@fiado/type-kit 3.48.0 → 3.50.0

package/src/messaging/validators/IsDestinationByChannel.ts

@@ -1,61 +1,61 @@
-import { ValidatorConstraint, ValidatorConstraintInterface, ValidationArguments } from 'class-validator';
-import { DeliveryChannelEnum } from '../enums/DeliveryChannelEnum';
-
-/**
- * Valida que `destination` matchee el formato correcto segun el `deliveryChannel`
- * declarado en el mismo DTO.
- *
- * Por que un custom validator en lugar de dos `@ValidateIf` + `@IsEmail`/`@Matches`:
- * - `@ValidateIf` afecta a **toda la propiedad**, no solo a los decoradores que
- *   vienen despues. Cuando se ponen dos `@ValidateIf` consecutivos sobre la
- *   misma propiedad, el segundo sobrescribe al primero y class-validator
- *   ignora silenciosamente los validators afectados.
- * - Originalmente descubierto en `sns-ses-connector/tests/RUN_LOG.md` T7/T10/T11
- *   (2026-05-21) — la version anterior del DTO dejaba pasar
- *   `destination: "12345"` con canal SMS y `destination: "no-es-email"` con
- *   canal MAIL. Validator migrado del connector al type-kit en 3.29.0 para
- *   eliminar el DTO_LOCAL del connector y exponer la regla a todos los
- *   callers de `MessageDeliveryRequest`.
- *
- * Reglas:
- * - Canal `SMS` → `destination` debe matchear E.164: `^\+\d{10,15}$`
- * - Canal `MAIL` → `destination` debe matchear formato email
- * - Canal invalido o ausente → falla (el `@IsEnum` del DTO genera su propio mensaje aparte)
- * - String vacio o whitespace → falla
- *
- * Uso tipico:
- * ```ts
- *   @Validate(IsDestinationByChannel)
- *   destination: string;
- * ```
- */
-const E164_REGEX = /^\+\d{10,15}$/;
-const EMAIL_REGEX = /^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/;
-
-@ValidatorConstraint({ name: 'IsDestinationByChannel', async: false })
-export class IsDestinationByChannel implements ValidatorConstraintInterface {
-    validate(value: unknown, args: ValidationArguments): boolean {
-        if (typeof value !== 'string' || value.trim().length === 0) return false;
-
-        const obj = args.object as { deliveryChannel?: unknown };
-        const channel = obj.deliveryChannel;
-
-        if (channel === DeliveryChannelEnum.SMS) return E164_REGEX.test(value);
-        if (channel === DeliveryChannelEnum.MAIL) return EMAIL_REGEX.test(value);
-
-        return false;
-    }
-
-    defaultMessage(args: ValidationArguments): string {
-        const obj = args.object as { deliveryChannel?: unknown };
-        const channel = obj.deliveryChannel;
-
-        if (channel === DeliveryChannelEnum.SMS) {
-            return 'destination debe ser un telefono en formato E.164 (ej. +5215512345678) para canal SMS';
-        }
-        if (channel === DeliveryChannelEnum.MAIL) {
-            return 'destination debe ser un email valido para canal MAIL';
-        }
-        return 'destination requerido y debe corresponder al deliveryChannel';
-    }
-}
+import { ValidatorConstraint, ValidatorConstraintInterface, ValidationArguments } from 'class-validator';
+import { DeliveryChannelEnum } from '../enums/DeliveryChannelEnum';
+
+/**
+ * Valida que `destination` matchee el formato correcto segun el `deliveryChannel`
+ * declarado en el mismo DTO.
+ *
+ * Por que un custom validator en lugar de dos `@ValidateIf` + `@IsEmail`/`@Matches`:
+ * - `@ValidateIf` afecta a **toda la propiedad**, no solo a los decoradores que
+ *   vienen despues. Cuando se ponen dos `@ValidateIf` consecutivos sobre la
+ *   misma propiedad, el segundo sobrescribe al primero y class-validator
+ *   ignora silenciosamente los validators afectados.
+ * - Originalmente descubierto en `sns-ses-connector/tests/RUN_LOG.md` T7/T10/T11
+ *   (2026-05-21) — la version anterior del DTO dejaba pasar
+ *   `destination: "12345"` con canal SMS y `destination: "no-es-email"` con
+ *   canal MAIL. Validator migrado del connector al type-kit en 3.29.0 para
+ *   eliminar el DTO_LOCAL del connector y exponer la regla a todos los
+ *   callers de `MessageDeliveryRequest`.
+ *
+ * Reglas:
+ * - Canal `SMS` → `destination` debe matchear E.164: `^\+\d{10,15}$`
+ * - Canal `MAIL` → `destination` debe matchear formato email
+ * - Canal invalido o ausente → falla (el `@IsEnum` del DTO genera su propio mensaje aparte)
+ * - String vacio o whitespace → falla
+ *
+ * Uso tipico:
+ * ```ts
+ *   @Validate(IsDestinationByChannel)
+ *   destination: string;
+ * ```
+ */
+const E164_REGEX = /^\+\d{10,15}$/;
+const EMAIL_REGEX = /^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/;
+
+@ValidatorConstraint({ name: 'IsDestinationByChannel', async: false })
+export class IsDestinationByChannel implements ValidatorConstraintInterface {
+    validate(value: unknown, args: ValidationArguments): boolean {
+        if (typeof value !== 'string' || value.trim().length === 0) return false;
+
+        const obj = args.object as { deliveryChannel?: unknown };
+        const channel = obj.deliveryChannel;
+
+        if (channel === DeliveryChannelEnum.SMS) return E164_REGEX.test(value);
+        if (channel === DeliveryChannelEnum.MAIL) return EMAIL_REGEX.test(value);
+
+        return false;
+    }
+
+    defaultMessage(args: ValidationArguments): string {
+        const obj = args.object as { deliveryChannel?: unknown };
+        const channel = obj.deliveryChannel;
+
+        if (channel === DeliveryChannelEnum.SMS) {
+            return 'destination debe ser un telefono en formato E.164 (ej. +5215512345678) para canal SMS';
+        }
+        if (channel === DeliveryChannelEnum.MAIL) {
+            return 'destination debe ser un email valido para canal MAIL';
+        }
+        return 'destination requerido y debe corresponder al deliveryChannel';
+    }
+}

package/src/messaging/validators/IsNotBlank.ts

@@ -1,31 +1,31 @@
-import { ValidatorConstraint, ValidatorConstraintInterface, ValidationArguments } from 'class-validator';
-
-/**
- * Valida que el valor sea un string con al menos un caracter no-whitespace.
- *
- * Por que no usar `@IsNotEmpty()` de class-validator:
- * - `@IsNotEmpty()` solo rechaza `""`, `null`, `undefined`, `false`, `0`.
- * - **No** rechaza strings de solo whitespace (`"   "`).
- *
- * En el sns-ses-connector eso era un bug latente: un `message: "   "` pasaba la
- * validacion, llegaba al SDK de SNS/SES, y se enviaba un SMS o email con
- * contenido vacio al usuario final (y AWS cobraba). Originalmente descubierto
- * en `sns-ses-connector/tests/RUN_LOG.md` T8b (2026-05-21). Validator migrado
- * al type-kit en 3.29.0 para eliminar el DTO_LOCAL del connector.
- *
- * Uso tipico:
- * ```ts
- *   @Validate(IsNotBlank)
- *   message: string;
- * ```
- */
-@ValidatorConstraint({ name: 'IsNotBlank', async: false })
-export class IsNotBlank implements ValidatorConstraintInterface {
-    validate(value: unknown, _args: ValidationArguments): boolean {
-        return typeof value === 'string' && value.trim().length > 0;
-    }
-
-    defaultMessage(args: ValidationArguments): string {
-        return `${args.property} no puede ser vacio ni solo espacios en blanco`;
-    }
-}
+import { ValidatorConstraint, ValidatorConstraintInterface, ValidationArguments } from 'class-validator';
+
+/**
+ * Valida que el valor sea un string con al menos un caracter no-whitespace.
+ *
+ * Por que no usar `@IsNotEmpty()` de class-validator:
+ * - `@IsNotEmpty()` solo rechaza `""`, `null`, `undefined`, `false`, `0`.
+ * - **No** rechaza strings de solo whitespace (`"   "`).
+ *
+ * En el sns-ses-connector eso era un bug latente: un `message: "   "` pasaba la
+ * validacion, llegaba al SDK de SNS/SES, y se enviaba un SMS o email con
+ * contenido vacio al usuario final (y AWS cobraba). Originalmente descubierto
+ * en `sns-ses-connector/tests/RUN_LOG.md` T8b (2026-05-21). Validator migrado
+ * al type-kit en 3.29.0 para eliminar el DTO_LOCAL del connector.
+ *
+ * Uso tipico:
+ * ```ts
+ *   @Validate(IsNotBlank)
+ *   message: string;
+ * ```
+ */
+@ValidatorConstraint({ name: 'IsNotBlank', async: false })
+export class IsNotBlank implements ValidatorConstraintInterface {
+    validate(value: unknown, _args: ValidationArguments): boolean {
+        return typeof value === 'string' && value.trim().length > 0;
+    }
+
+    defaultMessage(args: ValidationArguments): string {
+        return `${args.property} no puede ser vacio ni solo espacios en blanco`;
+    }
+}

package/src/platformRbac/auth/DefineNextChallengeRequest.ts

@@ -1,25 +1,25 @@
-import 'reflect-metadata';
-import { Type } from 'class-transformer';
-import { IsArray, IsBoolean, IsEnum, IsString, ValidateNested } from 'class-validator';
-import { ChallengeNameEnum } from '../enums/ChallengeNameEnum';
-
-export class ChallengeResultEntry {
-    @IsEnum(ChallengeNameEnum)
-    challengeName!: ChallengeNameEnum;
-
-    @IsBoolean()
-    challengeResult!: boolean;
-}
-
-export class DefineNextChallengeRequest {
-    @IsString()
-    cognitoSub!: string;
-
-    @IsBoolean()
-    userNotFound!: boolean;
-
-    @IsArray()
-    @ValidateNested({ each: true })
-    @Type(() => ChallengeResultEntry)
-    session!: ChallengeResultEntry[];
-}
+import 'reflect-metadata';
+import { Type } from 'class-transformer';
+import { IsArray, IsBoolean, IsEnum, IsString, ValidateNested } from 'class-validator';
+import { ChallengeNameEnum } from '../enums/ChallengeNameEnum';
+
+export class ChallengeResultEntry {
+    @IsEnum(ChallengeNameEnum)
+    challengeName!: ChallengeNameEnum;
+
+    @IsBoolean()
+    challengeResult!: boolean;
+}
+
+export class DefineNextChallengeRequest {
+    @IsString()
+    cognitoSub!: string;
+
+    @IsBoolean()
+    userNotFound!: boolean;
+
+    @IsArray()
+    @ValidateNested({ each: true })
+    @Type(() => ChallengeResultEntry)
+    session!: ChallengeResultEntry[];
+}

package/src/platformRbac/auth/DefineNextChallengeResponse.ts

@@ -1,14 +1,14 @@
-import { IsBoolean, IsEnum, IsOptional } from 'class-validator';
-import { ChallengeNameEnum } from '../enums/ChallengeNameEnum';
-
-export class DefineNextChallengeResponse {
-    @IsOptional()
-    @IsEnum(ChallengeNameEnum)
-    nextChallenge?: ChallengeNameEnum;
-
-    @IsBoolean()
-    issueTokens!: boolean;
-
-    @IsBoolean()
-    failAuthentication!: boolean;
-}
+import { IsBoolean, IsEnum, IsOptional } from 'class-validator';
+import { ChallengeNameEnum } from '../enums/ChallengeNameEnum';
+
+export class DefineNextChallengeResponse {
+    @IsOptional()
+    @IsEnum(ChallengeNameEnum)
+    nextChallenge?: ChallengeNameEnum;
+
+    @IsBoolean()
+    issueTokens!: boolean;
+
+    @IsBoolean()
+    failAuthentication!: boolean;
+}

package/src/platformRbac/auth/NewPasswordRequest.ts

@@ -1,10 +1,10 @@
-import { IsString, MinLength } from 'class-validator';
-
-export class NewPasswordRequest {
-    @IsString()
-    cognitoSub!: string;
-
-    @IsString()
-    @MinLength(8)
-    newPassword!: string;
-}
+import { IsString, MinLength } from 'class-validator';
+
+export class NewPasswordRequest {
+    @IsString()
+    cognitoSub!: string;
+
+    @IsString()
+    @MinLength(8)
+    newPassword!: string;
+}

package/src/platformRbac/auth/PrepareChallengeRequest.ts

@@ -1,13 +1,13 @@
-import { IsEmail, IsEnum, IsString } from 'class-validator';
-import { ChallengeNameEnum } from '../enums/ChallengeNameEnum';
-
-export class PrepareChallengeRequest {
-    @IsString()
-    cognitoSub!: string;
-
-    @IsEnum(ChallengeNameEnum)
-    challengeName!: ChallengeNameEnum;
-
-    @IsEmail()
-    email!: string;
-}
+import { IsEmail, IsEnum, IsString } from 'class-validator';
+import { ChallengeNameEnum } from '../enums/ChallengeNameEnum';
+
+export class PrepareChallengeRequest {
+    @IsString()
+    cognitoSub!: string;
+
+    @IsEnum(ChallengeNameEnum)
+    challengeName!: ChallengeNameEnum;
+
+    @IsEmail()
+    email!: string;
+}

package/src/platformRbac/auth/PrepareChallengeResponse.ts

@@ -1,9 +1,9 @@
-import { IsObject, IsString } from 'class-validator';
-
-export class PrepareChallengeResponse {
-    @IsString()
-    publicChallengeParameters!: string;
-
-    @IsObject()
-    privateChallengeParameters!: Record<string, string>;
-}
+import { IsObject, IsString } from 'class-validator';
+
+export class PrepareChallengeResponse {
+    @IsString()
+    publicChallengeParameters!: string;
+
+    @IsObject()
+    privateChallengeParameters!: Record<string, string>;
+}

package/src/platformRbac/auth/ResetPasswordRequest.ts

@@ -1,14 +1,14 @@
-import { IsEmail, IsString, Length, MinLength } from 'class-validator';
-
-export class ResetPasswordRequest {
-    @IsEmail()
-    email!: string;
-
-    @IsString()
-    @Length(6, 6)
-    otpCode!: string;
-
-    @IsString()
-    @MinLength(8)
-    newPassword!: string;
-}
+import { IsEmail, IsString, Length, MinLength } from 'class-validator';
+
+export class ResetPasswordRequest {
+    @IsEmail()
+    email!: string;
+
+    @IsString()
+    @Length(6, 6)
+    otpCode!: string;
+
+    @IsString()
+    @MinLength(8)
+    newPassword!: string;
+}

package/src/platformRbac/auth/VerifyChallengeRequest.ts

@@ -1,16 +1,16 @@
-import { IsEnum, IsObject, IsString } from 'class-validator';
-import { ChallengeNameEnum } from '../enums/ChallengeNameEnum';
-
-export class VerifyChallengeRequest {
-    @IsString()
-    cognitoSub!: string;
-
-    @IsEnum(ChallengeNameEnum)
-    challengeName!: ChallengeNameEnum;
-
-    @IsString()
-    challengeAnswer!: string;
-
-    @IsObject()
-    privateChallengeParameters!: Record<string, string>;
-}
+import { IsEnum, IsObject, IsString } from 'class-validator';
+import { ChallengeNameEnum } from '../enums/ChallengeNameEnum';
+
+export class VerifyChallengeRequest {
+    @IsString()
+    cognitoSub!: string;
+
+    @IsEnum(ChallengeNameEnum)
+    challengeName!: ChallengeNameEnum;
+
+    @IsString()
+    challengeAnswer!: string;
+
+    @IsObject()
+    privateChallengeParameters!: Record<string, string>;
+}

package/src/platformRbac/auth/VerifyChallengeResponse.ts

@@ -1,6 +1,6 @@
-import { IsBoolean } from 'class-validator';
-
-export class VerifyChallengeResponse {
-    @IsBoolean()
-    answerCorrect!: boolean;
-}
+import { IsBoolean } from 'class-validator';
+
+export class VerifyChallengeResponse {
+    @IsBoolean()
+    answerCorrect!: boolean;
+}

package/src/platformRbac/dtos/AuthorizeRequest.ts

@@ -1,14 +1,14 @@
-import { Expose } from 'class-transformer';
-import { IsEnum, IsNotEmpty, IsOptional, IsString } from 'class-validator';
-import { PermissionScope } from '../enums/PermissionScope';
-
-/**
- * Input del POST /internal/authorize. El decorador @RequirePermission lo construye:
- * token (del cookie session), permission requerida, y scope+scopeRef opcionales.
- */
-export class AuthorizeRequest {
-    @Expose() @IsString() @IsNotEmpty() token!: string;
-    @Expose() @IsString() @IsNotEmpty() permission!: string;
-    @Expose() @IsOptional() @IsEnum(PermissionScope) scope?: PermissionScope;
-    @Expose() @IsOptional() @IsString() scopeRef?: string;
-}
+import { Expose } from 'class-transformer';
+import { IsEnum, IsNotEmpty, IsOptional, IsString } from 'class-validator';
+import { PermissionScope } from '../enums/PermissionScope';
+
+/**
+ * Input del POST /internal/authorize. El decorador @RequirePermission lo construye:
+ * token (del cookie session), permission requerida, y scope+scopeRef opcionales.
+ */
+export class AuthorizeRequest {
+    @Expose() @IsString() @IsNotEmpty() token!: string;
+    @Expose() @IsString() @IsNotEmpty() permission!: string;
+    @Expose() @IsOptional() @IsEnum(PermissionScope) scope?: PermissionScope;
+    @Expose() @IsOptional() @IsString() scopeRef?: string;
+}

package/src/platformRbac/dtos/AuthorizeResponse.ts

@@ -1,16 +1,16 @@
-import { Expose } from 'class-transformer';
-import { IsBoolean, IsEnum, IsOptional } from 'class-validator';
-import { AuthorizeDenyReason } from '../enums/AuthorizeDenyReason';
-import type { AuthContext } from './AuthContext';
-
-/**
- * Output del POST /internal/authorize. Si allow=true trae el context resuelto
- * (para que el decorador lo populé en el request). Si allow=false trae el reason.
- * `context` es solo contrato TS de salida (AuthContext es interface, no clase) → SIN @Expose,
- * es passthrough; los responses no se validan (fiado-validation-and-dtos § 7).
- */
-export class AuthorizeResponse {
-    @Expose() @IsBoolean() allow!: boolean;
-    @Expose() @IsOptional() @IsEnum(AuthorizeDenyReason) reason?: AuthorizeDenyReason;
-    context?: AuthContext;
-}
+import { Expose } from 'class-transformer';
+import { IsBoolean, IsEnum, IsOptional } from 'class-validator';
+import { AuthorizeDenyReason } from '../enums/AuthorizeDenyReason';
+import type { AuthContext } from './AuthContext';
+
+/**
+ * Output del POST /internal/authorize. Si allow=true trae el context resuelto
+ * (para que el decorador lo populé en el request). Si allow=false trae el reason.
+ * `context` es solo contrato TS de salida (AuthContext es interface, no clase) → SIN @Expose,
+ * es passthrough; los responses no se validan (fiado-validation-and-dtos § 7).
+ */
+export class AuthorizeResponse {
+    @Expose() @IsBoolean() allow!: boolean;
+    @Expose() @IsOptional() @IsEnum(AuthorizeDenyReason) reason?: AuthorizeDenyReason;
+    context?: AuthContext;
+}

package/src/platformRbac/enums/AuthorizeDenyReason.ts

@@ -1,10 +1,10 @@
-/**
- * Razón de denegación del endpoint POST /internal/authorize del platform-rbac-business.
- * Consumido por el decorador @RequirePermission del @fiado/gateway-adapter.
- */
-export enum AuthorizeDenyReason {
-    INVALID_TOKEN = 'INVALID_TOKEN',
-    NO_PERMISSION = 'NO_PERMISSION',
-    SCOPE_DENIED = 'SCOPE_DENIED',
-    USER_NOT_FOUND = 'USER_NOT_FOUND',
-}
+/**
+ * Razón de denegación del endpoint POST /internal/authorize del platform-rbac-business.
+ * Consumido por el decorador @RequirePermission del @fiado/gateway-adapter.
+ */
+export enum AuthorizeDenyReason {
+    INVALID_TOKEN = 'INVALID_TOKEN',
+    NO_PERMISSION = 'NO_PERMISSION',
+    SCOPE_DENIED = 'SCOPE_DENIED',
+    USER_NOT_FOUND = 'USER_NOT_FOUND',
+}

package/src/platformRbac/enums/ChallengeNameEnum.ts

@@ -1,7 +1,7 @@
-export enum ChallengeNameEnum {
-    PASSWORD = 'PASSWORD',
-    EMAIL_OTP = 'EMAIL_OTP',
-    TOTP = 'TOTP',
-    NEW_PASSWORD_REQUIRED = 'NEW_PASSWORD_REQUIRED',
-    RESET_PASSWORD = 'RESET_PASSWORD',
-}
+export enum ChallengeNameEnum {
+    PASSWORD = 'PASSWORD',
+    EMAIL_OTP = 'EMAIL_OTP',
+    TOTP = 'TOTP',
+    NEW_PASSWORD_REQUIRED = 'NEW_PASSWORD_REQUIRED',
+    RESET_PASSWORD = 'RESET_PASSWORD',
+}

package/src/platformRbac/enums/MfaMethodEnum.ts

@@ -1,4 +1,4 @@
-export enum MfaMethodEnum {
-    EMAIL_OTP = 'EMAIL_OTP',
-    TOTP = 'TOTP',
-}
+export enum MfaMethodEnum {
+    EMAIL_OTP = 'EMAIL_OTP',
+    TOTP = 'TOTP',
+}

package/src/platformRbac/mfa/ChangeMfaMethodRequest.ts

@@ -1,10 +1,10 @@
-import { IsEnum, IsString } from 'class-validator';
-import { MfaMethodEnum } from '../enums/MfaMethodEnum';
-
-export class ChangeMfaMethodRequest {
-    @IsEnum(MfaMethodEnum)
-    newMethod!: MfaMethodEnum;
-
-    @IsString()
-    verificationCode!: string;
-}
+import { IsEnum, IsString } from 'class-validator';
+import { MfaMethodEnum } from '../enums/MfaMethodEnum';
+
+export class ChangeMfaMethodRequest {
+    @IsEnum(MfaMethodEnum)
+    newMethod!: MfaMethodEnum;
+
+    @IsString()
+    verificationCode!: string;
+}

package/src/platformRbac/mfa/EnrollTotpResponse.ts

@@ -1,12 +1,12 @@
-import { IsString } from 'class-validator';
-
-export class EnrollTotpResponse {
-    @IsString()
-    qrCodeDataUrl!: string;
-
-    @IsString()
-    secret!: string;
-
-    @IsString()
-    issuer!: string;
-}
+import { IsString } from 'class-validator';
+
+export class EnrollTotpResponse {
+    @IsString()
+    qrCodeDataUrl!: string;
+
+    @IsString()
+    secret!: string;
+
+    @IsString()
+    issuer!: string;
+}

package/src/platformRbac/mfa/MfaStatusResponse.ts

@@ -1,14 +1,14 @@
-import { IsArray, IsEnum, IsNumber } from 'class-validator';
-import { MfaMethodEnum } from '../enums/MfaMethodEnum';
-
-export class MfaStatusResponse {
-    @IsEnum(MfaMethodEnum)
-    currentMethod!: MfaMethodEnum;
-
-    @IsArray()
-    @IsEnum(MfaMethodEnum, { each: true })
-    availableMethods!: MfaMethodEnum[];
-
-    @IsNumber()
-    recoveryCodesRemaining!: number;
-}
+import { IsArray, IsEnum, IsNumber } from 'class-validator';
+import { MfaMethodEnum } from '../enums/MfaMethodEnum';
+
+export class MfaStatusResponse {
+    @IsEnum(MfaMethodEnum)
+    currentMethod!: MfaMethodEnum;
+
+    @IsArray()
+    @IsEnum(MfaMethodEnum, { each: true })
+    availableMethods!: MfaMethodEnum[];
+
+    @IsNumber()
+    recoveryCodesRemaining!: number;
+}

package/src/platformRbac/mfa/VerifyTotpEnrollmentRequest.ts

@@ -1,7 +1,15 @@
-import { IsString, Length } from 'class-validator';
-
-export class VerifyTotpEnrollmentRequest {
-    @IsString()
-    @Length(6, 6)
-    totpCode!: string;
-}
+import { IsString, Length } from 'class-validator';
+
+export class VerifyTotpEnrollmentRequest {
+    @IsString()
+    @Length(6, 6)
+    totpCode!: string;
+
+    /**
+     * Blob opaco (JWT cifrado con KMS) que devuelve el enroll de totp-security; el cliente
+     * lo reenvía en el verify-enrollment para que totp-security recupere el secret y persista.
+     * Requerido: sin él totp-security no puede confirmar el enrollment.
+     */
+    @IsString()
+    enrollmentToken!: string;
+}

package/src/provider/enums/Provider.ts

@@ -7,5 +7,6 @@ export enum Provider {
     ESTAFETA = "ESTAFETA",
     STP_SERVICE_PAYMENT = "STP_SERVICE_PAYMENT",
     MULTICOMM_SERVICE_PAYMENT = "MULTICOMM_SERVICE_PAYMENT",
-    MULTICENTER_SERVICE_PAYMENT = "MULTICENTER_SERVICE_PAYMENT"
+    MULTICENTER_SERVICE_PAYMENT = "MULTICENTER_SERVICE_PAYMENT",
+    UNITELLER = "UNITELLER"
 }