tychat-contracts 1.0.47 → 1.0.49

package/README.md

@@ -4,7 +4,8 @@ DTOs compartilhados com **class-validator** usados pela **tychat-api** e pelos m
 
 ## Estrutura
 
-- **auth**: `LoginDto`
+- **auth**: `LoginDto`, `RefreshTokenDto`, payloads Kafka (`LoginPayload`, etc.)
+- **users**: `CreateUserDto`, `UserListItemDto`, `UpdateSelfUserDto`, `UpdateUserByAdminDto`, `UpdatedUserDto` (atualização de perfil e por administrador)
 
 ## Uso
 

package/dist/auth/auth-kafka.payloads.d.ts

@@ -1,5 +1,5 @@
-import { LoginDto } from "./login.dto";
-import { RefreshTokenDto } from "./refresh-token.dto";
+import { LoginDto } from './login.dto';
+import { RefreshTokenDto } from './refresh-token.dto';
 export declare class LoginPayload extends LoginDto {
     tenant: string;
 }
@@ -10,4 +10,13 @@ export declare class ValidatePayload {
 export declare class RefreshPayload extends RefreshTokenDto {
     tenant: string;
 }
+export declare class RequestPasswordResetPayload {
+    tenant: string;
+    email: string;
+}
+export declare class ConfirmPasswordResetPayload {
+    tenant: string;
+    verify_token: string;
+    password: string;
+}
 //# sourceMappingURL=auth-kafka.payloads.d.ts.map

package/dist/auth/auth-kafka.payloads.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"auth-kafka.payloads.d.ts","sourceRoot":"","sources":["../../src/auth/auth-kafka.payloads.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AAEvC,OAAO,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAEtD,qBAAa,YAAa,SAAQ,QAAQ;IAKxC,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,qBAAa,eAAe;IAK1B,MAAM,EAAE,MAAM,CAAC;IAMf,YAAY,EAAE,MAAM,CAAC;CACtB;AAED,qBAAa,cAAe,SAAQ,eAAe;IAKjD,MAAM,EAAE,MAAM,CAAC;CAChB"}
+{"version":3,"file":"auth-kafka.payloads.d.ts","sourceRoot":"","sources":["../../src/auth/auth-kafka.payloads.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AACvC,OAAO,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAEtD,qBAAa,YAAa,SAAQ,QAAQ;IAKxC,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,qBAAa,eAAe;IAK1B,MAAM,EAAE,MAAM,CAAC;IAMf,YAAY,EAAE,MAAM,CAAC;CACtB;AAED,qBAAa,cAAe,SAAQ,eAAe;IAKjD,MAAM,EAAE,MAAM,CAAC;CAChB;AAED,qBAAa,2BAA2B;IAKtC,MAAM,EAAE,MAAM,CAAC;IAMf,KAAK,EAAE,MAAM,CAAC;CACf;AAED,qBAAa,2BAA2B;IAKtC,MAAM,EAAE,MAAM,CAAC;IAMf,YAAY,EAAE,MAAM,CAAC;IAMrB,QAAQ,EAAE,MAAM,CAAC;CAClB"}

package/dist/auth/auth-kafka.payloads.js

@@ -9,10 +9,10 @@ var __metadata = (this && this.__metadata) || function (k, v) {
     if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.RefreshPayload = exports.ValidatePayload = exports.LoginPayload = void 0;
+exports.ConfirmPasswordResetPayload = exports.RequestPasswordResetPayload = exports.RefreshPayload = exports.ValidatePayload = exports.LoginPayload = void 0;
 const swagger_1 = require("@nestjs/swagger");
-const login_dto_1 = require("./login.dto");
 const class_validator_1 = require("class-validator");
+const login_dto_1 = require("./login.dto");
 const refresh_token_dto_1 = require("./refresh-token.dto");
 class LoginPayload extends login_dto_1.LoginDto {
     tenant;
@@ -55,3 +55,49 @@ __decorate([
     (0, class_validator_1.MaxLength)(255),
     __metadata("design:type", String)
 ], RefreshPayload.prototype, "tenant", void 0);
+class RequestPasswordResetPayload {
+    tenant;
+    email;
+}
+exports.RequestPasswordResetPayload = RequestPasswordResetPayload;
+__decorate([
+    (0, swagger_1.ApiProperty)({ description: 'ID do tenant', example: 'tenant1' }),
+    (0, class_validator_1.IsString)(),
+    (0, class_validator_1.MinLength)(1, { message: 'tenant não pode ser vazio' }),
+    (0, class_validator_1.MaxLength)(255),
+    __metadata("design:type", String)
+], RequestPasswordResetPayload.prototype, "tenant", void 0);
+__decorate([
+    (0, swagger_1.ApiProperty)({ description: 'E-mail do usuário', example: 'usuario@empresa.com' }),
+    (0, class_validator_1.IsString)(),
+    (0, class_validator_1.MinLength)(1, { message: 'email não pode ser vazio' }),
+    (0, class_validator_1.MaxLength)(255),
+    __metadata("design:type", String)
+], RequestPasswordResetPayload.prototype, "email", void 0);
+class ConfirmPasswordResetPayload {
+    tenant;
+    verify_token;
+    password;
+}
+exports.ConfirmPasswordResetPayload = ConfirmPasswordResetPayload;
+__decorate([
+    (0, swagger_1.ApiProperty)({ description: 'ID do tenant', example: 'tenant1' }),
+    (0, class_validator_1.IsString)(),
+    (0, class_validator_1.MinLength)(1, { message: 'tenant não pode ser vazio' }),
+    (0, class_validator_1.MaxLength)(255),
+    __metadata("design:type", String)
+], ConfirmPasswordResetPayload.prototype, "tenant", void 0);
+__decorate([
+    (0, swagger_1.ApiProperty)({ description: 'Token de verificação para reset de senha', example: 'a3b5f3c1...' }),
+    (0, class_validator_1.IsString)(),
+    (0, class_validator_1.MinLength)(1, { message: 'verify_token não pode ser vazio' }),
+    (0, class_validator_1.MaxLength)(255),
+    __metadata("design:type", String)
+], ConfirmPasswordResetPayload.prototype, "verify_token", void 0);
+__decorate([
+    (0, swagger_1.ApiProperty)({ description: 'Nova senha do usuário', example: 'senha123' }),
+    (0, class_validator_1.IsString)(),
+    (0, class_validator_1.MinLength)(6, { message: 'password deve ter no mínimo 6 caracteres' }),
+    (0, class_validator_1.MaxLength)(255),
+    __metadata("design:type", String)
+], ConfirmPasswordResetPayload.prototype, "password", void 0);

package/dist/auth/auth-login-response.dto.d.ts

@@ -0,0 +1,6 @@
+export declare class AuthLoginResponseDto {
+    access_token: string;
+    refresh_token: string;
+    force_change_password: boolean;
+}
+//# sourceMappingURL=auth-login-response.dto.d.ts.map

package/dist/auth/auth-login-response.dto.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-login-response.dto.d.ts","sourceRoot":"","sources":["../../src/auth/auth-login-response.dto.ts"],"names":[],"mappings":"AAEA,qBAAa,oBAAoB;IAE/B,YAAY,EAAE,MAAM,CAAC;IAGrB,aAAa,EAAE,MAAM,CAAC;IAMtB,qBAAqB,EAAE,OAAO,CAAC;CAChC"}

package/dist/auth/auth-login-response.dto.js

@@ -0,0 +1,34 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AuthLoginResponseDto = void 0;
+const swagger_1 = require("@nestjs/swagger");
+class AuthLoginResponseDto {
+    access_token;
+    refresh_token;
+    force_change_password;
+}
+exports.AuthLoginResponseDto = AuthLoginResponseDto;
+__decorate([
+    (0, swagger_1.ApiProperty)({ description: 'Token de acesso JWT' }),
+    __metadata("design:type", String)
+], AuthLoginResponseDto.prototype, "access_token", void 0);
+__decorate([
+    (0, swagger_1.ApiProperty)({ description: 'Token de refresh JWT' }),
+    __metadata("design:type", String)
+], AuthLoginResponseDto.prototype, "refresh_token", void 0);
+__decorate([
+    (0, swagger_1.ApiProperty)({
+        description: 'Indica se o usuário deve alterar a senha no primeiro acesso',
+        example: true,
+    }),
+    __metadata("design:type", Boolean)
+], AuthLoginResponseDto.prototype, "force_change_password", void 0);

package/dist/auth/confirm-password-reset.dto.d.ts

@@ -0,0 +1,6 @@
+export declare class ConfirmPasswordResetDto {
+    verify_token: string;
+    password: string;
+    password_confirmation: string;
+}
+//# sourceMappingURL=confirm-password-reset.dto.d.ts.map

package/dist/auth/confirm-password-reset.dto.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"confirm-password-reset.dto.d.ts","sourceRoot":"","sources":["../../src/auth/confirm-password-reset.dto.ts"],"names":[],"mappings":"AAIA,qBAAa,uBAAuB;IAQlC,YAAY,EAAE,MAAM,CAAC;IAMrB,QAAQ,EAAE,MAAM,CAAC;IAajB,qBAAqB,EAAE,MAAM,CAAC;CAC/B"}

package/dist/auth/confirm-password-reset.dto.js

@@ -0,0 +1,52 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ConfirmPasswordResetDto = void 0;
+const swagger_1 = require("@nestjs/swagger");
+const class_validator_1 = require("class-validator");
+const match_field_decorator_1 = require("./match-field.decorator");
+class ConfirmPasswordResetDto {
+    verify_token;
+    password;
+    password_confirmation;
+}
+exports.ConfirmPasswordResetDto = ConfirmPasswordResetDto;
+__decorate([
+    (0, swagger_1.ApiProperty)({
+        description: 'Token de verificação recebido para troca de senha',
+        example: 'a3b5f3c1ef65...',
+    }),
+    (0, class_validator_1.IsString)(),
+    (0, class_validator_1.MinLength)(1, { message: 'verify_token não pode ser vazio' }),
+    (0, class_validator_1.MaxLength)(255),
+    __metadata("design:type", String)
+], ConfirmPasswordResetDto.prototype, "verify_token", void 0);
+__decorate([
+    (0, swagger_1.ApiProperty)({ description: 'Nova senha', example: 'senha123', minLength: 6 }),
+    (0, class_validator_1.IsString)(),
+    (0, class_validator_1.MinLength)(6, { message: 'password deve ter no mínimo 6 caracteres' }),
+    (0, class_validator_1.MaxLength)(255),
+    __metadata("design:type", String)
+], ConfirmPasswordResetDto.prototype, "password", void 0);
+__decorate([
+    (0, swagger_1.ApiProperty)({
+        description: 'Confirmação da nova senha',
+        example: 'senha123',
+        minLength: 6,
+    }),
+    (0, class_validator_1.IsString)(),
+    (0, class_validator_1.MinLength)(6, { message: 'password_confirmation deve ter no mínimo 6 caracteres' }),
+    (0, class_validator_1.MaxLength)(255),
+    (0, match_field_decorator_1.MatchField)('password', {
+        message: 'password_confirmation deve ser igual a password',
+    }),
+    __metadata("design:type", String)
+], ConfirmPasswordResetDto.prototype, "password_confirmation", void 0);

package/dist/auth/index.d.ts

@@ -1,4 +1,7 @@
 export { LoginDto } from './login.dto';
-export type { LoginPayload, ValidatePayload, RefreshPayload, } from './auth-kafka.payloads';
+export { LoginPayload, ValidatePayload, RefreshPayload, RequestPasswordResetPayload, ConfirmPasswordResetPayload, } from './auth-kafka.payloads';
 export { RefreshTokenDto } from './refresh-token.dto';
+export { RequestPasswordResetDto } from './request-password-reset.dto';
+export { ConfirmPasswordResetDto } from './confirm-password-reset.dto';
+export { AuthLoginResponseDto } from './auth-login-response.dto';
 //# sourceMappingURL=index.d.ts.map

package/dist/auth/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/auth/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AACvC,YAAY,EACV,YAAY,EACZ,eAAe,EACf,cAAc,GACf,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/auth/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AACvC,OAAO,EACL,YAAY,EACZ,eAAe,EACf,cAAc,EACd,2BAA2B,EAC3B,2BAA2B,GAC5B,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AACtD,OAAO,EAAE,uBAAuB,EAAE,MAAM,8BAA8B,CAAC;AACvE,OAAO,EAAE,uBAAuB,EAAE,MAAM,8BAA8B,CAAC;AACvE,OAAO,EAAE,oBAAoB,EAAE,MAAM,2BAA2B,CAAC"}

package/dist/auth/index.js

@@ -1,7 +1,19 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.RefreshTokenDto = exports.LoginDto = void 0;
+exports.AuthLoginResponseDto = exports.ConfirmPasswordResetDto = exports.RequestPasswordResetDto = exports.RefreshTokenDto = exports.ConfirmPasswordResetPayload = exports.RequestPasswordResetPayload = exports.RefreshPayload = exports.ValidatePayload = exports.LoginPayload = exports.LoginDto = void 0;
 var login_dto_1 = require("./login.dto");
 Object.defineProperty(exports, "LoginDto", { enumerable: true, get: function () { return login_dto_1.LoginDto; } });
+var auth_kafka_payloads_1 = require("./auth-kafka.payloads");
+Object.defineProperty(exports, "LoginPayload", { enumerable: true, get: function () { return auth_kafka_payloads_1.LoginPayload; } });
+Object.defineProperty(exports, "ValidatePayload", { enumerable: true, get: function () { return auth_kafka_payloads_1.ValidatePayload; } });
+Object.defineProperty(exports, "RefreshPayload", { enumerable: true, get: function () { return auth_kafka_payloads_1.RefreshPayload; } });
+Object.defineProperty(exports, "RequestPasswordResetPayload", { enumerable: true, get: function () { return auth_kafka_payloads_1.RequestPasswordResetPayload; } });
+Object.defineProperty(exports, "ConfirmPasswordResetPayload", { enumerable: true, get: function () { return auth_kafka_payloads_1.ConfirmPasswordResetPayload; } });
 var refresh_token_dto_1 = require("./refresh-token.dto");
 Object.defineProperty(exports, "RefreshTokenDto", { enumerable: true, get: function () { return refresh_token_dto_1.RefreshTokenDto; } });
+var request_password_reset_dto_1 = require("./request-password-reset.dto");
+Object.defineProperty(exports, "RequestPasswordResetDto", { enumerable: true, get: function () { return request_password_reset_dto_1.RequestPasswordResetDto; } });
+var confirm_password_reset_dto_1 = require("./confirm-password-reset.dto");
+Object.defineProperty(exports, "ConfirmPasswordResetDto", { enumerable: true, get: function () { return confirm_password_reset_dto_1.ConfirmPasswordResetDto; } });
+var auth_login_response_dto_1 = require("./auth-login-response.dto");
+Object.defineProperty(exports, "AuthLoginResponseDto", { enumerable: true, get: function () { return auth_login_response_dto_1.AuthLoginResponseDto; } });

package/dist/auth/match-field.decorator.d.ts

@@ -0,0 +1,3 @@
+import { ValidationOptions } from 'class-validator';
+export declare function MatchField(sourceField: string, validationOptions?: ValidationOptions): (object: object, propertyName: string) => void;
+//# sourceMappingURL=match-field.decorator.d.ts.map

package/dist/auth/match-field.decorator.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"match-field.decorator.d.ts","sourceRoot":"","sources":["../../src/auth/match-field.decorator.ts"],"names":[],"mappings":"AAAA,OAAO,EAGL,iBAAiB,EAClB,MAAM,iBAAiB,CAAC;AAEzB,wBAAgB,UAAU,CACxB,WAAW,EAAE,MAAM,EACnB,iBAAiB,CAAC,EAAE,iBAAiB,IAEpB,QAAQ,MAAM,EAAE,cAAc,MAAM,UAmBtD"}

package/dist/auth/match-field.decorator.js

@@ -0,0 +1,25 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.MatchField = MatchField;
+const class_validator_1 = require("class-validator");
+function MatchField(sourceField, validationOptions) {
+    return function (object, propertyName) {
+        (0, class_validator_1.registerDecorator)({
+            name: 'matchField',
+            target: object.constructor,
+            propertyName,
+            constraints: [sourceField],
+            options: validationOptions,
+            validator: {
+                validate(value, args) {
+                    const [field] = args.constraints;
+                    return value === args.object[field];
+                },
+                defaultMessage(args) {
+                    const [field] = args.constraints;
+                    return `${args.property} must match ${field}`;
+                },
+            },
+        });
+    };
+}

package/dist/auth/request-password-reset.dto.d.ts

@@ -0,0 +1,4 @@
+export declare class RequestPasswordResetDto {
+    email: string;
+}
+//# sourceMappingURL=request-password-reset.dto.d.ts.map

package/dist/auth/request-password-reset.dto.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"request-password-reset.dto.d.ts","sourceRoot":"","sources":["../../src/auth/request-password-reset.dto.ts"],"names":[],"mappings":"AAGA,qBAAa,uBAAuB;IAKlC,KAAK,EAAE,MAAM,CAAC;CACf"}

package/dist/auth/request-password-reset.dto.js

@@ -0,0 +1,25 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.RequestPasswordResetDto = void 0;
+const swagger_1 = require("@nestjs/swagger");
+const class_validator_1 = require("class-validator");
+class RequestPasswordResetDto {
+    email;
+}
+exports.RequestPasswordResetDto = RequestPasswordResetDto;
+__decorate([
+    (0, swagger_1.ApiProperty)({ description: 'E-mail do usuário', example: 'usuario@empresa.com' }),
+    (0, class_validator_1.IsEmail)({}, { message: 'email deve ser um e-mail válido' }),
+    (0, class_validator_1.IsString)(),
+    (0, class_validator_1.MinLength)(1, { message: 'email não pode ser vazio' }),
+    __metadata("design:type", String)
+], RequestPasswordResetDto.prototype, "email", void 0);

package/dist/users/at-least-one-of.decorator.d.ts

@@ -0,0 +1,7 @@
+import { ValidationOptions } from 'class-validator';
+/**
+ * Ensures at least one of the listed properties is present and non-empty on the object.
+ * Apply to a dummy property (e.g. `_atLeastOne`) that is not sent by clients.
+ */
+export declare function AtLeastOneOf(propertyNames: string[], validationOptions?: ValidationOptions): (object: object, propertyName: string) => void;
+//# sourceMappingURL=at-least-one-of.decorator.d.ts.map

package/dist/users/at-least-one-of.decorator.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"at-least-one-of.decorator.d.ts","sourceRoot":"","sources":["../../src/users/at-least-one-of.decorator.ts"],"names":[],"mappings":"AAAA,OAAO,EAGL,iBAAiB,EAClB,MAAM,iBAAiB,CAAC;AAEzB;;;GAGG;AACH,wBAAgB,YAAY,CAC1B,aAAa,EAAE,MAAM,EAAE,EACvB,iBAAiB,CAAC,EAAE,iBAAiB,IAEpB,QAAQ,MAAM,EAAE,cAAc,MAAM,UAyBtD"}

package/dist/users/at-least-one-of.decorator.js

@@ -0,0 +1,37 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AtLeastOneOf = AtLeastOneOf;
+const class_validator_1 = require("class-validator");
+/**
+ * Ensures at least one of the listed properties is present and non-empty on the object.
+ * Apply to a dummy property (e.g. `_atLeastOne`) that is not sent by clients.
+ */
+function AtLeastOneOf(propertyNames, validationOptions) {
+    return function (object, propertyName) {
+        (0, class_validator_1.registerDecorator)({
+            name: 'atLeastOneOf',
+            target: object.constructor,
+            propertyName,
+            constraints: [propertyNames],
+            options: validationOptions,
+            validator: {
+                validate(_value, args) {
+                    const obj = args.object;
+                    const props = args.constraints[0];
+                    return props.some((prop) => {
+                        const v = obj[prop];
+                        if (v == null)
+                            return false;
+                        if (typeof v === 'string')
+                            return v.trim().length > 0;
+                        return true;
+                    });
+                },
+                defaultMessage(args) {
+                    const props = args.constraints[0];
+                    return `Provide at least one of: ${props.join(', ')}`;
+                },
+            },
+        });
+    };
+}

package/dist/users/index.d.ts

@@ -1,3 +1,7 @@
 export { CreateUserDto, CREATABLE_USER_ROLES, type CreatableUserRole, } from './create-user.dto';
 export { UserListItemDto } from './user-list-item.dto';
+export { UpdateSelfUserDto } from './update-self-user.dto';
+export { UpdateUserByAdminDto, ALL_USER_ROLES, type AllUserRole, } from './update-user-by-admin.dto';
+export { UpdatedUserDto } from './updated-user.dto';
+export type { AuthUpdateSelfPayload, AuthUpdateUserAdminPayload, } from './user-update-kafka-payloads';
 //# sourceMappingURL=index.d.ts.map

package/dist/users/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/users/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,aAAa,EACb,oBAAoB,EACpB,KAAK,iBAAiB,GACvB,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EAAE,eAAe,EAAE,MAAM,sBAAsB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/users/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,aAAa,EACb,oBAAoB,EACpB,KAAK,iBAAiB,GACvB,MAAM,mBAAmB,CAAC;AAC3B,OAAO,EAAE,eAAe,EAAE,MAAM,sBAAsB,CAAC;AACvD,OAAO,EAAE,iBAAiB,EAAE,MAAM,wBAAwB,CAAC;AAC3D,OAAO,EACL,oBAAoB,EACpB,cAAc,EACd,KAAK,WAAW,GACjB,MAAM,4BAA4B,CAAC;AACpC,OAAO,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAC;AACpD,YAAY,EACV,qBAAqB,EACrB,0BAA0B,GAC3B,MAAM,8BAA8B,CAAC"}

package/dist/users/index.js

@@ -1,8 +1,15 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.UserListItemDto = exports.CREATABLE_USER_ROLES = exports.CreateUserDto = void 0;
+exports.UpdatedUserDto = exports.ALL_USER_ROLES = exports.UpdateUserByAdminDto = exports.UpdateSelfUserDto = exports.UserListItemDto = exports.CREATABLE_USER_ROLES = exports.CreateUserDto = void 0;
 var create_user_dto_1 = require("./create-user.dto");
 Object.defineProperty(exports, "CreateUserDto", { enumerable: true, get: function () { return create_user_dto_1.CreateUserDto; } });
 Object.defineProperty(exports, "CREATABLE_USER_ROLES", { enumerable: true, get: function () { return create_user_dto_1.CREATABLE_USER_ROLES; } });
 var user_list_item_dto_1 = require("./user-list-item.dto");
 Object.defineProperty(exports, "UserListItemDto", { enumerable: true, get: function () { return user_list_item_dto_1.UserListItemDto; } });
+var update_self_user_dto_1 = require("./update-self-user.dto");
+Object.defineProperty(exports, "UpdateSelfUserDto", { enumerable: true, get: function () { return update_self_user_dto_1.UpdateSelfUserDto; } });
+var update_user_by_admin_dto_1 = require("./update-user-by-admin.dto");
+Object.defineProperty(exports, "UpdateUserByAdminDto", { enumerable: true, get: function () { return update_user_by_admin_dto_1.UpdateUserByAdminDto; } });
+Object.defineProperty(exports, "ALL_USER_ROLES", { enumerable: true, get: function () { return update_user_by_admin_dto_1.ALL_USER_ROLES; } });
+var updated_user_dto_1 = require("./updated-user.dto");
+Object.defineProperty(exports, "UpdatedUserDto", { enumerable: true, get: function () { return updated_user_dto_1.UpdatedUserDto; } });

package/dist/users/update-self-user.dto.d.ts

@@ -0,0 +1,8 @@
+/** Fields the authenticated user may change on their own profile (no role change). */
+export declare class UpdateSelfUserDto {
+    _atLeastOne?: string;
+    name?: string;
+    email?: string;
+    password?: string;
+}
+//# sourceMappingURL=update-self-user.dto.d.ts.map

package/dist/users/update-self-user.dto.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"update-self-user.dto.d.ts","sourceRoot":"","sources":["../../src/users/update-self-user.dto.ts"],"names":[],"mappings":"AAIA,sFAAsF;AACtF,qBAAa,iBAAiB;IAG5B,WAAW,CAAC,EAAE,MAAM,CAAC;IAWrB,IAAI,CAAC,EAAE,MAAM,CAAC;IAUd,KAAK,CAAC,EAAE,MAAM,CAAC;IAWf,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB"}

package/dist/users/update-self-user.dto.js

@@ -0,0 +1,63 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.UpdateSelfUserDto = void 0;
+const swagger_1 = require("@nestjs/swagger");
+const class_validator_1 = require("class-validator");
+const at_least_one_of_decorator_1 = require("./at-least-one-of.decorator");
+/** Fields the authenticated user may change on their own profile (no role change). */
+class UpdateSelfUserDto {
+    _atLeastOne;
+    name;
+    email;
+    password;
+}
+exports.UpdateSelfUserDto = UpdateSelfUserDto;
+__decorate([
+    (0, swagger_1.ApiHideProperty)(),
+    (0, at_least_one_of_decorator_1.AtLeastOneOf)(['name', 'email', 'password']),
+    __metadata("design:type", String)
+], UpdateSelfUserDto.prototype, "_atLeastOne", void 0);
+__decorate([
+    (0, swagger_1.ApiPropertyOptional)({
+        description: 'Full name',
+        example: 'Maria da Silva',
+        maxLength: 255,
+    }),
+    (0, class_validator_1.IsOptional)(),
+    (0, class_validator_1.IsString)(),
+    (0, class_validator_1.MinLength)(1, { message: 'name cannot be empty when provided' }),
+    (0, class_validator_1.MaxLength)(255),
+    __metadata("design:type", String)
+], UpdateSelfUserDto.prototype, "name", void 0);
+__decorate([
+    (0, swagger_1.ApiPropertyOptional)({
+        description: 'E-mail (unique per tenant)',
+        example: 'maria@empresa.com',
+        maxLength: 255,
+    }),
+    (0, class_validator_1.IsOptional)(),
+    (0, class_validator_1.IsEmail)({}, { message: 'email must be a valid e-mail' }),
+    (0, class_validator_1.MaxLength)(255),
+    __metadata("design:type", String)
+], UpdateSelfUserDto.prototype, "email", void 0);
+__decorate([
+    (0, swagger_1.ApiPropertyOptional)({
+        description: 'New password (bcrypt-hashed on the auth service)',
+        example: 'senha123',
+        minLength: 6,
+    }),
+    (0, class_validator_1.IsOptional)(),
+    (0, class_validator_1.IsString)(),
+    (0, class_validator_1.MinLength)(6, { message: 'password must be at least 6 characters' }),
+    (0, class_validator_1.MaxLength)(255),
+    __metadata("design:type", String)
+], UpdateSelfUserDto.prototype, "password", void 0);

package/dist/users/update-user-by-admin.dto.d.ts

@@ -0,0 +1,11 @@
+export declare const ALL_USER_ROLES: readonly ["administrator", "attendant", "health_professional"];
+export type AllUserRole = (typeof ALL_USER_ROLES)[number];
+/** Fields an administrator may change for any user (including role). */
+export declare class UpdateUserByAdminDto {
+    _atLeastOne?: string;
+    name?: string;
+    email?: string;
+    password?: string;
+    role?: AllUserRole;
+}
+//# sourceMappingURL=update-user-by-admin.dto.d.ts.map

package/dist/users/update-user-by-admin.dto.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"update-user-by-admin.dto.d.ts","sourceRoot":"","sources":["../../src/users/update-user-by-admin.dto.ts"],"names":[],"mappings":"AAIA,eAAO,MAAM,cAAc,gEAIjB,CAAC;AACX,MAAM,MAAM,WAAW,GAAG,CAAC,OAAO,cAAc,CAAC,CAAC,MAAM,CAAC,CAAC;AAE1D,wEAAwE;AACxE,qBAAa,oBAAoB;IAG/B,WAAW,CAAC,EAAE,MAAM,CAAC;IAWrB,IAAI,CAAC,EAAE,MAAM,CAAC;IAUd,KAAK,CAAC,EAAE,MAAM,CAAC;IAWf,QAAQ,CAAC,EAAE,MAAM,CAAC;IAYlB,IAAI,CAAC,EAAE,WAAW,CAAC;CACpB"}

package/dist/users/update-user-by-admin.dto.js

@@ -0,0 +1,82 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.UpdateUserByAdminDto = exports.ALL_USER_ROLES = void 0;
+const swagger_1 = require("@nestjs/swagger");
+const class_validator_1 = require("class-validator");
+const at_least_one_of_decorator_1 = require("./at-least-one-of.decorator");
+exports.ALL_USER_ROLES = [
+    'administrator',
+    'attendant',
+    'health_professional',
+];
+/** Fields an administrator may change for any user (including role). */
+class UpdateUserByAdminDto {
+    _atLeastOne;
+    name;
+    email;
+    password;
+    role;
+}
+exports.UpdateUserByAdminDto = UpdateUserByAdminDto;
+__decorate([
+    (0, swagger_1.ApiHideProperty)(),
+    (0, at_least_one_of_decorator_1.AtLeastOneOf)(['name', 'email', 'password', 'role']),
+    __metadata("design:type", String)
+], UpdateUserByAdminDto.prototype, "_atLeastOne", void 0);
+__decorate([
+    (0, swagger_1.ApiPropertyOptional)({
+        description: 'Full name',
+        example: 'Maria da Silva',
+        maxLength: 255,
+    }),
+    (0, class_validator_1.IsOptional)(),
+    (0, class_validator_1.IsString)(),
+    (0, class_validator_1.MinLength)(1, { message: 'name cannot be empty when provided' }),
+    (0, class_validator_1.MaxLength)(255),
+    __metadata("design:type", String)
+], UpdateUserByAdminDto.prototype, "name", void 0);
+__decorate([
+    (0, swagger_1.ApiPropertyOptional)({
+        description: 'E-mail (unique per tenant)',
+        example: 'maria@empresa.com',
+        maxLength: 255,
+    }),
+    (0, class_validator_1.IsOptional)(),
+    (0, class_validator_1.IsEmail)({}, { message: 'email must be a valid e-mail' }),
+    (0, class_validator_1.MaxLength)(255),
+    __metadata("design:type", String)
+], UpdateUserByAdminDto.prototype, "email", void 0);
+__decorate([
+    (0, swagger_1.ApiPropertyOptional)({
+        description: 'New password (bcrypt-hashed on the auth service)',
+        example: 'senha123',
+        minLength: 6,
+    }),
+    (0, class_validator_1.IsOptional)(),
+    (0, class_validator_1.IsString)(),
+    (0, class_validator_1.MinLength)(6, { message: 'password must be at least 6 characters' }),
+    (0, class_validator_1.MaxLength)(255),
+    __metadata("design:type", String)
+], UpdateUserByAdminDto.prototype, "password", void 0);
+__decorate([
+    (0, swagger_1.ApiPropertyOptional)({
+        description: 'User role',
+        enum: exports.ALL_USER_ROLES,
+        example: 'attendant',
+    }),
+    (0, class_validator_1.IsOptional)(),
+    (0, class_validator_1.IsString)(),
+    (0, class_validator_1.IsIn)(exports.ALL_USER_ROLES, {
+        message: 'role must be administrator, attendant, or health_professional',
+    }),
+    __metadata("design:type", String)
+], UpdateUserByAdminDto.prototype, "role", void 0);

package/dist/users/updated-user.dto.d.ts

@@ -0,0 +1,10 @@
+/** User payload returned after create or update (no password). */
+export declare class UpdatedUserDto {
+    userId: string;
+    name: string;
+    email: string;
+    role: 'administrator' | 'attendant' | 'health_professional';
+    createdAt: Date;
+    updatedAt: Date;
+}
+//# sourceMappingURL=updated-user.dto.d.ts.map

package/dist/users/updated-user.dto.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"updated-user.dto.d.ts","sourceRoot":"","sources":["../../src/users/updated-user.dto.ts"],"names":[],"mappings":"AAEA,kEAAkE;AAClE,qBAAa,cAAc;IAMzB,MAAM,EAAE,MAAM,CAAC;IAGf,IAAI,EAAE,MAAM,CAAC;IAGb,KAAK,EAAE,MAAM,CAAC;IAOd,IAAI,EAAE,eAAe,GAAG,WAAW,GAAG,qBAAqB,CAAC;IAG5D,SAAS,EAAE,IAAI,CAAC;IAGhB,SAAS,EAAE,IAAI,CAAC;CACjB"}

package/dist/users/updated-user.dto.js

@@ -0,0 +1,55 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.UpdatedUserDto = void 0;
+const swagger_1 = require("@nestjs/swagger");
+/** User payload returned after create or update (no password). */
+class UpdatedUserDto {
+    userId;
+    name;
+    email;
+    role;
+    createdAt;
+    updatedAt;
+}
+exports.UpdatedUserDto = UpdatedUserDto;
+__decorate([
+    (0, swagger_1.ApiProperty)({
+        format: 'uuid',
+        description: 'User identifier',
+        example: '550e8400-e29b-41d4-a716-446655440000',
+    }),
+    __metadata("design:type", String)
+], UpdatedUserDto.prototype, "userId", void 0);
+__decorate([
+    (0, swagger_1.ApiProperty)({ description: 'Full name', example: 'Maria da Silva' }),
+    __metadata("design:type", String)
+], UpdatedUserDto.prototype, "name", void 0);
+__decorate([
+    (0, swagger_1.ApiProperty)({ description: 'E-mail (unique per tenant)', example: 'maria@empresa.com' }),
+    __metadata("design:type", String)
+], UpdatedUserDto.prototype, "email", void 0);
+__decorate([
+    (0, swagger_1.ApiProperty)({
+        description: 'User role',
+        enum: ['administrator', 'attendant', 'health_professional'],
+        example: 'attendant',
+    }),
+    __metadata("design:type", String)
+], UpdatedUserDto.prototype, "role", void 0);
+__decorate([
+    (0, swagger_1.ApiProperty)({ description: 'Creation timestamp' }),
+    __metadata("design:type", Date)
+], UpdatedUserDto.prototype, "createdAt", void 0);
+__decorate([
+    (0, swagger_1.ApiProperty)({ description: 'Last update timestamp' }),
+    __metadata("design:type", Date)
+], UpdatedUserDto.prototype, "updatedAt", void 0);

package/dist/users/user-update-kafka-payloads.d.ts

@@ -0,0 +1,24 @@
+/**
+ * Kafka payload for auth.update_self (tychat-api → tychat-auth-service).
+ */
+export interface AuthUpdateSelfPayload {
+    tenant?: string;
+    userId: string;
+    name?: string;
+    email?: string;
+    password?: string;
+}
+/**
+ * Kafka payload for auth.update_user_admin (tychat-api → tychat-auth-service).
+ * actorRole must be "administrator" or the handler rejects the request.
+ */
+export interface AuthUpdateUserAdminPayload {
+    tenant?: string;
+    actorRole: string;
+    targetUserId: string;
+    name?: string;
+    email?: string;
+    password?: string;
+    role?: 'administrator' | 'attendant' | 'health_professional';
+}
+//# sourceMappingURL=user-update-kafka-payloads.d.ts.map

package/dist/users/user-update-kafka-payloads.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"user-update-kafka-payloads.d.ts","sourceRoot":"","sources":["../../src/users/user-update-kafka-payloads.ts"],"names":[],"mappings":"AAAA;;GAEG;AACH,MAAM,WAAW,qBAAqB;IACpC,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,QAAQ,CAAC,EAAE,MAAM,CAAC;CACnB;AAED;;;GAGG;AACH,MAAM,WAAW,0BAA0B;IACzC,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;IAClB,YAAY,EAAE,MAAM,CAAC;IACrB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,IAAI,CAAC,EAAE,eAAe,GAAG,WAAW,GAAG,qBAAqB,CAAC;CAC9D"}

package/dist/users/user-update-kafka-payloads.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "tychat-contracts",
-  "version": "1.0.47",
+  "version": "1.0.49",
   "description": "DTOs compartilhados com class-validator (API e microserviços)",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",

package/src/auth/auth-kafka.payloads.ts

@@ -1,7 +1,7 @@
-import { ApiProperty } from "@nestjs/swagger";
-import { LoginDto } from "./login.dto";
-import { IsString, MaxLength, MinLength } from "class-validator";
-import { RefreshTokenDto } from "./refresh-token.dto";
+import { ApiProperty } from '@nestjs/swagger';
+import { IsString, MaxLength, MinLength } from 'class-validator';
+import { LoginDto } from './login.dto';
+import { RefreshTokenDto } from './refresh-token.dto';
 
 export class LoginPayload extends LoginDto {
   @ApiProperty({ description: 'ID do tenant', example: 'tenant1' })
@@ -31,4 +31,38 @@ export class RefreshPayload extends RefreshTokenDto {
   @MinLength(1, { message: 'tenant não pode ser vazio' })
   @MaxLength(255)
   tenant: string;
+}
+
+export class RequestPasswordResetPayload {
+  @ApiProperty({ description: 'ID do tenant', example: 'tenant1' })
+  @IsString()
+  @MinLength(1, { message: 'tenant não pode ser vazio' })
+  @MaxLength(255)
+  tenant: string;
+
+  @ApiProperty({ description: 'E-mail do usuário', example: 'usuario@empresa.com' })
+  @IsString()
+  @MinLength(1, { message: 'email não pode ser vazio' })
+  @MaxLength(255)
+  email: string;
+}
+
+export class ConfirmPasswordResetPayload {
+  @ApiProperty({ description: 'ID do tenant', example: 'tenant1' })
+  @IsString()
+  @MinLength(1, { message: 'tenant não pode ser vazio' })
+  @MaxLength(255)
+  tenant: string;
+
+  @ApiProperty({ description: 'Token de verificação para reset de senha', example: 'a3b5f3c1...' })
+  @IsString()
+  @MinLength(1, { message: 'verify_token não pode ser vazio' })
+  @MaxLength(255)
+  verify_token: string;
+
+  @ApiProperty({ description: 'Nova senha do usuário', example: 'senha123' })
+  @IsString()
+  @MinLength(6, { message: 'password deve ter no mínimo 6 caracteres' })
+  @MaxLength(255)
+  password: string;
 }

package/src/auth/auth-login-response.dto.ts

@@ -0,0 +1,15 @@
+import { ApiProperty } from '@nestjs/swagger';
+
+export class AuthLoginResponseDto {
+  @ApiProperty({ description: 'Token de acesso JWT' })
+  access_token: string;
+
+  @ApiProperty({ description: 'Token de refresh JWT' })
+  refresh_token: string;
+
+  @ApiProperty({
+    description: 'Indica se o usuário deve alterar a senha no primeiro acesso',
+    example: true,
+  })
+  force_change_password: boolean;
+}

package/src/auth/confirm-password-reset.dto.ts

@@ -0,0 +1,33 @@
+import { ApiProperty } from '@nestjs/swagger';
+import { IsString, MaxLength, MinLength } from 'class-validator';
+import { MatchField } from './match-field.decorator';
+
+export class ConfirmPasswordResetDto {
+  @ApiProperty({
+    description: 'Token de verificação recebido para troca de senha',
+    example: 'a3b5f3c1ef65...',
+  })
+  @IsString()
+  @MinLength(1, { message: 'verify_token não pode ser vazio' })
+  @MaxLength(255)
+  verify_token: string;
+
+  @ApiProperty({ description: 'Nova senha', example: 'senha123', minLength: 6 })
+  @IsString()
+  @MinLength(6, { message: 'password deve ter no mínimo 6 caracteres' })
+  @MaxLength(255)
+  password: string;
+
+  @ApiProperty({
+    description: 'Confirmação da nova senha',
+    example: 'senha123',
+    minLength: 6,
+  })
+  @IsString()
+  @MinLength(6, { message: 'password_confirmation deve ter no mínimo 6 caracteres' })
+  @MaxLength(255)
+  @MatchField('password', {
+    message: 'password_confirmation deve ser igual a password',
+  })
+  password_confirmation: string;
+}

package/src/auth/index.ts

@@ -1,7 +1,12 @@
 export { LoginDto } from './login.dto';
-export type {
+export {
   LoginPayload,
   ValidatePayload,
   RefreshPayload,
+  RequestPasswordResetPayload,
+  ConfirmPasswordResetPayload,
 } from './auth-kafka.payloads';
 export { RefreshTokenDto } from './refresh-token.dto';
+export { RequestPasswordResetDto } from './request-password-reset.dto';
+export { ConfirmPasswordResetDto } from './confirm-password-reset.dto';
+export { AuthLoginResponseDto } from './auth-login-response.dto';

package/src/auth/match-field.decorator.ts

@@ -0,0 +1,30 @@
+import {
+  registerDecorator,
+  ValidationArguments,
+  ValidationOptions,
+} from 'class-validator';
+
+export function MatchField(
+  sourceField: string,
+  validationOptions?: ValidationOptions,
+) {
+  return function (object: object, propertyName: string) {
+    registerDecorator({
+      name: 'matchField',
+      target: object.constructor,
+      propertyName,
+      constraints: [sourceField],
+      options: validationOptions,
+      validator: {
+        validate(value: unknown, args: ValidationArguments) {
+          const [field] = args.constraints as [string];
+          return value === (args.object as Record<string, unknown>)[field];
+        },
+        defaultMessage(args: ValidationArguments) {
+          const [field] = args.constraints as [string];
+          return `${args.property} must match ${field}`;
+        },
+      },
+    });
+  };
+}

package/src/auth/request-password-reset.dto.ts

@@ -0,0 +1,10 @@
+import { ApiProperty } from '@nestjs/swagger';
+import { IsEmail, IsString, MinLength } from 'class-validator';
+
+export class RequestPasswordResetDto {
+  @ApiProperty({ description: 'E-mail do usuário', example: 'usuario@empresa.com' })
+  @IsEmail({}, { message: 'email deve ser um e-mail válido' })
+  @IsString()
+  @MinLength(1, { message: 'email não pode ser vazio' })
+  email: string;
+}

package/src/users/at-least-one-of.decorator.ts

@@ -0,0 +1,40 @@
+import {
+  registerDecorator,
+  ValidationArguments,
+  ValidationOptions,
+} from 'class-validator';
+
+/**
+ * Ensures at least one of the listed properties is present and non-empty on the object.
+ * Apply to a dummy property (e.g. `_atLeastOne`) that is not sent by clients.
+ */
+export function AtLeastOneOf(
+  propertyNames: string[],
+  validationOptions?: ValidationOptions,
+) {
+  return function (object: object, propertyName: string) {
+    registerDecorator({
+      name: 'atLeastOneOf',
+      target: object.constructor,
+      propertyName,
+      constraints: [propertyNames],
+      options: validationOptions,
+      validator: {
+        validate(_value: unknown, args: ValidationArguments) {
+          const obj = args.object as Record<string, unknown>;
+          const props = args.constraints[0] as string[];
+          return props.some((prop) => {
+            const v = obj[prop];
+            if (v == null) return false;
+            if (typeof v === 'string') return v.trim().length > 0;
+            return true;
+          });
+        },
+        defaultMessage(args: ValidationArguments) {
+          const props = args.constraints[0] as string[];
+          return `Provide at least one of: ${props.join(', ')}`;
+        },
+      },
+    });
+  };
+}

package/src/users/index.ts

@@ -4,3 +4,14 @@ export {
   type CreatableUserRole,
 } from './create-user.dto';
 export { UserListItemDto } from './user-list-item.dto';
+export { UpdateSelfUserDto } from './update-self-user.dto';
+export {
+  UpdateUserByAdminDto,
+  ALL_USER_ROLES,
+  type AllUserRole,
+} from './update-user-by-admin.dto';
+export { UpdatedUserDto } from './updated-user.dto';
+export type {
+  AuthUpdateSelfPayload,
+  AuthUpdateUserAdminPayload,
+} from './user-update-kafka-payloads';

package/src/users/update-self-user.dto.ts

@@ -0,0 +1,42 @@
+import { ApiHideProperty, ApiPropertyOptional } from '@nestjs/swagger';
+import { IsEmail, IsOptional, IsString, MaxLength, MinLength } from 'class-validator';
+import { AtLeastOneOf } from './at-least-one-of.decorator';
+
+/** Fields the authenticated user may change on their own profile (no role change). */
+export class UpdateSelfUserDto {
+  @ApiHideProperty()
+  @AtLeastOneOf(['name', 'email', 'password'])
+  _atLeastOne?: string;
+
+  @ApiPropertyOptional({
+    description: 'Full name',
+    example: 'Maria da Silva',
+    maxLength: 255,
+  })
+  @IsOptional()
+  @IsString()
+  @MinLength(1, { message: 'name cannot be empty when provided' })
+  @MaxLength(255)
+  name?: string;
+
+  @ApiPropertyOptional({
+    description: 'E-mail (unique per tenant)',
+    example: 'maria@empresa.com',
+    maxLength: 255,
+  })
+  @IsOptional()
+  @IsEmail({}, { message: 'email must be a valid e-mail' })
+  @MaxLength(255)
+  email?: string;
+
+  @ApiPropertyOptional({
+    description: 'New password (bcrypt-hashed on the auth service)',
+    example: 'senha123',
+    minLength: 6,
+  })
+  @IsOptional()
+  @IsString()
+  @MinLength(6, { message: 'password must be at least 6 characters' })
+  @MaxLength(255)
+  password?: string;
+}

package/src/users/update-user-by-admin.dto.ts

@@ -0,0 +1,61 @@
+import { ApiHideProperty, ApiPropertyOptional } from '@nestjs/swagger';
+import { IsEmail, IsIn, IsOptional, IsString, MaxLength, MinLength } from 'class-validator';
+import { AtLeastOneOf } from './at-least-one-of.decorator';
+
+export const ALL_USER_ROLES = [
+  'administrator',
+  'attendant',
+  'health_professional',
+] as const;
+export type AllUserRole = (typeof ALL_USER_ROLES)[number];
+
+/** Fields an administrator may change for any user (including role). */
+export class UpdateUserByAdminDto {
+  @ApiHideProperty()
+  @AtLeastOneOf(['name', 'email', 'password', 'role'])
+  _atLeastOne?: string;
+
+  @ApiPropertyOptional({
+    description: 'Full name',
+    example: 'Maria da Silva',
+    maxLength: 255,
+  })
+  @IsOptional()
+  @IsString()
+  @MinLength(1, { message: 'name cannot be empty when provided' })
+  @MaxLength(255)
+  name?: string;
+
+  @ApiPropertyOptional({
+    description: 'E-mail (unique per tenant)',
+    example: 'maria@empresa.com',
+    maxLength: 255,
+  })
+  @IsOptional()
+  @IsEmail({}, { message: 'email must be a valid e-mail' })
+  @MaxLength(255)
+  email?: string;
+
+  @ApiPropertyOptional({
+    description: 'New password (bcrypt-hashed on the auth service)',
+    example: 'senha123',
+    minLength: 6,
+  })
+  @IsOptional()
+  @IsString()
+  @MinLength(6, { message: 'password must be at least 6 characters' })
+  @MaxLength(255)
+  password?: string;
+
+  @ApiPropertyOptional({
+    description: 'User role',
+    enum: ALL_USER_ROLES,
+    example: 'attendant',
+  })
+  @IsOptional()
+  @IsString()
+  @IsIn(ALL_USER_ROLES, {
+    message: 'role must be administrator, attendant, or health_professional',
+  })
+  role?: AllUserRole;
+}

package/src/users/updated-user.dto.ts

@@ -0,0 +1,30 @@
+import { ApiProperty } from '@nestjs/swagger';
+
+/** User payload returned after create or update (no password). */
+export class UpdatedUserDto {
+  @ApiProperty({
+    format: 'uuid',
+    description: 'User identifier',
+    example: '550e8400-e29b-41d4-a716-446655440000',
+  })
+  userId: string;
+
+  @ApiProperty({ description: 'Full name', example: 'Maria da Silva' })
+  name: string;
+
+  @ApiProperty({ description: 'E-mail (unique per tenant)', example: 'maria@empresa.com' })
+  email: string;
+
+  @ApiProperty({
+    description: 'User role',
+    enum: ['administrator', 'attendant', 'health_professional'],
+    example: 'attendant',
+  })
+  role: 'administrator' | 'attendant' | 'health_professional';
+
+  @ApiProperty({ description: 'Creation timestamp' })
+  createdAt: Date;
+
+  @ApiProperty({ description: 'Last update timestamp' })
+  updatedAt: Date;
+}

package/src/users/user-update-kafka-payloads.ts

@@ -0,0 +1,24 @@
+/**
+ * Kafka payload for auth.update_self (tychat-api → tychat-auth-service).
+ */
+export interface AuthUpdateSelfPayload {
+  tenant?: string;
+  userId: string;
+  name?: string;
+  email?: string;
+  password?: string;
+}
+
+/**
+ * Kafka payload for auth.update_user_admin (tychat-api → tychat-auth-service).
+ * actorRole must be "administrator" or the handler rejects the request.
+ */
+export interface AuthUpdateUserAdminPayload {
+  tenant?: string;
+  actorRole: string;
+  targetUserId: string;
+  name?: string;
+  email?: string;
+  password?: string;
+  role?: 'administrator' | 'attendant' | 'health_professional';
+}