@fiado/type-kit 3.112.0 → 3.113.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -0,0 +1,9 @@
1
+ /**
2
+ * Body del PUT /me/profile/complete (autenticado, gate post-MFA del autoregistro). DEC-RBAC-034.
3
+ * Opera sobre el propio usuario (cognitoSub del token). Valida nombre + los `userFieldDefs` requeridos
4
+ * del tenant (422 MISSING_REQUIRED_FIELDS si faltan) y flipea `profileComplete=true`.
5
+ */
6
+ export declare class CompleteMyProfileRequest {
7
+ displayName: string;
8
+ customFields?: Record<string, string>;
9
+ }
@@ -0,0 +1,34 @@
1
+ "use strict";
2
+ var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
3
+ var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
4
+ if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
5
+ else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
6
+ return c > 3 && r && Object.defineProperty(target, key, r), r;
7
+ };
8
+ var __metadata = (this && this.__metadata) || function (k, v) {
9
+ if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
10
+ };
11
+ Object.defineProperty(exports, "__esModule", { value: true });
12
+ exports.CompleteMyProfileRequest = void 0;
13
+ const class_transformer_1 = require("class-transformer");
14
+ const class_validator_1 = require("class-validator");
15
+ /**
16
+ * Body del PUT /me/profile/complete (autenticado, gate post-MFA del autoregistro). DEC-RBAC-034.
17
+ * Opera sobre el propio usuario (cognitoSub del token). Valida nombre + los `userFieldDefs` requeridos
18
+ * del tenant (422 MISSING_REQUIRED_FIELDS si faltan) y flipea `profileComplete=true`.
19
+ */
20
+ class CompleteMyProfileRequest {
21
+ }
22
+ exports.CompleteMyProfileRequest = CompleteMyProfileRequest;
23
+ __decorate([
24
+ (0, class_transformer_1.Expose)(),
25
+ (0, class_validator_1.IsString)(),
26
+ (0, class_validator_1.IsNotEmpty)(),
27
+ __metadata("design:type", String)
28
+ ], CompleteMyProfileRequest.prototype, "displayName", void 0);
29
+ __decorate([
30
+ (0, class_transformer_1.Expose)(),
31
+ (0, class_validator_1.IsOptional)(),
32
+ (0, class_validator_1.IsObject)(),
33
+ __metadata("design:type", Object)
34
+ ], CompleteMyProfileRequest.prototype, "customFields", void 0);
@@ -0,0 +1,21 @@
1
+ /**
2
+ * Body del POST /self-register/complete (público, anónimo). DEC-RBAC-033.
3
+ * Consume el `completionToken` del verify-otp (validación condicional atómica server-side, anti
4
+ * doble-complete). La password la elige el usuario y nace permanente (usuario ACTIVE). `displayName`
5
+ * y `customFields` son opcionales (point 6): si llegan completos, `profileComplete=true` y se saltea
6
+ * el gate post-MFA; si no, el usuario nace `profileComplete=false` con displayName placeholder.
7
+ * La password NUNCA se persiste: viaja solo acá, directo a Cognito.
8
+ */
9
+ export declare class SelfRegisterCompleteRequest {
10
+ tenantId: string;
11
+ email: string;
12
+ completionToken: string;
13
+ password: string;
14
+ displayName?: string;
15
+ customFields?: Record<string, string>;
16
+ }
17
+ /** Respuesta del complete. El usuario nace ACTIVE; `profileComplete` indica si falta completar perfil. */
18
+ export interface SelfRegisterCompleteResponse {
19
+ cognitoSub: string;
20
+ profileComplete: boolean;
21
+ }
@@ -0,0 +1,60 @@
1
+ "use strict";
2
+ var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
3
+ var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
4
+ if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
5
+ else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
6
+ return c > 3 && r && Object.defineProperty(target, key, r), r;
7
+ };
8
+ var __metadata = (this && this.__metadata) || function (k, v) {
9
+ if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
10
+ };
11
+ Object.defineProperty(exports, "__esModule", { value: true });
12
+ exports.SelfRegisterCompleteRequest = void 0;
13
+ const class_transformer_1 = require("class-transformer");
14
+ const class_validator_1 = require("class-validator");
15
+ /**
16
+ * Body del POST /self-register/complete (público, anónimo). DEC-RBAC-033.
17
+ * Consume el `completionToken` del verify-otp (validación condicional atómica server-side, anti
18
+ * doble-complete). La password la elige el usuario y nace permanente (usuario ACTIVE). `displayName`
19
+ * y `customFields` son opcionales (point 6): si llegan completos, `profileComplete=true` y se saltea
20
+ * el gate post-MFA; si no, el usuario nace `profileComplete=false` con displayName placeholder.
21
+ * La password NUNCA se persiste: viaja solo acá, directo a Cognito.
22
+ */
23
+ class SelfRegisterCompleteRequest {
24
+ }
25
+ exports.SelfRegisterCompleteRequest = SelfRegisterCompleteRequest;
26
+ __decorate([
27
+ (0, class_transformer_1.Expose)(),
28
+ (0, class_validator_1.IsString)(),
29
+ (0, class_validator_1.IsNotEmpty)(),
30
+ __metadata("design:type", String)
31
+ ], SelfRegisterCompleteRequest.prototype, "tenantId", void 0);
32
+ __decorate([
33
+ (0, class_transformer_1.Expose)(),
34
+ (0, class_validator_1.IsEmail)(),
35
+ __metadata("design:type", String)
36
+ ], SelfRegisterCompleteRequest.prototype, "email", void 0);
37
+ __decorate([
38
+ (0, class_transformer_1.Expose)(),
39
+ (0, class_validator_1.IsString)(),
40
+ (0, class_validator_1.IsNotEmpty)(),
41
+ __metadata("design:type", String)
42
+ ], SelfRegisterCompleteRequest.prototype, "completionToken", void 0);
43
+ __decorate([
44
+ (0, class_transformer_1.Expose)(),
45
+ (0, class_validator_1.IsString)(),
46
+ (0, class_validator_1.MinLength)(8),
47
+ __metadata("design:type", String)
48
+ ], SelfRegisterCompleteRequest.prototype, "password", void 0);
49
+ __decorate([
50
+ (0, class_transformer_1.Expose)(),
51
+ (0, class_validator_1.IsOptional)(),
52
+ (0, class_validator_1.IsString)(),
53
+ __metadata("design:type", String)
54
+ ], SelfRegisterCompleteRequest.prototype, "displayName", void 0);
55
+ __decorate([
56
+ (0, class_transformer_1.Expose)(),
57
+ (0, class_validator_1.IsOptional)(),
58
+ (0, class_validator_1.IsObject)(),
59
+ __metadata("design:type", Object)
60
+ ], SelfRegisterCompleteRequest.prototype, "customFields", void 0);
@@ -0,0 +1,18 @@
1
+ import { PermissionScope } from '../enums/PermissionScope';
2
+ /**
3
+ * Body del POST /self-register/start (público, anónimo). DEC-RBAC-030/031.
4
+ * El `roleId`/`scope`/`scopeRef` los manda el front pero el server los valida contra la allowlist
5
+ * del tenant (`autoregister.allowedRoles`) — guarda anti-escalación. NO incluye campos obligatorios:
6
+ * se completan post-MFA (DEC-RBAC-034). El email se normaliza lowercase server-side.
7
+ */
8
+ export declare class SelfRegisterStartRequest {
9
+ tenantId: string;
10
+ email: string;
11
+ roleId: string;
12
+ scope: PermissionScope;
13
+ scopeRef: string;
14
+ }
15
+ /** Respuesta del start. `expiresAt` epoch ms del registro pendiente. Genérica también en los caminos de rechazo silencioso (anti-enumeración). */
16
+ export interface SelfRegisterStartResponse {
17
+ expiresAt: number;
18
+ }
@@ -0,0 +1,52 @@
1
+ "use strict";
2
+ var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
3
+ var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
4
+ if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
5
+ else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
6
+ return c > 3 && r && Object.defineProperty(target, key, r), r;
7
+ };
8
+ var __metadata = (this && this.__metadata) || function (k, v) {
9
+ if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
10
+ };
11
+ Object.defineProperty(exports, "__esModule", { value: true });
12
+ exports.SelfRegisterStartRequest = void 0;
13
+ const class_transformer_1 = require("class-transformer");
14
+ const class_validator_1 = require("class-validator");
15
+ const PermissionScope_1 = require("../enums/PermissionScope");
16
+ /**
17
+ * Body del POST /self-register/start (público, anónimo). DEC-RBAC-030/031.
18
+ * El `roleId`/`scope`/`scopeRef` los manda el front pero el server los valida contra la allowlist
19
+ * del tenant (`autoregister.allowedRoles`) — guarda anti-escalación. NO incluye campos obligatorios:
20
+ * se completan post-MFA (DEC-RBAC-034). El email se normaliza lowercase server-side.
21
+ */
22
+ class SelfRegisterStartRequest {
23
+ }
24
+ exports.SelfRegisterStartRequest = SelfRegisterStartRequest;
25
+ __decorate([
26
+ (0, class_transformer_1.Expose)(),
27
+ (0, class_validator_1.IsString)(),
28
+ (0, class_validator_1.IsNotEmpty)(),
29
+ __metadata("design:type", String)
30
+ ], SelfRegisterStartRequest.prototype, "tenantId", void 0);
31
+ __decorate([
32
+ (0, class_transformer_1.Expose)(),
33
+ (0, class_validator_1.IsEmail)(),
34
+ __metadata("design:type", String)
35
+ ], SelfRegisterStartRequest.prototype, "email", void 0);
36
+ __decorate([
37
+ (0, class_transformer_1.Expose)(),
38
+ (0, class_validator_1.IsString)(),
39
+ (0, class_validator_1.IsNotEmpty)(),
40
+ __metadata("design:type", String)
41
+ ], SelfRegisterStartRequest.prototype, "roleId", void 0);
42
+ __decorate([
43
+ (0, class_transformer_1.Expose)(),
44
+ (0, class_validator_1.IsEnum)(PermissionScope_1.PermissionScope),
45
+ __metadata("design:type", String)
46
+ ], SelfRegisterStartRequest.prototype, "scope", void 0);
47
+ __decorate([
48
+ (0, class_transformer_1.Expose)(),
49
+ (0, class_validator_1.IsString)(),
50
+ (0, class_validator_1.IsNotEmpty)(),
51
+ __metadata("design:type", String)
52
+ ], SelfRegisterStartRequest.prototype, "scopeRef", void 0);
@@ -0,0 +1,14 @@
1
+ /**
2
+ * Body del POST /self-register/verify-otp (público, anónimo). DEC-RBAC-032.
3
+ * El OTP lo verifica `fiado-messages-lambda` (one-shot). En éxito el server devuelve un
4
+ * `completionToken` one-time que `complete` debe presentar.
5
+ */
6
+ export declare class SelfRegisterVerifyOtpRequest {
7
+ tenantId: string;
8
+ email: string;
9
+ otp: string;
10
+ }
11
+ /** Respuesta del verify-otp. `completionToken` one-time para el paso `complete`. */
12
+ export interface SelfRegisterVerifyOtpResponse {
13
+ completionToken: string;
14
+ }
@@ -0,0 +1,39 @@
1
+ "use strict";
2
+ var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
3
+ var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
4
+ if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
5
+ else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
6
+ return c > 3 && r && Object.defineProperty(target, key, r), r;
7
+ };
8
+ var __metadata = (this && this.__metadata) || function (k, v) {
9
+ if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
10
+ };
11
+ Object.defineProperty(exports, "__esModule", { value: true });
12
+ exports.SelfRegisterVerifyOtpRequest = void 0;
13
+ const class_transformer_1 = require("class-transformer");
14
+ const class_validator_1 = require("class-validator");
15
+ /**
16
+ * Body del POST /self-register/verify-otp (público, anónimo). DEC-RBAC-032.
17
+ * El OTP lo verifica `fiado-messages-lambda` (one-shot). En éxito el server devuelve un
18
+ * `completionToken` one-time que `complete` debe presentar.
19
+ */
20
+ class SelfRegisterVerifyOtpRequest {
21
+ }
22
+ exports.SelfRegisterVerifyOtpRequest = SelfRegisterVerifyOtpRequest;
23
+ __decorate([
24
+ (0, class_transformer_1.Expose)(),
25
+ (0, class_validator_1.IsString)(),
26
+ (0, class_validator_1.IsNotEmpty)(),
27
+ __metadata("design:type", String)
28
+ ], SelfRegisterVerifyOtpRequest.prototype, "tenantId", void 0);
29
+ __decorate([
30
+ (0, class_transformer_1.Expose)(),
31
+ (0, class_validator_1.IsEmail)(),
32
+ __metadata("design:type", String)
33
+ ], SelfRegisterVerifyOtpRequest.prototype, "email", void 0);
34
+ __decorate([
35
+ (0, class_transformer_1.Expose)(),
36
+ (0, class_validator_1.IsString)(),
37
+ (0, class_validator_1.IsNotEmpty)(),
38
+ __metadata("design:type", String)
39
+ ], SelfRegisterVerifyOtpRequest.prototype, "otp", void 0);
@@ -39,3 +39,7 @@ export * from './enums/PermissionKind';
39
39
  export type { LevelDef, ApplicationSecurityPolicyDefault, ApplicationBrandingDefault, ApplicationDefaults, SeedRole, Application, } from './application/Application';
40
40
  export type { ApplicationPermission } from './application/ApplicationPermission';
41
41
  export type { CreateApplicationRequest, UpdateApplicationRequest, UpsertApplicationPermissionRequest, } from './application/requests';
42
+ export * from './dtos/SelfRegisterStartRequest';
43
+ export * from './dtos/SelfRegisterVerifyOtpRequest';
44
+ export * from './dtos/SelfRegisterCompleteRequest';
45
+ export * from './dtos/CompleteMyProfileRequest';
@@ -86,3 +86,10 @@ __exportStar(require("./dtos/UpdateUserFieldRequest"), exports);
86
86
  // los requests son interfaces plain (sin decoradores class-validator) → type-only.
87
87
  __exportStar(require("./enums/ApplicationStatus"), exports);
88
88
  __exportStar(require("./enums/PermissionKind"), exports);
89
+ // Autoregistro self-service por tenant (DEC-RBAC-030..034). Los Request llevan decoradores
90
+ // class-validator (export de valor — se hidratan con plainToInstance); los Response son interfaces
91
+ // plain (type-only). Consumidos por los endpoints públicos de platform-rbac-business + el gate de perfil.
92
+ __exportStar(require("./dtos/SelfRegisterStartRequest"), exports);
93
+ __exportStar(require("./dtos/SelfRegisterVerifyOtpRequest"), exports);
94
+ __exportStar(require("./dtos/SelfRegisterCompleteRequest"), exports);
95
+ __exportStar(require("./dtos/CompleteMyProfileRequest"), exports);
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@fiado/type-kit",
3
- "version": "3.112.0",
3
+ "version": "3.113.0",
4
4
  "description": "",
5
5
  "main": "bin/index.js",
6
6
  "types": "bin/index.d.ts",
@@ -0,0 +1,12 @@
1
+ import { Expose } from 'class-transformer';
2
+ import { IsNotEmpty, IsObject, IsOptional, IsString } from 'class-validator';
3
+
4
+ /**
5
+ * Body del PUT /me/profile/complete (autenticado, gate post-MFA del autoregistro). DEC-RBAC-034.
6
+ * Opera sobre el propio usuario (cognitoSub del token). Valida nombre + los `userFieldDefs` requeridos
7
+ * del tenant (422 MISSING_REQUIRED_FIELDS si faltan) y flipea `profileComplete=true`.
8
+ */
9
+ export class CompleteMyProfileRequest {
10
+ @Expose() @IsString() @IsNotEmpty() displayName!: string;
11
+ @Expose() @IsOptional() @IsObject() customFields?: Record<string, string>;
12
+ }
@@ -0,0 +1,25 @@
1
+ import { Expose } from 'class-transformer';
2
+ import { IsEmail, IsNotEmpty, IsObject, IsOptional, IsString, MinLength } from 'class-validator';
3
+
4
+ /**
5
+ * Body del POST /self-register/complete (público, anónimo). DEC-RBAC-033.
6
+ * Consume el `completionToken` del verify-otp (validación condicional atómica server-side, anti
7
+ * doble-complete). La password la elige el usuario y nace permanente (usuario ACTIVE). `displayName`
8
+ * y `customFields` son opcionales (point 6): si llegan completos, `profileComplete=true` y se saltea
9
+ * el gate post-MFA; si no, el usuario nace `profileComplete=false` con displayName placeholder.
10
+ * La password NUNCA se persiste: viaja solo acá, directo a Cognito.
11
+ */
12
+ export class SelfRegisterCompleteRequest {
13
+ @Expose() @IsString() @IsNotEmpty() tenantId!: string;
14
+ @Expose() @IsEmail() email!: string;
15
+ @Expose() @IsString() @IsNotEmpty() completionToken!: string;
16
+ @Expose() @IsString() @MinLength(8) password!: string;
17
+ @Expose() @IsOptional() @IsString() displayName?: string;
18
+ @Expose() @IsOptional() @IsObject() customFields?: Record<string, string>;
19
+ }
20
+
21
+ /** Respuesta del complete. El usuario nace ACTIVE; `profileComplete` indica si falta completar perfil. */
22
+ export interface SelfRegisterCompleteResponse {
23
+ cognitoSub: string;
24
+ profileComplete: boolean;
25
+ }
@@ -0,0 +1,22 @@
1
+ import { Expose } from 'class-transformer';
2
+ import { IsEmail, IsEnum, IsNotEmpty, IsString } from 'class-validator';
3
+ import { PermissionScope } from '../enums/PermissionScope';
4
+
5
+ /**
6
+ * Body del POST /self-register/start (público, anónimo). DEC-RBAC-030/031.
7
+ * El `roleId`/`scope`/`scopeRef` los manda el front pero el server los valida contra la allowlist
8
+ * del tenant (`autoregister.allowedRoles`) — guarda anti-escalación. NO incluye campos obligatorios:
9
+ * se completan post-MFA (DEC-RBAC-034). El email se normaliza lowercase server-side.
10
+ */
11
+ export class SelfRegisterStartRequest {
12
+ @Expose() @IsString() @IsNotEmpty() tenantId!: string;
13
+ @Expose() @IsEmail() email!: string;
14
+ @Expose() @IsString() @IsNotEmpty() roleId!: string;
15
+ @Expose() @IsEnum(PermissionScope) scope!: PermissionScope;
16
+ @Expose() @IsString() @IsNotEmpty() scopeRef!: string;
17
+ }
18
+
19
+ /** Respuesta del start. `expiresAt` epoch ms del registro pendiente. Genérica también en los caminos de rechazo silencioso (anti-enumeración). */
20
+ export interface SelfRegisterStartResponse {
21
+ expiresAt: number;
22
+ }
@@ -0,0 +1,18 @@
1
+ import { Expose } from 'class-transformer';
2
+ import { IsEmail, IsNotEmpty, IsString } from 'class-validator';
3
+
4
+ /**
5
+ * Body del POST /self-register/verify-otp (público, anónimo). DEC-RBAC-032.
6
+ * El OTP lo verifica `fiado-messages-lambda` (one-shot). En éxito el server devuelve un
7
+ * `completionToken` one-time que `complete` debe presentar.
8
+ */
9
+ export class SelfRegisterVerifyOtpRequest {
10
+ @Expose() @IsString() @IsNotEmpty() tenantId!: string;
11
+ @Expose() @IsEmail() email!: string;
12
+ @Expose() @IsString() @IsNotEmpty() otp!: string;
13
+ }
14
+
15
+ /** Respuesta del verify-otp. `completionToken` one-time para el paso `complete`. */
16
+ export interface SelfRegisterVerifyOtpResponse {
17
+ completionToken: string;
18
+ }
@@ -93,3 +93,11 @@ export type {
93
93
  UpdateApplicationRequest,
94
94
  UpsertApplicationPermissionRequest,
95
95
  } from './application/requests';
96
+
97
+ // Autoregistro self-service por tenant (DEC-RBAC-030..034). Los Request llevan decoradores
98
+ // class-validator (export de valor — se hidratan con plainToInstance); los Response son interfaces
99
+ // plain (type-only). Consumidos por los endpoints públicos de platform-rbac-business + el gate de perfil.
100
+ export * from './dtos/SelfRegisterStartRequest';
101
+ export * from './dtos/SelfRegisterVerifyOtpRequest';
102
+ export * from './dtos/SelfRegisterCompleteRequest';
103
+ export * from './dtos/CompleteMyProfileRequest';