@spotto/contract 1.0.69-alpha.27 → 1.0.69-alpha.29

package/dist/organisations/[id]/get.d.ts

@@ -10,4 +10,20 @@ export interface GetOrganisationResponse {
     integrations?: Integrations;
     meta?: IEntityMeta;
     children?: number;
+    /**
+     * Lightweight SSO state for the org, surfaced so the admin UI can decide
+     * whether to show add/remove user flows on SSO-managed orgs without
+     * needing the super-user-only `GET /sso/orgs/:id` endpoint. Present only
+     * when the caller holds `users:view` — the same gate as the user
+     * management UI that consumes it.
+     *
+     * `allowGuestUsers` reflects the mixed-mode opt-in: when `true`, the
+     * org accepts both SSO-managed users and native guest users; the FE
+     * should keep the "add user" flow available (for guest emails outside
+     * `emailDomains`). When `false`, all users come exclusively from the IdP.
+     */
+    sso?: {
+        enabled: boolean;
+        allowGuestUsers: boolean;
+    };
 }

package/dist/organisations/sso/types.d.ts

@@ -66,6 +66,14 @@ export interface SsoEnabledBase<TRoleId = string> {
      * through to `unknownRoleAction`. See `RoleMapping`.
      */
     roleMappings: RoleMapping<TRoleId>[];
+    /**
+     * Mixed-mode opt-in: when `true`, the org accepts both SSO-managed users
+     * (via federation) AND native "guest" users created through `POST /users`
+     * with password login. Guest emails must be OUTSIDE `emailDomains` — the
+     * staff-domain space is reserved for the IdP. Defaults to `false`
+     * (SSO-only) when absent.
+     */
+    allowGuestUsers?: boolean;
 }
 export interface SsoEnabledOidc<TRoleId = string> extends SsoEnabledBase<TRoleId> {
     mode: 'oidc';

package/dist/sso/onboard/request.d.ts

@@ -31,6 +31,12 @@ interface OnboardSsoOrgWireBase {
      * mappings via `PUT /sso/orgs/:id/sso-mappings`.
      */
     roleMappings?: RoleMappingInput[];
+    /**
+     * Opt-in to mixed-mode: allow native "guest" users alongside SSO-managed
+     * users in the same org. Guests authenticate by password and must use an
+     * email domain OUTSIDE `emailDomains`. Defaults to `false`.
+     */
+    allowGuestUsers?: boolean;
 }
 export interface OnboardSsoOrgOidcRequest extends OnboardSsoOrgWireBase {
     mode: 'oidc';

package/dist/sso/revert/response.d.ts

@@ -5,6 +5,9 @@
  *   their original pre-SSO password.
  * - `noPriorAccount` — user was JIT-created post-SSO; no native record to
  *   restore. Loses access. Operator must manually re-add.
+ * - `skippedGuest` — user is a mixed-mode guest (`authProvider: 'native'`).
+ *   They were never IdP-managed; their native Cognito record is intact
+ *   and they retain access. No Mongo write needed.
  * - `failed` — Mongo update threw mid-loop; see `error`. The revert as a
  *   whole continues processing other users; an operator can retry the
  *   failed ones.
@@ -13,7 +16,7 @@ export interface RevertedUserResult {
     /** Mongo user `_id` as 24-char hex. */
     userId: string;
     email: string;
-    status: 'reverted' | 'noPriorAccount' | 'failed';
+    status: 'reverted' | 'noPriorAccount' | 'skippedGuest' | 'failed';
     error?: string;
 }
 /**

package/dist/users/[id]/get/response.d.ts

@@ -26,10 +26,14 @@ export interface GetInternalUserResponse extends BaseGetUserResponse {
      */
     invitePending?: boolean;
     /**
-     * Present-and-`'sso'` for users currently authenticated via SSO; absent for
-     * native (password / invite) users. Lets the admin UI distinguish SSO
-     * users without having to join against `organisation.sso.enabled`.
+     * Auth-source marker.
+     * - `'sso'` — managed by the org's IdP (federated).
+     * - `'native'` — explicit mixed-mode guest (password login on an SSO org).
+     * - `undefined` — legacy native user (non-SSO org, or pre-SSO).
+     *
+     * Lets the admin UI distinguish SSO users from guests without having to
+     * join against `organisation.sso.enabled`.
      */
-    authProvider?: 'sso';
+    authProvider?: 'sso' | 'native';
 }
 export declare type GetUserResponse = GetExternalUserResponse | GetInternalUserResponse;

package/dist/users/current.d.ts

@@ -22,12 +22,12 @@ export interface CurrentUserResponse {
     meta?: IEntityMeta;
     systemSettings: System;
     /**
-     * Present-and-`'sso'` if the current user is signed in via SSO; absent for
-     * native (password) users. Lets the FE conditionally drive things like the
-     * sign-out flow (RP-initiated logout vs. plain Cognito sign-out) without
-     * having to check `organisation.sso`.
+     * Auth-source marker, mirroring the persisted user field.
+     * - `'sso'` — current session is via SSO (FE may want RP-initiated logout).
+     * - `'native'` — explicit mixed-mode guest (password login on an SSO org).
+     * - `undefined` — legacy native user (non-SSO org, or pre-SSO).
      */
-    authProvider?: 'sso';
+    authProvider?: 'sso' | 'native';
 }
 export interface CurrentUserPublicResponse {
     id: string;

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@spotto/contract",
   "license": "ISC",
-  "version": "1.0.69-alpha.27",
+  "version": "1.0.69-alpha.29",
   "description": "Spotto's API Contract type definitions",
   "main": "./dist/index.js",
   "files": [
@@ -18,5 +18,5 @@
     "@types/geojson": "^7946.0.11",
     "shx": "^0.3.4"
   },
-  "gitHead": "c8b22d77af2952f711eb68c129f7007b8c61e4af"
+  "gitHead": "a9ff090ef4f24d4067f9ee212ffd0ab458c8af66"
 }