@fiado/type-kit 3.112.0 → 3.114.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -1,6 +1,6 @@
1
1
  // Jest Snapshot v1, https://jestjs.io/docs/snapshot-testing
2
2
 
3
- exports[`PERMISSION_BIT_ORDER PERMS_VERSION es número estable 1`] = `488222087`;
3
+ exports[`PERMISSION_BIT_ORDER PERMS_VERSION es número estable 1`] = `643213674`;
4
4
 
5
5
  exports[`PERMISSION_BIT_ORDER append-only: snapshot del ORDEN COMPLETO (rompe ante cualquier reorden/inserción) 1`] = `
6
6
  [
@@ -124,5 +124,6 @@ exports[`PERMISSION_BIT_ORDER append-only: snapshot del ORDEN COMPLETO (rompe an
124
124
  "agents.app.access",
125
125
  "platform.user.create.lateral",
126
126
  "platform.application.manage",
127
+ "tenant.level.manage",
127
128
  ]
128
129
  `;
@@ -0,0 +1,9 @@
1
+ /**
2
+ * Body del PUT /me/profile/complete (autenticado, gate post-MFA del autoregistro). DEC-RBAC-034.
3
+ * Opera sobre el propio usuario (cognitoSub del token). Valida nombre + los `userFieldDefs` requeridos
4
+ * del tenant (422 MISSING_REQUIRED_FIELDS si faltan) y flipea `profileComplete=true`.
5
+ */
6
+ export declare class CompleteMyProfileRequest {
7
+ displayName: string;
8
+ customFields?: Record<string, string>;
9
+ }
@@ -0,0 +1,34 @@
1
+ "use strict";
2
+ var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
3
+ var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
4
+ if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
5
+ else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
6
+ return c > 3 && r && Object.defineProperty(target, key, r), r;
7
+ };
8
+ var __metadata = (this && this.__metadata) || function (k, v) {
9
+ if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
10
+ };
11
+ Object.defineProperty(exports, "__esModule", { value: true });
12
+ exports.CompleteMyProfileRequest = void 0;
13
+ const class_transformer_1 = require("class-transformer");
14
+ const class_validator_1 = require("class-validator");
15
+ /**
16
+ * Body del PUT /me/profile/complete (autenticado, gate post-MFA del autoregistro). DEC-RBAC-034.
17
+ * Opera sobre el propio usuario (cognitoSub del token). Valida nombre + los `userFieldDefs` requeridos
18
+ * del tenant (422 MISSING_REQUIRED_FIELDS si faltan) y flipea `profileComplete=true`.
19
+ */
20
+ class CompleteMyProfileRequest {
21
+ }
22
+ exports.CompleteMyProfileRequest = CompleteMyProfileRequest;
23
+ __decorate([
24
+ (0, class_transformer_1.Expose)(),
25
+ (0, class_validator_1.IsString)(),
26
+ (0, class_validator_1.IsNotEmpty)(),
27
+ __metadata("design:type", String)
28
+ ], CompleteMyProfileRequest.prototype, "displayName", void 0);
29
+ __decorate([
30
+ (0, class_transformer_1.Expose)(),
31
+ (0, class_validator_1.IsOptional)(),
32
+ (0, class_validator_1.IsObject)(),
33
+ __metadata("design:type", Object)
34
+ ], CompleteMyProfileRequest.prototype, "customFields", void 0);
@@ -0,0 +1,21 @@
1
+ /**
2
+ * Body del POST /self-register/complete (público, anónimo). DEC-RBAC-033.
3
+ * Consume el `completionToken` del verify-otp (validación condicional atómica server-side, anti
4
+ * doble-complete). La password la elige el usuario y nace permanente (usuario ACTIVE). `displayName`
5
+ * y `customFields` son opcionales (point 6): si llegan completos, `profileComplete=true` y se saltea
6
+ * el gate post-MFA; si no, el usuario nace `profileComplete=false` con displayName placeholder.
7
+ * La password NUNCA se persiste: viaja solo acá, directo a Cognito.
8
+ */
9
+ export declare class SelfRegisterCompleteRequest {
10
+ tenantId: string;
11
+ email: string;
12
+ completionToken: string;
13
+ password: string;
14
+ displayName?: string;
15
+ customFields?: Record<string, string>;
16
+ }
17
+ /** Respuesta del complete. El usuario nace ACTIVE; `profileComplete` indica si falta completar perfil. */
18
+ export interface SelfRegisterCompleteResponse {
19
+ cognitoSub: string;
20
+ profileComplete: boolean;
21
+ }
@@ -0,0 +1,60 @@
1
+ "use strict";
2
+ var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
3
+ var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
4
+ if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
5
+ else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
6
+ return c > 3 && r && Object.defineProperty(target, key, r), r;
7
+ };
8
+ var __metadata = (this && this.__metadata) || function (k, v) {
9
+ if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
10
+ };
11
+ Object.defineProperty(exports, "__esModule", { value: true });
12
+ exports.SelfRegisterCompleteRequest = void 0;
13
+ const class_transformer_1 = require("class-transformer");
14
+ const class_validator_1 = require("class-validator");
15
+ /**
16
+ * Body del POST /self-register/complete (público, anónimo). DEC-RBAC-033.
17
+ * Consume el `completionToken` del verify-otp (validación condicional atómica server-side, anti
18
+ * doble-complete). La password la elige el usuario y nace permanente (usuario ACTIVE). `displayName`
19
+ * y `customFields` son opcionales (point 6): si llegan completos, `profileComplete=true` y se saltea
20
+ * el gate post-MFA; si no, el usuario nace `profileComplete=false` con displayName placeholder.
21
+ * La password NUNCA se persiste: viaja solo acá, directo a Cognito.
22
+ */
23
+ class SelfRegisterCompleteRequest {
24
+ }
25
+ exports.SelfRegisterCompleteRequest = SelfRegisterCompleteRequest;
26
+ __decorate([
27
+ (0, class_transformer_1.Expose)(),
28
+ (0, class_validator_1.IsString)(),
29
+ (0, class_validator_1.IsNotEmpty)(),
30
+ __metadata("design:type", String)
31
+ ], SelfRegisterCompleteRequest.prototype, "tenantId", void 0);
32
+ __decorate([
33
+ (0, class_transformer_1.Expose)(),
34
+ (0, class_validator_1.IsEmail)(),
35
+ __metadata("design:type", String)
36
+ ], SelfRegisterCompleteRequest.prototype, "email", void 0);
37
+ __decorate([
38
+ (0, class_transformer_1.Expose)(),
39
+ (0, class_validator_1.IsString)(),
40
+ (0, class_validator_1.IsNotEmpty)(),
41
+ __metadata("design:type", String)
42
+ ], SelfRegisterCompleteRequest.prototype, "completionToken", void 0);
43
+ __decorate([
44
+ (0, class_transformer_1.Expose)(),
45
+ (0, class_validator_1.IsString)(),
46
+ (0, class_validator_1.MinLength)(8),
47
+ __metadata("design:type", String)
48
+ ], SelfRegisterCompleteRequest.prototype, "password", void 0);
49
+ __decorate([
50
+ (0, class_transformer_1.Expose)(),
51
+ (0, class_validator_1.IsOptional)(),
52
+ (0, class_validator_1.IsString)(),
53
+ __metadata("design:type", String)
54
+ ], SelfRegisterCompleteRequest.prototype, "displayName", void 0);
55
+ __decorate([
56
+ (0, class_transformer_1.Expose)(),
57
+ (0, class_validator_1.IsOptional)(),
58
+ (0, class_validator_1.IsObject)(),
59
+ __metadata("design:type", Object)
60
+ ], SelfRegisterCompleteRequest.prototype, "customFields", void 0);
@@ -0,0 +1,18 @@
1
+ import { PermissionScope } from '../enums/PermissionScope';
2
+ /**
3
+ * Body del POST /self-register/start (público, anónimo). DEC-RBAC-030/031.
4
+ * El `roleId`/`scope`/`scopeRef` los manda el front pero el server los valida contra la allowlist
5
+ * del tenant (`autoregister.allowedRoles`) — guarda anti-escalación. NO incluye campos obligatorios:
6
+ * se completan post-MFA (DEC-RBAC-034). El email se normaliza lowercase server-side.
7
+ */
8
+ export declare class SelfRegisterStartRequest {
9
+ tenantId: string;
10
+ email: string;
11
+ roleId: string;
12
+ scope: PermissionScope;
13
+ scopeRef: string;
14
+ }
15
+ /** Respuesta del start. `expiresAt` epoch ms del registro pendiente. Genérica también en los caminos de rechazo silencioso (anti-enumeración). */
16
+ export interface SelfRegisterStartResponse {
17
+ expiresAt: number;
18
+ }
@@ -0,0 +1,52 @@
1
+ "use strict";
2
+ var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
3
+ var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
4
+ if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
5
+ else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
6
+ return c > 3 && r && Object.defineProperty(target, key, r), r;
7
+ };
8
+ var __metadata = (this && this.__metadata) || function (k, v) {
9
+ if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
10
+ };
11
+ Object.defineProperty(exports, "__esModule", { value: true });
12
+ exports.SelfRegisterStartRequest = void 0;
13
+ const class_transformer_1 = require("class-transformer");
14
+ const class_validator_1 = require("class-validator");
15
+ const PermissionScope_1 = require("../enums/PermissionScope");
16
+ /**
17
+ * Body del POST /self-register/start (público, anónimo). DEC-RBAC-030/031.
18
+ * El `roleId`/`scope`/`scopeRef` los manda el front pero el server los valida contra la allowlist
19
+ * del tenant (`autoregister.allowedRoles`) — guarda anti-escalación. NO incluye campos obligatorios:
20
+ * se completan post-MFA (DEC-RBAC-034). El email se normaliza lowercase server-side.
21
+ */
22
+ class SelfRegisterStartRequest {
23
+ }
24
+ exports.SelfRegisterStartRequest = SelfRegisterStartRequest;
25
+ __decorate([
26
+ (0, class_transformer_1.Expose)(),
27
+ (0, class_validator_1.IsString)(),
28
+ (0, class_validator_1.IsNotEmpty)(),
29
+ __metadata("design:type", String)
30
+ ], SelfRegisterStartRequest.prototype, "tenantId", void 0);
31
+ __decorate([
32
+ (0, class_transformer_1.Expose)(),
33
+ (0, class_validator_1.IsEmail)(),
34
+ __metadata("design:type", String)
35
+ ], SelfRegisterStartRequest.prototype, "email", void 0);
36
+ __decorate([
37
+ (0, class_transformer_1.Expose)(),
38
+ (0, class_validator_1.IsString)(),
39
+ (0, class_validator_1.IsNotEmpty)(),
40
+ __metadata("design:type", String)
41
+ ], SelfRegisterStartRequest.prototype, "roleId", void 0);
42
+ __decorate([
43
+ (0, class_transformer_1.Expose)(),
44
+ (0, class_validator_1.IsEnum)(PermissionScope_1.PermissionScope),
45
+ __metadata("design:type", String)
46
+ ], SelfRegisterStartRequest.prototype, "scope", void 0);
47
+ __decorate([
48
+ (0, class_transformer_1.Expose)(),
49
+ (0, class_validator_1.IsString)(),
50
+ (0, class_validator_1.IsNotEmpty)(),
51
+ __metadata("design:type", String)
52
+ ], SelfRegisterStartRequest.prototype, "scopeRef", void 0);
@@ -0,0 +1,14 @@
1
+ /**
2
+ * Body del POST /self-register/verify-otp (público, anónimo). DEC-RBAC-032.
3
+ * El OTP lo verifica `fiado-messages-lambda` (one-shot). En éxito el server devuelve un
4
+ * `completionToken` one-time que `complete` debe presentar.
5
+ */
6
+ export declare class SelfRegisterVerifyOtpRequest {
7
+ tenantId: string;
8
+ email: string;
9
+ otp: string;
10
+ }
11
+ /** Respuesta del verify-otp. `completionToken` one-time para el paso `complete`. */
12
+ export interface SelfRegisterVerifyOtpResponse {
13
+ completionToken: string;
14
+ }
@@ -0,0 +1,39 @@
1
+ "use strict";
2
+ var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
3
+ var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
4
+ if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
5
+ else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
6
+ return c > 3 && r && Object.defineProperty(target, key, r), r;
7
+ };
8
+ var __metadata = (this && this.__metadata) || function (k, v) {
9
+ if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
10
+ };
11
+ Object.defineProperty(exports, "__esModule", { value: true });
12
+ exports.SelfRegisterVerifyOtpRequest = void 0;
13
+ const class_transformer_1 = require("class-transformer");
14
+ const class_validator_1 = require("class-validator");
15
+ /**
16
+ * Body del POST /self-register/verify-otp (público, anónimo). DEC-RBAC-032.
17
+ * El OTP lo verifica `fiado-messages-lambda` (one-shot). En éxito el server devuelve un
18
+ * `completionToken` one-time que `complete` debe presentar.
19
+ */
20
+ class SelfRegisterVerifyOtpRequest {
21
+ }
22
+ exports.SelfRegisterVerifyOtpRequest = SelfRegisterVerifyOtpRequest;
23
+ __decorate([
24
+ (0, class_transformer_1.Expose)(),
25
+ (0, class_validator_1.IsString)(),
26
+ (0, class_validator_1.IsNotEmpty)(),
27
+ __metadata("design:type", String)
28
+ ], SelfRegisterVerifyOtpRequest.prototype, "tenantId", void 0);
29
+ __decorate([
30
+ (0, class_transformer_1.Expose)(),
31
+ (0, class_validator_1.IsEmail)(),
32
+ __metadata("design:type", String)
33
+ ], SelfRegisterVerifyOtpRequest.prototype, "email", void 0);
34
+ __decorate([
35
+ (0, class_transformer_1.Expose)(),
36
+ (0, class_validator_1.IsString)(),
37
+ (0, class_validator_1.IsNotEmpty)(),
38
+ __metadata("design:type", String)
39
+ ], SelfRegisterVerifyOtpRequest.prototype, "otp", void 0);
@@ -77,6 +77,7 @@ export declare enum Permission {
77
77
  TENANT_SECURITY_POLICY_MANAGE = "tenant.security.policy.manage",
78
78
  TENANT_BRANDING_MANAGE = "tenant.branding.manage",
79
79
  TENANT_AUDIT_VIEW = "tenant.audit.view",
80
+ TENANT_LEVEL_MANAGE = "tenant.level.manage",
80
81
  RETAIL_USER_CREATE = "retail.user.create",
81
82
  RETAIL_USER_CREATE_LATERAL = "retail.user.create.lateral",
82
83
  RETAIL_USER_READ = "retail.user.read",
@@ -101,6 +101,8 @@ var Permission;
101
101
  Permission["TENANT_SECURITY_POLICY_MANAGE"] = "tenant.security.policy.manage";
102
102
  Permission["TENANT_BRANDING_MANAGE"] = "tenant.branding.manage";
103
103
  Permission["TENANT_AUDIT_VIEW"] = "tenant.audit.view";
104
+ // DEC-RBAC-038: gestión de scope-entities de nivel genérico — crear/editar/borrar entidades del nivel inferior; scope-bound.
105
+ Permission["TENANT_LEVEL_MANAGE"] = "tenant.level.manage";
104
106
  // ====================================================
105
107
  // RETAIL — catálogo + inventario + ventas
106
108
  // ====================================================
@@ -344,6 +346,9 @@ exports.PERMISSION_BIT_ORDER = [
344
346
  // Append-only 2026-06-24 (DEC-RBAC-036): gate dedicada de gestión de aplicaciones (plantillas).
345
347
  // Al FINAL para no correr bits existentes (PERMS_VERSION cambia, índices previos se conservan).
346
348
  Permission.PLATFORM_APPLICATION_MANAGE,
349
+ // Append-only 2026-06-24 (DEC-RBAC-038): gestión de scope-entities de nivel genérico (scope-bound).
350
+ // Al FINAL para no correr bits existentes (PERMS_VERSION cambia, índices previos se conservan).
351
+ Permission.TENANT_LEVEL_MANAGE,
347
352
  ];
348
353
  function djb2(input) {
349
354
  let h = 5381;
@@ -39,3 +39,7 @@ export * from './enums/PermissionKind';
39
39
  export type { LevelDef, ApplicationSecurityPolicyDefault, ApplicationBrandingDefault, ApplicationDefaults, SeedRole, Application, } from './application/Application';
40
40
  export type { ApplicationPermission } from './application/ApplicationPermission';
41
41
  export type { CreateApplicationRequest, UpdateApplicationRequest, UpsertApplicationPermissionRequest, } from './application/requests';
42
+ export * from './dtos/SelfRegisterStartRequest';
43
+ export * from './dtos/SelfRegisterVerifyOtpRequest';
44
+ export * from './dtos/SelfRegisterCompleteRequest';
45
+ export * from './dtos/CompleteMyProfileRequest';
@@ -86,3 +86,10 @@ __exportStar(require("./dtos/UpdateUserFieldRequest"), exports);
86
86
  // los requests son interfaces plain (sin decoradores class-validator) → type-only.
87
87
  __exportStar(require("./enums/ApplicationStatus"), exports);
88
88
  __exportStar(require("./enums/PermissionKind"), exports);
89
+ // Autoregistro self-service por tenant (DEC-RBAC-030..034). Los Request llevan decoradores
90
+ // class-validator (export de valor — se hidratan con plainToInstance); los Response son interfaces
91
+ // plain (type-only). Consumidos por los endpoints públicos de platform-rbac-business + el gate de perfil.
92
+ __exportStar(require("./dtos/SelfRegisterStartRequest"), exports);
93
+ __exportStar(require("./dtos/SelfRegisterVerifyOtpRequest"), exports);
94
+ __exportStar(require("./dtos/SelfRegisterCompleteRequest"), exports);
95
+ __exportStar(require("./dtos/CompleteMyProfileRequest"), exports);
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@fiado/type-kit",
3
- "version": "3.112.0",
3
+ "version": "3.114.0",
4
4
  "description": "",
5
5
  "main": "bin/index.js",
6
6
  "types": "bin/index.d.ts",
@@ -0,0 +1,12 @@
1
+ import { Expose } from 'class-transformer';
2
+ import { IsNotEmpty, IsObject, IsOptional, IsString } from 'class-validator';
3
+
4
+ /**
5
+ * Body del PUT /me/profile/complete (autenticado, gate post-MFA del autoregistro). DEC-RBAC-034.
6
+ * Opera sobre el propio usuario (cognitoSub del token). Valida nombre + los `userFieldDefs` requeridos
7
+ * del tenant (422 MISSING_REQUIRED_FIELDS si faltan) y flipea `profileComplete=true`.
8
+ */
9
+ export class CompleteMyProfileRequest {
10
+ @Expose() @IsString() @IsNotEmpty() displayName!: string;
11
+ @Expose() @IsOptional() @IsObject() customFields?: Record<string, string>;
12
+ }
@@ -0,0 +1,25 @@
1
+ import { Expose } from 'class-transformer';
2
+ import { IsEmail, IsNotEmpty, IsObject, IsOptional, IsString, MinLength } from 'class-validator';
3
+
4
+ /**
5
+ * Body del POST /self-register/complete (público, anónimo). DEC-RBAC-033.
6
+ * Consume el `completionToken` del verify-otp (validación condicional atómica server-side, anti
7
+ * doble-complete). La password la elige el usuario y nace permanente (usuario ACTIVE). `displayName`
8
+ * y `customFields` son opcionales (point 6): si llegan completos, `profileComplete=true` y se saltea
9
+ * el gate post-MFA; si no, el usuario nace `profileComplete=false` con displayName placeholder.
10
+ * La password NUNCA se persiste: viaja solo acá, directo a Cognito.
11
+ */
12
+ export class SelfRegisterCompleteRequest {
13
+ @Expose() @IsString() @IsNotEmpty() tenantId!: string;
14
+ @Expose() @IsEmail() email!: string;
15
+ @Expose() @IsString() @IsNotEmpty() completionToken!: string;
16
+ @Expose() @IsString() @MinLength(8) password!: string;
17
+ @Expose() @IsOptional() @IsString() displayName?: string;
18
+ @Expose() @IsOptional() @IsObject() customFields?: Record<string, string>;
19
+ }
20
+
21
+ /** Respuesta del complete. El usuario nace ACTIVE; `profileComplete` indica si falta completar perfil. */
22
+ export interface SelfRegisterCompleteResponse {
23
+ cognitoSub: string;
24
+ profileComplete: boolean;
25
+ }
@@ -0,0 +1,22 @@
1
+ import { Expose } from 'class-transformer';
2
+ import { IsEmail, IsEnum, IsNotEmpty, IsString } from 'class-validator';
3
+ import { PermissionScope } from '../enums/PermissionScope';
4
+
5
+ /**
6
+ * Body del POST /self-register/start (público, anónimo). DEC-RBAC-030/031.
7
+ * El `roleId`/`scope`/`scopeRef` los manda el front pero el server los valida contra la allowlist
8
+ * del tenant (`autoregister.allowedRoles`) — guarda anti-escalación. NO incluye campos obligatorios:
9
+ * se completan post-MFA (DEC-RBAC-034). El email se normaliza lowercase server-side.
10
+ */
11
+ export class SelfRegisterStartRequest {
12
+ @Expose() @IsString() @IsNotEmpty() tenantId!: string;
13
+ @Expose() @IsEmail() email!: string;
14
+ @Expose() @IsString() @IsNotEmpty() roleId!: string;
15
+ @Expose() @IsEnum(PermissionScope) scope!: PermissionScope;
16
+ @Expose() @IsString() @IsNotEmpty() scopeRef!: string;
17
+ }
18
+
19
+ /** Respuesta del start. `expiresAt` epoch ms del registro pendiente. Genérica también en los caminos de rechazo silencioso (anti-enumeración). */
20
+ export interface SelfRegisterStartResponse {
21
+ expiresAt: number;
22
+ }
@@ -0,0 +1,18 @@
1
+ import { Expose } from 'class-transformer';
2
+ import { IsEmail, IsNotEmpty, IsString } from 'class-validator';
3
+
4
+ /**
5
+ * Body del POST /self-register/verify-otp (público, anónimo). DEC-RBAC-032.
6
+ * El OTP lo verifica `fiado-messages-lambda` (one-shot). En éxito el server devuelve un
7
+ * `completionToken` one-time que `complete` debe presentar.
8
+ */
9
+ export class SelfRegisterVerifyOtpRequest {
10
+ @Expose() @IsString() @IsNotEmpty() tenantId!: string;
11
+ @Expose() @IsEmail() email!: string;
12
+ @Expose() @IsString() @IsNotEmpty() otp!: string;
13
+ }
14
+
15
+ /** Respuesta del verify-otp. `completionToken` one-time para el paso `complete`. */
16
+ export interface SelfRegisterVerifyOtpResponse {
17
+ completionToken: string;
18
+ }
@@ -97,6 +97,8 @@ export enum Permission {
97
97
  TENANT_SECURITY_POLICY_MANAGE = 'tenant.security.policy.manage',
98
98
  TENANT_BRANDING_MANAGE = 'tenant.branding.manage',
99
99
  TENANT_AUDIT_VIEW = 'tenant.audit.view',
100
+ // DEC-RBAC-038: gestión de scope-entities de nivel genérico — crear/editar/borrar entidades del nivel inferior; scope-bound.
101
+ TENANT_LEVEL_MANAGE = 'tenant.level.manage',
100
102
 
101
103
  // ====================================================
102
104
  // RETAIL — catálogo + inventario + ventas
@@ -346,6 +348,9 @@ export const PERMISSION_BIT_ORDER: readonly Permission[] = [
346
348
  // Append-only 2026-06-24 (DEC-RBAC-036): gate dedicada de gestión de aplicaciones (plantillas).
347
349
  // Al FINAL para no correr bits existentes (PERMS_VERSION cambia, índices previos se conservan).
348
350
  Permission.PLATFORM_APPLICATION_MANAGE,
351
+ // Append-only 2026-06-24 (DEC-RBAC-038): gestión de scope-entities de nivel genérico (scope-bound).
352
+ // Al FINAL para no correr bits existentes (PERMS_VERSION cambia, índices previos se conservan).
353
+ Permission.TENANT_LEVEL_MANAGE,
349
354
  ] as const;
350
355
 
351
356
  function djb2(input: string): number {
@@ -93,3 +93,11 @@ export type {
93
93
  UpdateApplicationRequest,
94
94
  UpsertApplicationPermissionRequest,
95
95
  } from './application/requests';
96
+
97
+ // Autoregistro self-service por tenant (DEC-RBAC-030..034). Los Request llevan decoradores
98
+ // class-validator (export de valor — se hidratan con plainToInstance); los Response son interfaces
99
+ // plain (type-only). Consumidos por los endpoints públicos de platform-rbac-business + el gate de perfil.
100
+ export * from './dtos/SelfRegisterStartRequest';
101
+ export * from './dtos/SelfRegisterVerifyOtpRequest';
102
+ export * from './dtos/SelfRegisterCompleteRequest';
103
+ export * from './dtos/CompleteMyProfileRequest';