seams 0.1.0

data/lib/generators/seams/admin/templates/app/dashboards/admin/team_dashboard.rb.tt

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+require "administrate/base_dashboard"
+
+# Administrate dashboard for Teams::Team — the unit of multi-tenant
+# ownership inside the teams engine. Teams are peers to Accounts in
+# the Wave 9 architecture; the join from Team to Identity is direct
+# (Teams::Membership), not via Accounts::Membership.
+module Admin
+  class TeamDashboard < Administrate::BaseDashboard
+    ATTRIBUTE_TYPES = {
+      id:          Field::Number,
+      name:        Field::String,
+      slug:        Field::String,
+      memberships: Field::HasMany.with_options(class_name: "Teams::Membership"),
+      invitations: Field::HasMany.with_options(class_name: "Teams::Invitation"),
+      created_at:  Field::DateTime,
+      updated_at:  Field::DateTime
+    }.freeze
+
+    COLLECTION_ATTRIBUTES = %i[id name slug created_at].freeze
+
+    SHOW_PAGE_ATTRIBUTES = %i[
+      id
+      name
+      slug
+      memberships
+      invitations
+      created_at
+      updated_at
+    ].freeze
+
+    FORM_ATTRIBUTES = %i[name slug].freeze
+
+    def display_resource(team)
+      team.name.presence || "Team ##{team.id}"
+    end
+  end
+end

data/lib/generators/seams/admin/templates/app/dashboards/admin/teams_membership_dashboard.rb.tt

@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+require "administrate/base_dashboard"
+
+# Administrate dashboard for Teams::Membership — joins a Teams::Team
+# to an Auth::Identity with a role.
+#
+# Class name is `Admin::TeamsMembershipDashboard` to disambiguate from
+# `Admin::AccountsMembershipDashboard`; both engines ship a Membership
+# model and Administrate's dashboard lookup resolves by class name.
+#
+# `identity_id` is a bare bigint FK — cross-engine model access is
+# forbidden by the NoCrossEngineModelAccess cop, so the admin surface
+# treats it as a typed integer reference rather than a belongs_to.
+module Admin
+  class TeamsMembershipDashboard < Administrate::BaseDashboard
+    ATTRIBUTE_TYPES = {
+      id:          Field::Number,
+      team:        Field::BelongsTo.with_options(class_name: "Teams::Team"),
+      identity_id: Field::Number,
+      role:        Field::Select.with_options(collection: %w[owner admin member]),
+      created_at:  Field::DateTime,
+      updated_at:  Field::DateTime
+    }.freeze
+
+    COLLECTION_ATTRIBUTES = %i[id team role created_at].freeze
+
+    SHOW_PAGE_ATTRIBUTES = %i[
+      id
+      team
+      identity_id
+      role
+      created_at
+      updated_at
+    ].freeze
+
+    FORM_ATTRIBUTES = %i[team identity_id role].freeze
+
+    def display_resource(membership)
+      "Team Membership ##{membership.id} (#{membership.role})"
+    end
+  end
+end

data/lib/generators/seams/admin/templates/app/policies/admin/platform/account_policy.rb.tt

@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+module Admin
+  module Platform
+    # Platform-mode policy for Accounts::Account. Inherits the staff?
+    # gate from the base; Scope returns every Account in the system.
+    class AccountPolicy < ApplicationPolicy
+    end
+  end
+end

data/lib/generators/seams/admin/templates/app/policies/admin/platform/accounts_membership_policy.rb.tt

@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+module Admin
+  module Platform
+    # Platform-mode policy for Accounts::Membership. All Memberships
+    # across every Account are visible.
+    class AccountsMembershipPolicy < ApplicationPolicy
+    end
+  end
+end

data/lib/generators/seams/admin/templates/app/policies/admin/platform/application_policy.rb.tt

@@ -0,0 +1,85 @@
+# frozen_string_literal: true
+
+module Admin
+  module Platform
+    # Abstract base for every platform-mode admin policy. Platform mode
+    # gates on `Auth::Identity#staff?` — a single boolean on the
+    # credential-only Identity model. There is no per-tenant scoping;
+    # the Scope inner class returns `scope.all`.
+    #
+    # `user` here is the value returned from
+    # `Seams::Admin::ApplicationController#pundit_user`. Phase 3 chose
+    # the `Seams::Admin::Context` Struct (identity + membership) as the
+    # pundit_user — both fields are nil-safe so the platform policies
+    # only need to read `user.identity&.staff?`.
+    #
+    # Hosts that need granular per-action gates (e.g. "non-staff support
+    # users may read but not destroy") eject the relevant per-model
+    # policy and override `destroy?` etc. there. The default surface
+    # here is intentionally uniform: any staff Identity can do anything.
+    class ApplicationPolicy
+      attr_reader :user, :record
+
+      def initialize(user, record)
+        @user   = user
+        @record = record
+      end
+
+      def index?
+        staff?
+      end
+
+      def show?
+        staff?
+      end
+
+      def new?
+        staff?
+      end
+
+      def create?
+        staff?
+      end
+
+      def edit?
+        staff?
+      end
+
+      def update?
+        staff?
+      end
+
+      def destroy?
+        staff?
+      end
+
+      class Scope
+        attr_reader :user, :scope
+
+        def initialize(user, scope)
+          @user  = user
+          @scope = scope
+        end
+
+        # Platform admins see every tenant's data — no account_id
+        # filter. The returned scope is the same `scope` Pundit handed
+        # in (typically `Model.all` or an Administrate-prepared scope),
+        # untouched.
+        def resolve
+          scope.all
+        end
+      end
+
+      private
+
+      # Reads `staff?` from the wrapped Identity. The pundit_user is a
+      # `Seams::Admin::Context` Struct in Phase 3 — `user.identity` is
+      # the actual Auth::Identity. Nil-safe so an unauthenticated
+      # request (which the gate already rejected) returns false instead
+      # of NoMethodError.
+      def staff?
+        user&.identity&.staff?
+      end
+    end
+  end
+end

data/lib/generators/seams/admin/templates/app/policies/admin/platform/identity_policy.rb.tt

@@ -0,0 +1,18 @@
+# frozen_string_literal: true
+
+module Admin
+  module Platform
+    # Platform-mode policy for Auth::Identity.
+    #
+    # Defaults from Admin::Platform::ApplicationPolicy: every predicate
+    # gates on `staff?`. Scope returns `scope.all`. Platform admins see
+    # every Identity in the system — there is no per-tenant filter
+    # because Identity is global.
+    #
+    # Hosts that need a finer gate (e.g. "only senior-staff Identities
+    # can destroy other Identities") eject this file and override
+    # `destroy?`.
+    class IdentityPolicy < ApplicationPolicy
+    end
+  end
+end

data/lib/generators/seams/admin/templates/app/policies/admin/platform/invitation_policy.rb.tt

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+module Admin
+  module Platform
+    # Platform-mode policy for Teams::Invitation.
+    class InvitationPolicy < ApplicationPolicy
+    end
+  end
+end

data/lib/generators/seams/admin/templates/app/policies/admin/platform/invoice_policy.rb.tt

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+module Admin
+  module Platform
+    # Platform-mode policy for Billing::Invoice.
+    class InvoicePolicy < ApplicationPolicy
+    end
+  end
+end

data/lib/generators/seams/admin/templates/app/policies/admin/platform/lifetime_pass_policy.rb.tt

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+module Admin
+  module Platform
+    # Platform-mode policy for Billing::LifetimePass.
+    class LifetimePassPolicy < ApplicationPolicy
+    end
+  end
+end

data/lib/generators/seams/admin/templates/app/policies/admin/platform/notification_policy.rb.tt

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+module Admin
+  module Platform
+    # Platform-mode policy for Notifications::Notification.
+    class NotificationPolicy < ApplicationPolicy
+    end
+  end
+end

data/lib/generators/seams/admin/templates/app/policies/admin/platform/notification_preference_policy.rb.tt

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+module Admin
+  module Platform
+    # Platform-mode policy for Notifications::NotificationPreference.
+    class NotificationPreferencePolicy < ApplicationPolicy
+    end
+  end
+end

data/lib/generators/seams/admin/templates/app/policies/admin/platform/plan_policy.rb.tt

@@ -0,0 +1,11 @@
+# frozen_string_literal: true
+
+module Admin
+  module Platform
+    # Platform-mode policy for Billing::Plan. Plans are global product
+    # rows (not account-scoped), so even tenant mode generally treats
+    # them as read-only globals.
+    class PlanPolicy < ApplicationPolicy
+    end
+  end
+end

data/lib/generators/seams/admin/templates/app/policies/admin/platform/subscription_policy.rb.tt

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+module Admin
+  module Platform
+    # Platform-mode policy for Billing::Subscription.
+    class SubscriptionPolicy < ApplicationPolicy
+    end
+  end
+end

data/lib/generators/seams/admin/templates/app/policies/admin/platform/team_policy.rb.tt

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+module Admin
+  module Platform
+    # Platform-mode policy for Teams::Team.
+    class TeamPolicy < ApplicationPolicy
+    end
+  end
+end

data/lib/generators/seams/admin/templates/app/policies/admin/platform/teams_membership_policy.rb.tt

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+module Admin
+  module Platform
+    # Platform-mode policy for Teams::Membership.
+    class TeamsMembershipPolicy < ApplicationPolicy
+    end
+  end
+end

data/lib/generators/seams/admin/templates/app/policies/admin/tenant/account_policy.rb.tt

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+module Admin
+  module Tenant
+    # Tenant-mode policy for Accounts::Account. The single Account row
+    # the admin can see is their own. Filter on `id`, not `account_id`,
+    # because Account is the tenant root.
+    #
+    # `record_in_tenant_scope?` is overridden here because the parent
+    # default reads `record.account_id`, which doesn't exist on
+    # Account. The matching column on Account is `id`.
+    class AccountPolicy < ApplicationPolicy
+      class Scope < ApplicationPolicy::Scope
+        def resolve
+          return scope.all if staff?
+          return scope.none if account_id.nil?
+
+          scope.where(id: account_id)
+        end
+      end
+
+      private
+
+      def record_in_tenant_scope?
+        return true if user&.identity&.staff?
+        return true if record.nil? || record.is_a?(Class)
+        return false if account_id.nil?
+
+        record.id == account_id
+      end
+    end
+  end
+end

data/lib/generators/seams/admin/templates/app/policies/admin/tenant/accounts_membership_policy.rb.tt

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+module Admin
+  module Tenant
+    # Tenant-mode policy for Accounts::Membership. Filter by
+    # `account_id` so admins only see Memberships in their own Account.
+    #
+    # `accounts_memberships` is one of the canonical seams tables that
+    # carries `account_id` directly. The column-presence guard is
+    # defensive: a host whose schema differs gets `scope.none` rather
+    # than `PG::UndefinedColumn`.
+    class AccountsMembershipPolicy < ApplicationPolicy
+      class Scope < ApplicationPolicy::Scope
+        def resolve
+          return scope.all if staff?
+          return scope.none if account_id.nil?
+          return scope.none unless account_id_column_present?
+
+          scope.where(account_id: account_id)
+        end
+      end
+    end
+  end
+end

data/lib/generators/seams/admin/templates/app/policies/admin/tenant/application_policy.rb.tt

@@ -0,0 +1,169 @@
+# frozen_string_literal: true
+
+module Admin
+  module Tenant
+    # Abstract base for every tenant-mode admin policy. Tenant mode
+    # gates on `Accounts::Membership.role` for the currently-resolved
+    # membership (`Seams::Admin::Context#membership`). Staff Identities
+    # always pass the gate too — a platform staff member can drop into
+    # any tenant's admin without rejoining as an account-admin.
+    #
+    # The `Scope` inner class is overridden per-policy; this base
+    # returns `scope.none` so a subclass that forgets to override gets
+    # an empty list rather than leaking another tenant's data. Fail
+    # closed.
+    #
+    # `user` is `Seams::Admin::Context.new(identity, membership)`.
+    # `user.identity`   — Auth::Identity (carries `staff?`)
+    # `user.membership` — Accounts::Membership for the current account
+    #                     (carries `account_id` and `role`)
+    #
+    # ## Two-stage gate (`permitted?` + Scope)
+    #
+    # `permitted?` here returns true when the user holds an
+    # admin/owner membership in ANY account; the per-resource `Scope`
+    # then filters the visible record set to that user's `account_id`.
+    # The split is intentional:
+    #   - `permitted?` answers "is this human allowed in the admin
+    #     surface at all?" (gate semantics).
+    #   - `Scope` answers "which rows can this human see?" (row-level
+    #     filter).
+    #
+    # The user-visible consequence: a tenant admin requesting
+    # `/admin/accounts/<other_account_id>` passes `permitted?` but the
+    # Scope filters out that row, so the controller raises
+    # `ActiveRecord::RecordNotFound` (rendered as a 404). The trade-off
+    # is that the admin surface doesn't leak the existence of another
+    # tenant's data via a different status code — both "row doesn't
+    # exist" and "row belongs to another tenant" produce a 404.
+    class ApplicationPolicy
+      attr_reader :user, :record
+
+      def initialize(user, record)
+        @user   = user
+        @record = record
+      end
+
+      def index?
+        permitted?
+      end
+
+      def show?
+        permitted? && record_in_tenant_scope?
+      end
+
+      def new?
+        permitted?
+      end
+
+      def create?
+        permitted? && record_in_tenant_scope?
+      end
+
+      def edit?
+        permitted? && record_in_tenant_scope?
+      end
+
+      def update?
+        permitted? && record_in_tenant_scope?
+      end
+
+      def destroy?
+        permitted? && record_in_tenant_scope?
+      end
+
+      class Scope
+        attr_reader :user, :scope
+
+        def initialize(user, scope)
+          @user  = user
+          @scope = scope
+        end
+
+        # Default fail-closed scope. Every concrete tenant policy
+        # overrides this to filter by `account_id`. Returning `none`
+        # here means a forgotten override never leaks another tenant's
+        # data — the worst case is "admin sees an empty list" rather
+        # than "admin sees everyone's data".
+        def resolve
+          scope.none
+        end
+
+        private
+
+        def account_id
+          user&.membership&.account_id
+        end
+
+        def staff?
+          user&.identity&.staff?
+        end
+
+        # Helper for subclasses: hosts may have ejected the
+        # `account_id` column off a model (or never had one — the
+        # canonical seams schema doesn't put `account_id` on
+        # `teams`, `team_memberships`, `team_invitations`,
+        # `notifications`, or `notification_preferences`).
+        # Subclasses that filter by `account_id` should consult this
+        # before issuing the where-clause; if the column is absent the
+        # safe fall-back is `scope.none` (refusing to leak rows we
+        # can't tenant-scope).
+        def account_id_column_present?
+          model = scope.respond_to?(:klass) ? scope.klass : scope
+          return false unless model.respond_to?(:column_names)
+
+          model.column_names.include?("account_id")
+        end
+      end
+
+      private
+
+      # Permitted when (a) the Identity is staff (platform admins drop
+      # into every tenant), or (b) the resolved Accounts::Membership
+      # carries an admin/owner role for the current Account.
+      def permitted?
+        return true if user&.identity&.staff?
+
+        membership = user&.membership
+        return false if membership.nil?
+
+        %w[owner admin].include?(membership.role.to_s)
+      end
+
+      def account_id
+        user&.membership&.account_id
+      end
+
+      # Per-record tenant guard. The `Scope` filters list views, but a
+      # show/update/destroy lookup of a record from another tenant
+      # (constructed by id-tampering) bypasses the Scope unless we
+      # check the record itself. Subclasses that filter by
+      # `record.account_id` get this default; subclasses with custom
+      # tenant boundaries (Account itself, Plan, Identity) override
+      # this method.
+      #
+      # Staff Identities always satisfy the per-record check — they
+      # admin every tenant.
+      def record_in_tenant_scope?
+        return true if user&.identity&.staff?
+        return true if record.nil? || record.is_a?(Class)
+        return false if account_id.nil?
+
+        record_account_id = if record.respond_to?(:account_id)
+                              record.account_id
+                            else
+                              # Record class doesn't carry an
+                              # account_id column. Fall through to
+                              # `true` so policies that override
+                              # `record_in_tenant_scope?` (Account,
+                              # Identity, Plan) handle this — and so
+                              # the default doesn't fail-closed for
+                              # global resources.
+                              return true
+                            end
+
+        record_account_id == account_id
+      end
+    end
+  end
+end

data/lib/generators/seams/admin/templates/app/policies/admin/tenant/identity_policy.rb.tt

@@ -0,0 +1,67 @@
+# frozen_string_literal: true
+
+module Admin
+  module Tenant
+    # Tenant-mode policy for Auth::Identity.
+    #
+    # Identity is the only canonical model that is NOT directly
+    # account-scoped — it has no `account_id` column, because an
+    # Identity can belong to multiple Accounts via Accounts::Membership.
+    # In tenant mode the admin should only see the Identities that hold
+    # a Membership in the current Account; everyone else is invisible.
+    #
+    # ## Why a subquery, not an association join
+    #
+    # The canonical `Auth::Identity` model in seams does NOT declare
+    # `has_many :memberships` (the auth engine deliberately keeps
+    # Identity credential-only and avoids reaching across the engine
+    # boundary into accounts). A policy that joined an association
+    # named `memberships` would raise
+    # `ActiveRecord::ConfigurationError` on a vanilla seams host.
+    #
+    # The subquery shape below depends on the `accounts_memberships`
+    # table existing and carrying `identity_id` + `account_id` columns
+    # — both canonical in the accounts engine since Wave 9 — without
+    # depending on any association being declared on `Auth::Identity`.
+    #
+    # Hosts whose Identity DOES declare an associations join to
+    # memberships may eject this policy and prefer an association
+    # join for index-friendly SQL; the subquery form is the safe
+    # default that works against a fresh seams install.
+    class IdentityPolicy < ApplicationPolicy
+      class Scope < ApplicationPolicy::Scope
+        def resolve
+          return scope.all if staff?
+          return scope.none if account_id.nil?
+
+          # Subquery on the accounts_memberships table — works
+          # without a `has_many :memberships` declaration on the
+          # Identity model. Distinct guards against an Identity
+          # appearing twice if the host model schema ever permitted
+          # duplicate (account_id, identity_id) pairs.
+          membership_subquery = ::Accounts::Membership
+                                .where(account_id: account_id)
+                                .select(:identity_id)
+          scope.where(id: membership_subquery).distinct
+        end
+      end
+
+      private
+
+      # Identity has no `account_id` column. Per-record tenant guard
+      # checks instead that the Identity holds a membership in the
+      # current Account.
+      def record_in_tenant_scope?
+        return true if user&.identity&.staff?
+        return true if record.nil? || record.is_a?(Class)
+        return false if account_id.nil?
+        return false unless record.respond_to?(:id) && record.id
+
+        ::Accounts::Membership.exists?(
+          account_id:  account_id,
+          identity_id: record.id
+        )
+      end
+    end
+  end
+end

data/lib/generators/seams/admin/templates/app/policies/admin/tenant/invitation_policy.rb.tt

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+module Admin
+  module Tenant
+    # Tenant-mode policy for Teams::Invitation. Filters by `account_id`.
+    #
+    # The canonical seams `team_invitations` table doesn't carry
+    # `account_id` directly (invitations are scoped through their
+    # Team). The default falls back to `scope.none` if the column is
+    # absent — fail-closed. Hosts whose schema differs eject this
+    # policy and replace `resolve` with a join through Teams::Team.
+    class InvitationPolicy < ApplicationPolicy
+      class Scope < ApplicationPolicy::Scope
+        def resolve
+          return scope.all if staff?
+          return scope.none if account_id.nil?
+          return scope.none unless account_id_column_present?
+
+          scope.where(account_id: account_id)
+        end
+      end
+    end
+  end
+end

data/lib/generators/seams/admin/templates/app/policies/admin/tenant/invoice_policy.rb.tt

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+module Admin
+  module Tenant
+    # Tenant-mode policy for Billing::Invoice. Filters by `account_id`
+    # — `billing_invoices` carries the column directly in the canonical
+    # seams schema. The column-presence guard is defensive for hosts
+    # whose schema differs.
+    class InvoicePolicy < ApplicationPolicy
+      class Scope < ApplicationPolicy::Scope
+        def resolve
+          return scope.all if staff?
+          return scope.none if account_id.nil?
+          return scope.none unless account_id_column_present?
+
+          scope.where(account_id: account_id)
+        end
+      end
+    end
+  end
+end

data/lib/generators/seams/admin/templates/app/policies/admin/tenant/lifetime_pass_policy.rb.tt

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+module Admin
+  module Tenant
+    # Tenant-mode policy for Billing::LifetimePass. Filters by
+    # `account_id` — `billing_lifetime_passes` carries the column
+    # directly in the canonical seams schema. The column-presence
+    # guard is defensive for hosts whose schema differs.
+    class LifetimePassPolicy < ApplicationPolicy
+      class Scope < ApplicationPolicy::Scope
+        def resolve
+          return scope.all if staff?
+          return scope.none if account_id.nil?
+          return scope.none unless account_id_column_present?
+
+          scope.where(account_id: account_id)
+        end
+      end
+    end
+  end
+end