npm - @elevasis/core - Versions diffs - 0.23.0 → 0.24.0 - Mend

@elevasis/core 0.23.0 → 0.24.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (241) hide show

package/dist/index.d.ts +1326 -552
package/dist/index.js +869 -154
package/dist/knowledge/index.d.ts +487 -209
package/dist/knowledge/index.js +104 -1
package/dist/organization-model/index.d.ts +1326 -552
package/dist/organization-model/index.js +869 -154
package/dist/test-utils/index.d.ts +357 -72
package/dist/test-utils/index.js +795 -142
package/package.json +5 -5
package/src/README.md +14 -14
package/src/__tests__/publish.test.ts +24 -24
package/src/__tests__/template-core-compatibility.test.ts +9 -12
package/src/_gen/__tests__/__snapshots__/contracts.md.snap +2102 -2096
package/src/_gen/__tests__/scaffold-contracts.test.ts +30 -30
package/src/auth/multi-tenancy/credentials/__tests__/encryption.test.ts +217 -217
package/src/auth/multi-tenancy/credentials/server/encryption.ts +69 -69
package/src/auth/multi-tenancy/credentials/server/kek-loader.ts +37 -37
package/src/auth/multi-tenancy/index.ts +26 -26
package/src/auth/multi-tenancy/invitations/api-schemas.ts +104 -104
package/src/auth/multi-tenancy/memberships/api-schemas.ts +143 -143
package/src/auth/multi-tenancy/memberships/index.ts +26 -26
package/src/auth/multi-tenancy/memberships/membership.ts +130 -130
package/src/auth/multi-tenancy/organizations/__tests__/api-schemas.test.ts +194 -194
package/src/auth/multi-tenancy/organizations/api-schemas.ts +136 -136
package/src/auth/multi-tenancy/permissions.test.ts +42 -42
package/src/auth/multi-tenancy/permissions.ts +123 -123
package/src/auth/multi-tenancy/role-management/api-schemas.ts +78 -78
package/src/auth/multi-tenancy/role-management/index.ts +16 -16
package/src/auth/multi-tenancy/theme-presets.ts +45 -45
package/src/auth/multi-tenancy/types.ts +57 -57
package/src/auth/multi-tenancy/users/api-schemas.ts +165 -165
package/src/business/README.md +2 -2
package/src/business/acquisition/activity-events.test.ts +250 -250
package/src/business/acquisition/activity-events.ts +93 -93
package/src/business/acquisition/api-schemas.test.ts +1883 -1843
package/src/business/acquisition/api-schemas.ts +1492 -1497
package/src/business/acquisition/build-templates.test.ts +240 -240
package/src/business/acquisition/build-templates.ts +98 -98
package/src/business/acquisition/crm-next-action.test.ts +262 -262
package/src/business/acquisition/crm-next-action.ts +220 -220
package/src/business/acquisition/crm-priority.test.ts +216 -216
package/src/business/acquisition/crm-priority.ts +349 -349
package/src/business/acquisition/crm-state-actions.test.ts +153 -153
package/src/business/acquisition/deal-ownership.test.ts +351 -351
package/src/business/acquisition/deal-ownership.ts +120 -120
package/src/business/acquisition/derive-actions.test.ts +129 -104
package/src/business/acquisition/derive-actions.ts +74 -84
package/src/business/acquisition/index.ts +171 -170
package/src/business/acquisition/ontology-validation.ts +309 -0
package/src/business/acquisition/stateful.ts +30 -30
package/src/business/acquisition/types.ts +396 -396
package/src/business/clients/api-schemas.test.ts +115 -115
package/src/business/clients/api-schemas.ts +158 -158
package/src/business/clients/index.ts +1 -1
package/src/business/crm/api-schemas.ts +40 -40
package/src/business/crm/index.ts +1 -1
package/src/business/deals/api-schemas.ts +87 -87
package/src/business/deals/index.ts +1 -1
package/src/business/index.ts +5 -5
package/src/business/projects/types.ts +144 -144
package/src/commands/queue/types/task.ts +15 -15
package/src/execution/core/runner-types.ts +61 -61
package/src/execution/core/sse-executions.ts +7 -7
package/src/execution/engine/__tests__/fixtures/test-agents.ts +10 -10
package/src/execution/engine/agent/core/__tests__/agent.test.ts +16 -16
package/src/execution/engine/agent/core/__tests__/error-passthrough.test.ts +4 -4
package/src/execution/engine/agent/core/types.ts +25 -25
package/src/execution/engine/agent/index.ts +6 -6
package/src/execution/engine/agent/reasoning/__tests__/request-builder.test.ts +24 -24
package/src/execution/engine/index.ts +443 -443
package/src/execution/engine/tools/integration/server/adapters/apify/__tests__/apify-run-actor.integration.test.ts +298 -298
package/src/execution/engine/tools/integration/server/adapters/apify/apify-adapter.test.ts +55 -55
package/src/execution/engine/tools/integration/server/adapters/apify/apify-adapter.ts +107 -107
package/src/execution/engine/tools/integration/server/adapters/apollo/apollo-adapter.test.ts +48 -48
package/src/execution/engine/tools/integration/server/adapters/apollo/apollo-adapter.ts +99 -99
package/src/execution/engine/tools/integration/server/adapters/apollo/index.ts +1 -1
package/src/execution/engine/tools/integration/server/adapters/attio/__tests__/attio-crud.integration.test.ts +363 -363
package/src/execution/engine/tools/integration/server/adapters/attio/fetch/get-record/index.test.ts +162 -162
package/src/execution/engine/tools/integration/server/adapters/attio/fetch/list-records/index.test.ts +316 -316
package/src/execution/engine/tools/integration/server/adapters/clickup/clickup-adapter.test.ts +18 -18
package/src/execution/engine/tools/integration/server/adapters/clickup/clickup-adapter.ts +194 -194
package/src/execution/engine/tools/integration/server/adapters/clickup/index.ts +7 -7
package/src/execution/engine/tools/integration/server/adapters/gmail/gmail-adapter.ts +204 -204
package/src/execution/engine/tools/integration/server/adapters/gmail/gmail-tools.ts +105 -105
package/src/execution/engine/tools/integration/server/adapters/google-calendar/google-calendar-adapter.ts +428 -428
package/src/execution/engine/tools/integration/server/adapters/google-calendar/index.ts +2 -2
package/src/execution/engine/tools/integration/server/adapters/google-sheets/__tests__/google-sheets.integration.test.ts +261 -261
package/src/execution/engine/tools/integration/server/adapters/instantly/instantly-tools.ts +1474 -1474
package/src/execution/engine/tools/integration/server/adapters/millionverifier/millionverifier-tools.ts +103 -103
package/src/execution/engine/tools/integration/server/adapters/resend/fetch/send-email/index.test.ts +88 -88
package/src/execution/engine/tools/integration/server/adapters/resend/fetch/send-email/index.ts +141 -141
package/src/execution/engine/tools/integration/server/adapters/resend/fetch/utils/types.ts +76 -76
package/src/execution/engine/tools/integration/server/adapters/signature-api/signature-api-tools.ts +182 -182
package/src/execution/engine/tools/integration/server/adapters/stripe/stripe-tools.ts +310 -310
package/src/execution/engine/tools/integration/service.test.ts +239 -239
package/src/execution/engine/tools/integration/service.ts +172 -172
package/src/execution/engine/tools/integration/tool.ts +255 -255
package/src/execution/engine/tools/lead-service-types.ts +1005 -1005
package/src/execution/engine/tools/messages.ts +43 -43
package/src/execution/engine/tools/platform/acquisition/company-tools.ts +7 -7
package/src/execution/engine/tools/platform/acquisition/contact-tools.ts +6 -6
package/src/execution/engine/tools/platform/acquisition/list-tools.ts +6 -6
package/src/execution/engine/tools/platform/acquisition/types.ts +280 -280
package/src/execution/engine/tools/platform/email/types.ts +97 -97
package/src/execution/engine/tools/registry.ts +704 -704
package/src/execution/engine/tools/tool-maps.ts +831 -831
package/src/execution/engine/tools/types.ts +234 -234
package/src/execution/engine/workflow/types.ts +202 -202
package/src/execution/external/__tests__/api-schemas.test.ts +127 -127
package/src/execution/external/api-schemas.ts +40 -40
package/src/execution/external/index.ts +1 -1
package/src/index.ts +18 -18
package/src/integrations/credentials/__tests__/api-schemas.test.ts +420 -420
package/src/integrations/credentials/api-schemas.ts +146 -146
package/src/integrations/credentials/schemas.ts +200 -200
package/src/integrations/oauth/__tests__/provider-registry.test.ts +7 -7
package/src/integrations/oauth/provider-registry.ts +74 -74
package/src/integrations/oauth/server/credentials.ts +43 -43
package/src/integrations/webhook-endpoints/__tests__/api-schemas.test.ts +327 -327
package/src/integrations/webhook-endpoints/api-schemas.ts +103 -103
package/src/integrations/webhook-endpoints/types.ts +58 -58
package/src/knowledge/README.md +32 -32
package/src/knowledge/__tests__/queries.test.ts +626 -535
package/src/knowledge/format.ts +99 -99
package/src/knowledge/index.ts +5 -5
package/src/knowledge/published.ts +5 -5
package/src/knowledge/queries.ts +269 -218
package/src/operations/activities/api-schemas.ts +80 -80
package/src/operations/activities/types.ts +64 -64
package/src/organization-model/README.md +149 -149
package/src/organization-model/__tests__/content-kinds-registry.test.ts +210 -210
package/src/organization-model/__tests__/defaults.test.ts +168 -168
package/src/organization-model/__tests__/domains/actions.test.ts +78 -56
package/src/organization-model/__tests__/domains/customers.test.ts +299 -299
package/src/organization-model/__tests__/domains/entities.test.ts +56 -56
package/src/organization-model/__tests__/domains/goals.test.ts +493 -493
package/src/organization-model/__tests__/domains/identity.test.ts +280 -280
package/src/organization-model/__tests__/domains/navigation.test.ts +268 -268
package/src/organization-model/__tests__/domains/offerings.test.ts +414 -414
package/src/organization-model/__tests__/domains/policies.test.ts +323 -323
package/src/organization-model/__tests__/domains/resource-mappings.test.ts +293 -293
package/src/organization-model/__tests__/domains/resources.test.ts +382 -283
package/src/organization-model/__tests__/domains/roles.test.ts +463 -463
package/src/organization-model/__tests__/domains/statuses.test.ts +246 -246
package/src/organization-model/__tests__/domains/systems.test.ts +209 -209
package/src/organization-model/__tests__/flatten-additive-merge.test.ts +362 -361
package/src/organization-model/__tests__/foundation.test.ts +77 -77
package/src/organization-model/__tests__/get-resources-for-system.test.ts +144 -144
package/src/organization-model/__tests__/graph.test.ts +1246 -887
package/src/organization-model/__tests__/icons.test.ts +10 -1
package/src/organization-model/__tests__/knowledge.test.ts +251 -15
package/src/organization-model/__tests__/lookup-helpers.test.ts +438 -438
package/src/organization-model/__tests__/migration-helpers.test.ts +591 -591
package/src/organization-model/__tests__/prospecting-ssot.test.ts +103 -103
package/src/organization-model/__tests__/recursive-system-schema.test.ts +535 -506
package/src/organization-model/__tests__/resolve.test.ts +274 -164
package/src/organization-model/__tests__/schema.test.ts +834 -301
package/src/organization-model/__tests__/surface-projection.test.ts +284 -284
package/src/organization-model/catalogs/lead-gen.ts +144 -144
package/src/organization-model/content-kinds/config.ts +36 -36
package/src/organization-model/content-kinds/index.ts +76 -72
package/src/organization-model/content-kinds/pipeline.ts +68 -68
package/src/organization-model/content-kinds/registry.ts +44 -44
package/src/organization-model/content-kinds/status.ts +71 -71
package/src/organization-model/content-kinds/template.ts +83 -83
package/src/organization-model/content-kinds/types.ts +117 -117
package/src/organization-model/contracts.ts +27 -27
package/src/organization-model/defaults.ts +40 -50
package/src/organization-model/domains/actions.ts +333 -239
package/src/organization-model/domains/customers.ts +78 -78
package/src/organization-model/domains/entities.ts +144 -144
package/src/organization-model/domains/goals.ts +83 -83
package/src/organization-model/domains/knowledge.ts +117 -101
package/src/organization-model/domains/navigation.ts +139 -139
package/src/organization-model/domains/offerings.ts +71 -71
package/src/organization-model/domains/policies.ts +102 -102
package/src/organization-model/domains/projects.ts +14 -14
package/src/organization-model/domains/prospecting.ts +395 -395
package/src/organization-model/domains/resources.ts +167 -132
package/src/organization-model/domains/roles.ts +96 -96
package/src/organization-model/domains/sales.test.ts +218 -218
package/src/organization-model/domains/sales.ts +380 -380
package/src/organization-model/domains/shared.ts +63 -63
package/src/organization-model/domains/statuses.ts +339 -339
package/src/organization-model/domains/systems.ts +217 -172
package/src/organization-model/foundation.ts +75 -75
package/src/organization-model/graph/build.ts +1016 -888
package/src/organization-model/graph/index.ts +4 -4
package/src/organization-model/graph/link.ts +10 -10
package/src/organization-model/graph/schema.ts +76 -70
package/src/organization-model/graph/types.ts +73 -67
package/src/organization-model/helpers.ts +289 -241
package/src/organization-model/icons.ts +78 -66
package/src/organization-model/index.ts +130 -128
package/src/organization-model/migration-helpers.ts +247 -244
package/src/organization-model/ontology.ts +661 -0
package/src/organization-model/organization-graph.mdx +110 -90
package/src/organization-model/organization-model.mdx +226 -219
package/src/organization-model/published.ts +289 -235
package/src/organization-model/resolve.ts +146 -91
package/src/organization-model/schema.ts +790 -671
package/src/organization-model/surface-projection.ts +212 -212
package/src/organization-model/types.ts +177 -167
package/src/platform/api/types.ts +38 -38
package/src/platform/constants/versions.ts +3 -3
package/src/platform/index.ts +23 -23
package/src/platform/registry/__tests__/command-view.test.ts +10 -10
package/src/platform/registry/__tests__/resource-link.test.ts +35 -35
package/src/platform/registry/__tests__/resource-registry.integration.test.ts +20 -20
package/src/platform/registry/__tests__/resource-registry.nested-systems.test.ts +245 -245
package/src/platform/registry/__tests__/resource-registry.test.ts +2053 -2053
package/src/platform/registry/__tests__/validation.test.ts +1347 -1347
package/src/platform/registry/command-view.ts +10 -10
package/src/platform/registry/index.ts +103 -103
package/src/platform/registry/resource-link.ts +32 -32
package/src/platform/registry/resource-registry.ts +890 -890
package/src/platform/registry/serialization.ts +295 -295
package/src/platform/registry/serialized-types.ts +166 -166
package/src/platform/registry/stats-types.ts +68 -68
package/src/platform/registry/types.ts +425 -425
package/src/platform/registry/validation.ts +745 -745
package/src/platform/utils/__tests__/validation.test.ts +1084 -1084
package/src/platform/utils/validation.ts +425 -425
package/src/projects/api-schemas.test.ts +39 -39
package/src/projects/api-schemas.ts +291 -291
package/src/reference/_generated/contracts.md +2101 -2096
package/src/reference/glossary.md +76 -76
package/src/scaffold-registry/__tests__/index.test.ts +206 -206
package/src/scaffold-registry/__tests__/schema.test.ts +166 -166
package/src/scaffold-registry/index.ts +392 -392
package/src/scaffold-registry/schema.ts +243 -243
package/src/server.ts +289 -289
package/src/supabase/database.types.ts +3153 -3153
package/src/test-utils/README.md +37 -37
package/src/test-utils/entities.ts +108 -108
package/src/test-utils/fixtures/memberships.ts +82 -82
package/src/test-utils/index.ts +12 -12
package/src/test-utils/organization-model.ts +65 -65
package/src/test-utils/published.ts +6 -6
package/src/test-utils/rls/RLSTestContext.ts +588 -588
package/src/test-utils/test-utils.test.ts +44 -44

package/src/auth/multi-tenancy/types.ts CHANGED Viewed

@@ -1,57 +1,57 @@
-/**
- * Multi-tenancy configuration types
- *
- * Config is stored in dedicated `config` columns (NOT nested in metadata):
- * - organizations.config: Org-level config (no feature toggles -- all features available by default)
- * - org_memberships.config: Per-user-per-org feature overrides
- * - users.config: User-global config
- */
-import type { ThemePresetName } from './theme-presets'
-/**
- * Per-user-per-org config (stored in org_memberships.config)
- * Controls which features a specific member can access within their org.
- * Keys are feature IDs from the organization model (e.g. crm, lead-gen, projects, seo).
- */
-export interface MembershipFeatureConfig {
-  features?: Record<string, boolean>
-}
-/**
- * User-global config (stored in users.config)
- * Theme and onboarding are user-specific, NOT org-specific
- */
-export interface UserConfig {
-  theme?: {
-    preset?: ThemePresetName
-    colorScheme?: 'light' | 'dark' | 'auto'
-  }
-  onboarding?: {
-    completed?: boolean
-    completedAt?: string // ISO date
-    role?: string
-    primaryUseCase?: string[]
-    experienceLevel?: string
-    /** Onboarding guide system state (set by checklist/tour system) */
-    guides?: {
-      completedIds?: string[] // e.g. ["explore-dashboard", "view-workflow"]
-      dismissed?: boolean // user manually dismissed checklist
-      completedAt?: string // ISO date — all guides finished
-    }
-  }
-}
-/**
- * OrgMetadata - Contains WorkOS sync data only
- * Note: This is kept separate from config for clarity
- */
-export interface OrgMetadata {
-  domains?: {
-    verified: string[]
-    pending: string[]
-    all: string[]
-  }
-  workos_created_at?: string
-  workos_updated_at?: string
-}
+/**
+ * Multi-tenancy configuration types
+ *
+ * Config is stored in dedicated `config` columns (NOT nested in metadata):
+ * - organizations.config: Org-level config (no feature toggles -- all features available by default)
+ * - org_memberships.config: Per-user-per-org feature overrides
+ * - users.config: User-global config
+ */
+import type { ThemePresetName } from './theme-presets'
+/**
+ * Per-user-per-org config (stored in org_memberships.config)
+ * Controls which features a specific member can access within their org.
+ * Keys are feature IDs from the organization model (e.g. crm, lead-gen, projects, seo).
+ */
+export interface MembershipFeatureConfig {
+  features?: Record<string, boolean>
+}
+/**
+ * User-global config (stored in users.config)
+ * Theme and onboarding are user-specific, NOT org-specific
+ */
+export interface UserConfig {
+  theme?: {
+    preset?: ThemePresetName
+    colorScheme?: 'light' | 'dark' | 'auto'
+  }
+  onboarding?: {
+    completed?: boolean
+    completedAt?: string // ISO date
+    role?: string
+    primaryUseCase?: string[]
+    experienceLevel?: string
+    /** Onboarding guide system state (set by checklist/tour system) */
+    guides?: {
+      completedIds?: string[] // e.g. ["explore-dashboard", "view-workflow"]
+      dismissed?: boolean // user manually dismissed checklist
+      completedAt?: string // ISO date — all guides finished
+    }
+  }
+}
+/**
+ * OrgMetadata - Contains WorkOS sync data only
+ * Note: This is kept separate from config for clarity
+ */
+export interface OrgMetadata {
+  domains?: {
+    verified: string[]
+    pending: string[]
+    all: string[]
+  }
+  workos_created_at?: string
+  workos_updated_at?: string
+}

package/src/auth/multi-tenancy/users/api-schemas.ts CHANGED Viewed

@@ -1,165 +1,165 @@
-/**
- * Users Domain - Zod Validation Schemas
- *
- * Validation schemas for user management endpoints.
- * Includes request bodies, query params, and path params.
- *
- * Security:
- * - All schemas use .strict() to prevent mass assignment attacks
- * - UUID validation prevents invalid references
- * - Email validation prevents email injection attacks
- * - emailVerified field excluded from create/update (admin-only)
- * - String length limits prevent DoS
- */
-import { z } from 'zod'
-import { EmailSchema, createStringSchema } from '../../../platform/utils/validation'
-import { ThemePresetEnum } from '../theme-presets'
-// ============================================================================
-// Path Parameters
-// ============================================================================
-/**
- * Validate user ID in URL path
- * Used by: GET/PUT/DELETE /users/:id
- */
-export const UserIdParamSchema = z
-  .object({
-    id: z.string().min(1) // WorkOS user IDs can be UUID or 'user_' prefixed strings
-  })
-  .strict()
-/**
- * Validate external ID in URL path
- * Used by: GET /users/external/:externalId
- */
-export const ExternalIdParamSchema = z
-  .object({
-    externalId: z.string().min(1)
-  })
-  .strict()
-// ============================================================================
-// Request Bodies
-// ============================================================================
-/**
- * Update user profile
- * PUT /users/:id
- *
- * Security:
- * - All fields optional (partial update)
- * - Email format validated
- * - emailVerified NOT accepted (managed by WorkOS only)
- * - Strict mode prevents unknown field injection
- */
-export const UpdateUserSchema = z
-  .object({
-    email: EmailSchema.optional(),
-    firstName: createStringSchema(1, 100, 'First name').optional(),
-    lastName: createStringSchema(1, 100, 'Last name').optional()
-  })
-  .strict()
-// ============================================================================
-// Self-Service Profile
-// ============================================================================
-/**
- * Self-service profile update (subset of admin UpdateUserSchema)
- * PATCH /users/me
- *
- * Security:
- * - All fields optional (partial update)
- * - Server identifies user from JWT (no user ID in body)
- * - Config restricted to theme and onboarding only
- * - Strict mode prevents unknown field injection
- */
-export const UpdateMyProfileSchema = z
-  .object({
-    firstName: createStringSchema(1, 100, 'First name').optional(),
-    lastName: createStringSchema(1, 100, 'Last name').optional(),
-    profilePictureUrl: z
-      .string()
-      .url()
-      .refine((url) => url.startsWith('https://'), { message: 'Only HTTPS URLs are allowed' })
-      .optional(),
-    lastVisitedOrg: z.string().uuid().optional(),
-    config: z
-      .object({
-        theme: z
-          .object({
-            // `.catch('default')` makes the write path tolerant of stale/unknown preset strings.
-            // Any value that fails enum validation silently coerces to 'default' instead of 400ing.
-            // This protects against preset renames (e.g. cyber-punk → cyber-chrome) and drift between
-            // the enum and legacy DB values. Paired with a read-path sync-back in main.tsx that
-            // persists the corrected value back to DB on next profile load.
-            // ThemePresetEnum is derived from THEME_PRESETS — the single source of truth in
-            // packages/core/src/auth/multi-tenancy/theme-presets.ts.
-            preset: ThemePresetEnum.catch('default').optional(),
-            colorScheme: z.enum(['light', 'dark', 'auto']).catch('auto').optional()
-          })
-          .strict()
-          .optional(),
-        onboarding: z
-          .object({
-            completed: z.boolean().optional(),
-            completedAt: z.string().datetime().nullable().optional(),
-            role: z.string().max(100).nullable().optional(),
-            primaryUseCase: z.array(z.string().max(100)).max(10).nullable().optional(),
-            experienceLevel: z.string().max(100).nullable().optional(),
-            guides: z
-              .object({
-                completedIds: z.array(z.string().max(100)).max(20).optional(),
-                dismissed: z.boolean().optional(),
-                completedAt: z.string().datetime().nullable().optional()
-              })
-              .strict()
-              .optional()
-          })
-          .strict()
-          .optional()
-      })
-      .strict()
-      .optional()
-  })
-  .strict()
-// ============================================================================
-// Query Parameters
-// ============================================================================
-/**
- * List users with filters
- * GET /users
- *
- * Filters:
- * - email: Filter by email
- * - organizationId: Filter by organization
- * - limit: Max results (pagination handled by WorkOS)
- *
- * Security:
- * - Email validated (prevents injection)
- * - organizationId validated (UUID format)
- */
-export const ListUsersQuerySchema = z
-  .object({
-    email: EmailSchema.optional(),
-    organizationId: z.string().optional(), // WorkOS org IDs can be UUID or 'org_' prefixed
-    limit: z.coerce.number().int().min(1).max(100).optional(),
-    before: z.string().optional(), // WorkOS pagination cursor
-    after: z.string().optional() // WorkOS pagination cursor
-  })
-  .strict()
-// ============================================================================
-// TypeScript Type Exports
-// ============================================================================
-// Export inferred types for use in route handlers
-export type UpdateUserInput = z.infer<typeof UpdateUserSchema>
-export type UpdateMyProfileInput = z.infer<typeof UpdateMyProfileSchema>
-export type ListUsersQuery = z.infer<typeof ListUsersQuerySchema>
-export type UserIdParam = z.infer<typeof UserIdParamSchema>
-export type ExternalIdParam = z.infer<typeof ExternalIdParamSchema>
+/**
+ * Users Domain - Zod Validation Schemas
+ *
+ * Validation schemas for user management endpoints.
+ * Includes request bodies, query params, and path params.
+ *
+ * Security:
+ * - All schemas use .strict() to prevent mass assignment attacks
+ * - UUID validation prevents invalid references
+ * - Email validation prevents email injection attacks
+ * - emailVerified field excluded from create/update (admin-only)
+ * - String length limits prevent DoS
+ */
+import { z } from 'zod'
+import { EmailSchema, createStringSchema } from '../../../platform/utils/validation'
+import { ThemePresetEnum } from '../theme-presets'
+// ============================================================================
+// Path Parameters
+// ============================================================================
+/**
+ * Validate user ID in URL path
+ * Used by: GET/PUT/DELETE /users/:id
+ */
+export const UserIdParamSchema = z
+  .object({
+    id: z.string().min(1) // WorkOS user IDs can be UUID or 'user_' prefixed strings
+  })
+  .strict()
+/**
+ * Validate external ID in URL path
+ * Used by: GET /users/external/:externalId
+ */
+export const ExternalIdParamSchema = z
+  .object({
+    externalId: z.string().min(1)
+  })
+  .strict()
+// ============================================================================
+// Request Bodies
+// ============================================================================
+/**
+ * Update user profile
+ * PUT /users/:id
+ *
+ * Security:
+ * - All fields optional (partial update)
+ * - Email format validated
+ * - emailVerified NOT accepted (managed by WorkOS only)
+ * - Strict mode prevents unknown field injection
+ */
+export const UpdateUserSchema = z
+  .object({
+    email: EmailSchema.optional(),
+    firstName: createStringSchema(1, 100, 'First name').optional(),
+    lastName: createStringSchema(1, 100, 'Last name').optional()
+  })
+  .strict()
+// ============================================================================
+// Self-Service Profile
+// ============================================================================
+/**
+ * Self-service profile update (subset of admin UpdateUserSchema)
+ * PATCH /users/me
+ *
+ * Security:
+ * - All fields optional (partial update)
+ * - Server identifies user from JWT (no user ID in body)
+ * - Config restricted to theme and onboarding only
+ * - Strict mode prevents unknown field injection
+ */
+export const UpdateMyProfileSchema = z
+  .object({
+    firstName: createStringSchema(1, 100, 'First name').optional(),
+    lastName: createStringSchema(1, 100, 'Last name').optional(),
+    profilePictureUrl: z
+      .string()
+      .url()
+      .refine((url) => url.startsWith('https://'), { message: 'Only HTTPS URLs are allowed' })
+      .optional(),
+    lastVisitedOrg: z.string().uuid().optional(),
+    config: z
+      .object({
+        theme: z
+          .object({
+            // `.catch('default')` makes the write path tolerant of stale/unknown preset strings.
+            // Any value that fails enum validation silently coerces to 'default' instead of 400ing.
+            // This protects against preset renames (e.g. cyber-punk → cyber-chrome) and drift between
+            // the enum and legacy DB values. Paired with a read-path sync-back in main.tsx that
+            // persists the corrected value back to DB on next profile load.
+            // ThemePresetEnum is derived from THEME_PRESETS — the single source of truth in
+            // packages/core/src/auth/multi-tenancy/theme-presets.ts.
+            preset: ThemePresetEnum.catch('default').optional(),
+            colorScheme: z.enum(['light', 'dark', 'auto']).catch('auto').optional()
+          })
+          .strict()
+          .optional(),
+        onboarding: z
+          .object({
+            completed: z.boolean().optional(),
+            completedAt: z.string().datetime().nullable().optional(),
+            role: z.string().max(100).nullable().optional(),
+            primaryUseCase: z.array(z.string().max(100)).max(10).nullable().optional(),
+            experienceLevel: z.string().max(100).nullable().optional(),
+            guides: z
+              .object({
+                completedIds: z.array(z.string().max(100)).max(20).optional(),
+                dismissed: z.boolean().optional(),
+                completedAt: z.string().datetime().nullable().optional()
+              })
+              .strict()
+              .optional()
+          })
+          .strict()
+          .optional()
+      })
+      .strict()
+      .optional()
+  })
+  .strict()
+// ============================================================================
+// Query Parameters
+// ============================================================================
+/**
+ * List users with filters
+ * GET /users
+ *
+ * Filters:
+ * - email: Filter by email
+ * - organizationId: Filter by organization
+ * - limit: Max results (pagination handled by WorkOS)
+ *
+ * Security:
+ * - Email validated (prevents injection)
+ * - organizationId validated (UUID format)
+ */
+export const ListUsersQuerySchema = z
+  .object({
+    email: EmailSchema.optional(),
+    organizationId: z.string().optional(), // WorkOS org IDs can be UUID or 'org_' prefixed
+    limit: z.coerce.number().int().min(1).max(100).optional(),
+    before: z.string().optional(), // WorkOS pagination cursor
+    after: z.string().optional() // WorkOS pagination cursor
+  })
+  .strict()
+// ============================================================================
+// TypeScript Type Exports
+// ============================================================================
+// Export inferred types for use in route handlers
+export type UpdateUserInput = z.infer<typeof UpdateUserSchema>
+export type UpdateMyProfileInput = z.infer<typeof UpdateMyProfileSchema>
+export type ListUsersQuery = z.infer<typeof ListUsersQuerySchema>
+export type UserIdParam = z.infer<typeof UserIdParamSchema>
+export type ExternalIdParam = z.infer<typeof ExternalIdParamSchema>

package/src/business/README.md CHANGED Viewed

@@ -2,7 +2,7 @@
 Published base entity contracts for the Elevasis platform. Each entity ships as a TypeScript interface, a matching Zod schema, and an inferred `Input` type, generic over a `<TMeta>` extension slot.
-External projects extend these in `core/types/entities.ts` to attach project-specific metadata while keeping the canonical shape stable.
+External projects extend these in `core/types/entities.ts` to attach project-specific metadata while keeping the canonical shape stable.
 ## Published Exports
@@ -49,4 +49,4 @@ export type Deal = BaseDeal
 The full pattern is documented in the SDK scaffold bundle: `node_modules/@elevasis/sdk/reference/scaffold/recipes/extend-a-base-entity.md`.
-The canonical template demo lives at `external/_template/core/types/entities.ts`.
+The canonical template demo lives at `external/_template/core/types/entities.ts`.