@discover-cloud/shared 1.0.0 → 1.0.1

package/dist/authorization/index.d.ts

@@ -0,0 +1,2 @@
+export * from "./permissions";
+export * from "./permission-cache.service";

package/dist/authorization/index.js

@@ -0,0 +1,18 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./permissions"), exports);
+__exportStar(require("./permission-cache.service"), exports);

package/dist/authorization/permission-cache.service.d.ts

@@ -0,0 +1,12 @@
+import { GlobalPermission, AccountRole } from "../enums";
+export declare class PermissionCacheService {
+    private readonly client;
+    private connected;
+    constructor();
+    resolve(accountId: string, accountRole: AccountRole): Promise<GlobalPermission[]>;
+    invalidate(accountId: string): Promise<void>;
+    invalidateMany(accountIds: string[]): Promise<void>;
+    private key;
+    private safeGet;
+    private safeSet;
+}

package/dist/authorization/permission-cache.service.js

@@ -0,0 +1,132 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PermissionCacheService = void 0;
+const redis_1 = require("redis");
+const permissions_1 = require("./permissions");
+/**
+ * PERMISSION CACHE SERVICE  (@discover-cloud/shared)
+ * ─────────────────────────────────────────────────────
+ * Redis-backed permission cache. Sits between JWT verification and route
+ * handlers — loads permissions for a verified accountId + role, caches
+ * them, and exposes invalidation for role changes and account lifecycle events.
+ *
+ * Cache key:   perms:{accountId}
+ * Cache value: JSON array of GlobalPermission
+ * TTL:         24 hours (auto-evicted; role changes trigger explicit invalidation)
+ *
+ * Cold cache strategy:
+ *   Derive from globalRolePermissions (role → perms map).
+ *   No DB call — the role is already verified in the JWT, and all permissions
+ *   are statically derived from it.
+ *
+ * Invalidation triggers:
+ *   - Role change      → invalidate(accountId)
+ *   - Suspension       → invalidate(accountId)
+ *   - Account deletion → invalidate(accountId)
+ *
+ * NOTE: Uses console.* for logging — shared cannot depend on a service-specific
+ * logger (pino, winston, etc.). Each service's own logger will capture these
+ * via stdout in production.
+ */
+const CACHE_TTL_SECONDS = 24 * 60 * 60; // 24 hours
+const KEY_PREFIX = "perms";
+class PermissionCacheService {
+    constructor() {
+        this.connected = false;
+        this.client = (0, redis_1.createClient)({
+            url: process.env.REDIS_URL ?? "redis://localhost:6379",
+        });
+        this.client.on("error", (err) => {
+            console.error("[PermissionCache] Redis client error", err);
+        });
+        this.client.on("ready", () => {
+            this.connected = true;
+            console.info("[PermissionCache] Redis connected");
+        });
+        this.client.connect().catch((err) => {
+            console.error("[PermissionCache] Redis connection failed", err);
+        });
+    }
+    /* ----------------------------------------------------------------
+       resolve
+       Returns permissions for an account, loading from cache or deriving
+       from the role map on a miss.
+  
+       Never throws — on any Redis failure it falls back to deriving
+       from the role map directly (degraded but functional).
+    ---------------------------------------------------------------- */
+    async resolve(accountId, accountRole) {
+        const cached = await this.safeGet(accountId);
+        if (cached !== null)
+            return cached;
+        // Cache miss — derive from role map (no DB call)
+        const perms = [
+            ...(permissions_1.globalRolePermissions[accountRole] ?? []),
+        ];
+        // Write back (fire-and-forget — don't block the request)
+        this.safeSet(accountId, perms).catch(() => { });
+        return perms;
+    }
+    /* ----------------------------------------------------------------
+       invalidate
+       Removes a specific account's permission cache entry.
+       Call on: role change, suspension, account deletion.
+    ---------------------------------------------------------------- */
+    async invalidate(accountId) {
+        try {
+            await this.client.del(this.key(accountId));
+            console.info(`[PermissionCache] Invalidated: ${accountId}`);
+        }
+        catch (err) {
+            // Log but don't throw — stale entry expires via TTL at worst
+            console.error(`[PermissionCache] Failed to invalidate: ${accountId}`, err);
+        }
+    }
+    /* ----------------------------------------------------------------
+       invalidateMany
+       Batch invalidation — use when a role definition changes globally.
+    ---------------------------------------------------------------- */
+    async invalidateMany(accountIds) {
+        if (accountIds.length === 0)
+            return;
+        try {
+            const keys = accountIds.map((id) => this.key(id));
+            await this.client.del(keys);
+            console.info(`[PermissionCache] Batch invalidated ${accountIds.length} entries`);
+        }
+        catch (err) {
+            console.error("[PermissionCache] Batch invalidation failed", err);
+        }
+    }
+    /* ----------------------------------------------------------------
+       Private helpers
+    ---------------------------------------------------------------- */
+    key(accountId) {
+        return `${KEY_PREFIX}:${accountId}`;
+    }
+    async safeGet(accountId) {
+        if (!this.connected)
+            return null;
+        try {
+            const raw = await this.client.get(this.key(accountId));
+            if (!raw)
+                return null;
+            return JSON.parse(raw);
+        }
+        catch (err) {
+            console.warn(`[PermissionCache] Cache get failed for ${accountId}, bypassing`, err);
+            return null;
+        }
+    }
+    async safeSet(accountId, perms) {
+        if (!this.connected)
+            return;
+        try {
+            await this.client.set(this.key(accountId), JSON.stringify(perms), { EX: CACHE_TTL_SECONDS });
+        }
+        catch (err) {
+            console.warn(`[PermissionCache] Cache set failed for ${accountId}`, err);
+        }
+    }
+}
+exports.PermissionCacheService = PermissionCacheService;

package/dist/authorization/permissions.d.ts

@@ -0,0 +1,74 @@
+import { AccountRole, GlobalPermission, OrganizationRole, OrgPermission } from "../enums";
+import { AccessContext } from "../types";
+/**
+ * GLOBAL ROLE PERMISSION MAP
+ * ───────────────────────────
+ * Defines which GlobalPermissions each AccountRole carries.
+ * This is the single source of truth — the Redis permission cache
+ * derives from this map on a cold cache miss.
+ *
+ * Design principles:
+ *   - SUPERADMIN gets all permissions (dynamically, not hardcoded list)
+ *   - Each role has only the minimum permissions it needs (least privilege)
+ *   - Permissions are additive — no role inherits from another at runtime
+ *   - Adding a new permission: add to the enum above, then grant it here
+ *
+ * ┌─────────────┬──────────────────────────────────────────────────────┐
+ * │ Role        │ Key permissions                                       │
+ * ├─────────────┼──────────────────────────────────────────────────────┤
+ * │ SUPERADMIN  │ Everything — full platform control                    │
+ * │ ADMIN       │ User mgmt, cost data access, logs, health, support   │
+ * │ SUPPORT     │ Read-only user + cost data for support work          │
+ * │ MODERATOR   │ Content moderation only (future)                     │
+ * │ USER        │ No global permissions — service layer gates own data  │
+ * └─────────────┴──────────────────────────────────────────────────────┘
+ */
+export declare const globalRolePermissions: Record<AccountRole, readonly GlobalPermission[]>;
+/**
+ * ORG ROLE PERMISSION MAP  (future work)
+ * ────────────────────────────────────────
+ * Org permissions are NOT in the JWT — they're fetched from the DB
+ * by tenant middleware within each service because:
+ *   1. Org membership changes frequently (invites, role changes, removal)
+ *   2. A user can be in multiple orgs with different roles
+ *   3. Embedding them in the JWT would create stale permission windows
+ *
+ * This map is used by tenant middleware for the DB-free fast path:
+ * if the org role is already known (e.g. from a prior DB fetch cached in
+ * Redis), derive permissions from here rather than re-querying the DB.
+ */
+export declare const orgRolePermissions: Record<OrganizationRole, readonly OrgPermission[]>;
+/**
+ * hasGlobalPermission
+ * Checks if a GlobalPermission is in the AccessContext's perms array.
+ * Perms come from the Redis permission cache, not from the JWT directly.
+ *
+ * This is the primary check for platform-level authorization.
+ */
+export declare const hasGlobalPermission: (ctx: AccessContext, permission: GlobalPermission) => boolean;
+/**
+ * isAllowed
+ * Unified permission check for both GlobalPermission and OrgPermission.
+ *
+ * GlobalPermission → checked against ctx.perms (Redis cache, derived from role)
+ * OrgPermission    → returns false here; handled by tenant middleware in each
+ *                    service via DB lookup. This function is intentionally not
+ *                    the place for org permission checks.
+ *
+ * This makes the boundary explicit: callers that need org permission checks
+ * should use their service's tenant middleware, not isAllowed().
+ */
+export declare const isAllowed: (ctx: AccessContext, permission: GlobalPermission | OrgPermission) => boolean;
+/**
+ * isSuperAdmin
+ * Convenience guard for the rare cases where superadmin-only logic
+ * is needed beyond a single permission check.
+ */
+export declare const isSuperAdmin: (ctx: AccessContext) => boolean;
+/**
+ * deriveGlobalPermissions
+ * Derives permissions for a role from the static map.
+ * Called by PermissionCacheService on a cold cache miss.
+ * Returns a mutable copy — callers can extend it if needed.
+ */
+export declare const deriveGlobalPermissions: (role: AccountRole) => GlobalPermission[];

package/dist/authorization/permissions.js

@@ -0,0 +1,171 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.deriveGlobalPermissions = exports.isSuperAdmin = exports.isAllowed = exports.hasGlobalPermission = exports.orgRolePermissions = exports.globalRolePermissions = void 0;
+const enums_1 = require("../enums");
+/**
+ * GLOBAL ROLE PERMISSION MAP
+ * ───────────────────────────
+ * Defines which GlobalPermissions each AccountRole carries.
+ * This is the single source of truth — the Redis permission cache
+ * derives from this map on a cold cache miss.
+ *
+ * Design principles:
+ *   - SUPERADMIN gets all permissions (dynamically, not hardcoded list)
+ *   - Each role has only the minimum permissions it needs (least privilege)
+ *   - Permissions are additive — no role inherits from another at runtime
+ *   - Adding a new permission: add to the enum above, then grant it here
+ *
+ * ┌─────────────┬──────────────────────────────────────────────────────┐
+ * │ Role        │ Key permissions                                       │
+ * ├─────────────┼──────────────────────────────────────────────────────┤
+ * │ SUPERADMIN  │ Everything — full platform control                    │
+ * │ ADMIN       │ User mgmt, cost data access, logs, health, support   │
+ * │ SUPPORT     │ Read-only user + cost data for support work          │
+ * │ MODERATOR   │ Content moderation only (future)                     │
+ * │ USER        │ No global permissions — service layer gates own data  │
+ * └─────────────┴──────────────────────────────────────────────────────┘
+ */
+exports.globalRolePermissions = {
+    [enums_1.AccountRole.SUPERADMIN]: Object.values(enums_1.GlobalPermission),
+    [enums_1.AccountRole.ADMIN]: [
+        // Account management (no impersonate, no hard delete)
+        enums_1.GlobalPermission.MANAGE_ACCOUNTS,
+        enums_1.GlobalPermission.VIEW_ANY_ACCOUNT,
+        enums_1.GlobalPermission.SUSPEND_ACCOUNT,
+        // Cloud cost data
+        enums_1.GlobalPermission.VIEW_ANY_COST_DATA,
+        enums_1.GlobalPermission.EXPORT_ANY_COST_DATA,
+        enums_1.GlobalPermission.MANAGE_COST_ALERTS,
+        // Platform operations
+        enums_1.GlobalPermission.VIEW_SYSTEM_LOGS,
+        enums_1.GlobalPermission.VIEW_SYSTEM_HEALTH,
+        // Support tooling
+        enums_1.GlobalPermission.SUPPORT_VIEW,
+        enums_1.GlobalPermission.SUPPORT_WRITE,
+    ],
+    [enums_1.AccountRole.SUPPORT]: [
+        // Read-only access to user data and cost data for support purposes
+        // Cannot write, cannot manage accounts, cannot access system internals
+        enums_1.GlobalPermission.VIEW_ANY_ACCOUNT,
+        enums_1.GlobalPermission.VIEW_ANY_COST_DATA,
+        enums_1.GlobalPermission.SUPPORT_VIEW,
+    ],
+    [enums_1.AccountRole.MODERATOR]: [
+        // Only content moderation — no access to user accounts or cost data
+        enums_1.GlobalPermission.MODERATE_CONTENT,
+    ],
+    // Standard users have zero global permissions.
+    // All their data access is handled at the service level
+    // (they can only see their own cost data, their own account, etc.)
+    [enums_1.AccountRole.USER]: [],
+};
+/**
+ * ORG ROLE PERMISSION MAP  (future work)
+ * ────────────────────────────────────────
+ * Org permissions are NOT in the JWT — they're fetched from the DB
+ * by tenant middleware within each service because:
+ *   1. Org membership changes frequently (invites, role changes, removal)
+ *   2. A user can be in multiple orgs with different roles
+ *   3. Embedding them in the JWT would create stale permission windows
+ *
+ * This map is used by tenant middleware for the DB-free fast path:
+ * if the org role is already known (e.g. from a prior DB fetch cached in
+ * Redis), derive permissions from here rather than re-querying the DB.
+ */
+exports.orgRolePermissions = {
+    [enums_1.OrganizationRole.OWNER]: Object.values(enums_1.OrgPermission), // Full org control
+    [enums_1.OrganizationRole.ADMIN]: [
+        enums_1.GlobalPermission.MANAGE_ACCOUNTS, // intentional re-use shape — org admin manages org members
+        enums_1.OrgPermission.MANAGE_ORG_SETTINGS,
+        enums_1.OrgPermission.INVITE_MEMBERS,
+        enums_1.OrgPermission.REMOVE_MEMBERS,
+        enums_1.OrgPermission.CHANGE_MEMBER_ROLES,
+        enums_1.OrgPermission.VIEW_MEMBERS,
+        enums_1.OrgPermission.VIEW_COST_DATA,
+        enums_1.OrgPermission.EXPORT_COST_DATA,
+        enums_1.OrgPermission.MANAGE_COST_REPORTS,
+        enums_1.OrgPermission.MANAGE_ALERTS,
+        enums_1.OrgPermission.MANAGE_CLOUD_ACCOUNTS,
+        enums_1.OrgPermission.VIEW_CLOUD_ACCOUNTS,
+        enums_1.OrgPermission.VIEW_BILLING,
+    ],
+    [enums_1.OrganizationRole.EDITOR]: [
+        enums_1.OrgPermission.VIEW_MEMBERS,
+        enums_1.OrgPermission.VIEW_COST_DATA,
+        enums_1.OrgPermission.EXPORT_COST_DATA,
+        enums_1.OrgPermission.MANAGE_COST_REPORTS,
+        enums_1.OrgPermission.MANAGE_ALERTS,
+        enums_1.OrgPermission.VIEW_CLOUD_ACCOUNTS,
+    ],
+    [enums_1.OrganizationRole.VIEWER]: [
+        enums_1.OrgPermission.VIEW_MEMBERS,
+        enums_1.OrgPermission.VIEW_COST_DATA,
+        enums_1.OrgPermission.VIEW_CLOUD_ACCOUNTS,
+    ],
+    [enums_1.OrganizationRole.BILLING]: [
+        enums_1.OrgPermission.VIEW_BILLING,
+        enums_1.OrgPermission.MANAGE_BILLING,
+        enums_1.OrgPermission.VIEW_COST_DATA,
+        enums_1.OrgPermission.EXPORT_COST_DATA,
+    ],
+};
+/* ====================================================================
+   PERMISSION CHECK HELPERS
+==================================================================== */
+/**
+ * hasGlobalPermission
+ * Checks if a GlobalPermission is in the AccessContext's perms array.
+ * Perms come from the Redis permission cache, not from the JWT directly.
+ *
+ * This is the primary check for platform-level authorization.
+ */
+const hasGlobalPermission = (ctx, permission) => {
+    if (ctx.kind !== "human")
+        return false;
+    return ctx.perms.includes(permission);
+};
+exports.hasGlobalPermission = hasGlobalPermission;
+/**
+ * isAllowed
+ * Unified permission check for both GlobalPermission and OrgPermission.
+ *
+ * GlobalPermission → checked against ctx.perms (Redis cache, derived from role)
+ * OrgPermission    → returns false here; handled by tenant middleware in each
+ *                    service via DB lookup. This function is intentionally not
+ *                    the place for org permission checks.
+ *
+ * This makes the boundary explicit: callers that need org permission checks
+ * should use their service's tenant middleware, not isAllowed().
+ */
+const isAllowed = (ctx, permission) => {
+    if (ctx.kind !== "human")
+        return false;
+    if (Object.values(enums_1.GlobalPermission).includes(permission)) {
+        return (0, exports.hasGlobalPermission)(ctx, permission);
+    }
+    // OrgPermission — not handled here by design.
+    // Use tenant middleware (DB-backed) within the relevant service.
+    return false;
+};
+exports.isAllowed = isAllowed;
+/**
+ * isSuperAdmin
+ * Convenience guard for the rare cases where superadmin-only logic
+ * is needed beyond a single permission check.
+ */
+const isSuperAdmin = (ctx) => {
+    if (ctx.kind !== "human")
+        return false;
+    return ctx.accountRole === enums_1.AccountRole.SUPERADMIN;
+};
+exports.isSuperAdmin = isSuperAdmin;
+/**
+ * deriveGlobalPermissions
+ * Derives permissions for a role from the static map.
+ * Called by PermissionCacheService on a cold cache miss.
+ * Returns a mutable copy — callers can extend it if needed.
+ */
+const deriveGlobalPermissions = (role) => {
+    return [...(exports.globalRolePermissions[role] ?? [])];
+};
+exports.deriveGlobalPermissions = deriveGlobalPermissions;

package/dist/dto/auth-service.dtos.d.ts

@@ -1,5 +1,5 @@
 import { AccountStatus } from "../enums";
-export interface AccountDTO {
+export interface AccountDto {
     id: string;
     email: string;
     isVerified: boolean;
@@ -7,7 +7,7 @@ export interface AccountDTO {
     createdAt: Date;
     updatedAt: Date;
 }
-export interface EmailVerificationDTO {
+export interface EmailVerificationDto {
     id: string;
     accountId: string;
     token: string;
@@ -15,17 +15,15 @@ export interface EmailVerificationDTO {
     isUsed: boolean;
     createdAt: Date;
 }
-export interface OAuthIdentityDTO {
+export interface OAuthIdentityDto {
     id: string;
     accountId: string;
     provider: string;
     providerId: string;
-    accessToken: string | null;
-    refreshToken: string | null;
     createdAt: Date;
     updatedAt: Date;
 }
-export interface PasswordResetDTO {
+export interface PasswordResetDto {
     id: string;
     accountId: string;
     token: string;
@@ -33,10 +31,9 @@ export interface PasswordResetDTO {
     isUsed: boolean;
     createdAt: Date;
 }
-export interface SessionDTO {
+export interface SessionDto {
     id: string;
     accountId: string;
-    token: string;
     expiresAt: Date;
     revokedAt: Date | null;
     ipAddress: string | null;
@@ -45,7 +42,3 @@ export interface SessionDTO {
     createdAt: Date;
     updatedAt: Date;
 }
-export interface TokensResponseDto {
-    accessToken: string;
-    refreshToken: string;
-}

package/dist/dto/response.dtos.d.ts

@@ -1,5 +1,5 @@
 export interface ApiMeta {
-    requestId: string | null;
+    requestId: string;
     timestamp: string;
 }
 export interface ApiSuccessResponse<T> {
@@ -10,39 +10,46 @@ export interface ApiSuccessResponse<T> {
 export interface ApiErrorResponse {
     success: false;
     error: {
-        code?: string;
+        code: string;
         message: string;
         details?: unknown;
     };
     meta: ApiMeta;
 }
+/**
+ * Returned on login / token refresh.
+ * accessToken goes in the response body.
+ * refreshToken goes in an HttpOnly cookie — not in the body.
+ * Only include refreshToken here if your client explicitly needs it
+ * (e.g. mobile clients that can't use cookies).
+ */
+export interface TokensResponseDto {
+    accessToken: string;
+}
+/** Generic message — use for simple confirmations */
 export interface MessageResponseDto {
     message: string;
 }
-export interface LoggedOutResponseDto {
-    loggedOut: boolean;
-}
-export interface LoggedOutAllResponseDto {
-    loggedOutAll: boolean;
-}
-export interface SuspendedResponseDto {
-    suspended: boolean;
-}
-export interface ActivatedResponseDto {
-    activated: boolean;
-}
-export interface DeletedResponseDto {
-    deleted: boolean;
-}
-export interface RevokedResponseDto {
-    revoked: boolean;
-}
-export interface AddedResponseDto {
-    added: boolean;
-}
-export interface UpdatedResponseDto {
-    updated: boolean;
+/**
+ * Generic action confirmation — use when the client needs to know
+ * which action was performed (e.g. in a polling or event-driven context).
+ *
+ * action: machine-readable string, e.g. "account.suspended", "session.revoked"
+ * message: human-readable description
+ */
+export interface ActionResponseDto {
+    action: string;
+    message: string;
 }
-export interface CreatedResponseDto {
-    created: boolean;
+export interface PaginationMeta {
+    page: number;
+    pageSize: number;
+    totalItems: number;
+    totalPages: number;
+    hasNext: boolean;
+    hasPrev: boolean;
+}
+export interface PaginatedResponseDto<T> {
+    items: T[];
+    pagination: PaginationMeta;
 }

package/dist/dto/response.dtos.js

@@ -1,2 +1,6 @@
 "use strict";
+/* ====================================================================
+   RESPONSE DTOs
+   Shared HTTP response shapes used across all services.
+==================================================================== */
 Object.defineProperty(exports, "__esModule", { value: true });

package/dist/dto/user-service.dtos.d.ts

@@ -1,14 +1,13 @@
-import { OrganizationRole, MembershipStatus, OrganizationStatus, Theme, Currency, UserStatus } from "../enums";
-export interface UserDTO {
+import { AccountStatus, OrganizationRole, MembershipStatus, OrganizationStatus, Theme, Currency } from "../enums";
+export interface UserDto {
     id: string;
     email: string;
-    status: UserStatus;
+    status: AccountStatus;
     createdAt: Date;
     updatedAt: Date;
-    deletedAt: Date | null;
 }
-export interface UserProfileDTO {
-    id: string | null;
+export interface UserProfileDto {
+    id: string;
     userId: string;
     displayName: string | null;
     avatarUrl: string | null;
@@ -20,10 +19,9 @@ export interface UserProfileDTO {
     pronouns: string | null;
     createdAt: Date;
     updatedAt: Date;
-    deletedAt: Date | null;
 }
-export interface UserPreferencesDTO {
-    id: string | null;
+export interface UserPreferencesDto {
+    id: string;
     userId: string;
     theme: Theme;
     language: string;
@@ -31,9 +29,8 @@ export interface UserPreferencesDTO {
     emailAlerts: boolean;
     createdAt: Date;
     updatedAt: Date;
-    deletedAt: Date | null;
 }
-export interface OrganizationDTO {
+export interface OrganizationDto {
     id: string;
     name: string;
     slug: string;
@@ -42,7 +39,7 @@ export interface OrganizationDTO {
     updatedAt: Date;
     deletedAt: Date | null;
 }
-export interface OrganizationMemberDTO {
+export interface OrganizationMemberDto {
     id: string;
     userId: string;
     organizationId: string;
@@ -50,5 +47,4 @@ export interface OrganizationMemberDTO {
     status: MembershipStatus;
     createdAt: Date;
     updatedAt: Date;
-    deletedAt: Date | null;
 }

package/dist/enums/domain.enums.d.ts

@@ -0,0 +1,42 @@
+/**
+ * DOMAIN STATUS & CONFIGURATION ENUMS
+ * ──────────────────────────────────────
+ * General-purpose enums for entity lifecycle, UI preferences, and
+ * configuration. Permission-related enums live in permissions.types.ts.
+ */
+export declare enum AccountStatus {
+    ACTIVE = "ACTIVE",
+    SUSPENDED = "SUSPENDED",// Access revoked, data retained, reversible
+    DELETED = "DELETED"
+}
+export declare enum OrganizationStatus {
+    ACTIVE = "ACTIVE",
+    SUSPENDED = "SUSPENDED",// Platform-level suspension (non-payment, policy)
+    CLOSED = "CLOSED"
+}
+/**
+ * OrganizationRole lives in permissions.types.ts alongside OrgPermission
+ * so the role → permission map stays co-located with the role definition.
+ * Re-exported from enums/index.ts for convenience.
+ */
+export declare enum MembershipStatus {
+    PENDING = "PENDING",
+    ACTIVE = "ACTIVE",
+    SUSPENDED = "SUSPENDED",
+    REMOVED = "REMOVED"
+}
+export declare enum Theme {
+    LIGHT = "LIGHT",
+    DARK = "DARK",
+    SYSTEM = "SYSTEM"
+}
+export declare enum Currency {
+    USD = "USD",// US Dollar       — default, all cloud providers
+    EUR = "EUR",// Euro            — AWS/GCP/Azure EU regions
+    GBP = "GBP",// British Pound   — AWS/GCP/Azure UK regions
+    INR = "INR",// Indian Rupee    — AWS/GCP/Azure AP south regions
+    AUD = "AUD",// Australian Dollar
+    CAD = "CAD",// Canadian Dollar
+    JPY = "JPY",// Japanese Yen
+    SGD = "SGD"
+}