@spotto/contract 1.0.69-alpha.22 → 1.0.69-alpha.24

package/dist/assets/get/query.d.ts

@@ -49,6 +49,7 @@ export interface AssetFilters {
     manifestIds?: string[];
     supportsWith?: boolean;
     withAsset?: boolean;
+    dispatched?: boolean;
     createdAt?: DateCondition[];
     updatedAt?: DateCondition[];
     lastSeen?: DateCondition[];

package/dist/index.d.ts

@@ -19,4 +19,5 @@ export * from './fields';
 export * from './workflows';
 export * from './system';
 export * from './reports';
+export * from './sso';
 export * from './views';

package/dist/index.js

@@ -35,5 +35,6 @@ __exportStar(require("./fields"), exports);
 __exportStar(require("./workflows"), exports);
 __exportStar(require("./system"), exports);
 __exportStar(require("./reports"), exports);
+__exportStar(require("./sso"), exports);
 __exportStar(require("./views"), exports);
 //# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,2CAAwB;AACxB,2CAAwB;AACxB,iDAA8B;AAC9B,2CAAwB;AACxB,2CAAwB;AACxB,8CAA2B;AAC3B,6CAA0B;AAC1B,kDAA+B;AAC/B,4CAAyB;AACzB,0CAAuB;AACvB,yCAAsB;AACtB,8CAA2B;AAC3B,0CAAuB;AACvB,8CAA2B;AAC3B,0CAAuB;AACvB,2CAAwB;AACxB,8CAA2B;AAC3B,2CAAwB;AACxB,8CAA2B;AAC3B,2CAAwB;AACxB,4CAAyB;AACzB,0CAAuB"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,2CAAwB;AACxB,2CAAwB;AACxB,iDAA8B;AAC9B,2CAAwB;AACxB,2CAAwB;AACxB,8CAA2B;AAC3B,6CAA0B;AAC1B,kDAA+B;AAC/B,4CAAyB;AACzB,0CAAuB;AACvB,yCAAsB;AACtB,8CAA2B;AAC3B,0CAAuB;AACvB,8CAA2B;AAC3B,0CAAuB;AACvB,2CAAwB;AACxB,8CAA2B;AAC3B,2CAAwB;AACxB,8CAA2B;AAC3B,2CAAwB;AACxB,4CAAyB;AACzB,wCAAqB;AACrB,0CAAuB"}

package/dist/organisations/index.d.ts

@@ -2,3 +2,4 @@ export * from './[id]';
 export * from './get';
 export * from './post';
 export * from './constants';
+export * from './sso';

package/dist/organisations/index.js

@@ -18,4 +18,5 @@ __exportStar(require("./[id]"), exports);
 __exportStar(require("./get"), exports);
 __exportStar(require("./post"), exports);
 __exportStar(require("./constants"), exports);
+__exportStar(require("./sso"), exports);
 //# sourceMappingURL=index.js.map

package/dist/organisations/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/organisations/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,yCAAsB;AACtB,wCAAqB;AACrB,yCAAsB;AACtB,8CAA2B"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/organisations/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,yCAAsB;AACtB,wCAAqB;AACrB,yCAAsB;AACtB,8CAA2B;AAC3B,wCAAqB"}

package/dist/organisations/sso/constants.d.ts

@@ -0,0 +1,48 @@
+/**
+ * Supported SSO protocol modes for an organisation's per-customer Cognito IdP.
+ */
+export declare const SSO_MODES: readonly ["oidc", "saml"];
+export declare type SsoMode = (typeof SSO_MODES)[number];
+/**
+ * Per-org policy when the IdP-emitted role claim is missing or its value
+ * isn't a recognised Spotto role. `deny` rejects the login;
+ * `defaultRole` falls back to a configured role id.
+ */
+export declare const UNKNOWN_ROLE_ACTION_TYPES: readonly ["deny", "defaultRole"];
+export declare type UnknownRoleActionType = (typeof UNKNOWN_ROLE_ACTION_TYPES)[number];
+/**
+ * Cognito user attribute that carries the IdP-emitted Spotto role string.
+ * Fixed across all SSO orgs — every per-customer IdP attribute mapping wires
+ * the customer's role claim into this attribute, and every read site (auth
+ * bootstrap, role-refresh) reads from it.
+ *
+ * Cognito custom-attribute names are restricted to `[a-zA-Z][a-zA-Z0-9_]*`
+ * (no hyphens), so this is the canonical underscore form.
+ *
+ * Operational note: each User Pool (dev / staging / prod) needs the
+ * corresponding `g2g_role` custom attribute defined once before any SSO org
+ * can be onboarded against it. This is a manual one-off via the AWS console.
+ */
+export declare const DEFAULT_ROLE_CLAIM_ATTRIBUTE = "custom:g2g_role";
+/**
+ * The IdP-side claim name customers MUST emit. Mandated rather than
+ * configurable per-customer — every onboarded IdP gets the same Cognito
+ * attribute mapping (`custom:g2g_role` ← `g2g_role`), so customers configure
+ * their IdP to emit a claim with this exact name.
+ *
+ * - OIDC: a top-level claim called `g2g_role` in the userinfo / ID token.
+ * - SAML: an Attribute with `Name="g2g_role"` (bare name, not URI form). All
+ *   mainstream IdPs accept bare-name attributes; ADFS may need a custom
+ *   claim rule.
+ */
+export declare const DEFAULT_IDP_ROLE_CLAIM = "g2g_role";
+/**
+ * Builds the deterministic Cognito IdP / Client name for an org's SSO
+ * provisioning. Same input → same name, so re-onboarding (after offboard)
+ * regenerates the exact name; any partial debris in Cognito is found and
+ * updated by the describe-then-create-or-update path.
+ *
+ * Uses the org's Mongo `_id` hex (24 chars). With the `sso-` prefix the
+ * total is 28 chars, well within Cognito's IdP-name length limit.
+ */
+export declare const buildSsoProviderName: (orgIdHex: string) => string;

package/dist/organisations/sso/constants.js

@@ -0,0 +1,51 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.buildSsoProviderName = exports.DEFAULT_IDP_ROLE_CLAIM = exports.DEFAULT_ROLE_CLAIM_ATTRIBUTE = exports.UNKNOWN_ROLE_ACTION_TYPES = exports.SSO_MODES = void 0;
+/**
+ * Supported SSO protocol modes for an organisation's per-customer Cognito IdP.
+ */
+exports.SSO_MODES = ['oidc', 'saml'];
+/**
+ * Per-org policy when the IdP-emitted role claim is missing or its value
+ * isn't a recognised Spotto role. `deny` rejects the login;
+ * `defaultRole` falls back to a configured role id.
+ */
+exports.UNKNOWN_ROLE_ACTION_TYPES = ['deny', 'defaultRole'];
+/**
+ * Cognito user attribute that carries the IdP-emitted Spotto role string.
+ * Fixed across all SSO orgs — every per-customer IdP attribute mapping wires
+ * the customer's role claim into this attribute, and every read site (auth
+ * bootstrap, role-refresh) reads from it.
+ *
+ * Cognito custom-attribute names are restricted to `[a-zA-Z][a-zA-Z0-9_]*`
+ * (no hyphens), so this is the canonical underscore form.
+ *
+ * Operational note: each User Pool (dev / staging / prod) needs the
+ * corresponding `g2g_role` custom attribute defined once before any SSO org
+ * can be onboarded against it. This is a manual one-off via the AWS console.
+ */
+exports.DEFAULT_ROLE_CLAIM_ATTRIBUTE = 'custom:g2g_role';
+/**
+ * The IdP-side claim name customers MUST emit. Mandated rather than
+ * configurable per-customer — every onboarded IdP gets the same Cognito
+ * attribute mapping (`custom:g2g_role` ← `g2g_role`), so customers configure
+ * their IdP to emit a claim with this exact name.
+ *
+ * - OIDC: a top-level claim called `g2g_role` in the userinfo / ID token.
+ * - SAML: an Attribute with `Name="g2g_role"` (bare name, not URI form). All
+ *   mainstream IdPs accept bare-name attributes; ADFS may need a custom
+ *   claim rule.
+ */
+exports.DEFAULT_IDP_ROLE_CLAIM = 'g2g_role';
+/**
+ * Builds the deterministic Cognito IdP / Client name for an org's SSO
+ * provisioning. Same input → same name, so re-onboarding (after offboard)
+ * regenerates the exact name; any partial debris in Cognito is found and
+ * updated by the describe-then-create-or-update path.
+ *
+ * Uses the org's Mongo `_id` hex (24 chars). With the `sso-` prefix the
+ * total is 28 chars, well within Cognito's IdP-name length limit.
+ */
+const buildSsoProviderName = (orgIdHex) => `sso-${orgIdHex}`;
+exports.buildSsoProviderName = buildSsoProviderName;
+//# sourceMappingURL=constants.js.map

package/dist/organisations/sso/constants.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"constants.js","sourceRoot":"","sources":["../../../src/organisations/sso/constants.ts"],"names":[],"mappings":";;;AAAA;;GAEG;AACU,QAAA,SAAS,GAAG,CAAC,MAAM,EAAE,MAAM,CAAU,CAAA;AAIlD;;;;GAIG;AACU,QAAA,yBAAyB,GAAG,CAAC,MAAM,EAAE,aAAa,CAAU,CAAA;AAIzE;;;;;;;;;;;;GAYG;AACU,QAAA,4BAA4B,GAAG,iBAAiB,CAAA;AAE7D;;;;;;;;;;GAUG;AACU,QAAA,sBAAsB,GAAG,UAAU,CAAA;AAEhD;;;;;;;;GAQG;AACI,MAAM,oBAAoB,GAAG,CAAC,QAAgB,EAAU,EAAE,CAC/D,OAAO,QAAQ,EAAE,CAAA;AADN,QAAA,oBAAoB,wBACd"}

package/dist/organisations/sso/index.d.ts

@@ -0,0 +1,2 @@
+export * from './constants';
+export * from './types';

package/dist/organisations/sso/index.js

@@ -0,0 +1,19 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./constants"), exports);
+__exportStar(require("./types"), exports);
+//# sourceMappingURL=index.js.map

package/dist/organisations/sso/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/organisations/sso/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,8CAA2B;AAC3B,0CAAuB"}

package/dist/organisations/sso/types.d.ts

@@ -0,0 +1,48 @@
+/**
+ * Wire-level SSO config types. Used by validators (which see string IDs from
+ * inbound admin requests) and by the discovery endpoint response.
+ *
+ * The Mongo storage shape (`IMongoSSO`) mirrors these but uses ObjectId where
+ * roles are referenced; see `packages/mongo/src/adapters/entities/organisation.ts`.
+ *
+ * Generic over `TRoleId` so the same shape can serve both the wire layer
+ * (string) and the Mongo layer (ObjectId) without duplication.
+ */
+export declare type UnknownRoleAction<TRoleId = string> = {
+    type: 'deny';
+} | {
+    type: 'defaultRole';
+    roleId: TRoleId;
+};
+export interface SsoEnabledBase<TRoleId = string> {
+    enabled: true;
+    /** Email domains owned by this org. One domain → one org (enforced at write time). */
+    emailDomains: string[];
+    /** Cognito IdP name (unique within the User Pool). */
+    cognitoProviderName: string;
+    /** Per-customer User Pool Client. One Cognito Client per SSO org. */
+    cognitoClientId: string;
+    /** Frontend inactivity timer. Absent ⇒ no timer. */
+    inactivityTimeoutMinutes?: number;
+    /** What to do when the role claim is missing or its value isn't a known Spotto role. */
+    unknownRoleAction: UnknownRoleAction<TRoleId>;
+}
+export interface SsoEnabledOidc<TRoleId = string> extends SsoEnabledBase<TRoleId> {
+    mode: 'oidc';
+    /** Kept on the org doc for audit / debugging visibility; client_id and
+     *  client_secret live in Cognito after onboarding and aren't persisted here. */
+    oidcIssuer: string;
+}
+export interface SsoEnabledSaml<TRoleId = string> extends SsoEnabledBase<TRoleId> {
+    mode: 'saml';
+    /** Cognito auto-refreshes from this URL — handles signing-cert rotation
+     *  for us. */
+    metadataUrl: string;
+    /** Controls Cognito's IDPSignout flag for SAML SLO. */
+    enableSamlLogout: boolean;
+}
+export interface SsoDisabled {
+    enabled: false;
+}
+export declare type SsoConfig<TRoleId = string> = SsoEnabledOidc<TRoleId> | SsoEnabledSaml<TRoleId> | SsoDisabled;
+export type { SsoMode } from './constants';

package/dist/organisations/sso/types.js

@@ -0,0 +1,13 @@
+"use strict";
+/**
+ * Wire-level SSO config types. Used by validators (which see string IDs from
+ * inbound admin requests) and by the discovery endpoint response.
+ *
+ * The Mongo storage shape (`IMongoSSO`) mirrors these but uses ObjectId where
+ * roles are referenced; see `packages/mongo/src/adapters/entities/organisation.ts`.
+ *
+ * Generic over `TRoleId` so the same shape can serve both the wire layer
+ * (string) and the Mongo layer (ObjectId) without duplication.
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=types.js.map

package/dist/organisations/sso/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../../src/organisations/sso/types.ts"],"names":[],"mappings":";AAAA;;;;;;;;;GASG"}

package/dist/sso/discover/index.d.ts

@@ -0,0 +1,2 @@
+export * from './request';
+export * from './response';

package/dist/sso/discover/index.js

@@ -0,0 +1,19 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./request"), exports);
+__exportStar(require("./response"), exports);
+//# sourceMappingURL=index.js.map

package/dist/sso/discover/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/sso/discover/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,4CAAyB;AACzB,6CAA0B"}

package/dist/sso/discover/request.d.ts

@@ -0,0 +1,9 @@
+/**
+ * Query string for `GET /sso/discover`. The frontend (PWA / Next.js console)
+ * splits the user's typed email locally and sends only the domain, so the
+ * full email never lands in API Gateway / WAF access logs. Public,
+ * unauthenticated endpoint.
+ */
+export interface DiscoverSsoQuery {
+    domain: string;
+}

package/dist/sso/discover/request.js

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=request.js.map

package/dist/sso/discover/request.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"request.js","sourceRoot":"","sources":["../../../src/sso/discover/request.ts"],"names":[],"mappings":""}

package/dist/sso/discover/response.d.ts

@@ -0,0 +1,17 @@
+/**
+ * Response shape for `GET /sso/discover`. Discriminated on `ssoEnabled` so the
+ * frontend can branch into federated sign-in (when true) or password sign-in
+ * (when false). The shape never reveals whether the email or org actually
+ * exists — `ssoEnabled: false` covers both "non-SSO domain" and "unknown email
+ * domain" cases.
+ */
+export interface DiscoverSsoEnabledResponse {
+    ssoEnabled: true;
+    cognitoProviderName: string;
+    cognitoClientId: string;
+    inactivityTimeoutMinutes?: number;
+}
+export interface DiscoverSsoDisabledResponse {
+    ssoEnabled: false;
+}
+export declare type DiscoverSsoResponse = DiscoverSsoEnabledResponse | DiscoverSsoDisabledResponse;

package/dist/sso/discover/response.js

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=response.js.map

package/dist/sso/discover/response.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"response.js","sourceRoot":"","sources":["../../../src/sso/discover/response.ts"],"names":[],"mappings":""}

package/dist/sso/get/index.d.ts

@@ -0,0 +1 @@
+export * from './response';

package/dist/sso/get/index.js

@@ -0,0 +1,18 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./response"), exports);
+//# sourceMappingURL=index.js.map

package/dist/sso/get/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/sso/get/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,6CAA0B"}

package/dist/sso/get/response.d.ts

@@ -0,0 +1,12 @@
+import { SsoConfig } from '../../organisations/sso';
+/**
+ * Response shape for `GET /sso/orgs/:id`. Always returns a discriminated
+ * `SsoConfig` — for orgs without SSO, the response is `{ enabled: false }`
+ * rather than 404, so the FE can drive its UI from the discriminator
+ * without separate "exists" handling.
+ *
+ * Scoped to super-users only (via `sso:admin` + cross-account ancestry).
+ * The customer-facing `GET /organisations/:id` deliberately does NOT
+ * include this — SSO config is super-user-only data in the short term.
+ */
+export declare type GetSsoOrgResponse = SsoConfig;

package/dist/sso/get/response.js

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=response.js.map

package/dist/sso/get/response.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"response.js","sourceRoot":"","sources":["../../../src/sso/get/response.ts"],"names":[],"mappings":""}

package/dist/sso/index.d.ts

@@ -0,0 +1,5 @@
+export * from './discover';
+export * from './get';
+export * from './onboard';
+export * from './offboard';
+export * from './revert';

package/dist/sso/index.js

@@ -0,0 +1,22 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./discover"), exports);
+__exportStar(require("./get"), exports);
+__exportStar(require("./onboard"), exports);
+__exportStar(require("./offboard"), exports);
+__exportStar(require("./revert"), exports);
+//# sourceMappingURL=index.js.map

package/dist/sso/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/sso/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,6CAA0B;AAC1B,wCAAqB;AACrB,4CAAyB;AACzB,6CAA0B;AAC1B,2CAAwB"}

package/dist/sso/offboard/index.d.ts

@@ -0,0 +1 @@
+export * from './response';

package/dist/sso/offboard/index.js

@@ -0,0 +1,18 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./response"), exports);
+//# sourceMappingURL=index.js.map

package/dist/sso/offboard/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/sso/offboard/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,6CAA0B"}

package/dist/sso/offboard/response.d.ts

@@ -0,0 +1,9 @@
+/**
+ * Response shape for `POST /sso/orgs/:id/offboard`. No body fields beyond
+ * the audit correlationId — the offboard is fire-and-forget from the
+ * caller's perspective; outcomes are queryable by correlationId in the
+ * audit logs.
+ */
+export interface OffboardSsoOrgResponse {
+    correlationId: string;
+}

package/dist/sso/offboard/response.js

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=response.js.map

package/dist/sso/offboard/response.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"response.js","sourceRoot":"","sources":["../../../src/sso/offboard/response.ts"],"names":[],"mappings":""}

package/dist/sso/onboard/index.d.ts

@@ -0,0 +1,2 @@
+export * from './request';
+export * from './response';

package/dist/sso/onboard/index.js

@@ -0,0 +1,19 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./request"), exports);
+__exportStar(require("./response"), exports);
+//# sourceMappingURL=index.js.map

package/dist/sso/onboard/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/sso/onboard/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,4CAAyB;AACzB,6CAA0B"}

package/dist/sso/onboard/request.d.ts

@@ -0,0 +1,38 @@
+/**
+ * Wire shape for `POST /sso/orgs/:id/onboard`. Operator-supplied fields only.
+ *
+ * Two persisted-shape fields are NOT wire inputs:
+ *
+ * - `cognitoProviderName` — orchestrator computes it deterministically from
+ *   the org's `_id` (`buildSsoProviderName` → `sso-{orgId}`).
+ * - `cognitoClientId` — orchestrator returns the Client ID it created.
+ *
+ * The IdP-side role claim name is also NOT a wire input: customers must
+ * configure their IdP to emit a claim named `g2g_role`
+ * (see `DEFAULT_IDP_ROLE_CLAIM`).
+ */
+interface OnboardSsoOrgWireBase {
+    emailDomains: string[];
+    inactivityTimeoutMinutes?: number;
+    unknownRoleAction: {
+        type: 'deny';
+    } | {
+        type: 'defaultRole';
+        roleId: string;
+    };
+    callbackUrls: string[];
+    logoutUrls: string[];
+}
+export interface OnboardSsoOrgOidcRequest extends OnboardSsoOrgWireBase {
+    mode: 'oidc';
+    oidcIssuer: string;
+    oidcClientId: string;
+    oidcClientSecret: string;
+}
+export interface OnboardSsoOrgSamlRequest extends OnboardSsoOrgWireBase {
+    mode: 'saml';
+    metadataUrl: string;
+    enableSamlLogout: boolean;
+}
+export declare type OnboardSsoOrgRequest = OnboardSsoOrgOidcRequest | OnboardSsoOrgSamlRequest;
+export {};

package/dist/sso/onboard/request.js

@@ -0,0 +1,16 @@
+"use strict";
+/**
+ * Wire shape for `POST /sso/orgs/:id/onboard`. Operator-supplied fields only.
+ *
+ * Two persisted-shape fields are NOT wire inputs:
+ *
+ * - `cognitoProviderName` — orchestrator computes it deterministically from
+ *   the org's `_id` (`buildSsoProviderName` → `sso-{orgId}`).
+ * - `cognitoClientId` — orchestrator returns the Client ID it created.
+ *
+ * The IdP-side role claim name is also NOT a wire input: customers must
+ * configure their IdP to emit a claim named `g2g_role`
+ * (see `DEFAULT_IDP_ROLE_CLAIM`).
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=request.js.map

package/dist/sso/onboard/request.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"request.js","sourceRoot":"","sources":["../../../src/sso/onboard/request.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;GAYG"}

package/dist/sso/onboard/response.d.ts

@@ -0,0 +1,18 @@
+/**
+ * Response shape for `POST /sso/orgs/:id/onboard`. Returned on the success
+ * path; on failure the standard ValidationError / DatabaseError envelope
+ * is used.
+ *
+ * `cognitoProviderName` and `cognitoClientId` are what the frontend needs
+ * to construct the federated sign-in redirect URL — return them so the
+ * super-user UI can display them after a successful onboard without an
+ * extra round-trip.
+ *
+ * `correlationId` threads through every audit log entry for this onboard
+ * — useful to surface in the UI for ops to copy-paste when investigating.
+ */
+export interface OnboardSsoOrgResponse {
+    cognitoProviderName: string;
+    cognitoClientId: string;
+    correlationId: string;
+}

package/dist/sso/onboard/response.js

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=response.js.map

package/dist/sso/onboard/response.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"response.js","sourceRoot":"","sources":["../../../src/sso/onboard/response.ts"],"names":[],"mappings":""}

package/dist/sso/revert/index.d.ts

@@ -0,0 +1 @@
+export * from './response';

package/dist/sso/revert/index.js

@@ -0,0 +1,18 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./response"), exports);
+//# sourceMappingURL=index.js.map

package/dist/sso/revert/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/sso/revert/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,6CAA0B"}

package/dist/sso/revert/response.d.ts

@@ -0,0 +1,28 @@
+/**
+ * Per-user revert outcome.
+ *
+ * - `reverted` — pre-SSO native Cognito record restored. User logs in with
+ *   their original pre-SSO password.
+ * - `noPriorAccount` — user was JIT-created post-SSO; no native record to
+ *   restore. Loses access. Operator must manually re-add.
+ * - `failed` — Mongo update threw mid-loop; see `error`. The revert as a
+ *   whole continues processing other users; an operator can retry the
+ *   failed ones.
+ */
+export interface RevertedUserResult {
+    /** Mongo user `_id` as 24-char hex. */
+    userId: string;
+    email: string;
+    status: 'reverted' | 'noPriorAccount' | 'failed';
+    error?: string;
+}
+/**
+ * Response shape for `POST /sso/orgs/:id/revert`. Use the `users` array to
+ * surface the per-user outcome in the UI — particularly the
+ * `noPriorAccount` rows so the operator knows which users they need to
+ * manually re-add.
+ */
+export interface RevertSsoOrgResponse {
+    correlationId: string;
+    users: RevertedUserResult[];
+}

package/dist/sso/revert/response.js

@@ -0,0 +1,3 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+//# sourceMappingURL=response.js.map

package/dist/sso/revert/response.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"response.js","sourceRoot":"","sources":["../../../src/sso/revert/response.ts"],"names":[],"mappings":""}

package/dist/views/shared.d.ts

@@ -1,6 +1,5 @@
 import { SortOrders } from '../shared';
 import { AssetSortField } from '../assets/get/query';
-import { LocationStatus } from '../locations/constants';
 export declare type ViewEntityType = 'asset';
 export declare type ViewVisibility = 'private' | 'organisation';
 export interface AssetViewFilters {
@@ -13,7 +12,7 @@ export interface AssetViewFilters {
     createdAt?: string;
     updatedAt?: string;
     lastSeen?: string;
-    locationStatus?: LocationStatus[];
+    dispatched?: boolean;
 }
 export declare type ViewFilters = AssetViewFilters;
 interface BaseViewDisplay {

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@spotto/contract",
   "license": "ISC",
-  "version": "1.0.69-alpha.22",
+  "version": "1.0.69-alpha.24",
   "description": "Spotto's API Contract type definitions",
   "main": "./dist/index.js",
   "files": [
@@ -18,5 +18,5 @@
     "@types/geojson": "^7946.0.11",
     "shx": "^0.3.4"
   },
-  "gitHead": "549c46d509801128f4849a0c3bec63868b02d83b"
+  "gitHead": "892aa327162a98a8547b9e5142afabbe3a814ccd"
 }