@fiado/type-kit 3.38.0 → 3.40.0

package/src/benefitCenter/dtos/LeafAssetUploadUrlRequest.ts

@@ -0,0 +1,23 @@
+import { IsEnum, IsNotEmpty, IsString } from "class-validator";
+import { LeafAssetKindEnum } from "../enums/LeafAssetKindEnum";
+
+/**
+ * Solicitud del backoffice para subir un asset de un leaf (logo o imagen de
+ * ayuda) directamente a S3. El backend responde con una presigned PUT URL y la
+ * URL pública final (CloudFront) que luego se asigna al leaf/producto.
+ */
+export class LeafAssetUploadUrlRequest {
+    /** Determina la subcarpeta S3 y el whitelist de MIME/tamaño. */
+    @IsEnum(LeafAssetKindEnum)
+    kind!: LeafAssetKindEnum;
+
+    /** MIME type del archivo (ej. "image/png"). Debe estar en el whitelist. */
+    @IsString()
+    @IsNotEmpty()
+    contentType!: string;
+
+    /** Extensión sin punto (ej. "png"). Se usa para componer la key en S3. */
+    @IsString()
+    @IsNotEmpty()
+    fileExtension!: string;
+}

package/src/benefitCenter/dtos/LeafAssetUploadUrlResponse.ts

@@ -0,0 +1,13 @@
+/**
+ * Respuesta con la presigned URL para subir el asset del leaf directamente a S3.
+ * El backoffice hace `PUT uploadUrl` con el `Content-Type` exacto solicitado y
+ * body binario (≤ maxSizeBytes). `publicUrl` (CloudFront) es la que se asigna
+ * luego al leaf (logo) o producto (helpImage).
+ */
+export class LeafAssetUploadUrlResponse {
+    uploadUrl: string;
+    publicUrl: string;
+    key: string;
+    expiresAt: string;
+    maxSizeBytes: number;
+}

package/src/benefitCenter/dtos/ProductItem.ts

@@ -8,4 +8,18 @@ export class ProductItem {
     amountType: AmountTypeEnum;
     logo: string;
     helpText: string;
+
+    /**
+     * Imagen de ayuda del producto (ej. dónde escanear la referencia/código).
+     * Mapea desde `refSrc` del catálogo nativo. Opcional/aditivo: ausente en
+     * datos viejos.
+     */
+    helpImage?: string;
+
+    /**
+     * Si el producto está habilitado. Opcional/aditivo: la AUSENCIA del campo
+     * se interpreta como habilitado (`true`). Solo `enabled === false` oculta
+     * el producto del catálogo público.
+     */
+    enabled?: boolean;
 }

package/src/benefitCenter/enums/LeafAssetKindEnum.ts

@@ -0,0 +1,12 @@
+/**
+ * Tipo de asset que el backoffice sube para un leaf del catálogo.
+ *
+ * Determina la subcarpeta en S3 (logos/ vs help-images/) y el whitelist de
+ * MIME types / tamaño de la presigned URL que devuelve el backend.
+ */
+export enum LeafAssetKindEnum {
+    /** Logo del servicio (ej. CALLPACKAGE). Va al campo `logo` del leaf. */
+    LOGO = "LOGO",
+    /** Imagen de ayuda del producto (dónde escanear la referencia). Va a `refSrc`. */
+    HELP_IMAGE = "HELP_IMAGE",
+}

package/src/benefitCenter/index.ts

@@ -12,6 +12,7 @@ export * from "./enums/FavoriteDisabledReasonEnum";
 export * from "./enums/BenefitPaymentStatusEnum";
 export * from "./enums/BenefitPaymentErrorCodeEnum";
 export * from "./enums/BannerAssetKindEnum";
+export * from "./enums/LeafAssetKindEnum";
 
 //DTOs
 export * from "./dtos/BenefitItem";
@@ -70,6 +71,14 @@ export * from "./dtos/BackofficeSubcategoryOrderUpdateRequest";
 export * from "./dtos/BackofficeSubcategoryOrdersResponse";
 //Admin leaves iteration-3 (v3.37.0): ordering por país + bulk reorder (drag-and-drop)
 export * from "./dtos/BackofficeSubcategoryReorderRequest";
+//Admin leaves iteration-4 (v3.39.0): assets (logo + help-image), product enable/disable, input label overrides
+export * from "./dtos/LeafAssetUploadUrlRequest";
+export * from "./dtos/LeafAssetUploadUrlResponse";
+export * from "./dtos/BackofficeSubcategoryLogoUpdateRequest";
+export * from "./dtos/BackofficeLeafHelpImageUpdateRequest";
+export * from "./dtos/BackofficeProductHelpImageUpdateRequest";
+export * from "./dtos/BackofficeProductEnabledUpdateRequest";
+export * from "./dtos/BackofficeInputLabelsUpdateRequest";
 //Banner assets upload (presigned PUT)
 export * from "./dtos/BannerUploadUrlRequest";
 export * from "./dtos/BannerUploadUrlResponse";

package/src/cognitoBackofficeConnector/dtos/AppClientConfig.ts

@@ -0,0 +1,22 @@
+import { Expose } from 'class-transformer';
+import { IsArray, IsBoolean, IsNumber, IsOptional, IsString } from 'class-validator';
+
+/**
+ * Config del único App Client del pool nuevo creado por POST /pools.
+ *
+ * NO expone `generateSecret` — el connector hardcodea `GenerateSecret: false`
+ * en el SDK call (BFF pattern: rbac llama al connector server-to-server vía
+ * api-invoker en VPC, sin SPA-to-Cognito directo que requiera client secret).
+ * Decisión arquitectónica A21 del connector. Si aparece consumer B2B/M2M con
+ * flow `client_credentials`, evaluar con líder + bump major del connector.
+ */
+export class AppClientConfig {
+    @Expose() @IsOptional() @IsString() clientName?: string;
+    @Expose() @IsArray() @IsString({ each: true }) explicitAuthFlows!: string[];
+    @Expose() @IsOptional() @IsString() tokenValidityUnits?: string;
+    @Expose() @IsOptional() @IsNumber() accessTokenValidity?: number;
+    @Expose() @IsOptional() @IsNumber() idTokenValidity?: number;
+    @Expose() @IsOptional() @IsNumber() refreshTokenValidity?: number;
+    @Expose() @IsOptional() @IsBoolean() preventUserExistenceErrors?: boolean;
+    @Expose() @IsOptional() @IsBoolean() enableTokenRevocation?: boolean;
+}

package/src/cognitoBackofficeConnector/dtos/AuthEventsRequest.ts

@@ -3,5 +3,6 @@ import { IsInt, IsNotEmpty, IsOptional, IsString, Max, Min } from 'class-validat
 
 export class AuthEventsRequest {
     @Expose() @IsString() @IsNotEmpty() userPoolId!: string;
+    @Expose() @IsString() @IsNotEmpty() region!: string;
     @Expose() @IsOptional() @IsInt() @Min(1) @Max(60) maxResults?: number;
 }

package/src/cognitoBackofficeConnector/dtos/ChangePasswordRequest.ts

@@ -2,6 +2,7 @@ import { Expose } from 'class-transformer';
 import { IsNotEmpty, IsString } from 'class-validator';
 
 export class ChangePasswordRequest {
+    @Expose() @IsString() @IsNotEmpty() region!: string;
     @Expose() @IsString() @IsNotEmpty() accessToken!: string;
     @Expose() @IsString() @IsNotEmpty() previousPassword!: string;
     @Expose() @IsString() @IsNotEmpty() proposedPassword!: string;

package/src/cognitoBackofficeConnector/dtos/ConfirmForgotPasswordRequest.ts

@@ -3,6 +3,7 @@ import { IsNotEmpty, IsString } from 'class-validator';
 
 export class ConfirmForgotPasswordRequest {
     @Expose() @IsString() @IsNotEmpty() userPoolId!: string;
+    @Expose() @IsString() @IsNotEmpty() region!: string;
     @Expose() @IsString() @IsNotEmpty() clientId!: string;
     @Expose() @IsString() @IsNotEmpty() username!: string;
     @Expose() @IsString() @IsNotEmpty() confirmationCode!: string;

package/src/cognitoBackofficeConnector/dtos/CreatePoolRequest.ts

@@ -0,0 +1,30 @@
+import { Expose, Type } from 'class-transformer';
+import { IsArray, IsString, ValidateNested } from 'class-validator';
+import { MfaPoolConfig } from './MfaPoolConfig';
+import { PasswordPolicyConfig } from './PasswordPolicyConfig';
+import { CustomAttributeSpec } from './CustomAttributeSpec';
+import { AppClientConfig } from './AppClientConfig';
+
+/**
+ * Request del endpoint POST /pools (pivote v1.4.1 stateless).
+ * Consumido por la saga `TenantOnboardingManager` del `platform-rbac-business`
+ * (Flujo 2 v1.2, PASO 4 de la saga). El connector ejecuta CreateUserPool +
+ * CreateUserPoolClient en secuencia. Si CreateUserPoolClient falla DESPUÉS de
+ * CreateUserPool exitoso, el connector hace DeleteUserPool de cleanup.
+ */
+export class CreatePoolRequest {
+    @Expose() @IsString() region!: string;
+    @Expose() @IsString() displayName!: string;
+
+    @Expose() @ValidateNested() @Type(() => MfaPoolConfig)
+    mfaConfig!: MfaPoolConfig;
+
+    @Expose() @ValidateNested() @Type(() => PasswordPolicyConfig)
+    passwordPolicy!: PasswordPolicyConfig;
+
+    @Expose() @IsArray() @ValidateNested({ each: true }) @Type(() => CustomAttributeSpec)
+    customAttributes!: CustomAttributeSpec[];
+
+    @Expose() @ValidateNested() @Type(() => AppClientConfig)
+    appClientConfig!: AppClientConfig;
+}

package/src/cognitoBackofficeConnector/dtos/CreatePoolResponse.ts

@@ -0,0 +1,13 @@
+/**
+ * Response del endpoint POST /pools (pivote v1.4.1 stateless).
+ *
+ * NO expone `clientSecret` — el SDK Cognito no lo devuelve cuando
+ * `GenerateSecret: false` (BFF pattern A21). Si aparece consumer B2B/M2M
+ * que requiera client secret, evaluar con líder + bump major del connector.
+ */
+export class CreatePoolResponse {
+    userPoolId!: string;
+    userPoolArn!: string;
+    appClientId!: string;
+    region!: string;
+}

package/src/cognitoBackofficeConnector/dtos/CreateUserRequest.ts

@@ -3,6 +3,7 @@ import { IsBoolean, IsEmail, IsNotEmpty, IsOptional, IsString, IsUUID } from 'cl
 
 export class CreateUserRequest {
     @Expose() @IsString() @IsNotEmpty() userPoolId!: string;
+    @Expose() @IsString() @IsNotEmpty() region!: string;
     @Expose() @IsEmail() email!: string;
     @Expose() @IsOptional() @IsString() displayName?: string;
     @Expose() @IsUUID() tenantId!: string;

package/src/cognitoBackofficeConnector/dtos/CustomAttributeSpec.ts

@@ -0,0 +1,12 @@
+import { Expose } from 'class-transformer';
+import { IsBoolean, IsIn, IsString } from 'class-validator';
+
+const ALLOWED_ATTR_TYPES = ['String', 'Number', 'Boolean', 'DateTime'] as const;
+export type AllowedAttrType = (typeof ALLOWED_ATTR_TYPES)[number];
+
+export class CustomAttributeSpec {
+    @Expose() @IsString() name!: string;
+    @Expose() @IsIn(ALLOWED_ATTR_TYPES) type!: AllowedAttrType;
+    @Expose() @IsBoolean() mutable!: boolean;
+    @Expose() @IsBoolean() required!: boolean;
+}

package/src/cognitoBackofficeConnector/dtos/DeletePoolRequest.ts

@@ -0,0 +1,16 @@
+import { Expose } from 'class-transformer';
+import { IsString } from 'class-validator';
+
+/**
+ * Request del endpoint DELETE /pools/:userPoolId?region=X (pivote v1.4.1 stateless).
+ * Consumido por compensation chain de la saga `TenantOnboardingManager` del
+ * `platform-rbac-business` cuando falla el paso 5 (CreateUser) o paso 6
+ * (TransactWriteItems) — ver Flujo 2 v1.2 del rbac.
+ *
+ * Requiere pool VACÍO (sin users). Si tiene users, AWS rechaza con
+ * ResourceInUseException → CognitoPoolNotEmptyError 409.
+ */
+export class DeletePoolRequest {
+    @Expose() @IsString() userPoolId!: string;
+    @Expose() @IsString() region!: string;
+}

package/src/cognitoBackofficeConnector/dtos/DeleteUserRequest.ts

@@ -3,4 +3,5 @@ import { IsNotEmpty, IsString } from 'class-validator';
 
 export class DeleteUserRequest {
     @Expose() @IsString() @IsNotEmpty() userPoolId!: string;
+    @Expose() @IsString() @IsNotEmpty() region!: string;
 }

package/src/cognitoBackofficeConnector/dtos/ForgotPasswordRequest.ts

@@ -3,6 +3,7 @@ import { IsNotEmpty, IsString } from 'class-validator';
 
 export class ForgotPasswordRequest {
     @Expose() @IsString() @IsNotEmpty() userPoolId!: string;
+    @Expose() @IsString() @IsNotEmpty() region!: string;
     @Expose() @IsString() @IsNotEmpty() clientId!: string;
     @Expose() @IsString() @IsNotEmpty() username!: string;
 }

package/src/cognitoBackofficeConnector/dtos/InitiateAuthRequest.ts

@@ -3,6 +3,7 @@ import { IsNotEmpty, IsString } from 'class-validator';
 
 export class InitiateAuthRequest {
     @Expose() @IsString() @IsNotEmpty() userPoolId!: string;
+    @Expose() @IsString() @IsNotEmpty() region!: string;
     @Expose() @IsString() @IsNotEmpty() clientId!: string;
     @Expose() @IsString() @IsNotEmpty() authFlow!: string;
     @Expose() @IsString() @IsNotEmpty() username!: string;

package/src/cognitoBackofficeConnector/dtos/MfaPoolConfig.ts

@@ -0,0 +1,16 @@
+import { Expose } from 'class-transformer';
+import { IsArray, IsBoolean, IsIn, Validate } from 'class-validator';
+import { MfaTypesRequiresOne } from '../validators/MfaTypesRequiresOne';
+
+const ALLOWED_MFA_TYPES = ['SOFTWARE_TOKEN_MFA', 'EMAIL_OTP'] as const;
+export type AllowedMfaType = (typeof ALLOWED_MFA_TYPES)[number];
+
+export class MfaPoolConfig {
+    @Expose() @IsBoolean() requireMfa!: boolean;
+
+    @Expose()
+    @IsArray()
+    @IsIn(ALLOWED_MFA_TYPES, { each: true })
+    @Validate(MfaTypesRequiresOne)
+    mfaTypes!: AllowedMfaType[];
+}

package/src/cognitoBackofficeConnector/dtos/MfaResetRequest.ts

@@ -3,4 +3,5 @@ import { IsNotEmpty, IsString } from 'class-validator';
 
 export class MfaResetRequest {
     @Expose() @IsString() @IsNotEmpty() userPoolId!: string;
+    @Expose() @IsString() @IsNotEmpty() region!: string;
 }

package/src/cognitoBackofficeConnector/dtos/PasswordPolicyConfig.ts

@@ -0,0 +1,11 @@
+import { Expose } from 'class-transformer';
+import { IsBoolean, IsNumber, Max, Min } from 'class-validator';
+
+export class PasswordPolicyConfig {
+    @Expose() @IsNumber() @Min(6) @Max(99) minLength!: number;
+    @Expose() @IsBoolean() requireUppercase!: boolean;
+    @Expose() @IsBoolean() requireLowercase!: boolean;
+    @Expose() @IsBoolean() requireNumbers!: boolean;
+    @Expose() @IsBoolean() requireSymbols!: boolean;
+    @Expose() @IsNumber() @Min(1) @Max(365) temporaryPasswordValidityDays!: number;
+}

package/src/cognitoBackofficeConnector/dtos/RefreshTokensRequest.ts

@@ -3,6 +3,7 @@ import { IsNotEmpty, IsString } from 'class-validator';
 
 export class RefreshTokensRequest {
     @Expose() @IsString() @IsNotEmpty() userPoolId!: string;
+    @Expose() @IsString() @IsNotEmpty() region!: string;
     @Expose() @IsString() @IsNotEmpty() clientId!: string;
     @Expose() @IsString() @IsNotEmpty() refreshToken!: string;
 }

package/src/cognitoBackofficeConnector/dtos/ResendConfirmationRequest.ts

@@ -3,6 +3,7 @@ import { IsNotEmpty, IsString } from 'class-validator';
 
 export class ResendConfirmationRequest {
     @Expose() @IsString() @IsNotEmpty() userPoolId!: string;
+    @Expose() @IsString() @IsNotEmpty() region!: string;
     @Expose() @IsString() @IsNotEmpty() clientId!: string;
     @Expose() @IsString() @IsNotEmpty() username!: string;
 }

package/src/cognitoBackofficeConnector/dtos/ResendInvitationRequest.ts

@@ -3,4 +3,5 @@ import { IsNotEmpty, IsString } from 'class-validator';
 
 export class ResendInvitationRequest {
     @Expose() @IsString() @IsNotEmpty() userPoolId!: string;
+    @Expose() @IsString() @IsNotEmpty() region!: string;
 }

package/src/cognitoBackofficeConnector/dtos/RespondToChallengeRequest.ts

@@ -4,6 +4,7 @@ import { CognitoChallengeType } from '../enums/CognitoChallengeType';
 
 export class RespondToChallengeRequest {
     @Expose() @IsString() @IsNotEmpty() userPoolId!: string;
+    @Expose() @IsString() @IsNotEmpty() region!: string;
     @Expose() @IsString() @IsNotEmpty() clientId!: string;
     @Expose() @IsEnum(CognitoChallengeType) challengeName!: CognitoChallengeType;
     @Expose() @IsString() @IsNotEmpty() session!: string;

package/src/cognitoBackofficeConnector/dtos/SetMfaPreferenceRequest.ts

@@ -3,6 +3,7 @@ import { IsBoolean, IsIn, IsNotEmpty, IsOptional, IsString } from 'class-validat
 
 export class SetMfaPreferenceRequest {
     @Expose() @IsString() @IsNotEmpty() userPoolId!: string;
+    @Expose() @IsString() @IsNotEmpty() region!: string;
     @Expose() @IsString() @IsNotEmpty() cognitoSub!: string;
     @Expose() @IsBoolean() softwareTokenEnabled!: boolean;
     @Expose() @IsBoolean() emailEnabled!: boolean;

package/src/cognitoBackofficeConnector/dtos/TotpBeginRequest.ts

@@ -3,5 +3,6 @@ import { IsNotEmpty, IsString } from 'class-validator';
 
 export class TotpBeginRequest {
     @Expose() @IsString() @IsNotEmpty() userPoolId!: string;
+    @Expose() @IsString() @IsNotEmpty() region!: string;
     @Expose() @IsString() @IsNotEmpty() accessToken!: string;
 }

package/src/cognitoBackofficeConnector/dtos/TotpVerifyRequest.ts

@@ -2,6 +2,7 @@ import { Expose } from 'class-transformer';
 import { IsNotEmpty, IsOptional, IsString } from 'class-validator';
 
 export class TotpVerifyRequest {
+    @Expose() @IsString() @IsNotEmpty() region!: string;
     @Expose() @IsString() @IsNotEmpty() accessToken!: string;
     @Expose() @IsString() @IsNotEmpty() userCode!: string;
     @Expose() @IsOptional() @IsString() friendlyDeviceName?: string;

package/src/cognitoBackofficeConnector/dtos/UpdateEmailRequest.ts

@@ -2,6 +2,7 @@ import { Expose } from 'class-transformer';
 import { IsEmail, IsNotEmpty, IsString } from 'class-validator';
 
 export class UpdateEmailRequest {
+    @Expose() @IsString() @IsNotEmpty() region!: string;
     @Expose() @IsString() @IsNotEmpty() accessToken!: string;
     @Expose() @IsEmail() newEmail!: string;
 }

package/src/cognitoBackofficeConnector/dtos/UpdateProfileRequest.ts

@@ -8,6 +8,7 @@ import { IsNotEmpty, IsOptional, IsString } from 'class-validator';
  * benignos.
  */
 export class UpdateProfileRequest {
+    @Expose() @IsString() @IsNotEmpty() region!: string;
     @Expose() @IsString() @IsNotEmpty() accessToken!: string;
     @Expose() @IsOptional() @IsString() displayName?: string;
     @Expose() @IsOptional() @IsString() phoneNumber?: string;

package/src/cognitoBackofficeConnector/dtos/UpdateUserAttributesRequest.ts

@@ -4,6 +4,7 @@ import { NoTenantIdInCustomAttrs } from '../validators/NoTenantIdInCustomAttrs';
 
 export class UpdateUserAttributesRequest {
     @Expose() @IsString() @IsNotEmpty() userPoolId!: string;
+    @Expose() @IsString() @IsNotEmpty() region!: string;
     @Expose() @IsOptional() @IsString() displayName?: string;
     @Expose() @IsOptional() @IsString() phoneNumber?: string;
     @Expose() @IsOptional() @IsObject() @Validate(NoTenantIdInCustomAttrs)

package/src/cognitoBackofficeConnector/dtos/UserActionRequest.ts

@@ -8,4 +8,5 @@ import { IsNotEmpty, IsString } from 'class-validator';
  */
 export class UserActionRequest {
     @Expose() @IsString() @IsNotEmpty() userPoolId!: string;
+    @Expose() @IsString() @IsNotEmpty() region!: string;
 }

package/src/cognitoBackofficeConnector/dtos/VerifyEmailRequest.ts

@@ -2,6 +2,7 @@ import { Expose } from 'class-transformer';
 import { IsNotEmpty, IsString } from 'class-validator';
 
 export class VerifyEmailRequest {
+    @Expose() @IsString() @IsNotEmpty() region!: string;
     @Expose() @IsString() @IsNotEmpty() accessToken!: string;
     @Expose() @IsString() @IsNotEmpty() confirmationCode!: string;
 }

package/src/cognitoBackofficeConnector/index.ts

@@ -10,6 +10,7 @@
 export * from './enums/CognitoChallengeType';
 export * from './enums/CognitoUserStatus';
 export * from './validators/NoTenantIdInCustomAttrs';
+export * from './validators/MfaTypesRequiresOne';
 export * from './dtos/CreateUserRequest';
 export * from './dtos/CreateUserResponse';
 export * from './dtos/UpdateUserAttributesRequest';
@@ -39,6 +40,11 @@ export * from './dtos/MfaResetRequest';
 export * from './dtos/UpdateEmailRequest';
 export * from './dtos/VerifyEmailRequest';
 export * from './dtos/UpdateProfileRequest';
-export * from './dtos/PoolConfigResponse';
-export * from './dtos/PoolsListResponse';
 export * from './dtos/HealthcheckResponse';
+export * from './dtos/MfaPoolConfig';
+export * from './dtos/PasswordPolicyConfig';
+export * from './dtos/CustomAttributeSpec';
+export * from './dtos/AppClientConfig';
+export * from './dtos/CreatePoolRequest';
+export * from './dtos/CreatePoolResponse';
+export * from './dtos/DeletePoolRequest';

package/src/cognitoBackofficeConnector/validators/MfaTypesRequiresOne.ts

@@ -0,0 +1,29 @@
+import { ValidatorConstraint, ValidatorConstraintInterface, ValidationArguments } from 'class-validator';
+
+/**
+ * Cross-field validator: si `requireMfa: true`, entonces `mfaTypes` debe tener
+ * al menos 1 elemento. Si `requireMfa: false`, `mfaTypes` puede ser vacío.
+ *
+ * Razón: cuando el pool nace con MFA habilitado, el connector llama
+ * `SetUserPoolMfaConfigCommand` con la lista de tipos del DTO. Si el array
+ * llega vacío con `requireMfa: true`, el SDK rechaza con InvalidParameterException
+ * y el pool queda en estado inconsistente (MfaConfiguration:'ON' sin tipos).
+ * Mejor rechazar en validación del DTO antes de tocar AWS.
+ *
+ * Ver pivote v1.4.1 TD-017 cerrado + spec doc §1 R3.
+ */
+@ValidatorConstraint({ name: 'MfaTypesRequiresOneWhenMfaRequired', async: false })
+export class MfaTypesRequiresOne implements ValidatorConstraintInterface {
+    validate(mfaTypes: unknown, args: ValidationArguments): boolean {
+        const obj = args.object as { requireMfa?: boolean };
+        if (obj.requireMfa === true) {
+            return Array.isArray(mfaTypes) && mfaTypes.length >= 1;
+        }
+        // requireMfa: false → cualquier mfaTypes pasa.
+        return true;
+    }
+
+    defaultMessage(): string {
+        return 'mfaTypes requiere al menos un tipo cuando requireMfa=true';
+    }
+}

package/src/index.ts

@@ -75,5 +75,11 @@ export * as Mdm from './mdm';
 export * as MessagesConnector from './messagesConnector';
 export * as CognitoBackofficeConnector from './cognitoBackofficeConnector';
 export * as Rbac from './rbac';
+// PlatformRbac: módulo del lambda platform-rbac-business (Fase 0 SureKeep).
+// Contiene Permission enum + AuthContext + RoleAssignmentInfo + PermissionScope +
+// PermissionCategory + PermissionMeta + (futuro Fase 1.B) DTOs propios del rbac-business.
+// Coexiste con `Rbac` oficial cuando yhonhansen publique componente 01.
+// Cleanup del `Rbac` viejo planeado en bloque 13 post-gate (TD-RBAC en platform-rbac-business).
+export * as PlatformRbac from './platformRbac';
 export * as Remittance from './remittance';
 export * from './messaging';

package/src/platformRbac/dtos/AuthContext.ts

@@ -0,0 +1,22 @@
+import type { Permission } from '../enums/Permission';
+import type { RoleAssignmentInfo } from './RoleAssignmentInfo';
+
+/**
+ * Shape DESERIALIZADO del authorizer context.
+ * El authorizer Lambda (componente 07) lo construye + serializa; el helper
+ * `extractTenantContext` lo deserializa para los handlers business.
+ *
+ * En API Gateway authorizer.context todos los valores son strings:
+ * - `permissions` viaja como CSV (`"a.b.c,d.e.f,..."`).
+ * - `roleAssignments` viaja como JSON string.
+ * Este interface es la forma ya parseada.
+ */
+export interface AuthContext {
+    cognitoSub: string;
+    tenantId: string;
+    email: string;
+    roleAssignments: RoleAssignmentInfo[];
+    permissions: Permission[];
+    resolvedAt: string;
+    issuer?: string;
+}

package/src/platformRbac/dtos/PermissionMeta.ts

@@ -0,0 +1,20 @@
+import type { Permission } from '../enums/Permission';
+import type { PermissionScope } from '../enums/PermissionScope';
+import type { PermissionCategory } from '../enums/PermissionCategory';
+
+/**
+ * Metadata enriquecida de una permission del catálogo.
+ * Usado para:
+ * - Sync del enum a DDB `PlatformPermission_GT` al deploy.
+ * - UI del módulo rbac-admin: selector de permissions agrupado.
+ * - Reporting / docs.
+ */
+export interface PermissionMeta {
+    permissionKey: Permission;
+    displayName: string;
+    description: string;
+    category: PermissionCategory;
+    scope: PermissionScope;
+    platforms: string[];
+    isDeprecated?: boolean;
+}

package/src/platformRbac/dtos/RoleAssignmentInfo.ts

@@ -0,0 +1,12 @@
+import type { PermissionScope } from '../enums/PermissionScope';
+
+/**
+ * Una asignación de role a un user con scope específico.
+ * Shape que el authorizer Lambda (componente 07) serializa como JSON string
+ * dentro del API Gateway authorizer context.
+ */
+export interface RoleAssignmentInfo {
+    roleId: string;
+    scope: PermissionScope;
+    scopeRef: string;
+}