@logto/schemas 1.39.0 → 1.40.0

Files changed (70) hide show
  1. package/alterations/1.40.0-1776516232-add-account-center-profile-fields.ts +20 -0
  2. package/alterations/1.40.0-1778318116-add-custom-ui-csp-to-sie.ts +20 -0
  3. package/alterations/1.40.0-1778500000-add-organization-user-relations-user-id-index.ts +41 -0
  4. package/alterations/1.40.0-1778500001-add-organization-role-user-relations-org-user-index.ts +43 -0
  5. package/alterations/1.40.0-1779421396-add-application-access-control-schema.ts +90 -0
  6. package/alterations-js/1.40.0-1776516232-add-account-center-profile-fields.js +16 -0
  7. package/alterations-js/1.40.0-1778318116-add-custom-ui-csp-to-sie.js +16 -0
  8. package/alterations-js/1.40.0-1778500000-add-organization-user-relations-user-id-index.js +37 -0
  9. package/alterations-js/1.40.0-1778500001-add-organization-role-user-relations-org-user-index.js +39 -0
  10. package/alterations-js/1.40.0-1779421396-add-application-access-control-schema.js +82 -0
  11. package/lib/consts/application.d.ts +1 -0
  12. package/lib/consts/application.js +1 -0
  13. package/lib/consts/index.d.ts +1 -0
  14. package/lib/consts/index.js +1 -0
  15. package/lib/db-entries/account-center.d.ts +6 -2
  16. package/lib/db-entries/account-center.js +5 -1
  17. package/lib/db-entries/application-access-control-org-role-relation.d.ts +22 -0
  18. package/lib/db-entries/application-access-control-org-role-relation.js +33 -0
  19. package/lib/db-entries/application-access-control-organization-relation.d.ts +20 -0
  20. package/lib/db-entries/application-access-control-organization-relation.js +29 -0
  21. package/lib/db-entries/application-access-control-user-relation.d.ts +20 -0
  22. package/lib/db-entries/application-access-control-user-relation.js +29 -0
  23. package/lib/db-entries/application-access-control-user-role-relation.d.ts +20 -0
  24. package/lib/db-entries/application-access-control-user-role-relation.js +29 -0
  25. package/lib/db-entries/application.d.ts +3 -1
  26. package/lib/db-entries/application.js +4 -0
  27. package/lib/db-entries/index.d.ts +4 -0
  28. package/lib/db-entries/index.js +4 -0
  29. package/lib/db-entries/sign-in-experience.d.ts +4 -2
  30. package/lib/db-entries/sign-in-experience.js +5 -1
  31. package/lib/foundations/jsonb-types/account-centers.d.ts +26 -0
  32. package/lib/foundations/jsonb-types/account-centers.js +4 -0
  33. package/lib/foundations/jsonb-types/applications.d.ts +3 -0
  34. package/lib/foundations/jsonb-types/applications.js +4 -0
  35. package/lib/foundations/jsonb-types/applications.test.d.ts +1 -0
  36. package/lib/foundations/jsonb-types/applications.test.js +23 -0
  37. package/lib/foundations/jsonb-types/sign-in-experience.d.ts +1 -1
  38. package/lib/foundations/jsonb-types/sign-in-experience.js +1 -0
  39. package/lib/foundations/jsonb-types/sign-in-experience.test.d.ts +1 -0
  40. package/lib/foundations/jsonb-types/sign-in-experience.test.js +18 -0
  41. package/lib/seeds/application.js +2 -0
  42. package/lib/seeds/sign-in-experience.d.ts +13 -1
  43. package/lib/seeds/sign-in-experience.js +10 -1
  44. package/lib/seeds/sign-in-experience.test.d.ts +1 -0
  45. package/lib/seeds/sign-in-experience.test.js +27 -0
  46. package/lib/types/application.d.ts +99 -0
  47. package/lib/types/application.js +55 -0
  48. package/lib/types/application.test.d.ts +1 -0
  49. package/lib/types/application.test.js +120 -0
  50. package/lib/types/consent.d.ts +6 -0
  51. package/lib/types/logto-config/index.d.ts +38 -0
  52. package/lib/types/logto-config/jwt-customizer.d.ts +65 -0
  53. package/lib/types/saml-application.d.ts +3 -0
  54. package/lib/types/sign-in-experience.d.ts +14 -0
  55. package/lib/types/sign-in-experience.js +1 -0
  56. package/lib/types/system.d.ts +46 -7
  57. package/lib/types/system.js +9 -0
  58. package/lib/types/user-assets.d.ts +1 -1
  59. package/lib/types/user-sessions.d.ts +2516 -0
  60. package/lib/types/user-sessions.js +21 -0
  61. package/package.json +4 -4
  62. package/tables/account_centers.sql +2 -0
  63. package/tables/application_access_control_org_role_relations.sql +16 -0
  64. package/tables/application_access_control_organization_relations.sql +12 -0
  65. package/tables/application_access_control_user_relations.sql +12 -0
  66. package/tables/application_access_control_user_role_relations.sql +14 -0
  67. package/tables/applications.sql +1 -0
  68. package/tables/organization_role_user_relations.sql +3 -0
  69. package/tables/organization_user_relations.sql +3 -0
  70. package/tables/sign_in_experiences.sql +1 -0
@@ -9,6 +9,7 @@ export const featuredApplicationGuard = Applications.guard.pick({
9
9
  });
10
10
  export const applicationCreateGuard = Applications.createGuard
11
11
  .omit({
12
+ appLevelAccessControlEnabled: true,
12
13
  id: true,
13
14
  createdAt: true,
14
15
  secret: true,
@@ -20,6 +21,60 @@ export const applicationPatchGuard = applicationCreateGuard.partial().omit({
20
21
  type: true,
21
22
  isThirdParty: true,
22
23
  });
24
+ const applicationAccessControlRuleLimit = 1000;
25
+ const applicationAccessControlRawRuleLimit = applicationAccessControlRuleLimit * 2;
26
+ const uniqueStringArrayGuard = z
27
+ .array(z.string())
28
+ .max(applicationAccessControlRawRuleLimit)
29
+ .transform((values) => [...new Set(values)])
30
+ .pipe(z.array(z.string()).max(applicationAccessControlRuleLimit));
31
+ /** The guard for one organization role access-control rule group. */
32
+ export const applicationAccessControlOrganizationRoleRuleGuard = z.object({
33
+ organizationId: z.string(),
34
+ organizationRoleIds: uniqueStringArrayGuard,
35
+ });
36
+ /** The guard for application-level access control rule payloads. */
37
+ export const applicationAccessControlGuard = z
38
+ .object({
39
+ userIds: uniqueStringArrayGuard,
40
+ userRoleIds: uniqueStringArrayGuard,
41
+ organizationIds: uniqueStringArrayGuard,
42
+ organizationRoleRules: z
43
+ .array(applicationAccessControlOrganizationRoleRuleGuard)
44
+ .max(applicationAccessControlRawRuleLimit),
45
+ })
46
+ .transform(({ organizationRoleRules, ...rest }) => {
47
+ const organizationRoleRulesMap = new Map();
48
+ for (const { organizationId, organizationRoleIds } of organizationRoleRules) {
49
+ const roleIds = organizationRoleRulesMap.get(organizationId) ?? new Set();
50
+ for (const roleId of organizationRoleIds) {
51
+ roleIds.add(roleId);
52
+ }
53
+ organizationRoleRulesMap.set(organizationId, roleIds);
54
+ }
55
+ return {
56
+ ...rest,
57
+ organizationRoleRules: [...organizationRoleRulesMap.entries()].map(([organizationId, organizationRoleIds]) => ({
58
+ organizationId,
59
+ organizationRoleIds: [...organizationRoleIds],
60
+ })),
61
+ };
62
+ })
63
+ .pipe(z.object({
64
+ userIds: z.array(z.string()).max(applicationAccessControlRuleLimit),
65
+ userRoleIds: z.array(z.string()).max(applicationAccessControlRuleLimit),
66
+ organizationIds: z.array(z.string()).max(applicationAccessControlRuleLimit),
67
+ organizationRoleRules: z
68
+ .array(applicationAccessControlOrganizationRoleRuleGuard)
69
+ .max(applicationAccessControlRuleLimit),
70
+ }));
71
+ /** Create an empty application-level access control rule set. */
72
+ export const createDefaultApplicationAccessControl = () => ({
73
+ userIds: [],
74
+ userRoleIds: [],
75
+ organizationIds: [],
76
+ organizationRoleRules: [],
77
+ });
23
78
  const resourceScopesGuard = z.array(z.object({
24
79
  resource: Resources.guard.pick({ id: true, name: true, indicator: true }),
25
80
  scopes: z.array(Scopes.guard.pick({ id: true, name: true, description: true })),
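Review bot: `uniqueStringArrayGuard` bounds how many ids a list may hold but not the ids themselves: `z.array(z.string())` accepts empty strings and strings of any length as user, role and organization ids, and `organizationId: z.string()` in `applicationAccessControlOrganizationRoleRuleGuard` has the same gap. For an access-control payload I would constrain the element, e.g. `z.array(z.string().min(1).max(idMaxLength))`, where `idMaxLength` is a placeholder for whatever length the id columns allow, so a blank or oversized id is rejected at the guard instead of reaching storage. There is also no aggregate cap on organization role rules: up to 1000 rules of up to 1000 role ids each pass the final `.pipe`, and the raw input may be twice that in both dimensions before the `Set`-based merge runs, so the worst-case work per request is bounded only by whatever body-size limit sits upstream. A one-line comment beside `applicationAccessControlRawRuleLimit` explaining why the raw limit is twice the normalised one would also help the next reader.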
@@ -0,0 +1 @@
1
+ export {};
@@ -0,0 +1,120 @@
1
+ import { describe, expect, it } from 'vitest';
2
+ import { applicationAccessControlGuard, createDefaultApplicationAccessControl, } from './application.js';
3
+ describe('applicationAccessControlGuard', () => {
4
+ it('deduplicates direct user and role rules', () => {
5
+ expect(applicationAccessControlGuard.parse({
6
+ userIds: ['user-1', 'user-2', 'user-1'],
7
+ userRoleIds: ['role-1', 'role-1', 'role-2'],
8
+ organizationIds: ['organization-1', 'organization-1', 'organization-2'],
9
+ organizationRoleRules: [],
10
+ })).toMatchObject({
11
+ userIds: ['user-1', 'user-2'],
12
+ userRoleIds: ['role-1', 'role-2'],
13
+ organizationIds: ['organization-1', 'organization-2'],
14
+ organizationRoleRules: [],
15
+ });
16
+ });
17
+ it('merges organization role rules by organization', () => {
18
+ expect(applicationAccessControlGuard.parse({
19
+ userIds: [],
20
+ userRoleIds: [],
21
+ organizationIds: [],
22
+ organizationRoleRules: [
23
+ {
24
+ organizationId: 'organization-1',
25
+ organizationRoleIds: ['organization-role-1', 'organization-role-2'],
26
+ },
27
+ {
28
+ organizationId: 'organization-1',
29
+ organizationRoleIds: ['organization-role-1', 'organization-role-3'],
30
+ },
31
+ {
32
+ organizationId: 'organization-2',
33
+ organizationRoleIds: ['organization-role-1'],
34
+ },
35
+ ],
36
+ })).toMatchObject({
37
+ userIds: [],
38
+ userRoleIds: [],
39
+ organizationIds: [],
40
+ organizationRoleRules: [
41
+ {
42
+ organizationId: 'organization-1',
43
+ organizationRoleIds: [
44
+ 'organization-role-1',
45
+ 'organization-role-2',
46
+ 'organization-role-3',
47
+ ],
48
+ },
49
+ {
50
+ organizationId: 'organization-2',
51
+ organizationRoleIds: ['organization-role-1'],
52
+ },
53
+ ],
54
+ });
55
+ });
56
+ it('creates a fresh default rule set', () => {
57
+ const first = createDefaultApplicationAccessControl();
58
+ const second = createDefaultApplicationAccessControl();
59
+ expect(first).not.toBe(second);
60
+ expect(first.userIds).not.toBe(second.userIds);
61
+ expect(first.userRoleIds).not.toBe(second.userRoleIds);
62
+ expect(first.organizationIds).not.toBe(second.organizationIds);
63
+ expect(first.organizationRoleRules).not.toBe(second.organizationRoleRules);
64
+ });
65
+ it('rejects oversized rule lists', () => {
66
+ const oversizedIds = Array.from({ length: 1001 }, (_, index) => `id-${index}`);
67
+ const emptyAccessControl = createDefaultApplicationAccessControl();
68
+ expect(() => applicationAccessControlGuard.parse({ ...emptyAccessControl, userIds: oversizedIds })).toThrow();
69
+ expect(() => applicationAccessControlGuard.parse({
70
+ ...emptyAccessControl,
71
+ organizationRoleRules: oversizedIds.map((organizationId) => ({
72
+ organizationId,
73
+ organizationRoleIds: [],
74
+ })),
75
+ })).toThrow();
76
+ expect(() => applicationAccessControlGuard.parse({
77
+ ...emptyAccessControl,
78
+ organizationRoleRules: [
79
+ { organizationId: 'organization-1', organizationRoleIds: oversizedIds },
80
+ ],
81
+ })).toThrow();
82
+ });
83
+ it('enforces rule list limits after normalization', () => {
84
+ const emptyAccessControl = createDefaultApplicationAccessControl();
85
+ const duplicateHeavyIds = Array.from({ length: 1001 }, () => 'user-1');
86
+ const mergedOrganizationRoleRules = [
87
+ {
88
+ organizationId: 'organization-1',
89
+ organizationRoleIds: Array.from({ length: 1000 }, (_, index) => `role-${index}`),
90
+ },
91
+ {
92
+ organizationId: 'organization-1',
93
+ organizationRoleIds: ['role-1000'],
94
+ },
95
+ ];
96
+ expect(applicationAccessControlGuard.parse({ ...emptyAccessControl, userIds: duplicateHeavyIds })).toMatchObject({ userIds: ['user-1'] });
97
+ expect(() => applicationAccessControlGuard.parse({
98
+ ...emptyAccessControl,
99
+ organizationRoleRules: mergedOrganizationRoleRules,
100
+ })).toThrow();
101
+ });
102
+ it('rejects overly large raw rule inputs before normalization', () => {
103
+ const emptyAccessControl = createDefaultApplicationAccessControl();
104
+ const oversizedDuplicateIds = Array.from({ length: 2001 }, () => 'id-1');
105
+ expect(() => applicationAccessControlGuard.parse({ ...emptyAccessControl, userIds: oversizedDuplicateIds })).toThrow();
106
+ expect(() => applicationAccessControlGuard.parse({
107
+ ...emptyAccessControl,
108
+ organizationRoleRules: oversizedDuplicateIds.map(() => ({
109
+ organizationId: 'organization-1',
110
+ organizationRoleIds: [],
111
+ })),
112
+ })).toThrow();
113
+ expect(() => applicationAccessControlGuard.parse({
114
+ ...emptyAccessControl,
115
+ organizationRoleRules: [
116
+ { organizationId: 'organization-1', organizationRoleIds: oversizedDuplicateIds },
117
+ ],
118
+ })).toThrow();
119
+ });
120
+ });
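Review bot: The limit tests assert only `.toThrow()`, so they pass on any parse failure and never show that a payload exactly at a limit is accepted; an off-by-one in `applicationAccessControlRuleLimit` or in the raw limit would go unnoticed. I would add acceptance cases at the boundary (1000 unique ids, and 2000 raw ids that deduplicate to 1000 or fewer) using `expect(applicationAccessControlGuard.safeParse(input).success).toBe(true)`. For the rejection cases, check that the error is a `ZodError` whose issue path names the offending field. There is also no case for an empty-string id, which `z.array(z.string())` in the guard accepts as written.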
@@ -179,6 +179,7 @@ export declare const publicApplicationGuard: z.ZodObject<Pick<{
179
179
  pageRules: {
180
180
  path: string;
181
181
  }[];
182
+ additionalScopes?: (import("@logto/core-kit").UserScope.CustomData | import("@logto/core-kit").UserScope.Identities | import("@logto/core-kit").UserScope.Roles | import("@logto/core-kit").UserScope.Organizations | import("@logto/core-kit").UserScope.OrganizationRoles)[] | undefined;
182
183
  customDomains?: {
183
184
  status: import("../index.js").DomainStatus;
184
185
  domain: string;
@@ -207,6 +208,7 @@ export declare const publicApplicationGuard: z.ZodObject<Pick<{
207
208
  pageRules: {
208
209
  path: string;
209
210
  }[];
211
+ additionalScopes?: (import("@logto/core-kit").UserScope.CustomData | import("@logto/core-kit").UserScope.Identities | import("@logto/core-kit").UserScope.Roles | import("@logto/core-kit").UserScope.Organizations | import("@logto/core-kit").UserScope.OrganizationRoles)[] | undefined;
210
212
  customDomains?: {
211
213
  status: import("../index.js").DomainStatus;
212
214
  domain: string;
@@ -231,6 +233,7 @@ export declare const publicApplicationGuard: z.ZodObject<Pick<{
231
233
  } | null>;
232
234
  customData: z.ZodType<import("@withtyped/server").JsonObject, z.ZodTypeDef, import("@withtyped/server").JsonObject>;
233
235
  isThirdParty: z.ZodType<boolean, z.ZodTypeDef, boolean>;
236
+ appLevelAccessControlEnabled: z.ZodType<boolean, z.ZodTypeDef, boolean>;
234
237
  createdAt: z.ZodType<number, z.ZodTypeDef, number>;
235
238
  }, "name" | "id">, "strip", z.ZodTypeAny, {
236
239
  name: string;
@@ -502,6 +505,7 @@ export declare const consentInfoResponseGuard: z.ZodObject<{
502
505
  pageRules: {
503
506
  path: string;
504
507
  }[];
508
+ additionalScopes?: (import("@logto/core-kit").UserScope.CustomData | import("@logto/core-kit").UserScope.Identities | import("@logto/core-kit").UserScope.Roles | import("@logto/core-kit").UserScope.Organizations | import("@logto/core-kit").UserScope.OrganizationRoles)[] | undefined;
505
509
  customDomains?: {
506
510
  status: import("../index.js").DomainStatus;
507
511
  domain: string;
@@ -530,6 +534,7 @@ export declare const consentInfoResponseGuard: z.ZodObject<{
530
534
  pageRules: {
531
535
  path: string;
532
536
  }[];
537
+ additionalScopes?: (import("@logto/core-kit").UserScope.CustomData | import("@logto/core-kit").UserScope.Identities | import("@logto/core-kit").UserScope.Roles | import("@logto/core-kit").UserScope.Organizations | import("@logto/core-kit").UserScope.OrganizationRoles)[] | undefined;
533
538
  customDomains?: {
534
539
  status: import("../index.js").DomainStatus;
535
540
  domain: string;
@@ -554,6 +559,7 @@ export declare const consentInfoResponseGuard: z.ZodObject<{
554
559
  } | null>;
555
560
  customData: z.ZodType<import("@withtyped/server").JsonObject, z.ZodTypeDef, import("@withtyped/server").JsonObject>;
556
561
  isThirdParty: z.ZodType<boolean, z.ZodTypeDef, boolean>;
562
+ appLevelAccessControlEnabled: z.ZodType<boolean, z.ZodTypeDef, boolean>;
557
563
  createdAt: z.ZodType<number, z.ZodTypeDef, number>;
558
564
  }, "name" | "id"> & {
559
565
  displayName: z.ZodOptional<z.ZodType<string | null, z.ZodTypeDef, string | null>>;
@@ -1270,6 +1270,7 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
1270
1270
  pageRules: {
1271
1271
  path: string;
1272
1272
  }[];
1273
+ additionalScopes?: (import("@logto/core-kit").UserScope.CustomData | import("@logto/core-kit").UserScope.Identities | import("@logto/core-kit").UserScope.Roles | import("@logto/core-kit").UserScope.Organizations | import("@logto/core-kit").UserScope.OrganizationRoles)[] | undefined;
1273
1274
  customDomains?: {
1274
1275
  status: import("../../index.js").DomainStatus;
1275
1276
  domain: string;
@@ -1298,6 +1299,7 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
1298
1299
  pageRules: {
1299
1300
  path: string;
1300
1301
  }[];
1302
+ additionalScopes?: (import("@logto/core-kit").UserScope.CustomData | import("@logto/core-kit").UserScope.Identities | import("@logto/core-kit").UserScope.Roles | import("@logto/core-kit").UserScope.Organizations | import("@logto/core-kit").UserScope.OrganizationRoles)[] | undefined;
1301
1303
  customDomains?: {
1302
1304
  status: import("../../index.js").DomainStatus;
1303
1305
  domain: string;
@@ -1321,6 +1323,7 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
1321
1323
  }[] | undefined;
1322
1324
  } | null>>;
1323
1325
  isThirdParty: z.ZodOptional<ZodType<boolean, z.ZodTypeDef, boolean>>;
1326
+ appLevelAccessControlEnabled: z.ZodOptional<ZodType<boolean, z.ZodTypeDef, boolean>>;
1324
1327
  }, "strip", z.ZodTypeAny, {
1325
1328
  type?: import("../../index.js").ApplicationType | undefined;
1326
1329
  name?: string | undefined;
@@ -1349,6 +1352,7 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
1349
1352
  pageRules: {
1350
1353
  path: string;
1351
1354
  }[];
1355
+ additionalScopes?: (import("@logto/core-kit").UserScope.CustomData | import("@logto/core-kit").UserScope.Identities | import("@logto/core-kit").UserScope.Roles | import("@logto/core-kit").UserScope.Organizations | import("@logto/core-kit").UserScope.OrganizationRoles)[] | undefined;
1352
1356
  customDomains?: {
1353
1357
  status: import("../../index.js").DomainStatus;
1354
1358
  domain: string;
@@ -1372,6 +1376,7 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
1372
1376
  }[] | undefined;
1373
1377
  } | null | undefined;
1374
1378
  isThirdParty?: boolean | undefined;
1379
+ appLevelAccessControlEnabled?: boolean | undefined;
1375
1380
  }, {
1376
1381
  type?: import("../../index.js").ApplicationType | undefined;
1377
1382
  name?: string | undefined;
@@ -1400,6 +1405,7 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
1400
1405
  pageRules: {
1401
1406
  path: string;
1402
1407
  }[];
1408
+ additionalScopes?: (import("@logto/core-kit").UserScope.CustomData | import("@logto/core-kit").UserScope.Identities | import("@logto/core-kit").UserScope.Roles | import("@logto/core-kit").UserScope.Organizations | import("@logto/core-kit").UserScope.OrganizationRoles)[] | undefined;
1403
1409
  customDomains?: {
1404
1410
  status: import("../../index.js").DomainStatus;
1405
1411
  domain: string;
@@ -1423,6 +1429,7 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
1423
1429
  }[] | undefined;
1424
1430
  } | null | undefined;
1425
1431
  isThirdParty?: boolean | undefined;
1432
+ appLevelAccessControlEnabled?: boolean | undefined;
1426
1433
  }>>;
1427
1434
  }, "strip", z.ZodTypeAny, {
1428
1435
  user: {
@@ -1521,6 +1528,7 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
1521
1528
  pageRules: {
1522
1529
  path: string;
1523
1530
  }[];
1531
+ additionalScopes?: (import("@logto/core-kit").UserScope.CustomData | import("@logto/core-kit").UserScope.Identities | import("@logto/core-kit").UserScope.Roles | import("@logto/core-kit").UserScope.Organizations | import("@logto/core-kit").UserScope.OrganizationRoles)[] | undefined;
1524
1532
  customDomains?: {
1525
1533
  status: import("../../index.js").DomainStatus;
1526
1534
  domain: string;
@@ -1544,6 +1552,7 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
1544
1552
  }[] | undefined;
1545
1553
  } | null | undefined;
1546
1554
  isThirdParty?: boolean | undefined;
1555
+ appLevelAccessControlEnabled?: boolean | undefined;
1547
1556
  } | undefined;
1548
1557
  grant?: {
1549
1558
  type?: import("../oidc-config.js").GrantType.TokenExchange | undefined;
@@ -1761,6 +1770,7 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
1761
1770
  pageRules: {
1762
1771
  path: string;
1763
1772
  }[];
1773
+ additionalScopes?: (import("@logto/core-kit").UserScope.CustomData | import("@logto/core-kit").UserScope.Identities | import("@logto/core-kit").UserScope.Roles | import("@logto/core-kit").UserScope.Organizations | import("@logto/core-kit").UserScope.OrganizationRoles)[] | undefined;
1764
1774
  customDomains?: {
1765
1775
  status: import("../../index.js").DomainStatus;
1766
1776
  domain: string;
@@ -1784,6 +1794,7 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
1784
1794
  }[] | undefined;
1785
1795
  } | null | undefined;
1786
1796
  isThirdParty?: boolean | undefined;
1797
+ appLevelAccessControlEnabled?: boolean | undefined;
1787
1798
  } | undefined;
1788
1799
  grant?: {
1789
1800
  type?: import("../oidc-config.js").GrantType.TokenExchange | undefined;
@@ -2005,6 +2016,7 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
2005
2016
  pageRules: {
2006
2017
  path: string;
2007
2018
  }[];
2019
+ additionalScopes?: (import("@logto/core-kit").UserScope.CustomData | import("@logto/core-kit").UserScope.Identities | import("@logto/core-kit").UserScope.Roles | import("@logto/core-kit").UserScope.Organizations | import("@logto/core-kit").UserScope.OrganizationRoles)[] | undefined;
2008
2020
  customDomains?: {
2009
2021
  status: import("../../index.js").DomainStatus;
2010
2022
  domain: string;
@@ -2028,6 +2040,7 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
2028
2040
  }[] | undefined;
2029
2041
  } | null | undefined;
2030
2042
  isThirdParty?: boolean | undefined;
2043
+ appLevelAccessControlEnabled?: boolean | undefined;
2031
2044
  } | undefined;
2032
2045
  grant?: {
2033
2046
  type?: import("../oidc-config.js").GrantType.TokenExchange | undefined;
@@ -2263,6 +2276,7 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
2263
2276
  pageRules: {
2264
2277
  path: string;
2265
2278
  }[];
2279
+ additionalScopes?: (import("@logto/core-kit").UserScope.CustomData | import("@logto/core-kit").UserScope.Identities | import("@logto/core-kit").UserScope.Roles | import("@logto/core-kit").UserScope.Organizations | import("@logto/core-kit").UserScope.OrganizationRoles)[] | undefined;
2266
2280
  customDomains?: {
2267
2281
  status: import("../../index.js").DomainStatus;
2268
2282
  domain: string;
@@ -2286,6 +2300,7 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
2286
2300
  }[] | undefined;
2287
2301
  } | null | undefined;
2288
2302
  isThirdParty?: boolean | undefined;
2303
+ appLevelAccessControlEnabled?: boolean | undefined;
2289
2304
  } | undefined;
2290
2305
  grant?: {
2291
2306
  type?: import("../oidc-config.js").GrantType.TokenExchange | undefined;
@@ -2523,6 +2538,7 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
2523
2538
  pageRules: {
2524
2539
  path: string;
2525
2540
  }[];
2541
+ additionalScopes?: (import("@logto/core-kit").UserScope.CustomData | import("@logto/core-kit").UserScope.Identities | import("@logto/core-kit").UserScope.Roles | import("@logto/core-kit").UserScope.Organizations | import("@logto/core-kit").UserScope.OrganizationRoles)[] | undefined;
2526
2542
  customDomains?: {
2527
2543
  status: import("../../index.js").DomainStatus;
2528
2544
  domain: string;
@@ -2546,6 +2562,7 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
2546
2562
  }[] | undefined;
2547
2563
  } | null | undefined;
2548
2564
  isThirdParty?: boolean | undefined;
2565
+ appLevelAccessControlEnabled?: boolean | undefined;
2549
2566
  } | undefined;
2550
2567
  grant?: {
2551
2568
  type?: import("../oidc-config.js").GrantType.TokenExchange | undefined;
@@ -2784,6 +2801,7 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
2784
2801
  pageRules: {
2785
2802
  path: string;
2786
2803
  }[];
2804
+ additionalScopes?: (import("@logto/core-kit").UserScope.CustomData | import("@logto/core-kit").UserScope.Identities | import("@logto/core-kit").UserScope.Roles | import("@logto/core-kit").UserScope.Organizations | import("@logto/core-kit").UserScope.OrganizationRoles)[] | undefined;
2787
2805
  customDomains?: {
2788
2806
  status: import("../../index.js").DomainStatus;
2789
2807
  domain: string;
@@ -2807,6 +2825,7 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
2807
2825
  }[] | undefined;
2808
2826
  } | null | undefined;
2809
2827
  isThirdParty?: boolean | undefined;
2828
+ appLevelAccessControlEnabled?: boolean | undefined;
2810
2829
  } | undefined;
2811
2830
  grant?: {
2812
2831
  type?: import("../oidc-config.js").GrantType.TokenExchange | undefined;
@@ -3010,6 +3029,7 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
3010
3029
  pageRules: {
3011
3030
  path: string;
3012
3031
  }[];
3032
+ additionalScopes?: (import("@logto/core-kit").UserScope.CustomData | import("@logto/core-kit").UserScope.Identities | import("@logto/core-kit").UserScope.Roles | import("@logto/core-kit").UserScope.Organizations | import("@logto/core-kit").UserScope.OrganizationRoles)[] | undefined;
3013
3033
  customDomains?: {
3014
3034
  status: import("../../index.js").DomainStatus;
3015
3035
  domain: string;
@@ -3038,6 +3058,7 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
3038
3058
  pageRules: {
3039
3059
  path: string;
3040
3060
  }[];
3061
+ additionalScopes?: (import("@logto/core-kit").UserScope.CustomData | import("@logto/core-kit").UserScope.Identities | import("@logto/core-kit").UserScope.Roles | import("@logto/core-kit").UserScope.Organizations | import("@logto/core-kit").UserScope.OrganizationRoles)[] | undefined;
3041
3062
  customDomains?: {
3042
3063
  status: import("../../index.js").DomainStatus;
3043
3064
  domain: string;
@@ -3061,6 +3082,7 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
3061
3082
  }[] | undefined;
3062
3083
  } | null>>;
3063
3084
  isThirdParty: z.ZodOptional<ZodType<boolean, z.ZodTypeDef, boolean>>;
3085
+ appLevelAccessControlEnabled: z.ZodOptional<ZodType<boolean, z.ZodTypeDef, boolean>>;
3064
3086
  }, "strip", z.ZodTypeAny, {
3065
3087
  type?: import("../../index.js").ApplicationType | undefined;
3066
3088
  name?: string | undefined;
@@ -3089,6 +3111,7 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
3089
3111
  pageRules: {
3090
3112
  path: string;
3091
3113
  }[];
3114
+ additionalScopes?: (import("@logto/core-kit").UserScope.CustomData | import("@logto/core-kit").UserScope.Identities | import("@logto/core-kit").UserScope.Roles | import("@logto/core-kit").UserScope.Organizations | import("@logto/core-kit").UserScope.OrganizationRoles)[] | undefined;
3092
3115
  customDomains?: {
3093
3116
  status: import("../../index.js").DomainStatus;
3094
3117
  domain: string;
@@ -3112,6 +3135,7 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
3112
3135
  }[] | undefined;
3113
3136
  } | null | undefined;
3114
3137
  isThirdParty?: boolean | undefined;
3138
+ appLevelAccessControlEnabled?: boolean | undefined;
3115
3139
  }, {
3116
3140
  type?: import("../../index.js").ApplicationType | undefined;
3117
3141
  name?: string | undefined;
@@ -3140,6 +3164,7 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
3140
3164
  pageRules: {
3141
3165
  path: string;
3142
3166
  }[];
3167
+ additionalScopes?: (import("@logto/core-kit").UserScope.CustomData | import("@logto/core-kit").UserScope.Identities | import("@logto/core-kit").UserScope.Roles | import("@logto/core-kit").UserScope.Organizations | import("@logto/core-kit").UserScope.OrganizationRoles)[] | undefined;
3143
3168
  customDomains?: {
3144
3169
  status: import("../../index.js").DomainStatus;
3145
3170
  domain: string;
@@ -3163,6 +3188,7 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
3163
3188
  }[] | undefined;
3164
3189
  } | null | undefined;
3165
3190
  isThirdParty?: boolean | undefined;
3191
+ appLevelAccessControlEnabled?: boolean | undefined;
3166
3192
  }>>;
3167
3193
  }, "strip", z.ZodTypeAny, {
3168
3194
  application?: {
@@ -3193,6 +3219,7 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
3193
3219
  pageRules: {
3194
3220
  path: string;
3195
3221
  }[];
3222
+ additionalScopes?: (import("@logto/core-kit").UserScope.CustomData | import("@logto/core-kit").UserScope.Identities | import("@logto/core-kit").UserScope.Roles | import("@logto/core-kit").UserScope.Organizations | import("@logto/core-kit").UserScope.OrganizationRoles)[] | undefined;
3196
3223
  customDomains?: {
3197
3224
  status: import("../../index.js").DomainStatus;
3198
3225
  domain: string;
@@ -3216,6 +3243,7 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
3216
3243
  }[] | undefined;
3217
3244
  } | null | undefined;
3218
3245
  isThirdParty?: boolean | undefined;
3246
+ appLevelAccessControlEnabled?: boolean | undefined;
3219
3247
  } | undefined;
3220
3248
  }, {
3221
3249
  application?: {
@@ -3246,6 +3274,7 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
3246
3274
  pageRules: {
3247
3275
  path: string;
3248
3276
  }[];
3277
+ additionalScopes?: (import("@logto/core-kit").UserScope.CustomData | import("@logto/core-kit").UserScope.Identities | import("@logto/core-kit").UserScope.Roles | import("@logto/core-kit").UserScope.Organizations | import("@logto/core-kit").UserScope.OrganizationRoles)[] | undefined;
3249
3278
  customDomains?: {
3250
3279
  status: import("../../index.js").DomainStatus;
3251
3280
  domain: string;
@@ -3269,6 +3298,7 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
3269
3298
  }[] | undefined;
3270
3299
  } | null | undefined;
3271
3300
  isThirdParty?: boolean | undefined;
3301
+ appLevelAccessControlEnabled?: boolean | undefined;
3272
3302
  } | undefined;
3273
3303
  }>>;
3274
3304
  }, "strict", z.ZodTypeAny, {
@@ -3303,6 +3333,7 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
3303
3333
  pageRules: {
3304
3334
  path: string;
3305
3335
  }[];
3336
+ additionalScopes?: (import("@logto/core-kit").UserScope.CustomData | import("@logto/core-kit").UserScope.Identities | import("@logto/core-kit").UserScope.Roles | import("@logto/core-kit").UserScope.Organizations | import("@logto/core-kit").UserScope.OrganizationRoles)[] | undefined;
3306
3337
  customDomains?: {
3307
3338
  status: import("../../index.js").DomainStatus;
3308
3339
  domain: string;
@@ -3326,6 +3357,7 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
3326
3357
  }[] | undefined;
3327
3358
  } | null | undefined;
3328
3359
  isThirdParty?: boolean | undefined;
3360
+ appLevelAccessControlEnabled?: boolean | undefined;
3329
3361
  } | undefined;
3330
3362
  } | undefined;
3331
3363
  blockIssuanceOnError?: boolean | undefined;
@@ -3368,6 +3400,7 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
3368
3400
  pageRules: {
3369
3401
  path: string;
3370
3402
  }[];
3403
+ additionalScopes?: (import("@logto/core-kit").UserScope.CustomData | import("@logto/core-kit").UserScope.Identities | import("@logto/core-kit").UserScope.Roles | import("@logto/core-kit").UserScope.Organizations | import("@logto/core-kit").UserScope.OrganizationRoles)[] | undefined;
3371
3404
  customDomains?: {
3372
3405
  status: import("../../index.js").DomainStatus;
3373
3406
  domain: string;
@@ -3391,6 +3424,7 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
3391
3424
  }[] | undefined;
3392
3425
  } | null | undefined;
3393
3426
  isThirdParty?: boolean | undefined;
3427
+ appLevelAccessControlEnabled?: boolean | undefined;
3394
3428
  } | undefined;
3395
3429
  } | undefined;
3396
3430
  blockIssuanceOnError?: boolean | undefined;
@@ -3435,6 +3469,7 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
3435
3469
  pageRules: {
3436
3470
  path: string;
3437
3471
  }[];
3472
+ additionalScopes?: (import("@logto/core-kit").UserScope.CustomData | import("@logto/core-kit").UserScope.Identities | import("@logto/core-kit").UserScope.Roles | import("@logto/core-kit").UserScope.Organizations | import("@logto/core-kit").UserScope.OrganizationRoles)[] | undefined;
3438
3473
  customDomains?: {
3439
3474
  status: import("../../index.js").DomainStatus;
3440
3475
  domain: string;
@@ -3458,6 +3493,7 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
3458
3493
  }[] | undefined;
3459
3494
  } | null | undefined;
3460
3495
  isThirdParty?: boolean | undefined;
3496
+ appLevelAccessControlEnabled?: boolean | undefined;
3461
3497
  } | undefined;
3462
3498
  } | undefined;
3463
3499
  blockIssuanceOnError?: boolean | undefined;
@@ -3503,6 +3539,7 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
3503
3539
  pageRules: {
3504
3540
  path: string;
3505
3541
  }[];
3542
+ additionalScopes?: (import("@logto/core-kit").UserScope.CustomData | import("@logto/core-kit").UserScope.Identities | import("@logto/core-kit").UserScope.Roles | import("@logto/core-kit").UserScope.Organizations | import("@logto/core-kit").UserScope.OrganizationRoles)[] | undefined;
3506
3543
  customDomains?: {
3507
3544
  status: import("../../index.js").DomainStatus;
3508
3545
  domain: string;
@@ -3526,6 +3563,7 @@ export declare const jwtCustomizerConfigsGuard: z.ZodDiscriminatedUnion<"key", [
3526
3563
  }[] | undefined;
3527
3564
  } | null | undefined;
3528
3565
  isThirdParty?: boolean | undefined;
3566
+ appLevelAccessControlEnabled?: boolean | undefined;
3529
3567
  } | undefined;
3530
3568
  } | undefined;
3531
3569
  blockIssuanceOnError?: boolean | undefined;