@fiado/type-kit 3.41.0 → 3.43.1

package/bin/platformRbac/auth/VerifyChallengeResponse.js

@@ -0,0 +1,20 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.VerifyChallengeResponse = void 0;
+const class_validator_1 = require("class-validator");
+class VerifyChallengeResponse {
+}
+exports.VerifyChallengeResponse = VerifyChallengeResponse;
+__decorate([
+    (0, class_validator_1.IsBoolean)(),
+    __metadata("design:type", Boolean)
+], VerifyChallengeResponse.prototype, "answerCorrect", void 0);

package/bin/platformRbac/enums/ChallengeNameEnum.d.ts

@@ -0,0 +1,7 @@
+export declare enum ChallengeNameEnum {
+    PASSWORD = "PASSWORD",
+    EMAIL_OTP = "EMAIL_OTP",
+    TOTP = "TOTP",
+    NEW_PASSWORD_REQUIRED = "NEW_PASSWORD_REQUIRED",
+    RESET_PASSWORD = "RESET_PASSWORD"
+}

package/bin/platformRbac/enums/ChallengeNameEnum.js

@@ -0,0 +1,11 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ChallengeNameEnum = void 0;
+var ChallengeNameEnum;
+(function (ChallengeNameEnum) {
+    ChallengeNameEnum["PASSWORD"] = "PASSWORD";
+    ChallengeNameEnum["EMAIL_OTP"] = "EMAIL_OTP";
+    ChallengeNameEnum["TOTP"] = "TOTP";
+    ChallengeNameEnum["NEW_PASSWORD_REQUIRED"] = "NEW_PASSWORD_REQUIRED";
+    ChallengeNameEnum["RESET_PASSWORD"] = "RESET_PASSWORD";
+})(ChallengeNameEnum || (exports.ChallengeNameEnum = ChallengeNameEnum = {}));

package/bin/platformRbac/enums/MfaMethodEnum.d.ts

@@ -0,0 +1,4 @@
+export declare enum MfaMethodEnum {
+    EMAIL_OTP = "EMAIL_OTP",
+    TOTP = "TOTP"
+}

package/bin/platformRbac/enums/MfaMethodEnum.js

@@ -0,0 +1,8 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.MfaMethodEnum = void 0;
+var MfaMethodEnum;
+(function (MfaMethodEnum) {
+    MfaMethodEnum["EMAIL_OTP"] = "EMAIL_OTP";
+    MfaMethodEnum["TOTP"] = "TOTP";
+})(MfaMethodEnum || (exports.MfaMethodEnum = MfaMethodEnum = {}));

package/bin/platformRbac/index.d.ts

@@ -4,3 +4,17 @@ export { PermissionCategory } from './enums/PermissionCategory';
 export type { AuthContext } from './dtos/AuthContext';
 export type { RoleAssignmentInfo } from './dtos/RoleAssignmentInfo';
 export type { PermissionMeta } from './dtos/PermissionMeta';
+export * from './enums/MfaMethodEnum';
+export * from './enums/ChallengeNameEnum';
+export * from './auth/DefineNextChallengeRequest';
+export * from './auth/DefineNextChallengeResponse';
+export * from './auth/PrepareChallengeRequest';
+export * from './auth/PrepareChallengeResponse';
+export * from './auth/VerifyChallengeRequest';
+export * from './auth/VerifyChallengeResponse';
+export * from './auth/NewPasswordRequest';
+export * from './auth/ResetPasswordRequest';
+export * from './mfa/EnrollTotpResponse';
+export * from './mfa/VerifyTotpEnrollmentRequest';
+export * from './mfa/ChangeMfaMethodRequest';
+export * from './mfa/MfaStatusResponse';

package/bin/platformRbac/index.js

@@ -8,6 +8,20 @@
 // En Fase 1.A los DTOs propios del rbac-business (CreateTenantRequest, AssignRoleRequest,
 // EffectivePermissionsResponse, etc.) NO viven en este módulo todavía — se agregan en
 // Fase 1.B cuando los managers que los consumen se implementen.
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.PermissionCategory = exports.PermissionScope = exports.Permission = void 0;
 var Permission_1 = require("./enums/Permission");
@@ -16,3 +30,19 @@ var PermissionScope_1 = require("./enums/PermissionScope");
 Object.defineProperty(exports, "PermissionScope", { enumerable: true, get: function () { return PermissionScope_1.PermissionScope; } });
 var PermissionCategory_1 = require("./enums/PermissionCategory");
 Object.defineProperty(exports, "PermissionCategory", { enumerable: true, get: function () { return PermissionCategory_1.PermissionCategory; } });
+// Fase 1 — Custom Auth Challenge (Email OTP + TOTP) + MFA self-service.
+// Class values (no type-only) — los DTOs llevan decoradores class-validator y se hidratan con plainToInstance en runtime.
+__exportStar(require("./enums/MfaMethodEnum"), exports);
+__exportStar(require("./enums/ChallengeNameEnum"), exports);
+__exportStar(require("./auth/DefineNextChallengeRequest"), exports);
+__exportStar(require("./auth/DefineNextChallengeResponse"), exports);
+__exportStar(require("./auth/PrepareChallengeRequest"), exports);
+__exportStar(require("./auth/PrepareChallengeResponse"), exports);
+__exportStar(require("./auth/VerifyChallengeRequest"), exports);
+__exportStar(require("./auth/VerifyChallengeResponse"), exports);
+__exportStar(require("./auth/NewPasswordRequest"), exports);
+__exportStar(require("./auth/ResetPasswordRequest"), exports);
+__exportStar(require("./mfa/EnrollTotpResponse"), exports);
+__exportStar(require("./mfa/VerifyTotpEnrollmentRequest"), exports);
+__exportStar(require("./mfa/ChangeMfaMethodRequest"), exports);
+__exportStar(require("./mfa/MfaStatusResponse"), exports);

package/bin/platformRbac/mfa/ChangeMfaMethodRequest.d.ts

@@ -0,0 +1,5 @@
+import { MfaMethodEnum } from '../enums/MfaMethodEnum';
+export declare class ChangeMfaMethodRequest {
+    newMethod: MfaMethodEnum;
+    verificationCode: string;
+}

package/bin/platformRbac/mfa/ChangeMfaMethodRequest.js

@@ -0,0 +1,25 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ChangeMfaMethodRequest = void 0;
+const class_validator_1 = require("class-validator");
+const MfaMethodEnum_1 = require("../enums/MfaMethodEnum");
+class ChangeMfaMethodRequest {
+}
+exports.ChangeMfaMethodRequest = ChangeMfaMethodRequest;
+__decorate([
+    (0, class_validator_1.IsEnum)(MfaMethodEnum_1.MfaMethodEnum),
+    __metadata("design:type", String)
+], ChangeMfaMethodRequest.prototype, "newMethod", void 0);
+__decorate([
+    (0, class_validator_1.IsString)(),
+    __metadata("design:type", String)
+], ChangeMfaMethodRequest.prototype, "verificationCode", void 0);

package/bin/platformRbac/mfa/EnrollTotpResponse.d.ts

@@ -0,0 +1,5 @@
+export declare class EnrollTotpResponse {
+    qrCodeDataUrl: string;
+    secret: string;
+    issuer: string;
+}

package/bin/platformRbac/mfa/EnrollTotpResponse.js

@@ -0,0 +1,28 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.EnrollTotpResponse = void 0;
+const class_validator_1 = require("class-validator");
+class EnrollTotpResponse {
+}
+exports.EnrollTotpResponse = EnrollTotpResponse;
+__decorate([
+    (0, class_validator_1.IsString)(),
+    __metadata("design:type", String)
+], EnrollTotpResponse.prototype, "qrCodeDataUrl", void 0);
+__decorate([
+    (0, class_validator_1.IsString)(),
+    __metadata("design:type", String)
+], EnrollTotpResponse.prototype, "secret", void 0);
+__decorate([
+    (0, class_validator_1.IsString)(),
+    __metadata("design:type", String)
+], EnrollTotpResponse.prototype, "issuer", void 0);

package/bin/platformRbac/mfa/MfaStatusResponse.d.ts

@@ -0,0 +1,6 @@
+import { MfaMethodEnum } from '../enums/MfaMethodEnum';
+export declare class MfaStatusResponse {
+    currentMethod: MfaMethodEnum;
+    availableMethods: MfaMethodEnum[];
+    recoveryCodesRemaining: number;
+}

package/bin/platformRbac/mfa/MfaStatusResponse.js

@@ -0,0 +1,30 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.MfaStatusResponse = void 0;
+const class_validator_1 = require("class-validator");
+const MfaMethodEnum_1 = require("../enums/MfaMethodEnum");
+class MfaStatusResponse {
+}
+exports.MfaStatusResponse = MfaStatusResponse;
+__decorate([
+    (0, class_validator_1.IsEnum)(MfaMethodEnum_1.MfaMethodEnum),
+    __metadata("design:type", String)
+], MfaStatusResponse.prototype, "currentMethod", void 0);
+__decorate([
+    (0, class_validator_1.IsArray)(),
+    (0, class_validator_1.IsEnum)(MfaMethodEnum_1.MfaMethodEnum, { each: true }),
+    __metadata("design:type", Array)
+], MfaStatusResponse.prototype, "availableMethods", void 0);
+__decorate([
+    (0, class_validator_1.IsNumber)(),
+    __metadata("design:type", Number)
+], MfaStatusResponse.prototype, "recoveryCodesRemaining", void 0);

package/bin/platformRbac/mfa/VerifyTotpEnrollmentRequest.d.ts

@@ -0,0 +1,3 @@
+export declare class VerifyTotpEnrollmentRequest {
+    totpCode: string;
+}

package/bin/platformRbac/mfa/VerifyTotpEnrollmentRequest.js

@@ -0,0 +1,21 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.VerifyTotpEnrollmentRequest = void 0;
+const class_validator_1 = require("class-validator");
+class VerifyTotpEnrollmentRequest {
+}
+exports.VerifyTotpEnrollmentRequest = VerifyTotpEnrollmentRequest;
+__decorate([
+    (0, class_validator_1.IsString)(),
+    (0, class_validator_1.Length)(6, 6),
+    __metadata("design:type", String)
+], VerifyTotpEnrollmentRequest.prototype, "totpCode", void 0);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@fiado/type-kit",
-  "version": "3.41.0",
+  "version": "3.43.1",
   "description": "",
   "main": "bin/index.js",
   "types": "bin/index.d.ts",

package/src/benefitCenter/dtos/BackofficeLeafCreateRequest.ts

@@ -0,0 +1,90 @@
+import {
+    ArrayNotEmpty,
+    IsArray,
+    IsBoolean,
+    IsEnum,
+    IsInt,
+    IsNotEmpty,
+    IsOptional,
+    IsString,
+    Min,
+    ValidateNested,
+} from "class-validator";
+import { Type } from "class-transformer";
+import { Provider } from "../../provider/enums/Provider";
+import { BackofficeProductCreateItem } from "./BackofficeProductCreateItem";
+
+/**
+ * Body de POST /backoffice/leaves — alta manual de un servicio nuevo en el
+ * catálogo, en forma estándar. bmb rutea por `provider` al conector destino,
+ * que traduce a su forma nativa y persiste.
+ *
+ * `serviceId` (idServicio) y los `productId` vienen del Excel del proveedor
+ * (ids reales). Si el `serviceId` ya existe → 409 (no sobrescribe).
+ */
+export class BackofficeLeafCreateRequest {
+    /** Determina el conector destino (STP vs multicomm). */
+    @IsEnum(Provider)
+    provider!: Provider;
+
+    /** "ben-3" (recargas) | "ben-6" (pagos). */
+    @IsString()
+    @IsNotEmpty()
+    benefitId!: string;
+
+    /** idServicio real del proveedor (del Excel). */
+    @IsString()
+    @IsNotEmpty()
+    serviceId!: string;
+
+    @IsString()
+    @IsNotEmpty()
+    serviceName!: string;
+
+    @IsString()
+    @IsNotEmpty()
+    category!: string;
+
+    @IsString()
+    @IsNotEmpty()
+    subcategory!: string;
+
+    /** Código de moneda ISO (ej. "MXN", "USD"). */
+    @IsString()
+    @IsNotEmpty()
+    currency!: string;
+
+    /** Código ISO numérico del país destino (ej. "484"). */
+    @IsString()
+    @IsNotEmpty()
+    countryId!: string;
+
+    /** Logo del servicio (→ logoSrc). */
+    @IsOptional()
+    @IsString()
+    logo?: string;
+
+    /** Orden del servicio dentro de su subcategoría. Default 1. */
+    @IsOptional()
+    @IsInt()
+    @Min(0)
+    serviceOrder?: number;
+
+    /** Orden de la subcategoría. Default 1. */
+    @IsOptional()
+    @IsInt()
+    @Min(0)
+    subcategoryOrder?: number;
+
+    /** Habilitado en el catálogo público. Default true. */
+    @IsOptional()
+    @IsBoolean()
+    enabled?: boolean;
+
+    /** Productos del servicio (≥1). */
+    @IsArray()
+    @ArrayNotEmpty()
+    @ValidateNested({ each: true })
+    @Type(() => BackofficeProductCreateItem)
+    products!: BackofficeProductCreateItem[];
+}

package/src/benefitCenter/dtos/BackofficeProductCreateItem.ts

@@ -0,0 +1,77 @@
+import {
+    IsBoolean,
+    IsEnum,
+    IsNotEmpty,
+    IsNumber,
+    IsOptional,
+    IsString,
+    Min,
+} from "class-validator";
+import { AmountTypeEnum } from "../../servicePayment/enums/AmountTypeEnum";
+import { ReferenceTypeEnum } from "../enums/ReferenceTypeEnum";
+
+/**
+ * Un producto que la jefa captura al crear un servicio manualmente. Forma
+ * estándar: el conector lo traduce a su `productoDTOList` nativo.
+ *
+ * `productId` es el id real del proveedor (viene en el Excel), igual que el
+ * `serviceId` del servicio.
+ */
+export class BackofficeProductCreateItem {
+    /** idProducto real del proveedor (del Excel). */
+    @IsString()
+    @IsNotEmpty()
+    productId!: string;
+
+    @IsString()
+    @IsNotEmpty()
+    productName!: string;
+
+    /** Precio del producto (0 para monto VARIABLE). */
+    @IsNumber()
+    @Min(0)
+    price!: number;
+
+    /** Comisión. Default 0 si se omite. */
+    @IsOptional()
+    @IsNumber()
+    @Min(0)
+    fee?: number;
+
+    @IsEnum(AmountTypeEnum)
+    amountType!: AmountTypeEnum;
+
+    /** Tipo de referencia (→ tipoReferencia nativo; define el input de la app). */
+    @IsEnum(ReferenceTypeEnum)
+    referenceType!: ReferenceTypeEnum;
+
+    /** Si la referencia lleva dígito verificador (→ hasDigitoVerificador). Default false. */
+    @IsOptional()
+    @IsBoolean()
+    hasCheckDigit?: boolean;
+
+    /** Si la referencia se verifica antes de pagar (→ verificateReference). Default false. */
+    @IsOptional()
+    @IsBoolean()
+    verifyReference?: boolean;
+
+    /** Texto de ayuda (→ legend). */
+    @IsOptional()
+    @IsString()
+    helpText?: string;
+
+    /** Imagen de ayuda / dónde escanear (→ refSrc). */
+    @IsOptional()
+    @IsString()
+    helpImage?: string;
+
+    /** Logo del producto (→ logoSrc). */
+    @IsOptional()
+    @IsString()
+    logo?: string;
+
+    /** Habilitado. Default true (ausencia = habilitado). */
+    @IsOptional()
+    @IsBoolean()
+    enabled?: boolean;
+}

package/src/benefitCenter/enums/ReferenceTypeEnum.ts

@@ -0,0 +1,14 @@
+/**
+ * Tipo de referencia que la app pide al usuario para un producto. Determina el
+ * input del `inputSchema` y mapea al `tipoReferencia` nativo del conector.
+ *
+ * Solo valores modernos (las altas manuales usan estos). Los códigos legacy de
+ * STP (`a`, `b`, `bc`, `c`) existen en datos viejos pero no se ofrecen al crear.
+ */
+export enum ReferenceTypeEnum {
+    PHONE = "PHONE",
+    CLIENT_NUMBER = "CLIENT_NUMBER",
+    BARCODE = "BARCODE",
+    REFERENCE_AND_BARCODE = "REFERENCE_AND_BARCODE",
+    PHONE_AND_REFERENCE = "PHONE_AND_REFERENCE",
+}

package/src/benefitCenter/index.ts

@@ -79,6 +79,10 @@ export * from "./dtos/BackofficeLeafHelpImageUpdateRequest";
 export * from "./dtos/BackofficeProductHelpImageUpdateRequest";
 export * from "./dtos/BackofficeProductEnabledUpdateRequest";
 export * from "./dtos/BackofficeInputLabelsUpdateRequest";
+//Admin leaves iteration-4 v2: alta manual de servicio (create from scratch)
+export * from "./enums/ReferenceTypeEnum";
+export * from "./dtos/BackofficeProductCreateItem";
+export * from "./dtos/BackofficeLeafCreateRequest";
 //Banner assets upload (presigned PUT)
 export * from "./dtos/BannerUploadUrlRequest";
 export * from "./dtos/BannerUploadUrlResponse";

package/src/platformRbac/auth/DefineNextChallengeRequest.ts

@@ -0,0 +1,25 @@
+import 'reflect-metadata';
+import { Type } from 'class-transformer';
+import { IsArray, IsBoolean, IsEnum, IsString, ValidateNested } from 'class-validator';
+import { ChallengeNameEnum } from '../enums/ChallengeNameEnum';
+
+export class ChallengeResultEntry {
+    @IsEnum(ChallengeNameEnum)
+    challengeName!: ChallengeNameEnum;
+
+    @IsBoolean()
+    challengeResult!: boolean;
+}
+
+export class DefineNextChallengeRequest {
+    @IsString()
+    cognitoSub!: string;
+
+    @IsBoolean()
+    userNotFound!: boolean;
+
+    @IsArray()
+    @ValidateNested({ each: true })
+    @Type(() => ChallengeResultEntry)
+    session!: ChallengeResultEntry[];
+}

package/src/platformRbac/auth/DefineNextChallengeResponse.ts

@@ -0,0 +1,14 @@
+import { IsBoolean, IsEnum, IsOptional } from 'class-validator';
+import { ChallengeNameEnum } from '../enums/ChallengeNameEnum';
+
+export class DefineNextChallengeResponse {
+    @IsOptional()
+    @IsEnum(ChallengeNameEnum)
+    nextChallenge?: ChallengeNameEnum;
+
+    @IsBoolean()
+    issueTokens!: boolean;
+
+    @IsBoolean()
+    failAuthentication!: boolean;
+}

package/src/platformRbac/auth/NewPasswordRequest.ts

@@ -0,0 +1,10 @@
+import { IsString, MinLength } from 'class-validator';
+
+export class NewPasswordRequest {
+    @IsString()
+    cognitoSub!: string;
+
+    @IsString()
+    @MinLength(8)
+    newPassword!: string;
+}

package/src/platformRbac/auth/PrepareChallengeRequest.ts

@@ -0,0 +1,13 @@
+import { IsEmail, IsEnum, IsString } from 'class-validator';
+import { ChallengeNameEnum } from '../enums/ChallengeNameEnum';
+
+export class PrepareChallengeRequest {
+    @IsString()
+    cognitoSub!: string;
+
+    @IsEnum(ChallengeNameEnum)
+    challengeName!: ChallengeNameEnum;
+
+    @IsEmail()
+    email!: string;
+}

package/src/platformRbac/auth/PrepareChallengeResponse.ts

@@ -0,0 +1,9 @@
+import { IsObject, IsString } from 'class-validator';
+
+export class PrepareChallengeResponse {
+    @IsString()
+    publicChallengeParameters!: string;
+
+    @IsObject()
+    privateChallengeParameters!: Record<string, string>;
+}

package/src/platformRbac/auth/ResetPasswordRequest.ts

@@ -0,0 +1,14 @@
+import { IsEmail, IsString, Length, MinLength } from 'class-validator';
+
+export class ResetPasswordRequest {
+    @IsEmail()
+    email!: string;
+
+    @IsString()
+    @Length(6, 6)
+    otpCode!: string;
+
+    @IsString()
+    @MinLength(8)
+    newPassword!: string;
+}

package/src/platformRbac/auth/VerifyChallengeRequest.ts

@@ -0,0 +1,16 @@
+import { IsEnum, IsObject, IsString } from 'class-validator';
+import { ChallengeNameEnum } from '../enums/ChallengeNameEnum';
+
+export class VerifyChallengeRequest {
+    @IsString()
+    cognitoSub!: string;
+
+    @IsEnum(ChallengeNameEnum)
+    challengeName!: ChallengeNameEnum;
+
+    @IsString()
+    challengeAnswer!: string;
+
+    @IsObject()
+    privateChallengeParameters!: Record<string, string>;
+}

package/src/platformRbac/auth/VerifyChallengeResponse.ts

@@ -0,0 +1,6 @@
+import { IsBoolean } from 'class-validator';
+
+export class VerifyChallengeResponse {
+    @IsBoolean()
+    answerCorrect!: boolean;
+}

package/src/platformRbac/enums/ChallengeNameEnum.ts

@@ -0,0 +1,7 @@
+export enum ChallengeNameEnum {
+    PASSWORD = 'PASSWORD',
+    EMAIL_OTP = 'EMAIL_OTP',
+    TOTP = 'TOTP',
+    NEW_PASSWORD_REQUIRED = 'NEW_PASSWORD_REQUIRED',
+    RESET_PASSWORD = 'RESET_PASSWORD',
+}

package/src/platformRbac/enums/MfaMethodEnum.ts

@@ -0,0 +1,4 @@
+export enum MfaMethodEnum {
+    EMAIL_OTP = 'EMAIL_OTP',
+    TOTP = 'TOTP',
+}

package/src/platformRbac/index.ts

@@ -15,3 +15,20 @@ export { PermissionCategory } from './enums/PermissionCategory';
 export type { AuthContext } from './dtos/AuthContext';
 export type { RoleAssignmentInfo } from './dtos/RoleAssignmentInfo';
 export type { PermissionMeta } from './dtos/PermissionMeta';
+
+// Fase 1 — Custom Auth Challenge (Email OTP + TOTP) + MFA self-service.
+// Class values (no type-only) — los DTOs llevan decoradores class-validator y se hidratan con plainToInstance en runtime.
+export * from './enums/MfaMethodEnum';
+export * from './enums/ChallengeNameEnum';
+export * from './auth/DefineNextChallengeRequest';
+export * from './auth/DefineNextChallengeResponse';
+export * from './auth/PrepareChallengeRequest';
+export * from './auth/PrepareChallengeResponse';
+export * from './auth/VerifyChallengeRequest';
+export * from './auth/VerifyChallengeResponse';
+export * from './auth/NewPasswordRequest';
+export * from './auth/ResetPasswordRequest';
+export * from './mfa/EnrollTotpResponse';
+export * from './mfa/VerifyTotpEnrollmentRequest';
+export * from './mfa/ChangeMfaMethodRequest';
+export * from './mfa/MfaStatusResponse';

package/src/platformRbac/mfa/ChangeMfaMethodRequest.ts

@@ -0,0 +1,10 @@
+import { IsEnum, IsString } from 'class-validator';
+import { MfaMethodEnum } from '../enums/MfaMethodEnum';
+
+export class ChangeMfaMethodRequest {
+    @IsEnum(MfaMethodEnum)
+    newMethod!: MfaMethodEnum;
+
+    @IsString()
+    verificationCode!: string;
+}

package/src/platformRbac/mfa/EnrollTotpResponse.ts

@@ -0,0 +1,12 @@
+import { IsString } from 'class-validator';
+
+export class EnrollTotpResponse {
+    @IsString()
+    qrCodeDataUrl!: string;
+
+    @IsString()
+    secret!: string;
+
+    @IsString()
+    issuer!: string;
+}

package/src/platformRbac/mfa/MfaStatusResponse.ts

@@ -0,0 +1,14 @@
+import { IsArray, IsEnum, IsNumber } from 'class-validator';
+import { MfaMethodEnum } from '../enums/MfaMethodEnum';
+
+export class MfaStatusResponse {
+    @IsEnum(MfaMethodEnum)
+    currentMethod!: MfaMethodEnum;
+
+    @IsArray()
+    @IsEnum(MfaMethodEnum, { each: true })
+    availableMethods!: MfaMethodEnum[];
+
+    @IsNumber()
+    recoveryCodesRemaining!: number;
+}