npm - @fiado/type-kit - Versions diffs - 3.37.0 → 3.39.0 - Mend

@fiado/type-kit 3.37.0 → 3.39.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (193) hide show

package/bin/cognitoBackofficeConnector/validators/NoTenantIdInCustomAttrs.d.ts ADDED Viewed

@@ -0,0 +1,27 @@
+import { ValidatorConstraintInterface, ValidationArguments } from 'class-validator';
+/**
+ * Bloquea que el cliente del backoffice envíe `tenantId` dentro del map
+ * `customAttributes` al actualizar atributos de un usuario Cognito (decisión D3
+ * del spec del proyecto `cognito-backoffice-connector`).
+ *
+ * Razón: el `tenantId` se determina por el pool donde vive el usuario y por
+ * el rol del caller — permitir overridearlo desde `customAttributes` habilitaría
+ * "tenant reassignment" por la puerta de atrás (escalación de privilegios
+ * cross-tenant).
+ *
+ * Acepta:
+ *  - `undefined` / `null` (el campo es opcional).
+ *  - Objeto vacío `{}`.
+ *  - Cualquier objeto que NO contenga la key `tenantId`.
+ *
+ * Rechaza:
+ *  - Objetos con la key `tenantId` presente (con cualquier valor).
+ *  - Valores que no son objeto (string, number, array, etc.).
+ *
+ * Uso en DTOs: `@Validate(NoTenantIdInCustomAttrs)` sobre el campo
+ * `customAttributes`.
+ */
+export declare class NoTenantIdInCustomAttrs implements ValidatorConstraintInterface {
+    validate(value: unknown, _args: ValidationArguments): boolean;
+    defaultMessage(args: ValidationArguments): string;
+}

package/bin/cognitoBackofficeConnector/validators/NoTenantIdInCustomAttrs.js ADDED Viewed

@@ -0,0 +1,48 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.NoTenantIdInCustomAttrs = void 0;
+const class_validator_1 = require("class-validator");
+/**
+ * Bloquea que el cliente del backoffice envíe `tenantId` dentro del map
+ * `customAttributes` al actualizar atributos de un usuario Cognito (decisión D3
+ * del spec del proyecto `cognito-backoffice-connector`).
+ *
+ * Razón: el `tenantId` se determina por el pool donde vive el usuario y por
+ * el rol del caller — permitir overridearlo desde `customAttributes` habilitaría
+ * "tenant reassignment" por la puerta de atrás (escalación de privilegios
+ * cross-tenant).
+ *
+ * Acepta:
+ *  - `undefined` / `null` (el campo es opcional).
+ *  - Objeto vacío `{}`.
+ *  - Cualquier objeto que NO contenga la key `tenantId`.
+ *
+ * Rechaza:
+ *  - Objetos con la key `tenantId` presente (con cualquier valor).
+ *  - Valores que no son objeto (string, number, array, etc.).
+ *
+ * Uso en DTOs: `@Validate(NoTenantIdInCustomAttrs)` sobre el campo
+ * `customAttributes`.
+ */
+let NoTenantIdInCustomAttrs = class NoTenantIdInCustomAttrs {
+    validate(value, _args) {
+        if (value === undefined || value === null)
+            return true;
+        if (typeof value !== 'object' || Array.isArray(value))
+            return false;
+        return !Object.prototype.hasOwnProperty.call(value, 'tenantId');
+    }
+    defaultMessage(args) {
+        return `${args.property} must not contain a 'tenantId' key — tenant reassignment via customAttributes is forbidden`;
+    }
+};
+exports.NoTenantIdInCustomAttrs = NoTenantIdInCustomAttrs;
+exports.NoTenantIdInCustomAttrs = NoTenantIdInCustomAttrs = __decorate([
+    (0, class_validator_1.ValidatorConstraint)({ name: 'NoTenantIdInCustomAttrs', async: false })
+], NoTenantIdInCustomAttrs);

package/bin/index.d.ts CHANGED Viewed

@@ -73,5 +73,8 @@ export * as CirculoCredito from './circuloCredito';
 export * as MilestoneBusiness from './milestone-business';
 export * as Mdm from './mdm';
 export * as MessagesConnector from './messagesConnector';
+export * as CognitoBackofficeConnector from './cognitoBackofficeConnector';
+export * as Rbac from './rbac';
+export * as PlatformRbac from './platformRbac';
 export * as Remittance from './remittance';
 export * from './messaging';

package/bin/index.js CHANGED Viewed

@@ -37,7 +37,7 @@ var __exportStar = (this && this.__exportStar) || function(m, exports) {
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.Pricelist = exports.Company = exports.Services = exports.AccountIssuanceBusiness = exports.AppSelectionData = exports.Device = exports.Observations = exports.IssuanceBusiness = exports.Blacklist = exports.CentralPayments = exports.Helpdesk = exports.FiadoApiResponse = exports.Auth = exports.LegalDocumentsBusiness = exports.Role = exports.STPAccount = exports.RiskProfile = exports.FraudPreventionEngine = exports.BBVARst = exports.Stp = exports.BenefitCenter = exports.BankAccount = exports.P2pContact = exports.CreditContract = exports.Contract = exports.ProductCatalog = exports.ContactInfo = exports.Transaction = exports.TransactionProcessor = exports.GenericMessage = exports.EventBridgeMessage = exports.SessionActivity = exports.NotificationMessages = exports.ServicePayment = exports.Header = exports.Identity = exports.Group = exports.File = exports.ExchangeRate = exports.Directory = exports.Currency = exports.Country = exports.Card = exports.Authentication = exports.App = exports.Address = exports.Beneficiary = exports.Activity = exports.Account = exports.Crypto = void 0;
-exports.Remittance = exports.MessagesConnector = exports.Mdm = exports.MilestoneBusiness = exports.CirculoCredito = exports.CreditStatements = exports.Sentry = exports.AiEngine = exports.Funnel = exports.TeamsConnector = exports.PlatformErrorEvents = exports.CustomerFile = exports.CreditBackoffice = exports.CreditDashboard = exports.CreditEngine = exports.Credit = exports.ComissionBusiness = exports.ReferralBusiness = exports.ZendeskMessaging = exports.NotificationWS = exports.Event = exports.PayrollBusiness = exports.Cnbv = exports.DirectorySetting = exports.InvoiceCollector = exports.Collector = void 0;
+exports.Remittance = exports.PlatformRbac = exports.Rbac = exports.CognitoBackofficeConnector = exports.MessagesConnector = exports.Mdm = exports.MilestoneBusiness = exports.CirculoCredito = exports.CreditStatements = exports.Sentry = exports.AiEngine = exports.Funnel = exports.TeamsConnector = exports.PlatformErrorEvents = exports.CustomerFile = exports.CreditBackoffice = exports.CreditDashboard = exports.CreditEngine = exports.Credit = exports.ComissionBusiness = exports.ReferralBusiness = exports.ZendeskMessaging = exports.NotificationWS = exports.Event = exports.PayrollBusiness = exports.Cnbv = exports.DirectorySetting = exports.InvoiceCollector = exports.Collector = void 0;
 exports.Crypto = __importStar(require("./crypto"));
 exports.Account = __importStar(require("./account"));
 exports.Activity = __importStar(require("./activity"));
@@ -113,5 +113,13 @@ exports.CirculoCredito = __importStar(require("./circuloCredito"));
 exports.MilestoneBusiness = __importStar(require("./milestone-business"));
 exports.Mdm = __importStar(require("./mdm"));
 exports.MessagesConnector = __importStar(require("./messagesConnector"));
+exports.CognitoBackofficeConnector = __importStar(require("./cognitoBackofficeConnector"));
+exports.Rbac = __importStar(require("./rbac"));
+// PlatformRbac: módulo del lambda platform-rbac-business (Fase 0 SureKeep).
+// Contiene Permission enum + AuthContext + RoleAssignmentInfo + PermissionScope +
+// PermissionCategory + PermissionMeta + (futuro Fase 1.B) DTOs propios del rbac-business.
+// Coexiste con `Rbac` oficial cuando yhonhansen publique componente 01.
+// Cleanup del `Rbac` viejo planeado en bloque 13 post-gate (TD-RBAC en platform-rbac-business).
+exports.PlatformRbac = __importStar(require("./platformRbac"));
 exports.Remittance = __importStar(require("./remittance"));
 __exportStar(require("./messaging"), exports);

package/bin/platformRbac/dtos/AuthContext.d.ts ADDED Viewed

@@ -0,0 +1,21 @@
+import type { Permission } from '../enums/Permission';
+import type { RoleAssignmentInfo } from './RoleAssignmentInfo';
+/**
+ * Shape DESERIALIZADO del authorizer context.
+ * El authorizer Lambda (componente 07) lo construye + serializa; el helper
+ * `extractTenantContext` lo deserializa para los handlers business.
+ *
+ * En API Gateway authorizer.context todos los valores son strings:
+ * - `permissions` viaja como CSV (`"a.b.c,d.e.f,..."`).
+ * - `roleAssignments` viaja como JSON string.
+ * Este interface es la forma ya parseada.
+ */
+export interface AuthContext {
+    cognitoSub: string;
+    tenantId: string;
+    email: string;
+    roleAssignments: RoleAssignmentInfo[];
+    permissions: Permission[];
+    resolvedAt: string;
+    issuer?: string;
+}

package/bin/platformRbac/dtos/AuthContext.js ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ "use strict";
2	+ Object.defineProperty(exports, "__esModule", { value: true });

package/bin/platformRbac/dtos/PermissionMeta.d.ts ADDED Viewed

@@ -0,0 +1,19 @@
+import type { Permission } from '../enums/Permission';
+import type { PermissionScope } from '../enums/PermissionScope';
+import type { PermissionCategory } from '../enums/PermissionCategory';
+/**
+ * Metadata enriquecida de una permission del catálogo.
+ * Usado para:
+ * - Sync del enum a DDB `PlatformPermission_GT` al deploy.
+ * - UI del módulo rbac-admin: selector de permissions agrupado.
+ * - Reporting / docs.
+ */
+export interface PermissionMeta {
+    permissionKey: Permission;
+    displayName: string;
+    description: string;
+    category: PermissionCategory;
+    scope: PermissionScope;
+    platforms: string[];
+    isDeprecated?: boolean;
+}

package/bin/platformRbac/dtos/PermissionMeta.js ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ "use strict";
2	+ Object.defineProperty(exports, "__esModule", { value: true });

package/bin/platformRbac/dtos/RoleAssignmentInfo.d.ts ADDED Viewed

@@ -0,0 +1,11 @@
+import type { PermissionScope } from '../enums/PermissionScope';
+/**
+ * Una asignación de role a un user con scope específico.
+ * Shape que el authorizer Lambda (componente 07) serializa como JSON string
+ * dentro del API Gateway authorizer context.
+ */
+export interface RoleAssignmentInfo {
+    roleId: string;
+    scope: PermissionScope;
+    scopeRef: string;
+}

package/bin/platformRbac/dtos/RoleAssignmentInfo.js ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ "use strict";
2	+ Object.defineProperty(exports, "__esModule", { value: true });

package/bin/platformRbac/enums/Permission.d.ts ADDED Viewed

@@ -0,0 +1,93 @@
+/**
+ * Catálogo universal de permisos del sistema RBAC Fiado.
+ *
+ * Origen: componente 01 de Fase 0 SureKeep (spec maestro):
+ *   surekeep/docs/5_fases/00_fase0_cognito_rbac_users_mfa/componentes/01_typekit-rbac-additions.md
+ *
+ * Copy-paste literal de los 78 valores del spec (DEC-003).
+ * Convención: `<category>.<resource>.<action>` (snake_case en action si multi-palabra).
+ * Cualquier cambio aquí requiere PR + bump minor + redeploy de consumers.
+ *
+ * Coexiste con módulo `rbac/` oficial cuando yhonhansen publique componente 01 — TD-RBAC-002.
+ */
+export declare enum Permission {
+    RBAC_CATALOG_MANAGE = "rbac.catalog.manage",
+    PLATFORM_TENANT_CREATE = "platform.tenant.create",
+    PLATFORM_TENANT_LIST = "platform.tenant.list",
+    PLATFORM_TENANT_VIEW = "platform.tenant.view",
+    PLATFORM_TENANT_UPDATE = "platform.tenant.update",
+    PLATFORM_TENANT_SUSPEND = "platform.tenant.suspend",
+    PLATFORM_TENANT_ACTIVATE = "platform.tenant.activate",
+    PLATFORM_TENANT_ADMIN_REPLACE = "platform.tenant.admin.replace",
+    PLATFORM_COGNITO_POOL_MANAGE = "platform.cognito.pool.manage",
+    PLATFORM_COGNITO_POOL_LIST = "platform.cognito.pool.list",
+    PLATFORM_USER_CREATE = "platform.user.create",
+    PLATFORM_USER_LIST = "platform.user.list",
+    PLATFORM_USER_VIEW = "platform.user.view",
+    PLATFORM_USER_UPDATE = "platform.user.update",
+    PLATFORM_USER_DISABLE = "platform.user.disable",
+    PLATFORM_USER_ENABLE = "platform.user.enable",
+    PLATFORM_USER_DELETE = "platform.user.delete",
+    PLATFORM_ROLE_CREATE = "platform.role.create",
+    PLATFORM_ROLE_LIST = "platform.role.list",
+    PLATFORM_ROLE_UPDATE = "platform.role.update",
+    PLATFORM_ROLE_DELETE = "platform.role.delete",
+    PLATFORM_AUDIT_VIEW = "platform.audit.view",
+    TENANT_USER_CREATE = "tenant.user.create",
+    TENANT_USER_LIST = "tenant.user.list",
+    TENANT_USER_VIEW = "tenant.user.view",
+    TENANT_USER_UPDATE = "tenant.user.update",
+    TENANT_USER_DISABLE = "tenant.user.disable",
+    TENANT_USER_ENABLE = "tenant.user.enable",
+    TENANT_USER_DELETE = "tenant.user.delete",
+    TENANT_USER_MFA_RESET = "tenant.user.mfa.reset",
+    TENANT_USER_PASSWORD_RESET = "tenant.user.password.reset",
+    TENANT_ROLE_CREATE = "tenant.role.create",
+    TENANT_ROLE_LIST = "tenant.role.list",
+    TENANT_ROLE_UPDATE = "tenant.role.update",
+    TENANT_ROLE_DELETE = "tenant.role.delete",
+    TENANT_ROLE_VIEW = "tenant.role.view",
+    TENANT_ROLE_ASSIGN = "tenant.role.assign",
+    TENANT_ROLE_REVOKE = "tenant.role.revoke",
+    TENANT_SECURITY_POLICY_VIEW = "tenant.security.policy.view",
+    TENANT_SECURITY_POLICY_MANAGE = "tenant.security.policy.manage",
+    TENANT_BRANDING_MANAGE = "tenant.branding.manage",
+    TENANT_AUDIT_VIEW = "tenant.audit.view",
+    RETAIL_PRODUCT_CREATE = "retail.product.create",
+    RETAIL_PRODUCT_LIST = "retail.product.list",
+    RETAIL_PRODUCT_VIEW = "retail.product.view",
+    RETAIL_PRODUCT_UPDATE = "retail.product.update",
+    RETAIL_PRODUCT_DELETE = "retail.product.delete",
+    RETAIL_PRODUCT_MDM_CONFIG = "retail.product.mdm_config",
+    RETAIL_INVENTORY_LIST = "retail.inventory.list",
+    RETAIL_INVENTORY_VIEW = "retail.inventory.view",
+    RETAIL_INVENTORY_UPDATE = "retail.inventory.update",
+    RETAIL_SALE_CREATE = "retail.sale.create",
+    RETAIL_SALE_LIST = "retail.sale.list",
+    RETAIL_SALE_CANCEL = "retail.sale.cancel",
+    RETAIL_STORE_MANAGE = "retail.store.manage",
+    RETAIL_RETAILER_MANAGE = "retail.retailer.manage",
+    LEND_CREDIT_CREATE = "lend.credit.create",
+    LEND_CREDIT_LIST = "lend.credit.list",
+    LEND_CREDIT_VIEW = "lend.credit.view",
+    LEND_CREDIT_UPDATE = "lend.credit.update",
+    LEND_CREDIT_LIQUIDATE = "lend.credit.liquidate",
+    LEND_CREDIT_RESTRUCTURE = "lend.credit.restructure",
+    LEND_PAYMENT_APPLY = "lend.payment.apply",
+    LEND_PAYMENT_LIST = "lend.payment.list",
+    LEND_PAYMENT_REVERSE = "lend.payment.reverse",
+    LEND_INSTALLMENT_VIEW = "lend.installment.view",
+    MDM_DEVICE_ENROLL = "mdm.device.enroll",
+    MDM_DEVICE_RELEASE = "mdm.device.release",
+    MDM_DEVICE_ARCHIVE = "mdm.device.archive",
+    MDM_DEVICE_DEACTIVATE = "mdm.device.deactivate",
+    MDM_DEVICE_LOCK_MANUAL = "mdm.device.lock.manual",
+    MDM_DEVICE_UNLOCK_MANUAL = "mdm.device.unlock.manual",
+    MDM_DEVICE_PIN_UNLOCK = "mdm.device.pin_unlock",
+    MDM_DEVICE_EXTEND_VALIDITY = "mdm.device.extend_validity",
+    MDM_DEVICE_NOTIFY = "mdm.device.notify",
+    MDM_DEVICE_STATUS_VIEW = "mdm.device.status.view",
+    MDM_OPERATION_LOG_VIEW = "mdm.operation_log.view",
+    MDM_TEST = "mdm.test",
+    PAY_TRANSACTION_VIEW = "pay.transaction.view"
+}

package/bin/platformRbac/enums/Permission.js ADDED Viewed

@@ -0,0 +1,118 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.Permission = void 0;
+/**
+ * Catálogo universal de permisos del sistema RBAC Fiado.
+ *
+ * Origen: componente 01 de Fase 0 SureKeep (spec maestro):
+ *   surekeep/docs/5_fases/00_fase0_cognito_rbac_users_mfa/componentes/01_typekit-rbac-additions.md
+ *
+ * Copy-paste literal de los 78 valores del spec (DEC-003).
+ * Convención: `<category>.<resource>.<action>` (snake_case en action si multi-palabra).
+ * Cualquier cambio aquí requiere PR + bump minor + redeploy de consumers.
+ *
+ * Coexiste con módulo `rbac/` oficial cuando yhonhansen publique componente 01 — TD-RBAC-002.
+ */
+var Permission;
+(function (Permission) {
+    // ====================================================
+    // RBAC — gestión genérica del propio sistema RBAC
+    // ====================================================
+    Permission["RBAC_CATALOG_MANAGE"] = "rbac.catalog.manage";
+    // ====================================================
+    // PLATFORM — operaciones a nivel meta-plataforma (Fiado equipo)
+    // ====================================================
+    Permission["PLATFORM_TENANT_CREATE"] = "platform.tenant.create";
+    Permission["PLATFORM_TENANT_LIST"] = "platform.tenant.list";
+    Permission["PLATFORM_TENANT_VIEW"] = "platform.tenant.view";
+    Permission["PLATFORM_TENANT_UPDATE"] = "platform.tenant.update";
+    Permission["PLATFORM_TENANT_SUSPEND"] = "platform.tenant.suspend";
+    Permission["PLATFORM_TENANT_ACTIVATE"] = "platform.tenant.activate";
+    Permission["PLATFORM_TENANT_ADMIN_REPLACE"] = "platform.tenant.admin.replace";
+    Permission["PLATFORM_COGNITO_POOL_MANAGE"] = "platform.cognito.pool.manage";
+    Permission["PLATFORM_COGNITO_POOL_LIST"] = "platform.cognito.pool.list";
+    Permission["PLATFORM_USER_CREATE"] = "platform.user.create";
+    Permission["PLATFORM_USER_LIST"] = "platform.user.list";
+    Permission["PLATFORM_USER_VIEW"] = "platform.user.view";
+    Permission["PLATFORM_USER_UPDATE"] = "platform.user.update";
+    Permission["PLATFORM_USER_DISABLE"] = "platform.user.disable";
+    Permission["PLATFORM_USER_ENABLE"] = "platform.user.enable";
+    Permission["PLATFORM_USER_DELETE"] = "platform.user.delete";
+    Permission["PLATFORM_ROLE_CREATE"] = "platform.role.create";
+    Permission["PLATFORM_ROLE_LIST"] = "platform.role.list";
+    Permission["PLATFORM_ROLE_UPDATE"] = "platform.role.update";
+    Permission["PLATFORM_ROLE_DELETE"] = "platform.role.delete";
+    Permission["PLATFORM_AUDIT_VIEW"] = "platform.audit.view";
+    // ====================================================
+    // TENANT — operaciones dentro del silo de un tenant
+    // ====================================================
+    Permission["TENANT_USER_CREATE"] = "tenant.user.create";
+    Permission["TENANT_USER_LIST"] = "tenant.user.list";
+    Permission["TENANT_USER_VIEW"] = "tenant.user.view";
+    Permission["TENANT_USER_UPDATE"] = "tenant.user.update";
+    Permission["TENANT_USER_DISABLE"] = "tenant.user.disable";
+    Permission["TENANT_USER_ENABLE"] = "tenant.user.enable";
+    Permission["TENANT_USER_DELETE"] = "tenant.user.delete";
+    Permission["TENANT_USER_MFA_RESET"] = "tenant.user.mfa.reset";
+    Permission["TENANT_USER_PASSWORD_RESET"] = "tenant.user.password.reset";
+    Permission["TENANT_ROLE_CREATE"] = "tenant.role.create";
+    Permission["TENANT_ROLE_LIST"] = "tenant.role.list";
+    Permission["TENANT_ROLE_UPDATE"] = "tenant.role.update";
+    Permission["TENANT_ROLE_DELETE"] = "tenant.role.delete";
+    Permission["TENANT_ROLE_VIEW"] = "tenant.role.view";
+    Permission["TENANT_ROLE_ASSIGN"] = "tenant.role.assign";
+    Permission["TENANT_ROLE_REVOKE"] = "tenant.role.revoke";
+    Permission["TENANT_SECURITY_POLICY_VIEW"] = "tenant.security.policy.view";
+    Permission["TENANT_SECURITY_POLICY_MANAGE"] = "tenant.security.policy.manage";
+    Permission["TENANT_BRANDING_MANAGE"] = "tenant.branding.manage";
+    Permission["TENANT_AUDIT_VIEW"] = "tenant.audit.view";
+    // ====================================================
+    // RETAIL — catálogo + inventario + ventas
+    // ====================================================
+    Permission["RETAIL_PRODUCT_CREATE"] = "retail.product.create";
+    Permission["RETAIL_PRODUCT_LIST"] = "retail.product.list";
+    Permission["RETAIL_PRODUCT_VIEW"] = "retail.product.view";
+    Permission["RETAIL_PRODUCT_UPDATE"] = "retail.product.update";
+    Permission["RETAIL_PRODUCT_DELETE"] = "retail.product.delete";
+    Permission["RETAIL_PRODUCT_MDM_CONFIG"] = "retail.product.mdm_config";
+    Permission["RETAIL_INVENTORY_LIST"] = "retail.inventory.list";
+    Permission["RETAIL_INVENTORY_VIEW"] = "retail.inventory.view";
+    Permission["RETAIL_INVENTORY_UPDATE"] = "retail.inventory.update";
+    Permission["RETAIL_SALE_CREATE"] = "retail.sale.create";
+    Permission["RETAIL_SALE_LIST"] = "retail.sale.list";
+    Permission["RETAIL_SALE_CANCEL"] = "retail.sale.cancel";
+    Permission["RETAIL_STORE_MANAGE"] = "retail.store.manage";
+    Permission["RETAIL_RETAILER_MANAGE"] = "retail.retailer.manage";
+    // ====================================================
+    // LEND — créditos + cobranza
+    // ====================================================
+    Permission["LEND_CREDIT_CREATE"] = "lend.credit.create";
+    Permission["LEND_CREDIT_LIST"] = "lend.credit.list";
+    Permission["LEND_CREDIT_VIEW"] = "lend.credit.view";
+    Permission["LEND_CREDIT_UPDATE"] = "lend.credit.update";
+    Permission["LEND_CREDIT_LIQUIDATE"] = "lend.credit.liquidate";
+    Permission["LEND_CREDIT_RESTRUCTURE"] = "lend.credit.restructure";
+    Permission["LEND_PAYMENT_APPLY"] = "lend.payment.apply";
+    Permission["LEND_PAYMENT_LIST"] = "lend.payment.list";
+    Permission["LEND_PAYMENT_REVERSE"] = "lend.payment.reverse";
+    Permission["LEND_INSTALLMENT_VIEW"] = "lend.installment.view";
+    // ====================================================
+    // MDM — device management (subset especializado de LEND)
+    // ====================================================
+    Permission["MDM_DEVICE_ENROLL"] = "mdm.device.enroll";
+    Permission["MDM_DEVICE_RELEASE"] = "mdm.device.release";
+    Permission["MDM_DEVICE_ARCHIVE"] = "mdm.device.archive";
+    Permission["MDM_DEVICE_DEACTIVATE"] = "mdm.device.deactivate";
+    Permission["MDM_DEVICE_LOCK_MANUAL"] = "mdm.device.lock.manual";
+    Permission["MDM_DEVICE_UNLOCK_MANUAL"] = "mdm.device.unlock.manual";
+    Permission["MDM_DEVICE_PIN_UNLOCK"] = "mdm.device.pin_unlock";
+    Permission["MDM_DEVICE_EXTEND_VALIDITY"] = "mdm.device.extend_validity";
+    Permission["MDM_DEVICE_NOTIFY"] = "mdm.device.notify";
+    Permission["MDM_DEVICE_STATUS_VIEW"] = "mdm.device.status.view";
+    Permission["MDM_OPERATION_LOG_VIEW"] = "mdm.operation_log.view";
+    Permission["MDM_TEST"] = "mdm.test";
+    // ====================================================
+    // PAY — futuro FiadoPay (placeholder, no usado en MVP)
+    // ====================================================
+    Permission["PAY_TRANSACTION_VIEW"] = "pay.transaction.view";
+})(Permission || (exports.Permission = Permission = {}));

package/bin/platformRbac/enums/PermissionCategory.d.ts ADDED Viewed

@@ -0,0 +1,14 @@
+/**
+ * Categorías del catálogo de permissions (componente 01).
+ * TD-RBAC-005: `AUDIT` category sin permissions `audit.*` asociadas — drift consciente.
+ */
+export declare enum PermissionCategory {
+    RBAC = "rbac",
+    PLATFORM = "platform",
+    TENANT = "tenant",
+    RETAIL = "retail",
+    LEND = "lend",
+    MDM = "mdm",
+    AUDIT = "audit",
+    PAY = "pay"
+}

package/bin/platformRbac/enums/PermissionCategory.js ADDED Viewed

@@ -0,0 +1,18 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PermissionCategory = void 0;
+/**
+ * Categorías del catálogo de permissions (componente 01).
+ * TD-RBAC-005: `AUDIT` category sin permissions `audit.*` asociadas — drift consciente.
+ */
+var PermissionCategory;
+(function (PermissionCategory) {
+    PermissionCategory["RBAC"] = "rbac";
+    PermissionCategory["PLATFORM"] = "platform";
+    PermissionCategory["TENANT"] = "tenant";
+    PermissionCategory["RETAIL"] = "retail";
+    PermissionCategory["LEND"] = "lend";
+    PermissionCategory["MDM"] = "mdm";
+    PermissionCategory["AUDIT"] = "audit";
+    PermissionCategory["PAY"] = "pay";
+})(PermissionCategory || (exports.PermissionCategory = PermissionCategory = {}));

package/bin/platformRbac/enums/PermissionScope.d.ts ADDED Viewed

@@ -0,0 +1,10 @@
+/**
+ * Jerarquía: PLATFORM > TENANT > RETAILER > STORE.
+ * Componente 01 spec — copia exacta.
+ */
+export declare enum PermissionScope {
+    PLATFORM = "PLATFORM",
+    TENANT = "TENANT",
+    RETAILER = "RETAILER",
+    STORE = "STORE"
+}

package/bin/platformRbac/enums/PermissionScope.js ADDED Viewed

@@ -0,0 +1,14 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PermissionScope = void 0;
+/**
+ * Jerarquía: PLATFORM > TENANT > RETAILER > STORE.
+ * Componente 01 spec — copia exacta.
+ */
+var PermissionScope;
+(function (PermissionScope) {
+    PermissionScope["PLATFORM"] = "PLATFORM";
+    PermissionScope["TENANT"] = "TENANT";
+    PermissionScope["RETAILER"] = "RETAILER";
+    PermissionScope["STORE"] = "STORE";
+})(PermissionScope || (exports.PermissionScope = PermissionScope = {}));

package/bin/platformRbac/index.d.ts ADDED Viewed

@@ -0,0 +1,6 @@
+export { Permission } from './enums/Permission';
+export { PermissionScope } from './enums/PermissionScope';
+export { PermissionCategory } from './enums/PermissionCategory';
+export type { AuthContext } from './dtos/AuthContext';
+export type { RoleAssignmentInfo } from './dtos/RoleAssignmentInfo';
+export type { PermissionMeta } from './dtos/PermissionMeta';

package/bin/platformRbac/index.js ADDED Viewed

@@ -0,0 +1,18 @@
+"use strict";
+// platformRbac — módulo del lambda platform-rbac-business (Fase 0 SureKeep).
+//
+// Coexiste con `Rbac` oficial cuando yhonhansen publique componente 01 — TD-RBAC-002
+// del platform-rbac-business documenta la migración futura de los 4 símbolos cross-cutting
+// (Permission, PermissionScope, AuthContext, RoleAssignmentInfo) de aquí a `rbac/`.
+//
+// En Fase 1.A los DTOs propios del rbac-business (CreateTenantRequest, AssignRoleRequest,
+// EffectivePermissionsResponse, etc.) NO viven en este módulo todavía — se agregan en
+// Fase 1.B cuando los managers que los consumen se implementen.
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PermissionCategory = exports.PermissionScope = exports.Permission = void 0;
+var Permission_1 = require("./enums/Permission");
+Object.defineProperty(exports, "Permission", { enumerable: true, get: function () { return Permission_1.Permission; } });
+var PermissionScope_1 = require("./enums/PermissionScope");
+Object.defineProperty(exports, "PermissionScope", { enumerable: true, get: function () { return PermissionScope_1.PermissionScope; } });
+var PermissionCategory_1 = require("./enums/PermissionCategory");
+Object.defineProperty(exports, "PermissionCategory", { enumerable: true, get: function () { return PermissionCategory_1.PermissionCategory; } });

package/bin/rbac/enums/PoolKind.d.ts ADDED Viewed

@@ -0,0 +1,16 @@
+/**
+ * Tipo de User Pool de Cognito desde la perspectiva del modelo RBAC Fiado.
+ *
+ * Origen: spec del proyecto `cognito-backoffice-connector` (Fase 0, componente 01
+ * documento `docs/superpowers/specs/2026-05-26-cognito-connector-decisiones-pendientes-design.md`).
+ *
+ * Decisión (TD-003): el proyecto converge en estos 2 valores. El documento componente 03
+ * lista 3 valores (incluyendo una variante adicional) pero queda como outlier — la
+ * decisión vigente en los 6 docs restantes y en el plan de implementación es 2 valores:
+ *  - BACKOFFICE_PLATFORM — pool del backoffice de plataforma (cross-tenant)
+ *  - BACKOFFICE_TENANT — pool por tenant (multi-tenant isolation)
+ */
+export declare enum PoolKind {
+    BACKOFFICE_PLATFORM = "BACKOFFICE_PLATFORM",
+    BACKOFFICE_TENANT = "BACKOFFICE_TENANT"
+}

package/bin/rbac/enums/PoolKind.js ADDED Viewed

@@ -0,0 +1,20 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.PoolKind = void 0;
+/**
+ * Tipo de User Pool de Cognito desde la perspectiva del modelo RBAC Fiado.
+ *
+ * Origen: spec del proyecto `cognito-backoffice-connector` (Fase 0, componente 01
+ * documento `docs/superpowers/specs/2026-05-26-cognito-connector-decisiones-pendientes-design.md`).
+ *
+ * Decisión (TD-003): el proyecto converge en estos 2 valores. El documento componente 03
+ * lista 3 valores (incluyendo una variante adicional) pero queda como outlier — la
+ * decisión vigente en los 6 docs restantes y en el plan de implementación es 2 valores:
+ *  - BACKOFFICE_PLATFORM — pool del backoffice de plataforma (cross-tenant)
+ *  - BACKOFFICE_TENANT — pool por tenant (multi-tenant isolation)
+ */
+var PoolKind;
+(function (PoolKind) {
+    PoolKind["BACKOFFICE_PLATFORM"] = "BACKOFFICE_PLATFORM";
+    PoolKind["BACKOFFICE_TENANT"] = "BACKOFFICE_TENANT";
+})(PoolKind || (exports.PoolKind = PoolKind = {}));

package/bin/rbac/index.d.ts ADDED Viewed

	@@ -0,0 +1 @@
1	+ export * from './enums/PoolKind';

package/bin/rbac/index.js ADDED Viewed

@@ -0,0 +1,17 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./enums/PoolKind"), exports);

package/jest.config.js ADDED Viewed

@@ -0,0 +1,8 @@
+/** @type {import('jest').Config} */
+module.exports = {
+    preset: 'ts-jest',
+    testEnvironment: 'node',
+    roots: ['<rootDir>/_test_'],
+    testMatch: ['**/*.test.ts'],
+    moduleFileExtensions: ['ts', 'js', 'json'],
+};

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@fiado/type-kit",
-  "version": "3.37.0",
+  "version": "3.39.0",
   "description": "",
   "main": "bin/index.js",
   "types": "bin/index.d.ts",
@@ -13,8 +13,12 @@
   "author": "Fiado Inc",
   "license": "ISC",
   "devDependencies": {
+    "@types/jest": "^30.0.0",
     "@types/node": "^20.11.20",
     "install": "^0.13.0",
+    "jest": "^30.4.2",
+    "reflect-metadata": "^0.2.2",
+    "ts-jest": "^29.4.11",
     "typescript": "^5.3.3"
   },
   "dependencies": {

package/src/benefitCenter/dtos/BackofficeInputLabelsUpdateRequest.ts ADDED Viewed

@@ -0,0 +1,16 @@
+import { IsNotEmpty, IsObject } from "class-validator";
+/**
+ * Body de PUT /backoffice/leaves/{leafId}/input-labels.
+ *
+ * Override de los `label` del inputSchema, keyed por `key` de campo
+ * (ej. `{ "phoneNumber": "Tu número Telcel" }`). El conector guarda el map y
+ * lo aplica al construir el schema; los campos sin override mantienen el label
+ * generado.
+ */
+export class BackofficeInputLabelsUpdateRequest {
+    /** Map fieldKey → label. Los valores deben ser strings. */
+    @IsObject()
+    @IsNotEmpty()
+    labels!: Record<string, string>;
+}

package/src/benefitCenter/dtos/BackofficeLeafHelpImageUpdateRequest.ts ADDED Viewed

@@ -0,0 +1,13 @@
+import { IsNotEmpty, IsString } from "class-validator";
+/**
+ * Body de PUT /backoffice/leaves/{leafId}/help-image.
+ *
+ * Asigna la imagen de ayuda (`refSrc`) a TODOS los productos del servicio.
+ */
+export class BackofficeLeafHelpImageUpdateRequest {
+    /** URL pública de la imagen de ayuda (CloudFront) ya subida. */
+    @IsString()
+    @IsNotEmpty()
+    helpImage!: string;
+}

package/src/benefitCenter/dtos/BackofficeProductEnabledUpdateRequest.ts ADDED Viewed

@@ -0,0 +1,12 @@
+import { IsBoolean } from "class-validator";
+/**
+ * Body de PUT /backoffice/leaves/{leafId}/products/{productId}/enabled.
+ *
+ * Habilita/deshabilita UN producto. Un producto con `enabled=false` se oculta
+ * del catálogo público (la ausencia del campo = habilitado).
+ */
+export class BackofficeProductEnabledUpdateRequest {
+    @IsBoolean()
+    enabled!: boolean;
+}

package/src/benefitCenter/dtos/BackofficeProductHelpImageUpdateRequest.ts ADDED Viewed

@@ -0,0 +1,13 @@
+import { IsNotEmpty, IsString } from "class-validator";
+/**
+ * Body de PUT /backoffice/leaves/{leafId}/products/{productId}/help-image.
+ *
+ * Asigna la imagen de ayuda (`refSrc`) a UN producto específico del servicio.
+ */
+export class BackofficeProductHelpImageUpdateRequest {
+    /** URL pública de la imagen de ayuda (CloudFront) ya subida. */
+    @IsString()
+    @IsNotEmpty()
+    helpImage!: string;
+}