is complete"
+    }),
+    onboardingStep: field3.string({
+      isOptional: true,
+      description: "Current onboarding step"
+    }),
+    whitelistedAt: field3.dateTime({
+      isOptional: true,
+      description: "When user was whitelisted"
+    }),
+    role: field3.string({
+      isOptional: true,
+      default: '"user"',
+      description: "User role (user, admin)"
+    }),
+    banned: field3.boolean({
+      default: false,
+      description: "Whether user is banned"
+    }),
+    banReason: field3.string({
+      isOptional: true,
+      description: "Reason for ban"
+    }),
+    banExpires: field3.dateTime({
+      isOptional: true,
+      description: "When ban expires"
+    }),
+    phoneNumber: field3.string({
+      isOptional: true,
+      isUnique: true,
+      description: "Phone number"
+    }),
+    phoneNumberVerified: field3.boolean({
+      default: false,
+      description: "Whether phone is verified"
+    }),
+    createdAt: field3.createdAt(),
+    updatedAt: field3.updatedAt(),
+    sessions: field3.hasMany("Session"),
+    accounts: field3.hasMany("Account"),
+    memberships: field3.hasMany("Member"),
+    invitations: field3.hasMany("Invitation"),
+    teamMemberships: field3.hasMany("TeamMember"),
+    policyBindings: field3.hasMany("PolicyBinding"),
+    apiKeys: field3.hasMany("ApiKey"),
+    passkeys: field3.hasMany("Passkey")
+  }
+});
+var SessionEntity = defineEntity3({
+  name: "Session",
+  description: "Represents a login session (e.g., web session or API token).",
+  schema: "lssm_sigil",
+  map: "session",
+  fields: {
+    id: field3.id(),
     userId: field3.foreignKey(),
-    refillInterval: field3.int({ description: "Refill interval in ms" }),
-    refillAmount: field3.int({ description: "Amount to refill" }),
-    lastRefillAt: field3.dateTime(),
-    remaining: field3.int({ description: "Remaining requests" }),
-    requestCount: field3.int({ description: "Total requests made" }),
-    lastRequest: field3.dateTime(),
-    enabled: field3.boolean({ default: true }),
-    rateLimitEnabled: field3.boolean({ default: true }),
-    rateLimitTimeWindow: field3.int({ description: "Rate limit window in ms" }),
-    rateLimitMax: field3.int({ description: "Max requests in window" }),
-    expiresAt: field3.dateTime(),
-    permissions: field3.string({ isArray: true }),
-    metadata: field3.json({ isOptional: true }),
+    expiresAt: field3.dateTime({ description: "Session expiration time" }),
+    token: field3.string({ isUnique: true, description: "Session token" }),
+    ipAddress: field3.string({
+      isOptional: true,
+      description: "Client IP address"
+    }),
+    userAgent: field3.string({
+      isOptional: true,
+      description: "Client user agent"
+    }),
+    impersonatedBy: field3.string({
+      isOptional: true,
+      description: "Admin impersonating this session"
+    }),
+    activeOrganizationId: field3.string({
+      isOptional: true,
+      description: "Active org context"
+    }),
+    activeTeamId: field3.string({
+      isOptional: true,
+      description: "Active team context"
+    }),
     createdAt: field3.createdAt(),
     updatedAt: field3.updatedAt(),
     user: field3.belongsTo("User", ["userId"], ["id"], { onDelete: "Cascade" })
   }
 });
-var PasskeyEntity = defineEntity3({
-  name: "Passkey",
-  description: "WebAuthn passkeys for passwordless authentication.",
+var AccountEntity = defineEntity3({
+  name: "Account",
+  description: "External authentication accounts (OAuth, password, etc.).",
   schema: "lssm_sigil",
-  map: "passkey",
+  map: "account",
   fields: {
     id: field3.id(),
-    name: field3.string({ description: "Passkey name" }),
-    publicKey: field3.string({ description: "Public key" }),
+    accountId: field3.string({ description: "Account ID from provider" }),
+    providerId: field3.string({ description: "Provider identifier" }),
     userId: field3.foreignKey(),
-    credentialID: field3.string({ description: "Credential ID" }),
-    counter: field3.int({ description: "Counter" }),
-    deviceType: field3.string({ description: "Device type" }),
-    backedUp: field3.boolean({ description: "Whether passkey is backed up" }),
-    transports: field3.string({ description: "Transports" }),
-    aaguid: field3.string({ description: "Authenticator GUID" }),
+    accessToken: field3.string({ isOptional: true }),
+    refreshToken: field3.string({ isOptional: true }),
+    idToken: field3.string({ isOptional: true }),
+    accessTokenExpiresAt: field3.dateTime({ isOptional: true }),
+    refreshTokenExpiresAt: field3.dateTime({ isOptional: true }),
+    scope: field3.string({ isOptional: true }),
+    password: field3.string({
+      isOptional: true,
+      description: "Hashed password for password providers"
+    }),
     createdAt: field3.createdAt(),
+    updatedAt: field3.updatedAt(),
     user: field3.belongsTo("User", ["userId"], ["id"], { onDelete: "Cascade" })
+  },
+  indexes: [index3.unique(["accountId", "providerId"])]
+});
+var VerificationEntity = defineEntity3({
+  name: "Verification",
+  description: "Verification tokens for email/phone confirmation.",
+  schema: "lssm_sigil",
+  map: "verification",
+  fields: {
+    id: field3.uuid(),
+    identifier: field3.string({ description: "Email or phone being verified" }),
+    value: field3.string({ description: "Verification code/token" }),
+    expiresAt: field3.dateTime({ description: "Token expiration" }),
+    createdAt: field3.createdAt(),
+    updatedAt: field3.updatedAt()
   }
 });
 // src/entities/index.ts
@@ -1432,8 +1432,8 @@ var identityRbacSchemaContribution = {
 };
 // src/events.ts
-import { SchemaModel as SchemaModel4, ScalarTypeEnum as ScalarTypeEnum4 } from "@contractspec/lib.schema";
 import { defineEvent } from "@contractspec/lib.contracts-spec";
+import { ScalarTypeEnum as ScalarTypeEnum4, SchemaModel as SchemaModel4 } from "@contractspec/lib.schema";
 var UserCreatedPayload = new SchemaModel4({
   name: "UserCreatedPayload",
   description: "Payload for user created event",