npm - @lssm/lib.identity-rbac - Versions diffs - 0.0.0-canary-20251217083314 → 0.0.0-canary-20251220002821 - Mend

@lssm/lib.identity-rbac 0.0.0-canary-20251217083314 → 0.0.0-canary-20251220002821

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (182) hide show

package/dist/contracts/rbac.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"rbac.d.ts","names":[],"sources":["../../src/contracts/rbac.ts"],"sourcesContent":[],"mappings":";;;;;cAQa,WAAS;;UAcpB,mBAAA,CAAA;;EAdW,CAAA;EAcX,IAAA,EAAA;;;;;;IAdoB,UAAA,EAAA,IAAA;EAAA,CAAA;EAgBT,WAAA,EAAA;IAYX,IAAA,+BAAA,CAAA,MAAA,EAAA,MAAA,CAAA;;;;;;;;;cAZW,oBAAkB;;UAY7B,mBAAA,CAAA;;;;IAZ6B,IAAA,+BAAA,CAAA,MAAA,EAAA,MAAA,CAAA;IAAA,UAAA,EAAA,KAAA;EAclB,CAAA;EAQX,UAAA,EAAA;;;EARqC,CAAA;EAAA,QAAA,EAAA;IAU1B,IAAA,+BAYX,CAAA,MAAA,EAAA,MAAA,CAAA;IAAA,UAAA,EAAA,KAAA;;;IAZ+B,IAAA,+BAAA,KAAA,EAAA,MAAA,CAAA;IAAA,UAAA,EAAA,IAAA;EAcpB,CAAA;EAaX,SAAA,EAAA;;;;EAb+B,IAAA,EAAA;IAAA,IAAA,aAAA,CAAA;MAepB,EAAA,EAAA;QAQA,IAAA,+BAMX,CAAA,MAAA,EAAA,MAAA,CAAA;QAAA,UAAA,EAAA,KAAA;;;;;;;QAN+B,IAAA,+BAAA,CAAA,MAAA,EAAA,MAAA,CAAA;QAAA,UAAA,EAAA,IAAA;MAQpB,CAAA;MASX,WAAA,EAAA;;;;;MAT+B,SAAA,EAAA;QAAA,IAAA,+BAAA,KAAA,EAAA,MAAA,CAAA;QAWpB,UAAA,EAMX,KAAA;MAEW,CAAA;IAQA,CAAA,CAAA;IAQX,UAAA,EAAA,KAAA;;;AARoC,cAlFzB,0BAkFyB,EAlFC,WAkFD,CAAA;EAAA,OAAA,EAAA;IAUzB,IAAA,EApFX,mBAAA,CAAA,SA2FA,CAAA,OAAA,EAAA,OAAA,CAAA;IAAA,UAAA,EAAA,KAAA;;EAPwC,MAAA,EAAA;IAAA,IAAA,+BAAA,CAAA,MAAA,EAAA,MAAA,CAAA;IAS7B,UAAA,EAAA,IAAA;EAWX,CAAA;;;;;;cAtGW,sBAAoB;;IA2FU,IAAA,EA/EzC,mBAAA,CAAA,SA+EyC,CAAA,MAAA,EAAA,MAAA,CAAA;IAAA,UAAA,EAAA,KAAA;EAkB9B,CAAA;EA6BX,WAAA,EAAA;;;EA7B6B,CAAA;EAAA,WAAA,EAAA;;;;;;cA/FlB,sBAAoB;;IA+FF,IAAA,EAlF7B,mBAAA,CAAA,SAkF6B,CAAA,MAAA,EAAA,MAAA,CAAA;IAkClB,UAAA,EAAA,KAqBX;EAAA,CAAA;;;;EArB6B,CAAA;EAAA,WAAA,EAAA;;;;;;;;EAAA,CAAA;AA0B/B,CAAA,CAAA;AA6BE,cAzKW,oBAyKX,EAzK+B,WAyK/B,CAAA;EA7B6B,MAAA,EAAA;IAAA,IAAA,EAtI7B,mBAAA,CAAA,SAsI6B,CAAA,MAAA,EAAA,MAAA,CAAA;;;CAAA,CAAA;AAkClB,cAtKA,oBAwLX,EAxL+B,WAwL/B,CAAA;EAAA,KAAA,EAAA;IAlB4B,IAAA,aAAA,CAAA;;cAhK5B,mBAAA,CAAA;;;;;QAgK4B,UAAA,EAAA,KAAA;MAAA,CAAA;MAAA,WAAA,EAAA;QAuBjB,IAAA,+BA2CX,CAAA,MAAA,EAAA,MAAA,CAAA;QAAA,UAAA,EAAA,IAAA;;;;;QA3C6B,OAAA,EAAA,IAAA;MAAA,CAAA;;;;;;;;;;cArLlB,sBAAoB;;UAS/B,mBAAA,CAAA;;;;;;;;;;;;;;;;cAEW,sBAAoB;;UAM/B,mBAAA,CAAA;;;CAoK6B,CAAA;AAgDlB,cAlNA,qBAuPX,EAvPgC,WAuPhC,CAAA;EAAA,SAAA,EAAA;IArC6B,IAAA,EA5M7B,mBAAA,CAAA,SA4M6B,CAAA,MAAA,EAAA,MAAA,CAAA;IAAA,UAAA,EAAA,KAAA;;;cA1MlB,2BAAyB;;IA0MP,IAAA,EAlM7B,mBAAA,CAAA,SAkM6B,CAAA,MAAA,EAAA,MAAA,CAAA;IA0ClB,UAAA,EAAA,KAAA;EAkBX,CAAA;;;IAlBkC,UAAA,EAAA,IAAA;EAAA,CAAA;;;;;CAAA,CAAA;AAuBvB,cAjQA,6BAmRX,EAnRwC,WAmRxC,CAAA;EAAA,MAAA,EAAA;UA5QA,mBAAA,CAAA;IA0PsC,UAAA,EAAA,KAAA;EAAA,CAAA;;;;;;cAxP3B,gCAA8B;;UAWzC,mBAAA,CAAA;qBA6OsC;IAAA,OAAA,EAAA,IAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;cAtO3B,0CAAkB,aAAA;;UA6B7B,mBAAA,CAAA;;;;;;;;;;;;;;UA7B6B,mBAAA,CAAA;;;;;;;;;;;;;;;;;;;;;;;;cAkClB,0CAAkB,aAAA;;UAqB7B,mBAAA,CAAA;;;;;;;;;;;;;;;;;;UArB6B,mBAAA,CAAA;;;;;;;;;;;;;;;;;;;;;;;;cA0BlB,0CAAkB,aAAA;;UA6B7B,mBAAA,CAAA;;;;;UA7B6B,mBAAA,CAAA;;;;;;;cAkClB,mBAAiB,qBAAA,CAAA,aAkB5B,mBAAA,CAlB4B,cAAA,EAAA;;;;cAAA,mBAAA,CAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;cAuBjB,0CAAkB,aAAA;;UA2C7B,mBAAA,CAAA;;;;;;;;;;;;;;;;;UA3C6B,mBAAA,CAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;cAgDlB,0CAAkB,aAAA;;UAqC7B,mBAAA,CAAA;;;;;UArC6B,mBAAA,CAAA;;;;;;;;;;;;;;;;;cA0ClB,+CAAuB,aAAA;;UAkBlC,mBAAA,CAAA;;;;;;;;;;;;;UAlBkC,mBAAA,CAAA;;;;;;;;;;;;;;;cAuBvB,mDAA2B,aAAA;;UAkBtC,mBAAA,CAAA;;;;;;;;;UAlBsC,mBAAA,CAAA"}

package/dist/contracts/rbac.js CHANGED Viewed

@@ -1,65 +1,63 @@
-import { ScalarTypeEnum } from "../schema/dist/ScalarTypeEnum.js";
-import { SchemaModel } from "../schema/dist/SchemaModel.js";
-import "../schema/dist/index.js";
+import { E5, x8 } from "../schema/dist/index.js";
 import { defineCommand, defineQuery } from "./dist/spec.js";
 import "./dist/index.js";
 import { SuccessResultModel } from "./user.js";
 //#region src/contracts/rbac.ts
 const OWNERS = ["platform.identity-rbac"];
-const RoleModel = new SchemaModel({
+const RoleModel = new x8({
 	name: "Role",
 	description: "RBAC role definition",
 	fields: {
 		id: {
-			type: ScalarTypeEnum.String_unsecure(),
+			type: E5.String_unsecure(),
 			isOptional: false
 		},
 		name: {
-			type: ScalarTypeEnum.String_unsecure(),
+			type: E5.String_unsecure(),
 			isOptional: false
 		},
 		description: {
-			type: ScalarTypeEnum.String_unsecure(),
+			type: E5.String_unsecure(),
 			isOptional: true
 		},
 		permissions: {
-			type: ScalarTypeEnum.String_unsecure(),
+			type: E5.String_unsecure(),
 			isOptional: false,
 			isArray: true
 		},
 		createdAt: {
-			type: ScalarTypeEnum.DateTime(),
+			type: E5.DateTime(),
 			isOptional: false
 		}
 	}
 });
-const PolicyBindingModel = new SchemaModel({
+const PolicyBindingModel = new x8({
 	name: "PolicyBinding",
 	description: "Role assignment to a target",
 	fields: {
 		id: {
-			type: ScalarTypeEnum.String_unsecure(),
+			type: E5.String_unsecure(),
 			isOptional: false
 		},
 		roleId: {
-			type: ScalarTypeEnum.String_unsecure(),
+			type: E5.String_unsecure(),
 			isOptional: false
 		},
 		targetType: {
-			type: ScalarTypeEnum.String_unsecure(),
+			type: E5.String_unsecure(),
 			isOptional: false
 		},
 		targetId: {
-			type: ScalarTypeEnum.String_unsecure(),
+			type: E5.String_unsecure(),
 			isOptional: false
 		},
 		expiresAt: {
-			type: ScalarTypeEnum.DateTime(),
+			type: E5.DateTime(),
 			isOptional: true
 		},
 		createdAt: {
-			type: ScalarTypeEnum.DateTime(),
+			type: E5.DateTime(),
 			isOptional: false
 		},
 		role: {
@@ -68,75 +66,75 @@ const PolicyBindingModel = new SchemaModel({
 		}
 	}
 });
-const PermissionCheckResultModel = new SchemaModel({
+const PermissionCheckResultModel = new x8({
 	name: "PermissionCheckResult",
 	description: "Result of a permission check",
 	fields: {
 		allowed: {
-			type: ScalarTypeEnum.Boolean(),
+			type: E5.Boolean(),
 			isOptional: false
 		},
 		reason: {
-			type: ScalarTypeEnum.String_unsecure(),
+			type: E5.String_unsecure(),
 			isOptional: true
 		},
 		matchedRole: {
-			type: ScalarTypeEnum.String_unsecure(),
+			type: E5.String_unsecure(),
 			isOptional: true
 		}
 	}
 });
-const CreateRoleInputModel = new SchemaModel({
+const CreateRoleInputModel = new x8({
 	name: "CreateRoleInput",
 	description: "Input for creating a role",
 	fields: {
 		name: {
-			type: ScalarTypeEnum.NonEmptyString(),
+			type: E5.NonEmptyString(),
 			isOptional: false
 		},
 		description: {
-			type: ScalarTypeEnum.String_unsecure(),
+			type: E5.String_unsecure(),
 			isOptional: true
 		},
 		permissions: {
-			type: ScalarTypeEnum.String_unsecure(),
+			type: E5.String_unsecure(),
 			isOptional: false,
 			isArray: true
 		}
 	}
 });
-const UpdateRoleInputModel = new SchemaModel({
+const UpdateRoleInputModel = new x8({
 	name: "UpdateRoleInput",
 	description: "Input for updating a role",
 	fields: {
 		roleId: {
-			type: ScalarTypeEnum.String_unsecure(),
+			type: E5.String_unsecure(),
 			isOptional: false
 		},
 		name: {
-			type: ScalarTypeEnum.String_unsecure(),
+			type: E5.String_unsecure(),
 			isOptional: true
 		},
 		description: {
-			type: ScalarTypeEnum.String_unsecure(),
+			type: E5.String_unsecure(),
 			isOptional: true
 		},
 		permissions: {
-			type: ScalarTypeEnum.String_unsecure(),
+			type: E5.String_unsecure(),
 			isOptional: true,
 			isArray: true
 		}
 	}
 });
-const DeleteRoleInputModel = new SchemaModel({
+const DeleteRoleInputModel = new x8({
 	name: "DeleteRoleInput",
 	description: "Input for deleting a role",
 	fields: { roleId: {
-		type: ScalarTypeEnum.String_unsecure(),
+		type: E5.String_unsecure(),
 		isOptional: false
 	} }
 });
-const ListRolesOutputModel = new SchemaModel({
+const ListRolesOutputModel = new x8({
 	name: "ListRolesOutput",
 	description: "Output for listing roles",
 	fields: { roles: {
@@ -145,82 +143,82 @@ const ListRolesOutputModel = new SchemaModel({
 		isArray: true
 	} }
 });
-const AssignRoleInputModel = new SchemaModel({
+const AssignRoleInputModel = new x8({
 	name: "AssignRoleInput",
 	description: "Input for assigning a role",
 	fields: {
 		roleId: {
-			type: ScalarTypeEnum.String_unsecure(),
+			type: E5.String_unsecure(),
 			isOptional: false
 		},
 		targetType: {
-			type: ScalarTypeEnum.String_unsecure(),
+			type: E5.String_unsecure(),
 			isOptional: false
 		},
 		targetId: {
-			type: ScalarTypeEnum.String_unsecure(),
+			type: E5.String_unsecure(),
 			isOptional: false
 		},
 		expiresAt: {
-			type: ScalarTypeEnum.DateTime(),
+			type: E5.DateTime(),
 			isOptional: true
 		}
 	}
 });
-const RevokeRoleInputModel = new SchemaModel({
+const RevokeRoleInputModel = new x8({
 	name: "RevokeRoleInput",
 	description: "Input for revoking a role",
 	fields: { bindingId: {
-		type: ScalarTypeEnum.String_unsecure(),
+		type: E5.String_unsecure(),
 		isOptional: false
 	} }
 });
-const BindingIdPayloadModel = new SchemaModel({
+const BindingIdPayloadModel = new x8({
 	name: "BindingIdPayload",
 	description: "Payload with binding ID",
 	fields: { bindingId: {
-		type: ScalarTypeEnum.String_unsecure(),
+		type: E5.String_unsecure(),
 		isOptional: false
 	} }
 });
-const CheckPermissionInputModel = new SchemaModel({
+const CheckPermissionInputModel = new x8({
 	name: "CheckPermissionInput",
 	description: "Input for checking a permission",
 	fields: {
 		userId: {
-			type: ScalarTypeEnum.String_unsecure(),
+			type: E5.String_unsecure(),
 			isOptional: false
 		},
 		orgId: {
-			type: ScalarTypeEnum.String_unsecure(),
+			type: E5.String_unsecure(),
 			isOptional: true
 		},
 		permission: {
-			type: ScalarTypeEnum.String_unsecure(),
+			type: E5.String_unsecure(),
 			isOptional: false
 		}
 	}
 });
-const ListUserPermissionsInputModel = new SchemaModel({
+const ListUserPermissionsInputModel = new x8({
 	name: "ListUserPermissionsInput",
 	description: "Input for listing user permissions",
 	fields: {
 		userId: {
-			type: ScalarTypeEnum.String_unsecure(),
+			type: E5.String_unsecure(),
 			isOptional: false
 		},
 		orgId: {
-			type: ScalarTypeEnum.String_unsecure(),
+			type: E5.String_unsecure(),
 			isOptional: true
 		}
 	}
 });
-const ListUserPermissionsOutputModel = new SchemaModel({
+const ListUserPermissionsOutputModel = new x8({
 	name: "ListUserPermissionsOutput",
 	description: "Output for listing user permissions",
 	fields: {
 		permissions: {
-			type: ScalarTypeEnum.String_unsecure(),
+			type: E5.String_unsecure(),
 			isOptional: false,
 			isArray: true
 		},
@@ -484,4 +482,5 @@ const ListUserPermissionsContract = defineQuery({
 });
 //#endregion
-export { AssignRoleContract, AssignRoleInputModel, BindingIdPayloadModel, CheckPermissionContract, CheckPermissionInputModel, CreateRoleContract, CreateRoleInputModel, DeleteRoleContract, DeleteRoleInputModel, ListRolesContract, ListRolesOutputModel, ListUserPermissionsContract, ListUserPermissionsInputModel, ListUserPermissionsOutputModel, PermissionCheckResultModel, PolicyBindingModel, RevokeRoleContract, RevokeRoleInputModel, RoleModel, UpdateRoleContract, UpdateRoleInputModel };
+export { AssignRoleContract, AssignRoleInputModel, BindingIdPayloadModel, CheckPermissionContract, CheckPermissionInputModel, CreateRoleContract, CreateRoleInputModel, DeleteRoleContract, DeleteRoleInputModel, ListRolesContract, ListRolesOutputModel, ListUserPermissionsContract, ListUserPermissionsInputModel, ListUserPermissionsOutputModel, PermissionCheckResultModel, PolicyBindingModel, RevokeRoleContract, RevokeRoleInputModel, RoleModel, UpdateRoleContract, UpdateRoleInputModel };
+//# sourceMappingURL=rbac.js.map

package/dist/contracts/rbac.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"rbac.js","names":["SchemaModel","ScalarTypeEnum"],"sources":["../../src/contracts/rbac.ts"],"sourcesContent":["import { SchemaModel, ScalarTypeEnum } from '@lssm/lib.schema';\nimport { defineCommand, defineQuery } from '@lssm/lib.contracts';\nimport { SuccessResultModel } from './user';\n\nconst OWNERS = ['platform.identity-rbac'] as const;\n\n// ============ SchemaModels ============\n\nexport const RoleModel = new SchemaModel({\n name: 'Role',\n description: 'RBAC role definition',\n fields: {\n id: { type: ScalarTypeEnum.String_unsecure(), isOptional: false },\n name: { type: ScalarTypeEnum.String_unsecure(), isOptional: false },\n description: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },\n permissions: {\n type: ScalarTypeEnum.String_unsecure(),\n isOptional: false,\n isArray: true,\n },\n createdAt: { type: ScalarTypeEnum.DateTime(), isOptional: false },\n },\n});\n\nexport const PolicyBindingModel = new SchemaModel({\n name: 'PolicyBinding',\n description: 'Role assignment to a target',\n fields: {\n id: { type: ScalarTypeEnum.String_unsecure(), isOptional: false },\n roleId: { type: ScalarTypeEnum.String_unsecure(), isOptional: false },\n targetType: { type: ScalarTypeEnum.String_unsecure(), isOptional: false }, // user | organization\n targetId: { type: ScalarTypeEnum.String_unsecure(), isOptional: false },\n expiresAt: { type: ScalarTypeEnum.DateTime(), isOptional: true },\n createdAt: { type: ScalarTypeEnum.DateTime(), isOptional: false },\n role: { type: RoleModel, isOptional: false },\n },\n});\n\nexport const PermissionCheckResultModel = new SchemaModel({\n name: 'PermissionCheckResult',\n description: 'Result of a permission check',\n fields: {\n allowed: { type: ScalarTypeEnum.Boolean(), isOptional: false },\n reason: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },\n matchedRole: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },\n },\n});\n\nexport const CreateRoleInputModel = new SchemaModel({\n name: 'CreateRoleInput',\n description: 'Input for creating a role',\n fields: {\n name: { type: ScalarTypeEnum.NonEmptyString(), isOptional: false },\n description: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },\n permissions: {\n type: ScalarTypeEnum.String_unsecure(),\n isOptional: false,\n isArray: true,\n },\n },\n});\n\nexport const UpdateRoleInputModel = new SchemaModel({\n name: 'UpdateRoleInput',\n description: 'Input for updating a role',\n fields: {\n roleId: { type: ScalarTypeEnum.String_unsecure(), isOptional: false },\n name: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },\n description: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },\n permissions: {\n type: ScalarTypeEnum.String_unsecure(),\n isOptional: true,\n isArray: true,\n },\n },\n});\n\nexport const DeleteRoleInputModel = new SchemaModel({\n name: 'DeleteRoleInput',\n description: 'Input for deleting a role',\n fields: {\n roleId: { type: ScalarTypeEnum.String_unsecure(), isOptional: false },\n },\n});\n\nexport const ListRolesOutputModel = new SchemaModel({\n name: 'ListRolesOutput',\n description: 'Output for listing roles',\n fields: {\n roles: { type: RoleModel, isOptional: false, isArray: true },\n },\n});\n\nexport const AssignRoleInputModel = new SchemaModel({\n name: 'AssignRoleInput',\n description: 'Input for assigning a role',\n fields: {\n roleId: { type: ScalarTypeEnum.String_unsecure(), isOptional: false },\n targetType: { type: ScalarTypeEnum.String_unsecure(), isOptional: false }, // user | organization\n targetId: { type: ScalarTypeEnum.String_unsecure(), isOptional: false },\n expiresAt: { type: ScalarTypeEnum.DateTime(), isOptional: true },\n },\n});\n\nexport const RevokeRoleInputModel = new SchemaModel({\n name: 'RevokeRoleInput',\n description: 'Input for revoking a role',\n fields: {\n bindingId: { type: ScalarTypeEnum.String_unsecure(), isOptional: false },\n },\n});\n\nexport const BindingIdPayloadModel = new SchemaModel({\n name: 'BindingIdPayload',\n description: 'Payload with binding ID',\n fields: {\n bindingId: { type: ScalarTypeEnum.String_unsecure(), isOptional: false },\n },\n});\n\nexport const CheckPermissionInputModel = new SchemaModel({\n name: 'CheckPermissionInput',\n description: 'Input for checking a permission',\n fields: {\n userId: { type: ScalarTypeEnum.String_unsecure(), isOptional: false },\n orgId: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },\n permission: { type: ScalarTypeEnum.String_unsecure(), isOptional: false },\n },\n});\n\nexport const ListUserPermissionsInputModel = new SchemaModel({\n name: 'ListUserPermissionsInput',\n description: 'Input for listing user permissions',\n fields: {\n userId: { type: ScalarTypeEnum.String_unsecure(), isOptional: false },\n orgId: { type: ScalarTypeEnum.String_unsecure(), isOptional: true },\n },\n});\n\nexport const ListUserPermissionsOutputModel = new SchemaModel({\n name: 'ListUserPermissionsOutput',\n description: 'Output for listing user permissions',\n fields: {\n permissions: {\n type: ScalarTypeEnum.String_unsecure(),\n isOptional: false,\n isArray: true,\n },\n roles: { type: RoleModel, isOptional: false, isArray: true },\n },\n});\n\n// ============ Contracts ============\n\n/**\n * Create a new role.\n */\nexport const CreateRoleContract = defineCommand({\n meta: {\n name: 'identity.rbac.role.create',\n version: 1,\n stability: 'stable',\n owners: [...OWNERS],\n tags: ['identity', 'rbac', 'role', 'create'],\n description: 'Create a new role with permissions.',\n goal: 'Allow admins to define custom roles.',\n context: 'Role management in admin settings.',\n },\n io: {\n input: CreateRoleInputModel,\n output: RoleModel,\n errors: {\n ROLE_EXISTS: {\n description: 'A role with this name already exists',\n http: 409,\n gqlCode: 'ROLE_EXISTS',\n when: 'Role name is taken',\n },\n },\n },\n policy: {\n auth: 'admin',\n },\n sideEffects: {\n audit: ['role.created'],\n },\n});\n\n/**\n * Update a role.\n */\nexport const UpdateRoleContract = defineCommand({\n meta: {\n name: 'identity.rbac.role.update',\n version: 1,\n stability: 'stable',\n owners: [...OWNERS],\n tags: ['identity', 'rbac', 'role', 'update'],\n description: 'Update an existing role.',\n goal: 'Allow admins to modify role permissions.',\n context: 'Role management in admin settings.',\n },\n io: {\n input: UpdateRoleInputModel,\n output: RoleModel,\n },\n policy: {\n auth: 'admin',\n },\n sideEffects: {\n audit: ['role.updated'],\n },\n});\n\n/**\n * Delete a role.\n */\nexport const DeleteRoleContract = defineCommand({\n meta: {\n name: 'identity.rbac.role.delete',\n version: 1,\n stability: 'stable',\n owners: [...OWNERS],\n tags: ['identity', 'rbac', 'role', 'delete'],\n description: 'Delete an existing role.',\n goal: 'Allow admins to remove unused roles.',\n context: 'Role management. Removes all policy bindings using this role.',\n },\n io: {\n input: DeleteRoleInputModel,\n output: SuccessResultModel,\n errors: {\n ROLE_IN_USE: {\n description: 'Role is still assigned to users or organizations',\n http: 409,\n gqlCode: 'ROLE_IN_USE',\n when: 'Role has active bindings',\n },\n },\n },\n policy: {\n auth: 'admin',\n },\n sideEffects: {\n audit: ['role.deleted'],\n },\n});\n\n/**\n * List all roles.\n */\nexport const ListRolesContract = defineQuery({\n meta: {\n name: 'identity.rbac.role.list',\n version: 1,\n stability: 'stable',\n owners: [...OWNERS],\n tags: ['identity', 'rbac', 'role', 'list'],\n description: 'List all available roles.',\n goal: 'Show available roles for assignment.',\n context: 'Role assignment UI.',\n },\n io: {\n input: null,\n output: ListRolesOutputModel,\n },\n policy: {\n auth: 'user',\n },\n});\n\n/**\n * Assign a role to a user or organization.\n */\nexport const AssignRoleContract = defineCommand({\n meta: {\n name: 'identity.rbac.assign',\n version: 1,\n stability: 'stable',\n owners: [...OWNERS],\n tags: ['identity', 'rbac', 'assign'],\n description: 'Assign a role to a user or organization.',\n goal: 'Grant permissions via role assignment.',\n context: 'User/org permission management.',\n },\n io: {\n input: AssignRoleInputModel,\n output: PolicyBindingModel,\n errors: {\n ROLE_NOT_FOUND: {\n description: 'The specified role does not exist',\n http: 404,\n gqlCode: 'ROLE_NOT_FOUND',\n when: 'Role ID is invalid',\n },\n ALREADY_ASSIGNED: {\n description: 'This role is already assigned to the target',\n http: 409,\n gqlCode: 'ALREADY_ASSIGNED',\n when: 'Binding already exists',\n },\n },\n },\n policy: {\n auth: 'admin',\n },\n sideEffects: {\n emits: [\n {\n name: 'role.assigned',\n version: 1,\n when: 'Role is assigned',\n payload: PolicyBindingModel,\n },\n ],\n audit: ['role.assigned'],\n },\n});\n\n/**\n * Revoke a role from a user or organization.\n */\nexport const RevokeRoleContract = defineCommand({\n meta: {\n name: 'identity.rbac.revoke',\n version: 1,\n stability: 'stable',\n owners: [...OWNERS],\n tags: ['identity', 'rbac', 'revoke'],\n description: 'Revoke a role from a user or organization.',\n goal: 'Remove permissions via role revocation.',\n context: 'User/org permission management.',\n },\n io: {\n input: RevokeRoleInputModel,\n output: SuccessResultModel,\n errors: {\n BINDING_NOT_FOUND: {\n description: 'The policy binding does not exist',\n http: 404,\n gqlCode: 'BINDING_NOT_FOUND',\n when: 'Binding ID is invalid',\n },\n },\n },\n policy: {\n auth: 'admin',\n },\n sideEffects: {\n emits: [\n {\n name: 'role.revoked',\n version: 1,\n when: 'Role is revoked',\n payload: BindingIdPayloadModel,\n },\n ],\n audit: ['role.revoked'],\n },\n});\n\n/**\n * Check if a user has a specific permission.\n */\nexport const CheckPermissionContract = defineQuery({\n meta: {\n name: 'identity.rbac.check',\n version: 1,\n stability: 'stable',\n owners: [...OWNERS],\n tags: ['identity', 'rbac', 'check', 'permission'],\n description: 'Check if a user has a specific permission.',\n goal: 'Authorization check before sensitive operations.',\n context: 'Called by other services to verify permissions.',\n },\n io: {\n input: CheckPermissionInputModel,\n output: PermissionCheckResultModel,\n },\n policy: {\n auth: 'user',\n },\n});\n\n/**\n * List permissions for a user.\n */\nexport const ListUserPermissionsContract = defineQuery({\n meta: {\n name: 'identity.rbac.permissions',\n version: 1,\n stability: 'stable',\n owners: [...OWNERS],\n tags: ['identity', 'rbac', 'permissions', 'user'],\n description: 'List all permissions for a user in a context.',\n goal: 'Show what a user can do in an org.',\n context: 'UI permission display, debugging.',\n },\n io: {\n input: ListUserPermissionsInputModel,\n output: ListUserPermissionsOutputModel,\n },\n policy: {\n auth: 'user',\n },\n});\n"],"mappings":";;;;;;AAIA,MAAM,SAAS,CAAC,yBAAyB;AAIzC,MAAa,YAAY,IAAIA,GAAY;CACvC,MAAM;CACN,aAAa;CACb,QAAQ;EACN,IAAI;GAAE,MAAMC,GAAe,iBAAiB;GAAE,YAAY;GAAO;EACjE,MAAM;GAAE,MAAMA,GAAe,iBAAiB;GAAE,YAAY;GAAO;EACnE,aAAa;GAAE,MAAMA,GAAe,iBAAiB;GAAE,YAAY;GAAM;EACzE,aAAa;GACX,MAAMA,GAAe,iBAAiB;GACtC,YAAY;GACZ,SAAS;GACV;EACD,WAAW;GAAE,MAAMA,GAAe,UAAU;GAAE,YAAY;GAAO;EAClE;CACF,CAAC;AAEF,MAAa,qBAAqB,IAAID,GAAY;CAChD,MAAM;CACN,aAAa;CACb,QAAQ;EACN,IAAI;GAAE,MAAMC,GAAe,iBAAiB;GAAE,YAAY;GAAO;EACjE,QAAQ;GAAE,MAAMA,GAAe,iBAAiB;GAAE,YAAY;GAAO;EACrE,YAAY;GAAE,MAAMA,GAAe,iBAAiB;GAAE,YAAY;GAAO;EACzE,UAAU;GAAE,MAAMA,GAAe,iBAAiB;GAAE,YAAY;GAAO;EACvE,WAAW;GAAE,MAAMA,GAAe,UAAU;GAAE,YAAY;GAAM;EAChE,WAAW;GAAE,MAAMA,GAAe,UAAU;GAAE,YAAY;GAAO;EACjE,MAAM;GAAE,MAAM;GAAW,YAAY;GAAO;EAC7C;CACF,CAAC;AAEF,MAAa,6BAA6B,IAAID,GAAY;CACxD,MAAM;CACN,aAAa;CACb,QAAQ;EACN,SAAS;GAAE,MAAMC,GAAe,SAAS;GAAE,YAAY;GAAO;EAC9D,QAAQ;GAAE,MAAMA,GAAe,iBAAiB;GAAE,YAAY;GAAM;EACpE,aAAa;GAAE,MAAMA,GAAe,iBAAiB;GAAE,YAAY;GAAM;EAC1E;CACF,CAAC;AAEF,MAAa,uBAAuB,IAAID,GAAY;CAClD,MAAM;CACN,aAAa;CACb,QAAQ;EACN,MAAM;GAAE,MAAMC,GAAe,gBAAgB;GAAE,YAAY;GAAO;EAClE,aAAa;GAAE,MAAMA,GAAe,iBAAiB;GAAE,YAAY;GAAM;EACzE,aAAa;GACX,MAAMA,GAAe,iBAAiB;GACtC,YAAY;GACZ,SAAS;GACV;EACF;CACF,CAAC;AAEF,MAAa,uBAAuB,IAAID,GAAY;CAClD,MAAM;CACN,aAAa;CACb,QAAQ;EACN,QAAQ;GAAE,MAAMC,GAAe,iBAAiB;GAAE,YAAY;GAAO;EACrE,MAAM;GAAE,MAAMA,GAAe,iBAAiB;GAAE,YAAY;GAAM;EAClE,aAAa;GAAE,MAAMA,GAAe,iBAAiB;GAAE,YAAY;GAAM;EACzE,aAAa;GACX,MAAMA,GAAe,iBAAiB;GACtC,YAAY;GACZ,SAAS;GACV;EACF;CACF,CAAC;AAEF,MAAa,uBAAuB,IAAID,GAAY;CAClD,MAAM;CACN,aAAa;CACb,QAAQ,EACN,QAAQ;EAAE,MAAMC,GAAe,iBAAiB;EAAE,YAAY;EAAO,EACtE;CACF,CAAC;AAEF,MAAa,uBAAuB,IAAID,GAAY;CAClD,MAAM;CACN,aAAa;CACb,QAAQ,EACN,OAAO;EAAE,MAAM;EAAW,YAAY;EAAO,SAAS;EAAM,EAC7D;CACF,CAAC;AAEF,MAAa,uBAAuB,IAAIA,GAAY;CAClD,MAAM;CACN,aAAa;CACb,QAAQ;EACN,QAAQ;GAAE,MAAMC,GAAe,iBAAiB;GAAE,YAAY;GAAO;EACrE,YAAY;GAAE,MAAMA,GAAe,iBAAiB;GAAE,YAAY;GAAO;EACzE,UAAU;GAAE,MAAMA,GAAe,iBAAiB;GAAE,YAAY;GAAO;EACvE,WAAW;GAAE,MAAMA,GAAe,UAAU;GAAE,YAAY;GAAM;EACjE;CACF,CAAC;AAEF,MAAa,uBAAuB,IAAID,GAAY;CAClD,MAAM;CACN,aAAa;CACb,QAAQ,EACN,WAAW;EAAE,MAAMC,GAAe,iBAAiB;EAAE,YAAY;EAAO,EACzE;CACF,CAAC;AAEF,MAAa,wBAAwB,IAAID,GAAY;CACnD,MAAM;CACN,aAAa;CACb,QAAQ,EACN,WAAW;EAAE,MAAMC,GAAe,iBAAiB;EAAE,YAAY;EAAO,EACzE;CACF,CAAC;AAEF,MAAa,4BAA4B,IAAID,GAAY;CACvD,MAAM;CACN,aAAa;CACb,QAAQ;EACN,QAAQ;GAAE,MAAMC,GAAe,iBAAiB;GAAE,YAAY;GAAO;EACrE,OAAO;GAAE,MAAMA,GAAe,iBAAiB;GAAE,YAAY;GAAM;EACnE,YAAY;GAAE,MAAMA,GAAe,iBAAiB;GAAE,YAAY;GAAO;EAC1E;CACF,CAAC;AAEF,MAAa,gCAAgC,IAAID,GAAY;CAC3D,MAAM;CACN,aAAa;CACb,QAAQ;EACN,QAAQ;GAAE,MAAMC,GAAe,iBAAiB;GAAE,YAAY;GAAO;EACrE,OAAO;GAAE,MAAMA,GAAe,iBAAiB;GAAE,YAAY;GAAM;EACpE;CACF,CAAC;AAEF,MAAa,iCAAiC,IAAID,GAAY;CAC5D,MAAM;CACN,aAAa;CACb,QAAQ;EACN,aAAa;GACX,MAAMC,GAAe,iBAAiB;GACtC,YAAY;GACZ,SAAS;GACV;EACD,OAAO;GAAE,MAAM;GAAW,YAAY;GAAO,SAAS;GAAM;EAC7D;CACF,CAAC;;;;AAOF,MAAa,qBAAqB,cAAc;CAC9C,MAAM;EACJ,MAAM;EACN,SAAS;EACT,WAAW;EACX,QAAQ,CAAC,GAAG,OAAO;EACnB,MAAM;GAAC;GAAY;GAAQ;GAAQ;GAAS;EAC5C,aAAa;EACb,MAAM;EACN,SAAS;EACV;CACD,IAAI;EACF,OAAO;EACP,QAAQ;EACR,QAAQ,EACN,aAAa;GACX,aAAa;GACb,MAAM;GACN,SAAS;GACT,MAAM;GACP,EACF;EACF;CACD,QAAQ,EACN,MAAM,SACP;CACD,aAAa,EACX,OAAO,CAAC,eAAe,EACxB;CACF,CAAC;;;;AAKF,MAAa,qBAAqB,cAAc;CAC9C,MAAM;EACJ,MAAM;EACN,SAAS;EACT,WAAW;EACX,QAAQ,CAAC,GAAG,OAAO;EACnB,MAAM;GAAC;GAAY;GAAQ;GAAQ;GAAS;EAC5C,aAAa;EACb,MAAM;EACN,SAAS;EACV;CACD,IAAI;EACF,OAAO;EACP,QAAQ;EACT;CACD,QAAQ,EACN,MAAM,SACP;CACD,aAAa,EACX,OAAO,CAAC,eAAe,EACxB;CACF,CAAC;;;;AAKF,MAAa,qBAAqB,cAAc;CAC9C,MAAM;EACJ,MAAM;EACN,SAAS;EACT,WAAW;EACX,QAAQ,CAAC,GAAG,OAAO;EACnB,MAAM;GAAC;GAAY;GAAQ;GAAQ;GAAS;EAC5C,aAAa;EACb,MAAM;EACN,SAAS;EACV;CACD,IAAI;EACF,OAAO;EACP,QAAQ;EACR,QAAQ,EACN,aAAa;GACX,aAAa;GACb,MAAM;GACN,SAAS;GACT,MAAM;GACP,EACF;EACF;CACD,QAAQ,EACN,MAAM,SACP;CACD,aAAa,EACX,OAAO,CAAC,eAAe,EACxB;CACF,CAAC;;;;AAKF,MAAa,oBAAoB,YAAY;CAC3C,MAAM;EACJ,MAAM;EACN,SAAS;EACT,WAAW;EACX,QAAQ,CAAC,GAAG,OAAO;EACnB,MAAM;GAAC;GAAY;GAAQ;GAAQ;GAAO;EAC1C,aAAa;EACb,MAAM;EACN,SAAS;EACV;CACD,IAAI;EACF,OAAO;EACP,QAAQ;EACT;CACD,QAAQ,EACN,MAAM,QACP;CACF,CAAC;;;;AAKF,MAAa,qBAAqB,cAAc;CAC9C,MAAM;EACJ,MAAM;EACN,SAAS;EACT,WAAW;EACX,QAAQ,CAAC,GAAG,OAAO;EACnB,MAAM;GAAC;GAAY;GAAQ;GAAS;EACpC,aAAa;EACb,MAAM;EACN,SAAS;EACV;CACD,IAAI;EACF,OAAO;EACP,QAAQ;EACR,QAAQ;GACN,gBAAgB;IACd,aAAa;IACb,MAAM;IACN,SAAS;IACT,MAAM;IACP;GACD,kBAAkB;IAChB,aAAa;IACb,MAAM;IACN,SAAS;IACT,MAAM;IACP;GACF;EACF;CACD,QAAQ,EACN,MAAM,SACP;CACD,aAAa;EACX,OAAO,CACL;GACE,MAAM;GACN,SAAS;GACT,MAAM;GACN,SAAS;GACV,CACF;EACD,OAAO,CAAC,gBAAgB;EACzB;CACF,CAAC;;;;AAKF,MAAa,qBAAqB,cAAc;CAC9C,MAAM;EACJ,MAAM;EACN,SAAS;EACT,WAAW;EACX,QAAQ,CAAC,GAAG,OAAO;EACnB,MAAM;GAAC;GAAY;GAAQ;GAAS;EACpC,aAAa;EACb,MAAM;EACN,SAAS;EACV;CACD,IAAI;EACF,OAAO;EACP,QAAQ;EACR,QAAQ,EACN,mBAAmB;GACjB,aAAa;GACb,MAAM;GACN,SAAS;GACT,MAAM;GACP,EACF;EACF;CACD,QAAQ,EACN,MAAM,SACP;CACD,aAAa;EACX,OAAO,CACL;GACE,MAAM;GACN,SAAS;GACT,MAAM;GACN,SAAS;GACV,CACF;EACD,OAAO,CAAC,eAAe;EACxB;CACF,CAAC;;;;AAKF,MAAa,0BAA0B,YAAY;CACjD,MAAM;EACJ,MAAM;EACN,SAAS;EACT,WAAW;EACX,QAAQ,CAAC,GAAG,OAAO;EACnB,MAAM;GAAC;GAAY;GAAQ;GAAS;GAAa;EACjD,aAAa;EACb,MAAM;EACN,SAAS;EACV;CACD,IAAI;EACF,OAAO;EACP,QAAQ;EACT;CACD,QAAQ,EACN,MAAM,QACP;CACF,CAAC;;;;AAKF,MAAa,8BAA8B,YAAY;CACrD,MAAM;EACJ,MAAM;EACN,SAAS;EACT,WAAW;EACX,QAAQ,CAAC,GAAG,OAAO;EACnB,MAAM;GAAC;GAAY;GAAQ;GAAe;GAAO;EACjD,aAAa;EACb,MAAM;EACN,SAAS;EACV;CACD,IAAI;EACF,OAAO;EACP,QAAQ;EACT;CACD,QAAQ,EACN,MAAM,QACP;CACF,CAAC"}