@eide/foir-cli 0.52.0 → 0.54.0
- package/dist/cli.js +733 -376
- package/dist/lib/config-helpers.d.ts +48 -2
- package/package.json +3 -3
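--- a/package/dist/lib/config-helpers.d.ts
+++ b/package/dist/lib/config-helpers.d.ts
@@ -340,7 +340,7 @@ interface ApplyConfigRelyingPartyInput {
 * platform-managed and not part of project config.
 */
 kind?: 'customer' | 'admin';
-/** Public RP slug, unique per project (e.g. `
+/** Public RP slug, unique per project (e.g. `acme-storefront`). */
 clientId: string;
 /** Display name shown on the hosted login. */
 name: string;
@@ -362,6 +362,12 @@ interface ApplyConfigRelyingPartyInput {
 * output prints, then verify. Customer-lane only.
 */
 customDomains?: string[];
+/**
+* Where a bare custom-domain (front-door) login lands after Foir sets the
+* first-party session cookie (EID-108) — the app's landing, not an OAuth
+* callback. Empty falls back to the redirect URI. Customer-lane only.
+*/
+postLoginUrl?: string;
 }
 interface ApplyConfigPlacementInput {
 type: string;
@@ -406,6 +412,39 @@ interface ApplyConfigApiKeyInput {
 /** Restrict file uploads to specific MIME types (e.g. ["image/*", "video/*"]). */
 allowedFileTypes?: string[];
 }
+/**
+* A customer RBAC role declared in foir.config.ts and reconciled by
+* `foir push`. The role's `permissions` become a customer access token's
+* scope set at mint time (EID-125). Roles are matched by `key` within the
+* project — a declared key that already exists is updated in place; a new
+* key is created. (Roles present on the platform but absent from the config
+* are left untouched — never auto-disabled.)
+*
+* Without a role, a consumer app's customers get read-only tokens after the
+* Model B auth change (EID-17): the public `pk_` key can no longer grant
+* write/execute, so the only source of those scopes is the customer's role.
+*/
+interface ApplyConfigCustomerRoleInput {
+/** Stable key, unique per project (e.g. "default", "member"). */
+key: string;
+/** Human-readable name (e.g. "Default Customer"). */
+name: string;
+/**
+* Scopes granted to customers holding this role. Reuses the scoped-token
+* grammar (records:read:<model>, records:write:<model>, operations:execute,
+* files:read, …). The `self:*` macro expands at mint time to
+* records:{read,write}:<model> for every customer-writable model in the
+* project — but does NOT include operations:execute, so list that
+* explicitly when the app's customers run operations.
+*/
+permissions: string[];
+/**
+* When true, every customer in the project inherits this role with no
+* per-customer assignment. An app's baseline customer grant should be a
+* single `isDefault: true` role. Defaults to false.
+*/
+isDefault?: boolean;
+}
 /**
 * Source-type mapping entry for an app install. Maps a manifest-declared
 * source type onto a project model. See docs/platform/apps.md §Mapping step.
@@ -556,6 +595,13 @@ interface ApplyConfigInput {
 relyingParties?: ApplyConfigRelyingPartyInput[];
 placements?: ApplyConfigPlacementInput[];
 apiKeys?: ApplyConfigApiKeyInput[];
+/**
+* Customer RBAC roles, reconciled by `foir push`. Declare an
+* `isDefault: true` role to grant every customer the write/execute scopes
+* their tokens need (EID-125) — without one, customers get read-only
+* tokens after the Model B auth change (EID-17).
+*/
+customerRoles?: ApplyConfigCustomerRoleInput[];
 /** Per-project app declarations, keyed by app name. */
 apps?: Record<string, AppInput>;
 /**
@@ -631,4 +677,4 @@ interface FoirSecretsConfig {
 */
 declare function defineSecrets(config: FoirSecretsConfig): FoirSecretsConfig;
 
-export { type AppInput, type AppPlacementFieldChoiceInput, type AppSinkMappingInput, type AppSourceMappingInput, type ApplyConfigApiKeyInput, type ApplyConfigAuthProviderInput, type ApplyConfigDesignTokensInput, type ApplyConfigHookInput, type ApplyConfigInput, type ApplyConfigModelInput, type ApplyConfigOperationInput, type ApplyConfigPlacementInput, type ApplyConfigProjectInput, type ApplyConfigProjectSettingsInput, type ApplyConfigRelyingPartyInput, type ApplyConfigRelyingPartyLoginMethods, type ApplyConfigScheduleInput, type ApplyConfigSegmentInput, type EnumFieldConfig, type EnumFieldDefinitionInput, type EnumFieldOption, type FieldAccessInput, type FieldDefinitionInput, type FoirSecretsConfig, type LookupDefinitionInput, type QuotaRule, type SecretDeclaration, type SecretOwnerKind, type SelectFieldConfig, type SelectFieldDefinitionInput, defineAuthProvider, defineConfig, defineDesignTokens, defineEnumField, defineField, defineHook, defineModel, defineOperation, definePlacement, defineRelyingParty, defineSchedule, defineSecrets, defineSegment, defineSelectField };
+export { type AppInput, type AppPlacementFieldChoiceInput, type AppSinkMappingInput, type AppSourceMappingInput, type ApplyConfigApiKeyInput, type ApplyConfigAuthProviderInput, type ApplyConfigCustomerRoleInput, type ApplyConfigDesignTokensInput, type ApplyConfigHookInput, type ApplyConfigInput, type ApplyConfigModelInput, type ApplyConfigOperationInput, type ApplyConfigPlacementInput, type ApplyConfigProjectInput, type ApplyConfigProjectSettingsInput, type ApplyConfigRelyingPartyInput, type ApplyConfigRelyingPartyLoginMethods, type ApplyConfigScheduleInput, type ApplyConfigSegmentInput, type EnumFieldConfig, type EnumFieldDefinitionInput, type EnumFieldOption, type FieldAccessInput, type FieldDefinitionInput, type FoirSecretsConfig, type LookupDefinitionInput, type QuotaRule, type SecretDeclaration, type SecretOwnerKind, type SelectFieldConfig, type SelectFieldDefinitionInput, defineAuthProvider, defineConfig, defineDesignTokens, defineEnumField, defineField, defineHook, defineModel, defineOperation, definePlacement, defineRelyingParty, defineSchedule, defineSecrets, defineSegment, defineSelectField };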
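Review bot: The doc comment on `ApplyConfigCustomerRoleInput` (third hunk) says roles absent from the config are "left untouched — never auto-disabled", but it does not spell out what that means for revocation: going by that comment, deleting a role from foir.config.ts leaves it live on the platform, so a broad or `isDefault: true` grant would keep flowing into customer token scopes after the config no longer shows it. I would add a line to the interface comment along the lines of `* Removing a role from the config does NOT revoke it; narrow its permissions in place or disable it on the platform.`, with the wording confirmed against what `foir push` really does, since the reconciler lives in cli.js and is not visible in this section. Separately, `permissions: string[]` accepts any string, so a mistyped scope or an unintended `self:*` passes type-checking; if the scope grammar is stable a template-literal union would catch typos at compile time, and otherwise the comment should state where invalid scopes are rejected.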
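--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@eide/foir-cli",
-"version": "0.
+"version": "0.54.0",
 "description": "Universal platform CLI for Foir platform",
 "type": "module",
 "publishConfig": {
@@ -55,8 +55,8 @@
 "tsx": "^4.20.0",
 "typescript": "5.9.2",
 "vitest": "^3.2.4",
-"@foir/
-"@foir/
+"@foir/rpc-node": "0.0.0",
+"@foir/proto-ts": "0.108.0"
 },
 "engines": {
 "node": ">=18.0.0"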