@halix/action-sdk 1.0.43 → 1.0.45

package/lib/cjs/access.js

@@ -0,0 +1,279 @@
+"use strict";
+// Halix SDK License v1.0
+// Copyright (c) 2025 halix.io LLC.
+//
+// This source code is licensed for use **only** within applications
+// running on the Halix platform, in accordance with Halix SDK guidelines.
+//
+// Unauthorized use outside the Halix platform is prohibited.
+// Full license terms available in the LICENSE file.
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.listRoles = listRoles;
+exports.listRolesAsObservable = listRolesAsObservable;
+exports.listBusinessPrivileges = listBusinessPrivileges;
+exports.listBusinessPrivilegesAsObservable = listBusinessPrivilegesAsObservable;
+exports.listSandboxUsers = listSandboxUsers;
+exports.listSandboxUsersAsObservable = listSandboxUsersAsObservable;
+exports.getUserAccess = getUserAccess;
+exports.getUserAccessAsObservable = getUserAccessAsObservable;
+exports.inviteUser = inviteUser;
+exports.inviteUserAsObservable = inviteUserAsObservable;
+exports.updateUserAccess = updateUserAccess;
+exports.updateUserAccessAsObservable = updateUserAccessAsObservable;
+exports.removeUserAccess = removeUserAccess;
+exports.removeUserAccessAsObservable = removeUserAccessAsObservable;
+exports.hasBusinessPrivilege = hasBusinessPrivilege;
+exports.userPrivileges = userPrivileges;
+/**
+ * @module @halix/action-sdk/access
+ * @description Access, roles, business privileges, invitations, and user scope assignment for the Halix Platform action SDK.
+ * This module lets custom code inspect role and privilege metadata, invite users, and update a user's access inside the
+ * current sandbox.
+ *
+ * Key concepts:
+ * - `Role.id` is the stable semantic role identifier used by configuration and generated code.
+ * - `Role.objKey` is the persisted role object key. APIs that accept `roleKeys` require `Role.objKey`, not `Role.id`.
+ * - `BusinessPrivilege.id` is the stable privilege identifier used by privilege checks such as `hasBusinessPrivilege`.
+ * - `ScopeKeyItem` entries define the data scope a user receives for an organization, user proxy, or custom data scope.
+ *
+ * @usage
+ * ## When to Use
+ * - **Build role assignment UI** -> `listRoles`, then submit matching `role.objKey` values as `roleKeys`
+ * - **Show or check business privileges** -> `listBusinessPrivileges`, `hasBusinessPrivilege`, `userPrivileges`
+ * - **List users in the current sandbox** -> `listSandboxUsers`
+ * - **Inspect one user's access** -> `getUserAccess`
+ * - **Invite a user by email** -> `inviteUser`
+ * - **Add or update a user's scope entry** -> `updateUserAccess`
+ * - **Remove one user scope entry** -> `removeUserAccess`
+ *
+ * ## Role Key Rule
+ * Never submit semantic role IDs as `roleKeys`. Resolve them first:
+ * 1. call `listRoles()`
+ * 2. find the role where `role.id` matches the semantic ID
+ * 3. submit `role.objKey` in `InviteUserRequest.roleKeys` or `UpdateAccessRequest.roleKeys`
+ *
+ * ## Key Functions
+ * | Function | Use For |
+ * |----------|---------|
+ * | `listRoles` | Read assignable roles for the current sandbox |
+ * | `listBusinessPrivileges` | Read business privilege metadata |
+ * | `listSandboxUsers` | Read users with access to the current sandbox |
+ * | `getUserAccess` | Read one user's current scope entries and roles |
+ * | `inviteUser` | Invite a new user and assign initial role keys/scopes |
+ * | `updateUserAccess` | Add or update one user scope entry |
+ * | `removeUserAccess` | Remove one user scope entry |
+ * | `hasBusinessPrivilege` | Check whether the current user has a privilege ID |
+ * | `userPrivileges` | Return the current user's privilege IDs |
+ *
+ * @example
+ * // Resolve a semantic role ID to the persisted object key before assignment
+ * const roles = await hx.listRoles();
+ * const memberRole = roles.find((role) => role.id === 'householdMember');
+ * if (!memberRole?.objKey) {
+ *   throw new Error('Required role not found.');
+ * }
+ * await hx.updateUserAccess(userKey, {
+ *   roleKeys: [memberRole.objKey],
+ *   scopeKeyItems: [{ scopeKey: orgKey, dataElementId: 'family' }],
+ * });
+ *
+ * @example
+ * // Check the current user's business privilege
+ * if (hx.hasBusinessPrivilege('manageSharedLists')) {
+ *   // Show controls for sharing list access
+ * }
+ */
+const axios_1 = __importDefault(require("axios"));
+const rxjs_1 = require("rxjs");
+const sdk_general_1 = require("./sdk-general");
+function authHeaders() {
+    return __awaiter(this, void 0, void 0, function* () {
+        if (!sdk_general_1.getAuthToken) {
+            throw new Error('SDK not initialized.');
+        }
+        const authToken = yield (0, rxjs_1.lastValueFrom)((0, sdk_general_1.getAuthToken)());
+        return { Authorization: `Bearer ${authToken}` };
+    });
+}
+/**
+ * Lists roles available in the current sandbox.
+ *
+ * Use this before assigning roles so semantic role IDs can be resolved to persisted `objKey` values. Assignment
+ * requests must send `Role.objKey` values in `roleKeys`.
+ *
+ * @returns Promise resolving to role metadata for the current sandbox
+ */
+function listRoles() {
+    return __awaiter(this, void 0, void 0, function* () {
+        const response = yield axios_1.default.get(`${sdk_general_1.serviceAddress}/access/sandboxes/${sdk_general_1.sandboxKey}/allRoles`, {
+            headers: yield authHeaders(),
+        });
+        return response.data;
+    });
+}
+/**
+ * Observable version of `listRoles`. See `listRoles` for details.
+ */
+function listRolesAsObservable() {
+    return (0, rxjs_1.from)(listRoles());
+}
+/**
+ * Lists business privileges available in the current sandbox.
+ *
+ * Business privilege IDs are used by `hasBusinessPrivilege`, current-user privilege checks, and role
+ * `businessPrivilegeIds`.
+ *
+ * @returns Promise resolving to business privilege metadata
+ */
+function listBusinessPrivileges() {
+    return __awaiter(this, void 0, void 0, function* () {
+        const response = yield axios_1.default.get(`${sdk_general_1.serviceAddress}/access/sandboxes/${sdk_general_1.sandboxKey}/businessPrivileges`, {
+            headers: yield authHeaders(),
+        });
+        return response.data;
+    });
+}
+/**
+ * Observable version of `listBusinessPrivileges`. See `listBusinessPrivileges` for details.
+ */
+function listBusinessPrivilegesAsObservable() {
+    return (0, rxjs_1.from)(listBusinessPrivileges());
+}
+/**
+ * Lists users with access to the current sandbox.
+ *
+ * Use `getUserAccess` when full scope-entry details are needed for a specific user.
+ *
+ * @returns Promise resolving to sandbox user summaries
+ */
+function listSandboxUsers() {
+    return __awaiter(this, void 0, void 0, function* () {
+        const response = yield axios_1.default.get(`${sdk_general_1.serviceAddress}/access/sandboxes/${sdk_general_1.sandboxKey}/users`, {
+            headers: yield authHeaders(),
+        });
+        return response.data;
+    });
+}
+/**
+ * Observable version of `listSandboxUsers`. See `listSandboxUsers` for details.
+ */
+function listSandboxUsersAsObservable() {
+    return (0, rxjs_1.from)(listSandboxUsers());
+}
+/**
+ * Gets one user's current sandbox access, including scope entries and any role metadata returned by the access service.
+ *
+ * @param userKey - Persisted user object key
+ * @returns Promise resolving to the user's access wrapper
+ */
+function getUserAccess(userKey) {
+    return __awaiter(this, void 0, void 0, function* () {
+        const response = yield axios_1.default.get(`${sdk_general_1.serviceAddress}/access/sandboxes/${sdk_general_1.sandboxKey}/user/${userKey}/access`, {
+            headers: yield authHeaders(),
+        });
+        return response.data;
+    });
+}
+/**
+ * Observable version of `getUserAccess`. See `getUserAccess` for details.
+ */
+function getUserAccessAsObservable(userKey) {
+    return (0, rxjs_1.from)(getUserAccess(userKey));
+}
+/**
+ * Invites a user by email and assigns initial sandbox access.
+ *
+ * `req.roleKeys` must contain persisted role object keys from `Role.objKey`, not semantic role IDs. Resolve desired
+ * semantic IDs with `listRoles` before calling this function.
+ *
+ * @param req - Invitation and initial access request
+ * @returns Promise resolving to invitation result metadata
+ */
+function inviteUser(req) {
+    return __awaiter(this, void 0, void 0, function* () {
+        const response = yield axios_1.default.post(`${sdk_general_1.serviceAddress}/access/sandboxes/${sdk_general_1.sandboxKey}/inviteByEmail`, req, {
+            headers: yield authHeaders(),
+        });
+        return response.data;
+    });
+}
+/**
+ * Observable version of `inviteUser`. See `inviteUser` for details.
+ */
+function inviteUserAsObservable(req) {
+    return (0, rxjs_1.from)(inviteUser(req));
+}
+/**
+ * Adds or updates one user's sandbox scope entry.
+ *
+ * If `req.scopeElementId` is present, the existing scope entry is updated. If it is omitted, a new scope entry is
+ * added. `req.roleKeys` must contain persisted role object keys from `Role.objKey`, not semantic role IDs.
+ *
+ * @param userKey - Persisted user object key
+ * @param req - Scope-entry access update request
+ */
+function updateUserAccess(userKey, req) {
+    return __awaiter(this, void 0, void 0, function* () {
+        const path = req.scopeElementId ? 'updateScopeElement' : 'addScopeElement';
+        yield axios_1.default.post(`${sdk_general_1.serviceAddress}/access/sandboxes/${sdk_general_1.sandboxKey}/user/${userKey}/${path}`, req, {
+            headers: yield authHeaders(),
+        });
+    });
+}
+/**
+ * Observable version of `updateUserAccess`. See `updateUserAccess` for details.
+ */
+function updateUserAccessAsObservable(userKey, req) {
+    return (0, rxjs_1.from)(updateUserAccess(userKey, req));
+}
+/**
+ * Removes one sandbox scope entry from a user.
+ *
+ * @param userKey - Persisted user object key
+ * @param scopeElementId - Scope element ID to remove from the user
+ */
+function removeUserAccess(userKey, scopeElementId) {
+    return __awaiter(this, void 0, void 0, function* () {
+        yield axios_1.default.delete(`${sdk_general_1.serviceAddress}/access/sandboxes/${sdk_general_1.sandboxKey}/user/${userKey}/removeScopeElements`, {
+            headers: yield authHeaders(),
+            data: { scopeElementIds: [scopeElementId] },
+        });
+    });
+}
+/**
+ * Observable version of `removeUserAccess`. See `removeUserAccess` for details.
+ */
+function removeUserAccessAsObservable(userKey, scopeElementId) {
+    return (0, rxjs_1.from)(removeUserAccess(userKey, scopeElementId));
+}
+/**
+ * Checks whether the current user context contains a business privilege ID.
+ *
+ * @param privilegeId - Stable business privilege ID
+ * @returns True when the current user has the privilege
+ */
+function hasBusinessPrivilege(privilegeId) {
+    var _a, _b;
+    return (_b = (_a = sdk_general_1.userContext === null || sdk_general_1.userContext === void 0 ? void 0 : sdk_general_1.userContext.businessPrivileges) === null || _a === void 0 ? void 0 : _a.includes(privilegeId)) !== null && _b !== void 0 ? _b : false;
+}
+/**
+ * Returns the current user's business privilege IDs from the SDK user context.
+ *
+ * @returns Business privilege IDs for the current user, or an empty array when none are available
+ */
+function userPrivileges() {
+    var _a;
+    return (_a = sdk_general_1.userContext === null || sdk_general_1.userContext === void 0 ? void 0 : sdk_general_1.userContext.businessPrivileges) !== null && _a !== void 0 ? _a : [];
+}

package/lib/cjs/content.js

@@ -28,6 +28,8 @@ exports.sendFileContents = sendFileContents;
 exports.sendFileContentsAsObservable = sendFileContentsAsObservable;
 exports.createOrUpdateResource = createOrUpdateResource;
 exports.createOrUpdateResourceAsObservable = createOrUpdateResourceAsObservable;
+exports.downloadResource = downloadResource;
+exports.downloadResourceAsObservable = downloadResourceAsObservable;
 /**
  * @module @halix/action-sdk/content
  * @description Content resource management functions for the Halix Platform action SDK. This module
@@ -36,6 +38,7 @@ exports.createOrUpdateResourceAsObservable = createOrUpdateResourceAsObservable;
  * Key features:
  * - Retrieve content resources (images, documents, etc.)
  * - Upload/save content resources (images, documents, etc.)
+ * - Download file resources in the browser (e.g. as a button click handler)
  */
 const axios_1 = __importDefault(require("axios"));
 const rxjs_1 = require("rxjs");
@@ -197,3 +200,62 @@ function createOrUpdateResource(resourceKey, fileToUpload, publicFlag, resourceT
 function createOrUpdateResourceAsObservable(resourceKey, fileToUpload, publicFlag, resourceType, tags) {
     return (0, rxjs_1.from)(createOrUpdateResource(resourceKey, fileToUpload, publicFlag, resourceType, tags));
 }
+/**
+ * Fetches a file resource from the Halix content service and returns it as a `Blob` along with
+ * the filename derived from the `Content-Disposition` response header (falling back to
+ * `resourceKey` when the header is absent).
+ *
+ * This function is environment-agnostic: it performs only the authenticated HTTP fetch and leaves
+ * all presentation logic to the caller.
+ *
+ * **Browser download example** — trigger the native Save dialog from a click handler:
+ * ```js
+ * button.addEventListener('click', async () => {
+ *     const { blob, fileName } = await downloadResource(recipe.attachmentKey);
+ *     const url = URL.createObjectURL(blob);
+ *     const a = document.createElement('a');
+ *     a.href = url;
+ *     a.download = fileName;
+ *     a.click();
+ *     URL.revokeObjectURL(url);
+ * });
+ * ```
+ *
+ * **Node.js example** — write the blob to disk:
+ * ```js
+ * const { blob } = await downloadResource(recipe.attachmentKey);
+ * const buffer = Buffer.from(await blob.arrayBuffer());
+ * fs.writeFileSync('attachment.pdf', buffer);
+ * ```
+ *
+ * @param resourceKey - Key of the content resource to fetch
+ * @returns Promise resolving to `{ blob, fileName }`
+ */
+function downloadResource(resourceKey) {
+    return __awaiter(this, void 0, void 0, function* () {
+        var _a, _b;
+        if (!sdk_general_1.getAuthToken) {
+            const errorMessage = 'SDK not initialized.';
+            console.error(errorMessage);
+            throw new Error(errorMessage);
+        }
+        const url = `${sdk_general_1.serviceAddress}/filecontent/${sdk_general_1.sandboxKey}/${resourceKey}`;
+        const authToken = yield (0, rxjs_1.lastValueFrom)((0, sdk_general_1.getAuthToken)());
+        console.log("Sending GET request to " + url + " with token " + authToken);
+        const response = yield axios_1.default.get(url, {
+            headers: { "Authorization": `Bearer ${authToken}` },
+            responseType: 'blob',
+        });
+        const blob = response.data;
+        const disposition = (_a = response.headers['content-disposition']) !== null && _a !== void 0 ? _a : '';
+        const match = disposition.match(/filename[^;=\n]*=((['"]).*?\2|[^;\n]*)/);
+        const fileName = ((_b = match === null || match === void 0 ? void 0 : match[1]) !== null && _b !== void 0 ? _b : '').replace(/['"]/g, '') || resourceKey;
+        return { blob, fileName };
+    });
+}
+/**
+ * Observable version of downloadResource. See downloadResource for details.
+ */
+function downloadResourceAsObservable(resourceKey) {
+    return (0, rxjs_1.from)(downloadResource(resourceKey));
+}

package/lib/cjs/index.js

@@ -8,8 +8,8 @@
 // Unauthorized use outside the Halix platform is prohibited.
 // Full license terms available in the LICENSE file.
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.AggregationResponse = exports.massDeleteAsObservable = exports.massDelete = exports.massEditAsObservable = exports.massEdit = exports.getListDataAsObservable = exports.getListData = exports.getOrganizationPreferenceAsObservable = exports.getUserPreferenceAsObservable = exports.getOrganizationPreference = exports.getUserPreference = exports.sendMessageAsObservable = exports.sendMessage = exports.MessageMethod = exports.createOrUpdateResourceAsObservable = exports.createOrUpdateResource = exports.sendFileContentsAsObservable = exports.sendFileContents = exports.saveResourceAsObservable = exports.saveResource = exports.getOrCreateResourceAsObservable = exports.getOrCreateResource = exports.deleteRelatedObjectsAsObservable = exports.deleteRelatedObjects = exports.deleteRelatedObjectAsObservable = exports.deleteRelatedObject = exports.deleteObjectAsObservable = exports.deleteObject = exports.saveRelatedObjectAsObservable = exports.saveRelatedObject = exports.saveObjectAsObservable = exports.saveObject = exports.getObjectsAsObservable = exports.getObjects = exports.getAccessibleObjectsAsObservable = exports.getAccessibleObjects = exports.getRelatedObjectsAsObservable = exports.getRelatedObjects = exports.getObjectAsObservable = exports.getObject = exports.prepareErrorResponse = exports.prepareSuccessResponse = exports.initialize = exports.useBody = exports.params = exports.userContext = exports.actionSubject = exports.serviceAddress = exports.sandboxKey = exports.getAuthToken = void 0;
-exports.debounceFn = exports.getValueFromObject = exports.compareValues = exports.sortObjectArray = exports.sendAIMessageAsObservable = exports.sendAIMessage = exports.submitStandalonePaymentAsObservable = exports.submitStandalonePayment = exports.getAggregateDataAsObservable = exports.getAggregateData = void 0;
+exports.sendFileContentsAsObservable = exports.sendFileContents = exports.saveResourceAsObservable = exports.saveResource = exports.getOrCreateResourceAsObservable = exports.getOrCreateResource = exports.userPrivileges = exports.hasBusinessPrivilege = exports.removeUserAccessAsObservable = exports.removeUserAccess = exports.updateUserAccessAsObservable = exports.updateUserAccess = exports.inviteUserAsObservable = exports.inviteUser = exports.getUserAccessAsObservable = exports.getUserAccess = exports.listSandboxUsersAsObservable = exports.listSandboxUsers = exports.listBusinessPrivilegesAsObservable = exports.listBusinessPrivileges = exports.listRolesAsObservable = exports.listRoles = exports.deleteRelatedObjectsAsObservable = exports.deleteRelatedObjects = exports.deleteRelatedObjectAsObservable = exports.deleteRelatedObject = exports.deleteObjectAsObservable = exports.deleteObject = exports.saveRelatedObjectAsObservable = exports.saveRelatedObject = exports.saveObjectAsObservable = exports.saveObject = exports.getObjectsAsObservable = exports.getObjects = exports.getAccessibleObjectsAsObservable = exports.getAccessibleObjects = exports.getRelatedObjectsAsObservable = exports.getRelatedObjects = exports.getObjectAsObservable = exports.getObject = exports.prepareErrorResponse = exports.prepareSuccessResponse = exports.initialize = exports.useBody = exports.params = exports.userContext = exports.actionSubject = exports.serviceAddress = exports.sandboxKey = exports.getAuthToken = void 0;
+exports.debounceFn = exports.getValueFromObject = exports.compareValues = exports.sortObjectArray = exports.sendAIMessageAsObservable = exports.sendAIMessage = exports.submitStandalonePaymentAsObservable = exports.submitStandalonePayment = exports.getAggregateDataAsObservable = exports.getAggregateData = exports.AggregationResponse = exports.massDeleteAsObservable = exports.massDelete = exports.massEditAsObservable = exports.massEdit = exports.getListDataAsObservable = exports.getListData = exports.getOrganizationPreferenceAsObservable = exports.getUserPreferenceAsObservable = exports.getOrganizationPreference = exports.getUserPreference = exports.sendMessageAsObservable = exports.sendMessage = exports.MessageMethod = exports.downloadResourceAsObservable = exports.downloadResource = exports.createOrUpdateResourceAsObservable = exports.createOrUpdateResource = void 0;
 /**
  * @module @halix/action-sdk
  * @description Halix Platform action SDK for developing NodeJS Lambda-based actions on the Halix
@@ -58,6 +58,26 @@ Object.defineProperty(exports, "deleteRelatedObjectAsObservable", { enumerable:
 Object.defineProperty(exports, "deleteRelatedObjects", { enumerable: true, get: function () { return data_crud_1.deleteRelatedObjects; } });
 Object.defineProperty(exports, "deleteRelatedObjectsAsObservable", { enumerable: true, get: function () { return data_crud_1.deleteRelatedObjectsAsObservable; } });
 // ================================================================================
+// ACCESS FUNCTIONS
+// ================================================================================
+var access_1 = require("./access");
+Object.defineProperty(exports, "listRoles", { enumerable: true, get: function () { return access_1.listRoles; } });
+Object.defineProperty(exports, "listRolesAsObservable", { enumerable: true, get: function () { return access_1.listRolesAsObservable; } });
+Object.defineProperty(exports, "listBusinessPrivileges", { enumerable: true, get: function () { return access_1.listBusinessPrivileges; } });
+Object.defineProperty(exports, "listBusinessPrivilegesAsObservable", { enumerable: true, get: function () { return access_1.listBusinessPrivilegesAsObservable; } });
+Object.defineProperty(exports, "listSandboxUsers", { enumerable: true, get: function () { return access_1.listSandboxUsers; } });
+Object.defineProperty(exports, "listSandboxUsersAsObservable", { enumerable: true, get: function () { return access_1.listSandboxUsersAsObservable; } });
+Object.defineProperty(exports, "getUserAccess", { enumerable: true, get: function () { return access_1.getUserAccess; } });
+Object.defineProperty(exports, "getUserAccessAsObservable", { enumerable: true, get: function () { return access_1.getUserAccessAsObservable; } });
+Object.defineProperty(exports, "inviteUser", { enumerable: true, get: function () { return access_1.inviteUser; } });
+Object.defineProperty(exports, "inviteUserAsObservable", { enumerable: true, get: function () { return access_1.inviteUserAsObservable; } });
+Object.defineProperty(exports, "updateUserAccess", { enumerable: true, get: function () { return access_1.updateUserAccess; } });
+Object.defineProperty(exports, "updateUserAccessAsObservable", { enumerable: true, get: function () { return access_1.updateUserAccessAsObservable; } });
+Object.defineProperty(exports, "removeUserAccess", { enumerable: true, get: function () { return access_1.removeUserAccess; } });
+Object.defineProperty(exports, "removeUserAccessAsObservable", { enumerable: true, get: function () { return access_1.removeUserAccessAsObservable; } });
+Object.defineProperty(exports, "hasBusinessPrivilege", { enumerable: true, get: function () { return access_1.hasBusinessPrivilege; } });
+Object.defineProperty(exports, "userPrivileges", { enumerable: true, get: function () { return access_1.userPrivileges; } });
+// ================================================================================
 // CONTENT FUNCTIONS
 // ================================================================================
 var content_1 = require("./content");
@@ -70,6 +90,8 @@ Object.defineProperty(exports, "sendFileContents", { enumerable: true, get: func
 Object.defineProperty(exports, "sendFileContentsAsObservable", { enumerable: true, get: function () { return content_1.sendFileContentsAsObservable; } });
 Object.defineProperty(exports, "createOrUpdateResource", { enumerable: true, get: function () { return content_1.createOrUpdateResource; } });
 Object.defineProperty(exports, "createOrUpdateResourceAsObservable", { enumerable: true, get: function () { return content_1.createOrUpdateResourceAsObservable; } });
+Object.defineProperty(exports, "downloadResource", { enumerable: true, get: function () { return content_1.downloadResource; } });
+Object.defineProperty(exports, "downloadResourceAsObservable", { enumerable: true, get: function () { return content_1.downloadResourceAsObservable; } });
 // ================================================================================
 // MESSAGING FUNCTIONS
 // ================================================================================

package/lib/cjs/sdk-general.js

@@ -39,6 +39,9 @@ function initialize(event) {
     }
     if (body) {
         ({ sandboxKey: exports.sandboxKey, serviceAddress: exports.serviceAddress, actionSubject: exports.actionSubject, userContext: exports.userContext, params: exports.params } = body);
+        if (exports.userContext && !exports.userContext.businessPrivileges) {
+            exports.userContext.businessPrivileges = [];
+        }
         if (body.authToken) {
             exports.getAuthToken = () => (0, rxjs_1.of)(body.authToken);
         }

package/lib/cjs/types/access.d.ts

@@ -0,0 +1,230 @@
+import { Observable } from 'rxjs';
+/**
+ * A data scope assigned to a user as part of a sandbox scope entry.
+ */
+export interface ScopeKeyItem {
+    /** Object key for the scoped record, such as an organization or user proxy object key. */
+    scopeKey: string;
+    /** Data element ID for the scoped object. */
+    dataElementId: string;
+    /** Optional display label for the scope entry. */
+    label?: string;
+    /** Optional custom data scope identifier when assigning a custom scope. */
+    customDataScopeId?: string;
+}
+/**
+ * Role metadata available in the current sandbox.
+ *
+ * Use `id` to identify the intended role in code. Use `objKey` when assigning the role to a user through `roleKeys`.
+ */
+export interface Role {
+    /** Persisted role object key. Required when assigning roles through `roleKeys`. */
+    objKey?: string;
+    /** Stable semantic role identifier. Do not submit this as a role key. */
+    id: string;
+    /** Human-readable role name. */
+    name: string;
+    /** Human-readable role description. */
+    description?: string;
+    /** Navigation object keys granted to this role. */
+    navigationKeys?: string[];
+    /** Data element object keys readable by this role. */
+    readDataElementKeys?: string[];
+    /** Data element object keys writable by this role. */
+    writeDataElementKeys?: string[];
+    /** Data element object keys deletable by this role. */
+    deleteDataElementKeys?: string[];
+    /** Platform system roles granted to this role. */
+    systemRoles?: string[];
+    /** Business privilege IDs granted to this role. */
+    businessPrivilegeIds?: string[];
+    /** Optional role grouping labels. */
+    categories?: string[];
+}
+/**
+ * Business privilege metadata available in the current sandbox.
+ */
+export interface BusinessPrivilege {
+    /** Persisted privilege object key, when included by the API. */
+    objKey?: string;
+    /** Stable business privilege identifier used for checks and role grants. */
+    id: string;
+    /** Human-readable privilege name. */
+    name: string;
+    /** Human-readable privilege description. */
+    description?: string;
+    /** Optional privilege grouping labels. */
+    categories?: string[];
+}
+/**
+ * User summary for a user with access to the current sandbox.
+ */
+export interface SandboxUser {
+    /** Persisted user object key. */
+    userKey: string;
+    /** Display name, when available. */
+    name?: string;
+    /** Email address, when available. */
+    email?: string;
+    /** Raw scope entries returned by the access service. */
+    scopeElements?: unknown[];
+}
+/**
+ * Full access wrapper for one user, including scope entries and role metadata when returned by the access service.
+ */
+export interface UserAccessWrapper {
+    /** Raw user payload returned by the access service. */
+    user: unknown;
+    /** Raw scope entries for the user. */
+    scopeElements: unknown[];
+    /** Role metadata associated with the user's access, when returned. */
+    roles?: Role[];
+}
+/**
+ * Request body for inviting a user and assigning initial sandbox access.
+ */
+export interface InviteUserRequest {
+    /** Email address for the invited user. */
+    email: string;
+    /** Optional first name for the invited user. */
+    firstName?: string;
+    /** Optional last name for the invited user. */
+    lastName?: string;
+    /** User proxy data element ID used to create or link the user proxy record. */
+    userProxyElementId: string;
+    /** Optional organization proxy object key for organization-scoped invitations. */
+    orgProxyKey?: string;
+    /** Persisted role object keys (`Role.objKey`). Never pass semantic `Role.id` values here. */
+    roleKeys: string[];
+    /** Optional data scopes granted to the invited user. */
+    scopeKeyItems?: ScopeKeyItem[];
+    /** Optional notification template identifier. */
+    notificationTemplate?: string;
+}
+/**
+ * Result returned from an invitation request.
+ */
+export interface InviteResult {
+    /** Invitation/user token key, when returned by the access service. */
+    userTokenKey?: string;
+    /** Persisted user object key, when a user was created or resolved. */
+    userKey?: string;
+    /** Invited email address. */
+    email?: string;
+    [key: string]: unknown;
+}
+/**
+ * Request body for adding or updating one user scope entry.
+ */
+export interface UpdateAccessRequest {
+    /** Existing scope element ID. When omitted, a new scope entry is added. */
+    scopeElementId?: string;
+    /** Persisted role object keys (`Role.objKey`). Never pass semantic `Role.id` values here. */
+    roleKeys: string[];
+    /** Data scopes to store on the scope entry. */
+    scopeKeyItems: ScopeKeyItem[];
+    /** Whether this scope entry should apply globally instead of being limited to the provided scopes. */
+    globalAccess?: boolean;
+}
+/**
+ * Lists roles available in the current sandbox.
+ *
+ * Use this before assigning roles so semantic role IDs can be resolved to persisted `objKey` values. Assignment
+ * requests must send `Role.objKey` values in `roleKeys`.
+ *
+ * @returns Promise resolving to role metadata for the current sandbox
+ */
+export declare function listRoles(): Promise<Role[]>;
+/**
+ * Observable version of `listRoles`. See `listRoles` for details.
+ */
+export declare function listRolesAsObservable(): Observable<Role[]>;
+/**
+ * Lists business privileges available in the current sandbox.
+ *
+ * Business privilege IDs are used by `hasBusinessPrivilege`, current-user privilege checks, and role
+ * `businessPrivilegeIds`.
+ *
+ * @returns Promise resolving to business privilege metadata
+ */
+export declare function listBusinessPrivileges(): Promise<BusinessPrivilege[]>;
+/**
+ * Observable version of `listBusinessPrivileges`. See `listBusinessPrivileges` for details.
+ */
+export declare function listBusinessPrivilegesAsObservable(): Observable<BusinessPrivilege[]>;
+/**
+ * Lists users with access to the current sandbox.
+ *
+ * Use `getUserAccess` when full scope-entry details are needed for a specific user.
+ *
+ * @returns Promise resolving to sandbox user summaries
+ */
+export declare function listSandboxUsers(): Promise<SandboxUser[]>;
+/**
+ * Observable version of `listSandboxUsers`. See `listSandboxUsers` for details.
+ */
+export declare function listSandboxUsersAsObservable(): Observable<SandboxUser[]>;
+/**
+ * Gets one user's current sandbox access, including scope entries and any role metadata returned by the access service.
+ *
+ * @param userKey - Persisted user object key
+ * @returns Promise resolving to the user's access wrapper
+ */
+export declare function getUserAccess(userKey: string): Promise<UserAccessWrapper>;
+/**
+ * Observable version of `getUserAccess`. See `getUserAccess` for details.
+ */
+export declare function getUserAccessAsObservable(userKey: string): Observable<UserAccessWrapper>;
+/**
+ * Invites a user by email and assigns initial sandbox access.
+ *
+ * `req.roleKeys` must contain persisted role object keys from `Role.objKey`, not semantic role IDs. Resolve desired
+ * semantic IDs with `listRoles` before calling this function.
+ *
+ * @param req - Invitation and initial access request
+ * @returns Promise resolving to invitation result metadata
+ */
+export declare function inviteUser(req: InviteUserRequest): Promise<InviteResult>;
+/**
+ * Observable version of `inviteUser`. See `inviteUser` for details.
+ */
+export declare function inviteUserAsObservable(req: InviteUserRequest): Observable<InviteResult>;
+/**
+ * Adds or updates one user's sandbox scope entry.
+ *
+ * If `req.scopeElementId` is present, the existing scope entry is updated. If it is omitted, a new scope entry is
+ * added. `req.roleKeys` must contain persisted role object keys from `Role.objKey`, not semantic role IDs.
+ *
+ * @param userKey - Persisted user object key
+ * @param req - Scope-entry access update request
+ */
+export declare function updateUserAccess(userKey: string, req: UpdateAccessRequest): Promise<void>;
+/**
+ * Observable version of `updateUserAccess`. See `updateUserAccess` for details.
+ */
+export declare function updateUserAccessAsObservable(userKey: string, req: UpdateAccessRequest): Observable<void>;
+/**
+ * Removes one sandbox scope entry from a user.
+ *
+ * @param userKey - Persisted user object key
+ * @param scopeElementId - Scope element ID to remove from the user
+ */
+export declare function removeUserAccess(userKey: string, scopeElementId: string): Promise<void>;
+/**
+ * Observable version of `removeUserAccess`. See `removeUserAccess` for details.
+ */
+export declare function removeUserAccessAsObservable(userKey: string, scopeElementId: string): Observable<void>;
+/**
+ * Checks whether the current user context contains a business privilege ID.
+ *
+ * @param privilegeId - Stable business privilege ID
+ * @returns True when the current user has the privilege
+ */
+export declare function hasBusinessPrivilege(privilegeId: string): boolean;
+/**
+ * Returns the current user's business privilege IDs from the SDK user context.
+ *
+ * @returns Business privilege IDs for the current user, or an empty array when none are available
+ */
+export declare function userPrivileges(): string[];
+//# sourceMappingURL=access.d.ts.map

package/lib/cjs/types/access.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"access.d.ts","sourceRoot":"","sources":["../../../src/access.ts"],"names":[],"mappings":"AAsEA,OAAO,EAAuB,UAAU,EAAE,MAAM,MAAM,CAAC;AAGvD;;GAEG;AACH,MAAM,WAAW,YAAY;IACzB,0FAA0F;IAC1F,QAAQ,EAAE,MAAM,CAAC;IACjB,6CAA6C;IAC7C,aAAa,EAAE,MAAM,CAAC;IACtB,kDAAkD;IAClD,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,2EAA2E;IAC3E,iBAAiB,CAAC,EAAE,MAAM,CAAC;CAC9B;AAED;;;;GAIG;AACH,MAAM,WAAW,IAAI;IACjB,mFAAmF;IACnF,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,yEAAyE;IACzE,EAAE,EAAE,MAAM,CAAC;IACX,gCAAgC;IAChC,IAAI,EAAE,MAAM,CAAC;IACb,uCAAuC;IACvC,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,mDAAmD;IACnD,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;IAC1B,sDAAsD;IACtD,mBAAmB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC/B,sDAAsD;IACtD,oBAAoB,CAAC,EAAE,MAAM,EAAE,CAAC;IAChC,uDAAuD;IACvD,qBAAqB,CAAC,EAAE,MAAM,EAAE,CAAC;IACjC,kDAAkD;IAClD,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;IACvB,mDAAmD;IACnD,oBAAoB,CAAC,EAAE,MAAM,EAAE,CAAC;IAChC,qCAAqC;IACrC,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;CACzB;AAED;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAC9B,gEAAgE;IAChE,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,4EAA4E;IAC5E,EAAE,EAAE,MAAM,CAAC;IACX,qCAAqC;IACrC,IAAI,EAAE,MAAM,CAAC;IACb,4CAA4C;IAC5C,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,0CAA0C;IAC1C,UAAU,CAAC,EAAE,MAAM,EAAE,CAAC;CACzB;AAED;;GAEG;AACH,MAAM,WAAW,WAAW;IACxB,iCAAiC;IACjC,OAAO,EAAE,MAAM,CAAC;IAChB,oCAAoC;IACpC,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,qCAAqC;IACrC,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,wDAAwD;IACxD,aAAa,CAAC,EAAE,OAAO,EAAE,CAAC;CAC7B;AAED;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAC9B,uDAAuD;IACvD,IAAI,EAAE,OAAO,CAAC;IACd,sCAAsC;IACtC,aAAa,EAAE,OAAO,EAAE,CAAC;IACzB,sEAAsE;IACtE,KAAK,CAAC,EAAE,IAAI,EAAE,CAAC;CAClB;AAED;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAC9B,0CAA0C;IAC1C,KAAK,EAAE,MAAM,CAAC;IACd,gDAAgD;IAChD,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,+CAA+C;IAC/C,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,+EAA+E;IAC/E,kBAAkB,EAAE,MAAM,CAAC;IAC3B,kFAAkF;IAClF,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,6FAA6F;IAC7F,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,wDAAwD;IACxD,aAAa,CAAC,EAAE,YAAY,EAAE,CAAC;IAC/B,iDAAiD;IACjD,oBAAoB,CAAC,EAAE,MAAM,CAAC;CACjC;AAED;;GAEG;AACH,MAAM,WAAW,YAAY;IACzB,sEAAsE;IACtE,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,sEAAsE;IACtE,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,6BAA6B;IAC7B,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CAC1B;AAED;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAChC,2EAA2E;IAC3E,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,6FAA6F;IAC7F,QAAQ,EAAE,MAAM,EAAE,CAAC;IACnB,+CAA+C;IAC/C,aAAa,EAAE,YAAY,EAAE,CAAC;IAC9B,sGAAsG;IACtG,YAAY,CAAC,EAAE,OAAO,CAAC;CAC1B;AAWD;;;;;;;GAOG;AACH,wBAAsB,SAAS,IAAI,OAAO,CAAC,IAAI,EAAE,CAAC,CAKjD;AAED;;GAEG;AACH,wBAAgB,qBAAqB,IAAI,UAAU,CAAC,IAAI,EAAE,CAAC,CAE1D;AAED;;;;;;;GAOG;AACH,wBAAsB,sBAAsB,IAAI,OAAO,CAAC,iBAAiB,EAAE,CAAC,CAK3E;AAED;;GAEG;AACH,wBAAgB,kCAAkC,IAAI,UAAU,CAAC,iBAAiB,EAAE,CAAC,CAEpF;AAED;;;;;;GAMG;AACH,wBAAsB,gBAAgB,IAAI,OAAO,CAAC,WAAW,EAAE,CAAC,CAK/D;AAED;;GAEG;AACH,wBAAgB,4BAA4B,IAAI,UAAU,CAAC,WAAW,EAAE,CAAC,CAExE;AAED;;;;;GAKG;AACH,wBAAsB,aAAa,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,iBAAiB,CAAC,CAK/E;AAED;;GAEG;AACH,wBAAgB,yBAAyB,CAAC,OAAO,EAAE,MAAM,GAAG,UAAU,CAAC,iBAAiB,CAAC,CAExF;AAED;;;;;;;;GAQG;AACH,wBAAsB,UAAU,CAAC,GAAG,EAAE,iBAAiB,GAAG,OAAO,CAAC,YAAY,CAAC,CAK9E;AAED;;GAEG;AACH,wBAAgB,sBAAsB,CAAC,GAAG,EAAE,iBAAiB,GAAG,UAAU,CAAC,YAAY,CAAC,CAEvF;AAED;;;;;;;;GAQG;AACH,wBAAsB,gBAAgB,CAAC,OAAO,EAAE,MAAM,EAAE,GAAG,EAAE,mBAAmB,GAAG,OAAO,CAAC,IAAI,CAAC,CAK/F;AAED;;GAEG;AACH,wBAAgB,4BAA4B,CAAC,OAAO,EAAE,MAAM,EAAE,GAAG,EAAE,mBAAmB,GAAG,UAAU,CAAC,IAAI,CAAC,CAExG;AAED;;;;;GAKG;AACH,wBAAsB,gBAAgB,CAAC,OAAO,EAAE,MAAM,EAAE,cAAc,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAK7F;AAED;;GAEG;AACH,wBAAgB,4BAA4B,CAAC,OAAO,EAAE,MAAM,EAAE,cAAc,EAAE,MAAM,GAAG,UAAU,CAAC,IAAI,CAAC,CAEtG;AAED;;;;;GAKG;AACH,wBAAgB,oBAAoB,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAEjE;AAED;;;;GAIG;AACH,wBAAgB,cAAc,IAAI,MAAM,EAAE,CAEzC"}