@adventurelabs/scout-core 1.4.74 → 1.4.75

package/dist/helpers/client_abilities_jwt_keys.d.ts

@@ -0,0 +1,10 @@
+import { SupabaseClient } from "@supabase/supabase-js";
+import { Database, Json } from "../types/supabase";
+import { IWebResponseCompatible } from "../types/requests";
+export type ClientAbilitiesPublicJwk = Record<string, Json | undefined> & {
+    kty: string;
+    kid?: string;
+};
+/** Register or rotate a verification key (service_role or platform superadmin). */
+export declare function server_upsert_client_abilities_jwt_public_key(kid: string, public_jwk: ClientAbilitiesPublicJwk, supabaseClient?: SupabaseClient<Database>): Promise<IWebResponseCompatible<null>>;
+export declare function server_revoke_client_abilities_jwt_public_key(kid: string, supabaseClient?: SupabaseClient<Database>): Promise<IWebResponseCompatible<null>>;

package/dist/helpers/client_abilities_jwt_keys.js

@@ -0,0 +1,25 @@
+"use server";
+import { IWebResponse } from "../types/requests";
+import { newServerClient } from "../supabase/server";
+/** Register or rotate a verification key (service_role or platform superadmin). */
+export async function server_upsert_client_abilities_jwt_public_key(kid, public_jwk, supabaseClient) {
+    const supabase = supabaseClient ?? (await newServerClient());
+    const { error } = await supabase.rpc("upsert_client_abilities_jwt_public_key", {
+        p_kid: kid,
+        p_public_jwk: public_jwk,
+    });
+    if (error) {
+        return IWebResponse.error(error.message).to_compatible();
+    }
+    return IWebResponse.success(null).to_compatible();
+}
+export async function server_revoke_client_abilities_jwt_public_key(kid, supabaseClient) {
+    const supabase = supabaseClient ?? (await newServerClient());
+    const { error } = await supabase.rpc("revoke_client_abilities_jwt_public_key", {
+        p_kid: kid,
+    });
+    if (error) {
+        return IWebResponse.error(error.message).to_compatible();
+    }
+    return IWebResponse.success(null).to_compatible();
+}

package/dist/helpers/client_abilities_token.d.ts

@@ -0,0 +1,8 @@
+import { SupabaseClient } from "@supabase/supabase-js";
+import { Database } from "../types/supabase";
+import { IClientAbilitiesJwtPublicKeyEntry, IClientAbilitiesTokenMint } from "../types/client_abilities_token";
+import { IWebResponseCompatible } from "../types/requests";
+export declare function mint_client_abilities_token(client: SupabaseClient<Database>): Promise<IWebResponseCompatible<IClientAbilitiesTokenMint>>;
+export declare function get_client_abilities_jwt_public_keys(client: SupabaseClient<Database>): Promise<IWebResponseCompatible<IClientAbilitiesJwtPublicKeyEntry[]>>;
+/** Cryptographic check only; returns the same mint envelope from the edge. */
+export declare function verify_client_abilities_token(mint: IClientAbilitiesTokenMint, publicKeys: IClientAbilitiesJwtPublicKeyEntry[]): Promise<IClientAbilitiesTokenMint>;

package/dist/helpers/client_abilities_token.js

@@ -0,0 +1,54 @@
+import * as jose from "jose";
+import { CLIENT_ABILITIES_JWT_AUDIENCE, } from "../types/client_abilities_token";
+import { IWebResponse } from "../types/requests";
+export async function mint_client_abilities_token(client) {
+    const { data, error } = await client.functions.invoke("mint-client-abilities-token", { method: "POST" });
+    if (error) {
+        return IWebResponse.error(error.message).to_compatible();
+    }
+    const mint = data;
+    if (!mint?.token) {
+        return IWebResponse.error("mint-client-abilities-token returned no token").to_compatible();
+    }
+    return IWebResponse.success(mint).to_compatible();
+}
+export async function get_client_abilities_jwt_public_keys(client) {
+    const { data, error } = await client.rpc("get_client_abilities_jwt_public_keys");
+    if (error) {
+        return IWebResponse.error(error.message).to_compatible();
+    }
+    const entries = Array.isArray(data) ? data : [];
+    const keys = [];
+    for (const row of entries) {
+        if (row &&
+            typeof row === "object" &&
+            "kid" in row &&
+            "jwk" in row &&
+            typeof row.kid === "string" &&
+            row.jwk &&
+            typeof row.jwk === "object") {
+            keys.push({ kid: row.kid, jwk: row.jwk });
+        }
+    }
+    return IWebResponse.success(keys).to_compatible();
+}
+/** Cryptographic check only; returns the same mint envelope from the edge. */
+export async function verify_client_abilities_token(mint, publicKeys) {
+    if (publicKeys.length === 0) {
+        throw new Error("no client abilities JWT public keys configured");
+    }
+    const kid = jose.decodeProtectedHeader(mint.token).kid;
+    if (!kid || typeof kid !== "string") {
+        throw new Error("client abilities JWT missing kid");
+    }
+    const entry = publicKeys.find((k) => k.kid === kid);
+    if (!entry) {
+        throw new Error(`unknown client abilities JWT kid: ${kid}`);
+    }
+    const verifyKey = await jose.importJWK(entry.jwk, "ES256");
+    await jose.jwtVerify(mint.token, verifyKey, {
+        algorithms: ["ES256"],
+        audience: CLIENT_ABILITIES_JWT_AUDIENCE,
+    });
+    return mint;
+}

package/dist/helpers/client_abilities_token_server.d.ts

@@ -0,0 +1,7 @@
+import { SupabaseClient } from "@supabase/supabase-js";
+import { Database } from "../types/supabase";
+import { IClientAbilitiesTokenMint } from "../types/client_abilities_token";
+import { IWebResponseCompatible } from "../types/requests";
+export declare function server_mint_client_abilities_token(options?: {
+    client?: SupabaseClient<Database>;
+}): Promise<IWebResponseCompatible<IClientAbilitiesTokenMint>>;

package/dist/helpers/client_abilities_token_server.js

@@ -0,0 +1,7 @@
+"use server";
+import { newServerClient } from "../supabase/server";
+import { mint_client_abilities_token } from "./client_abilities_token";
+export async function server_mint_client_abilities_token(options) {
+    const client = options?.client ?? (await newServerClient());
+    return mint_client_abilities_token(client);
+}

package/dist/helpers/herd_roles.d.ts

@@ -0,0 +1,14 @@
+import { SupabaseClient } from "@supabase/supabase-js";
+import { Database } from "../types/supabase";
+import { IAbility, IHerdRole, IHerdRoleAbilityRow, IHerdRoleWithAbilities } from "../types/db";
+import { IWebResponseCompatible } from "../types/requests";
+export declare function server_list_abilities(supabaseClient?: SupabaseClient<Database>): Promise<IWebResponseCompatible<IAbility[]>>;
+export declare function server_get_herd_roles(herd_id: number, supabaseClient?: SupabaseClient<Database>): Promise<IWebResponseCompatible<IHerdRole[]>>;
+export declare function server_get_herd_roles_with_abilities(herd_id: number, supabaseClient?: SupabaseClient<Database>): Promise<IWebResponseCompatible<IHerdRoleWithAbilities[]>>;
+export declare function server_get_herd_role_by_system_name(herd_id: number, system_name: string, supabaseClient?: SupabaseClient<Database>): Promise<IWebResponseCompatible<IHerdRole | null>>;
+export declare function server_create_herd_role(herd_id: number, system_name: string, name: string, supabaseClient?: SupabaseClient<Database>): Promise<IWebResponseCompatible<IHerdRole | null>>;
+export declare function server_update_herd_role(herd_role_id: number, patch: {
+    name?: string;
+}, supabaseClient?: SupabaseClient<Database>): Promise<IWebResponseCompatible<IHerdRole | null>>;
+export declare function server_delete_herd_role(herd_role_id: number, supabaseClient?: SupabaseClient<Database>): Promise<IWebResponseCompatible<null>>;
+export declare function server_set_herd_role_abilities(herd_role_id: number, ability_ids: number[], supabaseClient?: SupabaseClient<Database>): Promise<IWebResponseCompatible<IHerdRoleAbilityRow[]>>;

package/dist/helpers/herd_roles.js

@@ -0,0 +1,134 @@
+"use server";
+import { IWebResponse } from "../types/requests";
+import { newServerClient } from "../supabase/server";
+export async function server_list_abilities(supabaseClient) {
+    const supabase = supabaseClient ?? (await newServerClient());
+    const { data, error } = await supabase
+        .from("abilities")
+        .select("*")
+        .order("key", { ascending: true });
+    if (error) {
+        return IWebResponse.error(error.message).to_compatible();
+    }
+    return IWebResponse.success(data ?? []).to_compatible();
+}
+export async function server_get_herd_roles(herd_id, supabaseClient) {
+    const supabase = supabaseClient ?? (await newServerClient());
+    const { data, error } = await supabase
+        .from("herd_roles")
+        .select("*")
+        .eq("herd_id", herd_id)
+        .order("system_name", { ascending: true });
+    if (error) {
+        return IWebResponse.error(error.message).to_compatible();
+    }
+    return IWebResponse.success(data ?? []).to_compatible();
+}
+export async function server_get_herd_roles_with_abilities(herd_id, supabaseClient) {
+    const supabase = supabaseClient ?? (await newServerClient());
+    const { data, error } = await supabase
+        .from("herd_roles")
+        .select(`
+      *,
+      herd_role_abilities (
+        id,
+        ability_id,
+        abilities (*)
+      )
+    `)
+        .eq("herd_id", herd_id)
+        .order("system_name", { ascending: true });
+    if (error) {
+        return IWebResponse.error(error.message).to_compatible();
+    }
+    const rows = (data ?? []).map((row) => {
+        const { herd_role_abilities: matrix, ...role } = row;
+        const links = matrix ?? [];
+        return {
+            ...role,
+            abilities: links
+                .map((m) => m.abilities)
+                .filter((a) => a != null),
+            ability_ids: links.map((m) => m.ability_id),
+        };
+    });
+    return IWebResponse.success(rows).to_compatible();
+}
+export async function server_get_herd_role_by_system_name(herd_id, system_name, supabaseClient) {
+    const supabase = supabaseClient ?? (await newServerClient());
+    const { data, error } = await supabase
+        .from("herd_roles")
+        .select("*")
+        .eq("herd_id", herd_id)
+        .eq("system_name", system_name)
+        .maybeSingle();
+    if (error) {
+        return IWebResponse.error(error.message).to_compatible();
+    }
+    return IWebResponse.success(data).to_compatible();
+}
+export async function server_create_herd_role(herd_id, system_name, name, supabaseClient) {
+    const supabase = supabaseClient ?? (await newServerClient());
+    const { data, error } = await supabase
+        .from("herd_roles")
+        .insert({
+        herd_id,
+        system_name,
+        name,
+        is_system: false,
+    })
+        .select("*")
+        .single();
+    if (error) {
+        return IWebResponse.error(error.message).to_compatible();
+    }
+    return IWebResponse.success(data).to_compatible();
+}
+export async function server_update_herd_role(herd_role_id, patch, supabaseClient) {
+    const supabase = supabaseClient ?? (await newServerClient());
+    const { data, error } = await supabase
+        .from("herd_roles")
+        .update(patch)
+        .eq("id", herd_role_id)
+        .select("*")
+        .single();
+    if (error) {
+        return IWebResponse.error(error.message).to_compatible();
+    }
+    return IWebResponse.success(data).to_compatible();
+}
+export async function server_delete_herd_role(herd_role_id, supabaseClient) {
+    const supabase = supabaseClient ?? (await newServerClient());
+    const { error } = await supabase
+        .from("herd_roles")
+        .delete()
+        .eq("id", herd_role_id);
+    if (error) {
+        return IWebResponse.error(error.message).to_compatible();
+    }
+    return IWebResponse.success(null).to_compatible();
+}
+export async function server_set_herd_role_abilities(herd_role_id, ability_ids, supabaseClient) {
+    const supabase = supabaseClient ?? (await newServerClient());
+    const { error: deleteError } = await supabase
+        .from("herd_role_abilities")
+        .delete()
+        .eq("herd_role_id", herd_role_id);
+    if (deleteError) {
+        return IWebResponse.error(deleteError.message).to_compatible();
+    }
+    if (ability_ids.length === 0) {
+        return IWebResponse.success([]).to_compatible();
+    }
+    const { data, error } = await supabase
+        .from("herd_role_abilities")
+        .insert(ability_ids.map((ability_id) => ({
+        herd_role_id,
+        ability_id,
+    })))
+        .select("*");
+    if (error) {
+        return IWebResponse.error(error.message).to_compatible();
+    }
+    return IWebResponse.success(data ?? []).to_compatible();
+}

package/dist/helpers/index.d.ts

@@ -33,4 +33,8 @@ export * from "./artifacts";
 export * from "./pins";
 export * from "./pubsub_token";
 export * from "./pubsub_token_server";
+export * from "./client_abilities_token";
+export * from "./client_abilities_token_server";
+export * from "./client_abilities_jwt_keys";
+export * from "./herd_roles";
 export * from "./storagePath";

package/dist/helpers/index.js

@@ -33,4 +33,8 @@ export * from "./artifacts";
 export * from "./pins";
 export * from "./pubsub_token";
 export * from "./pubsub_token_server";
+export * from "./client_abilities_token";
+export * from "./client_abilities_token_server";
+export * from "./client_abilities_jwt_keys";
+export * from "./herd_roles";
 export * from "./storagePath";

package/dist/helpers/invitations.d.ts

@@ -1,8 +1,8 @@
 import { Database } from "../types/supabase";
-import { IHerdInvitation, IHerdInvitationWithHerdSlug, Role } from "../types/db";
+import { IHerdInvitation, IHerdInvitationWithHerdSlug } from "../types/db";
 import { IWebResponseCompatible } from "../types/requests";
 import { SupabaseClient } from "@supabase/supabase-js";
-export declare function server_create_herd_invitation(herd_id: number, email: string, role: Role, expires_at?: string | null): Promise<IWebResponseCompatible<IHerdInvitation | null>>;
+export declare function server_create_herd_invitation(herd_id: number, email: string, herd_role_id: number, expires_at?: string | null): Promise<IWebResponseCompatible<IHerdInvitation | null>>;
 export declare function accept_herd_invitations_for_current_user(invitation_ids: number[], supabaseClient?: SupabaseClient<Database>): Promise<IWebResponseCompatible<IHerdInvitation[]>>;
 export declare function server_get_herd_invitations_for_current_user(): Promise<IWebResponseCompatible<IHerdInvitationWithHerdSlug[]>>;
 export declare function server_get_herd_invitations_by_herd(herd_id: number, supabaseClient?: SupabaseClient<Database>): Promise<IWebResponseCompatible<IHerdInvitation[]>>;

package/dist/helpers/invitations.js

@@ -1,12 +1,12 @@
 "use server";
 import { newServerClient } from "../supabase/server";
 import { IWebResponse } from "../types/requests";
-export async function server_create_herd_invitation(herd_id, email, role, expires_at) {
+export async function server_create_herd_invitation(herd_id, email, herd_role_id, expires_at) {
     const supabase = await newServerClient();
     const { data, error } = await supabase.rpc("create_herd_invitation", {
         p_herd_id: herd_id,
         p_email: email,
-        p_role: role,
+        p_herd_role_id: herd_role_id,
         p_expires_at: expires_at ?? undefined,
     });
     if (error) {

package/dist/helpers/ui.d.ts

@@ -1,4 +1,5 @@
-import { Role } from "../types/db";
-export declare function formatRoleCasing(role: Role): string;
+import { IHerdRole } from "../types/db";
+/** Display label for a herd role (prefers `name`, falls back to `system_name`). */
+export declare function formatRoleCasing(role: Pick<IHerdRole, "name" | "system_name"> | string): string;
 export declare function formatUsernameInitials(username: string): string;
 export declare function roundToXDecimals(num: number, decimals: number): number;

package/dist/helpers/ui.js

@@ -1,5 +1,10 @@
+/** Display label for a herd role (prefers `name`, falls back to `system_name`). */
 export function formatRoleCasing(role) {
-    return role.charAt(0).toUpperCase() + role.slice(1);
+    const label = typeof role === "string" ? role : role.name || role.system_name;
+    if (!label) {
+        return "";
+    }
+    return label.charAt(0).toUpperCase() + label.slice(1);
 }
 export function formatUsernameInitials(username) {
     if (!username) {

package/dist/helpers/users.d.ts

@@ -1,11 +1,11 @@
-import { IUser, IUserAndRole, IUserProfileRow, IUserRolePerHerd, Role } from "../types/db";
+import { IUser, IUserAndRole, IUserProfileRow, IUserRolePerHerd } from "../types/db";
 import { IWebResponseCompatible } from "../types/requests";
 import { SupabaseClient } from "@supabase/supabase-js";
 import { Database } from "../types/supabase";
 export declare function server_get_user_roles(herd_id: number): Promise<IWebResponseCompatible<IUserRolePerHerd[]>>;
 export declare function server_get_user(): Promise<IWebResponseCompatible<IUser | null>>;
 export declare function server_get_users_with_herd_access(herd_id: number, supabaseClient?: SupabaseClient): Promise<IWebResponseCompatible<IUserAndRole[]>>;
-export declare function server_upsert_user_with_role(herd_id: number, username: string, role: Role): Promise<IWebResponseCompatible<IUserAndRole | null>>;
+export declare function server_upsert_user_herd_role(herd_id: number, username: string, herd_role_id: number): Promise<IWebResponseCompatible<IUserAndRole | null>>;
 export type UserProfileUpdate = Database["public"]["Tables"]["users"]["Update"];
 export declare function update_user_profile(client: SupabaseClient<Database>, user_id: string, patch: UserProfileUpdate): Promise<IWebResponseCompatible<IUserProfileRow | null>>;
 export declare function leave_herd_for_current_user(herd_id: number, supabaseClient?: SupabaseClient<Database>): Promise<IWebResponseCompatible<IUserRolePerHerd | null>>;

package/dist/helpers/users.js

@@ -30,7 +30,8 @@ export async function server_get_users_with_herd_access(herd_id, supabaseClient)
     const { data, error } = await supabase
         .from("users_roles_per_herd")
         .select(`
-      role,
+      herd_role_id,
+      herd_roles (*),
       users!users_roles_per_herd_user_id_fkey (*)
     `)
         .eq("herd_id", herd_id);
@@ -41,17 +42,15 @@ export async function server_get_users_with_herd_access(herd_id, supabaseClient)
             data: null,
         };
     }
-    else {
-        const transformedData = data.map((item) => ({
-            user: item.users,
-            role: item.role,
-        }));
-        return IWebResponse.success(transformedData).to_compatible();
-    }
+    const transformedData = (data ?? []).map((item) => ({
+        user: item.users,
+        herd_role_id: item.herd_role_id,
+        herd_role: item.herd_roles,
+    }));
+    return IWebResponse.success(transformedData).to_compatible();
 }
-export async function server_upsert_user_with_role(herd_id, username, role) {
+export async function server_upsert_user_herd_role(herd_id, username, herd_role_id) {
     const supabase = await newServerClient();
-    // first try to get user by username
     const { data: user, error: user_error } = await supabase
         .from("users")
         .select("*")
@@ -63,16 +62,28 @@ export async function server_upsert_user_with_role(herd_id, username, role) {
     if (!user) {
         return IWebResponse.error("User not found").to_compatible();
     }
-    const newRoleForDb = {
+    const { data: herdRole, error: role_error } = await supabase
+        .from("herd_roles")
+        .select("*")
+        .eq("id", herd_role_id)
+        .eq("herd_id", herd_id)
+        .single();
+    if (role_error || !herdRole) {
+        return IWebResponse.error("Invalid herd role for this herd").to_compatible();
+    }
+    const { error } = await supabase.from("users_roles_per_herd").upsert({
         user_id: user.id,
-        herd_id: herd_id,
-        role: role,
-    };
-    const { error } = await supabase.from("users_roles_per_herd").upsert(newRoleForDb);
+        herd_id,
+        herd_role_id,
+    });
     if (error) {
         return IWebResponse.error("Unable to update or add user with provided username. Ensure you have sufficient permissions.").to_compatible();
     }
-    return IWebResponse.success({ user, role }).to_compatible();
+    return IWebResponse.success({
+        user,
+        herd_role_id,
+        herd_role: herdRole,
+    }).to_compatible();
 }
 export async function update_user_profile(client, user_id, patch) {
     const { data, error } = await client

package/dist/index.d.ts

@@ -11,6 +11,7 @@ export * from "./types/bounding_boxes";
 export * from "./types/events";
 export * from "./types/connectivity";
 export * from "./types/pubsub_token";
+export * from "./types/client_abilities_token";
 export * from "./helpers/analysis_usage";
 export * from "./helpers/artifacts";
 export * from "./helpers/auth";
@@ -48,6 +49,10 @@ export * from "./helpers/heartbeats";
 export * from "./helpers/providers";
 export * from "./helpers/pubsub_token";
 export * from "./helpers/pubsub_token_server";
+export * from "./helpers/client_abilities_token";
+export * from "./helpers/client_abilities_token_server";
+export * from "./helpers/client_abilities_jwt_keys";
+export * from "./helpers/herd_roles";
 export * from "./helpers/observations";
 export * from "./helpers/operators";
 export * from "./helpers/versions_software";
@@ -76,5 +81,5 @@ export * from "./supabase/middleware";
 export * from "./supabase/server";
 export * from "./api_keys/actions";
 export type { HerdModule, IHerdModule } from "./types/herd_module";
-export type { IDevice, IEvent, IUser, IHerd, IHerdPrettyLocation, IEventWithTags, IZoneWithActions, ICredential, CredentialInsert, CredentialUpdate, ICertificate, CertificateInsert, CertificateUpdate, IUserAndRole, IUserProfileRow, IHerdInvitation, IHerdInvitationWithHerdSlug, IHerdAllowedDomain, IUserRolePerHerd, HerdInvitationStatus, IApiKeyScout, ILayer, IHeartbeat, IProvider, IConnectivity, ISession, ISessionWithCoordinates, IConnectivityWithCoordinates, IObservation, ObservationInsert, ObservationUpdate, IAnalysisJob, IAnalysisTask, AnalysisWorkStatus, } from "./types/db";
+export type { IDevice, IEvent, IUser, IHerd, IHerdPrettyLocation, IEventWithTags, IZoneWithActions, ICredential, CredentialInsert, CredentialUpdate, ICertificate, CertificateInsert, CertificateUpdate, IUserAndRole, IUserProfileRow, IHerdInvitation, IHerdInvitationWithHerdSlug, IHerdAllowedDomain, IUserRolePerHerd, IAbility, IHerdRole, IHerdRoleWithAbilities, HerdRoleSystemName, HerdInvitationStatus, IApiKeyScout, ILayer, IHeartbeat, IProvider, IConnectivity, ISession, ISessionWithCoordinates, IConnectivityWithCoordinates, IObservation, ObservationInsert, ObservationUpdate, IAnalysisJob, IAnalysisTask, AnalysisWorkStatus, } from "./types/db";
 export { EnumSessionsVisibility } from "./types/events";

package/dist/index.js

@@ -13,6 +13,7 @@ export * from "./types/bounding_boxes";
 export * from "./types/events";
 export * from "./types/connectivity";
 export * from "./types/pubsub_token";
+export * from "./types/client_abilities_token";
 // Helpers
 export * from "./helpers/analysis_usage";
 export * from "./helpers/artifacts";
@@ -51,6 +52,10 @@ export * from "./helpers/heartbeats";
 export * from "./helpers/providers";
 export * from "./helpers/pubsub_token";
 export * from "./helpers/pubsub_token_server";
+export * from "./helpers/client_abilities_token";
+export * from "./helpers/client_abilities_token_server";
+export * from "./helpers/client_abilities_jwt_keys";
+export * from "./helpers/herd_roles";
 export * from "./helpers/observations";
 export * from "./helpers/operators";
 export * from "./helpers/versions_software";