@logto/schemas 1.12.0 → 1.13.1

package/lib/types/domain.d.ts

@@ -15,71 +15,27 @@ export declare const domainResponseGuard: z.ZodObject<Pick<{
         value: string;
         name: string;
     }[]>;
-    cloudflareData: z.ZodType<z.objectOutputType<{
-        id: z.ZodString;
-        status: z.ZodString;
-        ssl: z.ZodObject<{
-            status: z.ZodString;
-            validation_errors: z.ZodOptional<z.ZodArray<z.ZodObject<{
-                message: z.ZodString;
-            }, "strip", z.ZodUnknown, z.objectOutputType<{
-                message: z.ZodString;
-            }, z.ZodUnknown, "strip">, z.objectInputType<{
-                message: z.ZodString;
-            }, z.ZodUnknown, "strip">>, "many">>;
-        }, "strip", z.ZodUnknown, z.objectOutputType<{
-            status: z.ZodString;
-            validation_errors: z.ZodOptional<z.ZodArray<z.ZodObject<{
-                message: z.ZodString;
-            }, "strip", z.ZodUnknown, z.objectOutputType<{
-                message: z.ZodString;
-            }, z.ZodUnknown, "strip">, z.objectInputType<{
-                message: z.ZodString;
-            }, z.ZodUnknown, "strip">>, "many">>;
-        }, z.ZodUnknown, "strip">, z.objectInputType<{
-            status: z.ZodString;
-            validation_errors: z.ZodOptional<z.ZodArray<z.ZodObject<{
-                message: z.ZodString;
-            }, "strip", z.ZodUnknown, z.objectOutputType<{
-                message: z.ZodString;
-            }, z.ZodUnknown, "strip">, z.objectInputType<{
-                message: z.ZodString;
-            }, z.ZodUnknown, "strip">>, "many">>;
-        }, z.ZodUnknown, "strip">>;
-        verification_errors: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
-    }, z.ZodUnknown, "strip"> | null, z.ZodTypeDef, z.objectOutputType<{
-        id: z.ZodString;
-        status: z.ZodString;
-        ssl: z.ZodObject<{
-            status: z.ZodString;
-            validation_errors: z.ZodOptional<z.ZodArray<z.ZodObject<{
-                message: z.ZodString;
-            }, "strip", z.ZodUnknown, z.objectOutputType<{
-                message: z.ZodString;
-            }, z.ZodUnknown, "strip">, z.objectInputType<{
-                message: z.ZodString;
-            }, z.ZodUnknown, "strip">>, "many">>;
-        }, "strip", z.ZodUnknown, z.objectOutputType<{
-            status: z.ZodString;
-            validation_errors: z.ZodOptional<z.ZodArray<z.ZodObject<{
-                message: z.ZodString;
-            }, "strip", z.ZodUnknown, z.objectOutputType<{
-                message: z.ZodString;
-            }, z.ZodUnknown, "strip">, z.objectInputType<{
-                message: z.ZodString;
-            }, z.ZodUnknown, "strip">>, "many">>;
-        }, z.ZodUnknown, "strip">, z.objectInputType<{
-            status: z.ZodString;
-            validation_errors: z.ZodOptional<z.ZodArray<z.ZodObject<{
-                message: z.ZodString;
-            }, "strip", z.ZodUnknown, z.objectOutputType<{
-                message: z.ZodString;
-            }, z.ZodUnknown, "strip">, z.objectInputType<{
-                message: z.ZodString;
-            }, z.ZodUnknown, "strip">>, "many">>;
-        }, z.ZodUnknown, "strip">>;
-        verification_errors: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
-    }, z.ZodUnknown, "strip"> | null>;
+    cloudflareData: z.ZodType<{
+        status: string;
+        id: string;
+        ssl: {
+            status: string;
+            validation_errors?: {
+                message: string;
+            }[] | undefined;
+        };
+        verification_errors?: string[] | undefined;
+    } | null, z.ZodTypeDef, {
+        status: string;
+        id: string;
+        ssl: {
+            status: string;
+            validation_errors?: {
+                message: string;
+            }[] | undefined;
+        };
+        verification_errors?: string[] | undefined;
+    } | null>;
     updatedAt: z.ZodType<number, z.ZodTypeDef, number>;
     createdAt: z.ZodType<number, z.ZodTypeDef, number>;
 }, "status" | "id" | "domain" | "errorMessage" | "dnsRecords">, "strip", z.ZodTypeAny, {

package/lib/types/index.d.ts

@@ -23,3 +23,6 @@ export * from './mfa.js';
 export * from './organization.js';
 export * from './sso-connector.js';
 export * from './tenant.js';
+export * from './tenant-organization.js';
+export * from './mapi-proxy.js';
+export * from './consent.js';

package/lib/types/index.js

@@ -23,3 +23,6 @@ export * from './mfa.js';
 export * from './organization.js';
 export * from './sso-connector.js';
 export * from './tenant.js';
+export * from './tenant-organization.js';
+export * from './mapi-proxy.js';
+export * from './consent.js';

package/lib/types/interactions.d.ts

@@ -39,13 +39,13 @@ export declare const phonePasswordPayloadGuard: z.ZodObject<{
 export type PhonePasswordPayload = z.infer<typeof phonePasswordPayloadGuard>;
 export declare const socialConnectorPayloadGuard: z.ZodObject<{
     connectorId: z.ZodString;
-    connectorData: z.ZodRecord<z.ZodString, z.ZodType<import("../foundations/index.js").Json, z.ZodTypeDef, import("../foundations/index.js").Json>>;
+    connectorData: z.ZodRecord<z.ZodString, z.ZodType<import("@withtyped/server/lib/types.js").Json, z.ZodTypeDef, import("@withtyped/server/lib/types.js").Json>>;
 }, "strip", z.ZodTypeAny, {
     connectorId: string;
-    connectorData: Record<string, import("../foundations/index.js").Json>;
+    connectorData: Record<string, import("@withtyped/server/lib/types.js").Json>;
 }, {
     connectorId: string;
-    connectorData: Record<string, import("../foundations/index.js").Json>;
+    connectorData: Record<string, import("@withtyped/server/lib/types.js").Json>;
 }>;
 export type SocialConnectorPayload = z.infer<typeof socialConnectorPayloadGuard>;
 export declare const socialEmailPayloadGuard: z.ZodObject<{
@@ -123,13 +123,13 @@ export declare const identifierPayloadGuard: z.ZodUnion<[z.ZodObject<{
     verificationCode: string;
 }>, z.ZodObject<{
     connectorId: z.ZodString;
-    connectorData: z.ZodRecord<z.ZodString, z.ZodType<import("../foundations/index.js").Json, z.ZodTypeDef, import("../foundations/index.js").Json>>;
+    connectorData: z.ZodRecord<z.ZodString, z.ZodType<import("@withtyped/server/lib/types.js").Json, z.ZodTypeDef, import("@withtyped/server/lib/types.js").Json>>;
 }, "strip", z.ZodTypeAny, {
     connectorId: string;
-    connectorData: Record<string, import("../foundations/index.js").Json>;
+    connectorData: Record<string, import("@withtyped/server/lib/types.js").Json>;
 }, {
     connectorId: string;
-    connectorData: Record<string, import("../foundations/index.js").Json>;
+    connectorData: Record<string, import("@withtyped/server/lib/types.js").Json>;
 }>, z.ZodObject<{
     connectorId: z.ZodString;
     email: z.ZodString;

package/lib/types/logto-config.d.ts

@@ -1,6 +1,5 @@
 import type { ZodType } from 'zod';
 import { z } from 'zod';
-import { TenantTag } from './tenant.js';
 /**
  * Logto OIDC signing key types, used mainly in REST API routes.
  */
@@ -48,33 +47,60 @@ export declare const adminConsoleDataGuard: z.ZodObject<{
     organizationCreated: z.ZodBoolean;
     developmentTenantMigrationNotification: z.ZodOptional<z.ZodObject<{
         isPaidTenant: z.ZodBoolean;
-        tag: z.ZodNativeEnum<typeof TenantTag>;
+        /**
+         * Tag is used to store the original tenant tag before dev tenant migration.
+         * This field is only used for DB rollback and because the `TenantTag` may change, so we don't guard it as the `TenantTag` type.
+         */
+        tag: z.ZodString;
         readAt: z.ZodOptional<z.ZodNumber>;
     }, "strip", z.ZodTypeAny, {
         isPaidTenant: boolean;
-        tag: TenantTag;
+        tag: string;
         readAt?: number | undefined;
     }, {
         isPaidTenant: boolean;
-        tag: TenantTag;
+        tag: string;
         readAt?: number | undefined;
     }>>;
+    checkedChargeNotification: z.ZodOptional<z.ZodObject<{
+        token: z.ZodOptional<z.ZodBoolean>;
+        apiResource: z.ZodOptional<z.ZodBoolean>;
+        machineToMachineApp: z.ZodOptional<z.ZodBoolean>;
+    }, "strip", z.ZodTypeAny, {
+        token?: boolean | undefined;
+        apiResource?: boolean | undefined;
+        machineToMachineApp?: boolean | undefined;
+    }, {
+        token?: boolean | undefined;
+        apiResource?: boolean | undefined;
+        machineToMachineApp?: boolean | undefined;
+    }>>;
 }, "strip", z.ZodTypeAny, {
     signInExperienceCustomized: boolean;
     organizationCreated: boolean;
     developmentTenantMigrationNotification?: {
         isPaidTenant: boolean;
-        tag: TenantTag;
+        tag: string;
         readAt?: number | undefined;
     } | undefined;
+    checkedChargeNotification?: {
+        token?: boolean | undefined;
+        apiResource?: boolean | undefined;
+        machineToMachineApp?: boolean | undefined;
+    } | undefined;
 }, {
     signInExperienceCustomized: boolean;
     organizationCreated: boolean;
     developmentTenantMigrationNotification?: {
         isPaidTenant: boolean;
-        tag: TenantTag;
+        tag: string;
         readAt?: number | undefined;
     } | undefined;
+    checkedChargeNotification?: {
+        token?: boolean | undefined;
+        apiResource?: boolean | undefined;
+        machineToMachineApp?: boolean | undefined;
+    } | undefined;
 }>;
 export type AdminConsoleData = z.infer<typeof adminConsoleDataGuard>;
 export declare const cloudConnectionDataGuard: z.ZodObject<{

package/lib/types/logto-config.js

@@ -1,5 +1,4 @@
 import { z } from 'zod';
-import { TenantTag } from './tenant.js';
 /**
  * Logto OIDC signing key types, used mainly in REST API routes.
  */
@@ -40,10 +39,21 @@ export const adminConsoleDataGuard = z.object({
     developmentTenantMigrationNotification: z
         .object({
         isPaidTenant: z.boolean(),
-        tag: z.nativeEnum(TenantTag),
+        /**
+         * Tag is used to store the original tenant tag before dev tenant migration.
+         * This field is only used for DB rollback and because the `TenantTag` may change, so we don't guard it as the `TenantTag` type.
+         */
+        tag: z.string(),
         readAt: z.number().optional(),
     })
         .optional(),
+    checkedChargeNotification: z
+        .object({
+        token: z.boolean().optional(),
+        apiResource: z.boolean().optional(),
+        machineToMachineApp: z.boolean().optional(),
+    })
+        .optional(),
 });
 /* --- Logto tenant cloud connection config --- */
 export const cloudConnectionDataGuard = z.object({

package/lib/types/mapi-proxy.d.ts

@@ -0,0 +1,30 @@
+/**
+ * @fileoverview
+ * Mapi (Management API) proxy is an endpoint in Logto Cloud that proxies the requests to the
+ * corresponding Management API. It has the following benefits:
+ *
+ * - When we migrate the tenant management from API resources to tenant organizations, we can
+ *   migrate Console to use the mapi proxy endpoint by changing only the base URL.
+ * - It decouples the access control of Cloud user collaboration from the machine-to-machine access
+ *   control of the Management API.
+ * - The mapi proxy endpoint shares the same domain with Logto Cloud, so it can be used in the
+ *   browser without CORS.
+ *
+ * This module provides utilities to manage mapi proxy.
+ */
+import { type Role, type CreateApplication } from '../db-entries/index.js';
+/**
+ * Given a tenant ID, return the role data for the mapi proxy.
+ *
+ * It follows a convention to generate all the fields which can be used across the system. See
+ * source code for details.
+ */
+export declare const getMapiProxyRole: (tenantId: string) => Readonly<Role>;
+/**
+ * Given a tenant ID, return the application create data for the mapi proxy. The proxy will use the
+ * application to access the Management API.
+ *
+ * It follows a convention to generate all the fields which can be used across the system. See
+ * source code for details.
+ */
+export declare const getMapiProxyM2mApp: (tenantId: string) => Readonly<CreateApplication>;

package/lib/types/mapi-proxy.js

@@ -0,0 +1,49 @@
+/**
+ * @fileoverview
+ * Mapi (Management API) proxy is an endpoint in Logto Cloud that proxies the requests to the
+ * corresponding Management API. It has the following benefits:
+ *
+ * - When we migrate the tenant management from API resources to tenant organizations, we can
+ *   migrate Console to use the mapi proxy endpoint by changing only the base URL.
+ * - It decouples the access control of Cloud user collaboration from the machine-to-machine access
+ *   control of the Management API.
+ * - The mapi proxy endpoint shares the same domain with Logto Cloud, so it can be used in the
+ *   browser without CORS.
+ *
+ * This module provides utilities to manage mapi proxy.
+ */
+import { generateStandardSecret } from '@logto/shared/universal';
+import { RoleType, ApplicationType, } from '../db-entries/index.js';
+import { adminTenantId } from '../seeds/tenant.js';
+/**
+ * Given a tenant ID, return the role data for the mapi proxy.
+ *
+ * It follows a convention to generate all the fields which can be used across the system. See
+ * source code for details.
+ */
+export const getMapiProxyRole = (tenantId) => Object.freeze({
+    tenantId: adminTenantId,
+    id: `m-${tenantId}`,
+    name: `machine:mapi:${tenantId}`,
+    description: `Machine-to-machine role for accessing Management API of tenant '${tenantId}'.`,
+    type: RoleType.MachineToMachine,
+});
+/**
+ * Given a tenant ID, return the application create data for the mapi proxy. The proxy will use the
+ * application to access the Management API.
+ *
+ * It follows a convention to generate all the fields which can be used across the system. See
+ * source code for details.
+ */
+export const getMapiProxyM2mApp = (tenantId) => Object.freeze({
+    tenantId: adminTenantId,
+    id: `m-${tenantId}`,
+    secret: generateStandardSecret(32),
+    name: `Management API access for ${tenantId}`,
+    description: `Machine-to-machine app for accessing Management API of tenant '${tenantId}'.`,
+    type: ApplicationType.MachineToMachine,
+    oidcClientMetadata: {
+        redirectUris: [],
+        postLogoutRedirectUris: [],
+    },
+});

package/lib/types/organization.d.ts

@@ -1,5 +1,5 @@
 import { z } from 'zod';
-import { type OrganizationRole, type Organization } from '../db-entries/index.js';
+import { type OrganizationRole, type Organization, type OrganizationInvitation } from '../db-entries/index.js';
 import { type UserInfo, type FeaturedUser } from './user.js';
 /**
  * The simplified organization scope entity that is returned for some endpoints.
@@ -46,3 +46,12 @@ export type OrganizationWithFeatured = Organization & {
     usersCount?: number;
     featuredUsers?: FeaturedUser[];
 };
+/**
+ * The organization invitation with additional fields:
+ *
+ * - `organizationRoles`: The roles to be assigned to the user when accepting the invitation.
+ */
+export type OrganizationInvitationEntity = OrganizationInvitation & {
+    organizationRoles: OrganizationRoleEntity[];
+};
+export declare const organizationInvitationEntityGuard: z.ZodType<OrganizationInvitationEntity>;

package/lib/types/organization.js

@@ -1,5 +1,5 @@
 import { z } from 'zod';
-import { OrganizationRoles, Organizations, } from '../db-entries/index.js';
+import { OrganizationRoles, Organizations, OrganizationInvitations, } from '../db-entries/index.js';
 import { userInfoGuard } from './user.js';
 export const organizationRoleWithScopesGuard = OrganizationRoles.guard.extend({
     scopes: z
@@ -19,3 +19,6 @@ export const organizationWithOrganizationRolesGuard = Organizations.guard.extend
 export const userWithOrganizationRolesGuard = userInfoGuard.extend({
     organizationRoles: organizationRoleEntityGuard.array(),
 });
+export const organizationInvitationEntityGuard = OrganizationInvitations.guard.extend({
+    organizationRoles: organizationRoleEntityGuard.array(),
+});

package/lib/types/sso-connector.d.ts

@@ -75,9 +75,6 @@ export declare const ssoConnectorWithProviderConfigGuard: z.ZodObject<{
     id: z.ZodType<string, z.ZodTypeDef, string>;
     tenantId: z.ZodType<string, z.ZodTypeDef, string>;
     createdAt: z.ZodType<number, z.ZodTypeDef, number>;
-    syncProfile: z.ZodType<boolean, z.ZodTypeDef, boolean>;
-    config: z.ZodType<import("@withtyped/server").JsonObject, z.ZodTypeDef, import("@withtyped/server").JsonObject>;
-    domains: z.ZodType<string[], z.ZodTypeDef, string[]>;
     branding: z.ZodType<{
         displayName?: string | undefined;
         logo?: string | undefined;
@@ -87,6 +84,9 @@ export declare const ssoConnectorWithProviderConfigGuard: z.ZodObject<{
         logo?: string | undefined;
         darkLogo?: string | undefined;
     }>;
+    syncProfile: z.ZodType<boolean, z.ZodTypeDef, boolean>;
+    config: z.ZodType<import("@withtyped/server").JsonObject, z.ZodTypeDef, import("@withtyped/server").JsonObject>;
+    domains: z.ZodType<string[], z.ZodTypeDef, string[]>;
     connectorName: z.ZodType<string, z.ZodTypeDef, string>;
     name: z.ZodString;
     providerName: z.ZodNativeEnum<typeof SsoProviderName>;
@@ -98,14 +98,14 @@ export declare const ssoConnectorWithProviderConfigGuard: z.ZodObject<{
     id: string;
     tenantId: string;
     createdAt: number;
-    syncProfile: boolean;
-    config: import("@withtyped/server").JsonObject;
-    domains: string[];
     branding: {
         displayName?: string | undefined;
         logo?: string | undefined;
         darkLogo?: string | undefined;
     };
+    syncProfile: boolean;
+    config: import("@withtyped/server").JsonObject;
+    domains: string[];
     providerName: SsoProviderName;
     connectorName: string;
     providerLogo: string;
@@ -116,14 +116,14 @@ export declare const ssoConnectorWithProviderConfigGuard: z.ZodObject<{
     id: string;
     tenantId: string;
     createdAt: number;
-    syncProfile: boolean;
-    config: import("@withtyped/server").JsonObject;
-    domains: string[];
     branding: {
         displayName?: string | undefined;
         logo?: string | undefined;
         darkLogo?: string | undefined;
     };
+    syncProfile: boolean;
+    config: import("@withtyped/server").JsonObject;
+    domains: string[];
     providerName: SsoProviderName;
     connectorName: string;
     providerLogo: string;

package/lib/types/sso-connector.js

@@ -50,7 +50,7 @@ export const ssoConnectorProvidersResponseGuard = z.array(ssoConnectorProviderDe
 export const ssoConnectorWithProviderConfigGuard = SsoConnectors.guard
     .omit({ providerName: true })
     .merge(z.object({
-    name: z.string(),
+    name: z.string(), // For display purpose, generate from i18n key name defined by SSO factory.
     providerName: z.nativeEnum(SsoProviderName),
     providerLogo: z.string(),
     providerLogoDark: z.string(),

package/lib/types/system.d.ts

@@ -175,19 +175,46 @@ export declare const demoSocialGuard: Readonly<{
 export declare const hostnameProviderDataGuard: z.ZodObject<{
     zoneId: z.ZodString;
     apiToken: z.ZodString;
+    blockedDomains: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
 }, "strip", z.ZodTypeAny, {
     zoneId: string;
     apiToken: string;
+    blockedDomains?: string[] | undefined;
 }, {
     zoneId: string;
     apiToken: string;
+    blockedDomains?: string[] | undefined;
 }>;
 export type HostnameProviderData = z.infer<typeof hostnameProviderDataGuard>;
+export declare const protectedAppConfigProviderDataGuard: z.ZodObject<{
+    accountIdentifier: z.ZodString;
+    namespaceIdentifier: z.ZodString;
+    keyName: z.ZodString;
+    domain: z.ZodString;
+    apiToken: z.ZodString;
+}, "strip", z.ZodTypeAny, {
+    domain: string;
+    apiToken: string;
+    accountIdentifier: string;
+    namespaceIdentifier: string;
+    keyName: string;
+}, {
+    domain: string;
+    apiToken: string;
+    accountIdentifier: string;
+    namespaceIdentifier: string;
+    keyName: string;
+}>;
+export type ProtectedAppConfigProviderData = z.infer<typeof protectedAppConfigProviderDataGuard>;
 export declare enum CloudflareKey {
-    HostnameProvider = "cloudflareHostnameProvider"
+    HostnameProvider = "cloudflareHostnameProvider",
+    ProtectedAppConfigProvider = "cloudflareProtectedAppConfigProvider",
+    ProtectedAppHostnameProvider = "cloudflareProtectedAppHostnameProvider"
 }
 export type CloudflareType = {
     [CloudflareKey.HostnameProvider]: HostnameProviderData;
+    [CloudflareKey.ProtectedAppConfigProvider]: ProtectedAppConfigProviderData;
+    [CloudflareKey.ProtectedAppHostnameProvider]: HostnameProviderData;
 };
 export declare const cloudflareGuard: Readonly<{
     [key in CloudflareKey]: ZodType<CloudflareType[key]>;

package/lib/types/system.js

@@ -100,13 +100,30 @@ export const demoSocialGuard = Object.freeze({
 export const hostnameProviderDataGuard = z.object({
     zoneId: z.string(),
     apiToken: z.string(), // Requires zone permission for "SSL and Certificates Edit"
+    blockedDomains: z.string().array().optional(), // Optional list of blocked domains
+});
+// Cloudflare KV for protected app config
+export const protectedAppConfigProviderDataGuard = z.object({
+    /* Cloudflare Workers & Pages account ID */
+    accountIdentifier: z.string(),
+    /* KV namespace ID */
+    namespaceIdentifier: z.string(),
+    /* Key prefix for protected app config */
+    keyName: z.string(),
+    /* The default domain (e.g protected.app) for the protected app */
+    domain: z.string(),
+    apiToken: z.string(), // Requires account permission for "KV Storage Edit"
 });
 export var CloudflareKey;
 (function (CloudflareKey) {
     CloudflareKey["HostnameProvider"] = "cloudflareHostnameProvider";
+    CloudflareKey["ProtectedAppConfigProvider"] = "cloudflareProtectedAppConfigProvider";
+    CloudflareKey["ProtectedAppHostnameProvider"] = "cloudflareProtectedAppHostnameProvider";
 })(CloudflareKey || (CloudflareKey = {}));
 export const cloudflareGuard = Object.freeze({
     [CloudflareKey.HostnameProvider]: hostnameProviderDataGuard,
+    [CloudflareKey.ProtectedAppConfigProvider]: protectedAppConfigProviderDataGuard,
+    [CloudflareKey.ProtectedAppHostnameProvider]: hostnameProviderDataGuard,
 });
 export const systemKeys = Object.freeze([
     ...Object.values(AlterationStateKey),

package/lib/types/tenant-organization.d.ts

@@ -0,0 +1,107 @@
+/**
+ * @fileoverview
+ * Tenant organizations are organizations in the admin tenant that represent tenants. They are
+ * created when a tenant is created, and are used to define the roles and scopes for the users in
+ * the tenant.
+ *
+ * This module provides utilities to manage tenant organizations.
+ */
+import { type CreateOrganization, type OrganizationRole, type OrganizationScope } from '../db-entries/index.js';
+/** Given a tenant ID, return the corresponding organization ID in the admin tenant. */
+export declare const getTenantOrganizationId: (tenantId: string) => string;
+/**
+ * Given a tenant ID, return the organization create data for the admin tenant. It follows a
+ * convention to generate the organization ID and name which can be used across the system.
+ *
+ * @example
+ * ```ts
+ * const tenantId = 'test-tenant';
+ * const createData = getCreateData(tenantId);
+ *
+ * expect(createData).toEqual({
+ *   tenantId: 'admin',
+ *   id: 't-test-tenant',
+ *   name: 'Tenant test-tenant',
+ * });
+ * ```
+ *
+ * @see {@link getId} for the convention of generating the organization ID.
+ */
+export declare const getTenantOrganizationCreateData: (tenantId: string) => Readonly<CreateOrganization>;
+/**
+ * Scope names in organization template for managing tenants.
+ *
+ * @remarks
+ * Should sync JSDoc descriptions with {@link tenantScopeDescriptions}.
+ */
+export declare enum TenantScope {
+    /** Read the tenant data. */
+    ReadData = "read:data",
+    /** Write the tenant data, including creating and updating the tenant. */
+    WriteData = "write:data",
+    /** Delete data of the tenant. */
+    DeleteData = "delete:data",
+    /** Invite members to the tenant. */
+    InviteMember = "invite:member",
+    /** Remove members from the tenant. */
+    RemoveMember = "remove:member",
+    /** Update the role of a member in the tenant. */
+    UpdateMemberRole = "update:member:role",
+    /** Manage the tenant settings, including name, billing, etc. */
+    ManageTenant = "manage:tenant"
+}
+/**
+ * Given a tenant scope, return the corresponding organization scope data in the admin tenant.
+ *
+ * @example
+ * ```ts
+ * const scope = TenantScope.ReadData; // 'read:data'
+ * const scopeData = getTenantScope(scope);
+ *
+ * expect(scopeData).toEqual({
+ *   tenantId: 'admin',
+ *   id: 'read-data',
+ *   name: 'read:data',
+ *   description: 'Read the tenant data.',
+ * });
+ * ```
+ *
+ * @see {@link tenantScopeDescriptions} for scope descriptions of each scope.
+ */
+export declare const getTenantScope: (scope: TenantScope) => Readonly<OrganizationScope>;
+/**
+ * Role names in organization template for managing tenants.
+ *
+ * @remarks
+ * Should sync JSDoc descriptions with {@link tenantRoleDescriptions}.
+ */
+export declare enum TenantRole {
+    /** Admin of the tenant, who has all permissions. */
+    Admin = "admin",
+    /** Member of the tenant, who has permissions to operate the tenant data, but not the tenant settings. */
+    Member = "member"
+}
+/**
+ * Given a tenant role, return the corresponding organization role data in the admin tenant.
+ *
+ * @example
+ * ```ts
+ * const role = TenantRole.Member; // 'member'
+ * const roleData = getTenantRole(role);
+ *
+ * expect(roleData).toEqual({
+ *   tenantId: 'admin',
+ *   id: 'member',
+ *   name: 'member',
+ *   description: 'Member of the tenant, who has permissions to operate the tenant data, but not the tenant settings.',
+ * });
+ * ```
+ *
+ * @see {@link tenantRoleDescriptions} for scope descriptions of each role.
+ */
+export declare const getTenantRole: (role: TenantRole) => Readonly<OrganizationRole>;
+/**
+ * The dictionary of tenant roles and their corresponding scopes.
+ * @see {TenantRole} for scope descriptions of each role.
+ */
+export declare const tenantRoleScopes: Readonly<Record<TenantRole, Readonly<TenantScope[]>>>;