@startsimpli/api 0.5.19 → 0.5.21

package/src/lib/vault-api.ts

@@ -0,0 +1,155 @@
+/** Vault API client — environments, secrets, access keys, audit (startsim-d30.3.1).
+
+Mirrors the other @startsimpli/api wrappers. The client auto-transforms
+snake_case <-> camelCase, so types here are camelCase. Secret values are
+write-only on create/update and only returned by `revealSecret`.
+*/
+
+import type { PaginatedResponse } from '../types';
+import type { ApiClient } from './api-client';
+
+const E = {
+  environments: 'api/v1/vault/environments',
+  environment: (slug: string) => `api/v1/vault/environments/${slug}`,
+  secrets: (slug: string) => `api/v1/vault/environments/${slug}/secrets`,
+  secret: (slug: string, id: string) => `api/v1/vault/environments/${slug}/secrets/${id}`,
+  reveal: (slug: string, id: string) => `api/v1/vault/environments/${slug}/secrets/${id}/reveal`,
+  accessKeys: (slug: string) => `api/v1/vault/environments/${slug}/access-keys`,
+  accessKey: (slug: string, id: string) => `api/v1/vault/environments/${slug}/access-keys/${id}`,
+  audit: (slug: string) => `api/v1/vault/environments/${slug}/audit`,
+};
+
+export interface VaultEnvironment {
+  id: string;
+  slug: string;
+  name: string;
+  description: string;
+  secretCount: number;
+  createdAt: string;
+  updatedAt: string;
+}
+
+export interface VaultEnvironmentInput {
+  slug: string;
+  name: string;
+  description?: string;
+}
+
+export interface VaultSecret {
+  id: string;
+  key: string;
+  hasValue: boolean;
+  valueType: string;
+  metadata: Record<string, unknown>;
+  lastRotatedAt: string | null;
+  createdAt: string;
+  updatedAt: string;
+}
+
+export interface VaultSecretInput {
+  key: string;
+  value?: string;
+  valueType?: string;
+  metadata?: Record<string, unknown>;
+}
+
+export interface VaultSecretReveal {
+  key: string;
+  value: string;
+}
+
+export interface VaultAccessKey {
+  id: string;
+  name: string;
+  prefix: string;
+  scopes: string[];
+  isActive: boolean;
+  lastUsedAt: string | null;
+  expiresAt: string | null;
+  createdAt: string;
+}
+
+/** Returned only by createAccessKey — carries the raw key, shown exactly once. */
+export interface VaultAccessKeyCreated extends VaultAccessKey {
+  key: string;
+}
+
+export interface VaultAccessKeyInput {
+  name: string;
+  scopes?: string[];
+  expiresAt?: string | null;
+}
+
+export interface VaultAuditEntry {
+  id: string;
+  action: string;
+  secretKey: string | null;
+  actorEmail: string | null;
+  accessKeyName: string | null;
+  ipAddress: string | null;
+  metadata: Record<string, unknown>;
+  createdAt: string;
+}
+
+export interface VaultListParams {
+  page?: number;
+  pageSize?: number;
+  search?: string;
+  ordering?: string;
+  // Index signature so this satisfies the client's query-params type.
+  [key: string]: unknown;
+}
+
+export class VaultApi {
+  constructor(private client: ApiClient) {}
+
+  // --- Environments ---
+  listEnvironments(params?: VaultListParams): Promise<PaginatedResponse<VaultEnvironment>> {
+    return this.client.fetch.get<PaginatedResponse<VaultEnvironment>>(E.environments, { params });
+  }
+  getEnvironment(slug: string): Promise<VaultEnvironment> {
+    return this.client.fetch.get<VaultEnvironment>(E.environment(slug));
+  }
+  createEnvironment(data: VaultEnvironmentInput): Promise<VaultEnvironment> {
+    return this.client.fetch.post<VaultEnvironment>(E.environments, data);
+  }
+  updateEnvironment(slug: string, data: Partial<VaultEnvironmentInput>): Promise<VaultEnvironment> {
+    return this.client.fetch.patch<VaultEnvironment>(E.environment(slug), data);
+  }
+  deleteEnvironment(slug: string): Promise<void> {
+    return this.client.fetch.delete<void>(E.environment(slug));
+  }
+
+  // --- Secrets (value write-only; reveal is separate + audited) ---
+  listSecrets(slug: string, params?: VaultListParams): Promise<PaginatedResponse<VaultSecret>> {
+    return this.client.fetch.get<PaginatedResponse<VaultSecret>>(E.secrets(slug), { params });
+  }
+  createSecret(slug: string, data: VaultSecretInput): Promise<VaultSecret> {
+    return this.client.fetch.post<VaultSecret>(E.secrets(slug), data);
+  }
+  updateSecret(slug: string, id: string, data: Partial<VaultSecretInput>): Promise<VaultSecret> {
+    return this.client.fetch.patch<VaultSecret>(E.secret(slug, id), data);
+  }
+  deleteSecret(slug: string, id: string): Promise<void> {
+    return this.client.fetch.delete<void>(E.secret(slug, id));
+  }
+  revealSecret(slug: string, id: string): Promise<VaultSecretReveal> {
+    return this.client.fetch.get<VaultSecretReveal>(E.reveal(slug, id));
+  }
+
+  // --- Access keys ---
+  listAccessKeys(slug: string, params?: VaultListParams): Promise<PaginatedResponse<VaultAccessKey>> {
+    return this.client.fetch.get<PaginatedResponse<VaultAccessKey>>(E.accessKeys(slug), { params });
+  }
+  createAccessKey(slug: string, data: VaultAccessKeyInput): Promise<VaultAccessKeyCreated> {
+    return this.client.fetch.post<VaultAccessKeyCreated>(E.accessKeys(slug), data);
+  }
+  deleteAccessKey(slug: string, id: string): Promise<void> {
+    return this.client.fetch.delete<void>(E.accessKey(slug, id));
+  }
+
+  // --- Audit ---
+  listAudit(slug: string, params?: VaultListParams): Promise<PaginatedResponse<VaultAuditEntry>> {
+    return this.client.fetch.get<PaginatedResponse<VaultAuditEntry>>(E.audit(slug), { params });
+  }
+}

package/src/types/api.ts

@@ -15,6 +15,12 @@ export interface ApiError {
   errors?: Record<string, string[]>;
   status?: number;
   statusText?: string;
+  /** Machine-readable code from the standardized response (limit_reached,
+   * no_company, …). Set when the backend uses apps.core.exceptions. */
+  code?: string;
+  /** Extra structured context attached to the error (e.g. limit_reached
+   * carries { feature_key, limit, current }). */
+  details?: Record<string, unknown>;
 }
 
 export interface PaginationParams {

package/src/types/index.ts

@@ -98,6 +98,28 @@ export type {
   ApolloEnrichmentSummary,
 } from './enrichment';
 
+// Team / Company / Invitation / Domain-claim types (startsim-o7s)
+export type {
+  Company,
+  AuthUserLike,
+  TeamRole,
+  Team,
+  TeamMember,
+  TeamInvitation,
+  DomainVerificationMethod,
+  EmailDomainClaim,
+  CompanyListParams,
+  UpdateCompanyInput,
+  TeamListParams,
+  BulkInviteEntry,
+  BulkInviteResult,
+  TeamInvitationListParams,
+  CreateTeamInvitationInput,
+  DomainClaimListParams,
+  CreateDomainClaimInput,
+  DomainVerifyEmailInitiateResponse,
+} from './team';
+
 // Error types
 export type {
   FieldError,

package/src/types/team.ts

@@ -0,0 +1,175 @@
+/**
+ * Team / Company / Invitation / Domain-claim types.
+ *
+ * Mirrors the Django serializers in apps.companies / apps.teams /
+ * apps.email_domain_claims. The FetchWrapper transforms snake_case ↔ camelCase
+ * at the boundary, so types here are camelCase. startsim-o7s.
+ */
+
+/** A Company is the top-level org tenant in StartSimpli. */
+export interface Company {
+  id: string;
+  slug: string;
+  name: string;
+  /** Free-form per-company settings blob (feature flags + product prefs). */
+  settings: Record<string, unknown>;
+  /** Hydrated by `?expand=owner`; otherwise just present as a foreign-key id. */
+  owner?: AuthUserLike | null;
+  ownerId?: string;
+  createdAt: string;
+  updatedAt: string;
+}
+
+/**
+ * Trimmed AuthUser used by the team-mgmt serializers.
+ *
+ * Imported from @startsimpli/auth in practice, but we keep an internal shape
+ * here so @startsimpli/api stays decoupled from the auth package's exports.
+ * The real AuthUser is structurally compatible.
+ */
+export interface AuthUserLike {
+  id: string;
+  email: string;
+  firstName?: string;
+  lastName?: string;
+  fullName?: string;
+}
+
+/** Role hierarchy on a TeamMember (mirrors backend `Role` choices). */
+export type TeamRole = 'owner' | 'admin' | 'member' | 'viewer';
+
+/** A Team scopes role assignments inside a Company. */
+export interface Team {
+  id: string;
+  slug: string;
+  name: string;
+  companyId: string;
+  settings: Record<string, unknown>;
+  createdAt: string;
+  updatedAt: string;
+}
+
+/** A TeamMember pins a user into a Team at a specific role. */
+export interface TeamMember {
+  id: string;
+  userId: string;
+  teamId: string;
+  role: TeamRole;
+  invitedById?: string | null;
+  joinedAt: string;
+  /** Optional hydrated user (when serializer expands it). */
+  user?: AuthUserLike;
+}
+
+/**
+ * Pending or accepted invitation to join a Team.
+ * `token` is write-only after create — surfaced only in the create response
+ * so apps can build accept-links.
+ */
+export interface TeamInvitation {
+  id: string;
+  email: string;
+  teamId: string;
+  role: TeamRole;
+  /** Only present in the create-response. Backend redacts on subsequent reads. */
+  token?: string;
+  invitedById: string;
+  expiresAt: string;
+  acceptedAt?: string | null;
+  revokedAt?: string | null;
+  isExpired: boolean;
+  isAccepted: boolean;
+  createdAt: string;
+  updatedAt: string;
+}
+
+/** Verification method used for an EmailDomainClaim. */
+export type DomainVerificationMethod = 'dns_txt' | 'email_attestation';
+
+/**
+ * A Company's claim on an email domain — gates "anyone @acme.com auto-joins"
+ * behavior once verified. See startsim-gpu.
+ */
+export interface EmailDomainClaim {
+  id: string;
+  companyId: string;
+  domain: string;
+  verified: boolean;
+  verificationMethod?: DomainVerificationMethod | null;
+  /** Only visible to the creator on POST — otherwise null/absent. */
+  verificationToken?: string | null;
+  verifiedAt?: string | null;
+  verifiedById?: string | null;
+  lastVerifiedCheckAt?: string | null;
+  createdAt: string;
+  updatedAt: string;
+}
+
+// ---- API request/payload shapes -------------------------------------------
+
+export interface CompanyListParams {
+  page?: number;
+  pageSize?: number;
+  search?: string;
+  ordering?: string;
+  [key: string]: unknown;
+}
+
+export interface UpdateCompanyInput {
+  name?: string;
+  slug?: string;
+  settings?: Record<string, unknown>;
+}
+
+export interface TeamListParams {
+  page?: number;
+  pageSize?: number;
+  search?: string;
+  companyId?: string;
+  ordering?: string;
+  [key: string]: unknown;
+}
+
+export interface BulkInviteEntry {
+  email: string;
+  role: TeamRole;
+}
+
+export interface BulkInviteResult {
+  invited: TeamInvitation[];
+  /** Backend may return duplicates / failures per the bulk endpoint. */
+  skipped?: Array<{ email: string; reason: string }>;
+}
+
+export interface TeamInvitationListParams {
+  page?: number;
+  pageSize?: number;
+  teamId?: string;
+  ordering?: string;
+  [key: string]: unknown;
+}
+
+export interface CreateTeamInvitationInput {
+  email: string;
+  teamId: string;
+  role: TeamRole;
+}
+
+export interface DomainClaimListParams {
+  page?: number;
+  pageSize?: number;
+  companyId?: string;
+  verified?: boolean;
+  ordering?: string;
+  [key: string]: unknown;
+}
+
+export interface CreateDomainClaimInput {
+  companyId: string;
+  domain: string;
+}
+
+export interface DomainVerifyEmailInitiateResponse {
+  /** Backend confirms an attestation email has been queued. */
+  detail: string;
+}

package/src/types/user.ts

@@ -24,9 +24,28 @@ export interface UpdateProfileRequest {
 export interface ChangePasswordRequest {
   oldPassword: string;
   newPassword: string;
-  newPasswordConfirm: string;
 }
 
 export interface ChangePasswordResponse {
   detail: string;
 }
+
+/**
+ * Passwordless early-access registration — name + email only.
+ * Hits POST /api/v1/auth/early-register/ (public, no auth).
+ */
+export interface EarlyRegisterRequest {
+  email: string;
+  firstName?: string;
+  lastName?: string;
+}
+
+export interface EarlyRegisterResponse {
+  user: {
+    id: string;
+    email: string;
+    firstName: string;
+    lastName: string;
+  };
+  message: string;
+}