npm - @eide/foir-cli - Versions diffs - 0.53.0 → 0.54.0 - Mend

@eide/foir-cli 0.53.0 → 0.54.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/cli.js +721 -368
package/dist/lib/config-helpers.d.ts +41 -1
package/package.json +3 -3

package/dist/lib/config-helpers.d.ts CHANGED Viewed

@@ -412,6 +412,39 @@ interface ApplyConfigApiKeyInput {
     /** Restrict file uploads to specific MIME types (e.g. ["image/*", "video/*"]). */
     allowedFileTypes?: string[];
 }
+/**
+ * A customer RBAC role declared in foir.config.ts and reconciled by
+ * `foir push`. The role's `permissions` become a customer access token's
+ * scope set at mint time (EID-125). Roles are matched by `key` within the
+ * project — a declared key that already exists is updated in place; a new
+ * key is created. (Roles present on the platform but absent from the config
+ * are left untouched — never auto-disabled.)
+ *
+ * Without a role, a consumer app's customers get read-only tokens after the
+ * Model B auth change (EID-17): the public `pk_` key can no longer grant
+ * write/execute, so the only source of those scopes is the customer's role.
+ */
+interface ApplyConfigCustomerRoleInput {
+    /** Stable key, unique per project (e.g. "default", "member"). */
+    key: string;
+    /** Human-readable name (e.g. "Default Customer"). */
+    name: string;
+    /**
+     * Scopes granted to customers holding this role. Reuses the scoped-token
+     * grammar (records:read:<model>, records:write:<model>, operations:execute,
+     * files:read, …). The `self:*` macro expands at mint time to
+     * records:{read,write}:<model> for every customer-writable model in the
+     * project — but does NOT include operations:execute, so list that
+     * explicitly when the app's customers run operations.
+     */
+    permissions: string[];
+    /**
+     * When true, every customer in the project inherits this role with no
+     * per-customer assignment. An app's baseline customer grant should be a
+     * single `isDefault: true` role. Defaults to false.
+     */
+    isDefault?: boolean;
+}
 /**
  * Source-type mapping entry for an app install. Maps a manifest-declared
  * source type onto a project model. See docs/platform/apps.md §Mapping step.
@@ -562,6 +595,13 @@ interface ApplyConfigInput {
     relyingParties?: ApplyConfigRelyingPartyInput[];
     placements?: ApplyConfigPlacementInput[];
     apiKeys?: ApplyConfigApiKeyInput[];
+    /**
+     * Customer RBAC roles, reconciled by `foir push`. Declare an
+     * `isDefault: true` role to grant every customer the write/execute scopes
+     * their tokens need (EID-125) — without one, customers get read-only
+     * tokens after the Model B auth change (EID-17).
+     */
+    customerRoles?: ApplyConfigCustomerRoleInput[];
     /** Per-project app declarations, keyed by app name. */
     apps?: Record<string, AppInput>;
     /**
@@ -637,4 +677,4 @@ interface FoirSecretsConfig {
  */
 declare function defineSecrets(config: FoirSecretsConfig): FoirSecretsConfig;
-export { type AppInput, type AppPlacementFieldChoiceInput, type AppSinkMappingInput, type AppSourceMappingInput, type ApplyConfigApiKeyInput, type ApplyConfigAuthProviderInput, type ApplyConfigDesignTokensInput, type ApplyConfigHookInput, type ApplyConfigInput, type ApplyConfigModelInput, type ApplyConfigOperationInput, type ApplyConfigPlacementInput, type ApplyConfigProjectInput, type ApplyConfigProjectSettingsInput, type ApplyConfigRelyingPartyInput, type ApplyConfigRelyingPartyLoginMethods, type ApplyConfigScheduleInput, type ApplyConfigSegmentInput, type EnumFieldConfig, type EnumFieldDefinitionInput, type EnumFieldOption, type FieldAccessInput, type FieldDefinitionInput, type FoirSecretsConfig, type LookupDefinitionInput, type QuotaRule, type SecretDeclaration, type SecretOwnerKind, type SelectFieldConfig, type SelectFieldDefinitionInput, defineAuthProvider, defineConfig, defineDesignTokens, defineEnumField, defineField, defineHook, defineModel, defineOperation, definePlacement, defineRelyingParty, defineSchedule, defineSecrets, defineSegment, defineSelectField };
+export { type AppInput, type AppPlacementFieldChoiceInput, type AppSinkMappingInput, type AppSourceMappingInput, type ApplyConfigApiKeyInput, type ApplyConfigAuthProviderInput, type ApplyConfigCustomerRoleInput, type ApplyConfigDesignTokensInput, type ApplyConfigHookInput, type ApplyConfigInput, type ApplyConfigModelInput, type ApplyConfigOperationInput, type ApplyConfigPlacementInput, type ApplyConfigProjectInput, type ApplyConfigProjectSettingsInput, type ApplyConfigRelyingPartyInput, type ApplyConfigRelyingPartyLoginMethods, type ApplyConfigScheduleInput, type ApplyConfigSegmentInput, type EnumFieldConfig, type EnumFieldDefinitionInput, type EnumFieldOption, type FieldAccessInput, type FieldDefinitionInput, type FoirSecretsConfig, type LookupDefinitionInput, type QuotaRule, type SecretDeclaration, type SecretOwnerKind, type SelectFieldConfig, type SelectFieldDefinitionInput, defineAuthProvider, defineConfig, defineDesignTokens, defineEnumField, defineField, defineHook, defineModel, defineOperation, definePlacement, defineRelyingParty, defineSchedule, defineSecrets, defineSegment, defineSelectField };

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@eide/foir-cli",
-  "version": "0.53.0",
+  "version": "0.54.0",
   "description": "Universal platform CLI for Foir platform",
   "type": "module",
   "publishConfig": {
@@ -55,8 +55,8 @@
     "tsx": "^4.20.0",
     "typescript": "5.9.2",
     "vitest": "^3.2.4",
-    "@foir/proto-ts": "0.106.0",
-    "@foir/rpc-node": "0.0.0"
+    "@foir/rpc-node": "0.0.0",
+    "@foir/proto-ts": "0.108.0"
   },
   "engines": {
     "node": ">=18.0.0"