fix(ci): add missing policy providers and restore scalar policy payload typing

Signed-off-by: Vitor Mattos <1079143+vitormattos@users.noreply.github.com>

Author: vitormattos

lib/Service/Policy/Provider/IdentifyMethods/IdentifyMethodsPolicy.php

@@ -0,0 +1,47 @@
+<?php
+
+declare(strict_types=1);
+/**
+ * SPDX-FileCopyrightText: 2026 LibreCode coop and contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+namespace OCA\Libresign\Service\Policy\Provider\IdentifyMethods;
+
+use OCA\Libresign\Service\Policy\Contract\IPolicyDefinition;
+use OCA\Libresign\Service\Policy\Contract\IPolicyDefinitionProvider;
+use OCA\Libresign\Service\Policy\Model\PolicySpec;
+
+final class IdentifyMethodsPolicy implements IPolicyDefinitionProvider {
+	public const KEY = 'identify_methods';
+	public const SYSTEM_APP_CONFIG_KEY = self::KEY;
+
+	#[\Override]
+	public function keys(): array {
+		return [
+			self::KEY,
+		];
+	}
+
+	#[\Override]
+	public function get(string|\BackedEnum $policyKey): IPolicyDefinition {
+		return match ($this->normalizePolicyKey($policyKey)) {
+			self::KEY => new PolicySpec(
+				key: self::KEY,
+				defaultSystemValue: [],
+				allowedValues: static fn (): array => [],
+				normalizer: static fn (mixed $rawValue): array => \OCA\Libresign\Service\Policy\Provider\IdentifyMethods\IdentifyMethodsPolicyValue::normalize($rawValue),
+				appConfigKey: self::SYSTEM_APP_CONFIG_KEY,
+			),
+			default => throw new \InvalidArgumentException('Unknown policy key: ' . $this->normalizePolicyKey($policyKey)),
+		};
+	}
+
+	private function normalizePolicyKey(string|\BackedEnum $policyKey): string {
+		if ($policyKey instanceof \BackedEnum) {
+			return (string)$policyKey->value;
+		}
+
+		return $policyKey;
+	}
+}

lib/Service/Policy/Provider/IdentifyMethods/IdentifyMethodsPolicyValue.php

@@ -0,0 +1,87 @@
+<?php
+
+declare(strict_types=1);
+/**
+ * SPDX-FileCopyrightText: 2026 LibreCode coop and contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+namespace OCA\Libresign\Service\Policy\Provider\IdentifyMethods;
+
+final class IdentifyMethodsPolicyValue {
+	/**
+	 * @return list<array<string, mixed>>
+	 */
+	public static function normalize(mixed $rawValue): array {
+		if (is_string($rawValue)) {
+			$decoded = json_decode($rawValue, true);
+			if (is_array($decoded)) {
+				$rawValue = $decoded;
+			}
+		}
+
+		if (!is_array($rawValue)) {
+			return [];
+		}
+
+		$normalized = [];
+		foreach ($rawValue as $entry) {
+			if (!is_array($entry)) {
+				continue;
+			}
+
+			$name = isset($entry['name']) && is_string($entry['name'])
+				? trim($entry['name'])
+				: '';
+			if ($name === '') {
+				continue;
+			}
+
+			$signatureMethods = [];
+			if (isset($entry['signatureMethods']) && is_array($entry['signatureMethods'])) {
+				foreach ($entry['signatureMethods'] as $signatureMethodName => $signatureMethodConfig) {
+					if (!is_string($signatureMethodName) || trim($signatureMethodName) === '' || !is_array($signatureMethodConfig)) {
+						continue;
+					}
+
+					$normalizedSignatureMethod = [];
+					if (array_key_exists('enabled', $signatureMethodConfig)) {
+						$normalizedSignatureMethod['enabled'] = (bool)$signatureMethodConfig['enabled'];
+					}
+
+					if (isset($signatureMethodConfig['label']) && is_string($signatureMethodConfig['label'])) {
+						$normalizedSignatureMethod['label'] = $signatureMethodConfig['label'];
+					}
+
+					$signatureMethods[$signatureMethodName] = $normalizedSignatureMethod;
+				}
+			}
+
+			$normalizedEntry = [
+				'name' => $name,
+				'enabled' => array_key_exists('enabled', $entry) ? (bool)$entry['enabled'] : true,
+				'signatureMethods' => $signatureMethods,
+			];
+
+			if (isset($entry['friendly_name']) && is_string($entry['friendly_name'])) {
+				$normalizedEntry['friendly_name'] = $entry['friendly_name'];
+			}
+
+			if (array_key_exists('can_create_account', $entry)) {
+				$normalizedEntry['can_create_account'] = (bool)$entry['can_create_account'];
+			}
+
+			if (array_key_exists('mandatory', $entry)) {
+				$normalizedEntry['mandatory'] = (bool)$entry['mandatory'];
+			}
+
+			if (isset($entry['signatureMethodEnabled']) && is_string($entry['signatureMethodEnabled'])) {
+				$normalizedEntry['signatureMethodEnabled'] = $entry['signatureMethodEnabled'];
+			}
+
+			$normalized[] = $normalizedEntry;
+		}
+
+		return $normalized;
+	}
+}

lib/Service/Policy/Provider/Tsa/TsaPolicy.php

@@ -0,0 +1,48 @@
+<?php
+
+declare(strict_types=1);
+/**
+ * SPDX-FileCopyrightText: 2026 LibreCode coop and contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+namespace OCA\Libresign\Service\Policy\Provider\Tsa;
+
+use OCA\Libresign\Service\Policy\Contract\IPolicyDefinition;
+use OCA\Libresign\Service\Policy\Contract\IPolicyDefinitionProvider;
+use OCA\Libresign\Service\Policy\Model\PolicySpec;
+
+final class TsaPolicy implements IPolicyDefinitionProvider {
+	public const KEY = 'tsa_settings';
+	public const SYSTEM_APP_CONFIG_KEY = self::KEY;
+
+	#[\Override]
+	public function keys(): array {
+		return [
+			self::KEY,
+		];
+	}
+
+	#[\Override]
+	public function get(string|\BackedEnum $policyKey): IPolicyDefinition {
+		return match ($this->normalizePolicyKey($policyKey)) {
+			self::KEY => new PolicySpec(
+				key: self::KEY,
+				defaultSystemValue: TsaPolicyValue::encode(TsaPolicyValue::defaults()),
+				allowedValues: static fn (): array => [],
+				normalizer: static fn (mixed $rawValue): string => TsaPolicyValue::encode($rawValue),
+				appConfigKey: self::SYSTEM_APP_CONFIG_KEY,
+				supportsUserPreference: false,
+			),
+			default => throw new \InvalidArgumentException('Unknown policy key: ' . $this->normalizePolicyKey($policyKey)),
+		};
+	}
+
+	private function normalizePolicyKey(string|\BackedEnum $policyKey): string {
+		if ($policyKey instanceof \BackedEnum) {
+			return (string)$policyKey->value;
+		}
+
+		return $policyKey;
+	}
+}

lib/Service/Policy/Provider/Tsa/TsaPolicyValue.php

@@ -0,0 +1,73 @@
+<?php
+
+declare(strict_types=1);
+/**
+ * SPDX-FileCopyrightText: 2026 LibreCode coop and contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+namespace OCA\Libresign\Service\Policy\Provider\Tsa;
+
+final class TsaPolicyValue {
+	/** @return array{url: string, policy_oid: string, auth_type: string, username: string} */
+	public static function defaults(): array {
+		return [
+			'url' => '',
+			'policy_oid' => '',
+			'auth_type' => 'none',
+			'username' => '',
+		];
+	}
+
+	/** @return array{url: string, policy_oid: string, auth_type: string, username: string} */
+	public static function decode(mixed $rawValue): array {
+		if (is_string($rawValue)) {
+			$decoded = json_decode($rawValue, true);
+			if (is_array($decoded)) {
+				$rawValue = $decoded;
+			}
+		}
+
+		if (!is_array($rawValue)) {
+			return self::defaults();
+		}
+
+		$url = isset($rawValue['url']) && is_string($rawValue['url'])
+			? trim($rawValue['url'])
+			: '';
+
+		$policyOid = isset($rawValue['policy_oid']) && is_string($rawValue['policy_oid'])
+			? trim($rawValue['policy_oid'])
+			: '';
+
+		if ($policyOid !== '' && !preg_match('/^[0-9]+(\.[0-9]+)*$/', $policyOid)) {
+			$policyOid = '';
+		}
+
+		$authType = isset($rawValue['auth_type']) && is_string($rawValue['auth_type'])
+			? trim($rawValue['auth_type'])
+			: 'none';
+		if (!in_array($authType, ['none', 'basic'], true)) {
+			$authType = 'none';
+		}
+
+		$username = isset($rawValue['username']) && is_string($rawValue['username'])
+			? trim($rawValue['username'])
+			: '';
+
+		if ($authType !== 'basic') {
+			$username = '';
+		}
+
+		return [
+			'url' => $url,
+			'policy_oid' => $policyOid,
+			'auth_type' => $authType,
+			'username' => $username,
+		];
+	}
+
+	public static function encode(mixed $rawValue): string {
+		return json_encode(self::decode($rawValue), JSON_THROW_ON_ERROR | JSON_UNESCAPED_SLASHES);
+	}
+}

src/types/index.ts

@@ -54,7 +54,7 @@ export type SignatureFlowValue = SignatureFlowMode | 0 | 1 | 2
 export type EffectivePoliciesResponse = ApiOcsResponseData<ApiOperations['policy-effective'], 200>
 export type EffectivePoliciesState = EffectivePoliciesResponse['policies']
 export type EffectivePolicyState = ApiRecordValue<EffectivePoliciesState>
-export type EffectivePolicyValue = Exclude<ApiRequestJsonBody<AdminOperations['policy-set-system']>['value'], undefined> | unknown[]
+export type EffectivePolicyValue = Exclude<ApiRequestJsonBody<AdminOperations['policy-set-system']>['value'], undefined>
 export type GroupPolicyResponse = ApiOcsResponseData<ApiOperations['policy-get-group'], 200>
 export type GroupPolicyState = GroupPolicyResponse['policy']
 

src/views/Settings/PolicyWorkbench/settings/identify-methods/IdentifyMethodsRuleEditor.vue

@@ -55,8 +55,8 @@ import type { EffectivePolicyValue } from '../../../../../types/index'
 import {
 	normalizeIdentifyMethodsPolicy,
 	serializeIdentifyMethodsPolicy,
-	type IdentifyMethodPolicyEntry,
 } from './model'
+import type { IdentifyMethodPolicyEntry } from './model'
 
 defineOptions({
 	name: 'IdentifyMethodsRuleEditor',
@@ -67,7 +67,7 @@ const props = defineProps<{
 }>()
 
 const emit = defineEmits<{
-	'update:modelValue': [value: IdentifyMethodPolicyEntry[]]
+	'update:modelValue': [value: EffectivePolicyValue]
 }>()
 
 const entries = computed(() => {

src/views/Settings/PolicyWorkbench/settings/identify-methods/model.ts

@@ -64,8 +64,8 @@ export function normalizeIdentifyMethodsPolicy(value: EffectivePolicyValue): Ide
 	return normalized
 }
 
-export function serializeIdentifyMethodsPolicy(entries: IdentifyMethodPolicyEntry[]): IdentifyMethodPolicyEntry[] {
-	return entries.map((entry) => {
+export function serializeIdentifyMethodsPolicy(entries: IdentifyMethodPolicyEntry[]): string {
+	const normalizedEntries = entries.map((entry) => {
 		const signatureMethods: Record<string, IdentifyMethodSignatureMethod> = {}
 
 		for (const [signatureMethodName, signatureMethod] of Object.entries(entry.signatureMethods)) {
@@ -98,6 +98,8 @@ export function serializeIdentifyMethodsPolicy(entries: IdentifyMethodPolicyEntr
 
 		return normalizedEntry
 	})
+
+	return JSON.stringify(normalizedEntries)
 }
 
 function normalizeSignatureMethods(value: unknown): Record<string, IdentifyMethodSignatureMethod> {

src/views/Settings/PolicyWorkbench/settings/identify-methods/realDefinition.ts

@@ -18,7 +18,7 @@ export const identifyMethodsRealDefinition: RealPolicySettingDefinition = {
 	supportedScopes: ['system', 'group', 'user'],
 	editor: IdentifyMethodsRuleEditor,
 	resolutionMode: 'precedence',
-	createEmptyValue: () => [],
+	createEmptyValue: () => serializeIdentifyMethodsPolicy([]),
 	normalizeDraftValue: (value: EffectivePolicyValue) => serializeIdentifyMethodsPolicy(normalizeIdentifyMethodsPolicy(value)),
 	hasSelectableDraftValue: () => true,
 	normalizeAllowChildOverride: (_scope, allowChildOverride: boolean) => allowChildOverride,
@@ -27,7 +27,7 @@ export const identifyMethodsRealDefinition: RealPolicySettingDefinition = {
 			return policyValue
 		}
 
-		return []
+		return serializeIdentifyMethodsPolicy([])
 	},
 	summarizeValue: (value: EffectivePolicyValue) => {
 		const normalized = normalizeIdentifyMethodsPolicy(value)

tests/php/Unit/Service/Policy/Provider/IdentifyMethods/IdentifyMethodsPolicyTest.php

@@ -0,0 +1,64 @@
+<?php
+
+declare(strict_types=1);
+/**
+ * SPDX-FileCopyrightText: 2026 LibreCode coop and contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+namespace OCA\Libresign\Tests\Unit\Service\Policy\Provider\IdentifyMethods;
+
+use OCA\Libresign\Service\Policy\Provider\IdentifyMethods\IdentifyMethodsPolicy;
+use PHPUnit\Framework\TestCase;
+
+final class IdentifyMethodsPolicyTest extends TestCase {
+	public function testProviderBuildsIdentifyMethodsDefinition(): void {
+		$provider = new IdentifyMethodsPolicy();
+		$this->assertSame([IdentifyMethodsPolicy::KEY], $provider->keys());
+
+		$definition = $provider->get(IdentifyMethodsPolicy::KEY);
+		$this->assertSame(IdentifyMethodsPolicy::KEY, $definition->key());
+		$this->assertSame([], $definition->defaultSystemValue());
+	}
+
+	public function testProviderNormalizesIdentifyMethodsPayload(): void {
+		$provider = new IdentifyMethodsPolicy();
+		$definition = $provider->get(IdentifyMethodsPolicy::KEY);
+
+		$normalized = $definition->normalizeValue([
+			[
+				'name' => 'email',
+				'friendly_name' => 'Email',
+				'enabled' => 1,
+				'can_create_account' => '0',
+				'signatureMethods' => [
+					'email' => [
+						'enabled' => true,
+						'label' => 'Email token',
+					],
+					'clickToSign' => [
+						'enabled' => false,
+					],
+				],
+			],
+		]);
+
+		$this->assertSame([
+			[
+				'name' => 'email',
+				'enabled' => true,
+				'signatureMethods' => [
+					'email' => [
+						'enabled' => true,
+						'label' => 'Email token',
+					],
+					'clickToSign' => [
+						'enabled' => false,
+					],
+				],
+				'friendly_name' => 'Email',
+				'can_create_account' => false,
+			],
+		], $normalized);
+	}
+}