Namespace Tharga.Team
Classes
- ApiKeyLifecycleContext
Information handed to an IApiKeyLifecycleHandler when an API key is created, recycled, or deleted. On Created and Recycled the PrivateToken carries the raw key value — the only moment it is available programmatically. The host is responsible for protecting anything it captures; Tharga Team never persists, logs, or exposes the token elsewhere.
- ApiKeyOptions
Configuration options for API key management.
- ApiKeyScopes
Scope constants for API key management.
- AuditScopes
Scope constants for the audit log.
- MemberNameChangedArgs
Arguments for the
OnMemberNameChangedcallback fired byTeamComponentafter a successful inline edit of Name.
- RequireAccessLevelAttribute
Declares the minimum access level required to call this method.
- RequireScopeAttribute
Declares the scope required to call this method.
- ResilientMemberLookup
Resilient lookup against in-memory sequences that are expected to contain at most one match but where duplicate rows have been observed in production data (see GitHub issue Tharga/Platform#64). Returns the first match and logs a warning when more than one match is present, instead of throwing the way Single<TSource>(IEnumerable<TSource>, Func<TSource, bool>) would. Duplicates are surfaced via
ILoggerso they can be found and cleaned up out of band.
- ScopeDefinition
Defines a scope with its default minimum access level and an optional human-readable description (shown as a tooltip in the scope picker).
- ScopeRegistry
Stores scope definitions and resolves effective scopes for a given access level. Owner and Administrator get all registered scopes. User gets scopes registered at User or Viewer level. Viewer gets only scopes registered at Viewer level. Custom gets no base scopes at all (exempt from the Owner/Administrator all-scopes rule); its effective scopes come solely from roles and scope overrides. Role scopes are unioned with access level scopes.
- SystemRoleRegistry
Maps app/global role names to system scopes. Role names are matched case-insensitively.
- SystemScopeDefinition
Defines a system-level scope (a global capability granted to system API keys and, via role mapping, to privileged users). Unlike team scopes, system scopes have no access-level hierarchy — they are a flat set.
- SystemScopeRegistry
Stores system-level scope definitions. A flat set (no access level) — system keys carry an explicit list, and privileged roles map to a subset.
- Tag
A system-set key-value tag on an API key. Tags are a list (not a map), so the same Key may appear more than once (e.g. a combination key tagged with multiple types). Each tag is surfaced as a
tag.{Key}claim on the authenticated principal.
- TeamClaimTypes
Claim type constants for team-based authorization.
- TeamManagementService<TMember>
Delegates to ITeamService for all operations. Scope enforcement is handled by
ScopeProxy<T>in Tharga.Team.Service. Generic methods (GetTeamsAsync, DeleteTeamAsync, RenameTeamAsync) call non-generic internal versions since the proxy resolves the member type from the team data.
- TeamScopes
Scope constants for team and member management.
- TenantRoleDefinition
Defines a tenant role with its associated scopes and an optional human-readable description (shown as a tooltip in the role picker, alongside the scopes the role grants).
- TenantRoleRegistry
Stores tenant role definitions and resolves scopes for assigned roles.
- TenantRoleServiceCollectionExtensions
Extension methods for registering tenant roles.
Interfaces
- IApiKey
Represents an API key with associated metadata.
- IApiKeyAdministrationService
Service for managing and validating API keys.
- IApiKeyLifecycleHandler
Opt-in hook that receives an API key's private token at the moment it exists — on create and on recycle/regenerate — plus a tokenless signal on delete. Register one or more implementations with
AddThargaApiKeyLifecycleHandler<T>(); they are invoked after the corresponding operation succeeds.The token is handed only to in-process code the host explicitly registered. If the handler throws, the originating operation (create/recycle/delete) throws too — capture failures are not swallowed.
- IApiKeyManagementService
User-facing service for API key management. All methods require the apikey:manage scope.
- IScopeRegistry
Registry of all known scopes. Used at runtime to resolve effective scopes for an access level.
- ISystemRoleRegistry
Maps app/global roles (e.g. "Developer", "Administrator") to system-level scopes, so privileged users gain those scopes as claims — the user-side counterpart to a system API key's explicit scope list.
- ISystemScopeRegistry
Registry of system-level (global) scopes — the capabilities a system API key (or a privileged role) may hold. Separate from the team IScopeRegistry, which is access-level based and team-scoped.
- ITeamClaimsEnricher
Implement to inject custom claims (e.g. global roles) before team consent evaluation. Register via
AddClaimsEnricher<T>()onThargaBlazorOptions. Called once per request inside TeamServerClaimsTransformation, before member lookup and consent check.
- ITeamEmailSender
Abstraction for sending team-related emails. Consumers can implement this to use their own email infrastructure (SendGrid, Azure, etc.). When not registered, invite dialogs fall back to manual link copying.
- ITeamManagementService
Scope-enforced service for team management mutations. Read operations use ITeamService directly.
- ITenantRoleRegistry
Registry of tenant role definitions. Used at runtime to resolve scopes for assigned roles.
Enums
- ApiKeyLifecycleReason
Why an IApiKeyLifecycleHandler is being invoked.