@fiado/type-kit 3.112.0 → 3.114.0
- package/_test_/unit/platformRbac/enums/__snapshots__/permissionBits.test.ts.snap +2 -1
- package/bin/platformRbac/dtos/CompleteMyProfileRequest.d.ts +9 -0
- package/bin/platformRbac/dtos/CompleteMyProfileRequest.js +34 -0
- package/bin/platformRbac/dtos/SelfRegisterCompleteRequest.d.ts +21 -0
- package/bin/platformRbac/dtos/SelfRegisterCompleteRequest.js +60 -0
- package/bin/platformRbac/dtos/SelfRegisterStartRequest.d.ts +18 -0
- package/bin/platformRbac/dtos/SelfRegisterStartRequest.js +52 -0
- package/bin/platformRbac/dtos/SelfRegisterVerifyOtpRequest.d.ts +14 -0
- package/bin/platformRbac/dtos/SelfRegisterVerifyOtpRequest.js +39 -0
- package/bin/platformRbac/enums/Permission.d.ts +1 -0
- package/bin/platformRbac/enums/Permission.js +5 -0
- package/bin/platformRbac/index.d.ts +4 -0
- package/bin/platformRbac/index.js +7 -0
- package/package.json +1 -1
- package/src/platformRbac/dtos/CompleteMyProfileRequest.ts +12 -0
- package/src/platformRbac/dtos/SelfRegisterCompleteRequest.ts +25 -0
- package/src/platformRbac/dtos/SelfRegisterStartRequest.ts +22 -0
- package/src/platformRbac/dtos/SelfRegisterVerifyOtpRequest.ts +18 -0
- package/src/platformRbac/enums/Permission.ts +5 -0
- package/src/platformRbac/index.ts +8 -0
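--- a/package/_test_/unit/platformRbac/enums/__snapshots__/permissionBits.test.ts.snap
+++ b/package/_test_/unit/platformRbac/enums/__snapshots__/permissionBits.test.ts.snap
@@ -1,6 +1,6 @@
 // Jest Snapshot v1, https://jestjs.io/docs/snapshot-testing
 
-exports[`PERMISSION_BIT_ORDER PERMS_VERSION es número estable 1`] = `
+exports[`PERMISSION_BIT_ORDER PERMS_VERSION es número estable 1`] = `643213674`;
 
 exports[`PERMISSION_BIT_ORDER append-only: snapshot del ORDEN COMPLETO (rompe ante cualquier reorden/inserción) 1`] = `
 [
@@ -124,5 +124,6 @@ exports[`PERMISSION_BIT_ORDER append-only: snapshot del ORDEN COMPLETO (rompe an
 "agents.app.access",
 "platform.user.create.lateral",
 "platform.application.manage",
+"tenant.level.manage",
 ]
 `;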
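--- a/package/bin/platformRbac/dtos/CompleteMyProfileRequest.d.ts
+++ b/package/bin/platformRbac/dtos/CompleteMyProfileRequest.d.ts
@@ -0,0 +1,9 @@
+/**
+* Body del PUT /me/profile/complete (autenticado, gate post-MFA del autoregistro). DEC-RBAC-034.
+* Opera sobre el propio usuario (cognitoSub del token). Valida nombre + los `userFieldDefs` requeridos
+* del tenant (422 MISSING_REQUIRED_FIELDS si faltan) y flipea `profileComplete=true`.
+*/
+export declare class CompleteMyProfileRequest {
+displayName: string;
+customFields?: Record<string, string>;
+}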
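--- a/package/bin/platformRbac/dtos/CompleteMyProfileRequest.js
+++ b/package/bin/platformRbac/dtos/CompleteMyProfileRequest.js
@@ -0,0 +1,34 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CompleteMyProfileRequest = void 0;
+const class_transformer_1 = require("class-transformer");
+const class_validator_1 = require("class-validator");
+/**
+* Body del PUT /me/profile/complete (autenticado, gate post-MFA del autoregistro). DEC-RBAC-034.
+* Opera sobre el propio usuario (cognitoSub del token). Valida nombre + los `userFieldDefs` requeridos
+* del tenant (422 MISSING_REQUIRED_FIELDS si faltan) y flipea `profileComplete=true`.
+*/
+class CompleteMyProfileRequest {
+}
+exports.CompleteMyProfileRequest = CompleteMyProfileRequest;
+__decorate([
+(0, class_transformer_1.Expose)(),
+(0, class_validator_1.IsString)(),
+(0, class_validator_1.IsNotEmpty)(),
+__metadata("design:type", String)
+], CompleteMyProfileRequest.prototype, "displayName", void 0);
+__decorate([
+(0, class_transformer_1.Expose)(),
+(0, class_validator_1.IsOptional)(),
+(0, class_validator_1.IsObject)(),
+__metadata("design:type", Object)
+], CompleteMyProfileRequest.prototype, "customFields", void 0);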
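--- a/package/bin/platformRbac/dtos/SelfRegisterCompleteRequest.d.ts
+++ b/package/bin/platformRbac/dtos/SelfRegisterCompleteRequest.d.ts
@@ -0,0 +1,21 @@
+/**
+* Body del POST /self-register/complete (público, anónimo). DEC-RBAC-033.
+* Consume el `completionToken` del verify-otp (validación condicional atómica server-side, anti
+* doble-complete). La password la elige el usuario y nace permanente (usuario ACTIVE). `displayName`
+* y `customFields` son opcionales (point 6): si llegan completos, `profileComplete=true` y se saltea
+* el gate post-MFA; si no, el usuario nace `profileComplete=false` con displayName placeholder.
+* La password NUNCA se persiste: viaja solo acá, directo a Cognito.
+*/
+export declare class SelfRegisterCompleteRequest {
+tenantId: string;
+email: string;
+completionToken: string;
+password: string;
+displayName?: string;
+customFields?: Record<string, string>;
+}
+/** Respuesta del complete. El usuario nace ACTIVE; `profileComplete` indica si falta completar perfil. */
+export interface SelfRegisterCompleteResponse {
+cognitoSub: string;
+profileComplete: boolean;
+}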
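--- a/package/bin/platformRbac/dtos/SelfRegisterCompleteRequest.js
+++ b/package/bin/platformRbac/dtos/SelfRegisterCompleteRequest.js
@@ -0,0 +1,60 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SelfRegisterCompleteRequest = void 0;
+const class_transformer_1 = require("class-transformer");
+const class_validator_1 = require("class-validator");
+/**
+* Body del POST /self-register/complete (público, anónimo). DEC-RBAC-033.
+* Consume el `completionToken` del verify-otp (validación condicional atómica server-side, anti
+* doble-complete). La password la elige el usuario y nace permanente (usuario ACTIVE). `displayName`
+* y `customFields` son opcionales (point 6): si llegan completos, `profileComplete=true` y se saltea
+* el gate post-MFA; si no, el usuario nace `profileComplete=false` con displayName placeholder.
+* La password NUNCA se persiste: viaja solo acá, directo a Cognito.
+*/
+class SelfRegisterCompleteRequest {
+}
+exports.SelfRegisterCompleteRequest = SelfRegisterCompleteRequest;
+__decorate([
+(0, class_transformer_1.Expose)(),
+(0, class_validator_1.IsString)(),
+(0, class_validator_1.IsNotEmpty)(),
+__metadata("design:type", String)
+], SelfRegisterCompleteRequest.prototype, "tenantId", void 0);
+__decorate([
+(0, class_transformer_1.Expose)(),
+(0, class_validator_1.IsEmail)(),
+__metadata("design:type", String)
+], SelfRegisterCompleteRequest.prototype, "email", void 0);
+__decorate([
+(0, class_transformer_1.Expose)(),
+(0, class_validator_1.IsString)(),
+(0, class_validator_1.IsNotEmpty)(),
+__metadata("design:type", String)
+], SelfRegisterCompleteRequest.prototype, "completionToken", void 0);
+__decorate([
+(0, class_transformer_1.Expose)(),
+(0, class_validator_1.IsString)(),
+(0, class_validator_1.MinLength)(8),
+__metadata("design:type", String)
+], SelfRegisterCompleteRequest.prototype, "password", void 0);
+__decorate([
+(0, class_transformer_1.Expose)(),
+(0, class_validator_1.IsOptional)(),
+(0, class_validator_1.IsString)(),
+__metadata("design:type", String)
+], SelfRegisterCompleteRequest.prototype, "displayName", void 0);
+__decorate([
+(0, class_transformer_1.Expose)(),
+(0, class_validator_1.IsOptional)(),
+(0, class_validator_1.IsObject)(),
+__metadata("design:type", Object)
+], SelfRegisterCompleteRequest.prototype, "customFields", void 0);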
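--- a/package/bin/platformRbac/dtos/SelfRegisterStartRequest.d.ts
+++ b/package/bin/platformRbac/dtos/SelfRegisterStartRequest.d.ts
@@ -0,0 +1,18 @@
+import { PermissionScope } from '../enums/PermissionScope';
+/**
+* Body del POST /self-register/start (público, anónimo). DEC-RBAC-030/031.
+* El `roleId`/`scope`/`scopeRef` los manda el front pero el server los valida contra la allowlist
+* del tenant (`autoregister.allowedRoles`) — guarda anti-escalación. NO incluye campos obligatorios:
+* se completan post-MFA (DEC-RBAC-034). El email se normaliza lowercase server-side.
+*/
+export declare class SelfRegisterStartRequest {
+tenantId: string;
+email: string;
+roleId: string;
+scope: PermissionScope;
+scopeRef: string;
+}
+/** Respuesta del start. `expiresAt` epoch ms del registro pendiente. Genérica también en los caminos de rechazo silencioso (anti-enumeración). */
+export interface SelfRegisterStartResponse {
+expiresAt: number;
+}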
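--- a/package/bin/platformRbac/dtos/SelfRegisterStartRequest.js
+++ b/package/bin/platformRbac/dtos/SelfRegisterStartRequest.js
@@ -0,0 +1,52 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SelfRegisterStartRequest = void 0;
+const class_transformer_1 = require("class-transformer");
+const class_validator_1 = require("class-validator");
+const PermissionScope_1 = require("../enums/PermissionScope");
+/**
+* Body del POST /self-register/start (público, anónimo). DEC-RBAC-030/031.
+* El `roleId`/`scope`/`scopeRef` los manda el front pero el server los valida contra la allowlist
+* del tenant (`autoregister.allowedRoles`) — guarda anti-escalación. NO incluye campos obligatorios:
+* se completan post-MFA (DEC-RBAC-034). El email se normaliza lowercase server-side.
+*/
+class SelfRegisterStartRequest {
+}
+exports.SelfRegisterStartRequest = SelfRegisterStartRequest;
+__decorate([
+(0, class_transformer_1.Expose)(),
+(0, class_validator_1.IsString)(),
+(0, class_validator_1.IsNotEmpty)(),
+__metadata("design:type", String)
+], SelfRegisterStartRequest.prototype, "tenantId", void 0);
+__decorate([
+(0, class_transformer_1.Expose)(),
+(0, class_validator_1.IsEmail)(),
+__metadata("design:type", String)
+], SelfRegisterStartRequest.prototype, "email", void 0);
+__decorate([
+(0, class_transformer_1.Expose)(),
+(0, class_validator_1.IsString)(),
+(0, class_validator_1.IsNotEmpty)(),
+__metadata("design:type", String)
+], SelfRegisterStartRequest.prototype, "roleId", void 0);
+__decorate([
+(0, class_transformer_1.Expose)(),
+(0, class_validator_1.IsEnum)(PermissionScope_1.PermissionScope),
+__metadata("design:type", String)
+], SelfRegisterStartRequest.prototype, "scope", void 0);
+__decorate([
+(0, class_transformer_1.Expose)(),
+(0, class_validator_1.IsString)(),
+(0, class_validator_1.IsNotEmpty)(),
+__metadata("design:type", String)
+], SelfRegisterStartRequest.prototype, "scopeRef", void 0);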
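--- a/package/bin/platformRbac/dtos/SelfRegisterVerifyOtpRequest.d.ts
+++ b/package/bin/platformRbac/dtos/SelfRegisterVerifyOtpRequest.d.ts
@@ -0,0 +1,14 @@
+/**
+* Body del POST /self-register/verify-otp (público, anónimo). DEC-RBAC-032.
+* El OTP lo verifica `fiado-messages-lambda` (one-shot). En éxito el server devuelve un
+* `completionToken` one-time que `complete` debe presentar.
+*/
+export declare class SelfRegisterVerifyOtpRequest {
+tenantId: string;
+email: string;
+otp: string;
+}
+/** Respuesta del verify-otp. `completionToken` one-time para el paso `complete`. */
+export interface SelfRegisterVerifyOtpResponse {
+completionToken: string;
+}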
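--- a/package/bin/platformRbac/dtos/SelfRegisterVerifyOtpRequest.js
+++ b/package/bin/platformRbac/dtos/SelfRegisterVerifyOtpRequest.js
@@ -0,0 +1,39 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SelfRegisterVerifyOtpRequest = void 0;
+const class_transformer_1 = require("class-transformer");
+const class_validator_1 = require("class-validator");
+/**
+* Body del POST /self-register/verify-otp (público, anónimo). DEC-RBAC-032.
+* El OTP lo verifica `fiado-messages-lambda` (one-shot). En éxito el server devuelve un
+* `completionToken` one-time que `complete` debe presentar.
+*/
+class SelfRegisterVerifyOtpRequest {
+}
+exports.SelfRegisterVerifyOtpRequest = SelfRegisterVerifyOtpRequest;
+__decorate([
+(0, class_transformer_1.Expose)(),
+(0, class_validator_1.IsString)(),
+(0, class_validator_1.IsNotEmpty)(),
+__metadata("design:type", String)
+], SelfRegisterVerifyOtpRequest.prototype, "tenantId", void 0);
+__decorate([
+(0, class_transformer_1.Expose)(),
+(0, class_validator_1.IsEmail)(),
+__metadata("design:type", String)
+], SelfRegisterVerifyOtpRequest.prototype, "email", void 0);
+__decorate([
+(0, class_transformer_1.Expose)(),
+(0, class_validator_1.IsString)(),
+(0, class_validator_1.IsNotEmpty)(),
+__metadata("design:type", String)
+], SelfRegisterVerifyOtpRequest.prototype, "otp", void 0);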
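--- a/package/bin/platformRbac/enums/Permission.d.ts
+++ b/package/bin/platformRbac/enums/Permission.d.ts
@@ -77,6 +77,7 @@ export declare enum Permission {
 TENANT_SECURITY_POLICY_MANAGE = "tenant.security.policy.manage",
 TENANT_BRANDING_MANAGE = "tenant.branding.manage",
 TENANT_AUDIT_VIEW = "tenant.audit.view",
+TENANT_LEVEL_MANAGE = "tenant.level.manage",
 RETAIL_USER_CREATE = "retail.user.create",
 RETAIL_USER_CREATE_LATERAL = "retail.user.create.lateral",
 RETAIL_USER_READ = "retail.user.read",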
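--- a/package/bin/platformRbac/enums/Permission.js
+++ b/package/bin/platformRbac/enums/Permission.js
@@ -101,6 +101,8 @@ var Permission;
 Permission["TENANT_SECURITY_POLICY_MANAGE"] = "tenant.security.policy.manage";
 Permission["TENANT_BRANDING_MANAGE"] = "tenant.branding.manage";
 Permission["TENANT_AUDIT_VIEW"] = "tenant.audit.view";
+// DEC-RBAC-038: gestión de scope-entities de nivel genérico — crear/editar/borrar entidades del nivel inferior; scope-bound.
+Permission["TENANT_LEVEL_MANAGE"] = "tenant.level.manage";
 // ====================================================
 // RETAIL — catálogo + inventario + ventas
 // ====================================================
@@ -344,6 +346,9 @@ exports.PERMISSION_BIT_ORDER = [
 // Append-only 2026-06-24 (DEC-RBAC-036): gate dedicada de gestión de aplicaciones (plantillas).
 // Al FINAL para no correr bits existentes (PERMS_VERSION cambia, índices previos se conservan).
 Permission.PLATFORM_APPLICATION_MANAGE,
+// Append-only 2026-06-24 (DEC-RBAC-038): gestión de scope-entities de nivel genérico (scope-bound).
+// Al FINAL para no correr bits existentes (PERMS_VERSION cambia, índices previos se conservan).
+Permission.TENANT_LEVEL_MANAGE,
 ];
 function djb2(input) {
 let h = 5381;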
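--- a/package/bin/platformRbac/index.d.ts
+++ b/package/bin/platformRbac/index.d.ts
@@ -39,3 +39,7 @@ export * from './enums/PermissionKind';
 export type { LevelDef, ApplicationSecurityPolicyDefault, ApplicationBrandingDefault, ApplicationDefaults, SeedRole, Application, } from './application/Application';
 export type { ApplicationPermission } from './application/ApplicationPermission';
 export type { CreateApplicationRequest, UpdateApplicationRequest, UpsertApplicationPermissionRequest, } from './application/requests';
+export * from './dtos/SelfRegisterStartRequest';
+export * from './dtos/SelfRegisterVerifyOtpRequest';
+export * from './dtos/SelfRegisterCompleteRequest';
+export * from './dtos/CompleteMyProfileRequest';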
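--- a/package/bin/platformRbac/index.js
+++ b/package/bin/platformRbac/index.js
@@ -86,3 +86,10 @@ __exportStar(require("./dtos/UpdateUserFieldRequest"), exports);
 // los requests son interfaces plain (sin decoradores class-validator) → type-only.
 __exportStar(require("./enums/ApplicationStatus"), exports);
 __exportStar(require("./enums/PermissionKind"), exports);
+// Autoregistro self-service por tenant (DEC-RBAC-030..034). Los Request llevan decoradores
+// class-validator (export de valor — se hidratan con plainToInstance); los Response son interfaces
+// plain (type-only). Consumidos por los endpoints públicos de platform-rbac-business + el gate de perfil.
+__exportStar(require("./dtos/SelfRegisterStartRequest"), exports);
+__exportStar(require("./dtos/SelfRegisterVerifyOtpRequest"), exports);
+__exportStar(require("./dtos/SelfRegisterCompleteRequest"), exports);
+__exportStar(require("./dtos/CompleteMyProfileRequest"), exports);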
package/package.json
CHANGED
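--- a/package/src/platformRbac/dtos/CompleteMyProfileRequest.ts
+++ b/package/src/platformRbac/dtos/CompleteMyProfileRequest.ts
@@ -0,0 +1,12 @@
+import { Expose } from 'class-transformer';
+import { IsNotEmpty, IsObject, IsOptional, IsString } from 'class-validator';
+
+/**
+* Body del PUT /me/profile/complete (autenticado, gate post-MFA del autoregistro). DEC-RBAC-034.
+* Opera sobre el propio usuario (cognitoSub del token). Valida nombre + los `userFieldDefs` requeridos
+* del tenant (422 MISSING_REQUIRED_FIELDS si faltan) y flipea `profileComplete=true`.
+*/
+export class CompleteMyProfileRequest {
+@Expose() @IsString() @IsNotEmpty() displayName!: string;
+@Expose() @IsOptional() @IsObject() customFields?: Record<string, string>;
+}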
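Review bot: `customFields` on line 11 is declared `Record<string, string>` but validated only by `@IsObject()`, so nested objects and non-string values pass validation and reach the `userFieldDefs` check with a shape the declaration does not admit; `displayName` on line 10 likewise has no upper length bound. A reviewer would expect `@MaxLength(<DISPLAY_NAME_MAX>)` on `displayName` and a value-level check on `customFields` — with class-validator that is a custom decorator, or the server-side check against the tenant's `userFieldDefs` that the docblock already describes; if the latter is what is relied on, say so with a docblock line like ` * customFields is only checked to be an object here; each value's type and length are validated against userFieldDefs server-side.` The same absence of an upper length bound applies to the string fields of SelfRegisterStartRequest (tenantId, roleId, scopeRef), SelfRegisterVerifyOtpRequest (tenantId, otp) and SelfRegisterCompleteRequest (tenantId, completionToken, password, displayName) in this commit.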
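--- a/package/src/platformRbac/dtos/SelfRegisterCompleteRequest.ts
+++ b/package/src/platformRbac/dtos/SelfRegisterCompleteRequest.ts
@@ -0,0 +1,25 @@
+import { Expose } from 'class-transformer';
+import { IsEmail, IsNotEmpty, IsObject, IsOptional, IsString, MinLength } from 'class-validator';
+
+/**
+* Body del POST /self-register/complete (público, anónimo). DEC-RBAC-033.
+* Consume el `completionToken` del verify-otp (validación condicional atómica server-side, anti
+* doble-complete). La password la elige el usuario y nace permanente (usuario ACTIVE). `displayName`
+* y `customFields` son opcionales (point 6): si llegan completos, `profileComplete=true` y se saltea
+* el gate post-MFA; si no, el usuario nace `profileComplete=false` con displayName placeholder.
+* La password NUNCA se persiste: viaja solo acá, directo a Cognito.
+*/
+export class SelfRegisterCompleteRequest {
+@Expose() @IsString() @IsNotEmpty() tenantId!: string;
+@Expose() @IsEmail() email!: string;
+@Expose() @IsString() @IsNotEmpty() completionToken!: string;
+@Expose() @IsString() @MinLength(8) password!: string;
+@Expose() @IsOptional() @IsString() displayName?: string;
+@Expose() @IsOptional() @IsObject() customFields?: Record<string, string>;
+}
+
+/** Respuesta del complete. El usuario nace ACTIVE; `profileComplete` indica si falta completar perfil. */
+export interface SelfRegisterCompleteResponse {
+cognitoSub: string;
+profileComplete: boolean;
+}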
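Review bot: `displayName` on line 17 is `@IsOptional() @IsString()` with no `@IsNotEmpty()`, so an empty string passes validation while still counting as present; given the docblock's rule that a complete `displayName` + `customFields` sets `profileComplete=true` and skips the post-MFA gate, whether `""` counts as provided is left entirely to the handler. Either add the check — `@Expose() @IsOptional() @IsString() @IsNotEmpty() displayName?: string;` (`@IsOptional()` only skips `undefined`/`null`, so `""` is then rejected) — or document that the handler treats blank as absent. `password` on line 16 has `@MinLength(8)` but no upper bound; something like `@MaxLength(256)` (constructed figure, align it with the Cognito pool's password policy) rejects oversized bodies before they reach Cognito. Since the docblock says the password is never persisted, a one-line note that instances of this class must not be logged or serialized as-is would help consumers keep that promise.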
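--- a/package/src/platformRbac/dtos/SelfRegisterStartRequest.ts
+++ b/package/src/platformRbac/dtos/SelfRegisterStartRequest.ts
@@ -0,0 +1,22 @@
+import { Expose } from 'class-transformer';
+import { IsEmail, IsEnum, IsNotEmpty, IsString } from 'class-validator';
+import { PermissionScope } from '../enums/PermissionScope';
+
+/**
+* Body del POST /self-register/start (público, anónimo). DEC-RBAC-030/031.
+* El `roleId`/`scope`/`scopeRef` los manda el front pero el server los valida contra la allowlist
+* del tenant (`autoregister.allowedRoles`) — guarda anti-escalación. NO incluye campos obligatorios:
+* se completan post-MFA (DEC-RBAC-034). El email se normaliza lowercase server-side.
+*/
+export class SelfRegisterStartRequest {
+@Expose() @IsString() @IsNotEmpty() tenantId!: string;
+@Expose() @IsEmail() email!: string;
+@Expose() @IsString() @IsNotEmpty() roleId!: string;
+@Expose() @IsEnum(PermissionScope) scope!: PermissionScope;
+@Expose() @IsString() @IsNotEmpty() scopeRef!: string;
+}
+
+/** Respuesta del start. `expiresAt` epoch ms del registro pendiente. Genérica también en los caminos de rechazo silencioso (anti-enumeración). */
+export interface SelfRegisterStartResponse {
+expiresAt: number;
+}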
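Review bot: The docblock on lines 6-9 says the server validates `roleId`/`scope`/`scopeRef` against the tenant allowlist, but the DTO itself only checks that `scope` is a `PermissionScope` member and that `roleId`/`scopeRef` are non-empty strings; nothing here ties `scopeRef` to `tenantId`, so a reader of this file should not take the anti-escalation guard to be in the DTO. This is a public, anonymous endpoint and the verify-otp docblock implies a start presumably triggers an OTP send, so the docblock would benefit from one line stating where abuse controls live, e.g. ` * Per-tenant/per-email rate limiting and the allowedRoles check live in the handler, not in this DTO.`; if no such control exists yet, that is worth tracking alongside DEC-RBAC-030/031.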
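--- a/package/src/platformRbac/dtos/SelfRegisterVerifyOtpRequest.ts
+++ b/package/src/platformRbac/dtos/SelfRegisterVerifyOtpRequest.ts
@@ -0,0 +1,18 @@
+import { Expose } from 'class-transformer';
+import { IsEmail, IsNotEmpty, IsString } from 'class-validator';
+
+/**
+* Body del POST /self-register/verify-otp (público, anónimo). DEC-RBAC-032.
+* El OTP lo verifica `fiado-messages-lambda` (one-shot). En éxito el server devuelve un
+* `completionToken` one-time que `complete` debe presentar.
+*/
+export class SelfRegisterVerifyOtpRequest {
+@Expose() @IsString() @IsNotEmpty() tenantId!: string;
+@Expose() @IsEmail() email!: string;
+@Expose() @IsString() @IsNotEmpty() otp!: string;
+}
+
+/** Respuesta del verify-otp. `completionToken` one-time para el paso `complete`. */
+export interface SelfRegisterVerifyOtpResponse {
+completionToken: string;
+}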
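Review bot: `otp` on line 12 is validated only as a non-empty string, so any length or character set is accepted and the format check falls entirely to `fiado-messages-lambda`. If the OTP format is fixed (this file does not say), a `@Length(<OTP_LEN>, <OTP_LEN>)` or `@Matches(<OTP_PATTERN>)` on the field rejects malformed input at the edge and keeps oversized strings out of the downstream call; both are existing class-validator decorators, so this only extends the import on line 2. If the lambda is meant to be the single source of truth for the format, say so in the docblock so the next maintainer does not add a conflicting check here.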
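--- a/package/src/platformRbac/enums/Permission.ts
+++ b/package/src/platformRbac/enums/Permission.ts
@@ -97,6 +97,8 @@ export enum Permission {
 TENANT_SECURITY_POLICY_MANAGE = 'tenant.security.policy.manage',
 TENANT_BRANDING_MANAGE = 'tenant.branding.manage',
 TENANT_AUDIT_VIEW = 'tenant.audit.view',
+// DEC-RBAC-038: gestión de scope-entities de nivel genérico — crear/editar/borrar entidades del nivel inferior; scope-bound.
+TENANT_LEVEL_MANAGE = 'tenant.level.manage',
 
 // ====================================================
 // RETAIL — catálogo + inventario + ventas
@@ -346,6 +348,9 @@ export const PERMISSION_BIT_ORDER: readonly Permission[] = [
 // Append-only 2026-06-24 (DEC-RBAC-036): gate dedicada de gestión de aplicaciones (plantillas).
 // Al FINAL para no correr bits existentes (PERMS_VERSION cambia, índices previos se conservan).
 Permission.PLATFORM_APPLICATION_MANAGE,
+// Append-only 2026-06-24 (DEC-RBAC-038): gestión de scope-entities de nivel genérico (scope-bound).
+// Al FINAL para no correr bits existentes (PERMS_VERSION cambia, índices previos se conservan).
+Permission.TENANT_LEVEL_MANAGE,
 ] as const;
 
 function djb2(input: string): number {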
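--- a/package/src/platformRbac/index.ts
+++ b/package/src/platformRbac/index.ts
@@ -93,3 +93,11 @@ export type {
 UpdateApplicationRequest,
 UpsertApplicationPermissionRequest,
 } from './application/requests';
+
+// Autoregistro self-service por tenant (DEC-RBAC-030..034). Los Request llevan decoradores
+// class-validator (export de valor — se hidratan con plainToInstance); los Response son interfaces
+// plain (type-only). Consumidos por los endpoints públicos de platform-rbac-business + el gate de perfil.
+export * from './dtos/SelfRegisterStartRequest';
+export * from './dtos/SelfRegisterVerifyOtpRequest';
+export * from './dtos/SelfRegisterCompleteRequest';
+export * from './dtos/CompleteMyProfileRequest';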