@discover-cloud/shared 1.0.0 → 1.0.2

package/dist/dtos/index.js

@@ -0,0 +1,19 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./user-service.dto"), exports);
+__exportStar(require("./auth-service.dto"), exports);
+__exportStar(require("./response.dto"), exports);

package/dist/dtos/response.dto.d.ts

@@ -0,0 +1,55 @@
+export interface ApiMeta {
+    requestId: string;
+    timestamp: string;
+}
+export interface ApiSuccessResponse<T> {
+    success: true;
+    data: T;
+    meta: ApiMeta;
+}
+export interface ApiErrorResponse {
+    success: false;
+    error: {
+        code: string;
+        message: string;
+        details?: unknown;
+    };
+    meta: ApiMeta;
+}
+/**
+ * Returned on login / token refresh.
+ * accessToken goes in the response body.
+ * refreshToken goes in an HttpOnly cookie — not in the body.
+ * Only include refreshToken here if your client explicitly needs it
+ * (e.g. mobile clients that can't use cookies).
+ */
+export interface TokensResponseDto {
+    accessToken: string;
+}
+/** Generic message — use for simple confirmations */
+export interface MessageResponseDto {
+    message: string;
+}
+/**
+ * Generic action confirmation — use when the client needs to know
+ * which action was performed (e.g. in a polling or event-driven context).
+ *
+ * action: machine-readable string, e.g. "account.suspended", "session.revoked"
+ * message: human-readable description
+ */
+export interface ActionResponseDto {
+    action: string;
+    message: string;
+}
+export interface PaginationMeta {
+    page: number;
+    pageSize: number;
+    totalItems: number;
+    totalPages: number;
+    hasNext: boolean;
+    hasPrev: boolean;
+}
+export interface PaginatedResponseDto<T> {
+    items: T[];
+    pagination: PaginationMeta;
+}

package/dist/dtos/response.dto.js

@@ -0,0 +1,6 @@
+"use strict";
+/* ====================================================================
+   RESPONSE DTOs
+   Shared HTTP response shapes used across all services.
+==================================================================== */
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/dtos/user-service.dto.d.ts

@@ -0,0 +1,50 @@
+import { AccountStatus, OrganizationRole, MembershipStatus, OrganizationStatus, Theme, Currency } from "../enums";
+export interface UserDto {
+    id: string;
+    email: string;
+    status: AccountStatus;
+    createdAt: Date;
+    updatedAt: Date;
+}
+export interface UserProfileDto {
+    id: string;
+    userId: string;
+    displayName: string | null;
+    avatarUrl: string | null;
+    jobTitle: string | null;
+    bio: string | null;
+    timezone: string | null;
+    locale: string;
+    country: string | null;
+    pronouns: string | null;
+    createdAt: Date;
+    updatedAt: Date;
+}
+export interface UserPreferencesDto {
+    id: string;
+    userId: string;
+    theme: Theme;
+    language: string;
+    currency: Currency;
+    emailAlerts: boolean;
+    createdAt: Date;
+    updatedAt: Date;
+}
+export interface OrganizationDto {
+    id: string;
+    name: string;
+    slug: string;
+    status: OrganizationStatus;
+    createdAt: Date;
+    updatedAt: Date;
+    deletedAt: Date | null;
+}
+export interface OrganizationMemberDto {
+    id: string;
+    userId: string;
+    organizationId: string;
+    role: OrganizationRole;
+    status: MembershipStatus;
+    createdAt: Date;
+    updatedAt: Date;
+}

package/dist/dtos/user-service.dto.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/enums/domain.enums.d.ts

@@ -0,0 +1,42 @@
+/**
+ * DOMAIN STATUS & CONFIGURATION ENUMS
+ * ──────────────────────────────────────
+ * General-purpose enums for entity lifecycle, UI preferences, and
+ * configuration. Permission-related enums live in permissions.types.ts.
+ */
+export declare enum AccountStatus {
+    ACTIVE = "ACTIVE",
+    SUSPENDED = "SUSPENDED",// Access revoked, data retained, reversible
+    DELETED = "DELETED"
+}
+export declare enum OrganizationStatus {
+    ACTIVE = "ACTIVE",
+    SUSPENDED = "SUSPENDED",// Platform-level suspension (non-payment, policy)
+    CLOSED = "CLOSED"
+}
+/**
+ * OrganizationRole lives in permissions.types.ts alongside OrgPermission
+ * so the role → permission map stays co-located with the role definition.
+ * Re-exported from enums/index.ts for convenience.
+ */
+export declare enum MembershipStatus {
+    PENDING = "PENDING",
+    ACTIVE = "ACTIVE",
+    SUSPENDED = "SUSPENDED",
+    REMOVED = "REMOVED"
+}
+export declare enum Theme {
+    LIGHT = "LIGHT",
+    DARK = "DARK",
+    SYSTEM = "SYSTEM"
+}
+export declare enum Currency {
+    USD = "USD",// US Dollar       — default, all cloud providers
+    EUR = "EUR",// Euro            — AWS/GCP/Azure EU regions
+    GBP = "GBP",// British Pound   — AWS/GCP/Azure UK regions
+    INR = "INR",// Indian Rupee    — AWS/GCP/Azure AP south regions
+    AUD = "AUD",// Australian Dollar
+    CAD = "CAD",// Canadian Dollar
+    JPY = "JPY",// Japanese Yen
+    SGD = "SGD"
+}

package/dist/enums/domain.enums.js

@@ -0,0 +1,79 @@
+"use strict";
+/**
+ * DOMAIN STATUS & CONFIGURATION ENUMS
+ * ──────────────────────────────────────
+ * General-purpose enums for entity lifecycle, UI preferences, and
+ * configuration. Permission-related enums live in permissions.types.ts.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.Currency = exports.Theme = exports.MembershipStatus = exports.OrganizationStatus = exports.AccountStatus = void 0;
+/* ====================================================================
+   ACCOUNT
+   Lifecycle states for a platform account (auth domain).
+   Replaces the duplicate UserStatus — there is only Account in auth.
+==================================================================== */
+var AccountStatus;
+(function (AccountStatus) {
+    AccountStatus["ACTIVE"] = "ACTIVE";
+    AccountStatus["SUSPENDED"] = "SUSPENDED";
+    AccountStatus["DELETED"] = "DELETED";
+})(AccountStatus || (exports.AccountStatus = AccountStatus = {}));
+/* ====================================================================
+   ORGANIZATION  (future work — defined now for type completeness)
+==================================================================== */
+var OrganizationStatus;
+(function (OrganizationStatus) {
+    OrganizationStatus["ACTIVE"] = "ACTIVE";
+    OrganizationStatus["SUSPENDED"] = "SUSPENDED";
+    OrganizationStatus["CLOSED"] = "CLOSED";
+})(OrganizationStatus || (exports.OrganizationStatus = OrganizationStatus = {}));
+/**
+ * OrganizationRole lives in permissions.types.ts alongside OrgPermission
+ * so the role → permission map stays co-located with the role definition.
+ * Re-exported from enums/index.ts for convenience.
+ */
+/* ====================================================================
+   MEMBERSHIP  (future work)
+   Tracks a user's membership state within an organization.
+
+   PENDING   — invite sent, not yet accepted
+   ACTIVE    — full org member
+   SUSPENDED — access revoked by org admin, invite not cancelled
+   REMOVED   — explicitly removed by admin (different from suspended —
+               removed members must be re-invited to regain access)
+==================================================================== */
+var MembershipStatus;
+(function (MembershipStatus) {
+    MembershipStatus["PENDING"] = "PENDING";
+    MembershipStatus["ACTIVE"] = "ACTIVE";
+    MembershipStatus["SUSPENDED"] = "SUSPENDED";
+    MembershipStatus["REMOVED"] = "REMOVED";
+})(MembershipStatus || (exports.MembershipStatus = MembershipStatus = {}));
+/* ====================================================================
+   UI PREFERENCES
+==================================================================== */
+var Theme;
+(function (Theme) {
+    Theme["LIGHT"] = "LIGHT";
+    Theme["DARK"] = "DARK";
+    Theme["SYSTEM"] = "SYSTEM";
+})(Theme || (exports.Theme = Theme = {}));
+/* ====================================================================
+   CURRENCY
+   Cloud cost monitoring — users see costs in their preferred currency.
+   Amounts are stored in USD (base currency) and converted at display time.
+
+   Expand this list as you add cloud provider regions:
+     AUD, CAD, JPY, SGD, BRL, KRW, SEK, NOK, CHF, MXN ...
+==================================================================== */
+var Currency;
+(function (Currency) {
+    Currency["USD"] = "USD";
+    Currency["EUR"] = "EUR";
+    Currency["GBP"] = "GBP";
+    Currency["INR"] = "INR";
+    Currency["AUD"] = "AUD";
+    Currency["CAD"] = "CAD";
+    Currency["JPY"] = "JPY";
+    Currency["SGD"] = "SGD";
+})(Currency || (exports.Currency = Currency = {}));

package/dist/enums/index.d.ts

@@ -1,3 +1,2 @@
-export * from "./user-service.enums";
-export * from "./auth-service.enums";
-export * from "./permissions.types";
+export * from "./permissions.enums";
+export * from "./domain.enums";

package/dist/enums/index.js

@@ -14,6 +14,5 @@ var __exportStar = (this && this.__exportStar) || function(m, exports) {
     for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-__exportStar(require("./user-service.enums"), exports);
-__exportStar(require("./auth-service.enums"), exports);
-__exportStar(require("./permissions.types"), exports);
+__exportStar(require("./permissions.enums"), exports);
+__exportStar(require("./domain.enums"), exports);

package/dist/enums/permissions.enums.d.ts

@@ -0,0 +1,124 @@
+/**
+ * ACCOUNT ROLES
+ * ──────────────
+ * Platform-level roles assigned to every account.
+ * Ordered from highest to lowest privilege.
+ *
+ * SUPERADMIN  — Full platform control. Internal engineering / founders only.
+ *               Can impersonate users, access all data, manage platform config.
+ *
+ * ADMIN       — Platform operations team. Can manage users, view system health,
+ *               handle support escalations. Cannot touch billing infrastructure.
+ *
+ * SUPPORT     — Customer support agents. Read-only access to user accounts
+ *               and cloud cost data for support purposes. Cannot modify anything.
+ *
+ * MODERATOR   — Content / alert moderation (future). Included now so the
+ *               role exists in the system before the feature ships.
+ *
+ * USER        — Standard authenticated user. Accesses only their own data.
+ *               All cloud cost features are gated at the service level.
+ */
+export declare enum AccountRole {
+    SUPERADMIN = "SUPERADMIN",
+    ADMIN = "ADMIN",
+    SUPPORT = "SUPPORT",
+    MODERATOR = "MODERATOR",
+    USER = "USER"
+}
+/**
+ * GLOBAL PERMISSIONS
+ * ───────────────────
+ * Platform-wide permissions derived from AccountRole.
+ * These are checked at the gateway / service middleware level.
+ *
+ * Naming convention: VERB_NOUN or VERB_SCOPE_NOUN
+ *
+ * Account management
+ *   MANAGE_ACCOUNTS      — Create, update, suspend, delete any account
+ *   VIEW_ANY_ACCOUNT     — Read any account's profile and metadata
+ *   IMPERSONATE_ACCOUNT  — Act as another user (SUPERADMIN only — support tooling)
+ *   SUSPEND_ACCOUNT      — Suspend / unsuspend an account without full delete
+ *   DELETE_ACCOUNT       — Hard delete an account and all associated data
+ *
+ * Cloud cost data (platform-level, not per-org)
+ *   VIEW_ANY_COST_DATA   — Read any user's cloud cost reports (support/admin use)
+ *   EXPORT_ANY_COST_DATA — Export cost data for any user (compliance, support)
+ *   MANAGE_COST_ALERTS   — Create/edit/delete cost alert rules platform-wide
+ *
+ * Platform operations
+ *   VIEW_SYSTEM_LOGS     — Access platform audit logs and system events
+ *   VIEW_SYSTEM_HEALTH   — Read service health, metrics dashboards
+ *   MANAGE_PLATFORM_CONFIG — Modify platform-wide settings (limits, features)
+ *
+ * Support tooling
+ *   SUPPORT_VIEW         — Read-only access to user data for support purposes
+ *   SUPPORT_WRITE        — Ability to make support-sanctioned changes on behalf of users
+ *
+ * Future-proofing (define now, assign later)
+ *   MANAGE_BILLING       — Access to subscription and billing management
+ *   MODERATE_CONTENT     — Moderate user-generated content (alerts, comments, etc.)
+ *   MANAGE_INTEGRATIONS  — Manage platform-level cloud provider integrations
+ */
+export declare enum GlobalPermission {
+    MANAGE_ACCOUNTS = "MANAGE_ACCOUNTS",
+    VIEW_ANY_ACCOUNT = "VIEW_ANY_ACCOUNT",
+    IMPERSONATE_ACCOUNT = "IMPERSONATE_ACCOUNT",
+    SUSPEND_ACCOUNT = "SUSPEND_ACCOUNT",
+    DELETE_ACCOUNT = "DELETE_ACCOUNT",
+    VIEW_ANY_COST_DATA = "VIEW_ANY_COST_DATA",
+    EXPORT_ANY_COST_DATA = "EXPORT_ANY_COST_DATA",
+    MANAGE_COST_ALERTS = "MANAGE_COST_ALERTS",
+    VIEW_SYSTEM_LOGS = "VIEW_SYSTEM_LOGS",
+    VIEW_SYSTEM_HEALTH = "VIEW_SYSTEM_HEALTH",
+    MANAGE_PLATFORM_CONFIG = "MANAGE_PLATFORM_CONFIG",
+    SUPPORT_VIEW = "SUPPORT_VIEW",
+    SUPPORT_WRITE = "SUPPORT_WRITE",
+    MANAGE_BILLING = "MANAGE_BILLING",
+    MODERATE_CONTENT = "MODERATE_CONTENT",
+    MANAGE_INTEGRATIONS = "MANAGE_INTEGRATIONS"
+}
+/**
+ * ORGANIZATION ROLES  (future work)
+ * ────────────────────────────────────
+ * Defined now so the type system is ready when org support ships.
+ * No permissions are assigned yet — see orgRolePermissions below.
+ *
+ * OWNER   — Created the org. Full control, including deletion and billing.
+ * ADMIN   — Manages members and org settings. Cannot delete the org.
+ * EDITOR  — Can create/edit cost reports and dashboards within the org.
+ * VIEWER  — Read-only access to org cost data.
+ * BILLING — Dedicated billing contact. Access to invoices and payment only.
+ */
+export declare enum OrganizationRole {
+    OWNER = "OWNER",
+    ADMIN = "ADMIN",
+    EDITOR = "EDITOR",
+    VIEWER = "VIEWER",
+    BILLING = "BILLING"
+}
+/**
+ * ORG PERMISSIONS  (future work)
+ * ────────────────────────────────
+ * Granular org-scoped permissions. Checked by tenant middleware in each
+ * service via DB lookup — NOT in the JWT (org membership changes too
+ * frequently to embed reliably).
+ *
+ * Naming: VERB_RESOURCE
+ */
+export declare enum OrgPermission {
+    DELETE_ORG = "DELETE_ORG",
+    MANAGE_ORG_SETTINGS = "MANAGE_ORG_SETTINGS",
+    INVITE_MEMBERS = "INVITE_MEMBERS",
+    REMOVE_MEMBERS = "REMOVE_MEMBERS",
+    CHANGE_MEMBER_ROLES = "CHANGE_MEMBER_ROLES",
+    VIEW_MEMBERS = "VIEW_MEMBERS",
+    VIEW_COST_DATA = "VIEW_COST_DATA",
+    EXPORT_COST_DATA = "EXPORT_COST_DATA",
+    MANAGE_COST_REPORTS = "MANAGE_COST_REPORTS",
+    MANAGE_ALERTS = "MANAGE_ALERTS",
+    MANAGE_CLOUD_ACCOUNTS = "MANAGE_CLOUD_ACCOUNTS",
+    VIEW_CLOUD_ACCOUNTS = "VIEW_CLOUD_ACCOUNTS",
+    VIEW_BILLING = "VIEW_BILLING",
+    MANAGE_BILLING = "MANAGE_BILLING"
+}

package/dist/enums/permissions.enums.js

@@ -0,0 +1,141 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.OrgPermission = exports.OrganizationRole = exports.GlobalPermission = exports.AccountRole = void 0;
+/**
+ * ACCOUNT ROLES
+ * ──────────────
+ * Platform-level roles assigned to every account.
+ * Ordered from highest to lowest privilege.
+ *
+ * SUPERADMIN  — Full platform control. Internal engineering / founders only.
+ *               Can impersonate users, access all data, manage platform config.
+ *
+ * ADMIN       — Platform operations team. Can manage users, view system health,
+ *               handle support escalations. Cannot touch billing infrastructure.
+ *
+ * SUPPORT     — Customer support agents. Read-only access to user accounts
+ *               and cloud cost data for support purposes. Cannot modify anything.
+ *
+ * MODERATOR   — Content / alert moderation (future). Included now so the
+ *               role exists in the system before the feature ships.
+ *
+ * USER        — Standard authenticated user. Accesses only their own data.
+ *               All cloud cost features are gated at the service level.
+ */
+var AccountRole;
+(function (AccountRole) {
+    AccountRole["SUPERADMIN"] = "SUPERADMIN";
+    AccountRole["ADMIN"] = "ADMIN";
+    AccountRole["SUPPORT"] = "SUPPORT";
+    AccountRole["MODERATOR"] = "MODERATOR";
+    AccountRole["USER"] = "USER";
+})(AccountRole || (exports.AccountRole = AccountRole = {}));
+/**
+ * GLOBAL PERMISSIONS
+ * ───────────────────
+ * Platform-wide permissions derived from AccountRole.
+ * These are checked at the gateway / service middleware level.
+ *
+ * Naming convention: VERB_NOUN or VERB_SCOPE_NOUN
+ *
+ * Account management
+ *   MANAGE_ACCOUNTS      — Create, update, suspend, delete any account
+ *   VIEW_ANY_ACCOUNT     — Read any account's profile and metadata
+ *   IMPERSONATE_ACCOUNT  — Act as another user (SUPERADMIN only — support tooling)
+ *   SUSPEND_ACCOUNT      — Suspend / unsuspend an account without full delete
+ *   DELETE_ACCOUNT       — Hard delete an account and all associated data
+ *
+ * Cloud cost data (platform-level, not per-org)
+ *   VIEW_ANY_COST_DATA   — Read any user's cloud cost reports (support/admin use)
+ *   EXPORT_ANY_COST_DATA — Export cost data for any user (compliance, support)
+ *   MANAGE_COST_ALERTS   — Create/edit/delete cost alert rules platform-wide
+ *
+ * Platform operations
+ *   VIEW_SYSTEM_LOGS     — Access platform audit logs and system events
+ *   VIEW_SYSTEM_HEALTH   — Read service health, metrics dashboards
+ *   MANAGE_PLATFORM_CONFIG — Modify platform-wide settings (limits, features)
+ *
+ * Support tooling
+ *   SUPPORT_VIEW         — Read-only access to user data for support purposes
+ *   SUPPORT_WRITE        — Ability to make support-sanctioned changes on behalf of users
+ *
+ * Future-proofing (define now, assign later)
+ *   MANAGE_BILLING       — Access to subscription and billing management
+ *   MODERATE_CONTENT     — Moderate user-generated content (alerts, comments, etc.)
+ *   MANAGE_INTEGRATIONS  — Manage platform-level cloud provider integrations
+ */
+var GlobalPermission;
+(function (GlobalPermission) {
+    // Account management
+    GlobalPermission["MANAGE_ACCOUNTS"] = "MANAGE_ACCOUNTS";
+    GlobalPermission["VIEW_ANY_ACCOUNT"] = "VIEW_ANY_ACCOUNT";
+    GlobalPermission["IMPERSONATE_ACCOUNT"] = "IMPERSONATE_ACCOUNT";
+    GlobalPermission["SUSPEND_ACCOUNT"] = "SUSPEND_ACCOUNT";
+    GlobalPermission["DELETE_ACCOUNT"] = "DELETE_ACCOUNT";
+    // Cloud cost data (platform-level)
+    GlobalPermission["VIEW_ANY_COST_DATA"] = "VIEW_ANY_COST_DATA";
+    GlobalPermission["EXPORT_ANY_COST_DATA"] = "EXPORT_ANY_COST_DATA";
+    GlobalPermission["MANAGE_COST_ALERTS"] = "MANAGE_COST_ALERTS";
+    // Platform operations
+    GlobalPermission["VIEW_SYSTEM_LOGS"] = "VIEW_SYSTEM_LOGS";
+    GlobalPermission["VIEW_SYSTEM_HEALTH"] = "VIEW_SYSTEM_HEALTH";
+    GlobalPermission["MANAGE_PLATFORM_CONFIG"] = "MANAGE_PLATFORM_CONFIG";
+    // Support tooling
+    GlobalPermission["SUPPORT_VIEW"] = "SUPPORT_VIEW";
+    GlobalPermission["SUPPORT_WRITE"] = "SUPPORT_WRITE";
+    // Future — define now so they exist in the type system before the features ship
+    GlobalPermission["MANAGE_BILLING"] = "MANAGE_BILLING";
+    GlobalPermission["MODERATE_CONTENT"] = "MODERATE_CONTENT";
+    GlobalPermission["MANAGE_INTEGRATIONS"] = "MANAGE_INTEGRATIONS";
+})(GlobalPermission || (exports.GlobalPermission = GlobalPermission = {}));
+/**
+ * ORGANIZATION ROLES  (future work)
+ * ────────────────────────────────────
+ * Defined now so the type system is ready when org support ships.
+ * No permissions are assigned yet — see orgRolePermissions below.
+ *
+ * OWNER   — Created the org. Full control, including deletion and billing.
+ * ADMIN   — Manages members and org settings. Cannot delete the org.
+ * EDITOR  — Can create/edit cost reports and dashboards within the org.
+ * VIEWER  — Read-only access to org cost data.
+ * BILLING — Dedicated billing contact. Access to invoices and payment only.
+ */
+var OrganizationRole;
+(function (OrganizationRole) {
+    OrganizationRole["OWNER"] = "OWNER";
+    OrganizationRole["ADMIN"] = "ADMIN";
+    OrganizationRole["EDITOR"] = "EDITOR";
+    OrganizationRole["VIEWER"] = "VIEWER";
+    OrganizationRole["BILLING"] = "BILLING";
+})(OrganizationRole || (exports.OrganizationRole = OrganizationRole = {}));
+/**
+ * ORG PERMISSIONS  (future work)
+ * ────────────────────────────────
+ * Granular org-scoped permissions. Checked by tenant middleware in each
+ * service via DB lookup — NOT in the JWT (org membership changes too
+ * frequently to embed reliably).
+ *
+ * Naming: VERB_RESOURCE
+ */
+var OrgPermission;
+(function (OrgPermission) {
+    // Org management
+    OrgPermission["DELETE_ORG"] = "DELETE_ORG";
+    OrgPermission["MANAGE_ORG_SETTINGS"] = "MANAGE_ORG_SETTINGS";
+    // Member management
+    OrgPermission["INVITE_MEMBERS"] = "INVITE_MEMBERS";
+    OrgPermission["REMOVE_MEMBERS"] = "REMOVE_MEMBERS";
+    OrgPermission["CHANGE_MEMBER_ROLES"] = "CHANGE_MEMBER_ROLES";
+    OrgPermission["VIEW_MEMBERS"] = "VIEW_MEMBERS";
+    // Cost data within org
+    OrgPermission["VIEW_COST_DATA"] = "VIEW_COST_DATA";
+    OrgPermission["EXPORT_COST_DATA"] = "EXPORT_COST_DATA";
+    OrgPermission["MANAGE_COST_REPORTS"] = "MANAGE_COST_REPORTS";
+    OrgPermission["MANAGE_ALERTS"] = "MANAGE_ALERTS";
+    // Integrations within org
+    OrgPermission["MANAGE_CLOUD_ACCOUNTS"] = "MANAGE_CLOUD_ACCOUNTS";
+    OrgPermission["VIEW_CLOUD_ACCOUNTS"] = "VIEW_CLOUD_ACCOUNTS";
+    // Billing within org
+    OrgPermission["VIEW_BILLING"] = "VIEW_BILLING";
+    OrgPermission["MANAGE_BILLING"] = "MANAGE_BILLING";
+})(OrgPermission || (exports.OrgPermission = OrgPermission = {}));

package/dist/errors/app-error.d.ts

@@ -1,6 +1,23 @@
+/**
+ * APP ERROR
+ * ──────────
+ * Base class for all known operational errors.
+ * Subclasses map to specific HTTP status codes and error codes.
+ *
+ * GlobalErrorHandler catches instanceof AppError and maps it to a
+ * structured error response — no duck-typing, no accidental matches.
+ *
+ * Changes vs original:
+ *   - details?: any → details?: unknown
+ *     `any` disabled TypeScript's type checking on the most variable field.
+ *     Callers that need a specific details shape should cast after instanceof.
+ *   - Object.freeze(this) retained — prevents accidental mutation of thrown errors.
+ *     Note: freeze is shallow. If details is an object, its contents are mutable.
+ *     This is acceptable — details is for logging/response context, not program logic.
+ */
 export declare class AppError extends Error {
     readonly code: string;
     readonly statusCode: number;
-    readonly details?: any;
-    constructor(code: string, statusCode: number, message: string, details?: any);
+    readonly details?: unknown;
+    constructor(code: string, statusCode: number, message: string, details?: unknown);
 }

package/dist/errors/app-error.js

@@ -1,6 +1,23 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.AppError = void 0;
+/**
+ * APP ERROR
+ * ──────────
+ * Base class for all known operational errors.
+ * Subclasses map to specific HTTP status codes and error codes.
+ *
+ * GlobalErrorHandler catches instanceof AppError and maps it to a
+ * structured error response — no duck-typing, no accidental matches.
+ *
+ * Changes vs original:
+ *   - details?: any → details?: unknown
+ *     `any` disabled TypeScript's type checking on the most variable field.
+ *     Callers that need a specific details shape should cast after instanceof.
+ *   - Object.freeze(this) retained — prevents accidental mutation of thrown errors.
+ *     Note: freeze is shallow. If details is an object, its contents are mutable.
+ *     This is acceptable — details is for logging/response context, not program logic.
+ */
 class AppError extends Error {
     constructor(code, statusCode, message, details) {
         super(message);
@@ -8,8 +25,6 @@ class AppError extends Error {
         this.statusCode = statusCode;
         this.details = details;
         this.name = this.constructor.name;
-        // A simple runtime check is all you need now.
-        // TypeScript knows this exists because of @types/node.
         if (typeof Error.captureStackTrace === "function") {
             Error.captureStackTrace(this, this.constructor);
         }

package/dist/errors/http-errors.d.ts

@@ -1,4 +1,16 @@
 import { AppError } from "./app-error";
+/**
+ * HTTP ERRORS
+ * ────────────
+ * Typed subclasses of AppError for every common HTTP error status.
+ * GlobalErrorHandler catches these via instanceof AppError and maps
+ * statusCode + code directly to the response.
+ *
+ * Usage:
+ *   throw new NotFoundError("Account not found");
+ *   throw new ConflictError("Email already in use");
+ *   throw new BadRequestError("Invalid input", { field: "email" });
+ */
 export declare class BadRequestError extends AppError {
     constructor(message?: string, details?: unknown);
 }
@@ -17,6 +29,12 @@ export declare class ConflictError extends AppError {
 export declare class UnprocessableEntityError extends AppError {
     constructor(message?: string, details?: unknown);
 }
+export declare class TooManyRequestsError extends AppError {
+    constructor(message?: string, details?: unknown);
+}
 export declare class InternalServerError extends AppError {
     constructor(message?: string, details?: unknown);
 }
+export declare class ServiceUnavailableError extends AppError {
+    constructor(message?: string, details?: unknown);
+}