evo360-types 1.3.152 → 1.3.154

package/dist/apps/evo-chat/chatbee/zod-schemas.d.ts

@@ -35,11 +35,11 @@ export declare const zChatBeeChannelConfigSchema: z.ZodObject<z.objectUtil.exten
         allow_reply_mode: boolean;
         transcribe_audio_when_ai_disabled: boolean;
         suggest_agenda_action: boolean;
-        task_creation: "suggestion" | "disabled" | "create";
+        task_creation: "disabled" | "suggestion" | "create";
         system_message_prompt: string;
     }, {
         default_operation_mode: "reply" | "suggestion";
-        task_creation: "suggestion" | "disabled" | "create";
+        task_creation: "disabled" | "suggestion" | "create";
         system_message_prompt: string;
         active?: boolean | undefined;
         enabled_for_new_contacts?: boolean | undefined;
@@ -89,11 +89,11 @@ export declare const zChatBeeChannelConfigSchema: z.ZodObject<z.objectUtil.exten
         allow_reply_mode: boolean;
         transcribe_audio_when_ai_disabled: boolean;
         suggest_agenda_action: boolean;
-        task_creation: "suggestion" | "disabled" | "create";
+        task_creation: "disabled" | "suggestion" | "create";
         system_message_prompt: string;
     }, {
         default_operation_mode: "reply" | "suggestion";
-        task_creation: "suggestion" | "disabled" | "create";
+        task_creation: "disabled" | "suggestion" | "create";
         system_message_prompt: string;
         active?: boolean | undefined;
         enabled_for_new_contacts?: boolean | undefined;
@@ -143,11 +143,11 @@ export declare const zChatBeeChannelConfigSchema: z.ZodObject<z.objectUtil.exten
         allow_reply_mode: boolean;
         transcribe_audio_when_ai_disabled: boolean;
         suggest_agenda_action: boolean;
-        task_creation: "suggestion" | "disabled" | "create";
+        task_creation: "disabled" | "suggestion" | "create";
         system_message_prompt: string;
     }, {
         default_operation_mode: "reply" | "suggestion";
-        task_creation: "suggestion" | "disabled" | "create";
+        task_creation: "disabled" | "suggestion" | "create";
         system_message_prompt: string;
         active?: boolean | undefined;
         enabled_for_new_contacts?: boolean | undefined;

package/dist/apps/evo-core/zod-schemas.d.ts

@@ -12,3 +12,210 @@ export declare const zActionArgsSchema: z.ZodObject<{
     old_values?: Record<string, any> | undefined;
     new_values?: Record<string, any> | undefined;
 }>;
+/**
+ * Schema for RbacPermValue (tri-state permission value)
+ */
+export declare const zRbacPermValueSchema: z.ZodEnum<["allow", "deny", "forbid"]>;
+/**
+ * Schema for TenantUserStatus
+ */
+export declare const zTenantUserStatusSchema: z.ZodEnum<["active", "invited", "disabled", "removed"]>;
+/**
+ * Schema for UserTenantIndexStatus
+ */
+export declare const zUserTenantIndexStatusSchema: z.ZodEnum<["active", "invited", "disabled"]>;
+/**
+ * Schema for ITenantUser (membership document)
+ * Note: id, tenant, created_at, updated_at come from zFireDocSchema
+ */
+export declare const zTenantUserSchema: z.ZodObject<z.objectUtil.extendShape<{
+    id: z.ZodString;
+    ref: z.ZodAny;
+    tenant: z.ZodString;
+    model_ver: z.ZodDefault<z.ZodNumber>;
+    created_at: z.ZodOptional<z.ZodNullable<z.ZodDate>>;
+    updated_at: z.ZodOptional<z.ZodNullable<z.ZodDate>>;
+    deleted_at: z.ZodOptional<z.ZodNullable<z.ZodDate>>;
+}, {
+    status: z.ZodEnum<["active", "invited", "disabled", "removed"]>;
+    roles: z.ZodArray<z.ZodString, "many">;
+    perms: z.ZodRecord<z.ZodString, z.ZodBoolean>;
+}>, "passthrough", z.ZodTypeAny, z.objectOutputType<z.objectUtil.extendShape<{
+    id: z.ZodString;
+    ref: z.ZodAny;
+    tenant: z.ZodString;
+    model_ver: z.ZodDefault<z.ZodNumber>;
+    created_at: z.ZodOptional<z.ZodNullable<z.ZodDate>>;
+    updated_at: z.ZodOptional<z.ZodNullable<z.ZodDate>>;
+    deleted_at: z.ZodOptional<z.ZodNullable<z.ZodDate>>;
+}, {
+    status: z.ZodEnum<["active", "invited", "disabled", "removed"]>;
+    roles: z.ZodArray<z.ZodString, "many">;
+    perms: z.ZodRecord<z.ZodString, z.ZodBoolean>;
+}>, z.ZodTypeAny, "passthrough">, z.objectInputType<z.objectUtil.extendShape<{
+    id: z.ZodString;
+    ref: z.ZodAny;
+    tenant: z.ZodString;
+    model_ver: z.ZodDefault<z.ZodNumber>;
+    created_at: z.ZodOptional<z.ZodNullable<z.ZodDate>>;
+    updated_at: z.ZodOptional<z.ZodNullable<z.ZodDate>>;
+    deleted_at: z.ZodOptional<z.ZodNullable<z.ZodDate>>;
+}, {
+    status: z.ZodEnum<["active", "invited", "disabled", "removed"]>;
+    roles: z.ZodArray<z.ZodString, "many">;
+    perms: z.ZodRecord<z.ZodString, z.ZodBoolean>;
+}>, z.ZodTypeAny, "passthrough">>;
+/**
+ * Schema for IUserTenantIndex (inverted index)
+ * Note: id, tenant, created_at, updated_at come from zFireDocSchema
+ */
+export declare const zUserTenantIndexSchema: z.ZodObject<z.objectUtil.extendShape<{
+    id: z.ZodString;
+    ref: z.ZodAny;
+    tenant: z.ZodString;
+    model_ver: z.ZodDefault<z.ZodNumber>;
+    created_at: z.ZodOptional<z.ZodNullable<z.ZodDate>>;
+    updated_at: z.ZodOptional<z.ZodNullable<z.ZodDate>>;
+    deleted_at: z.ZodOptional<z.ZodNullable<z.ZodDate>>;
+}, {
+    status: z.ZodEnum<["active", "invited", "disabled"]>;
+    tenant_name: z.ZodString;
+    tenant_deleted_at: z.ZodNullable<z.ZodEffects<z.ZodDate, Date, unknown>>;
+}>, "passthrough", z.ZodTypeAny, z.objectOutputType<z.objectUtil.extendShape<{
+    id: z.ZodString;
+    ref: z.ZodAny;
+    tenant: z.ZodString;
+    model_ver: z.ZodDefault<z.ZodNumber>;
+    created_at: z.ZodOptional<z.ZodNullable<z.ZodDate>>;
+    updated_at: z.ZodOptional<z.ZodNullable<z.ZodDate>>;
+    deleted_at: z.ZodOptional<z.ZodNullable<z.ZodDate>>;
+}, {
+    status: z.ZodEnum<["active", "invited", "disabled"]>;
+    tenant_name: z.ZodString;
+    tenant_deleted_at: z.ZodNullable<z.ZodEffects<z.ZodDate, Date, unknown>>;
+}>, z.ZodTypeAny, "passthrough">, z.objectInputType<z.objectUtil.extendShape<{
+    id: z.ZodString;
+    ref: z.ZodAny;
+    tenant: z.ZodString;
+    model_ver: z.ZodDefault<z.ZodNumber>;
+    created_at: z.ZodOptional<z.ZodNullable<z.ZodDate>>;
+    updated_at: z.ZodOptional<z.ZodNullable<z.ZodDate>>;
+    deleted_at: z.ZodOptional<z.ZodNullable<z.ZodDate>>;
+}, {
+    status: z.ZodEnum<["active", "invited", "disabled"]>;
+    tenant_name: z.ZodString;
+    tenant_deleted_at: z.ZodNullable<z.ZodEffects<z.ZodDate, Date, unknown>>;
+}>, z.ZodTypeAny, "passthrough">>;
+/**
+ * Schema for role permission mapping in IRbacGroup
+ */
+export declare const zRbacRolePermsSchema: z.ZodRecord<z.ZodString, z.ZodEnum<["allow", "deny", "forbid"]>>;
+/**
+ * Schema for role definition in IRbacGroup
+ */
+export declare const zRbacRoleSchema: z.ZodObject<{
+    name: z.ZodString;
+    description: z.ZodOptional<z.ZodString>;
+    perms: z.ZodRecord<z.ZodString, z.ZodEnum<["allow", "deny", "forbid"]>>;
+}, "strip", z.ZodTypeAny, {
+    name: string;
+    perms: Record<string, "allow" | "deny" | "forbid">;
+    description?: string | undefined;
+}, {
+    name: string;
+    perms: Record<string, "allow" | "deny" | "forbid">;
+    description?: string | undefined;
+}>;
+/**
+ * Schema for permission metadata in IRbacGroup
+ */
+export declare const zRbacPermissionMetadataSchema: z.ZodObject<{
+    description: z.ZodOptional<z.ZodString>;
+}, "passthrough", z.ZodTypeAny, z.objectOutputType<{
+    description: z.ZodOptional<z.ZodString>;
+}, z.ZodTypeAny, "passthrough">, z.objectInputType<{
+    description: z.ZodOptional<z.ZodString>;
+}, z.ZodTypeAny, "passthrough">>;
+/**
+ * Schema for IRbacGroup (RBAC catalog)
+ * Note: IRbacGroup does NOT extend IFireDoc (global document, not tenant-scoped)
+ */
+export declare const zRbacGroupSchema: z.ZodObject<{
+    id: z.ZodString;
+    name: z.ZodString;
+    description: z.ZodOptional<z.ZodString>;
+    permissions: z.ZodRecord<z.ZodString, z.ZodObject<{
+        description: z.ZodOptional<z.ZodString>;
+    }, "passthrough", z.ZodTypeAny, z.objectOutputType<{
+        description: z.ZodOptional<z.ZodString>;
+    }, z.ZodTypeAny, "passthrough">, z.objectInputType<{
+        description: z.ZodOptional<z.ZodString>;
+    }, z.ZodTypeAny, "passthrough">>>;
+    roles: z.ZodRecord<z.ZodString, z.ZodObject<{
+        name: z.ZodString;
+        description: z.ZodOptional<z.ZodString>;
+        perms: z.ZodRecord<z.ZodString, z.ZodEnum<["allow", "deny", "forbid"]>>;
+    }, "strip", z.ZodTypeAny, {
+        name: string;
+        perms: Record<string, "allow" | "deny" | "forbid">;
+        description?: string | undefined;
+    }, {
+        name: string;
+        perms: Record<string, "allow" | "deny" | "forbid">;
+        description?: string | undefined;
+    }>>;
+    created_at: z.ZodEffects<z.ZodDate, Date, unknown>;
+    updated_at: z.ZodEffects<z.ZodDate, Date, unknown>;
+}, "passthrough", z.ZodTypeAny, z.objectOutputType<{
+    id: z.ZodString;
+    name: z.ZodString;
+    description: z.ZodOptional<z.ZodString>;
+    permissions: z.ZodRecord<z.ZodString, z.ZodObject<{
+        description: z.ZodOptional<z.ZodString>;
+    }, "passthrough", z.ZodTypeAny, z.objectOutputType<{
+        description: z.ZodOptional<z.ZodString>;
+    }, z.ZodTypeAny, "passthrough">, z.objectInputType<{
+        description: z.ZodOptional<z.ZodString>;
+    }, z.ZodTypeAny, "passthrough">>>;
+    roles: z.ZodRecord<z.ZodString, z.ZodObject<{
+        name: z.ZodString;
+        description: z.ZodOptional<z.ZodString>;
+        perms: z.ZodRecord<z.ZodString, z.ZodEnum<["allow", "deny", "forbid"]>>;
+    }, "strip", z.ZodTypeAny, {
+        name: string;
+        perms: Record<string, "allow" | "deny" | "forbid">;
+        description?: string | undefined;
+    }, {
+        name: string;
+        perms: Record<string, "allow" | "deny" | "forbid">;
+        description?: string | undefined;
+    }>>;
+    created_at: z.ZodEffects<z.ZodDate, Date, unknown>;
+    updated_at: z.ZodEffects<z.ZodDate, Date, unknown>;
+}, z.ZodTypeAny, "passthrough">, z.objectInputType<{
+    id: z.ZodString;
+    name: z.ZodString;
+    description: z.ZodOptional<z.ZodString>;
+    permissions: z.ZodRecord<z.ZodString, z.ZodObject<{
+        description: z.ZodOptional<z.ZodString>;
+    }, "passthrough", z.ZodTypeAny, z.objectOutputType<{
+        description: z.ZodOptional<z.ZodString>;
+    }, z.ZodTypeAny, "passthrough">, z.objectInputType<{
+        description: z.ZodOptional<z.ZodString>;
+    }, z.ZodTypeAny, "passthrough">>>;
+    roles: z.ZodRecord<z.ZodString, z.ZodObject<{
+        name: z.ZodString;
+        description: z.ZodOptional<z.ZodString>;
+        perms: z.ZodRecord<z.ZodString, z.ZodEnum<["allow", "deny", "forbid"]>>;
+    }, "strip", z.ZodTypeAny, {
+        name: string;
+        perms: Record<string, "allow" | "deny" | "forbid">;
+        description?: string | undefined;
+    }, {
+        name: string;
+        perms: Record<string, "allow" | "deny" | "forbid">;
+        description?: string | undefined;
+    }>>;
+    created_at: z.ZodEffects<z.ZodDate, Date, unknown>;
+    updated_at: z.ZodEffects<z.ZodDate, Date, unknown>;
+}, z.ZodTypeAny, "passthrough">>;

package/dist/apps/evo-core/zod-schemas.js

@@ -1,9 +1,89 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.zActionArgsSchema = void 0;
+exports.zRbacGroupSchema = exports.zRbacPermissionMetadataSchema = exports.zRbacRoleSchema = exports.zRbacRolePermsSchema = exports.zUserTenantIndexSchema = exports.zTenantUserSchema = exports.zUserTenantIndexStatusSchema = exports.zTenantUserStatusSchema = exports.zRbacPermValueSchema = exports.zActionArgsSchema = void 0;
 const zod_1 = require("zod");
+const zod_schemas_1 = require("../shared/zod-schemas");
 exports.zActionArgsSchema = zod_1.z.object({
     old_values: zod_1.z.record(zod_1.z.any()).optional(),
     new_values: zod_1.z.record(zod_1.z.any()).optional(),
     deleted_at: zod_1.z.coerce.date().optional(),
 });
+// ----- RBAC Zod Schemas
+/**
+ * Schema for RbacPermValue (tri-state permission value)
+ */
+exports.zRbacPermValueSchema = zod_1.z.enum(["allow", "deny", "forbid"]);
+/**
+ * Schema for TenantUserStatus
+ */
+exports.zTenantUserStatusSchema = zod_1.z.enum([
+    "active",
+    "invited",
+    "disabled",
+    "removed",
+]);
+/**
+ * Schema for UserTenantIndexStatus
+ */
+exports.zUserTenantIndexStatusSchema = zod_1.z.enum([
+    "active",
+    "invited",
+    "disabled",
+]);
+/**
+ * Schema for ITenantUser (membership document)
+ * Note: id, tenant, created_at, updated_at come from zFireDocSchema
+ */
+exports.zTenantUserSchema = zod_schemas_1.zFireDocSchema
+    .extend({
+    status: exports.zTenantUserStatusSchema,
+    roles: zod_1.z.array(zod_1.z.string()),
+    perms: zod_1.z.record(zod_1.z.boolean()),
+})
+    .passthrough();
+/**
+ * Schema for IUserTenantIndex (inverted index)
+ * Note: id, tenant, created_at, updated_at come from zFireDocSchema
+ */
+exports.zUserTenantIndexSchema = zod_schemas_1.zFireDocSchema
+    .extend({
+    status: exports.zUserTenantIndexStatusSchema,
+    tenant_name: zod_1.z.string(),
+    tenant_deleted_at: zod_schemas_1.zFirestoreDateSchema.nullable(),
+})
+    .passthrough();
+/**
+ * Schema for role permission mapping in IRbacGroup
+ */
+exports.zRbacRolePermsSchema = zod_1.z.record(exports.zRbacPermValueSchema);
+/**
+ * Schema for role definition in IRbacGroup
+ */
+exports.zRbacRoleSchema = zod_1.z.object({
+    name: zod_1.z.string(),
+    description: zod_1.z.string().optional(),
+    perms: exports.zRbacRolePermsSchema,
+});
+/**
+ * Schema for permission metadata in IRbacGroup
+ */
+exports.zRbacPermissionMetadataSchema = zod_1.z
+    .object({
+    description: zod_1.z.string().optional(),
+})
+    .passthrough();
+/**
+ * Schema for IRbacGroup (RBAC catalog)
+ * Note: IRbacGroup does NOT extend IFireDoc (global document, not tenant-scoped)
+ */
+exports.zRbacGroupSchema = zod_1.z
+    .object({
+    id: zod_1.z.string(),
+    name: zod_1.z.string(),
+    description: zod_1.z.string().optional(),
+    permissions: zod_1.z.record(exports.zRbacPermissionMetadataSchema),
+    roles: zod_1.z.record(exports.zRbacRoleSchema),
+    created_at: zod_schemas_1.zFirestoreDateSchema,
+    updated_at: zod_schemas_1.zFirestoreDateSchema,
+})
+    .passthrough();

package/dist/apps/evo-core/zod-schemas.ts

@@ -1,7 +1,97 @@
 import { z } from "zod";
+import { zFireDocSchema, zFirestoreDateSchema } from "../shared/zod-schemas";
 
 export const zActionArgsSchema = z.object({
   old_values: z.record(z.any()).optional(),
   new_values: z.record(z.any()).optional(),
   deleted_at: z.coerce.date().optional(),
 });
+
+// ----- RBAC Zod Schemas
+
+/**
+ * Schema for RbacPermValue (tri-state permission value)
+ */
+export const zRbacPermValueSchema = z.enum(["allow", "deny", "forbid"]);
+
+/**
+ * Schema for TenantUserStatus
+ */
+export const zTenantUserStatusSchema = z.enum([
+  "active",
+  "invited",
+  "disabled",
+  "removed",
+]);
+
+/**
+ * Schema for UserTenantIndexStatus
+ */
+export const zUserTenantIndexStatusSchema = z.enum([
+  "active",
+  "invited",
+  "disabled",
+]);
+
+/**
+ * Schema for ITenantUser (membership document)
+ * Note: id, tenant, created_at, updated_at come from zFireDocSchema
+ */
+export const zTenantUserSchema = zFireDocSchema
+  .extend({
+    status: zTenantUserStatusSchema,
+    roles: z.array(z.string()),
+    perms: z.record(z.boolean()),
+  })
+  .passthrough();
+
+/**
+ * Schema for IUserTenantIndex (inverted index)
+ * Note: id, tenant, created_at, updated_at come from zFireDocSchema
+ */
+export const zUserTenantIndexSchema = zFireDocSchema
+  .extend({
+    status: zUserTenantIndexStatusSchema,
+    tenant_name: z.string(),
+    tenant_deleted_at: zFirestoreDateSchema.nullable(),
+  })
+  .passthrough();
+
+/**
+ * Schema for role permission mapping in IRbacGroup
+ */
+export const zRbacRolePermsSchema = z.record(zRbacPermValueSchema);
+
+/**
+ * Schema for role definition in IRbacGroup
+ */
+export const zRbacRoleSchema = z.object({
+  name: z.string(),
+  description: z.string().optional(),
+  perms: zRbacRolePermsSchema,
+});
+
+/**
+ * Schema for permission metadata in IRbacGroup
+ */
+export const zRbacPermissionMetadataSchema = z
+  .object({
+    description: z.string().optional(),
+  })
+  .passthrough();
+
+/**
+ * Schema for IRbacGroup (RBAC catalog)
+ * Note: IRbacGroup does NOT extend IFireDoc (global document, not tenant-scoped)
+ */
+export const zRbacGroupSchema = z
+  .object({
+    id: z.string(),
+    name: z.string(),
+    description: z.string().optional(),
+    permissions: z.record(zRbacPermissionMetadataSchema),
+    roles: z.record(zRbacRoleSchema),
+    created_at: zFirestoreDateSchema,
+    updated_at: zFirestoreDateSchema,
+  })
+  .passthrough();

package/dist/apps/evo-hub-ia/channel/zod-schemas.d.ts

@@ -23,11 +23,11 @@ export declare const zHubIAConfigSchema: z.ZodObject<{
     allow_reply_mode: boolean;
     transcribe_audio_when_ai_disabled: boolean;
     suggest_agenda_action: boolean;
-    task_creation: "suggestion" | "disabled" | "create";
+    task_creation: "disabled" | "suggestion" | "create";
     system_message_prompt: string;
 }, {
     default_operation_mode: "reply" | "suggestion";
-    task_creation: "suggestion" | "disabled" | "create";
+    task_creation: "disabled" | "suggestion" | "create";
     system_message_prompt: string;
     active?: boolean | undefined;
     enabled_for_new_contacts?: boolean | undefined;

package/dist/apps/evo-survey/zod-schemas.d.ts

@@ -1197,9 +1197,9 @@ export declare const zSurveyInviteeSchema: z.ZodObject<z.objectUtil.extendShape<
     created_at?: Date | null | undefined;
     updated_at?: Date | null | undefined;
     deleted_at?: Date | null | undefined;
+    description?: string | undefined;
     email?: string | undefined;
     photo_url?: string | null | undefined;
-    description?: string | undefined;
     invitedUserId?: string | undefined;
     submissionId?: string | undefined;
 }, {
@@ -1211,10 +1211,10 @@ export declare const zSurveyInviteeSchema: z.ZodObject<z.objectUtil.extendShape<
     created_at?: Date | null | undefined;
     updated_at?: Date | null | undefined;
     deleted_at?: Date | null | undefined;
+    description?: string | undefined;
     email?: string | undefined;
     photo_url?: string | null | undefined;
     phone?: string | undefined;
-    description?: string | undefined;
     invitedUserId?: string | undefined;
     isAnonymous?: boolean | undefined;
     submissionId?: string | undefined;
@@ -1374,9 +1374,9 @@ export declare const zSurveyDeploymentSchema: z.ZodObject<z.objectUtil.extendSha
         created_at?: Date | null | undefined;
         updated_at?: Date | null | undefined;
         deleted_at?: Date | null | undefined;
+        description?: string | undefined;
         email?: string | undefined;
         photo_url?: string | null | undefined;
-        description?: string | undefined;
         invitedUserId?: string | undefined;
         submissionId?: string | undefined;
     }, {
@@ -1388,10 +1388,10 @@ export declare const zSurveyDeploymentSchema: z.ZodObject<z.objectUtil.extendSha
         created_at?: Date | null | undefined;
         updated_at?: Date | null | undefined;
         deleted_at?: Date | null | undefined;
+        description?: string | undefined;
         email?: string | undefined;
         photo_url?: string | null | undefined;
         phone?: string | undefined;
-        description?: string | undefined;
         invitedUserId?: string | undefined;
         isAnonymous?: boolean | undefined;
         submissionId?: string | undefined;
@@ -1555,6 +1555,7 @@ export declare const zSurveyDeploymentSchema: z.ZodObject<z.objectUtil.extendSha
     created_at?: Date | null | undefined;
     updated_at?: Date | null | undefined;
     deleted_at?: Date | null | undefined;
+    description?: string | undefined;
     surveys?: z.objectOutputType<z.objectUtil.extendShape<{
         id: z.ZodString;
         ref: z.ZodAny;
@@ -1623,7 +1624,6 @@ export declare const zSurveyDeploymentSchema: z.ZodObject<z.objectUtil.extendSha
         submission_date?: Date | undefined;
         inviteeId?: string | undefined;
     }[] | null | undefined;
-    description?: string | undefined;
     invitees?: {
         name: string;
         id: string;
@@ -1636,9 +1636,9 @@ export declare const zSurveyDeploymentSchema: z.ZodObject<z.objectUtil.extendSha
         created_at?: Date | null | undefined;
         updated_at?: Date | null | undefined;
         deleted_at?: Date | null | undefined;
+        description?: string | undefined;
         email?: string | undefined;
         photo_url?: string | null | undefined;
-        description?: string | undefined;
         invitedUserId?: string | undefined;
         submissionId?: string | undefined;
     }[] | null | undefined;
@@ -1656,6 +1656,7 @@ export declare const zSurveyDeploymentSchema: z.ZodObject<z.objectUtil.extendSha
     created_at?: Date | null | undefined;
     updated_at?: Date | null | undefined;
     deleted_at?: Date | null | undefined;
+    description?: string | undefined;
     surveys?: z.objectInputType<z.objectUtil.extendShape<{
         id: z.ZodString;
         ref: z.ZodAny;
@@ -1724,7 +1725,6 @@ export declare const zSurveyDeploymentSchema: z.ZodObject<z.objectUtil.extendSha
         answer_count?: number | undefined;
         submission_count?: number | undefined;
     }[] | null | undefined;
-    description?: string | undefined;
     submission_count?: number | undefined;
     section_count?: number | undefined;
     question_count?: number | undefined;
@@ -1737,10 +1737,10 @@ export declare const zSurveyDeploymentSchema: z.ZodObject<z.objectUtil.extendSha
         created_at?: Date | null | undefined;
         updated_at?: Date | null | undefined;
         deleted_at?: Date | null | undefined;
+        description?: string | undefined;
         email?: string | undefined;
         photo_url?: string | null | undefined;
         phone?: string | undefined;
-        description?: string | undefined;
         invitedUserId?: string | undefined;
         isAnonymous?: boolean | undefined;
         submissionId?: string | undefined;

package/dist/apps/evo-task/zod-schemas.d.ts

@@ -14,13 +14,16 @@ export declare const zTaskExternalLinkSchema: z.ZodObject<{
     type: z.ZodEnum<["crm_lead", "med_patient", "med_professional", "med_appointment", "chat_contact"]>;
     id: z.ZodString;
     label: z.ZodOptional<z.ZodString>;
+    ref: z.ZodOptional<z.ZodAny>;
 }, "strip", z.ZodTypeAny, {
     id: string;
     type: "crm_lead" | "med_patient" | "med_professional" | "med_appointment" | "chat_contact";
+    ref?: any;
     label?: string | undefined;
 }, {
     id: string;
     type: "crm_lead" | "med_patient" | "med_professional" | "med_appointment" | "chat_contact";
+    ref?: any;
     label?: string | undefined;
 }>;
 export declare const zTaskScheduleSchema: z.ZodObject<{
@@ -185,6 +188,7 @@ export declare const zTaskOnFailureSchema: z.ZodObject<{
             category?: string | null | undefined;
         }>, "many">>>;
     }, "strip", z.ZodTypeAny, {
+        description?: string | undefined;
         tags?: {
             name: string;
             hidden: boolean;
@@ -193,9 +197,9 @@ export declare const zTaskOnFailureSchema: z.ZodObject<{
             category?: string | null | undefined;
         }[] | null | undefined;
         title?: string | undefined;
-        description?: string | undefined;
         priority?: "low" | "medium" | "high" | undefined;
     }, {
+        description?: string | undefined;
         tags?: {
             name: string;
             hidden: boolean;
@@ -204,7 +208,6 @@ export declare const zTaskOnFailureSchema: z.ZodObject<{
             category?: string | null | undefined;
         }[] | null | undefined;
         title?: string | undefined;
-        description?: string | undefined;
         priority?: "low" | "medium" | "high" | undefined;
     }>>;
     auto_fallbacks: z.ZodOptional<z.ZodArray<z.ZodObject<{
@@ -226,6 +229,7 @@ export declare const zTaskOnFailureSchema: z.ZodObject<{
         ref?: any;
     } | undefined;
     create_handoff_task?: {
+        description?: string | undefined;
         tags?: {
             name: string;
             hidden: boolean;
@@ -234,7 +238,6 @@ export declare const zTaskOnFailureSchema: z.ZodObject<{
             category?: string | null | undefined;
         }[] | null | undefined;
         title?: string | undefined;
-        description?: string | undefined;
         priority?: "low" | "medium" | "high" | undefined;
     } | undefined;
     auto_fallbacks?: {
@@ -248,6 +251,7 @@ export declare const zTaskOnFailureSchema: z.ZodObject<{
         ref?: any;
     } | undefined;
     create_handoff_task?: {
+        description?: string | undefined;
         tags?: {
             name: string;
             hidden: boolean;
@@ -256,7 +260,6 @@ export declare const zTaskOnFailureSchema: z.ZodObject<{
             category?: string | null | undefined;
         }[] | null | undefined;
         title?: string | undefined;
-        description?: string | undefined;
         priority?: "low" | "medium" | "high" | undefined;
     } | undefined;
     auto_fallbacks?: {
@@ -336,13 +339,16 @@ export declare const zTaskSchema: z.ZodObject<z.objectUtil.extendShape<{
         type: z.ZodEnum<["crm_lead", "med_patient", "med_professional", "med_appointment", "chat_contact"]>;
         id: z.ZodString;
         label: z.ZodOptional<z.ZodString>;
+        ref: z.ZodOptional<z.ZodAny>;
     }, "strip", z.ZodTypeAny, {
         id: string;
         type: "crm_lead" | "med_patient" | "med_professional" | "med_appointment" | "chat_contact";
+        ref?: any;
         label?: string | undefined;
     }, {
         id: string;
         type: "crm_lead" | "med_patient" | "med_professional" | "med_appointment" | "chat_contact";
+        ref?: any;
         label?: string | undefined;
     }>, "many">>;
     idempotency_key: z.ZodOptional<z.ZodString>;
@@ -478,6 +484,7 @@ export declare const zTaskSchema: z.ZodObject<z.objectUtil.extendShape<{
                 category?: string | null | undefined;
             }>, "many">>>;
         }, "strip", z.ZodTypeAny, {
+            description?: string | undefined;
             tags?: {
                 name: string;
                 hidden: boolean;
@@ -486,9 +493,9 @@ export declare const zTaskSchema: z.ZodObject<z.objectUtil.extendShape<{
                 category?: string | null | undefined;
             }[] | null | undefined;
             title?: string | undefined;
-            description?: string | undefined;
             priority?: "low" | "medium" | "high" | undefined;
         }, {
+            description?: string | undefined;
             tags?: {
                 name: string;
                 hidden: boolean;
@@ -497,7 +504,6 @@ export declare const zTaskSchema: z.ZodObject<z.objectUtil.extendShape<{
                 category?: string | null | undefined;
             }[] | null | undefined;
             title?: string | undefined;
-            description?: string | undefined;
             priority?: "low" | "medium" | "high" | undefined;
         }>>;
         auto_fallbacks: z.ZodOptional<z.ZodArray<z.ZodObject<{
@@ -519,6 +525,7 @@ export declare const zTaskSchema: z.ZodObject<z.objectUtil.extendShape<{
             ref?: any;
         } | undefined;
         create_handoff_task?: {
+            description?: string | undefined;
             tags?: {
                 name: string;
                 hidden: boolean;
@@ -527,7 +534,6 @@ export declare const zTaskSchema: z.ZodObject<z.objectUtil.extendShape<{
                 category?: string | null | undefined;
             }[] | null | undefined;
             title?: string | undefined;
-            description?: string | undefined;
             priority?: "low" | "medium" | "high" | undefined;
         } | undefined;
         auto_fallbacks?: {
@@ -541,6 +547,7 @@ export declare const zTaskSchema: z.ZodObject<z.objectUtil.extendShape<{
             ref?: any;
         } | undefined;
         create_handoff_task?: {
+            description?: string | undefined;
             tags?: {
                 name: string;
                 hidden: boolean;
@@ -549,7 +556,6 @@ export declare const zTaskSchema: z.ZodObject<z.objectUtil.extendShape<{
                 category?: string | null | undefined;
             }[] | null | undefined;
             title?: string | undefined;
-            description?: string | undefined;
             priority?: "low" | "medium" | "high" | undefined;
         } | undefined;
         auto_fallbacks?: {
@@ -638,13 +644,16 @@ export declare const zTaskSchema: z.ZodObject<z.objectUtil.extendShape<{
         type: z.ZodEnum<["crm_lead", "med_patient", "med_professional", "med_appointment", "chat_contact"]>;
         id: z.ZodString;
         label: z.ZodOptional<z.ZodString>;
+        ref: z.ZodOptional<z.ZodAny>;
     }, "strip", z.ZodTypeAny, {
         id: string;
         type: "crm_lead" | "med_patient" | "med_professional" | "med_appointment" | "chat_contact";
+        ref?: any;
         label?: string | undefined;
     }, {
         id: string;
         type: "crm_lead" | "med_patient" | "med_professional" | "med_appointment" | "chat_contact";
+        ref?: any;
         label?: string | undefined;
     }>, "many">>;
     idempotency_key: z.ZodOptional<z.ZodString>;
@@ -780,6 +789,7 @@ export declare const zTaskSchema: z.ZodObject<z.objectUtil.extendShape<{
                 category?: string | null | undefined;
             }>, "many">>>;
         }, "strip", z.ZodTypeAny, {
+            description?: string | undefined;
             tags?: {
                 name: string;
                 hidden: boolean;
@@ -788,9 +798,9 @@ export declare const zTaskSchema: z.ZodObject<z.objectUtil.extendShape<{
                 category?: string | null | undefined;
             }[] | null | undefined;
             title?: string | undefined;
-            description?: string | undefined;
             priority?: "low" | "medium" | "high" | undefined;
         }, {
+            description?: string | undefined;
             tags?: {
                 name: string;
                 hidden: boolean;
@@ -799,7 +809,6 @@ export declare const zTaskSchema: z.ZodObject<z.objectUtil.extendShape<{
                 category?: string | null | undefined;
             }[] | null | undefined;
             title?: string | undefined;
-            description?: string | undefined;
             priority?: "low" | "medium" | "high" | undefined;
         }>>;
         auto_fallbacks: z.ZodOptional<z.ZodArray<z.ZodObject<{
@@ -821,6 +830,7 @@ export declare const zTaskSchema: z.ZodObject<z.objectUtil.extendShape<{
             ref?: any;
         } | undefined;
         create_handoff_task?: {
+            description?: string | undefined;
             tags?: {
                 name: string;
                 hidden: boolean;
@@ -829,7 +839,6 @@ export declare const zTaskSchema: z.ZodObject<z.objectUtil.extendShape<{
                 category?: string | null | undefined;
             }[] | null | undefined;
             title?: string | undefined;
-            description?: string | undefined;
             priority?: "low" | "medium" | "high" | undefined;
         } | undefined;
         auto_fallbacks?: {
@@ -843,6 +852,7 @@ export declare const zTaskSchema: z.ZodObject<z.objectUtil.extendShape<{
             ref?: any;
         } | undefined;
         create_handoff_task?: {
+            description?: string | undefined;
             tags?: {
                 name: string;
                 hidden: boolean;
@@ -851,7 +861,6 @@ export declare const zTaskSchema: z.ZodObject<z.objectUtil.extendShape<{
                 category?: string | null | undefined;
             }[] | null | undefined;
             title?: string | undefined;
-            description?: string | undefined;
             priority?: "low" | "medium" | "high" | undefined;
         } | undefined;
         auto_fallbacks?: {
@@ -940,13 +949,16 @@ export declare const zTaskSchema: z.ZodObject<z.objectUtil.extendShape<{
         type: z.ZodEnum<["crm_lead", "med_patient", "med_professional", "med_appointment", "chat_contact"]>;
         id: z.ZodString;
         label: z.ZodOptional<z.ZodString>;
+        ref: z.ZodOptional<z.ZodAny>;
     }, "strip", z.ZodTypeAny, {
         id: string;
         type: "crm_lead" | "med_patient" | "med_professional" | "med_appointment" | "chat_contact";
+        ref?: any;
         label?: string | undefined;
     }, {
         id: string;
         type: "crm_lead" | "med_patient" | "med_professional" | "med_appointment" | "chat_contact";
+        ref?: any;
         label?: string | undefined;
     }>, "many">>;
     idempotency_key: z.ZodOptional<z.ZodString>;
@@ -1082,6 +1094,7 @@ export declare const zTaskSchema: z.ZodObject<z.objectUtil.extendShape<{
                 category?: string | null | undefined;
             }>, "many">>>;
         }, "strip", z.ZodTypeAny, {
+            description?: string | undefined;
             tags?: {
                 name: string;
                 hidden: boolean;
@@ -1090,9 +1103,9 @@ export declare const zTaskSchema: z.ZodObject<z.objectUtil.extendShape<{
                 category?: string | null | undefined;
             }[] | null | undefined;
             title?: string | undefined;
-            description?: string | undefined;
             priority?: "low" | "medium" | "high" | undefined;
         }, {
+            description?: string | undefined;
             tags?: {
                 name: string;
                 hidden: boolean;
@@ -1101,7 +1114,6 @@ export declare const zTaskSchema: z.ZodObject<z.objectUtil.extendShape<{
                 category?: string | null | undefined;
             }[] | null | undefined;
             title?: string | undefined;
-            description?: string | undefined;
             priority?: "low" | "medium" | "high" | undefined;
         }>>;
         auto_fallbacks: z.ZodOptional<z.ZodArray<z.ZodObject<{
@@ -1123,6 +1135,7 @@ export declare const zTaskSchema: z.ZodObject<z.objectUtil.extendShape<{
             ref?: any;
         } | undefined;
         create_handoff_task?: {
+            description?: string | undefined;
             tags?: {
                 name: string;
                 hidden: boolean;
@@ -1131,7 +1144,6 @@ export declare const zTaskSchema: z.ZodObject<z.objectUtil.extendShape<{
                 category?: string | null | undefined;
             }[] | null | undefined;
             title?: string | undefined;
-            description?: string | undefined;
             priority?: "low" | "medium" | "high" | undefined;
         } | undefined;
         auto_fallbacks?: {
@@ -1145,6 +1157,7 @@ export declare const zTaskSchema: z.ZodObject<z.objectUtil.extendShape<{
             ref?: any;
         } | undefined;
         create_handoff_task?: {
+            description?: string | undefined;
             tags?: {
                 name: string;
                 hidden: boolean;
@@ -1153,7 +1166,6 @@ export declare const zTaskSchema: z.ZodObject<z.objectUtil.extendShape<{
                 category?: string | null | undefined;
             }[] | null | undefined;
             title?: string | undefined;
-            description?: string | undefined;
             priority?: "low" | "medium" | "high" | undefined;
         } | undefined;
         auto_fallbacks?: {

package/dist/apps/evo-task/zod-schemas.js

@@ -47,6 +47,7 @@ exports.zTaskExternalLinkSchema = zod_1.z.object({
     type: exports.zTaskExternalObjectTypeSchema,
     id: zod_1.z.string(),
     label: zod_1.z.string().optional(),
+    ref: zod_1.z.any().optional(), // FirestoreDocumentReference
 });
 // Schema para ITaskSchedule
 exports.zTaskScheduleSchema = zod_1.z.object({

package/dist/apps/evo-task/zod-schemas.ts

@@ -56,6 +56,7 @@ export const zTaskExternalLinkSchema = z.object({
   type: zTaskExternalObjectTypeSchema,
   id: z.string(),
   label: z.string().optional(),
+  ref: z.any().optional(), // FirestoreDocumentReference
 });
 
 // Schema para ITaskSchedule

package/dist/apps/evo-tenant/zod-schemas.d.ts

@@ -26,8 +26,8 @@ export declare const zTenantSchema: z.ZodObject<z.objectUtil.extendShape<{
     id: string;
     tenant: string;
     model_ver: number;
-    url_alias: string;
     status: "draft" | "published" | "archived";
+    url_alias: string;
     ref?: any;
     created_at?: Date | null | undefined;
     updated_at?: Date | null | undefined;
@@ -43,8 +43,8 @@ export declare const zTenantSchema: z.ZodObject<z.objectUtil.extendShape<{
     name: string;
     id: string;
     tenant: string;
-    url_alias: string;
     status: "draft" | "published" | "archived";
+    url_alias: string;
     ref?: any;
     model_ver?: number | undefined;
     created_at?: Date | null | undefined;

package/dist/types/evo-core/index.d.ts

@@ -43,3 +43,4 @@ export interface IActionArgs {
     new_values?: Record<string, any>;
     deleted_at?: Date;
 }
+export * from "./rbac";

package/dist/types/evo-core/index.js

@@ -1,2 +1,18 @@
 "use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
 Object.defineProperty(exports, "__esModule", { value: true });
+// RBAC Types
+__exportStar(require("./rbac"), exports);

package/dist/types/evo-core/index.ts

@@ -50,3 +50,6 @@ export interface IActionArgs {
   new_values?: Record<string, any>;
   deleted_at?: Date;
 }
+
+// RBAC Types
+export * from "./rbac";

package/dist/types/evo-core/rbac/fb_collections.d.ts

@@ -0,0 +1,4 @@
+export declare const RBAC_COLLECTION = "rbac";
+export declare const RBAC_GROUPS_COLLECTION = "groups";
+export declare const TENANT_USERS_COLLECTION = "users";
+export declare const USER_TENANTS_COLLECTION = "tenants";

package/dist/types/evo-core/rbac/fb_collections.js

@@ -0,0 +1,8 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.USER_TENANTS_COLLECTION = exports.TENANT_USERS_COLLECTION = exports.RBAC_GROUPS_COLLECTION = exports.RBAC_COLLECTION = void 0;
+// RBAC Firestore Collections
+exports.RBAC_COLLECTION = "rbac";
+exports.RBAC_GROUPS_COLLECTION = "groups";
+exports.TENANT_USERS_COLLECTION = "users";
+exports.USER_TENANTS_COLLECTION = "tenants";

package/dist/types/evo-core/rbac/fb_collections.ts

@@ -0,0 +1,5 @@
+// RBAC Firestore Collections
+export const RBAC_COLLECTION = "rbac";
+export const RBAC_GROUPS_COLLECTION = "groups";
+export const TENANT_USERS_COLLECTION = "users";
+export const USER_TENANTS_COLLECTION = "tenants";

package/dist/types/evo-core/rbac/index.d.ts

@@ -0,0 +1,135 @@
+export * from "./fb_collections";
+import type { IFireDoc } from "../../shared";
+/**
+ * Tri-state permission value for role definitions.
+ * - 'allow': grants the permission
+ * - 'deny': does not grant (can be overridden by another role with 'allow')
+ * - 'forbid': explicitly denies and overrides any 'allow'
+ */
+export type RbacPermValue = "allow" | "deny" | "forbid";
+/**
+ * Membership status for a user in a tenant.
+ */
+export type TenantUserStatus = "active" | "invited" | "disabled" | "removed";
+/**
+ * Status for user tenant index (simplified, no 'removed').
+ */
+export type UserTenantIndexStatus = "active" | "invited" | "disabled";
+/**
+ * Membership document representing a user's access to a tenant.
+ * This is the PRIMARY authorization document for the system.
+ *
+ * Path: /tenants/{tenantId}/users/{userId}
+ */
+export interface ITenantUser extends IFireDoc {
+    status: TenantUserStatus;
+    /**
+     * Array of role IDs assigned to the user in this tenant.
+     * Example: ['crm_admin', 'sales']
+     */
+    roles: string[];
+    /**
+     * Effective permissions (already resolved from roles).
+     * This is a boolean map where each key is a permission identifier.
+     *
+     * Example:
+     * {
+     *   crm_read: true,
+     *   crm_write: true,
+     *   billing_read: false
+     * }
+     *
+     * IMPORTANT: Security Rules and backend should NEVER calculate
+     * roles → perms dynamically. Always use this materialized object.
+     */
+    perms: {
+        [permissionKey: string]: boolean;
+    };
+}
+/**
+ * Inverted index for listing tenants accessible by a user.
+ * Used exclusively for performant listing without expensive queries.
+ *
+ * Path: /users/{userId}/tenants/{tenantId}
+ */
+export interface IUserTenantIndex extends IFireDoc {
+    status: UserTenantIndexStatus;
+    /**
+     * Tenant name for display purposes.
+     */
+    tenant_name: string;
+    /**
+     * Timestamp when tenant was deleted (soft delete).
+     * null if tenant is active.
+     */
+    tenant_deleted_at: Date | null;
+}
+/**
+ * RBAC group definition (catalog).
+ * Represents a module's roles and permissions (e.g., 'evo-crm', 'evo-med').
+ *
+ * Path: /rbac/groups/{groupKey}
+ *
+ * IMPORTANT: This catalog does NOT participate in real-time authorization.
+ * It exists to facilitate registration, consistency, and evolution.
+ *
+ * Note: This does NOT extend IFireDoc because it's a global document
+ * (not tenant-scoped). It has its own structure.
+ */
+export interface IRbacGroup {
+    /**
+     * Document ID.
+     */
+    id: string;
+    /**
+     * Human-readable name.
+     * Example: "Evo CRM"
+     */
+    name: string;
+    /**
+     * Optional description of the module/group.
+     */
+    description?: string;
+    /**
+     * Catalog of permissions for this module (documentation/UI).
+     * Maps permission keys to metadata.
+     */
+    permissions: {
+        [permissionKey: string]: {
+            description?: string;
+            [key: string]: unknown;
+        };
+    };
+    /**
+     * Roles defined in this module.
+     * Maps role IDs to role definitions (name, description, permissions).
+     */
+    roles: {
+        [roleId: string]: {
+            name: string;
+            description?: string;
+            /**
+             * Permissions for this role (tri-state).
+             * Each permission can be 'allow', 'deny', or 'forbid'.
+             */
+            perms: {
+                [permissionKey: string]: RbacPermValue;
+            };
+        };
+    };
+    created_at: Date;
+    updated_at: Date;
+}
+/**
+ * Extended tenant configuration that includes RBAC groups.
+ * This should be added to ITenant interface in evo-tenant module.
+ *
+ * For now, we define it here as a type that can be merged.
+ */
+export interface ITenantRbacConfig {
+    /**
+     * Array of RBAC group keys that this tenant inherits.
+     * Example: ['evo-crm', 'evo-med']
+     */
+    rbac_groups?: string[];
+}

package/dist/types/evo-core/rbac/index.js

@@ -0,0 +1,17 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./fb_collections"), exports);

package/dist/types/evo-core/rbac/index.ts

@@ -0,0 +1,168 @@
+export * from "./fb_collections";
+import type { FirestoreDocumentReference, IFireDoc } from "../../shared";
+
+// ----- RBAC Types
+
+/**
+ * Tri-state permission value for role definitions.
+ * - 'allow': grants the permission
+ * - 'deny': does not grant (can be overridden by another role with 'allow')
+ * - 'forbid': explicitly denies and overrides any 'allow'
+ */
+export type RbacPermValue = "allow" | "deny" | "forbid";
+
+/**
+ * Membership status for a user in a tenant.
+ */
+export type TenantUserStatus = "active" | "invited" | "disabled" | "removed";
+
+/**
+ * Status for user tenant index (simplified, no 'removed').
+ */
+export type UserTenantIndexStatus = "active" | "invited" | "disabled";
+
+// ----- Tenant User Membership (AUTORIZAÇÃO PRINCIPAL)
+// Path: /tenants/{tenantId}/users/{userId}
+
+/**
+ * Membership document representing a user's access to a tenant.
+ * This is the PRIMARY authorization document for the system.
+ *
+ * Path: /tenants/{tenantId}/users/{userId}
+ */
+export interface ITenantUser extends IFireDoc {
+  status: TenantUserStatus;
+  // tenant field from IFireDoc represents the tenantId
+
+  /**
+   * Array of role IDs assigned to the user in this tenant.
+   * Example: ['crm_admin', 'sales']
+   */
+  roles: string[];
+
+  /**
+   * Effective permissions (already resolved from roles).
+   * This is a boolean map where each key is a permission identifier.
+   *
+   * Example:
+   * {
+   *   crm_read: true,
+   *   crm_write: true,
+   *   billing_read: false
+   * }
+   *
+   * IMPORTANT: Security Rules and backend should NEVER calculate
+   * roles → perms dynamically. Always use this materialized object.
+   */
+  perms: {
+    [permissionKey: string]: boolean;
+  };
+}
+
+// ----- User Tenant Index (ÍNDICE INVERTIDO)
+// Path: /users/{userId}/tenants/{tenantId}
+
+/**
+ * Inverted index for listing tenants accessible by a user.
+ * Used exclusively for performant listing without expensive queries.
+ *
+ * Path: /users/{userId}/tenants/{tenantId}
+ */
+export interface IUserTenantIndex extends IFireDoc {
+  status: UserTenantIndexStatus;
+  // tenant field from IFireDoc represents the tenantId
+
+  /**
+   * Tenant name for display purposes.
+   */
+  tenant_name: string;
+
+  /**
+   * Timestamp when tenant was deleted (soft delete).
+   * null if tenant is active.
+   */
+  tenant_deleted_at: Date | null;
+}
+
+// ----- RBAC Group (DICIONÁRIO RBAC GLOBAL)
+// Path: /rbac/groups/{groupKey}
+
+/**
+ * RBAC group definition (catalog).
+ * Represents a module's roles and permissions (e.g., 'evo-crm', 'evo-med').
+ *
+ * Path: /rbac/groups/{groupKey}
+ *
+ * IMPORTANT: This catalog does NOT participate in real-time authorization.
+ * It exists to facilitate registration, consistency, and evolution.
+ *
+ * Note: This does NOT extend IFireDoc because it's a global document
+ * (not tenant-scoped). It has its own structure.
+ */
+export interface IRbacGroup {
+  /**
+   * Document ID.
+   */
+  id: string;
+
+  /**
+   * Human-readable name.
+   * Example: "Evo CRM"
+   */
+  name: string;
+
+  /**
+   * Optional description of the module/group.
+   */
+  description?: string;
+
+  /**
+   * Catalog of permissions for this module (documentation/UI).
+   * Maps permission keys to metadata.
+   */
+  permissions: {
+    [permissionKey: string]: {
+      description?: string;
+      // Optional: tags, category, level, etc.
+      [key: string]: unknown;
+    };
+  };
+
+  /**
+   * Roles defined in this module.
+   * Maps role IDs to role definitions (name, description, permissions).
+   */
+  roles: {
+    [roleId: string]: {
+      name: string;
+      description?: string;
+      /**
+       * Permissions for this role (tri-state).
+       * Each permission can be 'allow', 'deny', or 'forbid'.
+       */
+      perms: {
+        [permissionKey: string]: RbacPermValue;
+      };
+    };
+  };
+
+  created_at: Date;
+  updated_at: Date;
+}
+
+// ----- Tenant Configuration Extension
+// This extends ITenant to include rbac_groups field
+
+/**
+ * Extended tenant configuration that includes RBAC groups.
+ * This should be added to ITenant interface in evo-tenant module.
+ *
+ * For now, we define it here as a type that can be merged.
+ */
+export interface ITenantRbacConfig {
+  /**
+   * Array of RBAC group keys that this tenant inherits.
+   * Example: ['evo-crm', 'evo-med']
+   */
+  rbac_groups?: string[];
+}

package/dist/types/evo-task/index.d.ts

@@ -99,6 +99,7 @@ export interface ITaskExternalLink {
     type: TaskExternalObjectType;
     id: string;
     label?: string;
+    ref?: FirestoreDocumentReference;
     [key: string]: unknown;
 }
 export interface ITaskUserAssignee {

package/dist/types/evo-task/index.ts

@@ -152,6 +152,7 @@ export interface ITaskExternalLink {
   type: TaskExternalObjectType;
   id: string;
   label?: string;
+  ref?: FirestoreDocumentReference;
   [key: string]: unknown;
 }
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "evo360-types",
-  "version": "1.3.152",
+  "version": "1.3.154",
   "description": "HREVO360 Shared Types",
   "main": "./dist/index.js",
   "types": "./dist/index.d.ts",