@discover-cloud/shared 1.0.5 → 1.0.7

package/dist/dtos/cloud-service.dto.d.ts

@@ -0,0 +1,40 @@
+import { CloudProvider, CloudAccountStatus, AwsAuthMethod, GcpAuthMethod, AzureAuthMethod, SyncStatus, SyncType } from "../enums";
+/**
+ * CLOUD SERVICE DTOs
+ * ───────────────────
+ * Shapes returned by the cloud service over HTTP.
+ *
+ * CloudAccountDto never includes encryptedCredentials — credentials
+ * are write-only. authMethod is the resolved union of whichever
+ * provider-specific method is set (only one is ever non-null).
+ *
+ * SyncJobDto is read-only — sync jobs are created internally by the
+ * orchestrator and exposed for status polling only.
+ */
+export interface CloudAccountDto {
+    id: string;
+    userId: string;
+    alias: string;
+    provider: CloudProvider;
+    status: CloudAccountStatus;
+    authMethod: AwsAuthMethod | GcpAuthMethod | AzureAuthMethod | null;
+    lastSyncAt: Date | null;
+    lastErrorAt: Date | null;
+    lastErrorMsg: string | null;
+    createdAt: Date;
+    updatedAt: Date;
+}
+export interface SyncJobDto {
+    id: string;
+    cloudAccountId: string;
+    type: SyncType;
+    status: SyncStatus;
+    startedAt: Date | null;
+    completedAt: Date | null;
+    errorMessage: string | null;
+    resourcesSynced: number;
+    costRecords: number;
+    budgetsSynced: number;
+    createdAt: Date;
+    updatedAt: Date;
+}

package/dist/dtos/cloud-service.dto.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/dist/dtos/index.d.ts

@@ -1,3 +1,4 @@
 export * from "./user-service.dto";
 export * from "./auth-service.dto";
+export * from "./cloud-service.dto";
 export * from "./response.dto";

package/dist/dtos/index.js

@@ -16,4 +16,5 @@ var __exportStar = (this && this.__exportStar) || function(m, exports) {
 Object.defineProperty(exports, "__esModule", { value: true });
 __exportStar(require("./user-service.dto"), exports);
 __exportStar(require("./auth-service.dto"), exports);
+__exportStar(require("./cloud-service.dto"), exports);
 __exportStar(require("./response.dto"), exports);

package/dist/enums/domain.enums.d.ts

@@ -6,19 +6,14 @@
  */
 export declare enum AccountStatus {
     ACTIVE = "ACTIVE",
-    SUSPENDED = "SUSPENDED",// Access revoked, data retained, reversible
+    SUSPENDED = "SUSPENDED",
     DELETED = "DELETED"
 }
 export declare enum OrganizationStatus {
     ACTIVE = "ACTIVE",
-    SUSPENDED = "SUSPENDED",// Platform-level suspension (non-payment, policy)
+    SUSPENDED = "SUSPENDED",
     CLOSED = "CLOSED"
 }
-/**
- * OrganizationRole lives in permissions.types.ts alongside OrgPermission
- * so the role → permission map stays co-located with the role definition.
- * Re-exported from enums/index.ts for convenience.
- */
 export declare enum MembershipStatus {
     PENDING = "PENDING",
     ACTIVE = "ACTIVE",
@@ -31,12 +26,53 @@ export declare enum Theme {
     SYSTEM = "SYSTEM"
 }
 export declare enum Currency {
-    USD = "USD",// US Dollar       — default, all cloud providers
-    EUR = "EUR",// Euro            — AWS/GCP/Azure EU regions
-    GBP = "GBP",// British Pound   — AWS/GCP/Azure UK regions
-    INR = "INR",// Indian Rupee    — AWS/GCP/Azure AP south regions
-    AUD = "AUD",// Australian Dollar
-    CAD = "CAD",// Canadian Dollar
-    JPY = "JPY",// Japanese Yen
+    USD = "USD",
+    EUR = "EUR",
+    GBP = "GBP",
+    INR = "INR",
+    AUD = "AUD",
+    CAD = "CAD",
+    JPY = "JPY",
     SGD = "SGD"
 }
+export declare enum CloudProvider {
+    AWS = "AWS",
+    GCP = "GCP",
+    AZURE = "AZURE"
+}
+export declare enum AwsAuthMethod {
+    ACCESS_KEY = "ACCESS_KEY",// Access Key ID + Secret
+    IAM_ROLE = "IAM_ROLE",// Role ARN + External ID
+    IAM_IDENTITY_CENTER = "IAM_IDENTITY_CENTER",// SSO
+    IAM_ROLES_ANYWHERE = "IAM_ROLES_ANYWHERE"
+}
+export declare enum GcpAuthMethod {
+    SERVICE_ACCOUNT_KEY = "SERVICE_ACCOUNT_KEY",
+    WORKLOAD_IDENTITY = "WORKLOAD_IDENTITY",
+    SERVICE_ACCOUNT_IMPERSONATION = "SERVICE_ACCOUNT_IMPERSONATION"
+}
+export declare enum AzureAuthMethod {
+    SERVICE_PRINCIPAL_SECRET = "SERVICE_PRINCIPAL_SECRET",
+    SERVICE_PRINCIPAL_CERTIFICATE = "SERVICE_PRINCIPAL_CERTIFICATE",
+    MANAGED_IDENTITY_USER = "MANAGED_IDENTITY_USER",
+    MANAGED_IDENTITY_SYSTEM = "MANAGED_IDENTITY_SYSTEM"
+}
+export declare enum CloudAccountStatus {
+    PENDING = "PENDING",// Connected, never synced
+    ACTIVE = "ACTIVE",// Last sync succeeded
+    ERROR = "ERROR",// Last sync failed
+    INACTIVE = "INACTIVE"
+}
+export declare enum SyncStatus {
+    PENDING = "PENDING",
+    RUNNING = "RUNNING",
+    SUCCESS = "SUCCESS",
+    FAILED = "FAILED",
+    PARTIAL = "PARTIAL"
+}
+export declare enum SyncType {
+    FULL = "FULL",// All data types
+    COSTS = "COSTS",// Cost records only
+    RESOURCES = "RESOURCES",// Resource inventory only
+    BUDGETS = "BUDGETS"
+}

package/dist/enums/domain.enums.js

@@ -6,11 +6,9 @@
  * configuration. Permission-related enums live in permissions.types.ts.
  */
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.Currency = exports.Theme = exports.MembershipStatus = exports.OrganizationStatus = exports.AccountStatus = void 0;
+exports.SyncType = exports.SyncStatus = exports.CloudAccountStatus = exports.AzureAuthMethod = exports.GcpAuthMethod = exports.AwsAuthMethod = exports.CloudProvider = exports.Currency = exports.Theme = exports.MembershipStatus = exports.OrganizationStatus = exports.AccountStatus = void 0;
 /* ====================================================================
    ACCOUNT
-   Lifecycle states for a platform account (auth domain).
-   Replaces the duplicate UserStatus — there is only Account in auth.
 ==================================================================== */
 var AccountStatus;
 (function (AccountStatus) {
@@ -19,7 +17,7 @@ var AccountStatus;
     AccountStatus["DELETED"] = "DELETED";
 })(AccountStatus || (exports.AccountStatus = AccountStatus = {}));
 /* ====================================================================
-   ORGANIZATION  (future work — defined now for type completeness)
+   ORGANIZATION
 ==================================================================== */
 var OrganizationStatus;
 (function (OrganizationStatus) {
@@ -27,21 +25,6 @@ var OrganizationStatus;
     OrganizationStatus["SUSPENDED"] = "SUSPENDED";
     OrganizationStatus["CLOSED"] = "CLOSED";
 })(OrganizationStatus || (exports.OrganizationStatus = OrganizationStatus = {}));
-/**
- * OrganizationRole lives in permissions.types.ts alongside OrgPermission
- * so the role → permission map stays co-located with the role definition.
- * Re-exported from enums/index.ts for convenience.
- */
-/* ====================================================================
-   MEMBERSHIP  (future work)
-   Tracks a user's membership state within an organization.
-
-   PENDING   — invite sent, not yet accepted
-   ACTIVE    — full org member
-   SUSPENDED — access revoked by org admin, invite not cancelled
-   REMOVED   — explicitly removed by admin (different from suspended —
-               removed members must be re-invited to regain access)
-==================================================================== */
 var MembershipStatus;
 (function (MembershipStatus) {
     MembershipStatus["PENDING"] = "PENDING";
@@ -58,14 +41,6 @@ var Theme;
     Theme["DARK"] = "DARK";
     Theme["SYSTEM"] = "SYSTEM";
 })(Theme || (exports.Theme = Theme = {}));
-/* ====================================================================
-   CURRENCY
-   Cloud cost monitoring — users see costs in their preferred currency.
-   Amounts are stored in USD (base currency) and converted at display time.
-
-   Expand this list as you add cloud provider regions:
-     AUD, CAD, JPY, SGD, BRL, KRW, SEK, NOK, CHF, MXN ...
-==================================================================== */
 var Currency;
 (function (Currency) {
     Currency["USD"] = "USD";
@@ -77,3 +52,67 @@ var Currency;
     Currency["JPY"] = "JPY";
     Currency["SGD"] = "SGD";
 })(Currency || (exports.Currency = Currency = {}));
+/* ====================================================================
+   CLOUD PROVIDERS
+   Used by cloud-service for account connections and insights-service
+   for storing normalized cost/resource data.
+==================================================================== */
+var CloudProvider;
+(function (CloudProvider) {
+    CloudProvider["AWS"] = "AWS";
+    CloudProvider["GCP"] = "GCP";
+    CloudProvider["AZURE"] = "AZURE";
+})(CloudProvider || (exports.CloudProvider = CloudProvider = {}));
+/* ====================================================================
+   CLOUD ACCOUNT AUTH METHODS
+   Discriminator for which credential shape is stored per provider.
+   Each provider has its own enum — only one is set per CloudAccount.
+==================================================================== */
+var AwsAuthMethod;
+(function (AwsAuthMethod) {
+    AwsAuthMethod["ACCESS_KEY"] = "ACCESS_KEY";
+    AwsAuthMethod["IAM_ROLE"] = "IAM_ROLE";
+    AwsAuthMethod["IAM_IDENTITY_CENTER"] = "IAM_IDENTITY_CENTER";
+    AwsAuthMethod["IAM_ROLES_ANYWHERE"] = "IAM_ROLES_ANYWHERE";
+})(AwsAuthMethod || (exports.AwsAuthMethod = AwsAuthMethod = {}));
+var GcpAuthMethod;
+(function (GcpAuthMethod) {
+    GcpAuthMethod["SERVICE_ACCOUNT_KEY"] = "SERVICE_ACCOUNT_KEY";
+    GcpAuthMethod["WORKLOAD_IDENTITY"] = "WORKLOAD_IDENTITY";
+    GcpAuthMethod["SERVICE_ACCOUNT_IMPERSONATION"] = "SERVICE_ACCOUNT_IMPERSONATION";
+})(GcpAuthMethod || (exports.GcpAuthMethod = GcpAuthMethod = {}));
+var AzureAuthMethod;
+(function (AzureAuthMethod) {
+    AzureAuthMethod["SERVICE_PRINCIPAL_SECRET"] = "SERVICE_PRINCIPAL_SECRET";
+    AzureAuthMethod["SERVICE_PRINCIPAL_CERTIFICATE"] = "SERVICE_PRINCIPAL_CERTIFICATE";
+    AzureAuthMethod["MANAGED_IDENTITY_USER"] = "MANAGED_IDENTITY_USER";
+    AzureAuthMethod["MANAGED_IDENTITY_SYSTEM"] = "MANAGED_IDENTITY_SYSTEM";
+})(AzureAuthMethod || (exports.AzureAuthMethod = AzureAuthMethod = {}));
+/* ====================================================================
+   CLOUD ACCOUNT STATUS
+==================================================================== */
+var CloudAccountStatus;
+(function (CloudAccountStatus) {
+    CloudAccountStatus["PENDING"] = "PENDING";
+    CloudAccountStatus["ACTIVE"] = "ACTIVE";
+    CloudAccountStatus["ERROR"] = "ERROR";
+    CloudAccountStatus["INACTIVE"] = "INACTIVE";
+})(CloudAccountStatus || (exports.CloudAccountStatus = CloudAccountStatus = {}));
+/* ====================================================================
+   SYNC JOB
+==================================================================== */
+var SyncStatus;
+(function (SyncStatus) {
+    SyncStatus["PENDING"] = "PENDING";
+    SyncStatus["RUNNING"] = "RUNNING";
+    SyncStatus["SUCCESS"] = "SUCCESS";
+    SyncStatus["FAILED"] = "FAILED";
+    SyncStatus["PARTIAL"] = "PARTIAL";
+})(SyncStatus || (exports.SyncStatus = SyncStatus = {}));
+var SyncType;
+(function (SyncType) {
+    SyncType["FULL"] = "FULL";
+    SyncType["COSTS"] = "COSTS";
+    SyncType["RESOURCES"] = "RESOURCES";
+    SyncType["BUDGETS"] = "BUDGETS";
+})(SyncType || (exports.SyncType = SyncType = {}));

package/dist/http/service-client.d.ts

@@ -3,29 +3,34 @@ import { Request } from "express";
 /**
  * SERVICE CLIENT
  * ───────────────
- * HTTP client for service-to-service calls.
- * Forwards the internal JWT and request ID from the current Express request.
+ * HTTP client for service-to-service communication.
  *
- * Fixes vs original:
- *   - Removed `validateStatus: () => true` — it silently swallowed 4xx/5xx,
- *     forcing every caller to manually check response.status. Removed so
- *     axios throws naturally on error responses.
- *   - `postWithAuth(url, data: any)` → `data: unknown` — no silent any
- *   - requestId fallback now consistent with requestId middleware logic
- *   - Added `patchWithAuth` and `deleteWithAuth` — common enough to include
- *   - Retry only on network errors + 5xx (not 4xx — those are caller errors)
+ * Two call patterns:
+ *
+ * 1. JWT-forwarding (user-initiated requests)
+ *    Pass the current Express Request — Authorization + x-request-id
+ *    are forwarded automatically.
+ *    Use: getWithAuth, postWithAuth, patchWithAuth, deleteWithAuth
+ *
+ * 2. Internal calls (service-to-service, no incoming request)
+ *    Pass explicit headers — used by UserServiceClient in auth service
+ *    where calls originate from service logic, not from an HTTP handler.
+ *    Use: get, post, patch, delete
+ *
+ * Retry strategy: network errors + 5xx only. Never retries 4xx —
+ * those are deterministic caller errors.
  */
 export declare class ServiceClient {
     readonly http: AxiosInstance;
     constructor(baseURL: string);
-    private setupRetry;
     getWithAuth<T = unknown>(url: string, req: Request, config?: AxiosRequestConfig): Promise<AxiosResponse<T>>;
     postWithAuth<T = unknown>(url: string, data: unknown, req: Request, config?: AxiosRequestConfig): Promise<AxiosResponse<T>>;
     patchWithAuth<T = unknown>(url: string, data: unknown, req: Request, config?: AxiosRequestConfig): Promise<AxiosResponse<T>>;
     deleteWithAuth<T = unknown>(url: string, req: Request, config?: AxiosRequestConfig): Promise<AxiosResponse<T>>;
-    /**
-     * Merges Authorization + x-request-id into any provided config.
-     * The internal JWT is forwarded as-is — the gateway already minted it.
-     */
+    get<T = unknown>(url: string, headers: Record<string, string>, config?: AxiosRequestConfig): Promise<AxiosResponse<T>>;
+    post<T = unknown>(url: string, data: unknown, headers: Record<string, string>, config?: AxiosRequestConfig): Promise<AxiosResponse<T>>;
+    patch<T = unknown>(url: string, data: unknown, headers: Record<string, string>, config?: AxiosRequestConfig): Promise<AxiosResponse<T>>;
+    delete<T = unknown>(url: string, headers: Record<string, string>, config?: AxiosRequestConfig): Promise<AxiosResponse<T>>;
     private mergeAuth;
+    private mergeHeaders;
 }

package/dist/http/service-client.js

@@ -9,17 +9,22 @@ const axios_retry_1 = __importDefault(require("axios-retry"));
 /**
  * SERVICE CLIENT
  * ───────────────
- * HTTP client for service-to-service calls.
- * Forwards the internal JWT and request ID from the current Express request.
+ * HTTP client for service-to-service communication.
  *
- * Fixes vs original:
- *   - Removed `validateStatus: () => true` — it silently swallowed 4xx/5xx,
- *     forcing every caller to manually check response.status. Removed so
- *     axios throws naturally on error responses.
- *   - `postWithAuth(url, data: any)` → `data: unknown` — no silent any
- *   - requestId fallback now consistent with requestId middleware logic
- *   - Added `patchWithAuth` and `deleteWithAuth` — common enough to include
- *   - Retry only on network errors + 5xx (not 4xx — those are caller errors)
+ * Two call patterns:
+ *
+ * 1. JWT-forwarding (user-initiated requests)
+ *    Pass the current Express Request — Authorization + x-request-id
+ *    are forwarded automatically.
+ *    Use: getWithAuth, postWithAuth, patchWithAuth, deleteWithAuth
+ *
+ * 2. Internal calls (service-to-service, no incoming request)
+ *    Pass explicit headers — used by UserServiceClient in auth service
+ *    where calls originate from service logic, not from an HTTP handler.
+ *    Use: get, post, patch, delete
+ *
+ * Retry strategy: network errors + 5xx only. Never retries 4xx —
+ * those are deterministic caller errors.
  */
 class ServiceClient {
     constructor(baseURL) {
@@ -27,15 +32,10 @@ class ServiceClient {
             baseURL,
             timeout: 8000,
         });
-        this.setupRetry();
-    }
-    setupRetry() {
         (0, axios_retry_1.default)(this.http, {
             retries: 3,
             retryDelay: axios_retry_1.default.exponentialDelay,
             retryCondition: (err) => {
-                // Retry on network errors or 5xx only
-                // Do NOT retry 4xx — those are deterministic failures
                 if (axios_retry_1.default.isNetworkError(err))
                     return true;
                 const status = err.response?.status ?? 0;
@@ -44,10 +44,8 @@ class ServiceClient {
         });
     }
     /* ----------------------------------------------------------------
-       Auth-forwarding methods
-       Pass the current Express Request to automatically forward:
-         - Authorization: Bearer <internal-jwt>
-         - x-request-id: <propagated request ID>
+       Pattern 1 — JWT-forwarding (pass Express req)
+       Forwards Authorization header + x-request-id automatically.
     ---------------------------------------------------------------- */
     async getWithAuth(url, req, config) {
         return this.http.get(url, this.mergeAuth(req, config));
@@ -61,17 +59,28 @@ class ServiceClient {
     async deleteWithAuth(url, req, config) {
         return this.http.delete(url, this.mergeAuth(req, config));
     }
+    /* ----------------------------------------------------------------
+       Pattern 2 — Internal calls (explicit headers, no Express req)
+       Used for service-initiated calls (e.g. auth service → user service)
+       where there is no incoming HTTP request to forward from.
+    ---------------------------------------------------------------- */
+    async get(url, headers, config) {
+        return this.http.get(url, this.mergeHeaders(headers, config));
+    }
+    async post(url, data, headers, config) {
+        return this.http.post(url, data, this.mergeHeaders(headers, config));
+    }
+    async patch(url, data, headers, config) {
+        return this.http.patch(url, data, this.mergeHeaders(headers, config));
+    }
+    async delete(url, headers, config) {
+        return this.http.delete(url, this.mergeHeaders(headers, config));
+    }
     /* ----------------------------------------------------------------
        Private helpers
     ---------------------------------------------------------------- */
-    /**
-     * Merges Authorization + x-request-id into any provided config.
-     * The internal JWT is forwarded as-is — the gateway already minted it.
-     */
     mergeAuth(req, config) {
         const authHeader = req.headers.authorization;
-        // req.id is set by requestId middleware — always a string at this point.
-        // Fall back to x-request-id header if somehow req.id isn't set yet.
         const upstream = req.headers["x-request-id"];
         const requestId = req.id
             ?? (Array.isArray(upstream) ? upstream[0] : upstream)
@@ -85,5 +94,14 @@ class ServiceClient {
             },
         };
     }
+    mergeHeaders(headers, config) {
+        return {
+            ...config,
+            headers: {
+                ...config?.headers,
+                ...headers,
+            },
+        };
+    }
 }
 exports.ServiceClient = ServiceClient;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@discover-cloud/shared",
-  "version": "1.0.5",
+  "version": "1.0.7",
   "private": false,
   "type": "commonjs",
   "main": "dist/index.js",