@tolinax/ayoune-interfaces 2026.37.1 → 2026.40.0

package/api/IAPIResult.d.ts

@@ -49,9 +49,13 @@ export interface IAPIResultMeta {
     model?: string;
     rateLimit?: IResponseRateLimit;
     pageInfo?: {
-        totalPages: number;
         page: number;
-        totalEntries: number;
+        /** Total page count. `undefined` when the caller opted out via `?skipCount=true` — pair with `countSkipped`. */
+        totalPages?: number;
+        /** Total entry count. `undefined` when the caller opted out via `?skipCount=true` — pair with `countSkipped`. */
+        totalEntries?: number;
+        /** `true` when the server skipped `countDocuments()` to avoid a slow scan on a large collection. Consumers should paginate until the returned page is shorter than `limit` instead of relying on `totalPages`. */
+        countSkipped?: boolean;
     };
     debugId?: string;
     audit?: any;

package/data/modelNames.d.ts

@@ -642,8 +642,10 @@ export declare enum aMN {
     Warehouses = "Warehouses",
     Watchers = "Watchers",
     Watchlists = "Watchlists",
+    WebAuthnCredentials = "WebAuthnCredentials",
     WebPages = "WebPages",
     WebPushSubscribers = "WebPushSubscribers",
+    WebhookLogs = "WebhookLogs",
     WebReceiverLogs = "WebReceiverLogs",
     WebReceivers = "WebReceivers",
     WebsiteMenus = "WebsiteMenus",

package/data/modelNames.js

@@ -646,8 +646,10 @@ var aMN;
     aMN["Warehouses"] = "Warehouses";
     aMN["Watchers"] = "Watchers";
     aMN["Watchlists"] = "Watchlists";
+    aMN["WebAuthnCredentials"] = "WebAuthnCredentials";
     aMN["WebPages"] = "WebPages";
     aMN["WebPushSubscribers"] = "WebPushSubscribers";
+    aMN["WebhookLogs"] = "WebhookLogs";
     aMN["WebReceiverLogs"] = "WebReceiverLogs";
     aMN["WebReceivers"] = "WebReceivers";
     aMN["WebsiteMenus"] = "WebsiteMenus";

package/data/modelsAndRights.js

@@ -7268,6 +7268,18 @@ const modelsAndRights = [
         updateBy: "_id",
         availableInSDK: false,
     },
+    {
+        plural: "WebAuthnCredentials",
+        singular: "WebAuthnCredential",
+        module: "su",
+        right: "su.users",
+        readOnly: false,
+        importable: false,
+        allowDuplicate: false,
+        updateBy: "_id",
+        availableInSDK: false,
+        piiLevel: "high",
+    },
     {
         plural: "WebPages",
         singular: "WebPage",
@@ -7301,6 +7313,17 @@ const modelsAndRights = [
         updateBy: "_id",
         availableInSDK: false,
     },
+    {
+        plural: "WebhookLogs",
+        singular: "WebhookLog",
+        module: "automation",
+        right: "automation.webhooklogs",
+        readOnly: true,
+        importable: false,
+        allowDuplicate: false,
+        updateBy: "_id",
+        availableInSDK: false,
+    },
     {
         plural: "WebReceivers",
         singular: "WebReceiver",

package/interfaces/ICredential.d.ts

@@ -3,6 +3,9 @@ export interface ICredential extends IDefaultFields {
     _customerID: ObjectId;
     _clientID?: ObjectId[];
     _subID?: ObjectId[];
+    _consumerID?: ObjectId;
+    _entityType?: string;
+    _entityID?: ObjectId;
     name: string;
     provider: string;
     type: string;

package/interfaces/IWebAuthnCredential.d.ts

@@ -0,0 +1,50 @@
+import { IDefaultFields } from "./IDefaultFields";
+/**
+ * One enrolled WebAuthn / passkey credential bound to an `aYOUneUser`.
+ *
+ * Created by `platform/auth` when a user completes a
+ * `POST /webauthn/register/verify` flow. Looked up by `credentialID` (which is
+ * whatever the authenticator returns, base64url-encoded) during
+ * `POST /webauthn/authenticate/verify` and `POST /webauthn/2factor/verify`.
+ *
+ * `publicKey` is the COSE-encoded public key material — stored as a `Buffer`
+ * so we don't re-encode on every verification. Treat as high-PII / credential
+ * material: `select: false` in the Mongoose schema so it never leaks into a
+ * default query projection.
+ *
+ * `counter` tracks the authenticator's signature counter to detect cloned
+ * authenticators (must strictly increase on each successful assertion, unless
+ * the authenticator reports 0 — several platform authenticators do).
+ *
+ * Not exposed to the Custom Functions SDK (`availableInSDK: false`). Admin-only
+ * CRUD; normal users manage their own credentials via the dedicated
+ * `/webauthn/credentials` endpoints.
+ */
+export interface IWebAuthnCredential extends IDefaultFields {
+    /** User that owns the credential */
+    _userID: ObjectId;
+    /** Tenant scope at enrollment time (optional — some users are tenant-less, e.g. su admins) */
+    _customerID?: ObjectId;
+    /** Base64url-encoded credential identifier returned by the authenticator. Unique. */
+    credentialID: string;
+    /**
+     * COSE public key bytes (select: false in schema).
+     * Typed as `Uint8Array` to keep `@tolinax/ayoune-interfaces` runtime-free;
+     * Mongoose persists via `Buffer`, which is itself a `Uint8Array` at runtime.
+     */
+    publicKey: Uint8Array;
+    /** Signature counter from the authenticator; must strictly increase. */
+    counter: number;
+    /** Single-device passkey (e.g. hardware key) vs multi-device (iCloud Keychain, Google Password Manager, etc.) */
+    deviceType: "singleDevice" | "multiDevice";
+    /** Whether the credential is backed up to an external service */
+    backedUp: boolean;
+    /** Hints for how the authenticator communicates ("usb", "nfc", "ble", "internal", "hybrid") */
+    transports?: string[];
+    /** User-friendly label shown in the "Manage passkeys" UI */
+    nickname?: string;
+    /** Authenticator Attestation GUID (if available from the attestation) */
+    aaguid?: string;
+    /** Bumped on every successful assertion */
+    lastUsedAt?: Date;
+}

package/interfaces/IWebAuthnCredential.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/interfaces/IWebhookLog.d.ts

@@ -0,0 +1,25 @@
+import { IDefaultFields } from "./IDefaultFields";
+export interface IWebhookLog extends IDefaultFields {
+    _customerID: ObjectId;
+    _consumerID?: ObjectId;
+    _contract?: ObjectId;
+    _clientID?: ObjectId[];
+    _subID?: ObjectId[];
+    _trigger?: ObjectId;
+    _triggerActionId?: ObjectId;
+    actionIndex?: number;
+    url?: string;
+    method?: "POST" | "GET" | "PUT" | "PATCH" | "DELETE";
+    requestHeaders?: any;
+    requestBody?: string;
+    requestBodyType?: "raw" | "form";
+    responseStatus?: number;
+    responseHeaders?: any;
+    responseBody?: string;
+    durationMs?: number;
+    status?: "pending" | "success" | "failed";
+    error?: string;
+    attempt?: number;
+    retryOf?: ObjectId;
+    snapshot?: any;
+}

package/interfaces/IWebhookLog.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/interfaces/IaYOUneUser.d.ts

@@ -28,7 +28,16 @@ export interface IaYOUneUser extends IDefaultFields {
     auth?: any;
     _ayouneid?: string;
     token?: string;
+    /**
+     * SHA-256 hex digest of the single-use password-reset token.
+     * The raw token is only ever sent in the reset email; the DB stores the hash
+     * so a DB read cannot grant reset access.
+     */
     resetToken?: string;
+    /** Absolute expiry for `resetToken` (typically +30 min from issuance). */
+    resetTokenExpiresAt?: Date;
+    /** Set when a reset is successfully consumed; prevents replay. */
+    resetTokenUsedAt?: Date;
     refreshTokens?: string[];
     salutation?: string;
     position?: string;

package/interfaces/index.d.ts

@@ -688,10 +688,12 @@ export * from "./IWarehouse";
 export * from "./IWarning";
 export * from "./IWatcher";
 export * from "./IWatchlist";
+export * from "./IWebAuthnCredential";
 export * from "./IWebPage";
 export * from "./IWebPushSubscriber";
 export * from "./IWebReceiver";
 export * from "./IWebReceiverLog";
+export * from "./IWebhookLog";
 export * from "./IWebsite";
 export * from "./IWebsiteMenu";
 export * from "./IWebsiteTemplate";

package/interfaces/index.js

@@ -704,10 +704,12 @@ __exportStar(require("./IWarehouse"), exports);
 __exportStar(require("./IWarning"), exports);
 __exportStar(require("./IWatcher"), exports);
 __exportStar(require("./IWatchlist"), exports);
+__exportStar(require("./IWebAuthnCredential"), exports);
 __exportStar(require("./IWebPage"), exports);
 __exportStar(require("./IWebPushSubscriber"), exports);
 __exportStar(require("./IWebReceiver"), exports);
 __exportStar(require("./IWebReceiverLog"), exports);
+__exportStar(require("./IWebhookLog"), exports);
 __exportStar(require("./IWebsite"), exports);
 __exportStar(require("./IWebsiteMenu"), exports);
 __exportStar(require("./IWebsiteTemplate"), exports);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@tolinax/ayoune-interfaces",
-  "version": "2026.37.1",
+  "version": "2026.40.0",
   "description": "Houses TypeScript interfaces for aYOUne",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",