@arcblock/did-connect-service 4.0.4 → 4.0.6

package/dist/team-handler.js

@@ -1,1225 +0,0 @@
-/**
- * TeamHandler — HTTP handler for team management API + page routes.
- *
- * API routes (/.well-known/service/api/team/*):
- *   GET    /members, /members/:did
- *   PUT    /members/:did/role, /members/:did/approval
- *   DELETE /members/:did
- *   GET    /invitations
- *   POST   /invitations
- *   DELETE /invitations/:id
- *   GET    /invitations/:id/info  (public, no auth)
- *   POST   /invitations/:id/accept (authenticated)
- *   GET    /audit-logs
- *   GET    /profile
- *   PUT    /profile
- *   POST   /transfer-ownership
- *
- * Page routes:
- *   GET /.well-known/service/admin/team  → admin SPA
- *   GET /.well-known/service/invite      → invite page
- */
-import { resolveAccessKeyCaller } from "./handlers/passkey-handler.js";
-import { resolveInstanceRole } from "./identity/instance-role.js";
-import { buildAdminPageHTML } from "./pages/admin/index.js";
-import { buildInvitePageHTML } from "./pages/invite-page.js";
-import { PermissionError, requirePermission } from "./access/rbac.js";
-const API_BASE = "/.well-known/service/api/team";
-const ADMIN_PAGE = "/.well-known/service/admin/team";
-const INVITE_PAGE = "/.well-known/service/invite";
-export class TeamHandler {
-    store;
-    passkey;
-    apiBase;
-    portalUrl;
-    instanceDid;
-    constructor(options) {
-        this.store = options.store;
-        this.passkey = options.passkey;
-        this.apiBase = options.basePath ?? API_BASE;
-        this.portalUrl = options.portalUrl ?? "";
-        this.instanceDid = options.instanceDid;
-    }
-    /** Resolve the portal base URL for building invitation links. */
-    resolvePortalUrl(request) {
-        if (this.portalUrl)
-            return this.portalUrl;
-        return new URL(request.url).origin;
-    }
-    /** Main HTTP router. Returns Response or null if path doesn't match. */
-    async fetch(request, instanceDid) {
-        const url = new URL(request.url);
-        const { pathname } = url;
-        // API routes
-        if (pathname.startsWith(this.apiBase)) {
-            const path = pathname.slice(this.apiBase.length) || "/";
-            return this.handleAPI(request, path, url, instanceDid);
-        }
-        // Page routes (Phase 2+)
-        // For now, return null for page routes — they'll be added later
-        if (pathname === ADMIN_PAGE || pathname.startsWith(`${ADMIN_PAGE}/`)) {
-            return this.serveAdminPage(request, instanceDid);
-        }
-        if (pathname === INVITE_PAGE) {
-            return this.serveInvitePage();
-        }
-        return null;
-    }
-    // ─── API Router ──────────────────────────────────────────────────────
-    async handleAPI(request, path, url, instanceDid) {
-        const method = request.method;
-        try {
-            // Public endpoint: invitation info (no auth required)
-            const infoMatch = path.match(/^\/invitations\/([^/]+)\/info$/);
-            if (method === "GET" && infoMatch) {
-                return await this.handleGetInvitationInfo(infoMatch[1]);
-            }
-            // All other endpoints require authentication
-            const caller = await this.verifyAndCheckApproval(request, instanceDid);
-            // Profile (any authenticated) — not applicable in instance mode
-            if (method === "GET" && path === "/profile") {
-                return await this.handleGetProfile(caller);
-            }
-            if (method === "PUT" && path === "/profile") {
-                return await this.handleUpdateProfile(caller, request);
-            }
-            // Members (admin+)
-            if (method === "GET" && path === "/members") {
-                return await this.handleListMembers(caller, url, instanceDid);
-            }
-            const memberMatch = path.match(/^\/members\/([^/]+)$/);
-            const roleMatch = path.match(/^\/members\/([^/]+)\/role$/);
-            const approvalMatch = path.match(/^\/members\/([^/]+)\/approval$/);
-            if (method === "PUT" && roleMatch) {
-                return await this.handleChangeRole(caller, roleMatch[1], request, instanceDid);
-            }
-            if (method === "PUT" && approvalMatch) {
-                return await this.handleToggleApproval(caller, approvalMatch[1], request, instanceDid);
-            }
-            if (method === "GET" && memberMatch) {
-                return await this.handleGetMember(caller, memberMatch[1], instanceDid);
-            }
-            if (method === "DELETE" && memberMatch) {
-                return await this.handleRemoveMember(caller, memberMatch[1], instanceDid);
-            }
-            // Invitations
-            if (method === "GET" && path === "/invitations") {
-                return await this.handleListInvitations(caller, url, request, instanceDid);
-            }
-            if (method === "POST" && path === "/invitations") {
-                return await this.handleCreateInvitation(caller, request, instanceDid);
-            }
-            const acceptMatch = path.match(/^\/invitations\/([^/]+)\/accept$/);
-            if (method === "POST" && acceptMatch) {
-                return await this.handleAcceptInvitation(caller, acceptMatch[1], instanceDid);
-            }
-            const deleteInvMatch = path.match(/^\/invitations\/([^/]+)$/);
-            if (method === "DELETE" && deleteInvMatch) {
-                return await this.handleDeleteInvitation(caller, deleteInvMatch[1], instanceDid);
-            }
-            // Audit logs
-            if (method === "GET" && path === "/audit-logs") {
-                return await this.handleListAuditLogs(caller, url, instanceDid);
-            }
-            // Ownership transfer
-            if (method === "POST" && path === "/transfer-ownership") {
-                return await this.handleTransferOwnership(caller, request, instanceDid);
-            }
-            // Access policies
-            if (method === "GET" && path === "/access-policies") {
-                return await this.handleListAccessPolicies(caller, instanceDid);
-            }
-            if (method === "POST" && path === "/access-policies") {
-                return await this.handleCreateAccessPolicy(caller, request, instanceDid);
-            }
-            const policyMatch = path.match(/^\/access-policies\/([^/]+)$/);
-            if (method === "PUT" && policyMatch) {
-                return await this.handleUpdateAccessPolicy(caller, policyMatch[1], request, instanceDid);
-            }
-            if (method === "DELETE" && policyMatch) {
-                return await this.handleDeleteAccessPolicy(caller, policyMatch[1], instanceDid);
-            }
-            // Security rules
-            if (method === "GET" && path === "/security-rules") {
-                return await this.handleListSecurityRules(caller, instanceDid);
-            }
-            if (method === "POST" && path === "/security-rules") {
-                return await this.handleCreateSecurityRule(caller, request, instanceDid);
-            }
-            const ruleMatch = path.match(/^\/security-rules\/([^/]+)$/);
-            if (method === "PUT" && ruleMatch) {
-                return await this.handleUpdateSecurityRule(caller, ruleMatch[1], request, instanceDid);
-            }
-            if (method === "DELETE" && ruleMatch) {
-                return await this.handleDeleteSecurityRule(caller, ruleMatch[1], instanceDid);
-            }
-            // Settings (owner-only)
-            if (method === "GET" && path === "/settings") {
-                return await this.handleGetSettings(caller);
-            }
-            const oauthMatch = path.match(/^\/settings\/oauth\/([a-z0-9-]+)$/);
-            if (method === "PUT" && oauthMatch) {
-                return await this.handleSaveOAuthProvider(caller, oauthMatch[1], request);
-            }
-            if (method === "DELETE" && oauthMatch) {
-                return await this.handleDeleteOAuthProvider(caller, oauthMatch[1]);
-            }
-            if (method === "PUT" && path === "/settings/builtin-providers") {
-                return await this.handleSaveBuiltinProviders(caller, request);
-            }
-            if (method === "PUT" && path === "/settings/session") {
-                return await this.handleSaveSessionConfig(caller, request);
-            }
-            if (method === "PUT" && path === "/settings/email") {
-                return await this.handleSaveEmailConfig(caller, request);
-            }
-            return this.errorResponse("Not found", 404, "NOT_FOUND");
-        }
-        catch (err) {
-            if (err instanceof PermissionError) {
-                return this.errorResponse("Insufficient permissions", 403, "FORBIDDEN");
-            }
-            if (err instanceof AuthError) {
-                return this.errorResponse(err.message, err.status, err.code);
-            }
-            const message = err instanceof Error ? err.message : "Internal error";
-            return this.errorResponse(message, 500, "INTERNAL_ERROR");
-        }
-    }
-    // ─── Auth middleware ─────────────────────────────────────────────────
-    async verifyAndCheckApproval(request, instanceDid) {
-        // Try access key auth first
-        const akCaller = await resolveAccessKeyCaller(request, this.store, instanceDid);
-        if (akCaller) {
-            if (akCaller.blocked) {
-                throw new AuthError("User is blocked", 403, "BLOCKED");
-            }
-            const ip = request.headers.get("CF-Connecting-IP") ?? undefined;
-            if (instanceDid) {
-                const effectiveRole = await resolveInstanceRole(this.store, akCaller.did, instanceDid, akCaller.role);
-                if (!effectiveRole) {
-                    throw new AuthError("Not a member of this instance", 403, "FORBIDDEN");
-                }
-                return {
-                    did: akCaller.did,
-                    pk: akCaller.pk,
-                    displayName: akCaller.displayName,
-                    role: effectiveRole,
-                    ip,
-                };
-            }
-            return {
-                did: akCaller.did,
-                pk: akCaller.pk,
-                displayName: akCaller.displayName,
-                role: akCaller.role,
-                ip,
-            };
-        }
-        // Fall back to JWT auth
-        const caller = await this.passkey.verify(request);
-        if (!caller) {
-            throw new AuthError("Authentication required", 401, "UNAUTHENTICATED");
-        }
-        const user = await this.store.getUserByDid(caller.did);
-        if (!user) {
-            throw new AuthError("User not found", 401, "UNAUTHENTICATED");
-        }
-        if (!user.approved) {
-            throw new AuthError("User is blocked", 403, "BLOCKED");
-        }
-        const ip = request.headers.get("CF-Connecting-IP") ?? undefined;
-        if (instanceDid) {
-            const effectiveRole = await resolveInstanceRole(this.store, caller.did, instanceDid, user.role ?? undefined);
-            if (!effectiveRole) {
-                throw new AuthError("Not a member of this instance", 403, "FORBIDDEN");
-            }
-            return { ...caller, role: effectiveRole, ip };
-        }
-        return {
-            ...caller,
-            role: user.role ?? "guest",
-            ip,
-        };
-    }
-    // ─── Profile handlers ───────────────────────────────────────────────
-    async handleGetProfile(caller) {
-        const user = await this.store.getMemberInfo(caller.did);
-        if (!user) {
-            return this.errorResponse("User not found", 404, "NOT_FOUND");
-        }
-        return this.jsonResponse({ ok: true, user });
-    }
-    async handleUpdateProfile(caller, request) {
-        const body = await this.parseJSON(request);
-        const fields = {};
-        if (body.fullName !== undefined)
-            fields.fullName = String(body.fullName).slice(0, 64);
-        if (body.email !== undefined)
-            fields.email = String(body.email).slice(0, 255);
-        if (body.avatar !== undefined)
-            fields.avatar = String(body.avatar).slice(0, 1024);
-        if (Object.keys(fields).length > 0) {
-            await this.store.updateUserProfile(caller.did, fields);
-            await this.store.createAuditLog({
-                action: "user.profile_update",
-                operatorDid: caller.did,
-                targetDid: caller.did,
-                metadata: { fields: Object.keys(fields) },
-                ip: caller.ip,
-            });
-        }
-        const user = await this.store.getMemberInfo(caller.did);
-        return this.jsonResponse({ ok: true, user });
-    }
-    // ─── Members handlers ──────────────────────────────────────────────
-    async handleListMembers(caller, url, instanceDid) {
-        requirePermission(caller.role, "team.list_members");
-        if (instanceDid) {
-            const members = await this.store.listMembershipsWithUserInfo(instanceDid);
-            return this.jsonResponse({
-                ok: true,
-                users: members,
-                paging: { total: members.length, page: 1, pageSize: members.length },
-            });
-        }
-        const page = Math.max(1, Number.parseInt(url.searchParams.get("page") ?? "1", 10) || 1);
-        const pageSize = Math.min(100, Math.max(1, Number.parseInt(url.searchParams.get("pageSize") ?? "20", 10) || 20));
-        const role = url.searchParams.get("role") || undefined;
-        const search = url.searchParams.get("search") || undefined;
-        const approvedParam = url.searchParams.get("approved");
-        const approved = approvedParam !== null ? Number.parseInt(approvedParam, 10) : undefined;
-        const sourceProvider = url.searchParams.get("sourceProvider") || undefined;
-        const { users, total } = await this.store.getUsers({ page, pageSize, role, search, approved, sourceProvider });
-        return this.jsonResponse({
-            ok: true,
-            users,
-            paging: { total, page, pageSize },
-        });
-    }
-    async handleGetMember(caller, did, instanceDid) {
-        requirePermission(caller.role, "team.view_member");
-        did = decodeURIComponent(did);
-        if (instanceDid) {
-            const membership = await this.store.getMembership(did, instanceDid);
-            if (!membership) {
-                return this.errorResponse("Member not found", 404, "NOT_FOUND");
-            }
-            const userInfo = await this.store.getUserByDid(did);
-            return this.jsonResponse({
-                ok: true,
-                user: {
-                    user_did: did,
-                    role: membership.role,
-                    joined_at: membership.joined_at,
-                    fullName: userInfo?.fullName ?? null,
-                    email: userInfo?.email ?? null,
-                    avatar: userInfo?.avatar ?? null,
-                    instanceDid,
-                },
-            });
-        }
-        const user = await this.store.getMemberInfo(did);
-        if (!user) {
-            return this.errorResponse("Member not found", 404, "NOT_FOUND");
-        }
-        return this.jsonResponse({ ok: true, user });
-    }
-    async handleChangeRole(caller, targetDid, request, instanceDid) {
-        requirePermission(caller.role, "team.change_role");
-        targetDid = decodeURIComponent(targetDid);
-        const body = await this.parseJSON(request);
-        const newRole = body.role;
-        if (!newRole || !["admin", "member", "guest"].includes(newRole)) {
-            return this.errorResponse("Invalid role. Must be 'admin', 'member', or 'guest'", 400, "VALIDATION_ERROR");
-        }
-        if (targetDid === caller.did) {
-            return this.errorResponse("Cannot change your own role", 409, "CONFLICT");
-        }
-        if (instanceDid) {
-            const membership = await this.store.getMembership(targetDid, instanceDid);
-            if (!membership) {
-                return this.errorResponse("Member not found", 404, "NOT_FOUND");
-            }
-            const oldRole = membership.role;
-            await this.store.updateMembershipRole(targetDid, instanceDid, newRole);
-            await this.store.createAuditLog({
-                action: "user.role_change",
-                operatorDid: caller.did,
-                targetDid,
-                metadata: { oldRole, newRole },
-                ip: caller.ip,
-                instanceDid,
-            });
-            const updated = await this.store.getMembership(targetDid, instanceDid);
-            return this.jsonResponse({ ok: true, user: updated });
-        }
-        const target = await this.store.getUserByDid(targetDid);
-        if (!target) {
-            return this.errorResponse("Member not found", 404, "NOT_FOUND");
-        }
-        const oldRole = target.role;
-        await this.store.updateUserRole(targetDid, newRole);
-        await this.store.createAuditLog({
-            action: "user.role_change",
-            operatorDid: caller.did,
-            targetDid,
-            metadata: { oldRole, newRole },
-            ip: caller.ip,
-        });
-        const user = await this.store.getMemberInfo(targetDid);
-        return this.jsonResponse({ ok: true, user });
-    }
-    async handleToggleApproval(caller, targetDid, request, instanceDid) {
-        if (instanceDid) {
-            return this.errorResponse("Not supported for instances", 501, "NOT_IMPLEMENTED");
-        }
-        targetDid = decodeURIComponent(targetDid);
-        const body = await this.parseJSON(request);
-        if (typeof body.approved !== "boolean") {
-            return this.errorResponse("'approved' must be a boolean", 400, "VALIDATION_ERROR");
-        }
-        if (targetDid === caller.did) {
-            return this.errorResponse("Cannot change your own approval status", 409, "CONFLICT");
-        }
-        const target = await this.store.getUserByDid(targetDid);
-        if (!target) {
-            return this.errorResponse("Member not found", 404, "NOT_FOUND");
-        }
-        if (target.role === "owner") {
-            return this.errorResponse("Cannot block the owner", 403, "FORBIDDEN");
-        }
-        const action = body.approved ? "team.unblock_member" : "team.block_member";
-        requirePermission(caller.role, action, target.role);
-        await this.store.updateUserApproval(targetDid, body.approved);
-        await this.store.createAuditLog({
-            action: body.approved ? "user.unblock" : "user.block",
-            operatorDid: caller.did,
-            targetDid,
-            ip: caller.ip,
-        });
-        const user = await this.store.getMemberInfo(targetDid);
-        return this.jsonResponse({ ok: true, user });
-    }
-    async handleRemoveMember(caller, targetDid, instanceDid) {
-        targetDid = decodeURIComponent(targetDid);
-        if (targetDid === caller.did) {
-            return this.errorResponse("Cannot remove yourself", 409, "CONFLICT");
-        }
-        if (instanceDid) {
-            const membership = await this.store.getMembership(targetDid, instanceDid);
-            if (!membership) {
-                return this.errorResponse("Member not found", 404, "NOT_FOUND");
-            }
-            if (membership.role === "owner") {
-                return this.errorResponse("Cannot remove the owner", 403, "FORBIDDEN");
-            }
-            requirePermission(caller.role, "team.remove_member", membership.role);
-            await this.store.deleteMembership(targetDid, instanceDid);
-            await this.store.createAuditLog({
-                action: "user.remove",
-                operatorDid: caller.did,
-                targetDid,
-                metadata: { removedRole: membership.role },
-                ip: caller.ip,
-                instanceDid,
-            });
-            return this.jsonResponse({ ok: true });
-        }
-        const target = await this.store.getUserByDid(targetDid);
-        if (!target) {
-            return this.errorResponse("Member not found", 404, "NOT_FOUND");
-        }
-        if (target.role === "owner") {
-            return this.errorResponse("Cannot remove the owner", 403, "FORBIDDEN");
-        }
-        requirePermission(caller.role, "team.remove_member", target.role);
-        await this.store.removeUser(targetDid);
-        await this.store.createAuditLog({
-            action: "user.remove",
-            operatorDid: caller.did,
-            targetDid,
-            metadata: { removedRole: target.role, removedName: target.fullName },
-            ip: caller.ip,
-        });
-        return this.jsonResponse({ ok: true });
-    }
-    // ─── Invitation handlers ────────────────────────────────────────────
-    async handleListInvitations(caller, url, request, instanceDid) {
-        requirePermission(caller.role, "team.list_members"); // same perm as viewing members
-        const page = Math.max(1, Number.parseInt(url.searchParams.get("page") ?? "1", 10) || 1);
-        const pageSize = Math.min(100, Math.max(1, Number.parseInt(url.searchParams.get("pageSize") ?? "20", 10) || 20));
-        // Lazy-purge expired invitations
-        this.store.purgeExpiredInvitations().catch(() => { });
-        const { invitations, total } = await this.store.getInvitations({ page, pageSize, instanceDid });
-        // Add link to each invitation
-        const baseUrl = this.resolvePortalUrl(request);
-        const withLinks = invitations.map((inv) => ({
-            ...inv,
-            link: `${baseUrl}/.well-known/service/invite?id=${inv.id}`,
-        }));
-        return this.jsonResponse({
-            ok: true,
-            invitations: withLinks,
-            paging: { total, page, pageSize },
-        });
-    }
-    async handleCreateInvitation(caller, request, instanceDid) {
-        requirePermission(caller.role, "team.create_invitation");
-        const body = await this.parseJSON(request);
-        if (!body.role || !["admin", "member", "guest"].includes(body.role)) {
-            return this.errorResponse("Invalid role. Must be 'admin', 'member', or 'guest'", 400, "VALIDATION_ERROR");
-        }
-        // Admin cannot create admin-role invitations
-        if (caller.role === "admin" && body.role === "admin") {
-            return this.errorResponse("Only the owner can create admin invitations", 403, "FORBIDDEN");
-        }
-        const remark = body.remark ? String(body.remark) : "";
-        if (remark.length > 500) {
-            return this.errorResponse("Remark must be 500 characters or fewer", 400, "VALIDATION_ERROR");
-        }
-        const expireHours = body.expireHours !== undefined ? Number(body.expireHours) : 168;
-        if (expireHours < 1 || expireHours > 720) {
-            return this.errorResponse("expireHours must be between 1 and 720", 400, "VALIDATION_ERROR");
-        }
-        const maxUses = body.maxUses !== undefined ? Number(body.maxUses) : 1;
-        if (maxUses < 1 || maxUses > 100) {
-            return this.errorResponse("maxUses must be between 1 and 100", 400, "VALIDATION_ERROR");
-        }
-        const invitation = await this.store.createInvitation({
-            role: body.role,
-            remark,
-            inviterDid: caller.did,
-            teamDid: caller.did, // Use caller DID as team DID for now
-            expireHours,
-            maxUses,
-            instanceDid,
-        });
-        await this.store.createAuditLog({
-            action: "invitation.create",
-            operatorDid: caller.did,
-            metadata: { role: body.role, maxUses, expireHours },
-            ip: caller.ip,
-            instanceDid,
-        });
-        const baseUrl = this.resolvePortalUrl(request);
-        const link = `${baseUrl}/.well-known/service/invite?id=${invitation.id}`;
-        // Resolve inviter name
-        const inviterUser = await this.store.getUserByDid(caller.did);
-        return this.jsonResponse({
-            ok: true,
-            invitation: {
-                ...invitation,
-                inviterName: inviterUser?.fullName ?? null,
-                link,
-            },
-        });
-    }
-    async handleDeleteInvitation(caller, invitationId, instanceDid) {
-        requirePermission(caller.role, "team.delete_invitation");
-        const invitation = await this.store.getInvitation(invitationId);
-        if (!invitation) {
-            return this.errorResponse("Invitation not found", 404, "NOT_FOUND");
-        }
-        // Instance context: verify invitation belongs to this instance
-        if (instanceDid && invitation.instance_did !== instanceDid) {
-            return this.errorResponse("Invitation not found", 404, "NOT_FOUND");
-        }
-        // Admin can only delete own invitations
-        if (caller.role === "admin" && invitation.inviterDid !== caller.did) {
-            return this.errorResponse("Admin can only delete own invitations", 403, "FORBIDDEN");
-        }
-        await this.store.deleteInvitation(invitationId);
-        await this.store.createAuditLog({
-            action: "invitation.delete",
-            operatorDid: caller.did,
-            metadata: { invitationId, role: invitation.role },
-            ip: caller.ip,
-            instanceDid,
-        });
-        return this.jsonResponse({ ok: true });
-    }
-    async handleGetInvitationInfo(invitationId) {
-        const invitation = await this.store.getInvitation(invitationId);
-        if (!invitation) {
-            return this.jsonResponse({ valid: false, error: "not_found" });
-        }
-        // Check expiration
-        if (new Date(invitation.expireAt) < new Date()) {
-            return this.jsonResponse({ valid: false, error: "expired" });
-        }
-        // Check status
-        if (invitation.status === "closed" || invitation.useCount >= invitation.maxUses) {
-            return this.jsonResponse({ valid: false, error: "closed" });
-        }
-        if (invitation.status === "expired") {
-            return this.jsonResponse({ valid: false, error: "expired" });
-        }
-        return this.jsonResponse({
-            valid: true,
-            role: invitation.role,
-            remark: invitation.remark,
-            expireAt: invitation.expireAt,
-        });
-    }
-    async handleAcceptInvitation(caller, invitationId, instanceDid) {
-        const invitation = await this.store.getInvitation(invitationId);
-        if (!invitation) {
-            return this.errorResponse("Invitation not found", 404, "NOT_FOUND");
-        }
-        // Instance context: verify invitation belongs to this instance
-        const invInstanceDid = invitation.instance_did;
-        if (instanceDid && invInstanceDid && invInstanceDid !== instanceDid) {
-            return this.errorResponse("Invitation not found", 404, "NOT_FOUND");
-        }
-        // Validate invitation state
-        if (new Date(invitation.expireAt) < new Date()) {
-            return this.errorResponse("Invitation has expired", 410, "INVITATION_EXPIRED");
-        }
-        if (invitation.status === "expired") {
-            return this.errorResponse("Invitation has expired", 410, "INVITATION_EXPIRED");
-        }
-        if (invitation.status === "closed" || invitation.useCount >= invitation.maxUses) {
-            return this.errorResponse("Invitation is no longer available", 410, "INVITATION_CLOSED");
-        }
-        // Atomically increment use count
-        const incremented = await this.store.incrementInvitationUseCount(invitationId);
-        if (!incremented) {
-            return this.errorResponse("Invitation is no longer available", 410, "INVITATION_CLOSED");
-        }
-        // Close invitation if max uses reached
-        const updated = await this.store.getInvitation(invitationId);
-        if (updated && updated.useCount >= updated.maxUses) {
-            await this.store.updateInvitationStatus(invitationId, "closed");
-        }
-        const invitedRole = invitation.role;
-        const ROLE_LEVEL = { owner: 3, admin: 2, member: 1, guest: 0 };
-        const invitedLevel = ROLE_LEVEL[invitedRole] ?? 0;
-        // Instance-scoped invitation → create/upgrade membership
-        // Only use the invitation's own instance_did — a system-level invitation
-        // (instance_did=NULL) accepted on an instance domain should NOT create
-        // a membership for that instance; it should fall through to system-level logic.
-        if (invInstanceDid) {
-            const existing = await this.store.getMembership(caller.did, invInstanceDid);
-            if (existing) {
-                const existingLevel = ROLE_LEVEL[existing.role] ?? 0;
-                if (invitedLevel > existingLevel) {
-                    await this.store.updateMembershipRole(caller.did, invInstanceDid, invitedRole);
-                }
-            }
-            else {
-                await this.store.createMembership(caller.did, invInstanceDid, invitedRole, invitation.inviterDid);
-            }
-            await this.store.createAuditLog({
-                action: "user.accept_invitation",
-                operatorDid: caller.did,
-                metadata: { invitationId, role: invitedRole },
-                ip: caller.ip,
-                instanceDid: invInstanceDid,
-            });
-            const finalMembership = await this.store.getMembership(caller.did, invInstanceDid);
-            return this.jsonResponse({ ok: true, role: finalMembership?.role ?? invitedRole });
-        }
-        // System-level invitation → upgrade system role
-        const user = await this.store.getUserByDid(caller.did);
-        const currentRole = user?.role;
-        const currentLevel = ROLE_LEVEL[currentRole ?? ""] ?? 0;
-        if (invitedLevel > currentLevel) {
-            await this.store.updateUserRole(caller.did, invitedRole);
-        }
-        // Set inviter (only if not already set)
-        await this.store.setUserInviter(caller.did, invitation.inviterDid);
-        // Audit log
-        await this.store.createAuditLog({
-            action: "user.accept_invitation",
-            operatorDid: caller.did,
-            metadata: { invitationId, role: invitedRole },
-            ip: caller.ip,
-        });
-        const finalRole = invitedLevel > currentLevel ? invitedRole : (currentRole ?? invitedRole);
-        return this.jsonResponse({ ok: true, role: finalRole });
-    }
-    // ─── Audit logs handler ─────────────────────────────────────────────
-    async handleListAuditLogs(caller, url, instanceDid) {
-        requirePermission(caller.role, "team.view_audit_logs");
-        const page = Math.max(1, Number.parseInt(url.searchParams.get("page") ?? "1", 10) || 1);
-        const pageSize = Math.min(100, Math.max(1, Number.parseInt(url.searchParams.get("pageSize") ?? "50", 10) || 50));
-        const action = url.searchParams.get("action") || undefined;
-        const { logs, total } = await this.store.getAuditLogs({ page, pageSize, action, instanceDid });
-        return this.jsonResponse({
-            ok: true,
-            logs,
-            paging: { total, page, pageSize },
-        });
-    }
-    // ─── Ownership transfer handler ─────────────────────────────────────
-    async handleTransferOwnership(caller, request, instanceDid) {
-        if (instanceDid) {
-            return this.errorResponse("Not supported for instances", 501, "NOT_IMPLEMENTED");
-        }
-        requirePermission(caller.role, "team.transfer_ownership");
-        const body = await this.parseJSON(request);
-        if (!body.targetDid) {
-            return this.errorResponse("targetDid is required", 400, "VALIDATION_ERROR");
-        }
-        const targetDid = body.targetDid;
-        if (targetDid === caller.did) {
-            return this.errorResponse("Cannot transfer ownership to yourself", 400, "VALIDATION_ERROR");
-        }
-        const target = await this.store.getUserByDid(targetDid);
-        if (!target) {
-            return this.errorResponse("Target member not found", 404, "NOT_FOUND");
-        }
-        if (!target.approved) {
-            return this.errorResponse("Cannot transfer ownership to a blocked user", 400, "VALIDATION_ERROR");
-        }
-        await this.store.transferOwnership(caller.did, targetDid);
-        await this.store.createAuditLog({
-            action: "user.transfer_ownership",
-            operatorDid: caller.did,
-            targetDid,
-            metadata: { newOwner: target.fullName },
-            ip: caller.ip,
-        });
-        return this.jsonResponse({ ok: true });
-    }
-    // ─── Access policy handlers ─────────────────────────────────────────
-    async handleListAccessPolicies(caller, instanceDid) {
-        requirePermission(caller.role, "access_policy.list");
-        const policies = await this.store.getAccessPolicies(instanceDid);
-        return this.jsonResponse({ ok: true, policies });
-    }
-    async handleCreateAccessPolicy(caller, request, instanceDid) {
-        requirePermission(caller.role, "access_policy.create");
-        const body = await this.parseJSON(request);
-        if (!body.name || body.name.length > 32) {
-            return this.errorResponse("Name is required (max 32 chars)", 400, "VALIDATION_ERROR");
-        }
-        const validTypes = ["public", "invited", "owner", "admin", "roles", "roles_reverse"];
-        if (!body.accessType || !validTypes.includes(body.accessType)) {
-            return this.errorResponse("Invalid accessType", 400, "VALIDATION_ERROR");
-        }
-        if (body.accessType === "roles" || body.accessType === "roles_reverse") {
-            if (!body.roles || body.roles.length === 0) {
-                return this.errorResponse("Roles required for this access type", 400, "VALIDATION_ERROR");
-            }
-            const validRoles = ["owner", "admin", "member", "guest"];
-            if (body.roles.some((r) => !validRoles.includes(r))) {
-                return this.errorResponse("Invalid role name", 400, "VALIDATION_ERROR");
-            }
-        }
-        const policy = await this.store.createAccessPolicy({
-            name: body.name,
-            description: body.description?.slice(0, 256),
-            accessType: body.accessType,
-            roles: body.roles,
-            instanceDid,
-        });
-        await this.store.createAuditLog({
-            action: "access_policy.create",
-            operatorDid: caller.did,
-            metadata: { policyId: policy.id, name: body.name },
-            ip: caller.ip,
-            instanceDid,
-        });
-        return this.jsonResponse({ ok: true, policy });
-    }
-    async handleUpdateAccessPolicy(caller, id, request, instanceDid) {
-        requirePermission(caller.role, "access_policy.update");
-        const existing = await this.store.getAccessPolicy(id);
-        if (!existing) {
-            return this.errorResponse("Policy not found", 404, "NOT_FOUND");
-        }
-        if (existing.isProtected) {
-            return this.errorResponse("Cannot update protected policies", 403, "FORBIDDEN");
-        }
-        // Instance context: can only modify own instance's policies, not global
-        if (instanceDid && existing.instanceDid === null) {
-            return this.errorResponse("Cannot modify global policies from instance context", 403, "FORBIDDEN");
-        }
-        if (instanceDid && existing.instanceDid !== null && existing.instanceDid !== instanceDid) {
-            return this.errorResponse("Policy not found", 404, "NOT_FOUND");
-        }
-        const body = await this.parseJSON(request);
-        if (body.name !== undefined && (body.name.length === 0 || body.name.length > 32)) {
-            return this.errorResponse("Name must be 1-32 chars", 400, "VALIDATION_ERROR");
-        }
-        if (body.accessType !== undefined) {
-            const validTypes = ["public", "invited", "owner", "admin", "roles", "roles_reverse"];
-            if (!validTypes.includes(body.accessType)) {
-                return this.errorResponse("Invalid accessType", 400, "VALIDATION_ERROR");
-            }
-            if (body.accessType === "roles" || body.accessType === "roles_reverse") {
-                if (!body.roles || body.roles.length === 0) {
-                    return this.errorResponse("Roles required for this access type", 400, "VALIDATION_ERROR");
-                }
-                const validRoles = ["owner", "admin", "member", "guest"];
-                if (body.roles.some((r) => !validRoles.includes(r))) {
-                    return this.errorResponse("Invalid role name", 400, "VALIDATION_ERROR");
-                }
-            }
-        }
-        const policy = await this.store.updateAccessPolicy(id, {
-            name: body.name,
-            description: body.description?.slice(0, 256),
-            accessType: body.accessType,
-            roles: body.roles,
-        });
-        await this.store.createAuditLog({
-            action: "access_policy.update",
-            operatorDid: caller.did,
-            metadata: { policyId: id },
-            ip: caller.ip,
-            instanceDid,
-        });
-        return this.jsonResponse({ ok: true, policy });
-    }
-    async handleDeleteAccessPolicy(caller, id, instanceDid) {
-        requirePermission(caller.role, "access_policy.delete");
-        const existing = await this.store.getAccessPolicy(id);
-        if (!existing) {
-            return this.errorResponse("Policy not found", 404, "NOT_FOUND");
-        }
-        if (existing.isProtected) {
-            return this.errorResponse("Cannot delete protected policies", 403, "FORBIDDEN");
-        }
-        // Instance context: can only delete own instance's policies
-        if (instanceDid && existing.instanceDid === null) {
-            return this.errorResponse("Cannot delete global policies from instance context", 403, "FORBIDDEN");
-        }
-        if (instanceDid && existing.instanceDid !== null && existing.instanceDid !== instanceDid) {
-            return this.errorResponse("Policy not found", 404, "NOT_FOUND");
-        }
-        const ruleCount = await this.store.getAccessPolicyRuleCount(id);
-        if (ruleCount > 0) {
-            return this.errorResponse("Cannot delete policy referenced by security rules", 409, "CONFLICT");
-        }
-        await this.store.deleteAccessPolicy(id);
-        await this.store.createAuditLog({
-            action: "access_policy.delete",
-            operatorDid: caller.did,
-            metadata: { policyId: id, name: existing.name },
-            ip: caller.ip,
-            instanceDid,
-        });
-        return this.jsonResponse({ ok: true });
-    }
-    // ─── Security rule handlers ────────────────────────────────────────
-    async handleListSecurityRules(caller, instanceDid) {
-        requirePermission(caller.role, "security_rule.list");
-        const rules = await this.store.getSecurityRules(instanceDid);
-        return this.jsonResponse({ ok: true, rules });
-    }
-    async handleCreateSecurityRule(caller, request, instanceDid) {
-        requirePermission(caller.role, "security_rule.create");
-        const body = await this.parseJSON(request);
-        if (!body.pathPattern) {
-            return this.errorResponse("pathPattern is required", 400, "VALIDATION_ERROR");
-        }
-        if (!body.accessPolicyId) {
-            return this.errorResponse("accessPolicyId is required", 400, "VALIDATION_ERROR");
-        }
-        // Validate policy exists
-        const policy = await this.store.getAccessPolicy(body.accessPolicyId);
-        if (!policy) {
-            return this.errorResponse("Access policy not found", 400, "VALIDATION_ERROR");
-        }
-        // Priority must be >= 0
-        if (body.priority !== undefined && body.priority < 0) {
-            return this.errorResponse("Priority must be >= 0", 400, "VALIDATION_ERROR");
-        }
-        const rule = await this.store.createSecurityRule({
-            pathPattern: body.pathPattern,
-            accessPolicyId: body.accessPolicyId,
-            priority: body.priority,
-            remark: body.remark,
-            instanceDid,
-        });
-        await this.store.createAuditLog({
-            action: "security_rule.create",
-            operatorDid: caller.did,
-            metadata: { ruleId: rule.id, pathPattern: body.pathPattern },
-            ip: caller.ip,
-            instanceDid,
-        });
-        return this.jsonResponse({ ok: true, rule });
-    }
-    async handleUpdateSecurityRule(caller, id, request, instanceDid) {
-        requirePermission(caller.role, "security_rule.update");
-        const existing = await this.store.getSecurityRule(id);
-        if (!existing) {
-            return this.errorResponse("Rule not found", 404, "NOT_FOUND");
-        }
-        // Instance context: can only modify own instance's rules, not global
-        if (instanceDid && existing.instanceDid === null) {
-            return this.errorResponse("Cannot modify global rules from instance context", 403, "FORBIDDEN");
-        }
-        if (instanceDid && existing.instanceDid !== null && existing.instanceDid !== instanceDid) {
-            return this.errorResponse("Rule not found", 404, "NOT_FOUND");
-        }
-        const body = await this.parseJSON(request);
-        // Default rule constraints
-        if (id === "default") {
-            if (body.pathPattern !== undefined) {
-                return this.errorResponse("Cannot change default rule pattern", 400, "VALIDATION_ERROR");
-            }
-            if (body.priority !== undefined) {
-                return this.errorResponse("Cannot change default rule priority", 400, "VALIDATION_ERROR");
-            }
-        }
-        // Validate policy exists if changing it
-        if (body.accessPolicyId !== undefined) {
-            const policy = await this.store.getAccessPolicy(body.accessPolicyId);
-            if (!policy) {
-                return this.errorResponse("Access policy not found", 400, "VALIDATION_ERROR");
-            }
-        }
-        if (body.priority !== undefined && body.priority < 0) {
-            return this.errorResponse("Priority must be >= 0", 400, "VALIDATION_ERROR");
-        }
-        const rule = await this.store.updateSecurityRule(id, {
-            pathPattern: body.pathPattern,
-            accessPolicyId: body.accessPolicyId,
-            priority: body.priority,
-            enabled: body.enabled,
-            remark: body.remark,
-        });
-        await this.store.createAuditLog({
-            action: "security_rule.update",
-            operatorDid: caller.did,
-            metadata: { ruleId: id },
-            ip: caller.ip,
-            instanceDid,
-        });
-        return this.jsonResponse({ ok: true, rule });
-    }
-    async handleDeleteSecurityRule(caller, id, instanceDid) {
-        requirePermission(caller.role, "security_rule.delete");
-        if (id === "default") {
-            return this.errorResponse("Cannot delete the default rule", 403, "FORBIDDEN");
-        }
-        const existing = await this.store.getSecurityRule(id);
-        if (!existing) {
-            return this.errorResponse("Rule not found", 404, "NOT_FOUND");
-        }
-        // Instance context: can only delete own instance's rules, not global
-        if (instanceDid && existing.instanceDid === null) {
-            return this.errorResponse("Cannot delete global rules from instance context", 403, "FORBIDDEN");
-        }
-        if (instanceDid && existing.instanceDid !== null && existing.instanceDid !== instanceDid) {
-            return this.errorResponse("Rule not found", 404, "NOT_FOUND");
-        }
-        await this.store.deleteSecurityRule(id);
-        await this.store.createAuditLog({
-            action: "security_rule.delete",
-            operatorDid: caller.did,
-            metadata: { ruleId: id, pathPattern: existing.pathPattern },
-            ip: caller.ip,
-            instanceDid,
-        });
-        return this.jsonResponse({ ok: true });
-    }
-    // ─── Settings handlers ─────────────────────────────────────────────
-    /** Resolve the effective instanceDid for settings operations. */
-    get settingsInstanceDid() {
-        return this.instanceDid ?? "_global_";
-    }
-    /** Mask a sensitive value: show last 4 chars, prefix with ***. Values ≤4 chars → just ***. */
-    maskSecret(value) {
-        if (value == null)
-            return undefined;
-        if (value.length <= 4)
-            return "***";
-        return `***${value.slice(-4)}`;
-    }
-    /** Valid OAuth provider names (aligned with ADAPTERS constant). */
-    static VALID_OAUTH_PROVIDERS = [
-        "google", "github", "apple", "twitter", "facebook", "auth0", "auth0-legacy",
-    ];
-    /** Check if a value is a masked placeholder that should preserve the old value. */
-    isMaskedValue(value) {
-        return typeof value === "string" && /^\*{3}/.test(value);
-    }
-    /** Sanitize object keys to prevent prototype pollution. */
-    sanitizeKeys(obj) {
-        const dangerous = ["__proto__", "constructor", "prototype"];
-        const result = {};
-        for (const [key, value] of Object.entries(obj)) {
-            if (!dangerous.includes(key)) {
-                result[key] = value;
-            }
-        }
-        return result;
-    }
-    async handleGetSettings(caller) {
-        requirePermission(caller.role, "settings.view");
-        const did = this.settingsInstanceDid;
-        const allSettings = await this.store.listSettings(did);
-        // Aggregate settings by category
-        const oauthProviders = {};
-        let builtinProviders = {};
-        let session = {};
-        let email = {};
-        for (const s of allSettings) {
-            if (!s.value)
-                continue;
-            try {
-                if (s.key.startsWith("oauth:")) {
-                    const provider = s.key.slice(6);
-                    const parsed = JSON.parse(s.value);
-                    // Mask sensitive fields
-                    if (parsed.clientSecret)
-                        parsed.clientSecret = this.maskSecret(parsed.clientSecret);
-                    if (parsed.privateKey)
-                        parsed.privateKey = this.maskSecret(parsed.privateKey);
-                    // Apply defaults for management fields
-                    parsed.enabled = parsed.enabled ?? true;
-                    parsed.order = parsed.order ?? 999;
-                    oauthProviders[provider] = parsed;
-                }
-                else if (s.key === "auth:builtin-providers") {
-                    builtinProviders = JSON.parse(s.value);
-                }
-                else if (s.key === "session:config") {
-                    session = JSON.parse(s.value);
-                }
-                else if (s.key === "email:config") {
-                    const parsed = JSON.parse(s.value);
-                    if (parsed.resendApiKey)
-                        parsed.resendApiKey = this.maskSecret(parsed.resendApiKey);
-                    email = parsed;
-                }
-            }
-            catch {
-                // Skip invalid JSON
-            }
-        }
-        return this.jsonResponse({
-            ok: true,
-            settings: { oauthProviders, builtinProviders, session, email },
-        });
-    }
-    async handleSaveOAuthProvider(caller, provider, request) {
-        requirePermission(caller.role, "settings.edit");
-        if (!TeamHandler.VALID_OAUTH_PROVIDERS.includes(provider)) {
-            return this.errorResponse(`Invalid provider: ${provider}`, 400, "VALIDATION_ERROR");
-        }
-        const body = this.sanitizeKeys(await this.parseJSON(request));
-        // Validate required fields based on provider
-        if (provider === "apple") {
-            if (!body.teamId || !body.keyId || !body.serviceId) {
-                return this.errorResponse("Apple requires teamId, keyId, and serviceId", 400, "VALIDATION_ERROR");
-            }
-        }
-        else if (provider === "auth0" || provider === "auth0-legacy") {
-            if (!body.clientId || !body.domain) {
-                return this.errorResponse("Auth0 requires clientId and domain", 400, "VALIDATION_ERROR");
-            }
-        }
-        else {
-            if (!body.clientId) {
-                return this.errorResponse("clientId is required", 400, "VALIDATION_ERROR");
-            }
-        }
-        // If secret fields are masked, preserve old values
-        const did = this.settingsInstanceDid;
-        const settingKey = `oauth:${provider}`;
-        if (this.isMaskedValue(body.clientSecret) || this.isMaskedValue(body.privateKey)) {
-            const oldRaw = await this.store.getSetting(did, settingKey);
-            if (oldRaw) {
-                try {
-                    const old = JSON.parse(oldRaw);
-                    if (this.isMaskedValue(body.clientSecret) && old.clientSecret) {
-                        body.clientSecret = old.clientSecret;
-                    }
-                    if (this.isMaskedValue(body.privateKey) && old.privateKey) {
-                        body.privateKey = old.privateKey;
-                    }
-                }
-                catch {
-                    // ignore
-                }
-            }
-        }
-        await this.store.setSetting(did, settingKey, JSON.stringify(body));
-        await this.store.createAuditLog({
-            action: "settings.oauth_update",
-            operatorDid: caller.did,
-            metadata: { provider, action: "save" },
-            ip: caller.ip,
-        });
-        return this.jsonResponse({ ok: true });
-    }
-    async handleDeleteOAuthProvider(caller, provider) {
-        requirePermission(caller.role, "settings.edit");
-        const did = this.settingsInstanceDid;
-        const settingKey = `oauth:${provider}`;
-        const existing = await this.store.getSetting(did, settingKey);
-        if (!existing) {
-            return this.errorResponse("Provider not found", 404, "NOT_FOUND");
-        }
-        await this.store.deleteSetting(did, settingKey);
-        await this.store.createAuditLog({
-            action: "settings.oauth_delete",
-            operatorDid: caller.did,
-            metadata: { provider },
-            ip: caller.ip,
-        });
-        return this.jsonResponse({ ok: true });
-    }
-    async handleSaveBuiltinProviders(caller, request) {
-        requirePermission(caller.role, "settings.edit");
-        const body = this.sanitizeKeys(await this.parseJSON(request));
-        // Validate structure: each provider must have { enabled: boolean }
-        for (const key of ["passkey", "email", "wallet"]) {
-            const entry = body[key];
-            if (entry && typeof entry.enabled !== "boolean") {
-                return this.errorResponse(`${key}.enabled must be a boolean`, 400, "VALIDATION_ERROR");
-            }
-        }
-        const did = this.settingsInstanceDid;
-        await this.store.setSetting(did, "auth:builtin-providers", JSON.stringify(body));
-        await this.store.createAuditLog({
-            action: "settings.builtin_providers_update",
-            operatorDid: caller.did,
-            metadata: { providers: body },
-            ip: caller.ip,
-        });
-        return this.jsonResponse({ ok: true });
-    }
-    async handleSaveSessionConfig(caller, request) {
-        requirePermission(caller.role, "settings.edit");
-        const body = await this.parseJSON(request);
-        const ttl = body.jwtTtlDays;
-        if (typeof ttl !== "number" || !Number.isInteger(ttl) || ttl < 1 || ttl > 30) {
-            return this.errorResponse("jwtTtlDays must be an integer between 1 and 30", 400, "VALIDATION_ERROR");
-        }
-        const did = this.settingsInstanceDid;
-        await this.store.setSetting(did, "session:config", JSON.stringify({ jwtTtlDays: ttl }));
-        await this.store.createAuditLog({
-            action: "settings.session_update",
-            operatorDid: caller.did,
-            metadata: { jwtTtlDays: ttl },
-            ip: caller.ip,
-        });
-        return this.jsonResponse({ ok: true });
-    }
-    async handleSaveEmailConfig(caller, request) {
-        requirePermission(caller.role, "settings.edit");
-        const body = this.sanitizeKeys(await this.parseJSON(request));
-        const { resendApiKey, fromAddress } = body;
-        // Validate email format
-        if (!fromAddress || !/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(fromAddress)) {
-            return this.errorResponse("Invalid email address", 400, "VALIDATION_ERROR");
-        }
-        // If API key is masked, preserve old value
-        const did = this.settingsInstanceDid;
-        let finalApiKey = resendApiKey;
-        if (this.isMaskedValue(resendApiKey)) {
-            const oldRaw = await this.store.getSetting(did, "email:config");
-            if (oldRaw) {
-                try {
-                    const old = JSON.parse(oldRaw);
-                    if (old.resendApiKey)
-                        finalApiKey = old.resendApiKey;
-                }
-                catch {
-                    // ignore
-                }
-            }
-        }
-        if (!finalApiKey) {
-            return this.errorResponse("resendApiKey is required", 400, "VALIDATION_ERROR");
-        }
-        await this.store.setSetting(did, "email:config", JSON.stringify({ resendApiKey: finalApiKey, fromAddress }));
-        await this.store.createAuditLog({
-            action: "settings.email_update",
-            operatorDid: caller.did,
-            metadata: { fromAddress },
-            ip: caller.ip,
-        });
-        return this.jsonResponse({ ok: true });
-    }
-    // ─── Page handlers ─────────────────────────────────────────────────
-    async serveAdminPage(request, instanceDid) {
-        // Verify JWT — if not authenticated, return login page
-        const caller = await this.passkey.verify(request);
-        if (!caller) {
-            return await this.passkey.getLoginPage(this.instanceDid);
-        }
-        // Look up user to get role
-        const user = await this.store.getUserByDid(caller.did);
-        if (!user || !user.approved) {
-            return await this.passkey.getLoginPage(this.instanceDid);
-        }
-        // Resolve effective role for instance context
-        let effectiveRole = user.role ?? "member";
-        if (instanceDid) {
-            const resolved = await resolveInstanceRole(this.store, caller.did, instanceDid, user.role ?? undefined);
-            if (!resolved) {
-                return await this.passkey.getLoginPage(this.instanceDid);
-            }
-            effectiveRole = resolved;
-        }
-        const html = buildAdminPageHTML({
-            caller: {
-                did: caller.did,
-                fullName: user.fullName ?? undefined,
-                role: effectiveRole,
-                avatar: user.avatar ?? undefined,
-            },
-            basePath: this.apiBase,
-            instanceDid,
-        });
-        return new Response(html, {
-            headers: {
-                "Content-Type": "text/html; charset=utf-8",
-                "Cache-Control": "private, no-store",
-            },
-        });
-    }
-    serveInvitePage() {
-        const html = buildInvitePageHTML(this.apiBase);
-        return new Response(html, {
-            headers: {
-                "Content-Type": "text/html; charset=utf-8",
-                "Cache-Control": "private, no-store",
-            },
-        });
-    }
-    // ─── Helpers ────────────────────────────────────────────────────────
-    jsonResponse(data, status = 200) {
-        return new Response(JSON.stringify(data), {
-            status,
-            headers: {
-                "Content-Type": "application/json",
-                "Cache-Control": "private, no-store",
-            },
-        });
-    }
-    errorResponse(message, status, code) {
-        return this.jsonResponse({ ok: false, error: message, code }, status);
-    }
-    async parseJSON(request) {
-        try {
-            return (await request.json());
-        }
-        catch {
-            throw new AuthError("Invalid JSON body", 400, "VALIDATION_ERROR");
-        }
-    }
-}
-class AuthError extends Error {
-    status;
-    code;
-    constructor(message, status, code) {
-        super(message);
-        this.status = status;
-        this.code = code;
-        this.name = "AuthError";
-    }
-}
-export function createTeamHandler(options) {
-    return new TeamHandler(options);
-}
-//# sourceMappingURL=team-handler.js.map