@fiado/type-kit 3.111.0 → 3.113.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -1,6 +1,6 @@
1
1
  // Jest Snapshot v1, https://jestjs.io/docs/snapshot-testing
2
2
 
3
- exports[`PERMISSION_BIT_ORDER PERMS_VERSION es número estable 1`] = `785870733`;
3
+ exports[`PERMISSION_BIT_ORDER PERMS_VERSION es número estable 1`] = `488222087`;
4
4
 
5
5
  exports[`PERMISSION_BIT_ORDER append-only: snapshot del ORDEN COMPLETO (rompe ante cualquier reorden/inserción) 1`] = `
6
6
  [
@@ -123,5 +123,6 @@ exports[`PERMISSION_BIT_ORDER append-only: snapshot del ORDEN COMPLETO (rompe an
123
123
  "platform.tenant.userfields.manage",
124
124
  "agents.app.access",
125
125
  "platform.user.create.lateral",
126
+ "platform.application.manage",
126
127
  ]
127
128
  `;
@@ -0,0 +1,9 @@
1
+ /**
2
+ * Body del PUT /me/profile/complete (autenticado, gate post-MFA del autoregistro). DEC-RBAC-034.
3
+ * Opera sobre el propio usuario (cognitoSub del token). Valida nombre + los `userFieldDefs` requeridos
4
+ * del tenant (422 MISSING_REQUIRED_FIELDS si faltan) y flipea `profileComplete=true`.
5
+ */
6
+ export declare class CompleteMyProfileRequest {
7
+ displayName: string;
8
+ customFields?: Record<string, string>;
9
+ }
@@ -0,0 +1,34 @@
1
+ "use strict";
2
+ var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
3
+ var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
4
+ if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
5
+ else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
6
+ return c > 3 && r && Object.defineProperty(target, key, r), r;
7
+ };
8
+ var __metadata = (this && this.__metadata) || function (k, v) {
9
+ if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
10
+ };
11
+ Object.defineProperty(exports, "__esModule", { value: true });
12
+ exports.CompleteMyProfileRequest = void 0;
13
+ const class_transformer_1 = require("class-transformer");
14
+ const class_validator_1 = require("class-validator");
15
+ /**
16
+ * Body del PUT /me/profile/complete (autenticado, gate post-MFA del autoregistro). DEC-RBAC-034.
17
+ * Opera sobre el propio usuario (cognitoSub del token). Valida nombre + los `userFieldDefs` requeridos
18
+ * del tenant (422 MISSING_REQUIRED_FIELDS si faltan) y flipea `profileComplete=true`.
19
+ */
20
+ class CompleteMyProfileRequest {
21
+ }
22
+ exports.CompleteMyProfileRequest = CompleteMyProfileRequest;
23
+ __decorate([
24
+ (0, class_transformer_1.Expose)(),
25
+ (0, class_validator_1.IsString)(),
26
+ (0, class_validator_1.IsNotEmpty)(),
27
+ __metadata("design:type", String)
28
+ ], CompleteMyProfileRequest.prototype, "displayName", void 0);
29
+ __decorate([
30
+ (0, class_transformer_1.Expose)(),
31
+ (0, class_validator_1.IsOptional)(),
32
+ (0, class_validator_1.IsObject)(),
33
+ __metadata("design:type", Object)
34
+ ], CompleteMyProfileRequest.prototype, "customFields", void 0);
@@ -19,4 +19,6 @@ export declare class CreateTenantRequest {
19
19
  tokenValidationMode?: TokenValidationMode;
20
20
  /** Tipo de tenant a crear. Si se omite, el onboarding aplica su default (hoy: retail). */
21
21
  tenantType?: TenantType;
22
+ /** DEC-RBAC-034: aplicación (plantilla) de la que se crea el tenant; opcional, fallback a tenantType (back-compat). */
23
+ applicationId?: string;
22
24
  }
@@ -80,3 +80,9 @@ __decorate([
80
80
  (0, class_validator_1.IsEnum)(tenantTypes_1.TenantType),
81
81
  __metadata("design:type", String)
82
82
  ], CreateTenantRequest.prototype, "tenantType", void 0);
83
+ __decorate([
84
+ (0, class_transformer_1.Expose)(),
85
+ (0, class_validator_1.IsOptional)(),
86
+ (0, class_validator_1.IsString)(),
87
+ __metadata("design:type", String)
88
+ ], CreateTenantRequest.prototype, "applicationId", void 0);
@@ -0,0 +1,21 @@
1
+ /**
2
+ * Body del POST /self-register/complete (público, anónimo). DEC-RBAC-033.
3
+ * Consume el `completionToken` del verify-otp (validación condicional atómica server-side, anti
4
+ * doble-complete). La password la elige el usuario y nace permanente (usuario ACTIVE). `displayName`
5
+ * y `customFields` son opcionales (point 6): si llegan completos, `profileComplete=true` y se saltea
6
+ * el gate post-MFA; si no, el usuario nace `profileComplete=false` con displayName placeholder.
7
+ * La password NUNCA se persiste: viaja solo acá, directo a Cognito.
8
+ */
9
+ export declare class SelfRegisterCompleteRequest {
10
+ tenantId: string;
11
+ email: string;
12
+ completionToken: string;
13
+ password: string;
14
+ displayName?: string;
15
+ customFields?: Record<string, string>;
16
+ }
17
+ /** Respuesta del complete. El usuario nace ACTIVE; `profileComplete` indica si falta completar perfil. */
18
+ export interface SelfRegisterCompleteResponse {
19
+ cognitoSub: string;
20
+ profileComplete: boolean;
21
+ }
@@ -0,0 +1,60 @@
1
+ "use strict";
2
+ var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
3
+ var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
4
+ if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
5
+ else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
6
+ return c > 3 && r && Object.defineProperty(target, key, r), r;
7
+ };
8
+ var __metadata = (this && this.__metadata) || function (k, v) {
9
+ if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
10
+ };
11
+ Object.defineProperty(exports, "__esModule", { value: true });
12
+ exports.SelfRegisterCompleteRequest = void 0;
13
+ const class_transformer_1 = require("class-transformer");
14
+ const class_validator_1 = require("class-validator");
15
+ /**
16
+ * Body del POST /self-register/complete (público, anónimo). DEC-RBAC-033.
17
+ * Consume el `completionToken` del verify-otp (validación condicional atómica server-side, anti
18
+ * doble-complete). La password la elige el usuario y nace permanente (usuario ACTIVE). `displayName`
19
+ * y `customFields` son opcionales (point 6): si llegan completos, `profileComplete=true` y se saltea
20
+ * el gate post-MFA; si no, el usuario nace `profileComplete=false` con displayName placeholder.
21
+ * La password NUNCA se persiste: viaja solo acá, directo a Cognito.
22
+ */
23
+ class SelfRegisterCompleteRequest {
24
+ }
25
+ exports.SelfRegisterCompleteRequest = SelfRegisterCompleteRequest;
26
+ __decorate([
27
+ (0, class_transformer_1.Expose)(),
28
+ (0, class_validator_1.IsString)(),
29
+ (0, class_validator_1.IsNotEmpty)(),
30
+ __metadata("design:type", String)
31
+ ], SelfRegisterCompleteRequest.prototype, "tenantId", void 0);
32
+ __decorate([
33
+ (0, class_transformer_1.Expose)(),
34
+ (0, class_validator_1.IsEmail)(),
35
+ __metadata("design:type", String)
36
+ ], SelfRegisterCompleteRequest.prototype, "email", void 0);
37
+ __decorate([
38
+ (0, class_transformer_1.Expose)(),
39
+ (0, class_validator_1.IsString)(),
40
+ (0, class_validator_1.IsNotEmpty)(),
41
+ __metadata("design:type", String)
42
+ ], SelfRegisterCompleteRequest.prototype, "completionToken", void 0);
43
+ __decorate([
44
+ (0, class_transformer_1.Expose)(),
45
+ (0, class_validator_1.IsString)(),
46
+ (0, class_validator_1.MinLength)(8),
47
+ __metadata("design:type", String)
48
+ ], SelfRegisterCompleteRequest.prototype, "password", void 0);
49
+ __decorate([
50
+ (0, class_transformer_1.Expose)(),
51
+ (0, class_validator_1.IsOptional)(),
52
+ (0, class_validator_1.IsString)(),
53
+ __metadata("design:type", String)
54
+ ], SelfRegisterCompleteRequest.prototype, "displayName", void 0);
55
+ __decorate([
56
+ (0, class_transformer_1.Expose)(),
57
+ (0, class_validator_1.IsOptional)(),
58
+ (0, class_validator_1.IsObject)(),
59
+ __metadata("design:type", Object)
60
+ ], SelfRegisterCompleteRequest.prototype, "customFields", void 0);
@@ -0,0 +1,18 @@
1
+ import { PermissionScope } from '../enums/PermissionScope';
2
+ /**
3
+ * Body del POST /self-register/start (público, anónimo). DEC-RBAC-030/031.
4
+ * El `roleId`/`scope`/`scopeRef` los manda el front pero el server los valida contra la allowlist
5
+ * del tenant (`autoregister.allowedRoles`) — guarda anti-escalación. NO incluye campos obligatorios:
6
+ * se completan post-MFA (DEC-RBAC-034). El email se normaliza lowercase server-side.
7
+ */
8
+ export declare class SelfRegisterStartRequest {
9
+ tenantId: string;
10
+ email: string;
11
+ roleId: string;
12
+ scope: PermissionScope;
13
+ scopeRef: string;
14
+ }
15
+ /** Respuesta del start. `expiresAt` epoch ms del registro pendiente. Genérica también en los caminos de rechazo silencioso (anti-enumeración). */
16
+ export interface SelfRegisterStartResponse {
17
+ expiresAt: number;
18
+ }
@@ -0,0 +1,52 @@
1
+ "use strict";
2
+ var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
3
+ var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
4
+ if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
5
+ else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
6
+ return c > 3 && r && Object.defineProperty(target, key, r), r;
7
+ };
8
+ var __metadata = (this && this.__metadata) || function (k, v) {
9
+ if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
10
+ };
11
+ Object.defineProperty(exports, "__esModule", { value: true });
12
+ exports.SelfRegisterStartRequest = void 0;
13
+ const class_transformer_1 = require("class-transformer");
14
+ const class_validator_1 = require("class-validator");
15
+ const PermissionScope_1 = require("../enums/PermissionScope");
16
+ /**
17
+ * Body del POST /self-register/start (público, anónimo). DEC-RBAC-030/031.
18
+ * El `roleId`/`scope`/`scopeRef` los manda el front pero el server los valida contra la allowlist
19
+ * del tenant (`autoregister.allowedRoles`) — guarda anti-escalación. NO incluye campos obligatorios:
20
+ * se completan post-MFA (DEC-RBAC-034). El email se normaliza lowercase server-side.
21
+ */
22
+ class SelfRegisterStartRequest {
23
+ }
24
+ exports.SelfRegisterStartRequest = SelfRegisterStartRequest;
25
+ __decorate([
26
+ (0, class_transformer_1.Expose)(),
27
+ (0, class_validator_1.IsString)(),
28
+ (0, class_validator_1.IsNotEmpty)(),
29
+ __metadata("design:type", String)
30
+ ], SelfRegisterStartRequest.prototype, "tenantId", void 0);
31
+ __decorate([
32
+ (0, class_transformer_1.Expose)(),
33
+ (0, class_validator_1.IsEmail)(),
34
+ __metadata("design:type", String)
35
+ ], SelfRegisterStartRequest.prototype, "email", void 0);
36
+ __decorate([
37
+ (0, class_transformer_1.Expose)(),
38
+ (0, class_validator_1.IsString)(),
39
+ (0, class_validator_1.IsNotEmpty)(),
40
+ __metadata("design:type", String)
41
+ ], SelfRegisterStartRequest.prototype, "roleId", void 0);
42
+ __decorate([
43
+ (0, class_transformer_1.Expose)(),
44
+ (0, class_validator_1.IsEnum)(PermissionScope_1.PermissionScope),
45
+ __metadata("design:type", String)
46
+ ], SelfRegisterStartRequest.prototype, "scope", void 0);
47
+ __decorate([
48
+ (0, class_transformer_1.Expose)(),
49
+ (0, class_validator_1.IsString)(),
50
+ (0, class_validator_1.IsNotEmpty)(),
51
+ __metadata("design:type", String)
52
+ ], SelfRegisterStartRequest.prototype, "scopeRef", void 0);
@@ -0,0 +1,14 @@
1
+ /**
2
+ * Body del POST /self-register/verify-otp (público, anónimo). DEC-RBAC-032.
3
+ * El OTP lo verifica `fiado-messages-lambda` (one-shot). En éxito el server devuelve un
4
+ * `completionToken` one-time que `complete` debe presentar.
5
+ */
6
+ export declare class SelfRegisterVerifyOtpRequest {
7
+ tenantId: string;
8
+ email: string;
9
+ otp: string;
10
+ }
11
+ /** Respuesta del verify-otp. `completionToken` one-time para el paso `complete`. */
12
+ export interface SelfRegisterVerifyOtpResponse {
13
+ completionToken: string;
14
+ }
@@ -0,0 +1,39 @@
1
+ "use strict";
2
+ var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
3
+ var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
4
+ if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
5
+ else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
6
+ return c > 3 && r && Object.defineProperty(target, key, r), r;
7
+ };
8
+ var __metadata = (this && this.__metadata) || function (k, v) {
9
+ if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
10
+ };
11
+ Object.defineProperty(exports, "__esModule", { value: true });
12
+ exports.SelfRegisterVerifyOtpRequest = void 0;
13
+ const class_transformer_1 = require("class-transformer");
14
+ const class_validator_1 = require("class-validator");
15
+ /**
16
+ * Body del POST /self-register/verify-otp (público, anónimo). DEC-RBAC-032.
17
+ * El OTP lo verifica `fiado-messages-lambda` (one-shot). En éxito el server devuelve un
18
+ * `completionToken` one-time que `complete` debe presentar.
19
+ */
20
+ class SelfRegisterVerifyOtpRequest {
21
+ }
22
+ exports.SelfRegisterVerifyOtpRequest = SelfRegisterVerifyOtpRequest;
23
+ __decorate([
24
+ (0, class_transformer_1.Expose)(),
25
+ (0, class_validator_1.IsString)(),
26
+ (0, class_validator_1.IsNotEmpty)(),
27
+ __metadata("design:type", String)
28
+ ], SelfRegisterVerifyOtpRequest.prototype, "tenantId", void 0);
29
+ __decorate([
30
+ (0, class_transformer_1.Expose)(),
31
+ (0, class_validator_1.IsEmail)(),
32
+ __metadata("design:type", String)
33
+ ], SelfRegisterVerifyOtpRequest.prototype, "email", void 0);
34
+ __decorate([
35
+ (0, class_transformer_1.Expose)(),
36
+ (0, class_validator_1.IsString)(),
37
+ (0, class_validator_1.IsNotEmpty)(),
38
+ __metadata("design:type", String)
39
+ ], SelfRegisterVerifyOtpRequest.prototype, "otp", void 0);
@@ -53,6 +53,7 @@ export declare enum Permission {
53
53
  PLATFORM_ROLE_DELETE = "platform.role.delete",
54
54
  PLATFORM_AUDIT_VIEW = "platform.audit.view",
55
55
  PLATFORM_TENANT_USERFIELDS_MANAGE = "platform.tenant.userfields.manage",
56
+ PLATFORM_APPLICATION_MANAGE = "platform.application.manage",
56
57
  TENANT_USER_CREATE = "tenant.user.create",
57
58
  TENANT_USER_CREATE_LATERAL = "tenant.user.create.lateral",
58
59
  TENANT_USER_READ = "tenant.user.read",
@@ -68,6 +68,8 @@ var Permission;
68
68
  Permission["PLATFORM_ROLE_DELETE"] = "platform.role.delete";
69
69
  Permission["PLATFORM_AUDIT_VIEW"] = "platform.audit.view";
70
70
  Permission["PLATFORM_TENANT_USERFIELDS_MANAGE"] = "platform.tenant.userfields.manage";
71
+ // DEC-RBAC-036: gestión de aplicaciones (plantillas) — reemplaza el reuso de rbac.catalog.manage en /applications.
72
+ Permission["PLATFORM_APPLICATION_MANAGE"] = "platform.application.manage";
71
73
  // ====================================================
72
74
  // TENANT — operaciones dentro del silo de un tenant
73
75
  // ====================================================
@@ -339,6 +341,9 @@ exports.PERMISSION_BIT_ORDER = [
339
341
  // Append-only 2026-06-19: lateral platform (platform_super_admin asigna roles scope PLATFORM).
340
342
  // Al FINAL para no correr bits existentes (PERMS_VERSION cambia, índices previos se conservan).
341
343
  Permission.PLATFORM_USER_CREATE_LATERAL,
344
+ // Append-only 2026-06-24 (DEC-RBAC-036): gate dedicada de gestión de aplicaciones (plantillas).
345
+ // Al FINAL para no correr bits existentes (PERMS_VERSION cambia, índices previos se conservan).
346
+ Permission.PLATFORM_APPLICATION_MANAGE,
342
347
  ];
343
348
  function djb2(input) {
344
349
  let h = 5381;
@@ -39,3 +39,7 @@ export * from './enums/PermissionKind';
39
39
  export type { LevelDef, ApplicationSecurityPolicyDefault, ApplicationBrandingDefault, ApplicationDefaults, SeedRole, Application, } from './application/Application';
40
40
  export type { ApplicationPermission } from './application/ApplicationPermission';
41
41
  export type { CreateApplicationRequest, UpdateApplicationRequest, UpsertApplicationPermissionRequest, } from './application/requests';
42
+ export * from './dtos/SelfRegisterStartRequest';
43
+ export * from './dtos/SelfRegisterVerifyOtpRequest';
44
+ export * from './dtos/SelfRegisterCompleteRequest';
45
+ export * from './dtos/CompleteMyProfileRequest';
@@ -86,3 +86,10 @@ __exportStar(require("./dtos/UpdateUserFieldRequest"), exports);
86
86
  // los requests son interfaces plain (sin decoradores class-validator) → type-only.
87
87
  __exportStar(require("./enums/ApplicationStatus"), exports);
88
88
  __exportStar(require("./enums/PermissionKind"), exports);
89
+ // Autoregistro self-service por tenant (DEC-RBAC-030..034). Los Request llevan decoradores
90
+ // class-validator (export de valor — se hidratan con plainToInstance); los Response son interfaces
91
+ // plain (type-only). Consumidos por los endpoints públicos de platform-rbac-business + el gate de perfil.
92
+ __exportStar(require("./dtos/SelfRegisterStartRequest"), exports);
93
+ __exportStar(require("./dtos/SelfRegisterVerifyOtpRequest"), exports);
94
+ __exportStar(require("./dtos/SelfRegisterCompleteRequest"), exports);
95
+ __exportStar(require("./dtos/CompleteMyProfileRequest"), exports);
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@fiado/type-kit",
3
- "version": "3.111.0",
3
+ "version": "3.113.0",
4
4
  "description": "",
5
5
  "main": "bin/index.js",
6
6
  "types": "bin/index.d.ts",
@@ -0,0 +1,12 @@
1
+ import { Expose } from 'class-transformer';
2
+ import { IsNotEmpty, IsObject, IsOptional, IsString } from 'class-validator';
3
+
4
+ /**
5
+ * Body del PUT /me/profile/complete (autenticado, gate post-MFA del autoregistro). DEC-RBAC-034.
6
+ * Opera sobre el propio usuario (cognitoSub del token). Valida nombre + los `userFieldDefs` requeridos
7
+ * del tenant (422 MISSING_REQUIRED_FIELDS si faltan) y flipea `profileComplete=true`.
8
+ */
9
+ export class CompleteMyProfileRequest {
10
+ @Expose() @IsString() @IsNotEmpty() displayName!: string;
11
+ @Expose() @IsOptional() @IsObject() customFields?: Record<string, string>;
12
+ }
@@ -22,4 +22,6 @@ export class CreateTenantRequest {
22
22
  @Expose() @IsOptional() @IsEnum(TokenValidationMode) tokenValidationMode?: TokenValidationMode;
23
23
  /** Tipo de tenant a crear. Si se omite, el onboarding aplica su default (hoy: retail). */
24
24
  @Expose() @IsOptional() @IsEnum(TenantType) tenantType?: TenantType;
25
+ /** DEC-RBAC-034: aplicación (plantilla) de la que se crea el tenant; opcional, fallback a tenantType (back-compat). */
26
+ @Expose() @IsOptional() @IsString() applicationId?: string;
25
27
  }
@@ -0,0 +1,25 @@
1
+ import { Expose } from 'class-transformer';
2
+ import { IsEmail, IsNotEmpty, IsObject, IsOptional, IsString, MinLength } from 'class-validator';
3
+
4
+ /**
5
+ * Body del POST /self-register/complete (público, anónimo). DEC-RBAC-033.
6
+ * Consume el `completionToken` del verify-otp (validación condicional atómica server-side, anti
7
+ * doble-complete). La password la elige el usuario y nace permanente (usuario ACTIVE). `displayName`
8
+ * y `customFields` son opcionales (point 6): si llegan completos, `profileComplete=true` y se saltea
9
+ * el gate post-MFA; si no, el usuario nace `profileComplete=false` con displayName placeholder.
10
+ * La password NUNCA se persiste: viaja solo acá, directo a Cognito.
11
+ */
12
+ export class SelfRegisterCompleteRequest {
13
+ @Expose() @IsString() @IsNotEmpty() tenantId!: string;
14
+ @Expose() @IsEmail() email!: string;
15
+ @Expose() @IsString() @IsNotEmpty() completionToken!: string;
16
+ @Expose() @IsString() @MinLength(8) password!: string;
17
+ @Expose() @IsOptional() @IsString() displayName?: string;
18
+ @Expose() @IsOptional() @IsObject() customFields?: Record<string, string>;
19
+ }
20
+
21
+ /** Respuesta del complete. El usuario nace ACTIVE; `profileComplete` indica si falta completar perfil. */
22
+ export interface SelfRegisterCompleteResponse {
23
+ cognitoSub: string;
24
+ profileComplete: boolean;
25
+ }
@@ -0,0 +1,22 @@
1
+ import { Expose } from 'class-transformer';
2
+ import { IsEmail, IsEnum, IsNotEmpty, IsString } from 'class-validator';
3
+ import { PermissionScope } from '../enums/PermissionScope';
4
+
5
+ /**
6
+ * Body del POST /self-register/start (público, anónimo). DEC-RBAC-030/031.
7
+ * El `roleId`/`scope`/`scopeRef` los manda el front pero el server los valida contra la allowlist
8
+ * del tenant (`autoregister.allowedRoles`) — guarda anti-escalación. NO incluye campos obligatorios:
9
+ * se completan post-MFA (DEC-RBAC-034). El email se normaliza lowercase server-side.
10
+ */
11
+ export class SelfRegisterStartRequest {
12
+ @Expose() @IsString() @IsNotEmpty() tenantId!: string;
13
+ @Expose() @IsEmail() email!: string;
14
+ @Expose() @IsString() @IsNotEmpty() roleId!: string;
15
+ @Expose() @IsEnum(PermissionScope) scope!: PermissionScope;
16
+ @Expose() @IsString() @IsNotEmpty() scopeRef!: string;
17
+ }
18
+
19
+ /** Respuesta del start. `expiresAt` epoch ms del registro pendiente. Genérica también en los caminos de rechazo silencioso (anti-enumeración). */
20
+ export interface SelfRegisterStartResponse {
21
+ expiresAt: number;
22
+ }
@@ -0,0 +1,18 @@
1
+ import { Expose } from 'class-transformer';
2
+ import { IsEmail, IsNotEmpty, IsString } from 'class-validator';
3
+
4
+ /**
5
+ * Body del POST /self-register/verify-otp (público, anónimo). DEC-RBAC-032.
6
+ * El OTP lo verifica `fiado-messages-lambda` (one-shot). En éxito el server devuelve un
7
+ * `completionToken` one-time que `complete` debe presentar.
8
+ */
9
+ export class SelfRegisterVerifyOtpRequest {
10
+ @Expose() @IsString() @IsNotEmpty() tenantId!: string;
11
+ @Expose() @IsEmail() email!: string;
12
+ @Expose() @IsString() @IsNotEmpty() otp!: string;
13
+ }
14
+
15
+ /** Respuesta del verify-otp. `completionToken` one-time para el paso `complete`. */
16
+ export interface SelfRegisterVerifyOtpResponse {
17
+ completionToken: string;
18
+ }
@@ -63,6 +63,8 @@ export enum Permission {
63
63
  PLATFORM_ROLE_DELETE = 'platform.role.delete',
64
64
  PLATFORM_AUDIT_VIEW = 'platform.audit.view',
65
65
  PLATFORM_TENANT_USERFIELDS_MANAGE = 'platform.tenant.userfields.manage',
66
+ // DEC-RBAC-036: gestión de aplicaciones (plantillas) — reemplaza el reuso de rbac.catalog.manage en /applications.
67
+ PLATFORM_APPLICATION_MANAGE = 'platform.application.manage',
66
68
 
67
69
  // ====================================================
68
70
  // TENANT — operaciones dentro del silo de un tenant
@@ -341,6 +343,9 @@ export const PERMISSION_BIT_ORDER: readonly Permission[] = [
341
343
  // Append-only 2026-06-19: lateral platform (platform_super_admin asigna roles scope PLATFORM).
342
344
  // Al FINAL para no correr bits existentes (PERMS_VERSION cambia, índices previos se conservan).
343
345
  Permission.PLATFORM_USER_CREATE_LATERAL,
346
+ // Append-only 2026-06-24 (DEC-RBAC-036): gate dedicada de gestión de aplicaciones (plantillas).
347
+ // Al FINAL para no correr bits existentes (PERMS_VERSION cambia, índices previos se conservan).
348
+ Permission.PLATFORM_APPLICATION_MANAGE,
344
349
  ] as const;
345
350
 
346
351
  function djb2(input: string): number {
@@ -93,3 +93,11 @@ export type {
93
93
  UpdateApplicationRequest,
94
94
  UpsertApplicationPermissionRequest,
95
95
  } from './application/requests';
96
+
97
+ // Autoregistro self-service por tenant (DEC-RBAC-030..034). Los Request llevan decoradores
98
+ // class-validator (export de valor — se hidratan con plainToInstance); los Response son interfaces
99
+ // plain (type-only). Consumidos por los endpoints públicos de platform-rbac-business + el gate de perfil.
100
+ export * from './dtos/SelfRegisterStartRequest';
101
+ export * from './dtos/SelfRegisterVerifyOtpRequest';
102
+ export * from './dtos/SelfRegisterCompleteRequest';
103
+ export * from './dtos/CompleteMyProfileRequest';