@lucern/contracts 0.3.0-alpha.11 → 0.3.0-alpha.12

@@ -0,0 +1,74 @@
1
+ type PermitProjectionPlatformRole = "platform_admin" | "tenant_admin" | "workspace_admin" | "editor" | "viewer" | "auditor" | "service_agent";
2
+ type PermitPrincipalProjection = Record<string, unknown> & {
3
+ principalId?: string;
4
+ tenantId?: string;
5
+ workspaceId?: string;
6
+ principalType?: string;
7
+ status?: string;
8
+ displayName?: string;
9
+ metadata?: Record<string, unknown>;
10
+ createdAt?: number;
11
+ updatedAt?: number;
12
+ lastSeenAt?: number;
13
+ };
14
+ type PermitAliasProjection = Record<string, unknown> & {
15
+ principalId?: string;
16
+ tenantId?: string;
17
+ workspaceId?: string;
18
+ provider?: string;
19
+ providerSubjectId?: string;
20
+ alias?: string;
21
+ aliasKind?: string;
22
+ status?: string;
23
+ metadata?: Record<string, unknown>;
24
+ };
25
+ type PermitRoleAssignmentProjection = Record<string, unknown> & {
26
+ tenantId?: string;
27
+ workspaceId?: string;
28
+ role?: string;
29
+ targetType?: string;
30
+ targetId?: string;
31
+ resourceType?: string;
32
+ resourceKey?: string;
33
+ status?: string;
34
+ };
35
+ type PermitGroupMembershipProjection = Record<string, unknown> & {
36
+ tenantId?: string;
37
+ workspaceId?: string;
38
+ groupId?: string;
39
+ memberType?: string;
40
+ memberId?: string;
41
+ principalId?: string;
42
+ status?: string;
43
+ };
44
+ type PermitProjectedUserRecord = {
45
+ clerkId: string;
46
+ email: string;
47
+ name?: string;
48
+ lastSeenAt: number;
49
+ chatCount: number;
50
+ messageCount: number;
51
+ mcRole: PermitProjectionPlatformRole;
52
+ mcRoleSyncedAt: number;
53
+ defaultTenantId: string;
54
+ defaultWorkspaceId: string;
55
+ defaultPrincipalId: string;
56
+ principalGroupIds: string[];
57
+ governanceGrantsSyncedAt: number;
58
+ createdAt: number;
59
+ updatedAt: number;
60
+ };
61
+ type PermitProjectionRows = {
62
+ principals: PermitPrincipalProjection[];
63
+ aliases: PermitAliasProjection[];
64
+ roleAssignments: PermitRoleAssignmentProjection[];
65
+ groupMemberships: PermitGroupMembershipProjection[];
66
+ };
67
+ declare function readPermitProjectionString(value: unknown): string | undefined;
68
+ declare function isActivePermitProjectionStatus(value: unknown): boolean;
69
+ declare function mapPermitRoleToPlatformRole(role: unknown): PermitProjectionPlatformRole | undefined;
70
+ declare function buildProjectedUserFromPermitPrincipal(rows: PermitProjectionRows, principal: PermitPrincipalProjection, matchingAlias?: PermitAliasProjection, now?: number): PermitProjectedUserRecord | null;
71
+ declare function findProjectedUserByPermitPrincipalId(rows: PermitProjectionRows, principalId: string, now?: number): PermitProjectedUserRecord | null;
72
+ declare function findProjectedUserByPermitClerkId(rows: PermitProjectionRows, clerkId: string, now?: number): PermitProjectedUserRecord | null;
73
+
74
+ export { type PermitAliasProjection, type PermitGroupMembershipProjection, type PermitPrincipalProjection, type PermitProjectedUserRecord, type PermitProjectionPlatformRole, type PermitProjectionRows, type PermitRoleAssignmentProjection, buildProjectedUserFromPermitPrincipal, findProjectedUserByPermitClerkId, findProjectedUserByPermitPrincipalId, isActivePermitProjectionStatus, mapPermitRoleToPlatformRole, readPermitProjectionString };
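Review bot: `isActivePermitProjectionStatus(value: unknown): boolean` is exported without a doc comment, and the signature hides that it fails open: per the implementation shipped in this release (`return !status || status === "active" || status === "synced"`), a missing, blank or non-string status counts as active. The implementation uses this predicate to gate principals, aliases, group memberships and role assignments, so the declaration should state the contract, e.g. `/** True for "active"/"synced" (case-insensitive) and also when status is absent, blank or not a string. */`. The same gap applies to `PermitProjectedUserRecord`: `email` and `clerkId` can be synthesized (`${principalId}@permit.local`, or the principal id itself), so a comment on those fields should say they are not verified identity attributes.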
@@ -0,0 +1,161 @@
1
+ // src/permit-principal-projection.contract.ts
2
+ var PLATFORM_ROLE_PRIORITY = {
3
+ platform_admin: 70,
4
+ tenant_admin: 60,
5
+ workspace_admin: 50,
6
+ editor: 40,
7
+ auditor: 30,
8
+ viewer: 20,
9
+ service_agent: 10
10
+ };
11
+ function readPermitProjectionString(value) {
12
+ return typeof value === "string" && value.trim() ? value.trim() : void 0;
13
+ }
14
+ function isActivePermitProjectionStatus(value) {
15
+ const status = readPermitProjectionString(value)?.toLowerCase();
16
+ return !status || status === "active" || status === "synced";
17
+ }
18
+ function mapPermitRoleToPlatformRole(role) {
19
+ switch (readPermitProjectionString(role)?.toLowerCase()) {
20
+ case "platform_admin":
21
+ return "platform_admin";
22
+ case "tenant_admin":
23
+ return "tenant_admin";
24
+ case "workspace_admin":
25
+ case "deployment_admin":
26
+ case "graph_admin":
27
+ return "workspace_admin";
28
+ case "editor":
29
+ case "workspace_member":
30
+ case "graph_editor":
31
+ case "evidence_contributor":
32
+ case "question_resolver":
33
+ case "theme_promoter":
34
+ return "editor";
35
+ case "auditor":
36
+ return "auditor";
37
+ case "viewer":
38
+ case "graph_viewer":
39
+ case "stakeholder_viewer":
40
+ case "stakeholder_summarizer":
41
+ case "source_drilldown_viewer":
42
+ case "restricted_data_viewer":
43
+ case "proprietary_data_viewer":
44
+ return "viewer";
45
+ case "service_agent":
46
+ case "agent_runner":
47
+ return "service_agent";
48
+ default:
49
+ return void 0;
50
+ }
51
+ }
52
+ function highestPlatformRole(roles) {
53
+ return roles.reduce(
54
+ (best, role) => PLATFORM_ROLE_PRIORITY[role] > PLATFORM_ROLE_PRIORITY[best] ? role : best,
55
+ "viewer"
56
+ );
57
+ }
58
+ function isClerkAliasFor(alias, clerkId) {
59
+ return isActivePermitProjectionStatus(alias.status) && readPermitProjectionString(alias.provider)?.toLowerCase() === "clerk" && (readPermitProjectionString(alias.providerSubjectId) === clerkId || readPermitProjectionString(alias.alias) === clerkId);
60
+ }
61
+ function emailFromAlias(aliases, principal) {
62
+ return aliases.find(
63
+ (alias) => readPermitProjectionString(alias.aliasKind)?.toLowerCase() === "email"
64
+ )?.alias ?? readPermitProjectionString(principal.metadata?.email);
65
+ }
66
+ function groupIdsForPrincipal(memberships, principal) {
67
+ const principalId = readPermitProjectionString(principal.principalId);
68
+ if (!principalId) return [];
69
+ return [
70
+ ...new Set(
71
+ memberships.filter(
72
+ (membership) => isActivePermitProjectionStatus(membership.status) && readPermitProjectionString(membership.tenantId) === readPermitProjectionString(principal.tenantId) && readPermitProjectionString(membership.memberType) === "principal" && (readPermitProjectionString(membership.memberId) === principalId || readPermitProjectionString(membership.principalId) === principalId)
73
+ ).map((membership) => readPermitProjectionString(membership.groupId)).filter((groupId) => Boolean(groupId))
74
+ )
75
+ ];
76
+ }
77
+ function rolesForPrincipal(assignments, principal, groupIds) {
78
+ const principalId = readPermitProjectionString(principal.principalId);
79
+ const tenantId = readPermitProjectionString(principal.tenantId);
80
+ const roles = assignments.filter(
81
+ (assignment) => isActivePermitProjectionStatus(assignment.status) && readPermitProjectionString(assignment.tenantId) === tenantId && (readPermitProjectionString(assignment.targetType) === "principal" && readPermitProjectionString(assignment.targetId) === principalId || readPermitProjectionString(assignment.targetType) === "group" && groupIds.includes(
82
+ readPermitProjectionString(assignment.targetId) ?? ""
83
+ ))
84
+ ).map((assignment) => mapPermitRoleToPlatformRole(assignment.role)).filter(
85
+ (role) => Boolean(role)
86
+ );
87
+ if (readPermitProjectionString(principal.principalType) === "agent" || readPermitProjectionString(principal.principalType) === "service_principal") {
88
+ roles.push("service_agent");
89
+ }
90
+ return [...new Set(roles)];
91
+ }
92
+ function workspaceFromPermitProjection(principal, alias, assignments) {
93
+ return readPermitProjectionString(principal.workspaceId) ?? readPermitProjectionString(alias?.workspaceId) ?? readPermitProjectionString(
94
+ assignments.find(
95
+ (assignment) => readPermitProjectionString(assignment.targetId) === readPermitProjectionString(principal.principalId) && readPermitProjectionString(assignment.resourceType) === "workspace"
96
+ )?.resourceKey
97
+ ) ?? readPermitProjectionString(
98
+ assignments.find((assignment) => assignment.workspaceId)?.workspaceId
99
+ );
100
+ }
101
+ function buildProjectedUserFromPermitPrincipal(rows, principal, matchingAlias, now = Date.now()) {
102
+ const principalId = readPermitProjectionString(principal.principalId);
103
+ const tenantId = readPermitProjectionString(principal.tenantId);
104
+ if (!principalId || !tenantId || !isActivePermitProjectionStatus(principal.status)) {
105
+ return null;
106
+ }
107
+ const aliases = rows.aliases.filter(
108
+ (alias2) => readPermitProjectionString(alias2.tenantId) === tenantId && readPermitProjectionString(alias2.principalId) === principalId && isActivePermitProjectionStatus(alias2.status)
109
+ );
110
+ const groupIds = groupIdsForPrincipal(rows.groupMemberships, principal);
111
+ const roles = rolesForPrincipal(rows.roleAssignments, principal, groupIds);
112
+ if (roles.length === 0) {
113
+ return null;
114
+ }
115
+ const alias = matchingAlias ?? aliases[0];
116
+ const clerkId = readPermitProjectionString(
117
+ aliases.find(
118
+ (entry) => readPermitProjectionString(entry.provider)?.toLowerCase() === "clerk"
119
+ )?.providerSubjectId
120
+ ) ?? principalId;
121
+ return {
122
+ clerkId,
123
+ email: emailFromAlias(aliases, principal) ?? `${principalId}@permit.local`,
124
+ name: readPermitProjectionString(principal.displayName),
125
+ lastSeenAt: principal.lastSeenAt ?? principal.updatedAt ?? now,
126
+ chatCount: 0,
127
+ messageCount: 0,
128
+ mcRole: highestPlatformRole(roles),
129
+ mcRoleSyncedAt: principal.updatedAt ?? now,
130
+ defaultTenantId: tenantId,
131
+ defaultWorkspaceId: workspaceFromPermitProjection(principal, alias, rows.roleAssignments) ?? tenantId,
132
+ defaultPrincipalId: principalId,
133
+ principalGroupIds: groupIds,
134
+ governanceGrantsSyncedAt: principal.updatedAt ?? now,
135
+ createdAt: principal.createdAt ?? now,
136
+ updatedAt: principal.updatedAt ?? now
137
+ };
138
+ }
139
+ function findProjectedUserByPermitPrincipalId(rows, principalId, now = Date.now()) {
140
+ const normalizedPrincipalId = principalId.trim();
141
+ const principal = rows.principals.find(
142
+ (row) => isActivePermitProjectionStatus(row.status) && readPermitProjectionString(row.principalId) === normalizedPrincipalId
143
+ );
144
+ return principal ? buildProjectedUserFromPermitPrincipal(rows, principal, void 0, now) : null;
145
+ }
146
+ function findProjectedUserByPermitClerkId(rows, clerkId, now = Date.now()) {
147
+ const normalizedClerkId = clerkId.trim();
148
+ const matchingAlias = rows.aliases.find(
149
+ (alias) => isClerkAliasFor(alias, normalizedClerkId)
150
+ );
151
+ const principal = matchingAlias ? rows.principals.find(
152
+ (row) => readPermitProjectionString(row.tenantId) === readPermitProjectionString(matchingAlias.tenantId) && readPermitProjectionString(row.principalId) === readPermitProjectionString(matchingAlias.principalId)
153
+ ) : rows.principals.find(
154
+ (row) => readPermitProjectionString(row.principalId) === normalizedClerkId || readPermitProjectionString(row.principalId) === `user:${normalizedClerkId}`
155
+ );
156
+ return principal ? buildProjectedUserFromPermitPrincipal(rows, principal, matchingAlias, now) : null;
157
+ }
158
+
159
+ export { buildProjectedUserFromPermitPrincipal, findProjectedUserByPermitClerkId, findProjectedUserByPermitPrincipalId, isActivePermitProjectionStatus, mapPermitRoleToPlatformRole, readPermitProjectionString };
160
+ //# sourceMappingURL=permit-principal-projection.contract.js.map
161
+ //# sourceMappingURL=permit-principal-projection.contract.js.map
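Review bot: `workspaceFromPermitProjection` can resolve `defaultWorkspaceId` from a role assignment unrelated to the principal: its last fallback, `assignments.find((assignment) => assignment.workspaceId)?.workspaceId`, takes the first row that has any workspace, and the lookup before it matches `targetId` without checking tenant, status or `targetType`. Every other helper in this file filters on `tenantId` and `isActivePermitProjectionStatus`, so `rows` presumably can hold several tenants, in which case a projected user may default to another tenant's workspace. Restricting both lookups to active assignments in the principal's tenant that target the principal, as in the excerpt below, closes that gap (group-targeted assignments would need their own decision). Separately, `highestPlatformRole` seeds its reduce with `"viewer"`, so a principal whose only role is `service_agent` (pushed unconditionally for `agent`/`service_principal` types, which also defeats the `roles.length === 0` guard) is projected as `viewer`; seeding with `roles[0]` avoids that if it is not intended.

```javascript
function workspaceFromPermitProjection(principal, alias, assignments) {
  const principalId = readPermitProjectionString(principal.principalId);
  const tenantId = readPermitProjectionString(principal.tenantId);
  // Consider only active assignments in the principal's own tenant that target this principal.
  const own = assignments.filter(
    (assignment) => isActivePermitProjectionStatus(assignment.status) && readPermitProjectionString(assignment.tenantId) === tenantId && readPermitProjectionString(assignment.targetType) === "principal" && readPermitProjectionString(assignment.targetId) === principalId
  );
  return readPermitProjectionString(principal.workspaceId) ?? readPermitProjectionString(alias?.workspaceId) ?? readPermitProjectionString(
    own.find((assignment) => readPermitProjectionString(assignment.resourceType) === "workspace")?.resourceKey
  ) ?? readPermitProjectionString(
    own.find((assignment) => readPermitProjectionString(assignment.workspaceId))?.workspaceId
  );
}
```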
@@ -0,0 +1 @@
1
+ {"version":3,"sources":["../src/permit-principal-projection.contract.ts"],"names":["alias"],"mappings":";AAgFA,IAAM,sBAAA,GAAuE;AAAA,EAC3E,cAAA,EAAgB,EAAA;AAAA,EAChB,YAAA,EAAc,EAAA;AAAA,EACd,eAAA,EAAiB,EAAA;AAAA,EACjB,MAAA,EAAQ,EAAA;AAAA,EACR,OAAA,EAAS,EAAA;AAAA,EACT,MAAA,EAAQ,EAAA;AAAA,EACR,aAAA,EAAe;AACjB,CAAA;AAEO,SAAS,2BAA2B,KAAA,EAAoC;AAC7E,EAAA,OAAO,OAAO,UAAU,QAAA,IAAY,KAAA,CAAM,MAAK,GAAI,KAAA,CAAM,MAAK,GAAI,MAAA;AACpE;AAEO,SAAS,+BAA+B,KAAA,EAAyB;AACtE,EAAA,MAAM,MAAA,GAAS,0BAAA,CAA2B,KAAK,CAAA,EAAG,WAAA,EAAY;AAC9D,EAAA,OAAO,CAAC,MAAA,IAAU,MAAA,KAAW,QAAA,IAAY,MAAA,KAAW,QAAA;AACtD;AAEO,SAAS,4BACd,IAAA,EAC0C;AAC1C,EAAA,QAAQ,0BAAA,CAA2B,IAAI,CAAA,EAAG,WAAA,EAAY;AAAG,IACvD,KAAK,gBAAA;AACH,MAAA,OAAO,gBAAA;AAAA,IACT,KAAK,cAAA;AACH,MAAA,OAAO,cAAA;AAAA,IACT,KAAK,iBAAA;AAAA,IACL,KAAK,kBAAA;AAAA,IACL,KAAK,aAAA;AACH,MAAA,OAAO,iBAAA;AAAA,IACT,KAAK,QAAA;AAAA,IACL,KAAK,kBAAA;AAAA,IACL,KAAK,cAAA;AAAA,IACL,KAAK,sBAAA;AAAA,IACL,KAAK,mBAAA;AAAA,IACL,KAAK,gBAAA;AACH,MAAA,OAAO,QAAA;AAAA,IACT,KAAK,SAAA;AACH,MAAA,OAAO,SAAA;AAAA,IACT,KAAK,QAAA;AAAA,IACL,KAAK,cAAA;AAAA,IACL,KAAK,oBAAA;AAAA,IACL,KAAK,wBAAA;AAAA,IACL,KAAK,yBAAA;AAAA,IACL,KAAK,wBAAA;AAAA,IACL,KAAK,yBAAA;AACH,MAAA,OAAO,QAAA;AAAA,IACT,KAAK,eAAA;AAAA,IACL,KAAK,cAAA;AACH,MAAA,OAAO,eAAA;AAAA,IACT;AACE,MAAA,OAAO,MAAA;AAAA;AAEb;AAEA,SAAS,oBACP,KAAA,EAC8B;AAC9B,EAAA,OAAO,KAAA,CAAM,MAAA;AAAA,IACX,CAAC,MAAM,IAAA,KACL,sBAAA,CAAuB,IAAI,CAAA,GAAI,sBAAA,CAAuB,IAAI,CAAA,GAAI,IAAA,GAAO,IAAA;AAAA,IACvE;AAAA,GACF;AACF;AAEA,SAAS,eAAA,CAAgB,OAA8B,OAAA,EAA0B;AAC/E,EAAA,OACE,+BAA+B,KAAA,CAAM,MAAM,KAC3C,0BAAA,CAA2B,KAAA,CAAM,QAAQ,CAAA,EAAG,WAAA,OAAkB,OAAA,KAC7D,0BAAA,CAA2B,MAAM,iBAAiB,CAAA,KAAM,WACvD,0BAAA,CAA2B,KAAA,CAAM,KAAK,CAAA,KAAM,OAAA,CAAA;AAElD;AAEA,SAAS,cAAA,CACP,SACA,SAAA,EACoB;AACpB,EAAA,OACE,OAAA,CAAQ,IAAA;AAAA,IACN,CAAC,KAAA,KACC,0BAAA,CAA2B,MAAM,SAAS,CAAA,EAAG,aAAY,KAAM;AAAA,GACnE,EAAG,KAAA,IAAS,0BAAA,CAA2B,SAAA,CAAU,UAAU,KAAK,CAAA;AAEpE;AAEA,SAAS,oBAAA,CACP,aACA,SAAA,EACU;AACV,EAAA,MAAM,WAAA,GAAc,0BAAA,CAA2B,SAAA,CAAU,WAAW,CAA
A;AACpE,EAAA,IAAI,CAAC,WAAA,EAAa,OAAO,EAAC;AAC1B,EAAA,OAAO;AAAA,IACL,GAAG,IAAI,GAAA;AAAA,MACL,WAAA,CACG,MAAA;AAAA,QACC,CAAC,UAAA,KACC,8BAAA,CAA+B,UAAA,CAAW,MAAM,CAAA,IAChD,0BAAA,CAA2B,UAAA,CAAW,QAAQ,CAAA,KAC5C,0BAAA,CAA2B,SAAA,CAAU,QAAQ,CAAA,IAC/C,0BAAA,CAA2B,UAAA,CAAW,UAAU,CAAA,KAAM,WAAA,KACrD,0BAAA,CAA2B,UAAA,CAAW,QAAQ,CAAA,KAAM,WAAA,IACnD,0BAAA,CAA2B,UAAA,CAAW,WAAW,CAAA,KAAM,WAAA;AAAA,OAC7D,CACC,GAAA,CAAI,CAAC,UAAA,KAAe,2BAA2B,UAAA,CAAW,OAAO,CAAC,CAAA,CAClE,MAAA,CAAO,CAAC,OAAA,KAA+B,OAAA,CAAQ,OAAO,CAAC;AAAA;AAC5D,GACF;AACF;AAEA,SAAS,iBAAA,CACP,WAAA,EACA,SAAA,EACA,QAAA,EACgC;AAChC,EAAA,MAAM,WAAA,GAAc,0BAAA,CAA2B,SAAA,CAAU,WAAW,CAAA;AACpE,EAAA,MAAM,QAAA,GAAW,0BAAA,CAA2B,SAAA,CAAU,QAAQ,CAAA;AAC9D,EAAA,MAAM,QAAQ,WAAA,CACX,MAAA;AAAA,IACC,CAAC,UAAA,KACC,8BAAA,CAA+B,UAAA,CAAW,MAAM,CAAA,IAChD,0BAAA,CAA2B,UAAA,CAAW,QAAQ,CAAA,KAAM,QAAA,KAClD,0BAAA,CAA2B,UAAA,CAAW,UAAU,CAAA,KAAM,WAAA,IACtD,0BAAA,CAA2B,UAAA,CAAW,QAAQ,CAAA,KAAM,WAAA,IACnD,0BAAA,CAA2B,UAAA,CAAW,UAAU,CAAA,KAAM,OAAA,IACrD,QAAA,CAAS,QAAA;AAAA,MACP,0BAAA,CAA2B,UAAA,CAAW,QAAQ,CAAA,IAAK;AAAA,KACrD;AAAA,GACR,CACC,IAAI,CAAC,UAAA,KAAe,4BAA4B,UAAA,CAAW,IAAI,CAAC,CAAA,CAChE,MAAA;AAAA,IACC,CAAC,IAAA,KAA+C,OAAA,CAAQ,IAAI;AAAA,GAC9D;AAEF,EAAA,IACE,0BAAA,CAA2B,UAAU,aAAa,CAAA,KAAM,WACxD,0BAAA,CAA2B,SAAA,CAAU,aAAa,CAAA,KAAM,mBAAA,EACxD;AACA,IAAA,KAAA,CAAM,KAAK,eAAe,CAAA;AAAA,EAC5B;AAEA,EAAA,OAAO,CAAC,GAAG,IAAI,GAAA,CAAI,KAAK,CAAC,CAAA;AAC3B;AAEA,SAAS,6BAAA,CACP,SAAA,EACA,KAAA,EACA,WAAA,EACoB;AACpB,EAAA,OACE,2BAA2B,SAAA,CAAU,WAAW,KAChD,0BAAA,CAA2B,KAAA,EAAO,WAAW,CAAA,IAC7C,0BAAA;AAAA,IACE,WAAA,CAAY,IAAA;AAAA,MACV,CAAC,UAAA,KACC,0BAAA,CAA2B,UAAA,CAAW,QAAQ,CAAA,KAC5C,0BAAA,CAA2B,SAAA,CAAU,WAAW,CAAA,IAClD,0BAAA,CAA2B,UAAA,CAAW,YAAY,CAAA,KAAM;AAAA,KAC5D,EAAG;AAAA,GACL,IACA,0BAAA;AAAA,IACE,YAAY,IAAA,CAAK,CAAC,UAAA,KAAe,UAAA,CAAW,WAAW,CAAA,EAAG;AAAA,GAC5D;AAEJ;AAEO,SAAS,sCACd,IAAA,EACA,SAAA,EACA,eACA,GAAA,GAAM,IAAA,CAAK,KAAI,EACmB;AAClC,EAAA,MAAM,WAAA,GAAc,0BAAA,CAA2B,SAAA,CAAU,WAAW,CAAA;AACpE,EAAA,MAAM,QAAA,GAAW,0BAAA,CAA2B,SAAA,CAA
U,QAAQ,CAAA;AAC9D,EAAA,IACE,CAAC,eACD,CAAC,QAAA,IACD,CAAC,8BAAA,CAA+B,SAAA,CAAU,MAAM,CAAA,EAChD;AACA,IAAA,OAAO,IAAA;AAAA,EACT;AAEA,EAAA,MAAM,OAAA,GAAU,KAAK,OAAA,CAAQ,MAAA;AAAA,IAC3B,CAACA,MAAAA,KACC,0BAAA,CAA2BA,MAAAA,CAAM,QAAQ,CAAA,KAAM,QAAA,IAC/C,0BAAA,CAA2BA,MAAAA,CAAM,WAAW,CAAA,KAAM,WAAA,IAClD,8BAAA,CAA+BA,OAAM,MAAM;AAAA,GAC/C;AACA,EAAA,MAAM,QAAA,GAAW,oBAAA,CAAqB,IAAA,CAAK,gBAAA,EAAkB,SAAS,CAAA;AACtE,EAAA,MAAM,KAAA,GAAQ,iBAAA,CAAkB,IAAA,CAAK,eAAA,EAAiB,WAAW,QAAQ,CAAA;AACzE,EAAA,IAAI,KAAA,CAAM,WAAW,CAAA,EAAG;AACtB,IAAA,OAAO,IAAA;AAAA,EACT;AAEA,EAAA,MAAM,KAAA,GAAQ,aAAA,IAAiB,OAAA,CAAQ,CAAC,CAAA;AACxC,EAAA,MAAM,OAAA,GACJ,0BAAA;AAAA,IACE,OAAA,CAAQ,IAAA;AAAA,MACN,CAAC,KAAA,KACC,0BAAA,CAA2B,MAAM,QAAQ,CAAA,EAAG,aAAY,KAAM;AAAA,KAClE,EAAG;AAAA,GACL,IAAK,WAAA;AAEP,EAAA,OAAO;AAAA,IACL,OAAA;AAAA,IACA,OAAO,cAAA,CAAe,OAAA,EAAS,SAAS,CAAA,IAAK,GAAG,WAAW,CAAA,aAAA,CAAA;AAAA,IAC3D,IAAA,EAAM,0BAAA,CAA2B,SAAA,CAAU,WAAW,CAAA;AAAA,IACtD,UAAA,EAAY,SAAA,CAAU,UAAA,IAAc,SAAA,CAAU,SAAA,IAAa,GAAA;AAAA,IAC3D,SAAA,EAAW,CAAA;AAAA,IACX,YAAA,EAAc,CAAA;AAAA,IACd,MAAA,EAAQ,oBAAoB,KAAK,CAAA;AAAA,IACjC,cAAA,EAAgB,UAAU,SAAA,IAAa,GAAA;AAAA,IACvC,eAAA,EAAiB,QAAA;AAAA,IACjB,oBACE,6BAAA,CAA8B,SAAA,EAAW,KAAA,EAAO,IAAA,CAAK,eAAe,CAAA,IACpE,QAAA;AAAA,IACF,kBAAA,EAAoB,WAAA;AAAA,IACpB,iBAAA,EAAmB,QAAA;AAAA,IACnB,wBAAA,EAA0B,UAAU,SAAA,IAAa,GAAA;AAAA,IACjD,SAAA,EAAW,UAAU,SAAA,IAAa,GAAA;AAAA,IAClC,SAAA,EAAW,UAAU,SAAA,IAAa;AAAA,GACpC;AACF;AAEO,SAAS,qCACd,IAAA,EACA,WAAA,EACA,GAAA,GAAM,IAAA,CAAK,KAAI,EACmB;AAClC,EAAA,MAAM,qBAAA,GAAwB,YAAY,IAAA,EAAK;AAC/C,EAAA,MAAM,SAAA,GAAY,KAAK,UAAA,CAAW,IAAA;AAAA,IAChC,CAAC,QACC,8BAAA,CAA+B,GAAA,CAAI,MAAM,CAAA,IACzC,0BAAA,CAA2B,GAAA,CAAI,WAAW,CAAA,KAAM;AAAA,GACpD;AACA,EAAA,OAAO,YACH,qCAAA,CAAsC,IAAA,EAAM,SAAA,EAAW,MAAA,EAAW,GAAG,CAAA,GACrE,IAAA;AACN;AAEO,SAAS,iCACd,IAAA,EACA,OAAA,EACA,GAAA,GAAM,IAAA,CAAK,KAAI,EACmB;AAClC,EAAA,MAAM,iBAAA,GAAoB,QAAQ,IAAA,EAAK;AACvC,EAAA,MAAM,aAAA,GAAgB,KAAK,OAAA,CAAQ,IAAA;AAAA,IAAK,CAAC,KAAA,KACvC,eAAA,CAAgB,KAAA,EAAO,iBAAiB;AAAA,GAC1C;AACA,EAAA,M
AAM,SAAA,GAAY,aAAA,GACd,IAAA,CAAK,UAAA,CAAW,IAAA;AAAA,IACd,CAAC,GAAA,KACC,0BAAA,CAA2B,GAAA,CAAI,QAAQ,MACrC,0BAAA,CAA2B,aAAA,CAAc,QAAQ,CAAA,IACnD,2BAA2B,GAAA,CAAI,WAAW,CAAA,KACxC,0BAAA,CAA2B,cAAc,WAAW;AAAA,GAC1D,GACA,KAAK,UAAA,CAAW,IAAA;AAAA,IACd,CAAC,GAAA,KACC,0BAAA,CAA2B,GAAA,CAAI,WAAW,CAAA,KAAM,iBAAA,IAChD,0BAAA,CAA2B,GAAA,CAAI,WAAW,CAAA,KACxC,CAAA,KAAA,EAAQ,iBAAiB,CAAA;AAAA,GAC/B;AACJ,EAAA,OAAO,YACH,qCAAA,CAAsC,IAAA,EAAM,SAAA,EAAW,aAAA,EAAe,GAAG,CAAA,GACzE,IAAA;AACN","file":"permit-principal-projection.contract.js","sourcesContent":["export type PermitProjectionPlatformRole =\n | \"platform_admin\"\n | \"tenant_admin\"\n | \"workspace_admin\"\n | \"editor\"\n | \"viewer\"\n | \"auditor\"\n | \"service_agent\";\n\nexport type PermitPrincipalProjection = Record<string, unknown> & {\n principalId?: string;\n tenantId?: string;\n workspaceId?: string;\n principalType?: string;\n status?: string;\n displayName?: string;\n metadata?: Record<string, unknown>;\n createdAt?: number;\n updatedAt?: number;\n lastSeenAt?: number;\n};\n\nexport type PermitAliasProjection = Record<string, unknown> & {\n principalId?: string;\n tenantId?: string;\n workspaceId?: string;\n provider?: string;\n providerSubjectId?: string;\n alias?: string;\n aliasKind?: string;\n status?: string;\n metadata?: Record<string, unknown>;\n};\n\nexport type PermitRoleAssignmentProjection = Record<string, unknown> & {\n tenantId?: string;\n workspaceId?: string;\n role?: string;\n targetType?: string;\n targetId?: string;\n resourceType?: string;\n resourceKey?: string;\n status?: string;\n};\n\nexport type PermitGroupMembershipProjection = Record<string, unknown> & {\n tenantId?: string;\n workspaceId?: string;\n groupId?: string;\n memberType?: string;\n memberId?: string;\n principalId?: string;\n status?: string;\n};\n\nexport type PermitProjectedUserRecord = {\n clerkId: string;\n email: string;\n name?: string;\n lastSeenAt: number;\n chatCount: number;\n messageCount: number;\n mcRole: 
PermitProjectionPlatformRole;\n mcRoleSyncedAt: number;\n defaultTenantId: string;\n defaultWorkspaceId: string;\n defaultPrincipalId: string;\n principalGroupIds: string[];\n governanceGrantsSyncedAt: number;\n createdAt: number;\n updatedAt: number;\n};\n\nexport type PermitProjectionRows = {\n principals: PermitPrincipalProjection[];\n aliases: PermitAliasProjection[];\n roleAssignments: PermitRoleAssignmentProjection[];\n groupMemberships: PermitGroupMembershipProjection[];\n};\n\nconst PLATFORM_ROLE_PRIORITY: Record<PermitProjectionPlatformRole, number> = {\n platform_admin: 70,\n tenant_admin: 60,\n workspace_admin: 50,\n editor: 40,\n auditor: 30,\n viewer: 20,\n service_agent: 10,\n};\n\nexport function readPermitProjectionString(value: unknown): string | undefined {\n return typeof value === \"string\" && value.trim() ? value.trim() : undefined;\n}\n\nexport function isActivePermitProjectionStatus(value: unknown): boolean {\n const status = readPermitProjectionString(value)?.toLowerCase();\n return !status || status === \"active\" || status === \"synced\";\n}\n\nexport function mapPermitRoleToPlatformRole(\n role: unknown\n): PermitProjectionPlatformRole | undefined {\n switch (readPermitProjectionString(role)?.toLowerCase()) {\n case \"platform_admin\":\n return \"platform_admin\";\n case \"tenant_admin\":\n return \"tenant_admin\";\n case \"workspace_admin\":\n case \"deployment_admin\":\n case \"graph_admin\":\n return \"workspace_admin\";\n case \"editor\":\n case \"workspace_member\":\n case \"graph_editor\":\n case \"evidence_contributor\":\n case \"question_resolver\":\n case \"theme_promoter\":\n return \"editor\";\n case \"auditor\":\n return \"auditor\";\n case \"viewer\":\n case \"graph_viewer\":\n case \"stakeholder_viewer\":\n case \"stakeholder_summarizer\":\n case \"source_drilldown_viewer\":\n case \"restricted_data_viewer\":\n case \"proprietary_data_viewer\":\n return \"viewer\";\n case \"service_agent\":\n case \"agent_runner\":\n return 
\"service_agent\";\n default:\n return undefined;\n }\n}\n\nfunction highestPlatformRole(\n roles: PermitProjectionPlatformRole[]\n): PermitProjectionPlatformRole {\n return roles.reduce<PermitProjectionPlatformRole>(\n (best, role) =>\n PLATFORM_ROLE_PRIORITY[role] > PLATFORM_ROLE_PRIORITY[best] ? role : best,\n \"viewer\"\n );\n}\n\nfunction isClerkAliasFor(alias: PermitAliasProjection, clerkId: string): boolean {\n return (\n isActivePermitProjectionStatus(alias.status) &&\n readPermitProjectionString(alias.provider)?.toLowerCase() === \"clerk\" &&\n (readPermitProjectionString(alias.providerSubjectId) === clerkId ||\n readPermitProjectionString(alias.alias) === clerkId)\n );\n}\n\nfunction emailFromAlias(\n aliases: PermitAliasProjection[],\n principal: PermitPrincipalProjection\n): string | undefined {\n return (\n aliases.find(\n (alias) =>\n readPermitProjectionString(alias.aliasKind)?.toLowerCase() === \"email\"\n )?.alias ?? readPermitProjectionString(principal.metadata?.email)\n );\n}\n\nfunction groupIdsForPrincipal(\n memberships: PermitGroupMembershipProjection[],\n principal: PermitPrincipalProjection\n): string[] {\n const principalId = readPermitProjectionString(principal.principalId);\n if (!principalId) return [];\n return [\n ...new Set(\n memberships\n .filter(\n (membership) =>\n isActivePermitProjectionStatus(membership.status) &&\n readPermitProjectionString(membership.tenantId) ===\n readPermitProjectionString(principal.tenantId) &&\n readPermitProjectionString(membership.memberType) === \"principal\" &&\n (readPermitProjectionString(membership.memberId) === principalId ||\n readPermitProjectionString(membership.principalId) === principalId)\n )\n .map((membership) => readPermitProjectionString(membership.groupId))\n .filter((groupId): groupId is string => Boolean(groupId))\n ),\n ];\n}\n\nfunction rolesForPrincipal(\n assignments: PermitRoleAssignmentProjection[],\n principal: PermitPrincipalProjection,\n groupIds: string[]\n): 
PermitProjectionPlatformRole[] {\n const principalId = readPermitProjectionString(principal.principalId);\n const tenantId = readPermitProjectionString(principal.tenantId);\n const roles = assignments\n .filter(\n (assignment) =>\n isActivePermitProjectionStatus(assignment.status) &&\n readPermitProjectionString(assignment.tenantId) === tenantId &&\n ((readPermitProjectionString(assignment.targetType) === \"principal\" &&\n readPermitProjectionString(assignment.targetId) === principalId) ||\n (readPermitProjectionString(assignment.targetType) === \"group\" &&\n groupIds.includes(\n readPermitProjectionString(assignment.targetId) ?? \"\"\n )))\n )\n .map((assignment) => mapPermitRoleToPlatformRole(assignment.role))\n .filter(\n (role): role is PermitProjectionPlatformRole => Boolean(role)\n );\n\n if (\n readPermitProjectionString(principal.principalType) === \"agent\" ||\n readPermitProjectionString(principal.principalType) === \"service_principal\"\n ) {\n roles.push(\"service_agent\");\n }\n\n return [...new Set(roles)];\n}\n\nfunction workspaceFromPermitProjection(\n principal: PermitPrincipalProjection,\n alias: PermitAliasProjection | undefined,\n assignments: PermitRoleAssignmentProjection[]\n): string | undefined {\n return (\n readPermitProjectionString(principal.workspaceId) ??\n readPermitProjectionString(alias?.workspaceId) ??\n readPermitProjectionString(\n assignments.find(\n (assignment) =>\n readPermitProjectionString(assignment.targetId) ===\n readPermitProjectionString(principal.principalId) &&\n readPermitProjectionString(assignment.resourceType) === \"workspace\"\n )?.resourceKey\n ) ??\n readPermitProjectionString(\n assignments.find((assignment) => assignment.workspaceId)?.workspaceId\n )\n );\n}\n\nexport function buildProjectedUserFromPermitPrincipal(\n rows: PermitProjectionRows,\n principal: PermitPrincipalProjection,\n matchingAlias?: PermitAliasProjection,\n now = Date.now()\n): PermitProjectedUserRecord | null {\n const principalId = 
readPermitProjectionString(principal.principalId);\n const tenantId = readPermitProjectionString(principal.tenantId);\n if (\n !principalId ||\n !tenantId ||\n !isActivePermitProjectionStatus(principal.status)\n ) {\n return null;\n }\n\n const aliases = rows.aliases.filter(\n (alias) =>\n readPermitProjectionString(alias.tenantId) === tenantId &&\n readPermitProjectionString(alias.principalId) === principalId &&\n isActivePermitProjectionStatus(alias.status)\n );\n const groupIds = groupIdsForPrincipal(rows.groupMemberships, principal);\n const roles = rolesForPrincipal(rows.roleAssignments, principal, groupIds);\n if (roles.length === 0) {\n return null;\n }\n\n const alias = matchingAlias ?? aliases[0];\n const clerkId =\n readPermitProjectionString(\n aliases.find(\n (entry) =>\n readPermitProjectionString(entry.provider)?.toLowerCase() === \"clerk\"\n )?.providerSubjectId\n ) ?? principalId;\n\n return {\n clerkId,\n email: emailFromAlias(aliases, principal) ?? `${principalId}@permit.local`,\n name: readPermitProjectionString(principal.displayName),\n lastSeenAt: principal.lastSeenAt ?? principal.updatedAt ?? now,\n chatCount: 0,\n messageCount: 0,\n mcRole: highestPlatformRole(roles),\n mcRoleSyncedAt: principal.updatedAt ?? now,\n defaultTenantId: tenantId,\n defaultWorkspaceId:\n workspaceFromPermitProjection(principal, alias, rows.roleAssignments) ??\n tenantId,\n defaultPrincipalId: principalId,\n principalGroupIds: groupIds,\n governanceGrantsSyncedAt: principal.updatedAt ?? now,\n createdAt: principal.createdAt ?? now,\n updatedAt: principal.updatedAt ?? 
now,\n };\n}\n\nexport function findProjectedUserByPermitPrincipalId(\n rows: PermitProjectionRows,\n principalId: string,\n now = Date.now()\n): PermitProjectedUserRecord | null {\n const normalizedPrincipalId = principalId.trim();\n const principal = rows.principals.find(\n (row) =>\n isActivePermitProjectionStatus(row.status) &&\n readPermitProjectionString(row.principalId) === normalizedPrincipalId\n );\n return principal\n ? buildProjectedUserFromPermitPrincipal(rows, principal, undefined, now)\n : null;\n}\n\nexport function findProjectedUserByPermitClerkId(\n rows: PermitProjectionRows,\n clerkId: string,\n now = Date.now()\n): PermitProjectedUserRecord | null {\n const normalizedClerkId = clerkId.trim();\n const matchingAlias = rows.aliases.find((alias) =>\n isClerkAliasFor(alias, normalizedClerkId)\n );\n const principal = matchingAlias\n ? rows.principals.find(\n (row) =>\n readPermitProjectionString(row.tenantId) ===\n readPermitProjectionString(matchingAlias.tenantId) &&\n readPermitProjectionString(row.principalId) ===\n readPermitProjectionString(matchingAlias.principalId)\n )\n : rows.principals.find(\n (row) =>\n readPermitProjectionString(row.principalId) === normalizedClerkId ||\n readPermitProjectionString(row.principalId) ===\n `user:${normalizedClerkId}`\n );\n return principal\n ? buildProjectedUserFromPermitPrincipal(rows, principal, matchingAlias, now)\n : null;\n}\n"]}
@@ -41,5 +41,5 @@
41
41
  "convex-validators",
42
42
  "proof-attestation"
43
43
  ],
44
- "signedAt": 1778363337248
44
+ "signedAt": 1778435264704
45
45
  }
@@ -3791,7 +3791,9 @@ var permitObjectType = z.enum([
3791
3791
  "group",
3792
3792
  "resource_instance",
3793
3793
  "relationship_tuple",
3794
- "role_assignment"
3794
+ "role_assignment",
3795
+ "attribute_binding",
3796
+ "policy_bundle"
3795
3797
  ]);
3796
3798
  var permitOutboxOperation = z.enum([
3797
3799
  "upsert",