@blackcode_sa/metaestetics-api 1.15.17-staging.0 → 1.15.17-staging.10

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@blackcode_sa/metaestetics-api",
   "private": false,
-  "version": "1.15.17-staging.0",
+  "version": "1.15.17-staging.10",
   "description": "Firebase authentication service with anonymous upgrade support",
   "main": "dist/index.js",
   "module": "dist/index.mjs",

package/src/admin/aggregation/clinic/clinic.aggregation.service.ts

@@ -59,7 +59,7 @@ export class ClinicAggregationService {
     try {
       await groupRef.update({
         clinicsInfo: admin.firestore.FieldValue.arrayUnion(clinicInfo),
-        clinicIds: admin.firestore.FieldValue.arrayUnion(clinicId),
+        clinics: admin.firestore.FieldValue.arrayUnion(clinicId),
         updatedAt: admin.firestore.FieldValue.serverTimestamp(),
       });
 

package/src/config/index.ts

@@ -12,6 +12,9 @@ export {
   PERMISSION_KEYS,
   TIER_CONFIG,
   DEFAULT_ROLE_PERMISSIONS,
+  DEFAULT_PLAN_CONFIG,
+  PERMISSION_LABELS,
+  PERMISSION_CATEGORIES,
   resolveEffectiveTier,
 } from "./tiers.config";
 export type { PermissionKey } from "./tiers.config";

package/src/config/tiers.config.ts

@@ -1,21 +1,37 @@
 import { ClinicRole } from '../types/clinic/rbac.types';
 import type { TierConfig } from '../types/clinic/rbac.types';
+import type { PlanConfigDocument } from '../types/system/planConfig.types';
 
 /**
  * Permission keys used for role-based access control.
  * Every feature is available on every tier — these only control
- * what a given role (owner/admin/doctor/etc.) can do.
+ * what a given role (owner/admin/receptionist/assistant) can do.
+ * New roles can be added by extending the ClinicRole enum and adding
+ * a corresponding entry here.
+ *
+ * v2 (2026-03-31): Expanded from 23 to 40 permissions.
+ *   - providers.manage → providers.create, providers.invite, providers.edit
+ *   - staff.manage → staff.view, staff.edit, staff.invite, staff.delete, staff.viewTokens, staff.deleteTokens
+ *   - Added: clinic.create, calendar.addEvent, calendar.editEvent, calendar.deleteEvent,
+ *     appointments.reschedule, patients.viewDetails, patients.create, patients.manageTokens, billing.view
  */
 export const PERMISSION_KEYS = {
-  // Listing & profile
+  // Clinic
   'clinic.view': true,
   'clinic.edit': true,
+  'clinic.create': true,
   'reviews.view': true,
 
-  // Calendar & Appointments
+  // Calendar
   'calendar.view': true,
+  'calendar.addEvent': true,
+  'calendar.editEvent': true,
+  'calendar.deleteEvent': true,
+
+  // Appointments
   'appointments.view': true,
   'appointments.confirm': true,
+  'appointments.reschedule': true,
   'appointments.cancel': true,
 
   // Messaging
@@ -35,20 +51,31 @@ export const PERMISSION_KEYS = {
 
   // Patients
   'patients.view': true,
+  'patients.viewDetails': true,
+  'patients.create': true,
   'patients.edit': true,
+  'patients.manageTokens': true,
 
   // Providers (doctors, nurses, laser assistants, etc.)
   'providers.view': true,
-  'providers.manage': true,
+  'providers.create': true,
+  'providers.invite': true,
+  'providers.edit': true,
 
   // Analytics
   'analytics.view': true,
 
   // Staff management
-  'staff.manage': true,
+  'staff.view': true,
+  'staff.edit': true,
+  'staff.invite': true,
+  'staff.delete': true,
+  'staff.viewTokens': true,
+  'staff.deleteTokens': true,
 
   // Settings / Admin
   'settings.manage': true,
+  'billing.view': true,
   'billing.manage': true,
 } as const;
 
@@ -107,10 +134,15 @@ export const DEFAULT_ROLE_PERMISSIONS: Record<ClinicRole, Record<string, boolean
   [ClinicRole.OWNER]: {
     'clinic.view': true,
     'clinic.edit': true,
+    'clinic.create': true,
     'reviews.view': true,
     'calendar.view': true,
+    'calendar.addEvent': true,
+    'calendar.editEvent': true,
+    'calendar.deleteEvent': true,
     'appointments.view': true,
     'appointments.confirm': true,
+    'appointments.reschedule': true,
     'appointments.cancel': true,
     'messaging': true,
     'procedures.view': true,
@@ -122,21 +154,37 @@ export const DEFAULT_ROLE_PERMISSIONS: Record<ClinicRole, Record<string, boolean
     'resources.edit': true,
     'resources.delete': true,
     'patients.view': true,
+    'patients.viewDetails': true,
+    'patients.create': true,
     'patients.edit': true,
+    'patients.manageTokens': true,
     'providers.view': true,
-    'providers.manage': true,
+    'providers.create': true,
+    'providers.invite': true,
+    'providers.edit': true,
     'analytics.view': true,
-    'staff.manage': true,
+    'staff.view': true,
+    'staff.edit': true,
+    'staff.invite': true,
+    'staff.delete': true,
+    'staff.viewTokens': true,
+    'staff.deleteTokens': true,
     'settings.manage': true,
+    'billing.view': true,
     'billing.manage': true,
   },
   [ClinicRole.ADMIN]: {
     'clinic.view': true,
     'clinic.edit': true,
+    'clinic.create': false,
     'reviews.view': true,
     'calendar.view': true,
+    'calendar.addEvent': true,
+    'calendar.editEvent': true,
+    'calendar.deleteEvent': true,
     'appointments.view': true,
     'appointments.confirm': true,
+    'appointments.reschedule': true,
     'appointments.cancel': true,
     'messaging': true,
     'procedures.view': true,
@@ -148,47 +196,37 @@ export const DEFAULT_ROLE_PERMISSIONS: Record<ClinicRole, Record<string, boolean
     'resources.edit': true,
     'resources.delete': true,
     'patients.view': true,
+    'patients.viewDetails': true,
+    'patients.create': true,
     'patients.edit': true,
+    'patients.manageTokens': true,
     'providers.view': true,
-    'providers.manage': true,
+    'providers.create': true,
+    'providers.invite': true,
+    'providers.edit': true,
     'analytics.view': true,
-    'staff.manage': false,
+    'staff.view': true,
+    'staff.edit': false,
+    'staff.invite': false,
+    'staff.delete': false,
+    'staff.viewTokens': false,
+    'staff.deleteTokens': false,
     'settings.manage': true,
-    'billing.manage': false,
-  },
-  [ClinicRole.DOCTOR]: {
-    'clinic.view': true,
-    'clinic.edit': false,
-    'reviews.view': true,
-    'calendar.view': true,
-    'appointments.view': true,
-    'appointments.confirm': true,
-    'appointments.cancel': true,
-    'messaging': true,
-    'procedures.view': true,
-    'procedures.create': false,
-    'procedures.edit': false,
-    'procedures.delete': false,
-    'resources.view': true,
-    'resources.create': false,
-    'resources.edit': false,
-    'resources.delete': false,
-    'patients.view': true,
-    'patients.edit': true,
-    'providers.view': true,
-    'providers.manage': false,
-    'analytics.view': true,
-    'staff.manage': false,
-    'settings.manage': false,
+    'billing.view': true,
     'billing.manage': false,
   },
   [ClinicRole.RECEPTIONIST]: {
     'clinic.view': true,
     'clinic.edit': false,
+    'clinic.create': false,
     'reviews.view': true,
     'calendar.view': true,
+    'calendar.addEvent': true,
+    'calendar.editEvent': false,
+    'calendar.deleteEvent': false,
     'appointments.view': true,
     'appointments.confirm': true,
+    'appointments.reschedule': true,
     'appointments.cancel': false,
     'messaging': true,
     'procedures.view': true,
@@ -200,21 +238,37 @@ export const DEFAULT_ROLE_PERMISSIONS: Record<ClinicRole, Record<string, boolean
     'resources.edit': false,
     'resources.delete': false,
     'patients.view': true,
+    'patients.viewDetails': true,
+    'patients.create': true,
     'patients.edit': false,
+    'patients.manageTokens': false,
     'providers.view': true,
-    'providers.manage': false,
+    'providers.create': false,
+    'providers.invite': false,
+    'providers.edit': false,
     'analytics.view': false,
-    'staff.manage': false,
+    'staff.view': false,
+    'staff.edit': false,
+    'staff.invite': false,
+    'staff.delete': false,
+    'staff.viewTokens': false,
+    'staff.deleteTokens': false,
     'settings.manage': false,
+    'billing.view': false,
     'billing.manage': false,
   },
   [ClinicRole.ASSISTANT]: {
     'clinic.view': true,
     'clinic.edit': false,
+    'clinic.create': false,
     'reviews.view': true,
     'calendar.view': true,
+    'calendar.addEvent': false,
+    'calendar.editEvent': false,
+    'calendar.deleteEvent': false,
     'appointments.view': true,
     'appointments.confirm': false,
+    'appointments.reschedule': false,
     'appointments.cancel': false,
     'messaging': false,
     'procedures.view': true,
@@ -226,16 +280,181 @@ export const DEFAULT_ROLE_PERMISSIONS: Record<ClinicRole, Record<string, boolean
     'resources.edit': false,
     'resources.delete': false,
     'patients.view': true,
+    'patients.viewDetails': false,
+    'patients.create': false,
     'patients.edit': false,
+    'patients.manageTokens': false,
     'providers.view': true,
-    'providers.manage': false,
+    'providers.create': false,
+    'providers.invite': false,
+    'providers.edit': false,
     'analytics.view': false,
-    'staff.manage': false,
+    'staff.view': false,
+    'staff.edit': false,
+    'staff.invite': false,
+    'staff.delete': false,
+    'staff.viewTokens': false,
+    'staff.deleteTokens': false,
     'settings.manage': false,
+    'billing.view': false,
     'billing.manage': false,
   },
 };
 
+/**
+ * Default PlanConfigDocument — used as fallback when Firestore `system/planConfig`
+ * doesn't exist or is unavailable. Also used as the seed value.
+ *
+ * Stripe price IDs reference the SKS Innovation SA sandbox account.
+ */
+export const DEFAULT_PLAN_CONFIG: PlanConfigDocument = {
+  version: 1,
+  updatedAt: null,
+  updatedBy: 'system',
+
+  tiers: {
+    free: {
+      name: 'Free',
+      limits: { maxProvidersPerBranch: 1, maxProceduresPerProvider: 3, maxBranches: 1 },
+    },
+    connect: {
+      name: 'Connect',
+      limits: { maxProvidersPerBranch: 3, maxProceduresPerProvider: 10, maxBranches: 1 },
+    },
+    pro: {
+      name: 'Pro',
+      limits: { maxProvidersPerBranch: 5, maxProceduresPerProvider: 20, maxBranches: 3 },
+    },
+  },
+
+  plans: {
+    FREE: {
+      priceId: null,
+      priceMonthly: 0,
+      currency: 'CHF',
+      description: 'Get started with basic access',
+      stripeProductId: null,
+    },
+    CONNECT: {
+      priceId: 'price_1TD0l7AaFI0fqFWNC8Lg3QJG',
+      priceMonthly: 199,
+      currency: 'CHF',
+      description: 'Consultation tools and integrated booking',
+      stripeProductId: null,
+    },
+    PRO: {
+      priceId: 'price_1TD0lEAaFI0fqFWN3tzCrfUb',
+      priceMonthly: 449,
+      currency: 'CHF',
+      description: 'Complete clinic management with CRM and analytics',
+      stripeProductId: null,
+    },
+  },
+
+  addons: {
+    seat: {
+      priceId: 'price_1TD0lKAaFI0fqFWNH9pQgTzI',
+      pricePerUnit: 39,
+      currency: 'CHF',
+      allowedTiers: ['connect', 'pro'],
+    },
+    branch: {
+      connect: { priceId: 'price_1TD0lSAaFI0fqFWNjsPvzW1T', pricePerUnit: 119, currency: 'CHF' },
+      pro: { priceId: 'price_1TD0lTAaFI0fqFWNYxUnvUxH', pricePerUnit: 279, currency: 'CHF' },
+      allowedTiers: ['connect', 'pro'],
+    },
+    procedure: {
+      priceId: 'price_1TCL3eAaFI0fqFWNJVuMYjii',
+      pricePerBlock: 19,
+      proceduresPerBlock: 5,
+      currency: 'CHF',
+      allowedTiers: ['connect', 'pro'],
+    },
+  },
+
+  priceToModel: {
+    'price_1TD0l7AaFI0fqFWNC8Lg3QJG': 'connect',
+    'price_1TD0lEAaFI0fqFWN3tzCrfUb': 'pro',
+  },
+
+  priceToType: {
+    'price_1TD0l7AaFI0fqFWNC8Lg3QJG': 'CONNECT',
+    'price_1TD0lEAaFI0fqFWN3tzCrfUb': 'PRO',
+  },
+
+  addonPriceIds: [
+    'price_1TD0lKAaFI0fqFWNH9pQgTzI',  // seat
+    'price_1TD0lSAaFI0fqFWNjsPvzW1T',  // branch connect
+    'price_1TD0lTAaFI0fqFWNYxUnvUxH',  // branch pro
+    'price_1TCL3eAaFI0fqFWNJVuMYjii',  // procedure
+  ],
+};
+
+/**
+ * Human-readable labels and grouping for permission keys.
+ * Used by the staff management UI for role/permission display.
+ */
+export const PERMISSION_LABELS: Record<
+  string,
+  { label: string; description: string; category: string }
+> = {
+  'clinic.view': { label: 'View Clinic', description: 'See clinic information and profile', category: 'Clinic' },
+  'clinic.edit': { label: 'Edit Clinic', description: 'Modify clinic settings and profile', category: 'Clinic' },
+  'clinic.create': { label: 'Create Clinic', description: 'Create new clinic branches', category: 'Clinic' },
+  'reviews.view': { label: 'View Reviews', description: 'See patient reviews and ratings', category: 'Clinic' },
+  'calendar.view': { label: 'View Calendar', description: 'See the clinic calendar and schedules', category: 'Calendar' },
+  'calendar.addEvent': { label: 'Add Events', description: 'Create appointments and blocking events on the calendar', category: 'Calendar' },
+  'calendar.editEvent': { label: 'Edit Events', description: 'Edit blocking events on the calendar', category: 'Calendar' },
+  'calendar.deleteEvent': { label: 'Delete Events', description: 'Delete blocking events from the calendar', category: 'Calendar' },
+  'appointments.view': { label: 'View Appointments', description: 'See appointment list and details', category: 'Appointments' },
+  'appointments.confirm': { label: 'Confirm Appointments', description: 'Confirm, reject, check in, and manage appointment status', category: 'Appointments' },
+  'appointments.reschedule': { label: 'Reschedule Appointments', description: 'Reschedule confirmed appointments to a new time', category: 'Appointments' },
+  'appointments.cancel': { label: 'Cancel Appointments', description: 'Cancel existing appointments', category: 'Appointments' },
+  'messaging': { label: 'Messaging', description: 'Send and receive messages with patients', category: 'Messaging' },
+  'procedures.view': { label: 'View Procedures', description: 'See the procedures catalog', category: 'Procedures' },
+  'procedures.create': { label: 'Create Procedures', description: 'Add new procedures and assign to practitioners', category: 'Procedures' },
+  'procedures.edit': { label: 'Edit Procedures', description: 'Modify existing procedures', category: 'Procedures' },
+  'procedures.delete': { label: 'Delete Procedures', description: 'Remove procedures from the catalog', category: 'Procedures' },
+  'resources.view': { label: 'View Resources', description: 'See clinic resources and equipment', category: 'Resources' },
+  'resources.create': { label: 'Create Resources', description: 'Add new resources', category: 'Resources' },
+  'resources.edit': { label: 'Edit Resources', description: 'Modify existing resources and activate instances', category: 'Resources' },
+  'resources.delete': { label: 'Delete Resources', description: 'Deactivate resources and delete instances', category: 'Resources' },
+  'patients.view': { label: 'View Patients', description: 'See patient list', category: 'Patients' },
+  'patients.viewDetails': { label: 'View Patient Details', description: 'Open patient file and detailed profile', category: 'Patients' },
+  'patients.create': { label: 'Create Patients', description: 'Add new patients', category: 'Patients' },
+  'patients.edit': { label: 'Edit Patients', description: 'Modify patient records and schedule appointments', category: 'Patients' },
+  'patients.manageTokens': { label: 'Manage Patient Tokens', description: 'Create and manage patient invitation tokens', category: 'Patients' },
+  'providers.view': { label: 'View Providers', description: 'See the practitioners/providers list', category: 'Providers' },
+  'providers.create': { label: 'Create Providers', description: 'Add new practitioners to the clinic', category: 'Providers' },
+  'providers.invite': { label: 'Invite Providers', description: 'Invite existing practitioners to the clinic', category: 'Providers' },
+  'providers.edit': { label: 'Edit Providers', description: 'Edit practitioner profiles and manage tokens', category: 'Providers' },
+  'analytics.view': { label: 'View Analytics', description: 'Access analytics dashboards and reports', category: 'Analytics' },
+  'staff.view': { label: 'View Staff', description: 'See staff management page and team members', category: 'Staff Management' },
+  'staff.edit': { label: 'Edit Staff', description: 'Edit roles, permissions, and clinic assignments', category: 'Staff Management' },
+  'staff.invite': { label: 'Invite Staff', description: 'Invite new team members', category: 'Staff Management' },
+  'staff.delete': { label: 'Delete Staff', description: 'Remove team members and cancel invitations', category: 'Staff Management' },
+  'staff.viewTokens': { label: 'View Tokens', description: 'See registration tokens', category: 'Staff Management' },
+  'staff.deleteTokens': { label: 'Delete Tokens', description: 'Delete registration tokens', category: 'Staff Management' },
+  'settings.manage': { label: 'Manage Settings', description: 'Modify clinic group settings', category: 'Administration' },
+  'billing.view': { label: 'View Billing', description: 'View subscription plans and billing history', category: 'Administration' },
+  'billing.manage': { label: 'Manage Billing', description: 'Manage subscriptions, upgrades, and payments', category: 'Administration' },
+};
+
+/** All unique permission categories in display order. */
+export const PERMISSION_CATEGORIES = [
+  'Clinic',
+  'Calendar',
+  'Appointments',
+  'Messaging',
+  'Procedures',
+  'Resources',
+  'Patients',
+  'Providers',
+  'Analytics',
+  'Staff Management',
+  'Administration',
+] as const;
+
 /**
  * Maps subscription model strings to tier keys.
  */

package/src/services/auth/auth.service.ts

@@ -319,11 +319,12 @@ export class AuthService extends BaseService {
           // Now update the admin with the group ID
           console.log('[AUTH] Updating admin with clinic group ID');
           await clinicAdminService.updateClinicAdmin(adminProfile.id, {
-            // Use admin profile ID, not user UID
             clinicGroupId: clinicGroup.id,
           });
           console.log('[AUTH] Admin updated with clinic group ID successfully');
 
+          // adminsInfo is populated by onCreateClinicAdmin Firestore trigger
+
           // Get the updated admin profile
           adminProfile = await clinicAdminService.getClinicAdmin(adminProfile.id);
         } catch (groupCreationError) {
@@ -341,57 +342,23 @@ export class AuthService extends BaseService {
           token: data.inviteToken,
         });
 
-        // Find the token in the database
-        console.log('[AUTH] Searching for token in clinic groups');
-        const groupsRef = collection(this.db, CLINIC_GROUPS_COLLECTION);
-        const q = query(groupsRef);
-        const querySnapshot = await getDocs(q);
-
-        let foundGroup: ClinicGroup | null = null;
-        let foundToken: AdminToken | null = null;
-
-        console.log('[AUTH] Found', querySnapshot.size, 'clinic groups to check');
-        for (const docSnapshot of querySnapshot.docs) {
-          const group = docSnapshot.data() as ClinicGroup;
-          console.log('[AUTH] Checking group', {
-            groupId: group.id,
-            groupName: group.name,
-          });
-
-          // Find the token in the group's tokens
-          const token = group.adminTokens.find(t => {
-            const isMatch =
-              t.token === data.inviteToken &&
-              t.status === AdminTokenStatus.ACTIVE &&
-              new Date(t.expiresAt.toDate()) > new Date();
-
-            console.log('[AUTH] Checking token', {
-              tokenId: t.id,
-              tokenMatch: t.token === data.inviteToken,
-              tokenStatus: t.status,
-              tokenActive: t.status === AdminTokenStatus.ACTIVE,
-              tokenExpiry: new Date(t.expiresAt.toDate()),
-              tokenExpired: new Date(t.expiresAt.toDate()) <= new Date(),
-              isMatch,
-            });
-
-            return isMatch;
-          });
+        // Find the token using collection group query (O(1) instead of scanning all groups)
+        console.log('[AUTH] Searching for token via collection group query');
+        const tokenResult = await clinicGroupService.findAdminTokenByValue(data.inviteToken);
 
-          if (token) {
-            foundGroup = group;
-            foundToken = token;
-            console.log('[AUTH] Found matching token in group', {
-              groupId: group.id,
-              tokenId: token.id,
-            });
-            break;
-          }
+        if (!tokenResult) {
+          console.error('[AUTH] No valid active token found');
+          throw new Error('Invalid or expired invite token');
         }
 
-        if (!foundGroup || !foundToken) {
-          console.error('[AUTH] No valid token found in any clinic group');
-          throw new Error('Invalid or expired invite token');
+        console.log('[AUTH] Found matching token', {
+          tokenId: tokenResult.token.id,
+          clinicGroupId: tokenResult.clinicGroupId,
+        });
+
+        const foundGroup = await clinicGroupService.getClinicGroup(tokenResult.clinicGroupId);
+        if (!foundGroup) {
+          throw new Error('Clinic group not found for token');
         }
 
         clinicGroup = foundGroup;

package/src/services/clinic/clinic-group.service.ts

@@ -198,13 +198,20 @@ export class ClinicGroupService extends BaseService {
     return ClinicGroupUtils.getActiveAdminTokens(this.db, groupId, adminId, this.app);
   }
 
-  // TODO: Add a method to get all admin tokens for a clinic group (not just active ones)
-
-  // TODO: Refactor admin token methods not to add tokens to the clinicGroup document,
-  // but to add them to a subcollection called adminTokens that belongs to a specific clinicGroup document
+  /**
+   * Gets ALL admin tokens for a clinic group (all statuses)
+   */
+  async getAllAdminTokens(groupId: string, adminId: string): Promise<AdminToken[]> {
+    return ClinicGroupUtils.getAllAdminTokens(this.db, groupId, adminId, this.app);
+  }
 
-  // TODO: Add granular control over admin permissions, e.g. only allow admins to manage certain clinics to tokens directly
-  // TODO: Generally refactor admin tokens and invites, also create cloud function to send invites and send updates when sombody uses the token
+  /**
+   * Finds an admin token by its value across all clinic groups.
+   * Uses a collection group query for O(1) lookup.
+   */
+  async findAdminTokenByValue(tokenValue: string): Promise<{ token: AdminToken; clinicGroupId: string } | null> {
+    return ClinicGroupUtils.findAdminTokenByValue(this.db, tokenValue);
+  }
 
   /**
    * Updates the onboarding status for a clinic group