@agenticmail/enterprise 0.5.291 → 0.5.293

package/src/admin/page-registry.ts

@@ -0,0 +1,204 @@
+/**
+ * Page & Tab Registry — Canonical map of all dashboard pages and their tabs.
+ * Used for access control, permission management, and frontend rendering.
+ *
+ * Structure:
+ *   pageId → { label, section, tabs?: { tabId → label } }
+ *
+ * Pages without tabs just have the page-level permission.
+ * Pages with tabs support granular tab-level control.
+ */
+
+export interface PageDef {
+  label: string;
+  section: 'overview' | 'management' | 'administration';
+  description?: string;
+  tabs?: Record<string, string>;  // tabId → label
+}
+
+export const PAGE_REGISTRY: Record<string, PageDef> = {
+  // ─── Overview ────────────────────────────────────
+  dashboard: {
+    label: 'Dashboard',
+    section: 'overview',
+    description: 'Main dashboard with key metrics and activity feed',
+  },
+
+  // ─── Management ──────────────────────────────────
+  agents: {
+    label: 'Agents',
+    section: 'management',
+    description: 'View and manage AI agents',
+    tabs: {
+      overview: 'Overview',
+      personal: 'Personal Details',
+      email: 'Email',
+      whatsapp: 'WhatsApp',
+      channels: 'Channels',
+      configuration: 'Configuration',
+      manager: 'Manager',
+      tools: 'Tools',
+      skills: 'Skills',
+      permissions: 'Permissions',
+      activity: 'Activity',
+      communication: 'Communication',
+      workforce: 'Workforce',
+      memory: 'Memory',
+      guardrails: 'Guardrails',
+      autonomy: 'Autonomy',
+      budget: 'Budget',
+      security: 'Security',
+      'tool-security': 'Tool Security',
+      deployment: 'Deployment',
+    },
+  },
+  skills: {
+    label: 'Skills',
+    section: 'management',
+    description: 'Manage agent skill packs',
+  },
+  'community-skills': {
+    label: 'Community Skills',
+    section: 'management',
+    description: 'Browse and install community skill marketplace',
+  },
+  'skill-connections': {
+    label: 'Integrations & MCP',
+    section: 'management',
+    description: 'MCP servers, built-in integrations, and community skills',
+  },
+  'database-access': {
+    label: 'Database Access',
+    section: 'management',
+    description: 'Manage database connections and agent access',
+    tabs: {
+      connections: 'Connections',
+      access: 'Agent Access',
+      audit: 'Audit Log',
+    },
+  },
+  knowledge: {
+    label: 'Knowledge Bases',
+    section: 'management',
+    description: 'Manage knowledge base documents and collections',
+  },
+  'knowledge-contributions': {
+    label: 'Knowledge Hub',
+    section: 'management',
+    description: 'Agent contributions to shared knowledge',
+  },
+  approvals: {
+    label: 'Approvals',
+    section: 'management',
+    description: 'Review and approve pending agent actions',
+  },
+  'org-chart': {
+    label: 'Org Chart',
+    section: 'management',
+    description: 'Visual agent hierarchy and reporting structure',
+  },
+  'task-pipeline': {
+    label: 'Task Pipeline',
+    section: 'management',
+    description: 'Track task lifecycle from creation to completion',
+  },
+  workforce: {
+    label: 'Workforce',
+    section: 'management',
+    description: 'Agent scheduling, workload, and availability',
+  },
+  messages: {
+    label: 'Messages',
+    section: 'management',
+    description: 'Inter-agent and external message logs',
+  },
+  guardrails: {
+    label: 'Guardrails',
+    section: 'management',
+    description: 'Global safety policies and content filters',
+  },
+  journal: {
+    label: 'Journal',
+    section: 'management',
+    description: 'System event journal and decision log',
+  },
+
+  // ─── Administration ──────────────────────────────
+  dlp: {
+    label: 'DLP',
+    section: 'administration',
+    description: 'Data loss prevention policies and alerts',
+  },
+  compliance: {
+    label: 'Compliance',
+    section: 'administration',
+    description: 'Regulatory compliance settings and reports',
+  },
+  'domain-status': {
+    label: 'Domain',
+    section: 'administration',
+    description: 'Domain configuration and deployment status',
+  },
+  users: {
+    label: 'Users',
+    section: 'administration',
+    description: 'Manage dashboard users, roles, and permissions',
+  },
+  vault: {
+    label: 'Vault',
+    section: 'administration',
+    description: 'Encrypted credential storage',
+  },
+  audit: {
+    label: 'Audit Log',
+    section: 'administration',
+    description: 'Full audit trail of all system actions',
+  },
+  settings: {
+    label: 'Settings',
+    section: 'administration',
+    description: 'Global platform configuration and branding',
+  },
+};
+
+/** Get all page IDs */
+export function getAllPageIds(): string[] {
+  return Object.keys(PAGE_REGISTRY);
+}
+
+/** Get all tab IDs for a page (empty array if page has no tabs) */
+export function getPageTabs(pageId: string): string[] {
+  const page = PAGE_REGISTRY[pageId];
+  return page?.tabs ? Object.keys(page.tabs) : [];
+}
+
+/**
+ * Permission grant structure stored per user.
+ * If pages is '*', user has access to everything (owner/admin default).
+ * Otherwise, it's a map of pageId → true (all tabs) | string[] (specific tabs).
+ */
+export type PermissionGrant = '*' | Record<string, true | string[]>;
+
+/** Check if a user has access to a specific page */
+export function hasPageAccess(grants: PermissionGrant, pageId: string): boolean {
+  if (grants === '*') return true;
+  return pageId in grants;
+}
+
+/** Check if a user has access to a specific tab within a page */
+export function hasTabAccess(grants: PermissionGrant, pageId: string, tabId: string): boolean {
+  if (grants === '*') return true;
+  const pageGrant = grants[pageId];
+  if (!pageGrant) return false;
+  if (pageGrant === true) return true; // all tabs
+  return pageGrant.includes(tabId);
+}
+
+/** Get accessible tab IDs for a page */
+export function getAccessibleTabs(grants: PermissionGrant, pageId: string): string[] | 'all' {
+  if (grants === '*') return 'all';
+  const pageGrant = grants[pageId];
+  if (!pageGrant) return [];
+  if (pageGrant === true) return 'all';
+  return pageGrant;
+}

package/src/admin/routes.ts

@@ -549,6 +549,86 @@ export function createAdminRoutes(db: DatabaseAdapter) {
     return c.json({ ok: true });
   });
 
+  // ─── Page Registry (for permission UI) ──────────────
+
+  api.get('/page-registry', requireRole('admin'), async (c) => {
+    const { PAGE_REGISTRY } = await import('./page-registry.js');
+    return c.json(PAGE_REGISTRY);
+  });
+
+  // ─── User Permissions ──────────────────────────────
+
+  api.get('/users/:id/permissions', requireRole('admin'), async (c) => {
+    const user = await db.getUser(c.req.param('id'));
+    if (!user) return c.json({ error: 'User not found' }, 404);
+    return c.json({ userId: c.req.param('id'), permissions: user.permissions ?? '*' });
+  });
+
+  api.put('/users/:id/permissions', requireRole('admin'), async (c) => {
+    const user = await db.getUser(c.req.param('id'));
+    if (!user) return c.json({ error: 'User not found' }, 404);
+
+    const body = await c.req.json();
+    const permissions = body.permissions;
+
+    // Validate: must be '*' or an object of pageId → true | string[]
+    if (permissions !== '*') {
+      if (typeof permissions !== 'object' || permissions === null || Array.isArray(permissions)) {
+        return c.json({ error: 'permissions must be "*" or an object mapping pageId to true or string[]' }, 400);
+      }
+      const { PAGE_REGISTRY } = await import('./page-registry.js');
+      for (const [pageId, grant] of Object.entries(permissions)) {
+        if (!(pageId in PAGE_REGISTRY)) {
+          return c.json({ error: `Unknown page: ${pageId}` }, 400);
+        }
+        if (grant !== true && !Array.isArray(grant)) {
+          return c.json({ error: `Permission for "${pageId}" must be true or string[]` }, 400);
+        }
+      }
+    }
+
+    const serialized = JSON.stringify(permissions);
+    try {
+      await (db as any).pool.query(
+        'UPDATE users SET permissions = $1, updated_at = NOW() WHERE id = $2',
+        [serialized, c.req.param('id')]
+      );
+    } catch {
+      // SQLite/other fallback
+      const edb = (db as any).db || (db as any).pool;
+      if (edb?.prepare) {
+        edb.prepare('UPDATE users SET permissions = ?, updated_at = CURRENT_TIMESTAMP WHERE id = ?').run(serialized, c.req.param('id'));
+      }
+    }
+
+    await db.logEvent({
+      actor: c.get('userId') || 'system',
+      actorType: 'user',
+      action: 'user.permissions_updated',
+      resource: `user:${c.req.param('id')}`,
+      details: { permissions, targetEmail: user.email },
+      ip: c.req.header('x-forwarded-for')?.split(',')[0]?.trim(),
+    }).catch(() => {});
+
+    return c.json({ ok: true, permissions });
+  });
+
+  // ─── Current User Permissions (for frontend filtering) ──
+
+  api.get('/me/permissions', async (c) => {
+    const userId = c.get('userId' as any);
+    const userRole = c.get('userRole' as any);
+    if (!userId) return c.json({ error: 'Not authenticated' }, 401);
+
+    // Owner and admin always get full access
+    if (userRole === 'owner' || userRole === 'admin') {
+      return c.json({ permissions: '*', role: userRole });
+    }
+
+    const user = await db.getUser(userId);
+    return c.json({ permissions: user?.permissions ?? '*', role: userRole });
+  });
+
   // ─── Platform Capabilities ──────────────────────────
 
   api.get('/platform-capabilities', requireRole('admin'), async (c) => {

package/src/dashboard/app.js

@@ -93,6 +93,7 @@ function App() {
   const [toasts, setToasts] = useState([]);
   const [user, setUser] = useState(null);
   const [pendingCount, setPendingCount] = useState(0);
+  const [permissions, setPermissions] = useState('*'); // '*' = full access, or { pageId: true | ['tab1','tab2'] }
   const [needsSetup, setNeedsSetup] = useState(null);
   const [sidebarPinned, setSidebarPinned] = useState(() => localStorage.getItem('em_sidebar_pinned') === 'true');
   const [sidebarHovered, setSidebarHovered] = useState(false);
@@ -136,6 +137,7 @@ function App() {
     if (!authed) return;
     engineCall('/approvals/pending').then(d => setPendingCount((d.requests || []).length)).catch(() => {});
     apiCall('/settings').then(d => { const s = d.settings || d || {}; if (s.primaryColor) applyBrandColor(s.primaryColor); if (s.orgId) setOrgId(s.orgId); }).catch(() => {});
+    apiCall('/me/permissions').then(d => { if (d && d.permissions) setPermissions(d.permissions); }).catch(() => {});
   }, [authed]);
 
   const logout = useCallback(() => { authCall('/logout', { method: 'POST' }).catch(() => {}).finally(() => { setAuthed(false); setUser(null); }); }, []);
@@ -208,10 +210,20 @@ function App() {
   };
 
   const navigateToAgent = (agentId) => { _setSelectedAgentId(agentId); history.pushState(null, '', '/dashboard/agents/' + agentId); };
-  const PageComponent = pages[page] || DashboardPage;
+
+  // Filter nav based on permissions
+  const hasAccess = (pageId) => permissions === '*' || (permissions && pageId in permissions);
+  const filteredNav = nav.map(section => ({
+    ...section,
+    items: section.items.filter(item => hasAccess(item.id))
+  })).filter(section => section.items.length > 0);
+
+  // Block access to pages user can't see — show unauthorized page
+  const canAccessPage = hasAccess(page);
+  const PageComponent = canAccessPage ? (pages[page] || DashboardPage) : null;
   const sidebarClass = 'sidebar' + (sidebarPinned ? ' expanded' : sidebarHovered ? ' hover-expanded' : '') + (mobileMenuOpen ? ' mobile-open' : '');
 
-  return h(AppContext.Provider, { value: { toast, toasts, user, theme, setPage } },
+  return h(AppContext.Provider, { value: { toast, toasts, user, theme, setPage, permissions } },
     h('div', { className: 'app-layout' },
       // Mobile hamburger
       h('button', { className: 'mobile-hamburger', onClick: () => setMobileMenuOpen(true) },
@@ -231,7 +243,7 @@ function App() {
           h('button', { className: 'sidebar-toggle' + (sidebarPinned ? ' pinned' : ''), onClick: toggleSidebarPin, title: sidebarPinned ? 'Unpin sidebar' : 'Pin sidebar' }, sidebarPinned ? I.chevronLeft() : I.panelLeft())
         ),
         h('div', { className: 'sidebar-nav' },
-          nav.map((section, si) =>
+          filteredNav.map((section, si) =>
             h('div', { key: section.section + si, className: 'sidebar-section' },
               h('div', { className: 'sidebar-section-title' }, section.section),
               section.items.map(item =>
@@ -271,7 +283,29 @@ function App() {
             ? h(AgentDetailPage, { agentId: selectedAgentId, onBack: () => { _setSelectedAgentId(null); _setPage('agents'); history.pushState(null, '', '/dashboard/agents'); } })
             : page === 'agents'
               ? h(AgentsPage, { onSelectAgent: navigateToAgent })
-              : h(PageComponent)
+              : PageComponent ? h(PageComponent)
+              : h('div', { style: { display: 'flex', flexDirection: 'column', alignItems: 'center', justifyContent: 'center', minHeight: '60vh', textAlign: 'center', padding: 40 } },
+                  h('div', { style: { width: 64, height: 64, borderRadius: '50%', background: 'var(--danger-soft, rgba(220,38,38,0.1))', display: 'flex', alignItems: 'center', justifyContent: 'center', marginBottom: 20 } },
+                    h('svg', { width: 32, height: 32, viewBox: '0 0 24 24', fill: 'none', stroke: 'var(--danger, #dc2626)', strokeWidth: 2, strokeLinecap: 'round', strokeLinejoin: 'round' },
+                      h('rect', { x: 3, y: 11, width: 18, height: 11, rx: 2, ry: 2 }),
+                      h('path', { d: 'M7 11V7a5 5 0 0 1 10 0v4' })
+                    )
+                  ),
+                  h('h2', { style: { fontSize: 20, fontWeight: 700, marginBottom: 8, color: 'var(--text-primary)' } }, 'Access Restricted'),
+                  h('p', { style: { fontSize: 14, color: 'var(--text-muted)', maxWidth: 400, lineHeight: 1.6, marginBottom: 24 } },
+                    'You don\'t have permission to access this page. If you believe this is an error, please contact your company administrator to request access.'
+                  ),
+                  h('div', { style: { display: 'flex', gap: 12 } },
+                    filteredNav[0]?.items[0] && h('button', {
+                      className: 'btn btn-primary',
+                      onClick: () => { setPage(filteredNav[0].items[0].id); history.pushState(null, '', '/dashboard/' + filteredNav[0].items[0].id); }
+                    }, 'Go to ' + filteredNav[0].items[0].label),
+                    h('button', {
+                      className: 'btn btn-secondary',
+                      onClick: () => { window.location.href = 'mailto:?subject=Access%20Request&body=I%20need%20access%20to%20the%20' + encodeURIComponent(page) + '%20page%20in%20the%20dashboard.'; }
+                    }, 'Request Access')
+                  )
+                )
         )
       )
     ),

package/src/dashboard/components/icons.js

@@ -54,5 +54,7 @@ export const I = {
   eyeOff: () => h('svg', S, h('path', { d: 'M17.94 17.94A10.07 10.07 0 0112 20c-7 0-11-8-11-8a18.45 18.45 0 015.06-5.94M9.9 4.24A9.12 9.12 0 0112 4c7 0 11 8 11 8a18.5 18.5 0 01-2.16 3.19m-6.72-1.07a3 3 0 11-4.24-4.24' }), h('line', { x1: 1, y1: 1, x2: 23, y2: 23 })),
   panelLeft: () => h('svg', S, h('rect', { x: 3, y: 3, width: 18, height: 18, rx: 2 }), h('line', { x1: 9, y1: 3, x2: 9, y2: 21 })),
   chevronLeft: () => h('svg', S, h('polyline', { points: '15 18 9 12 15 6' })),
+chevronRight: () => h('svg', S, h('polyline', { points: '9 18 15 12 9 6' })),
+chevronDown: () => h('svg', S, h('polyline', { points: '6 9 12 15 18 9' })),
   edit: () => h('svg', S, h('path', { d: 'M11 4H4a2 2 0 0 0-2 2v14a2 2 0 0 0 2 2h14a2 2 0 0 0 2-2v-7' }), h('path', { d: 'M18.5 2.5a2.121 2.121 0 0 1 3 3L12 15l-4 1 1-4 9.5-9.5z' })),
 };

package/src/dashboard/pages/agent-detail/index.js

@@ -44,9 +44,19 @@ export function AgentDetailPage(props) {
   var _agents = useState([]);
   var agents = _agents[0]; var setAgents = _agents[1];
 
-  var TABS = ['overview', 'personal', 'email', 'whatsapp', 'channels', 'configuration', 'manager', 'tools', 'skills', 'permissions', 'activity', 'communication', 'workforce', 'memory', 'guardrails', 'autonomy', 'budget', 'security', 'tool-security', 'deployment'];
+  var ALL_TABS = ['overview', 'personal', 'email', 'whatsapp', 'channels', 'configuration', 'manager', 'tools', 'skills', 'permissions', 'activity', 'communication', 'workforce', 'memory', 'guardrails', 'autonomy', 'budget', 'security', 'tool-security', 'deployment'];
   var TAB_LABELS = { 'security': 'Security', 'tool-security': 'Tool Security', 'manager': 'Manager', 'email': 'Email', 'whatsapp': 'WhatsApp', 'channels': 'Channels', 'tools': 'Tools', 'autonomy': 'Autonomy' };
 
+  // Filter tabs based on user permissions
+  var app = useApp();
+  var perms = app.permissions || '*';
+  var agentGrant = perms === '*' ? true : (perms.agents || false);
+  var TABS = ALL_TABS.filter(function(t) {
+    if (perms === '*' || agentGrant === true) return true;
+    if (Array.isArray(agentGrant)) return agentGrant.indexOf(t) !== -1;
+    return false;
+  });
+
   var load = function() {
     setLoading(true);
     Promise.all([