@eduardbar/drift 1.3.0 → 1.4.0

package/dist/saas/helpers.js

@@ -0,0 +1,110 @@
+import { ACTIVE_WINDOW_DAYS, DEFAULT_ORGANIZATION_ID, DEFAULT_SAAS_POLICY, ROLE_PRIORITY, VALID_PLANS, VALID_ROLES, daysAgo, } from './constants.js';
+export function resolveSaasPolicy(policy) {
+    const customPlanLimits = (policy && 'maxWorkspacesPerOrganizationByPlan' in policy)
+        ? (policy.maxWorkspacesPerOrganizationByPlan ?? {})
+        : {};
+    return {
+        ...DEFAULT_SAAS_POLICY,
+        ...(policy ?? {}),
+        maxWorkspacesPerOrganizationByPlan: {
+            ...DEFAULT_SAAS_POLICY.maxWorkspacesPerOrganizationByPlan,
+            ...customPlanLimits,
+        },
+    };
+}
+export function normalizePlan(plan) {
+    if (!plan)
+        return 'free';
+    return VALID_PLANS.includes(plan) ? plan : 'free';
+}
+export function normalizeRole(role) {
+    if (!role)
+        return 'member';
+    return VALID_ROLES.includes(role) ? role : 'member';
+}
+export function hasRoleAtLeast(role, requiredRole) {
+    if (!role)
+        return false;
+    return ROLE_PRIORITY[role] >= ROLE_PRIORITY[requiredRole];
+}
+export function workspaceKey(organizationId, workspaceId) {
+    return `${organizationId}:${workspaceId}`;
+}
+function repoKey(organizationId, workspaceId, repoName) {
+    return `${workspaceKey(organizationId, workspaceId)}:${repoName}`;
+}
+export function membershipKey(organizationId, workspaceId, userId) {
+    return `${workspaceKey(organizationId, workspaceId)}:${userId}`;
+}
+export function monthKey(isoDate) {
+    const date = new Date(isoDate);
+    const month = String(date.getUTCMonth() + 1).padStart(2, '0');
+    return `${date.getUTCFullYear()}-${month}`;
+}
+export function resolveScopedIdentity(options) {
+    const organizationId = options.organizationId ?? DEFAULT_ORGANIZATION_ID;
+    const workspaceId = options.workspaceId;
+    const repoName = options.repoName ?? 'default';
+    return {
+        organizationId,
+        workspaceId,
+        workspaceKey: workspaceKey(organizationId, workspaceId),
+        repoName,
+        repoId: repoKey(organizationId, workspaceId, repoName),
+    };
+}
+export function isWorkspaceActive(workspace) {
+    return new Date(workspace.lastSeenAt).getTime() >= daysAgo(ACTIVE_WINDOW_DAYS);
+}
+export function isRepoActive(repo) {
+    return new Date(repo.lastSeenAt).getTime() >= daysAgo(ACTIVE_WINDOW_DAYS);
+}
+export function matchesTenantScope(snapshot, options) {
+    if (!options?.organizationId && !options?.workspaceId)
+        return true;
+    if (options.organizationId && snapshot.organizationId !== options.organizationId)
+        return false;
+    if (options.workspaceId && snapshot.workspaceId !== options.workspaceId)
+        return false;
+    return true;
+}
+export function matchesWorkspaceScope(workspace, options) {
+    if (options?.organizationId && workspace.organizationId !== options.organizationId)
+        return false;
+    if (options?.workspaceId && workspace.id !== options.workspaceId)
+        return false;
+    return true;
+}
+export function matchesRepoScope(repo, options) {
+    if (options?.organizationId && repo.organizationId !== options.organizationId)
+        return false;
+    if (options?.workspaceId && repo.workspaceId !== options.workspaceId)
+        return false;
+    return true;
+}
+export function computeRunsPerMonth(snapshots) {
+    const runsPerMonth = {};
+    for (const snapshot of snapshots) {
+        const key = monthKey(snapshot.createdAt);
+        runsPerMonth[key] = (runsPerMonth[key] ?? 0) + 1;
+    }
+    return runsPerMonth;
+}
+export function computeUsersRegistered(store, snapshots, options) {
+    if (!options?.organizationId && !options?.workspaceId)
+        return Object.keys(store.users).length;
+    return new Set(snapshots.map((snapshot) => snapshot.userId)).size;
+}
+export function escapeHtml(value) {
+    return value
+        .replaceAll('&', '&')
+        .replaceAll('<', '&lt;')
+        .replaceAll('>', '&gt;')
+        .replaceAll('"', '&quot;')
+        .replaceAll("'", '&#39;');
+}
+export function mergePolicy(policy, base) {
+    return resolveSaasPolicy({ ...base, ...(policy ?? {}) });
+}
+export { DEFAULT_ORGANIZATION_ID };
+//# sourceMappingURL=helpers.js.map

package/dist/saas/ingest.d.ts

@@ -0,0 +1,3 @@
+import type { DriftReportInput, IngestOptions, SaasSnapshot } from './types.js';
+export declare function ingestSnapshotFromReport(report: DriftReportInput, options: IngestOptions): SaasSnapshot;
+//# sourceMappingURL=ingest.d.ts.map

package/dist/saas/ingest.js

@@ -0,0 +1,249 @@
+import { resolve } from 'node:path';
+import { createRandomId } from './constants.js';
+import { SaasActorRequiredError } from './errors.js';
+import { applyRetentionPolicy, assertPermissionInStore, defaultSaasStorePath, loadStoreInternal, saveStore } from './store.js';
+import { membershipKey, monthKey, normalizePlan, normalizeRole, resolveScopedIdentity } from './helpers.js';
+import { appendPlanChange } from './plan-change.js';
+function assertWorkspaceLimit(store, scoped, effectivePlan) {
+    const organization = store.organizations[scoped.organizationId];
+    const workspaceLimit = store.policy.maxWorkspacesPerOrganizationByPlan[effectivePlan];
+    const workspaceExists = Boolean(store.workspaces[scoped.workspaceKey]);
+    const workspaceCount = organization?.workspaceIds.length ?? 0;
+    if (!workspaceExists && workspaceCount >= workspaceLimit) {
+        throw new Error(`Organization '${scoped.organizationId}' on plan '${effectivePlan}' reached max workspaces (${workspaceLimit}).`);
+    }
+}
+function assertFreeThresholdLimit(store, userId) {
+    const usersRegistered = Object.keys(store.users).length;
+    const isFreePhase = usersRegistered < store.policy.freeUserThreshold;
+    if (!isFreePhase)
+        return;
+    if (!store.users[userId] && usersRegistered + 1 > store.policy.freeUserThreshold) {
+        throw new Error(`Free threshold reached (${store.policy.freeUserThreshold} users).`);
+    }
+}
+function assertRepoLimit(store, scoped) {
+    const workspace = store.workspaces[scoped.workspaceKey];
+    const repoExists = Boolean(store.repos[scoped.repoId]);
+    const repoCount = workspace?.repoIds.length ?? 0;
+    if (!repoExists && repoCount >= store.policy.maxReposPerWorkspace) {
+        throw new Error(`Workspace '${scoped.workspaceId}' reached max repos (${store.policy.maxReposPerWorkspace}).`);
+    }
+}
+function countWorkspaceRunsThisMonth(store, scoped, currentMonth) {
+    return store.snapshots.filter((snapshot) => {
+        return snapshot.organizationId === scoped.organizationId
+            && snapshot.workspaceId === scoped.workspaceId
+            && monthKey(snapshot.createdAt) === currentMonth;
+    }).length;
+}
+function assertGuardrails(store, options, nowIso) {
+    const scoped = resolveScopedIdentity(options);
+    const organization = store.organizations[scoped.organizationId];
+    const effectivePlan = normalizePlan(options.plan ?? organization?.plan);
+    assertWorkspaceLimit(store, scoped, effectivePlan);
+    assertFreeThresholdLimit(store, options.userId);
+    assertRepoLimit(store, scoped);
+    const currentMonth = monthKey(nowIso);
+    const runsThisMonth = countWorkspaceRunsThisMonth(store, scoped, currentMonth);
+    if (runsThisMonth >= store.policy.maxRunsPerWorkspacePerMonth) {
+        throw new Error(`Workspace '${scoped.workspaceId}' reached max monthly runs (${store.policy.maxRunsPerWorkspacePerMonth}).`);
+    }
+}
+function upsertUser(store, userId, nowIso) {
+    const user = store.users[userId];
+    if (user) {
+        user.lastSeenAt = nowIso;
+        return;
+    }
+    store.users[userId] = {
+        id: userId,
+        createdAt: nowIso,
+        lastSeenAt: nowIso,
+    };
+}
+function maybeUpdateOrganizationPlanFromIngest(context) {
+    const { store, scoped, requestedPlan, options, nowIso } = context;
+    const existingOrg = store.organizations[scoped.organizationId];
+    if (!existingOrg || !options.plan || existingOrg.plan === requestedPlan)
+        return;
+    if (options.actorUserId) {
+        assertPermissionInStore(store, {
+            operation: 'billing:write',
+            organizationId: scoped.organizationId,
+            actorUserId: options.actorUserId,
+        });
+    }
+    const previousPlan = existingOrg.plan;
+    existingOrg.plan = requestedPlan;
+    appendPlanChange(store, {
+        organizationId: scoped.organizationId,
+        fromPlan: previousPlan,
+        toPlan: requestedPlan,
+        changedAt: nowIso,
+        changedByUserId: options.actorUserId ?? options.userId,
+        reason: 'ingest-option-plan-change',
+    });
+}
+function ensureOrganizationForIngest(context) {
+    const { store, scoped, requestedPlan, nowIso } = context;
+    const existingOrg = store.organizations[scoped.organizationId];
+    if (existingOrg) {
+        existingOrg.lastSeenAt = nowIso;
+        maybeUpdateOrganizationPlanFromIngest(context);
+        return;
+    }
+    store.organizations[scoped.organizationId] = {
+        id: scoped.organizationId,
+        plan: requestedPlan,
+        createdAt: nowIso,
+        lastSeenAt: nowIso,
+        workspaceIds: [],
+    };
+}
+function upsertWorkspaceForIngest(store, scoped, userId, nowIso) {
+    const workspace = store.workspaces[scoped.workspaceKey];
+    if (workspace) {
+        workspace.lastSeenAt = nowIso;
+        if (!workspace.userIds.includes(userId))
+            workspace.userIds.push(userId);
+        return { wasCreated: false };
+    }
+    store.workspaces[scoped.workspaceKey] = {
+        id: scoped.workspaceId,
+        organizationId: scoped.organizationId,
+        createdAt: nowIso,
+        lastSeenAt: nowIso,
+        userIds: [userId],
+        repoIds: [],
+    };
+    const org = store.organizations[scoped.organizationId];
+    if (!org.workspaceIds.includes(scoped.workspaceId))
+        org.workspaceIds.push(scoped.workspaceId);
+    return { wasCreated: true };
+}
+function upsertMembershipForIngest(context, workspaceWasCreated) {
+    const { store, scoped, options, nowIso } = context;
+    const membershipId = membershipKey(scoped.organizationId, scoped.workspaceId, options.userId);
+    const membership = store.memberships[membershipId];
+    let role = normalizeRole(options.role);
+    if (!membership && workspaceWasCreated)
+        role = 'owner';
+    if (membership) {
+        membership.lastSeenAt = nowIso;
+        if (options.role)
+            membership.role = normalizeRole(options.role);
+        return membership.role;
+    }
+    store.memberships[membershipId] = {
+        id: membershipId,
+        organizationId: scoped.organizationId,
+        workspaceId: scoped.workspaceId,
+        userId: options.userId,
+        role,
+        createdAt: nowIso,
+        lastSeenAt: nowIso,
+    };
+    return role;
+}
+function upsertRepoForIngest(store, scoped, nowIso) {
+    const repo = store.repos[scoped.repoId];
+    if (repo) {
+        repo.lastSeenAt = nowIso;
+        return;
+    }
+    store.repos[scoped.repoId] = {
+        id: scoped.repoId,
+        organizationId: scoped.organizationId,
+        workspaceId: scoped.workspaceId,
+        name: scoped.repoName,
+        createdAt: nowIso,
+        lastSeenAt: nowIso,
+    };
+    const workspace = store.workspaces[scoped.workspaceKey];
+    if (!workspace.repoIds.includes(scoped.repoId))
+        workspace.repoIds.push(scoped.repoId);
+}
+function createSnapshotFromReport(report, context, role) {
+    const { store, scoped, options, nowIso, requestedPlan } = context;
+    return {
+        id: createRandomId(String(Date.now())),
+        createdAt: nowIso,
+        scannedAt: report.scannedAt,
+        organizationId: scoped.organizationId,
+        workspaceId: scoped.workspaceId,
+        userId: options.userId,
+        role,
+        plan: normalizePlan(store.organizations[scoped.organizationId]?.plan ?? requestedPlan),
+        repoId: scoped.repoId,
+        repoName: scoped.repoName,
+        targetPath: report.targetPath,
+        totalScore: report.totalScore,
+        totalIssues: report.totalIssues,
+        totalFiles: report.totalFiles,
+        summary: {
+            errors: report.summary.errors,
+            warnings: report.summary.warnings,
+            infos: report.summary.infos,
+        },
+    };
+}
+function assertIngestActorRequirement(options, scoped, store) {
+    if (!store.policy.strictActorEnforcement || options.actorUserId)
+        return;
+    throw new SaasActorRequiredError({
+        operation: 'snapshot:write',
+        organizationId: scoped.organizationId,
+        workspaceId: scoped.workspaceId,
+    });
+}
+function assertIngestPermissionForActor(store, scoped, actorUserId) {
+    if (!actorUserId)
+        return;
+    const workspaceExists = Boolean(store.workspaces[scoped.workspaceKey]);
+    const organizationExists = Boolean(store.organizations[scoped.organizationId]);
+    if (workspaceExists) {
+        assertPermissionInStore(store, {
+            operation: 'snapshot:write',
+            organizationId: scoped.organizationId,
+            workspaceId: scoped.workspaceId,
+            actorUserId,
+        });
+        return;
+    }
+    if (organizationExists) {
+        assertPermissionInStore(store, {
+            operation: 'billing:write',
+            organizationId: scoped.organizationId,
+            actorUserId,
+        });
+    }
+}
+export function ingestSnapshotFromReport(report, options) {
+    const storeFile = resolve(options.storeFile ?? defaultSaasStorePath());
+    const store = loadStoreInternal(storeFile, options.policy);
+    const nowIso = new Date().toISOString();
+    const scoped = resolveScopedIdentity(options);
+    const requestedPlan = normalizePlan(options.plan);
+    const context = {
+        store,
+        scoped,
+        options,
+        nowIso,
+        requestedPlan,
+    };
+    assertIngestActorRequirement(options, scoped, store);
+    assertIngestPermissionForActor(store, scoped, options.actorUserId);
+    assertGuardrails(store, options, nowIso);
+    upsertUser(store, options.userId, nowIso);
+    ensureOrganizationForIngest(context);
+    const workspaceState = upsertWorkspaceForIngest(store, scoped, options.userId, nowIso);
+    const role = upsertMembershipForIngest(context, workspaceState.wasCreated);
+    upsertRepoForIngest(store, scoped, nowIso);
+    const snapshot = createSnapshotFromReport(report, context, role);
+    store.snapshots.push(snapshot);
+    applyRetentionPolicy(store);
+    saveStore(storeFile, store);
+    return snapshot;
+}
+//# sourceMappingURL=ingest.js.map

package/dist/saas/organization.d.ts

@@ -0,0 +1,5 @@
+import type { ChangeOrganizationPlanOptions, SaasOrganizationUsageSnapshot, SaasPlanChange, SaasPlanChangeQueryOptions, SaasUsageQueryOptions } from './types.js';
+export declare function changeOrganizationPlan(options: ChangeOrganizationPlanOptions): SaasPlanChange;
+export declare function listOrganizationPlanChanges(options: SaasPlanChangeQueryOptions): SaasPlanChange[];
+export declare function getOrganizationUsageSnapshot(options: SaasUsageQueryOptions): SaasOrganizationUsageSnapshot;
+//# sourceMappingURL=organization.d.ts.map

package/dist/saas/organization.js

@@ -0,0 +1,82 @@
+import { resolve } from 'node:path';
+import { assertPermissionInStore, defaultSaasStorePath, loadStoreInternal, saveStore } from './store.js';
+import { monthKey, normalizePlan, workspaceKey } from './helpers.js';
+import { appendPlanChange } from './plan-change.js';
+export function changeOrganizationPlan(options) {
+    const storeFile = resolve(options.storeFile ?? defaultSaasStorePath());
+    const store = loadStoreInternal(storeFile, options.policy);
+    const nowIso = new Date().toISOString();
+    const organization = store.organizations[options.organizationId];
+    if (!organization)
+        throw new Error(`Organization '${options.organizationId}' does not exist.`);
+    assertPermissionInStore(store, {
+        operation: 'billing:write',
+        organizationId: options.organizationId,
+        actorUserId: options.actorUserId,
+    });
+    const nextPlan = normalizePlan(options.newPlan);
+    if (organization.plan === nextPlan) {
+        const unchanged = appendPlanChange(store, {
+            organizationId: organization.id,
+            fromPlan: organization.plan,
+            toPlan: nextPlan,
+            changedAt: nowIso,
+            changedByUserId: options.actorUserId,
+            reason: options.reason,
+        });
+        saveStore(storeFile, store);
+        return unchanged;
+    }
+    const previousPlan = organization.plan;
+    organization.plan = nextPlan;
+    organization.lastSeenAt = nowIso;
+    const change = appendPlanChange(store, {
+        organizationId: organization.id,
+        fromPlan: previousPlan,
+        toPlan: nextPlan,
+        changedAt: nowIso,
+        changedByUserId: options.actorUserId,
+        reason: options.reason,
+    });
+    saveStore(storeFile, store);
+    return change;
+}
+export function listOrganizationPlanChanges(options) {
+    const storeFile = resolve(options.storeFile ?? defaultSaasStorePath());
+    const store = loadStoreInternal(storeFile, options.policy);
+    assertPermissionInStore(store, {
+        operation: 'billing:read',
+        organizationId: options.organizationId,
+        actorUserId: options.actorUserId,
+    });
+    return store.planChanges
+        .filter((change) => change.organizationId === options.organizationId)
+        .sort((a, b) => b.changedAt.localeCompare(a.changedAt));
+}
+export function getOrganizationUsageSnapshot(options) {
+    const storeFile = resolve(options.storeFile ?? defaultSaasStorePath());
+    const store = loadStoreInternal(storeFile, options.policy);
+    assertPermissionInStore(store, {
+        operation: 'billing:read',
+        organizationId: options.organizationId,
+        actorUserId: options.actorUserId,
+    });
+    const organization = store.organizations[options.organizationId];
+    if (!organization)
+        throw new Error(`Organization '${options.organizationId}' does not exist.`);
+    const month = options.month ?? monthKey(new Date().toISOString());
+    const organizationRunSnapshots = store.snapshots.filter((snapshot) => snapshot.organizationId === options.organizationId);
+    return {
+        organizationId: options.organizationId,
+        plan: organization.plan,
+        capturedAt: new Date().toISOString(),
+        workspaceCount: organization.workspaceIds.length,
+        repoCount: organization.workspaceIds
+            .map((workspaceId) => store.workspaces[workspaceKey(options.organizationId, workspaceId)])
+            .filter((workspace) => Boolean(workspace))
+            .reduce((count, workspace) => count + workspace.repoIds.length, 0),
+        runCount: organizationRunSnapshots.length,
+        runCountThisMonth: organizationRunSnapshots.filter((snapshot) => monthKey(snapshot.createdAt) === month).length,
+    };
+}
+//# sourceMappingURL=organization.js.map

package/dist/saas/plan-change.d.ts

@@ -0,0 +1,10 @@
+import type { SaasPlan, SaasPlanChange, SaasStore } from './types.js';
+export declare function appendPlanChange(store: SaasStore, input: {
+    organizationId: string;
+    fromPlan: SaasPlan;
+    toPlan: SaasPlan;
+    changedByUserId: string;
+    reason?: string;
+    changedAt: string;
+}): SaasPlanChange;
+//# sourceMappingURL=plan-change.d.ts.map

package/dist/saas/plan-change.js

@@ -0,0 +1,15 @@
+import { createRandomId } from './constants.js';
+export function appendPlanChange(store, input) {
+    const change = {
+        id: createRandomId(input.changedAt),
+        organizationId: input.organizationId,
+        fromPlan: input.fromPlan,
+        toPlan: input.toPlan,
+        changedAt: input.changedAt,
+        changedByUserId: input.changedByUserId,
+        reason: input.reason,
+    };
+    store.planChanges.push(change);
+    return change;
+}
+//# sourceMappingURL=plan-change.js.map

package/dist/saas/store.d.ts

@@ -0,0 +1,21 @@
+import type { SaasEffectiveLimits, SaasOperation, SaasPermissionContext, SaasPermissionResult, SaasPlan, SaasPolicyOverrides, SaasRole, SaasStore } from './types.js';
+export declare function defaultSaasStorePath(root?: string): string;
+export declare function applyRetentionPolicy(store: SaasStore): void;
+export declare function saveStore(storeFile: string, store: SaasStore): void;
+export declare function loadStoreInternal(storeFile: string, policy?: SaasPolicyOverrides): SaasStore;
+export declare function assertPermissionInStore(store: SaasStore, context: SaasPermissionContext): SaasPermissionResult;
+export declare function getRequiredRoleForOperation(operation: SaasOperation): SaasRole;
+export declare function assertSaasPermission(context: SaasPermissionContext & {
+    storeFile?: string;
+    policy?: SaasPolicyOverrides;
+}): SaasPermissionResult;
+export declare function getSaasEffectiveLimits(input: {
+    plan: SaasPlan;
+    policy?: SaasPolicyOverrides;
+}): SaasEffectiveLimits;
+export declare function getOrganizationEffectiveLimits(options: {
+    organizationId: string;
+    storeFile?: string;
+    policy?: SaasPolicyOverrides;
+}): SaasEffectiveLimits;
+//# sourceMappingURL=store.d.ts.map

package/dist/saas/store.js

@@ -0,0 +1,159 @@
+import { existsSync, mkdirSync, readFileSync, writeFileSync } from 'node:fs';
+import { dirname, resolve } from 'node:path';
+import { DEFAULT_ORGANIZATION_ID, REQUIRED_ROLE_BY_OPERATION, ROLE_PRIORITY, STORE_VERSION } from './constants.js';
+import { SaasActorRequiredError, SaasPermissionError } from './errors.js';
+import { hasRoleAtLeast, membershipKey, mergePolicy, normalizePlan, resolveSaasPolicy } from './helpers.js';
+const HOURS_PER_DAY = 24;
+const MINUTES_PER_HOUR = 60;
+const SECONDS_PER_MINUTE = 60;
+const MILLISECONDS_PER_SECOND = 1000;
+export function defaultSaasStorePath(root = '.') {
+    return resolve(root, '.drift-cloud', 'store.json');
+}
+function createEmptyStore(policy) {
+    return {
+        version: STORE_VERSION,
+        policy: resolveSaasPolicy(policy),
+        users: {},
+        organizations: {},
+        workspaces: {},
+        memberships: {},
+        repos: {},
+        snapshots: [],
+        planChanges: [],
+    };
+}
+function ensureStoreFile(storeFile, policy) {
+    const dir = dirname(storeFile);
+    if (!existsSync(dir))
+        mkdirSync(dir, { recursive: true });
+    if (!existsSync(storeFile)) {
+        const initial = createEmptyStore(policy);
+        writeFileSync(storeFile, JSON.stringify(initial, null, 2), 'utf8');
+    }
+}
+function applyStoreEntityDefaults(store) {
+    for (const workspace of Object.values(store.workspaces)) {
+        if (!workspace.organizationId)
+            workspace.organizationId = DEFAULT_ORGANIZATION_ID;
+    }
+    for (const repo of Object.values(store.repos)) {
+        if (!repo.organizationId)
+            repo.organizationId = DEFAULT_ORGANIZATION_ID;
+    }
+    for (const snapshot of store.snapshots) {
+        if (!snapshot.organizationId)
+            snapshot.organizationId = DEFAULT_ORGANIZATION_ID;
+        if (!snapshot.plan)
+            snapshot.plan = 'free';
+        if (!snapshot.role)
+            snapshot.role = 'member';
+    }
+}
+function ensureOrganizationFromWorkspace(store, workspace) {
+    const orgId = workspace.organizationId;
+    const existingOrg = store.organizations[orgId];
+    if (!existingOrg) {
+        store.organizations[orgId] = {
+            id: orgId,
+            plan: 'free',
+            createdAt: workspace.createdAt,
+            lastSeenAt: workspace.lastSeenAt,
+            workspaceIds: [workspace.id],
+        };
+        return;
+    }
+    if (!existingOrg.workspaceIds.includes(workspace.id))
+        existingOrg.workspaceIds.push(workspace.id);
+    if (workspace.lastSeenAt > existingOrg.lastSeenAt)
+        existingOrg.lastSeenAt = workspace.lastSeenAt;
+}
+function hydrateOrganizationsFromWorkspaces(store) {
+    for (const workspace of Object.values(store.workspaces)) {
+        ensureOrganizationFromWorkspace(store, workspace);
+    }
+}
+export function applyRetentionPolicy(store) {
+    const millisecondsPerDay = HOURS_PER_DAY * MINUTES_PER_HOUR * SECONDS_PER_MINUTE * MILLISECONDS_PER_SECOND;
+    const cutoff = Date.now() - store.policy.retentionDays * millisecondsPerDay;
+    store.snapshots = store.snapshots.filter((snapshot) => new Date(snapshot.createdAt).getTime() >= cutoff);
+}
+export function saveStore(storeFile, store) {
+    writeFileSync(storeFile, JSON.stringify(store, null, 2), 'utf8');
+}
+export function loadStoreInternal(storeFile, policy) {
+    ensureStoreFile(storeFile, policy);
+    const raw = readFileSync(storeFile, 'utf8');
+    const parsed = JSON.parse(raw);
+    const merged = createEmptyStore(parsed.policy);
+    merged.version = parsed.version ?? STORE_VERSION;
+    merged.users = parsed.users ?? {};
+    merged.organizations = parsed.organizations ?? {};
+    merged.workspaces = parsed.workspaces ?? {};
+    merged.memberships = parsed.memberships ?? {};
+    merged.repos = parsed.repos ?? {};
+    merged.snapshots = parsed.snapshots ?? [];
+    merged.planChanges = parsed.planChanges ?? [];
+    merged.policy = mergePolicy(policy, merged.policy);
+    applyStoreEntityDefaults(merged);
+    hydrateOrganizationsFromWorkspaces(merged);
+    applyRetentionPolicy(merged);
+    return merged;
+}
+function resolveActorRole(store, organizationId, actorUserId, workspaceId) {
+    if (workspaceId) {
+        const scopedMembershipId = membershipKey(organizationId, workspaceId, actorUserId);
+        return store.memberships[scopedMembershipId]?.role;
+    }
+    let highestRole;
+    for (const membership of Object.values(store.memberships)) {
+        if (membership.organizationId !== organizationId)
+            continue;
+        if (membership.userId !== actorUserId)
+            continue;
+        if (!highestRole || ROLE_PRIORITY[membership.role] > ROLE_PRIORITY[highestRole])
+            highestRole = membership.role;
+        if (highestRole === 'owner')
+            break;
+    }
+    return highestRole;
+}
+export function assertPermissionInStore(store, context) {
+    const requiredRole = REQUIRED_ROLE_BY_OPERATION[context.operation];
+    if (!context.actorUserId) {
+        if (store.policy.strictActorEnforcement)
+            throw new SaasActorRequiredError(context);
+        return { requiredRole };
+    }
+    const actorRole = resolveActorRole(store, context.organizationId, context.actorUserId, context.workspaceId);
+    if (!hasRoleAtLeast(actorRole, requiredRole)) {
+        throw new SaasPermissionError(context, requiredRole, actorRole);
+    }
+    return { requiredRole, actorRole };
+}
+export function getRequiredRoleForOperation(operation) {
+    return REQUIRED_ROLE_BY_OPERATION[operation];
+}
+export function assertSaasPermission(context) {
+    const storeFile = resolve(context.storeFile ?? defaultSaasStorePath());
+    const store = loadStoreInternal(storeFile, context.policy);
+    return assertPermissionInStore(store, context);
+}
+export function getSaasEffectiveLimits(input) {
+    const policy = resolveSaasPolicy(input.policy);
+    const plan = normalizePlan(input.plan);
+    return {
+        plan,
+        maxWorkspaces: policy.maxWorkspacesPerOrganizationByPlan[plan],
+        maxReposPerWorkspace: policy.maxReposPerWorkspace,
+        maxRunsPerWorkspacePerMonth: policy.maxRunsPerWorkspacePerMonth,
+        retentionDays: policy.retentionDays,
+    };
+}
+export function getOrganizationEffectiveLimits(options) {
+    const storeFile = resolve(options.storeFile ?? defaultSaasStorePath());
+    const store = loadStoreInternal(storeFile, options.policy);
+    const plan = normalizePlan(store.organizations[options.organizationId]?.plan);
+    return getSaasEffectiveLimits({ plan, policy: store.policy });
+}
+//# sourceMappingURL=store.js.map