npm - @fiado/type-kit - Versions diffs - 3.50.0 → 3.51.0 - Mend

@fiado/type-kit 3.50.0 → 3.51.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (21) hide show

package/_test_/unit/cognitoBackofficeConnector/dtos/CreatePoolRequest.test.ts ADDED Viewed

@@ -0,0 +1,33 @@
+import 'reflect-metadata';
+import { plainToInstance } from 'class-transformer';
+import { CreatePoolRequest } from '../../../../src/cognitoBackofficeConnector/dtos/CreatePoolRequest';
+describe('CreatePoolRequest', () => {
+    it('ya NO expone mfaConfig (pool MFA nativo OFF cerrado a nivel contrato — F-11 D2)', () => {
+        const instance = plainToInstance(
+            CreatePoolRequest,
+            {
+                region: 'us-east-1',
+                displayName: 'Tenant Demo',
+                mfaConfig: { requireMfa: true, mfaTypes: ['SOFTWARE_TOKEN_MFA'] },
+                passwordPolicy: {},
+                customAttributes: [],
+                appClientConfig: {},
+            },
+            { excludeExtraneousValues: true },
+        );
+        expect((instance as { mfaConfig?: unknown }).mfaConfig).toBeUndefined();
+    });
+    it('preserva los campos legítimos del request', () => {
+        const instance = plainToInstance(
+            CreatePoolRequest,
+            { region: 'us-east-1', displayName: 'Tenant Demo' },
+            { excludeExtraneousValues: true },
+        );
+        expect(instance.region).toBe('us-east-1');
+        expect(instance.displayName).toBe('Tenant Demo');
+    });
+});

package/_test_/unit/platformRbac/dtos/CreateTenantRequest.test.ts ADDED Viewed

@@ -0,0 +1,68 @@
+import 'reflect-metadata';
+import { plainToInstance } from 'class-transformer';
+import { validate } from 'class-validator';
+import { CreateTenantRequest } from '../../../../src/platformRbac/dtos/CreateTenantRequest';
+describe('CreateTenantRequest', () => {
+    const valid = {
+        tenantId: 'acme-mx',
+        displayName: 'Acme México',
+        emailDomain: 'acme.com',
+        tablePrefix: 'acme',
+        adminEmail: 'admin@acme.com',
+        adminName: 'Admin Acme',
+        region: 'us-east-1',
+        mfaRequired: true,
+        passwordMinLength: 12,
+    };
+    it('valida happy path (0 errores)', async () => {
+        const dto = plainToInstance(CreateTenantRequest, valid);
+        const errors = await validate(dto);
+        expect(errors).toEqual([]);
+    });
+    it('valida sin campos opcionales (mfaRequired / passwordMinLength)', async () => {
+        const { mfaRequired, passwordMinLength, ...sinOpcionales } = valid;
+        const dto = plainToInstance(CreateTenantRequest, sinOpcionales);
+        const errors = await validate(dto);
+        expect(errors).toEqual([]);
+    });
+    it('falla si adminEmail es inválido', async () => {
+        const dto = plainToInstance(CreateTenantRequest, { ...valid, adminEmail: 'no-es-email' });
+        const errors = await validate(dto);
+        expect(errors.some(e => e.property === 'adminEmail')).toBe(true);
+    });
+    it('falla si tenantId tiene mayúsculas', async () => {
+        const dto = plainToInstance(CreateTenantRequest, { ...valid, tenantId: 'Acme-MX' });
+        const errors = await validate(dto);
+        expect(errors.some(e => e.property === 'tenantId')).toBe(true);
+    });
+    it('falla si tenantId tiene caracteres inválidos (espacios / underscore)', async () => {
+        const dto = plainToInstance(CreateTenantRequest, { ...valid, tenantId: 'acme_mx 01' });
+        const errors = await validate(dto);
+        expect(errors.some(e => e.property === 'tenantId')).toBe(true);
+    });
+    it('falla si passwordMinLength es menor a 8', async () => {
+        const dto = plainToInstance(CreateTenantRequest, { ...valid, passwordMinLength: 6 });
+        const errors = await validate(dto);
+        expect(errors.some(e => e.property === 'passwordMinLength')).toBe(true);
+    });
+    it('NO expone temporaryPassword en el request (campo del response, no del body)', () => {
+        // El request NO debe llevar temporaryPassword (es solo del response, fallback out-of-band F-11).
+        // Con excludeExtraneousValues solo sobreviven las props @Expose() del DTO → el contrato lo excluye.
+        const dto = plainToInstance(
+            CreateTenantRequest,
+            { ...valid, temporaryPassword: 'Secreto123!' },
+            { excludeExtraneousValues: true },
+        );
+        expect((dto as unknown as Record<string, unknown>).temporaryPassword).toBeUndefined();
+        // sanity: una prop sí declarada en el contrato sí sobrevive
+        expect(dto.tenantId).toBe('acme-mx');
+    });
+});

package/bin/cognitoBackofficeConnector/dtos/CreatePoolRequest.d.ts CHANGED Viewed

@@ -1,4 +1,3 @@
-import { MfaPoolConfig } from './MfaPoolConfig';
 import { PasswordPolicyConfig } from './PasswordPolicyConfig';
 import { CustomAttributeSpec } from './CustomAttributeSpec';
 import { AppClientConfig } from './AppClientConfig';
@@ -8,11 +7,15 @@ import { AppClientConfig } from './AppClientConfig';
  * (Flujo 2 v1.2, PASO 4 de la saga). El connector ejecuta CreateUserPool +
  * CreateUserPoolClient en secuencia. Si CreateUserPoolClient falla DESPUÉS de
  * CreateUserPool exitoso, el connector hace DeleteUserPool de cleanup.
+ *
+ * El request NO expone configuración de MFA nativo del pool (F-11 D2): el 2º
+ * factor del backoffice va por custom-auth (EMAIL OTP / TOTP), nunca por MFA
+ * nativo del pool. El connector fuerza `MfaConfiguration: 'OFF'` como invariante
+ * de código al crear el pool — no es negociable vía contrato.
  */
 export declare class CreatePoolRequest {
     region: string;
     displayName: string;
-    mfaConfig: MfaPoolConfig;
     passwordPolicy: PasswordPolicyConfig;
     customAttributes: CustomAttributeSpec[];
     appClientConfig: AppClientConfig;

package/bin/cognitoBackofficeConnector/dtos/CreatePoolRequest.js CHANGED Viewed

@@ -12,7 +12,6 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.CreatePoolRequest = void 0;
 const class_transformer_1 = require("class-transformer");
 const class_validator_1 = require("class-validator");
-const MfaPoolConfig_1 = require("./MfaPoolConfig");
 const PasswordPolicyConfig_1 = require("./PasswordPolicyConfig");
 const CustomAttributeSpec_1 = require("./CustomAttributeSpec");
 const AppClientConfig_1 = require("./AppClientConfig");
@@ -22,6 +21,11 @@ const AppClientConfig_1 = require("./AppClientConfig");
  * (Flujo 2 v1.2, PASO 4 de la saga). El connector ejecuta CreateUserPool +
  * CreateUserPoolClient en secuencia. Si CreateUserPoolClient falla DESPUÉS de
  * CreateUserPool exitoso, el connector hace DeleteUserPool de cleanup.
+ *
+ * El request NO expone configuración de MFA nativo del pool (F-11 D2): el 2º
+ * factor del backoffice va por custom-auth (EMAIL OTP / TOTP), nunca por MFA
+ * nativo del pool. El connector fuerza `MfaConfiguration: 'OFF'` como invariante
+ * de código al crear el pool — no es negociable vía contrato.
  */
 class CreatePoolRequest {
 }
@@ -36,12 +40,6 @@ __decorate([
     (0, class_validator_1.IsString)(),
     __metadata("design:type", String)
 ], CreatePoolRequest.prototype, "displayName", void 0);
-__decorate([
-    (0, class_transformer_1.Expose)(),
-    (0, class_validator_1.ValidateNested)(),
-    (0, class_transformer_1.Type)(() => MfaPoolConfig_1.MfaPoolConfig),
-    __metadata("design:type", MfaPoolConfig_1.MfaPoolConfig)
-], CreatePoolRequest.prototype, "mfaConfig", void 0);
 __decorate([
     (0, class_transformer_1.Expose)(),
     (0, class_validator_1.ValidateNested)(),

package/bin/cognitoBackofficeConnector/index.d.ts CHANGED Viewed

@@ -10,7 +10,6 @@
 export * from './enums/CognitoChallengeType';
 export * from './enums/CognitoUserStatus';
 export * from './validators/NoTenantIdInCustomAttrs';
-export * from './validators/MfaTypesRequiresOne';
 export * from './dtos/CreateUserRequest';
 export * from './dtos/CreateUserResponse';
 export * from './dtos/UpdateUserAttributesRequest';
@@ -43,7 +42,6 @@ export * from './dtos/UpdateEmailRequest';
 export * from './dtos/VerifyEmailRequest';
 export * from './dtos/UpdateProfileRequest';
 export * from './dtos/HealthcheckResponse';
-export * from './dtos/MfaPoolConfig';
 export * from './dtos/PasswordPolicyConfig';
 export * from './dtos/CustomAttributeSpec';
 export * from './dtos/AppClientConfig';

package/bin/cognitoBackofficeConnector/index.js CHANGED Viewed

@@ -26,7 +26,6 @@ Object.defineProperty(exports, "__esModule", { value: true });
 __exportStar(require("./enums/CognitoChallengeType"), exports);
 __exportStar(require("./enums/CognitoUserStatus"), exports);
 __exportStar(require("./validators/NoTenantIdInCustomAttrs"), exports);
-__exportStar(require("./validators/MfaTypesRequiresOne"), exports);
 __exportStar(require("./dtos/CreateUserRequest"), exports);
 __exportStar(require("./dtos/CreateUserResponse"), exports);
 __exportStar(require("./dtos/UpdateUserAttributesRequest"), exports);
@@ -59,7 +58,6 @@ __exportStar(require("./dtos/UpdateEmailRequest"), exports);
 __exportStar(require("./dtos/VerifyEmailRequest"), exports);
 __exportStar(require("./dtos/UpdateProfileRequest"), exports);
 __exportStar(require("./dtos/HealthcheckResponse"), exports);
-__exportStar(require("./dtos/MfaPoolConfig"), exports);
 __exportStar(require("./dtos/PasswordPolicyConfig"), exports);
 __exportStar(require("./dtos/CustomAttributeSpec"), exports);
 __exportStar(require("./dtos/AppClientConfig"), exports);

package/bin/platformRbac/dtos/CreateTenantRequest.d.ts ADDED Viewed

@@ -0,0 +1,18 @@
+/**
+ * Input del POST backoffice de creación de tenant (F-11 — onboarding de tenant en SureKeep).
+ * Consumido por el controller `backofficeCreateTenant` del platform-rbac-business y, a futuro,
+ * por el frontend de staff. La `idempotencyKey` viaja en header HTTP (no en el body).
+ * El `temporaryPassword` NO viaja en el request: vive solo en el response como fallback
+ * out-of-band mientras el correo de invitación no entrega.
+ */
+export declare class CreateTenantRequest {
+    tenantId: string;
+    displayName: string;
+    emailDomain: string;
+    tablePrefix: string;
+    adminEmail: string;
+    adminName: string;
+    region: string;
+    mfaRequired?: boolean;
+    passwordMinLength?: number;
+}

package/bin/platformRbac/dtos/CreateTenantRequest.js ADDED Viewed

@@ -0,0 +1,73 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CreateTenantRequest = void 0;
+const class_transformer_1 = require("class-transformer");
+const class_validator_1 = require("class-validator");
+/**
+ * Input del POST backoffice de creación de tenant (F-11 — onboarding de tenant en SureKeep).
+ * Consumido por el controller `backofficeCreateTenant` del platform-rbac-business y, a futuro,
+ * por el frontend de staff. La `idempotencyKey` viaja en header HTTP (no en el body).
+ * El `temporaryPassword` NO viaja en el request: vive solo en el response como fallback
+ * out-of-band mientras el correo de invitación no entrega.
+ */
+class CreateTenantRequest {
+}
+exports.CreateTenantRequest = CreateTenantRequest;
+__decorate([
+    (0, class_transformer_1.Expose)(),
+    (0, class_validator_1.IsString)(),
+    (0, class_validator_1.Matches)(/^[a-z0-9-]+$/),
+    __metadata("design:type", String)
+], CreateTenantRequest.prototype, "tenantId", void 0);
+__decorate([
+    (0, class_transformer_1.Expose)(),
+    (0, class_validator_1.IsString)(),
+    __metadata("design:type", String)
+], CreateTenantRequest.prototype, "displayName", void 0);
+__decorate([
+    (0, class_transformer_1.Expose)(),
+    (0, class_validator_1.IsString)(),
+    __metadata("design:type", String)
+], CreateTenantRequest.prototype, "emailDomain", void 0);
+__decorate([
+    (0, class_transformer_1.Expose)(),
+    (0, class_validator_1.IsString)(),
+    __metadata("design:type", String)
+], CreateTenantRequest.prototype, "tablePrefix", void 0);
+__decorate([
+    (0, class_transformer_1.Expose)(),
+    (0, class_validator_1.IsEmail)(),
+    __metadata("design:type", String)
+], CreateTenantRequest.prototype, "adminEmail", void 0);
+__decorate([
+    (0, class_transformer_1.Expose)(),
+    (0, class_validator_1.IsString)(),
+    __metadata("design:type", String)
+], CreateTenantRequest.prototype, "adminName", void 0);
+__decorate([
+    (0, class_transformer_1.Expose)(),
+    (0, class_validator_1.IsString)(),
+    __metadata("design:type", String)
+], CreateTenantRequest.prototype, "region", void 0);
+__decorate([
+    (0, class_transformer_1.Expose)(),
+    (0, class_validator_1.IsOptional)(),
+    (0, class_validator_1.IsBoolean)(),
+    __metadata("design:type", Boolean)
+], CreateTenantRequest.prototype, "mfaRequired", void 0);
+__decorate([
+    (0, class_transformer_1.Expose)(),
+    (0, class_validator_1.IsOptional)(),
+    (0, class_validator_1.IsInt)(),
+    (0, class_validator_1.Min)(8),
+    __metadata("design:type", Number)
+], CreateTenantRequest.prototype, "passwordMinLength", void 0);

package/bin/platformRbac/dtos/CreateTenantResponse.d.ts ADDED Viewed

@@ -0,0 +1,12 @@
+/**
+ * Output del POST backoffice de creación de tenant (F-11). Response plain sin validators
+ * (no validamos lo que mandamos al cliente — fiado-validation-and-dtos § 7).
+ */
+export interface CreateTenantResponse {
+    tenantId: string;
+    userPoolId: string;
+    appClientId: string;
+    adminCognitoSub: string;
+    /** Fallback out-of-band mientras el correo de invitación no entrega (F-11). */
+    temporaryPassword: string;
+}

package/bin/platformRbac/dtos/CreateTenantResponse.js ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ "use strict";
2	+ Object.defineProperty(exports, "__esModule", { value: true });

package/bin/platformRbac/index.d.ts CHANGED Viewed

@@ -21,3 +21,5 @@ export * from './mfa/MfaStatusResponse';
 export { AuthorizeDenyReason } from './enums/AuthorizeDenyReason';
 export * from './dtos/AuthorizeRequest';
 export * from './dtos/AuthorizeResponse';
+export * from './dtos/CreateTenantRequest';
+export type { CreateTenantResponse } from './dtos/CreateTenantResponse';

package/bin/platformRbac/index.js CHANGED Viewed

@@ -51,3 +51,6 @@ var AuthorizeDenyReason_1 = require("./enums/AuthorizeDenyReason");
 Object.defineProperty(exports, "AuthorizeDenyReason", { enumerable: true, get: function () { return AuthorizeDenyReason_1.AuthorizeDenyReason; } });
 __exportStar(require("./dtos/AuthorizeRequest"), exports);
 __exportStar(require("./dtos/AuthorizeResponse"), exports);
+// F-11 — onboarding de tenant (POST backoffice createTenant). CreateTenantRequest lleva
+// decoradores class-validator → export de valor; CreateTenantResponse es interface → type-only.
+__exportStar(require("./dtos/CreateTenantRequest"), exports);

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@fiado/type-kit",
-  "version": "3.50.0",
+  "version": "3.51.0",
   "description": "",
   "main": "bin/index.js",
   "types": "bin/index.d.ts",

package/src/cognitoBackofficeConnector/dtos/CreatePoolRequest.ts CHANGED Viewed

@@ -1,6 +1,5 @@
 import { Expose, Type } from 'class-transformer';
 import { IsArray, IsString, ValidateNested } from 'class-validator';
-import { MfaPoolConfig } from './MfaPoolConfig';
 import { PasswordPolicyConfig } from './PasswordPolicyConfig';
 import { CustomAttributeSpec } from './CustomAttributeSpec';
 import { AppClientConfig } from './AppClientConfig';
@@ -11,14 +10,16 @@ import { AppClientConfig } from './AppClientConfig';
  * (Flujo 2 v1.2, PASO 4 de la saga). El connector ejecuta CreateUserPool +
  * CreateUserPoolClient en secuencia. Si CreateUserPoolClient falla DESPUÉS de
  * CreateUserPool exitoso, el connector hace DeleteUserPool de cleanup.
+ *
+ * El request NO expone configuración de MFA nativo del pool (F-11 D2): el 2º
+ * factor del backoffice va por custom-auth (EMAIL OTP / TOTP), nunca por MFA
+ * nativo del pool. El connector fuerza `MfaConfiguration: 'OFF'` como invariante
+ * de código al crear el pool — no es negociable vía contrato.
  */
 export class CreatePoolRequest {
     @Expose() @IsString() region!: string;
     @Expose() @IsString() displayName!: string;
-    @Expose() @ValidateNested() @Type(() => MfaPoolConfig)
-    mfaConfig!: MfaPoolConfig;
     @Expose() @ValidateNested() @Type(() => PasswordPolicyConfig)
     passwordPolicy!: PasswordPolicyConfig;

package/src/cognitoBackofficeConnector/index.ts CHANGED Viewed

@@ -10,7 +10,6 @@
 export * from './enums/CognitoChallengeType';
 export * from './enums/CognitoUserStatus';
 export * from './validators/NoTenantIdInCustomAttrs';
-export * from './validators/MfaTypesRequiresOne';
 export * from './dtos/CreateUserRequest';
 export * from './dtos/CreateUserResponse';
 export * from './dtos/UpdateUserAttributesRequest';
@@ -43,7 +42,6 @@ export * from './dtos/UpdateEmailRequest';
 export * from './dtos/VerifyEmailRequest';
 export * from './dtos/UpdateProfileRequest';
 export * from './dtos/HealthcheckResponse';
-export * from './dtos/MfaPoolConfig';
 export * from './dtos/PasswordPolicyConfig';
 export * from './dtos/CustomAttributeSpec';
 export * from './dtos/AppClientConfig';

package/src/platformRbac/dtos/CreateTenantRequest.ts ADDED Viewed

@@ -0,0 +1,21 @@
+import { Expose } from 'class-transformer';
+import { IsBoolean, IsEmail, IsInt, IsOptional, IsString, Matches, Min } from 'class-validator';
+/**
+ * Input del POST backoffice de creación de tenant (F-11 — onboarding de tenant en SureKeep).
+ * Consumido por el controller `backofficeCreateTenant` del platform-rbac-business y, a futuro,
+ * por el frontend de staff. La `idempotencyKey` viaja en header HTTP (no en el body).
+ * El `temporaryPassword` NO viaja en el request: vive solo en el response como fallback
+ * out-of-band mientras el correo de invitación no entrega.
+ */
+export class CreateTenantRequest {
+    @Expose() @IsString() @Matches(/^[a-z0-9-]+$/) tenantId!: string;
+    @Expose() @IsString() displayName!: string;
+    @Expose() @IsString() emailDomain!: string;
+    @Expose() @IsString() tablePrefix!: string;
+    @Expose() @IsEmail() adminEmail!: string;
+    @Expose() @IsString() adminName!: string;
+    @Expose() @IsString() region!: string;
+    @Expose() @IsOptional() @IsBoolean() mfaRequired?: boolean;
+    @Expose() @IsOptional() @IsInt() @Min(8) passwordMinLength?: number;
+}

package/src/platformRbac/dtos/CreateTenantResponse.ts ADDED Viewed

@@ -0,0 +1,12 @@
+/**
+ * Output del POST backoffice de creación de tenant (F-11). Response plain sin validators
+ * (no validamos lo que mandamos al cliente — fiado-validation-and-dtos § 7).
+ */
+export interface CreateTenantResponse {
+    tenantId: string;
+    userPoolId: string;
+    appClientId: string;
+    adminCognitoSub: string;
+    /** Fallback out-of-band mientras el correo de invitación no entrega (F-11). */
+    temporaryPassword: string;
+}

package/src/platformRbac/index.ts CHANGED Viewed

@@ -37,3 +37,8 @@ export * from './mfa/MfaStatusResponse';
 export { AuthorizeDenyReason } from './enums/AuthorizeDenyReason';
 export * from './dtos/AuthorizeRequest';
 export * from './dtos/AuthorizeResponse';
+// F-11 — onboarding de tenant (POST backoffice createTenant). CreateTenantRequest lleva
+// decoradores class-validator → export de valor; CreateTenantResponse es interface → type-only.
+export * from './dtos/CreateTenantRequest';
+export type { CreateTenantResponse } from './dtos/CreateTenantResponse';

package/_test_/cognitoBackofficeConnector/validators/MfaTypesRequiresOne.test.ts DELETED Viewed

@@ -1,77 +0,0 @@
-import 'reflect-metadata';
-import { plainToInstance } from 'class-transformer';
-import { validate } from 'class-validator';
-import { MfaPoolConfig } from '../../../src/cognitoBackofficeConnector/dtos/MfaPoolConfig';
-describe('MfaTypesRequiresOne validator (cross-field validation)', () => {
-    async function validateMfaConfig(data: unknown) {
-        const instance = plainToInstance(MfaPoolConfig, data, { excludeExtraneousValues: true });
-        return validate(instance as object, { whitelist: true });
-    }
-    describe('requireMfa: true', () => {
-        it('mfaTypes con 1 elemento (SOFTWARE_TOKEN_MFA) → válido', async () => {
-            const errors = await validateMfaConfig({
-                requireMfa: true,
-                mfaTypes: ['SOFTWARE_TOKEN_MFA'],
-            });
-            expect(errors).toHaveLength(0);
-        });
-        it('mfaTypes con 1 elemento (EMAIL_OTP) → válido', async () => {
-            const errors = await validateMfaConfig({
-                requireMfa: true,
-                mfaTypes: ['EMAIL_OTP'],
-            });
-            expect(errors).toHaveLength(0);
-        });
-        it('mfaTypes con ambos elementos → válido (MFA exclusivo A17 se decide por user en login)', async () => {
-            const errors = await validateMfaConfig({
-                requireMfa: true,
-                mfaTypes: ['SOFTWARE_TOKEN_MFA', 'EMAIL_OTP'],
-            });
-            expect(errors).toHaveLength(0);
-        });
-        it('mfaTypes vacío → INVÁLIDO (MfaTypesRequiresOne)', async () => {
-            const errors = await validateMfaConfig({
-                requireMfa: true,
-                mfaTypes: [],
-            });
-            expect(errors.length).toBeGreaterThan(0);
-            const constraints = errors[0]?.constraints ?? {};
-            expect(Object.keys(constraints)).toContain('MfaTypesRequiresOneWhenMfaRequired');
-        });
-    });
-    describe('requireMfa: false', () => {
-        it('mfaTypes vacío → válido (cuando MFA no se requiere, no hace falta tipo)', async () => {
-            const errors = await validateMfaConfig({
-                requireMfa: false,
-                mfaTypes: [],
-            });
-            expect(errors).toHaveLength(0);
-        });
-        it('mfaTypes con elementos → válido también (caller decidió pasar tipos pero no requiere MFA — ok)', async () => {
-            const errors = await validateMfaConfig({
-                requireMfa: false,
-                mfaTypes: ['SOFTWARE_TOKEN_MFA'],
-            });
-            expect(errors).toHaveLength(0);
-        });
-    });
-    describe('mfaTypes con valor inválido fuera del enum', () => {
-        it('mfaTypes con "SMS_MFA" → INVÁLIDO (IsIn rechaza)', async () => {
-            const errors = await validateMfaConfig({
-                requireMfa: true,
-                mfaTypes: ['SMS_MFA'],
-            });
-            expect(errors.length).toBeGreaterThan(0);
-            const constraints = errors[0]?.constraints ?? {};
-            expect(Object.keys(constraints).join(',')).toMatch(/isIn/i);
-        });
-    });
-});

package/src/cognitoBackofficeConnector/dtos/MfaPoolConfig.ts DELETED Viewed

@@ -1,21 +0,0 @@
-import { Expose } from 'class-transformer';
-import { IsArray, IsBoolean, IsIn, Validate } from 'class-validator';
-import { MfaTypesRequiresOne } from '../validators/MfaTypesRequiresOne';
-// EMAIL_OTP removido (3.41.0): el cognito-backoffice-connector no provisiona
-// EmailMfaConfiguration a nivel pool (requiere infra SES que no está montada
-// y la integración con messages-lambda aún no tiene diseño). Ver TD-020 +
-// DEC-001 en cognito-backoffice-connector/docs/. Si se reintroduce, agregar
-// 'EMAIL_OTP' a este array.
-const ALLOWED_MFA_TYPES = ['SOFTWARE_TOKEN_MFA'] as const;
-export type AllowedMfaType = (typeof ALLOWED_MFA_TYPES)[number];
-export class MfaPoolConfig {
-    @Expose() @IsBoolean() requireMfa!: boolean;
-    @Expose()
-    @IsArray()
-    @IsIn(ALLOWED_MFA_TYPES, { each: true })
-    @Validate(MfaTypesRequiresOne)
-    mfaTypes!: AllowedMfaType[];
-}

package/src/cognitoBackofficeConnector/validators/MfaTypesRequiresOne.ts DELETED Viewed

@@ -1,29 +0,0 @@
-import { ValidatorConstraint, ValidatorConstraintInterface, ValidationArguments } from 'class-validator';
-/**
- * Cross-field validator: si `requireMfa: true`, entonces `mfaTypes` debe tener
- * al menos 1 elemento. Si `requireMfa: false`, `mfaTypes` puede ser vacío.
- *
- * Razón: cuando el pool nace con MFA habilitado, el connector llama
- * `SetUserPoolMfaConfigCommand` con la lista de tipos del DTO. Si el array
- * llega vacío con `requireMfa: true`, el SDK rechaza con InvalidParameterException
- * y el pool queda en estado inconsistente (MfaConfiguration:'ON' sin tipos).
- * Mejor rechazar en validación del DTO antes de tocar AWS.
- *
- * Ver pivote v1.4.1 TD-017 cerrado + spec doc §1 R3.
- */
-@ValidatorConstraint({ name: 'MfaTypesRequiresOneWhenMfaRequired', async: false })
-export class MfaTypesRequiresOne implements ValidatorConstraintInterface {
-    validate(mfaTypes: unknown, args: ValidationArguments): boolean {
-        const obj = args.object as { requireMfa?: boolean };
-        if (obj.requireMfa === true) {
-            return Array.isArray(mfaTypes) && mfaTypes.length >= 1;
-        }
-        // requireMfa: false → cualquier mfaTypes pasa.
-        return true;
-    }
-    defaultMessage(): string {
-        return 'mfaTypes requiere al menos un tipo cuando requireMfa=true';
-    }
-}