npm - @checkstack/auth-backend - Versions diffs - 0.0.3 → 0.2.0 - Mend

@checkstack/auth-backend 0.0.3 → 0.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (16) hide show

package/CHANGELOG.md +174 -0
package/drizzle/0002_lowly_squirrel_girl.sql +43 -0
package/drizzle/0003_tranquil_sally_floyd.sql +8 -0
package/drizzle/0004_lucky_power_man.sql +21 -0
package/drizzle/meta/0002_snapshot.json +1017 -0
package/drizzle/meta/0003_snapshot.json +1050 -0
package/drizzle/meta/0004_snapshot.json +1050 -0
package/drizzle/meta/_journal.json +21 -0
package/package.json +1 -1
package/src/index.ts +176 -162
package/src/router.test.ts +11 -11
package/src/router.ts +525 -90
package/src/schema.ts +125 -18
package/src/teams.test.ts +1985 -0
package/src/utils/user.test.ts +65 -46
package/src/utils/user.ts +21 -13

package/src/router.ts CHANGED Viewed

@@ -34,8 +34,8 @@ import {
 /**
  * Creates the auth router using contract-based implementation.
  *
- * Auth and permissions are automatically enforced via autoAuthMiddleware
- * based on the contract's meta.userType and meta.permissions.
+ * Auth and access rules are automatically enforced via autoAuthMiddleware
+ * based on the contract's meta.userType and meta.access.
  */
 const os = implement(authContract)
   .$context<RpcContext>()
@@ -117,12 +117,12 @@ export const createAuthRouter = (
   strategyRegistry: { getStrategies: () => AuthStrategy<unknown>[] },
   reloadAuthFn: () => Promise<void>,
   configService: ConfigService,
-  permissionRegistry: {
-    getPermissions: () => {
+  accessRuleRegistry: {
+    getAccessRules: () => {
       id: string;
       description?: string;
-      isAuthenticatedDefault?: boolean;
-      isPublicDefault?: boolean;
+      isDefault?: boolean;
+      isPublic?: boolean;
     }[];
   }
 ) => {
@@ -155,12 +155,12 @@ export const createAuthRouter = (
     return enabledStrategies.filter((s) => s.enabled);
   });
-  const permissions = os.permissions.handler(async ({ context }) => {
+  const accessRulesHandler = os.accessRules.handler(async ({ context }) => {
     const user = context.user;
     if (!isRealUser(user)) {
-      return { permissions: [] };
+      return { accessRules: [] };
     }
-    return { permissions: user.permissions || [] };
+    return { accessRules: user.accessRules || [] };
   });
   const getUsers = os.getUsers.handler(async () => {
@@ -214,42 +214,42 @@ export const createAuthRouter = (
   const getRoles = os.getRoles.handler(async () => {
     const roles = await internalDb.select().from(schema.role);
-    const rolePermissions = await internalDb
+    const roleAccessRules = await internalDb
       .select()
-      .from(schema.rolePermission);
+      .from(schema.roleAccessRule);
     return roles.map((role) => ({
       id: role.id,
       name: role.name,
       description: role.description,
-      permissions: rolePermissions
+      accessRules: roleAccessRules
         .filter((rp) => rp.roleId === role.id)
-        .map((rp) => rp.permissionId),
+        .map((rp) => rp.accessRuleId),
       isSystem: role.isSystem || false,
       // Anonymous role cannot be assigned to users - it's for unauthenticated access
       isAssignable: role.id !== "anonymous",
     }));
   });
-  const getPermissions = os.getPermissions.handler(async () => {
-    // Return only currently active permissions (registered by loaded plugins)
-    return permissionRegistry.getPermissions();
+  const getAccessRules = os.getAccessRules.handler(async () => {
+    // Return only currently active access rules (registered by loaded plugins)
+    return accessRuleRegistry.getAccessRules();
   });
   const createRole = os.createRole.handler(async ({ input }) => {
-    const { name, description, permissions: inputPermissions } = input;
+    const { name, description, accessRules: inputAccessRules } = input;
     // Generate UUID for new role
     const id = crypto.randomUUID();
-    // Get active permissions to filter input
-    const activePermissions = new Set(
-      permissionRegistry.getPermissions().map((p) => p.id)
+    // Get active access rules to filter input
+    const activeAccessRules = new Set(
+      accessRuleRegistry.getAccessRules().map((p) => p.id)
     );
-    // Filter to only include active permissions
-    const validPermissions = inputPermissions.filter((p) =>
-      activePermissions.has(p)
+    // Filter to only include active access rules
+    const validAccessRules = inputAccessRules.filter((p) =>
+      activeAccessRules.has(p)
     );
     await internalDb.transaction(async (tx) => {
@@ -261,12 +261,12 @@ export const createAuthRouter = (
         isSystem: false,
       });
-      // Create role-permission mappings
-      if (validPermissions.length > 0) {
-        await tx.insert(schema.rolePermission).values(
-          validPermissions.map((permissionId) => ({
+      // Create role-access rule mappings
+      if (validAccessRules.length > 0) {
+        await tx.insert(schema.roleAccessRule).values(
+          validAccessRules.map((accessRuleId) => ({
             roleId: id,
-            permissionId,
+            accessRuleId,
           }))
         );
       }
@@ -274,9 +274,9 @@ export const createAuthRouter = (
   });
   const updateRole = os.updateRole.handler(async ({ input, context }) => {
-    const { id, name, description, permissions: inputPermissions } = input;
+    const { id, name, description, accessRules: inputAccessRules } = input;
-    // Track if user has this role (for permission elevation prevention)
+    // Track if user has this role (for access elevation prevention)
     const userRoles = isRealUser(context.user) ? context.user.roles || [] : [];
     const isUserOwnRole = userRoles.includes(id);
@@ -296,87 +296,87 @@ export const createAuthRouter = (
     const isAdminRole = id === "admin";
     // System roles can have name/description edited, but not deleted
-    // Admin role: permissions cannot be changed (wildcard permission)
-    // Users role: permissions can be changed with default tracking
-    // User's own role: permissions cannot be changed (prevent self-elevation)
+    // Admin role: access rules cannot be changed (wildcard access)
+    // Users role: access rules can be changed with default tracking
+    // User's own role: access rules cannot be changed (prevent access elevation)
-    // Get active permissions to filter input
-    const activePermissions = new Set(
-      permissionRegistry.getPermissions().map((p) => p.id)
+    // Get active access rules to filter input
+    const activeAccessRules = new Set(
+      accessRuleRegistry.getAccessRules().map((p) => p.id)
     );
-    // Filter to only include active permissions
-    const validPermissions = inputPermissions.filter((p) =>
-      activePermissions.has(p)
+    // Filter to only include active access rules
+    const validAccessRules = inputAccessRules.filter((p) =>
+      activeAccessRules.has(p)
     );
-    // Track disabled authenticated default permissions for "users" role
+    // Track disabled authenticated default access rules for "users" role
     if (isUsersRole && !isUserOwnRole) {
-      const allPerms = permissionRegistry.getPermissions();
+      const allPerms = accessRuleRegistry.getAccessRules();
       const defaultPermIds = allPerms
-        .filter((p) => p.isAuthenticatedDefault)
+        .filter((p) => p.isDefault)
         .map((p) => p.id);
-      // Find authenticated default permissions that are being removed
+      // Find authenticated default access rules that are being removed
       const removedDefaults = defaultPermIds.filter(
-        (defId) => !validPermissions.includes(defId)
+        (defId) => !validAccessRules.includes(defId)
       );
-      // Insert into disabled_default_permission table
+      // Insert into disabled_default_access_rule table
       for (const permId of removedDefaults) {
         await internalDb
-          .insert(schema.disabledDefaultPermission)
+          .insert(schema.disabledDefaultAccessRule)
           .values({
-            permissionId: permId,
+            accessRuleId: permId,
             disabledAt: new Date(),
           })
           .onConflictDoNothing();
       }
       // Remove from disabled table if being re-added
-      const readdedDefaults = validPermissions.filter((p) =>
+      const readdedDefaults = validAccessRules.filter((p) =>
         defaultPermIds.includes(p)
       );
       for (const permId of readdedDefaults) {
         await internalDb
-          .delete(schema.disabledDefaultPermission)
-          .where(eq(schema.disabledDefaultPermission.permissionId, permId));
+          .delete(schema.disabledDefaultAccessRule)
+          .where(eq(schema.disabledDefaultAccessRule.accessRuleId, permId));
       }
     }
-    // Track disabled public default permissions for "anonymous" role
+    // Track disabled public default access rules for "anonymous" role
     const isAnonymousRole = id === "anonymous";
     if (isAnonymousRole) {
-      const allPerms = permissionRegistry.getPermissions();
+      const allPerms = accessRuleRegistry.getAccessRules();
       const publicDefaultPermIds = allPerms
-        .filter((p) => p.isPublicDefault)
+        .filter((p) => p.isPublic)
         .map((p) => p.id);
-      // Find public default permissions that are being removed
+      // Find public default access rules that are being removed
       const removedPublicDefaults = publicDefaultPermIds.filter(
-        (defId) => !validPermissions.includes(defId)
+        (defId) => !validAccessRules.includes(defId)
       );
-      // Insert into disabled_public_default_permission table
+      // Insert into disabled_public_default_access_rule table
       for (const permId of removedPublicDefaults) {
         await internalDb
-          .insert(schema.disabledPublicDefaultPermission)
+          .insert(schema.disabledPublicDefaultAccessRule)
           .values({
-            permissionId: permId,
+            accessRuleId: permId,
             disabledAt: new Date(),
           })
           .onConflictDoNothing();
       }
       // Remove from disabled table if being re-added
-      const readdedPublicDefaults = validPermissions.filter((p) =>
+      const readdedPublicDefaults = validAccessRules.filter((p) =>
         publicDefaultPermIds.includes(p)
       );
       for (const permId of readdedPublicDefaults) {
         await internalDb
-          .delete(schema.disabledPublicDefaultPermission)
+          .delete(schema.disabledPublicDefaultAccessRule)
           .where(
-            eq(schema.disabledPublicDefaultPermission.permissionId, permId)
+            eq(schema.disabledPublicDefaultAccessRule.accessRuleId, permId)
           );
       }
     }
@@ -391,21 +391,21 @@ export const createAuthRouter = (
         await tx.update(schema.role).set(updates).where(eq(schema.role.id, id));
       }
-      // Skip permission changes for admin role (wildcard) or user's own role (prevent self-elevation)
+      // Skip access rule changes for admin role (wildcard) or user's own role (prevent access elevation)
       if (isAdminRole || isUserOwnRole) {
-        return; // Don't modify permissions
+        return; // Don't modify access rules
       }
-      // Replace permission mappings for non-admin roles
+      // Replace access rule mappings for non-admin roles
       await tx
-        .delete(schema.rolePermission)
-        .where(eq(schema.rolePermission.roleId, id));
+        .delete(schema.roleAccessRule)
+        .where(eq(schema.roleAccessRule.roleId, id));
-      if (validPermissions.length > 0) {
-        await tx.insert(schema.rolePermission).values(
-          validPermissions.map((permissionId) => ({
+      if (validAccessRules.length > 0) {
+        await tx.insert(schema.roleAccessRule).values(
+          validAccessRules.map((accessRuleId) => ({
             roleId: id,
-            permissionId,
+            accessRuleId,
           }))
         );
       }
@@ -441,10 +441,10 @@ export const createAuthRouter = (
     // Delete role and related records in transaction
     await internalDb.transaction(async (tx) => {
-      // Delete role-permission mappings
+      // Delete role-access-rule mappings
       await tx
-        .delete(schema.rolePermission)
-        .where(eq(schema.rolePermission.roleId, id));
+        .delete(schema.roleAccessRule)
+        .where(eq(schema.roleAccessRule.roleId, id));
       // Delete user-role mappings
       await tx.delete(schema.userRole).where(eq(schema.userRole.roleId, id));
@@ -582,40 +582,40 @@ export const createAuthRouter = (
     }
   );
-  const getAnonymousPermissions = os.getAnonymousPermissions.handler(
+  const getAnonymousAccessRules = os.getAnonymousAccessRules.handler(
     async () => {
       const rolePerms = await internalDb
         .select()
-        .from(schema.rolePermission)
-        .where(eq(schema.rolePermission.roleId, "anonymous"));
-      return rolePerms.map((rp) => rp.permissionId);
+        .from(schema.roleAccessRule)
+        .where(eq(schema.roleAccessRule.roleId, "anonymous"));
+      return rolePerms.map((rp) => rp.accessRuleId);
     }
   );
-  const filterUsersByPermission = os.filterUsersByPermission.handler(
+  const filterUsersByAccessRule = os.filterUsersByAccessRule.handler(
     async ({ input }) => {
-      const { userIds, permission } = input;
+      const { userIds, accessRule } = input;
       if (userIds.length === 0) return [];
-      // Single efficient query: join user_role with role_permission
-      // and filter by both userIds AND the specific permission
-      const usersWithPermission = await internalDb
+      // Single efficient query: join user_role with role_access_rule
+      // and filter by both userIds AND the specific access rule
+      const usersWithAccess = await internalDb
         .select({ userId: schema.userRole.userId })
         .from(schema.userRole)
         .innerJoin(
-          schema.rolePermission,
-          eq(schema.userRole.roleId, schema.rolePermission.roleId)
+          schema.roleAccessRule,
+          eq(schema.userRole.roleId, schema.roleAccessRule.roleId)
         )
         .where(
           and(
             inArray(schema.userRole.userId, userIds),
-            eq(schema.rolePermission.permissionId, permission)
+            eq(schema.roleAccessRule.accessRuleId, accessRule)
           )
         )
         .groupBy(schema.userRole.userId);
-      return usersWithPermission.map((row) => row.userId);
+      return usersWithAccess.map((row) => row.userId);
     }
   );
@@ -1016,13 +1016,430 @@ export const createAuthRouter = (
     }
   );
+  // ==========================================================================
+  // TEAM MANAGEMENT HANDLERS
+  // ==========================================================================
+  const getTeams = os.getTeams.handler(async ({ context }) => {
+    const teams = await internalDb.select().from(schema.team);
+    const memberCounts = await internalDb
+      .select({ teamId: schema.userTeam.teamId })
+      .from(schema.userTeam);
+    const userId = isRealUser(context.user) ? context.user.id : undefined;
+    const managerRows = userId
+      ? await internalDb
+          .select()
+          .from(schema.teamManager)
+          .where(eq(schema.teamManager.userId, userId))
+      : [];
+    const managedTeamIds = new Set(managerRows.map((m) => m.teamId));
+    return teams.map((t) => ({
+      id: t.id,
+      name: t.name,
+      description: t.description,
+      memberCount: memberCounts.filter((m) => m.teamId === t.id).length,
+      isManager: managedTeamIds.has(t.id),
+    }));
+  });
+  const getTeam = os.getTeam.handler(async ({ input }) => {
+    const teams = await internalDb
+      .select()
+      .from(schema.team)
+      .where(eq(schema.team.id, input.teamId))
+      .limit(1);
+    if (teams.length === 0) return;
+    const team = teams[0];
+    const memberRows = await internalDb
+      .select({ userId: schema.userTeam.userId })
+      .from(schema.userTeam)
+      .where(eq(schema.userTeam.teamId, team.id));
+    const managerRows = await internalDb
+      .select({ userId: schema.teamManager.userId })
+      .from(schema.teamManager)
+      .where(eq(schema.teamManager.teamId, team.id));
+    const userIds = [
+      ...new Set([
+        ...memberRows.map((m) => m.userId),
+        ...managerRows.map((m) => m.userId),
+      ]),
+    ];
+    const users =
+      userIds.length > 0
+        ? await internalDb
+            .select({
+              id: schema.user.id,
+              name: schema.user.name,
+              email: schema.user.email,
+            })
+            .from(schema.user)
+            .where(inArray(schema.user.id, userIds))
+        : [];
+    const userMap = new Map(users.map((u) => [u.id, u]));
+    return {
+      id: team.id,
+      name: team.name,
+      description: team.description,
+      members: memberRows
+        .map((m) => userMap.get(m.userId))
+        .filter((u): u is NonNullable<typeof u> => u !== undefined),
+      managers: managerRows
+        .map((m) => userMap.get(m.userId))
+        .filter((u): u is NonNullable<typeof u> => u !== undefined),
+    };
+  });
+  const createTeam = os.createTeam.handler(async ({ input, context }) => {
+    const id = crypto.randomUUID();
+    const now = new Date();
+    await internalDb.insert(schema.team).values({
+      id,
+      name: input.name,
+      description: input.description,
+      createdAt: now,
+      updatedAt: now,
+    });
+    context.logger.info(`[auth-backend] Created team: ${input.name}`);
+    return { id };
+  });
+  const updateTeam = os.updateTeam.handler(async ({ input, context }) => {
+    const { id, name, description } = input;
+    // TODO: Check if user is manager or has teamsManage access
+    const updates: {
+      name?: string;
+      description?: string | null;
+      updatedAt: Date;
+    } = {
+      updatedAt: new Date(),
+    };
+    if (name !== undefined) updates.name = name;
+    if (description !== undefined) updates.description = description;
+    await internalDb
+      .update(schema.team)
+      .set(updates)
+      .where(eq(schema.team.id, id));
+    context.logger.info(`[auth-backend] Updated team: ${id}`);
+  });
+  const deleteTeam = os.deleteTeam.handler(async ({ input: id, context }) => {
+    await internalDb.transaction(async (tx) => {
+      await tx.delete(schema.userTeam).where(eq(schema.userTeam.teamId, id));
+      await tx
+        .delete(schema.teamManager)
+        .where(eq(schema.teamManager.teamId, id));
+      await tx
+        .delete(schema.applicationTeam)
+        .where(eq(schema.applicationTeam.teamId, id));
+      await tx
+        .delete(schema.resourceTeamAccess)
+        .where(eq(schema.resourceTeamAccess.teamId, id));
+      await tx.delete(schema.team).where(eq(schema.team.id, id));
+    });
+    context.logger.info(`[auth-backend] Deleted team: ${id}`);
+  });
+  const addUserToTeam = os.addUserToTeam.handler(async ({ input }) => {
+    await internalDb
+      .insert(schema.userTeam)
+      .values({ userId: input.userId, teamId: input.teamId })
+      .onConflictDoNothing();
+  });
+  const removeUserFromTeam = os.removeUserFromTeam.handler(
+    async ({ input }) => {
+      await internalDb
+        .delete(schema.userTeam)
+        .where(
+          and(
+            eq(schema.userTeam.userId, input.userId),
+            eq(schema.userTeam.teamId, input.teamId)
+          )
+        );
+    }
+  );
+  const addTeamManager = os.addTeamManager.handler(async ({ input }) => {
+    await internalDb
+      .insert(schema.teamManager)
+      .values({ userId: input.userId, teamId: input.teamId })
+      .onConflictDoNothing();
+  });
+  const removeTeamManager = os.removeTeamManager.handler(async ({ input }) => {
+    await internalDb
+      .delete(schema.teamManager)
+      .where(
+        and(
+          eq(schema.teamManager.userId, input.userId),
+          eq(schema.teamManager.teamId, input.teamId)
+        )
+      );
+  });
+  const getResourceTeamAccess = os.getResourceTeamAccess.handler(
+    async ({ input }) => {
+      const rows = await internalDb
+        .select()
+        .from(schema.resourceTeamAccess)
+        .innerJoin(
+          schema.team,
+          eq(schema.resourceTeamAccess.teamId, schema.team.id)
+        )
+        .where(
+          and(
+            eq(schema.resourceTeamAccess.resourceType, input.resourceType),
+            eq(schema.resourceTeamAccess.resourceId, input.resourceId)
+          )
+        );
+      return rows.map((r) => ({
+        teamId: r.resource_team_access.teamId,
+        teamName: r.team.name,
+        canRead: r.resource_team_access.canRead,
+        canManage: r.resource_team_access.canManage,
+      }));
+    }
+  );
+  const setResourceTeamAccess = os.setResourceTeamAccess.handler(
+    async ({ input }) => {
+      const { resourceType, resourceId, teamId, canRead, canManage } = input;
+      await internalDb
+        .insert(schema.resourceTeamAccess)
+        .values({
+          resourceType,
+          resourceId,
+          teamId,
+          canRead: canRead ?? true,
+          canManage: canManage ?? false,
+        })
+        .onConflictDoUpdate({
+          target: [
+            schema.resourceTeamAccess.resourceType,
+            schema.resourceTeamAccess.resourceId,
+            schema.resourceTeamAccess.teamId,
+          ],
+          set: {
+            canRead: canRead ?? true,
+            canManage: canManage ?? false,
+          },
+        });
+    }
+  );
+  const removeResourceTeamAccess = os.removeResourceTeamAccess.handler(
+    async ({ input }) => {
+      await internalDb
+        .delete(schema.resourceTeamAccess)
+        .where(
+          and(
+            eq(schema.resourceTeamAccess.resourceType, input.resourceType),
+            eq(schema.resourceTeamAccess.resourceId, input.resourceId),
+            eq(schema.resourceTeamAccess.teamId, input.teamId)
+          )
+        );
+    }
+  );
+  // Resource-level access settings
+  const getResourceAccessSettings = os.getResourceAccessSettings.handler(
+    async ({ input }) => {
+      const rows = await internalDb
+        .select()
+        .from(schema.resourceAccessSettings)
+        .where(
+          and(
+            eq(schema.resourceAccessSettings.resourceType, input.resourceType),
+            eq(schema.resourceAccessSettings.resourceId, input.resourceId)
+          )
+        )
+        .limit(1);
+      return { teamOnly: rows[0]?.teamOnly ?? false };
+    }
+  );
+  const setResourceAccessSettings = os.setResourceAccessSettings.handler(
+    async ({ input }) => {
+      const { resourceType, resourceId, teamOnly } = input;
+      await internalDb
+        .insert(schema.resourceAccessSettings)
+        .values({ resourceType, resourceId, teamOnly })
+        .onConflictDoUpdate({
+          target: [
+            schema.resourceAccessSettings.resourceType,
+            schema.resourceAccessSettings.resourceId,
+          ],
+          set: { teamOnly },
+        });
+    }
+  );
+  // S2S Endpoints for middleware
+  const checkResourceTeamAccess = os.checkResourceTeamAccess.handler(
+    async ({ input }) => {
+      const {
+        userId,
+        userType,
+        resourceType,
+        resourceId,
+        action,
+        hasGlobalAccess,
+      } = input;
+      const grants = await internalDb
+        .select()
+        .from(schema.resourceTeamAccess)
+        .where(
+          and(
+            eq(schema.resourceTeamAccess.resourceType, resourceType),
+            eq(schema.resourceTeamAccess.resourceId, resourceId)
+          )
+        );
+      // No grants = global access applies
+      if (grants.length === 0) return { hasAccess: hasGlobalAccess };
+      // Check resource-level settings for teamOnly
+      const settingsRows = await internalDb
+        .select()
+        .from(schema.resourceAccessSettings)
+        .where(
+          and(
+            eq(schema.resourceAccessSettings.resourceType, resourceType),
+            eq(schema.resourceAccessSettings.resourceId, resourceId)
+          )
+        )
+        .limit(1);
+      const isTeamOnly = settingsRows[0]?.teamOnly ?? false;
+      if (!isTeamOnly && hasGlobalAccess) return { hasAccess: true };
+      // Get user's teams
+      const teamTable =
+        userType === "user" ? schema.userTeam : schema.applicationTeam;
+      const userIdCol =
+        userType === "user"
+          ? schema.userTeam.userId
+          : schema.applicationTeam.applicationId;
+      const userTeams = await internalDb
+        .select({
+          teamId:
+            userType === "user"
+              ? schema.userTeam.teamId
+              : schema.applicationTeam.teamId,
+        })
+        .from(teamTable)
+        .where(eq(userIdCol, userId));
+      const userTeamIds = new Set(userTeams.map((t) => t.teamId));
+      const field = action === "manage" ? "canManage" : "canRead";
+      const hasAccess = grants.some(
+        (g) => userTeamIds.has(g.teamId) && g[field]
+      );
+      return { hasAccess };
+    }
+  );
+  const getAccessibleResourceIds = os.getAccessibleResourceIds.handler(
+    async ({ input }) => {
+      const {
+        userId,
+        userType,
+        resourceType,
+        resourceIds,
+        action,
+        hasGlobalAccess,
+      } = input;
+      if (resourceIds.length === 0) return [];
+      // Get all grants for these resources
+      const grants = await internalDb
+        .select()
+        .from(schema.resourceTeamAccess)
+        .where(
+          and(
+            eq(schema.resourceTeamAccess.resourceType, resourceType),
+            inArray(schema.resourceTeamAccess.resourceId, resourceIds)
+          )
+        );
+      // Get resource-level settings for teamOnly
+      const settingsRows = await internalDb
+        .select()
+        .from(schema.resourceAccessSettings)
+        .where(
+          and(
+            eq(schema.resourceAccessSettings.resourceType, resourceType),
+            inArray(schema.resourceAccessSettings.resourceId, resourceIds)
+          )
+        );
+      const teamOnlyByResource = new Map(
+        settingsRows.map((s) => [s.resourceId, s.teamOnly])
+      );
+      // Get user's teams
+      const teamTable =
+        userType === "user" ? schema.userTeam : schema.applicationTeam;
+      const userIdCol =
+        userType === "user"
+          ? schema.userTeam.userId
+          : schema.applicationTeam.applicationId;
+      const userTeams = await internalDb
+        .select({
+          teamId:
+            userType === "user"
+              ? schema.userTeam.teamId
+              : schema.applicationTeam.teamId,
+        })
+        .from(teamTable)
+        .where(eq(userIdCol, userId));
+      const userTeamIds = new Set(userTeams.map((t) => t.teamId));
+      const field = action === "manage" ? "canManage" : "canRead";
+      const grantsByResource = new Map<string, typeof grants>();
+      for (const g of grants) {
+        const existing = grantsByResource.get(g.resourceId) || [];
+        existing.push(g);
+        grantsByResource.set(g.resourceId, existing);
+      }
+      return resourceIds.filter((id) => {
+        const resourceGrants = grantsByResource.get(id) || [];
+        if (resourceGrants.length === 0) return hasGlobalAccess;
+        const isTeamOnly = teamOnlyByResource.get(id) ?? false;
+        if (!isTeamOnly && hasGlobalAccess) return true;
+        return resourceGrants.some(
+          (g) => userTeamIds.has(g.teamId) && g[field]
+        );
+      });
+    }
+  );
+  const deleteResourceGrants = os.deleteResourceGrants.handler(
+    async ({ input }) => {
+      await internalDb
+        .delete(schema.resourceTeamAccess)
+        .where(
+          and(
+            eq(schema.resourceTeamAccess.resourceType, input.resourceType),
+            eq(schema.resourceTeamAccess.resourceId, input.resourceId)
+          )
+        );
+    }
+  );
   return os.router({
     getEnabledStrategies,
-    permissions,
+    accessRules: accessRulesHandler,
     getUsers,
     deleteUser,
     getRoles,
-    getPermissions,
+    getAccessRules,
     createRole,
     updateRole,
     deleteRole,
@@ -1033,9 +1450,9 @@ export const createAuthRouter = (
     getRegistrationSchema,
     getRegistrationStatus,
     setRegistrationStatus,
-    getAnonymousPermissions,
+    getAnonymousAccessRules,
     getUserById,
-    filterUsersByPermission,
+    filterUsersByAccessRule,
     findUserByEmail,
     upsertExternalUser,
     createSession,
@@ -1045,6 +1462,24 @@ export const createAuthRouter = (
     updateApplication,
     deleteApplication,
     regenerateApplicationSecret,
+    // Teams
+    getTeams,
+    getTeam,
+    createTeam,
+    updateTeam,
+    deleteTeam,
+    addUserToTeam,
+    removeUserFromTeam,
+    addTeamManager,
+    removeTeamManager,
+    getResourceTeamAccess,
+    setResourceTeamAccess,
+    removeResourceTeamAccess,
+    getResourceAccessSettings,
+    setResourceAccessSettings,
+    checkResourceTeamAccess,
+    getAccessibleResourceIds,
+    deleteResourceGrants,
   });
 };