@vertesia/common 1.1.1-dev.20260505.163000Z → 1.3.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vertesia/common",
-  "version": "1.1.1-dev.20260505.163000Z",
+  "version": "1.3.0",
   "license": "Apache-2.0",
   "type": "module",
   "types": "./lib/types/index.d.ts",
@@ -26,7 +26,7 @@
   },
   "dependencies": {
     "ajv": "^8.17.1",
-    "@llumiverse/common": "1.1.1-dev.20260505.151157Z"
+    "@llumiverse/common": "1.3.0"
   },
   "repository": {
     "type": "git",

package/src/access-control.ts

@@ -58,22 +58,64 @@ export enum AccessControlResourceType {
     account = "account",
     interaction = "interaction",
     app = "application",
+    /** Dynamic resource matching by content properties at query time. */
+    content_set = "content_set",
 }
 
 export enum AccessControlPrincipalType {
     user = "user",
     group = "group",
     apikey = "apikey",
+    /** Dynamic principal matching by user/group properties at token time. */
+    principal_set = "principal_set",
 }
 
 
 
+/**
+ * MongoDB query syntax subset for matching properties.
+ * Keys are property names, values are either direct match values or operator objects.
+ * Supported operators: `$eq`, `$ne`, `$gt`, `$gte`, `$lt`, `$lte`, `$in`, `$nin`, `$exists`.
+ *
+ * In `resource_props`, values can reference principal properties using the `$principal.` prefix.
+ * These are resolved at token time by substituting the user's merged property value.
+ * If the referenced property is missing, a type-appropriate default is used (0, "", false).
+ *
+ * @example
+ * { department: "engineering" }                              // exact match (literal)
+ * { level: { $gte: 5 } }                                    // comparison (literal)
+ * { region: { $in: ["us-east", "eu-west"] } }               // set membership (literal)
+ * { security_level: { $lte: "$principal.access_level" } }   // cross-reference (resolved at token time)
+ */
+/** A single condition value: literal, or operator object (e.g. { $lte: 3 }) */
+export type PropertyConditionValue = string | number | boolean | Record<string, any>;
+
+export type PropertyConditions = Record<string, PropertyConditionValue>;
+
+/**
+ * Conditions attached to an ACE for dynamic matching.
+ * - `principal_props`: matched against user/group properties at token time (PrincipalSet).
+ * - `resource_props`: matched against content properties at query time (ContentSet).
+ */
+export interface AceConditions {
+    /** Property conditions matched against user/group properties at token time (PrincipalSet). */
+    principal_props?: PropertyConditions;
+    /** Property conditions matched against content properties at query time (ContentSet). */
+    resource_props?: PropertyConditions;
+}
+
 export interface AccessControlEntry {
     role: ProjectRoles;
     resource_type: AccessControlResourceType;
     resource: string; //objectId
     principal_type: AccessControlPrincipalType;
     principal: string; //objectId
+    /** Account scope — required for principal_set/content_set ACEs. */
+    account?: string;
+    /** Project scope — narrows a principal_set/content_set ACE to a single project. */
+    project?: string;
+    /** Dynamic matching conditions for principal_set/content_set ACEs. */
+    conditions?: AceConditions;
     tags?: string[];
     expires_at?: string;
     created_at?: string;
@@ -93,6 +135,37 @@ export interface RoleDefinition {
     permissions: Permission[];
 }
 
+// ============================================================================
+// BLP Security Levels
+// ============================================================================
+
+/**
+ * Default sensitivity/clearance levels for the Bell-LaPadula security model.
+ * The numeric value is the index in the array (0 = lowest, 4 = highest).
+ * Projects can override these labels via project settings.
+ */
+export enum SecurityLevel {
+    public = 0,
+    internal = 1,
+    confidential = 2,
+    restricted = 3,
+    secret = 4,
+}
+
+/** Human-readable labels for each security level, indexed by numeric value. */
+export const SecurityLevelLabels: readonly string[] = [
+    'Public',
+    'Internal',
+    'Confidential',
+    'Restricted',
+    'Secret',
+];
+
+/** Get the label for a security level value. Returns "Unknown" for out-of-range values. */
+export function getSecurityLevelLabel(level: number): string {
+    return SecurityLevelLabels[level] ?? 'Unknown';
+}
+
 export interface AcesQueryOptions {
 
     level?: 'resource' | 'project' | 'projects' | 'account'

package/src/apikey.ts

@@ -1,7 +1,19 @@
+import { PropertyConditions } from "./access-control.js";
 import { UserGroupRef } from "./group.js";
 import { ProjectRef, ProjectRoles } from "./project.js";
 import { AccountRef } from "./user.js";
 
+/**
+ * Content security conditions in the JWT, keyed by permission type.
+ * Each key maps to an array of condition sets — at query time, any matching set grants access ($or).
+ * Presence of this object in the JWT switches content access from allow-all to restrict mode.
+ */
+export interface ContentSecurity {
+    read?: PropertyConditions[];
+    write?: PropertyConditions[];
+    delete?: PropertyConditions[];
+}
+
 export enum ApiKeyTypes {
     secret = "sk",
 }
@@ -80,6 +92,10 @@ export interface AuthTokenPayload {
     /** groups */
     groups?: UserGroupRef[]; //group ids
 
+    /** Content security conditions keyed by permission (read/write/delete).
+     *  Presence triggers restrict mode: project:* is dropped from security filters. */
+    content_security?: ContentSecurity;
+
     /**
      * API endpoints information to be used with this token.
      * Either a n API domain like 'api.vertesia.io' | 'api-preview.vertesia.io' | 'api-staging.vertesia.io' | 'local'

package/src/group.ts

@@ -11,6 +11,12 @@ export interface UserGroup {
     updated_at: Date;
     created_by?: string;
     updated_by?: string;
+    /** Custom properties for dynamic permission matching */
+    properties?: Record<string, any>;
+    /** BLP clearance level — merged with user clearance using max() */
+    clearance?: number;
+    /** Compartments — merged with user compartments using array union */
+    compartments?: string[];
 }
 
 export interface PopulatesUserGroup extends UserGroup {
@@ -27,14 +33,20 @@ export interface UpdateUserGroupPayload {
     name: string;
     description?: string;
     tags?: string[];
+    properties?: Record<string, any>;
+    clearance?: number;
+    compartments?: string[];
 }
 
 export interface UserGroupRef {
     id: string;
     name: string;
     tags?: string[];
+    properties?: Record<string, any>;
+    clearance?: number;
+    compartments?: string[];
 }
 
-export const UserGroupRefPopulate = 'id name tags description';
+export const UserGroupRefPopulate = 'id name tags description properties clearance compartments';
 
 export const MEMBERS_GROUP_NAME = 'members';

package/src/oauth-server.ts

@@ -256,3 +256,21 @@ export interface OAuthAccessTokenPayload extends Omit<AuthTokenPayload, 'type' |
     allowed_collections?: string[];
     resource?: string;
 }
+
+export interface OAuthIdTokenPayload {
+    sub: string;
+    user_id: string;
+    name: string;
+    email?: string;
+    picture?: string;
+    type: 'oauth_id';
+    client_id: string;
+    account: AuthTokenPayload['account'];
+    accounts: AuthTokenPayload['accounts'];
+    project?: ProjectRef;
+    /** User groups */
+    groups?: AuthTokenPayload['groups'];
+    iss: string;
+    aud: string;
+    exp: number;
+}

package/src/project.ts

@@ -211,6 +211,13 @@ export interface ProjectConfiguration {
      */
     main_language?: string;
 
+    /**
+     * Object ID of a content object containing a custom LaTeX template (.latex file)
+     * to use as the branded PDF template. When set, "Export as Branded PDF" uses this
+     * template instead of the built-in Vertesia default template.
+     */
+    pdf_template_object_id?: string;
+
 }
 
 // export interface ProjectConfigurationEmbeddings {
@@ -321,40 +328,32 @@ export interface IndexingStatusResponse {
     reindex_in_progress: boolean;
     /** Reindex progress (if reindex is in progress) */
     reindex_progress?: {
-        /** Total documents to reindex */
-        total: number;
-        /** Documents processed so far */
-        processed: number;
-        /** Successfully indexed documents */
-        successful: number;
-        /** Failed documents */
-        failed: number;
-        /** Current status (e.g., "indexing", "complete") */
+        /** Total shards to process */
+        total_shards: number;
+        /** Shards completed so far */
+        completed_shards: number;
+        /** Shards that failed */
+        failed_shards: number;
+        /** Current status (e.g., "computing_shards", "indexing", "completed") */
         status: string;
-        /** Current batch number */
-        current_batch: number;
-        /** Total number of batches */
-        total_batches: number;
-        /** Percentage complete (0-100) */
-        percent_complete: number;
-        /** Batches processed per second */
-        batches_per_second: number;
+        /** Documents scanned from source */
+        scanned: number;
+        /** Documents written to target index */
+        written: number;
+        /** Documents that failed to index */
+        errors: number;
         /** Documents processed per second */
         docs_per_second: number;
         /** Elapsed time in seconds */
         elapsed_seconds: number;
         /** Estimated seconds remaining (null if unknown) */
         estimated_seconds_remaining: number | null;
-        /** Total bytes sent to ES */
-        total_bytes?: number;
-        /** Total ES bulk flushes */
-        bulk_flushes?: number;
-        /** Average bytes per ES bulk flush */
-        avg_flush_bytes?: number;
-        /** Configured batch size */
-        batch_size?: number;
-        /** Configured parallel batch count */
-        parallel_batch_count?: number;
+        /** Percentage complete (0-100) */
+        percent_complete: number;
+        /** Source alias */
+        alias: string;
+        /** Target index name */
+        target_index: string;
     };
 }
 

package/src/store/collections.ts

@@ -20,6 +20,10 @@ export interface CreateCollectionPayload {
     allowed_types?: string[];
     updated_by?: string,
     shared_properties?: string[];
+    /** BLP sensitivity level for member documents */
+    sensitivity?: number;
+    /** Compartments for member documents */
+    compartments?: string[];
 }
 
 export interface CollectionItem extends BaseObject {
@@ -58,6 +62,10 @@ export interface Collection extends CollectionItem {
     properties: Record<string, any>;
     query?: Record<string, any>;
     security?: Record<string, string[]>; // ACL for collection access
+    /** BLP sensitivity level — propagated to member documents (max across collections) */
+    sensitivity?: number;
+    /** Compartments — propagated to member documents (union across collections) */
+    compartments?: string[];
     /**
      * List of property names from the collection's properties that should be shared with (injected into) member objects.
      * These properties will be propagated to all members of this collection and merged as arrays.

package/src/store/store.ts

@@ -151,6 +151,10 @@ export interface ContentObject<T = any> extends ContentObjectItem<T> {
     parts_etag?: string; // the etag of the text used for the parts list
     transcript?: Transcript;
     security?: Record<string, string[]>; // Security field for granular permissions
+    /** BLP sensitivity level — set directly or inherited from collections (max across collections). */
+    sensitivity?: number;
+    /** Compartments — set directly or inherited from collections (union across collections). */
+    compartments?: string[];
 
     /**
      * Inherited properties metadata - tracks which properties were inherited from parent collections.

package/src/user.ts

@@ -19,6 +19,12 @@ export interface User {
     last_selected_account?: string;
     source?: 'firebase' | 'scim';
     updated_by?: string;
+    /** Custom properties for dynamic permission matching */
+    properties?: Record<string, any>;
+    /** BLP clearance level — determines max document sensitivity the user can access */
+    clearance?: number;
+    /** Compartments the user belongs to — restricts access to documents in matching compartments */
+    compartments?: string[];
 }
 
 
@@ -29,6 +35,9 @@ export interface UpdateUserPayload {
     language?: string;
     phone?: string;
     last_selected_account?: string;
+    properties?: Record<string, any>;
+    clearance?: number;
+    compartments?: string[];
 }