@contractspec/lib.identity-rbac 3.7.6 → 3.7.10

package/dist/browser/index.js

@@ -1,6 +1,6 @@
 // src/contracts/user.ts
-import { SchemaModel, ScalarTypeEnum } from "@contractspec/lib.schema";
 import { defineCommand, defineQuery } from "@contractspec/lib.contracts-spec";
+import { ScalarTypeEnum, SchemaModel } from "@contractspec/lib.schema";
 var OWNERS = ["platform.identity-rbac"];
 var UserProfileModel = new SchemaModel({
   name: "UserProfile",
@@ -220,8 +220,8 @@ var ListUsersContract = defineQuery({
 });
 
 // src/contracts/organization.ts
-import { ScalarTypeEnum as ScalarTypeEnum2, SchemaModel as SchemaModel2 } from "@contractspec/lib.schema";
 import { defineCommand as defineCommand2, defineQuery as defineQuery2 } from "@contractspec/lib.contracts-spec";
+import { ScalarTypeEnum as ScalarTypeEnum2, SchemaModel as SchemaModel2 } from "@contractspec/lib.schema";
 var OWNERS2 = ["platform.identity-rbac"];
 var OrganizationModel = new SchemaModel2({
   name: "Organization",
@@ -630,8 +630,8 @@ var ListUserOrgsContract = defineQuery2({
 });
 
 // src/contracts/rbac.ts
-import { SchemaModel as SchemaModel3, ScalarTypeEnum as ScalarTypeEnum3 } from "@contractspec/lib.schema";
 import { defineCommand as defineCommand3, defineQuery as defineQuery3 } from "@contractspec/lib.contracts-spec";
+import { ScalarTypeEnum as ScalarTypeEnum3, SchemaModel as SchemaModel3 } from "@contractspec/lib.schema";
 var RoleModel = new SchemaModel3({
   name: "Role",
   description: "RBAC role definition",
@@ -984,175 +984,12 @@ var ListUserPermissionsContract = defineQuery3({
     auth: "user"
   }
 });
-// src/entities/user.ts
-import { defineEntity, field, index } from "@contractspec/lib.schema";
-var UserEntity = defineEntity({
-  name: "User",
-  description: "A user of the platform. Users hold core profile information and authenticate via Account records.",
-  schema: "lssm_sigil",
-  map: "user",
-  fields: {
-    id: field.id({ description: "Unique user identifier" }),
-    email: field.email({ isUnique: true, description: "User email address" }),
-    emailVerified: field.boolean({
-      default: false,
-      description: "Whether email has been verified"
-    }),
-    name: field.string({ isOptional: true, description: "Display name" }),
-    firstName: field.string({ isOptional: true, description: "First name" }),
-    lastName: field.string({ isOptional: true, description: "Last name" }),
-    locale: field.string({
-      isOptional: true,
-      description: 'User locale (e.g., "en-US")'
-    }),
-    timezone: field.string({
-      isOptional: true,
-      description: 'Olson timezone (e.g., "Europe/Paris")'
-    }),
-    imageUrl: field.url({
-      isOptional: true,
-      description: "URL of avatar or profile picture"
-    }),
-    image: field.string({
-      isOptional: true,
-      description: "Legacy image field"
-    }),
-    metadata: field.json({
-      isOptional: true,
-      description: "Arbitrary user metadata"
-    }),
-    onboardingCompleted: field.boolean({
-      default: false,
-      description: "Whether onboarding is complete"
-    }),
-    onboardingStep: field.string({
-      isOptional: true,
-      description: "Current onboarding step"
-    }),
-    whitelistedAt: field.dateTime({
-      isOptional: true,
-      description: "When user was whitelisted"
-    }),
-    role: field.string({
-      isOptional: true,
-      default: '"user"',
-      description: "User role (user, admin)"
-    }),
-    banned: field.boolean({
-      default: false,
-      description: "Whether user is banned"
-    }),
-    banReason: field.string({
-      isOptional: true,
-      description: "Reason for ban"
-    }),
-    banExpires: field.dateTime({
-      isOptional: true,
-      description: "When ban expires"
-    }),
-    phoneNumber: field.string({
-      isOptional: true,
-      isUnique: true,
-      description: "Phone number"
-    }),
-    phoneNumberVerified: field.boolean({
-      default: false,
-      description: "Whether phone is verified"
-    }),
-    createdAt: field.createdAt(),
-    updatedAt: field.updatedAt(),
-    sessions: field.hasMany("Session"),
-    accounts: field.hasMany("Account"),
-    memberships: field.hasMany("Member"),
-    invitations: field.hasMany("Invitation"),
-    teamMemberships: field.hasMany("TeamMember"),
-    policyBindings: field.hasMany("PolicyBinding"),
-    apiKeys: field.hasMany("ApiKey"),
-    passkeys: field.hasMany("Passkey")
-  }
-});
-var SessionEntity = defineEntity({
-  name: "Session",
-  description: "Represents a login session (e.g., web session or API token).",
-  schema: "lssm_sigil",
-  map: "session",
-  fields: {
-    id: field.id(),
-    userId: field.foreignKey(),
-    expiresAt: field.dateTime({ description: "Session expiration time" }),
-    token: field.string({ isUnique: true, description: "Session token" }),
-    ipAddress: field.string({
-      isOptional: true,
-      description: "Client IP address"
-    }),
-    userAgent: field.string({
-      isOptional: true,
-      description: "Client user agent"
-    }),
-    impersonatedBy: field.string({
-      isOptional: true,
-      description: "Admin impersonating this session"
-    }),
-    activeOrganizationId: field.string({
-      isOptional: true,
-      description: "Active org context"
-    }),
-    activeTeamId: field.string({
-      isOptional: true,
-      description: "Active team context"
-    }),
-    createdAt: field.createdAt(),
-    updatedAt: field.updatedAt(),
-    user: field.belongsTo("User", ["userId"], ["id"], { onDelete: "Cascade" })
-  }
-});
-var AccountEntity = defineEntity({
-  name: "Account",
-  description: "External authentication accounts (OAuth, password, etc.).",
-  schema: "lssm_sigil",
-  map: "account",
-  fields: {
-    id: field.id(),
-    accountId: field.string({ description: "Account ID from provider" }),
-    providerId: field.string({ description: "Provider identifier" }),
-    userId: field.foreignKey(),
-    accessToken: field.string({ isOptional: true }),
-    refreshToken: field.string({ isOptional: true }),
-    idToken: field.string({ isOptional: true }),
-    accessTokenExpiresAt: field.dateTime({ isOptional: true }),
-    refreshTokenExpiresAt: field.dateTime({ isOptional: true }),
-    scope: field.string({ isOptional: true }),
-    password: field.string({
-      isOptional: true,
-      description: "Hashed password for password providers"
-    }),
-    createdAt: field.createdAt(),
-    updatedAt: field.updatedAt(),
-    user: field.belongsTo("User", ["userId"], ["id"], { onDelete: "Cascade" })
-  },
-  indexes: [index.unique(["accountId", "providerId"])]
-});
-var VerificationEntity = defineEntity({
-  name: "Verification",
-  description: "Verification tokens for email/phone confirmation.",
-  schema: "lssm_sigil",
-  map: "verification",
-  fields: {
-    id: field.uuid(),
-    identifier: field.string({ description: "Email or phone being verified" }),
-    value: field.string({ description: "Verification code/token" }),
-    expiresAt: field.dateTime({ description: "Token expiration" }),
-    createdAt: field.createdAt(),
-    updatedAt: field.updatedAt()
-  }
-});
-
 // src/entities/organization.ts
 import {
-  defineEntity as defineEntity2,
+  defineEntity,
   defineEntityEnum,
-  field as field2,
-  index as index2
+  field,
+  index
 } from "@contractspec/lib.schema";
 var OrganizationTypeEnum = defineEntityEnum({
   name: "OrganizationType",
@@ -1160,251 +997,414 @@ var OrganizationTypeEnum = defineEntityEnum({
   schema: "lssm_sigil",
   description: "Type of organization in the platform."
 });
-var OrganizationEntity = defineEntity2({
+var OrganizationEntity = defineEntity({
   name: "Organization",
   description: "An organization is a tenant boundary grouping users.",
   schema: "lssm_sigil",
   map: "organization",
   fields: {
-    id: field2.id({ description: "Unique organization identifier" }),
-    name: field2.string({ description: "Organization display name" }),
-    slug: field2.string({
+    id: field.id({ description: "Unique organization identifier" }),
+    name: field.string({ description: "Organization display name" }),
+    slug: field.string({
       isOptional: true,
       isUnique: true,
       description: "URL-friendly identifier"
     }),
-    logo: field2.url({ isOptional: true, description: "Organization logo URL" }),
-    description: field2.string({
+    logo: field.url({ isOptional: true, description: "Organization logo URL" }),
+    description: field.string({
       isOptional: true,
       description: "Organization description"
     }),
-    metadata: field2.json({
+    metadata: field.json({
       isOptional: true,
       description: "Arbitrary organization metadata"
     }),
-    type: field2.enum("OrganizationType", { description: "Organization type" }),
-    onboardingCompleted: field2.boolean({ default: false }),
-    onboardingStep: field2.string({ isOptional: true }),
-    referralCode: field2.string({
+    type: field.enum("OrganizationType", { description: "Organization type" }),
+    onboardingCompleted: field.boolean({ default: false }),
+    onboardingStep: field.string({ isOptional: true }),
+    referralCode: field.string({
       isOptional: true,
       isUnique: true,
       description: "Unique referral code"
     }),
-    referredBy: field2.string({
+    referredBy: field.string({
       isOptional: true,
       description: "ID of referring user"
     }),
-    createdAt: field2.createdAt(),
-    updatedAt: field2.updatedAt(),
-    members: field2.hasMany("Member"),
-    invitations: field2.hasMany("Invitation"),
-    teams: field2.hasMany("Team"),
-    policyBindings: field2.hasMany("PolicyBinding")
+    createdAt: field.createdAt(),
+    updatedAt: field.updatedAt(),
+    members: field.hasMany("Member"),
+    invitations: field.hasMany("Invitation"),
+    teams: field.hasMany("Team"),
+    policyBindings: field.hasMany("PolicyBinding")
   },
   enums: [OrganizationTypeEnum]
 });
-var MemberEntity = defineEntity2({
+var MemberEntity = defineEntity({
   name: "Member",
   description: "Membership of a user in an organization with a role.",
   schema: "lssm_sigil",
   map: "member",
   fields: {
-    id: field2.id(),
-    userId: field2.foreignKey(),
-    organizationId: field2.foreignKey(),
-    role: field2.string({
+    id: field.id(),
+    userId: field.foreignKey(),
+    organizationId: field.foreignKey(),
+    role: field.string({
       description: "Role in organization (owner, admin, member)"
     }),
-    createdAt: field2.createdAt(),
-    user: field2.belongsTo("User", ["userId"], ["id"], { onDelete: "Cascade" }),
-    organization: field2.belongsTo("Organization", ["organizationId"], ["id"], {
+    createdAt: field.createdAt(),
+    user: field.belongsTo("User", ["userId"], ["id"], { onDelete: "Cascade" }),
+    organization: field.belongsTo("Organization", ["organizationId"], ["id"], {
       onDelete: "Cascade"
     })
   },
-  indexes: [index2.unique(["userId", "organizationId"])]
+  indexes: [index.unique(["userId", "organizationId"])]
 });
-var InvitationEntity = defineEntity2({
+var InvitationEntity = defineEntity({
   name: "Invitation",
   description: "An invitation to join an organization.",
   schema: "lssm_sigil",
   map: "invitation",
   fields: {
-    id: field2.id(),
-    organizationId: field2.foreignKey(),
-    email: field2.email({ description: "Invited email address" }),
-    role: field2.string({
+    id: field.id(),
+    organizationId: field.foreignKey(),
+    email: field.email({ description: "Invited email address" }),
+    role: field.string({
       isOptional: true,
       description: "Role to assign on acceptance"
     }),
-    status: field2.string({
+    status: field.string({
       default: '"pending"',
       description: "Invitation status"
     }),
-    acceptedAt: field2.dateTime({ isOptional: true }),
-    expiresAt: field2.dateTime({ isOptional: true }),
-    inviterId: field2.foreignKey({
+    acceptedAt: field.dateTime({ isOptional: true }),
+    expiresAt: field.dateTime({ isOptional: true }),
+    inviterId: field.foreignKey({
       description: "User who sent the invitation"
     }),
-    teamId: field2.string({ isOptional: true }),
-    createdAt: field2.createdAt(),
-    updatedAt: field2.updatedAt(),
-    organization: field2.belongsTo("Organization", ["organizationId"], ["id"], {
+    teamId: field.string({ isOptional: true }),
+    createdAt: field.createdAt(),
+    updatedAt: field.updatedAt(),
+    organization: field.belongsTo("Organization", ["organizationId"], ["id"], {
       onDelete: "Cascade"
     }),
-    inviter: field2.belongsTo("User", ["inviterId"], ["id"], {
+    inviter: field.belongsTo("User", ["inviterId"], ["id"], {
       onDelete: "Cascade"
     }),
-    team: field2.belongsTo("Team", ["teamId"], ["id"], { onDelete: "Cascade" })
+    team: field.belongsTo("Team", ["teamId"], ["id"], { onDelete: "Cascade" })
   }
 });
-var TeamEntity = defineEntity2({
+var TeamEntity = defineEntity({
   name: "Team",
   description: "Team within an organization.",
   schema: "lssm_sigil",
   map: "team",
   fields: {
-    id: field2.id(),
-    name: field2.string({ description: "Team name" }),
-    organizationId: field2.foreignKey(),
-    createdAt: field2.createdAt(),
-    updatedAt: field2.updatedAt(),
-    organization: field2.belongsTo("Organization", ["organizationId"], ["id"], {
+    id: field.id(),
+    name: field.string({ description: "Team name" }),
+    organizationId: field.foreignKey(),
+    createdAt: field.createdAt(),
+    updatedAt: field.updatedAt(),
+    organization: field.belongsTo("Organization", ["organizationId"], ["id"], {
       onDelete: "Cascade"
     }),
-    members: field2.hasMany("TeamMember"),
-    invitations: field2.hasMany("Invitation")
+    members: field.hasMany("TeamMember"),
+    invitations: field.hasMany("Invitation")
   }
 });
-var TeamMemberEntity = defineEntity2({
+var TeamMemberEntity = defineEntity({
   name: "TeamMember",
   description: "Team membership for a user.",
   schema: "lssm_sigil",
   map: "team_member",
   fields: {
-    id: field2.id(),
-    teamId: field2.foreignKey(),
-    userId: field2.foreignKey(),
-    createdAt: field2.createdAt(),
-    team: field2.belongsTo("Team", ["teamId"], ["id"], { onDelete: "Cascade" }),
-    user: field2.belongsTo("User", ["userId"], ["id"], { onDelete: "Cascade" })
+    id: field.id(),
+    teamId: field.foreignKey(),
+    userId: field.foreignKey(),
+    createdAt: field.createdAt(),
+    team: field.belongsTo("Team", ["teamId"], ["id"], { onDelete: "Cascade" }),
+    user: field.belongsTo("User", ["userId"], ["id"], { onDelete: "Cascade" })
   }
 });
 
 // src/entities/rbac.ts
-import { defineEntity as defineEntity3, field as field3, index as index3 } from "@contractspec/lib.schema";
-var RoleEntity = defineEntity3({
+import { defineEntity as defineEntity2, field as field2, index as index2 } from "@contractspec/lib.schema";
+var RoleEntity = defineEntity2({
   name: "Role",
   description: "A role defines a named set of permissions.",
   schema: "lssm_sigil",
   map: "role",
   fields: {
-    id: field3.id(),
-    name: field3.string({ isUnique: true, description: "Unique role name" }),
-    description: field3.string({
+    id: field2.id(),
+    name: field2.string({ isUnique: true, description: "Unique role name" }),
+    description: field2.string({
       isOptional: true,
       description: "Role description"
     }),
-    permissions: field3.string({
+    permissions: field2.string({
       isArray: true,
       description: "Array of permission names"
     }),
-    createdAt: field3.createdAt(),
-    updatedAt: field3.updatedAt(),
-    policyBindings: field3.hasMany("PolicyBinding")
+    createdAt: field2.createdAt(),
+    updatedAt: field2.updatedAt(),
+    policyBindings: field2.hasMany("PolicyBinding")
   }
 });
-var PermissionEntity = defineEntity3({
+var PermissionEntity = defineEntity2({
   name: "Permission",
   description: "A permission represents an atomic access right.",
   schema: "lssm_sigil",
   map: "permission",
   fields: {
-    id: field3.id(),
-    name: field3.string({
+    id: field2.id(),
+    name: field2.string({
       isUnique: true,
       description: "Unique permission name"
     }),
-    description: field3.string({
+    description: field2.string({
       isOptional: true,
       description: "Permission description"
     }),
-    createdAt: field3.createdAt(),
-    updatedAt: field3.updatedAt()
+    createdAt: field2.createdAt(),
+    updatedAt: field2.updatedAt()
   }
 });
-var PolicyBindingEntity = defineEntity3({
+var PolicyBindingEntity = defineEntity2({
   name: "PolicyBinding",
   description: "Binds roles to principals (users or organizations).",
   schema: "lssm_sigil",
   map: "policy_binding",
   fields: {
-    id: field3.id(),
-    roleId: field3.foreignKey(),
-    targetType: field3.string({ description: '"user" or "organization"' }),
-    targetId: field3.string({ description: "ID of User or Organization" }),
-    expiresAt: field3.dateTime({
+    id: field2.id(),
+    roleId: field2.foreignKey(),
+    targetType: field2.string({ description: '"user" or "organization"' }),
+    targetId: field2.string({ description: "ID of User or Organization" }),
+    expiresAt: field2.dateTime({
       isOptional: true,
       description: "When binding expires"
     }),
-    createdAt: field3.createdAt(),
-    userId: field3.string({ isOptional: true }),
-    organizationId: field3.string({ isOptional: true }),
-    role: field3.belongsTo("Role", ["roleId"], ["id"], { onDelete: "Cascade" }),
-    user: field3.belongsTo("User", ["userId"], ["id"]),
-    organization: field3.belongsTo("Organization", ["organizationId"], ["id"])
+    createdAt: field2.createdAt(),
+    userId: field2.string({ isOptional: true }),
+    organizationId: field2.string({ isOptional: true }),
+    role: field2.belongsTo("Role", ["roleId"], ["id"], { onDelete: "Cascade" }),
+    user: field2.belongsTo("User", ["userId"], ["id"]),
+    organization: field2.belongsTo("Organization", ["organizationId"], ["id"])
   },
-  indexes: [index3.on(["targetType", "targetId"])]
+  indexes: [index2.on(["targetType", "targetId"])]
 });
-var ApiKeyEntity = defineEntity3({
+var ApiKeyEntity = defineEntity2({
   name: "ApiKey",
   description: "API keys for programmatic access.",
   schema: "lssm_sigil",
   map: "api_key",
   fields: {
-    id: field3.id(),
-    name: field3.string({ description: "API key name" }),
-    start: field3.string({
+    id: field2.id(),
+    name: field2.string({ description: "API key name" }),
+    start: field2.string({
       description: "Starting characters for identification"
     }),
-    prefix: field3.string({ description: "API key prefix" }),
-    key: field3.string({ description: "Hashed API key" }),
+    prefix: field2.string({ description: "API key prefix" }),
+    key: field2.string({ description: "Hashed API key" }),
+    userId: field2.foreignKey(),
+    refillInterval: field2.int({ description: "Refill interval in ms" }),
+    refillAmount: field2.int({ description: "Amount to refill" }),
+    lastRefillAt: field2.dateTime(),
+    remaining: field2.int({ description: "Remaining requests" }),
+    requestCount: field2.int({ description: "Total requests made" }),
+    lastRequest: field2.dateTime(),
+    enabled: field2.boolean({ default: true }),
+    rateLimitEnabled: field2.boolean({ default: true }),
+    rateLimitTimeWindow: field2.int({ description: "Rate limit window in ms" }),
+    rateLimitMax: field2.int({ description: "Max requests in window" }),
+    expiresAt: field2.dateTime(),
+    permissions: field2.string({ isArray: true }),
+    metadata: field2.json({ isOptional: true }),
+    createdAt: field2.createdAt(),
+    updatedAt: field2.updatedAt(),
+    user: field2.belongsTo("User", ["userId"], ["id"], { onDelete: "Cascade" })
+  }
+});
+var PasskeyEntity = defineEntity2({
+  name: "Passkey",
+  description: "WebAuthn passkeys for passwordless authentication.",
+  schema: "lssm_sigil",
+  map: "passkey",
+  fields: {
+    id: field2.id(),
+    name: field2.string({ description: "Passkey name" }),
+    publicKey: field2.string({ description: "Public key" }),
+    userId: field2.foreignKey(),
+    credentialID: field2.string({ description: "Credential ID" }),
+    counter: field2.int({ description: "Counter" }),
+    deviceType: field2.string({ description: "Device type" }),
+    backedUp: field2.boolean({ description: "Whether passkey is backed up" }),
+    transports: field2.string({ description: "Transports" }),
+    aaguid: field2.string({ description: "Authenticator GUID" }),
+    createdAt: field2.createdAt(),
+    user: field2.belongsTo("User", ["userId"], ["id"], { onDelete: "Cascade" })
+  }
+});
+
+// src/entities/user.ts
+import { defineEntity as defineEntity3, field as field3, index as index3 } from "@contractspec/lib.schema";
+var UserEntity = defineEntity3({
+  name: "User",
+  description: "A user of the platform. Users hold core profile information and authenticate via Account records.",
+  schema: "lssm_sigil",
+  map: "user",
+  fields: {
+    id: field3.id({ description: "Unique user identifier" }),
+    email: field3.email({ isUnique: true, description: "User email address" }),
+    emailVerified: field3.boolean({
+      default: false,
+      description: "Whether email has been verified"
+    }),
+    name: field3.string({ isOptional: true, description: "Display name" }),
+    firstName: field3.string({ isOptional: true, description: "First name" }),
+    lastName: field3.string({ isOptional: true, description: "Last name" }),
+    locale: field3.string({
+      isOptional: true,
+      description: 'User locale (e.g., "en-US")'
+    }),
+    timezone: field3.string({
+      isOptional: true,
+      description: 'Olson timezone (e.g., "Europe/Paris")'
+    }),
+    imageUrl: field3.url({
+      isOptional: true,
+      description: "URL of avatar or profile picture"
+    }),
+    image: field3.string({
+      isOptional: true,
+      description: "Legacy image field"
+    }),
+    metadata: field3.json({
+      isOptional: true,
+      description: "Arbitrary user metadata"
+    }),
+    onboardingCompleted: field3.boolean({
+      default: false,
+      description: "Whether onboarding is complete"
+    }),
+    onboardingStep: field3.string({
+      isOptional: true,
+      description: "Current onboarding step"
+    }),
+    whitelistedAt: field3.dateTime({
+      isOptional: true,
+      description: "When user was whitelisted"
+    }),
+    role: field3.string({
+      isOptional: true,
+      default: '"user"',
+      description: "User role (user, admin)"
+    }),
+    banned: field3.boolean({
+      default: false,
+      description: "Whether user is banned"
+    }),
+    banReason: field3.string({
+      isOptional: true,
+      description: "Reason for ban"
+    }),
+    banExpires: field3.dateTime({
+      isOptional: true,
+      description: "When ban expires"
+    }),
+    phoneNumber: field3.string({
+      isOptional: true,
+      isUnique: true,
+      description: "Phone number"
+    }),
+    phoneNumberVerified: field3.boolean({
+      default: false,
+      description: "Whether phone is verified"
+    }),
+    createdAt: field3.createdAt(),
+    updatedAt: field3.updatedAt(),
+    sessions: field3.hasMany("Session"),
+    accounts: field3.hasMany("Account"),
+    memberships: field3.hasMany("Member"),
+    invitations: field3.hasMany("Invitation"),
+    teamMemberships: field3.hasMany("TeamMember"),
+    policyBindings: field3.hasMany("PolicyBinding"),
+    apiKeys: field3.hasMany("ApiKey"),
+    passkeys: field3.hasMany("Passkey")
+  }
+});
+var SessionEntity = defineEntity3({
+  name: "Session",
+  description: "Represents a login session (e.g., web session or API token).",
+  schema: "lssm_sigil",
+  map: "session",
+  fields: {
+    id: field3.id(),
     userId: field3.foreignKey(),
-    refillInterval: field3.int({ description: "Refill interval in ms" }),
-    refillAmount: field3.int({ description: "Amount to refill" }),
-    lastRefillAt: field3.dateTime(),
-    remaining: field3.int({ description: "Remaining requests" }),
-    requestCount: field3.int({ description: "Total requests made" }),
-    lastRequest: field3.dateTime(),
-    enabled: field3.boolean({ default: true }),
-    rateLimitEnabled: field3.boolean({ default: true }),
-    rateLimitTimeWindow: field3.int({ description: "Rate limit window in ms" }),
-    rateLimitMax: field3.int({ description: "Max requests in window" }),
-    expiresAt: field3.dateTime(),
-    permissions: field3.string({ isArray: true }),
-    metadata: field3.json({ isOptional: true }),
+    expiresAt: field3.dateTime({ description: "Session expiration time" }),
+    token: field3.string({ isUnique: true, description: "Session token" }),
+    ipAddress: field3.string({
+      isOptional: true,
+      description: "Client IP address"
+    }),
+    userAgent: field3.string({
+      isOptional: true,
+      description: "Client user agent"
+    }),
+    impersonatedBy: field3.string({
+      isOptional: true,
+      description: "Admin impersonating this session"
+    }),
+    activeOrganizationId: field3.string({
+      isOptional: true,
+      description: "Active org context"
+    }),
+    activeTeamId: field3.string({
+      isOptional: true,
+      description: "Active team context"
+    }),
     createdAt: field3.createdAt(),
     updatedAt: field3.updatedAt(),
     user: field3.belongsTo("User", ["userId"], ["id"], { onDelete: "Cascade" })
   }
 });
-var PasskeyEntity = defineEntity3({
-  name: "Passkey",
-  description: "WebAuthn passkeys for passwordless authentication.",
+var AccountEntity = defineEntity3({
+  name: "Account",
+  description: "External authentication accounts (OAuth, password, etc.).",
   schema: "lssm_sigil",
-  map: "passkey",
+  map: "account",
   fields: {
     id: field3.id(),
-    name: field3.string({ description: "Passkey name" }),
-    publicKey: field3.string({ description: "Public key" }),
+    accountId: field3.string({ description: "Account ID from provider" }),
+    providerId: field3.string({ description: "Provider identifier" }),
     userId: field3.foreignKey(),
-    credentialID: field3.string({ description: "Credential ID" }),
-    counter: field3.int({ description: "Counter" }),
-    deviceType: field3.string({ description: "Device type" }),
-    backedUp: field3.boolean({ description: "Whether passkey is backed up" }),
-    transports: field3.string({ description: "Transports" }),
-    aaguid: field3.string({ description: "Authenticator GUID" }),
+    accessToken: field3.string({ isOptional: true }),
+    refreshToken: field3.string({ isOptional: true }),
+    idToken: field3.string({ isOptional: true }),
+    accessTokenExpiresAt: field3.dateTime({ isOptional: true }),
+    refreshTokenExpiresAt: field3.dateTime({ isOptional: true }),
+    scope: field3.string({ isOptional: true }),
+    password: field3.string({
+      isOptional: true,
+      description: "Hashed password for password providers"
+    }),
     createdAt: field3.createdAt(),
+    updatedAt: field3.updatedAt(),
     user: field3.belongsTo("User", ["userId"], ["id"], { onDelete: "Cascade" })
+  },
+  indexes: [index3.unique(["accountId", "providerId"])]
+});
+var VerificationEntity = defineEntity3({
+  name: "Verification",
+  description: "Verification tokens for email/phone confirmation.",
+  schema: "lssm_sigil",
+  map: "verification",
+  fields: {
+    id: field3.uuid(),
+    identifier: field3.string({ description: "Email or phone being verified" }),
+    value: field3.string({ description: "Verification code/token" }),
+    expiresAt: field3.dateTime({ description: "Token expiration" }),
+    createdAt: field3.createdAt(),
+    updatedAt: field3.updatedAt()
   }
 });
 // src/entities/index.ts
@@ -1431,8 +1431,8 @@ var identityRbacSchemaContribution = {
 };
 
 // src/events.ts
-import { SchemaModel as SchemaModel4, ScalarTypeEnum as ScalarTypeEnum4 } from "@contractspec/lib.schema";
 import { defineEvent } from "@contractspec/lib.contracts-spec";
+import { ScalarTypeEnum as ScalarTypeEnum4, SchemaModel as SchemaModel4 } from "@contractspec/lib.schema";
 var UserCreatedPayload = new SchemaModel4({
   name: "UserCreatedPayload",
   description: "Payload for user created event",