npm - @eduardbar/drift - Versions diffs - 1.3.0 → 1.5.0 - Mend

@eduardbar/drift 1.3.0 → 1.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (198) hide show

package/.gga +50 -0
package/.github/actions/drift-review/README.md +62 -0
package/.github/actions/drift-review/action.yml +148 -0
package/.github/actions/drift-scan/README.md +28 -32
package/.github/actions/drift-scan/action.yml +78 -14
package/.github/workflows/publish-vscode.yml +1 -3
package/.github/workflows/publish.yml +8 -0
package/.github/workflows/quality.yml +15 -0
package/.github/workflows/reusable-quality-checks.yml +95 -0
package/.github/workflows/review-pr.yml +33 -41
package/AGENTS.md +75 -251
package/CHANGELOG.md +41 -0
package/README.md +177 -43
package/benchmarks/fixtures/critical/drift.config.ts +21 -0
package/benchmarks/fixtures/critical/src/app/user-service.ts +30 -0
package/benchmarks/fixtures/critical/src/domain/entities.ts +19 -0
package/benchmarks/fixtures/critical/src/domain/policies.ts +22 -0
package/benchmarks/fixtures/critical/src/index.ts +10 -0
package/benchmarks/fixtures/critical/src/infra/memory-user-repo.ts +14 -0
package/benchmarks/perf-budget.v1.json +27 -0
package/dist/benchmark.d.ts +1 -1
package/dist/benchmark.js +83 -52
package/dist/cli.js +243 -8
package/dist/config.js +16 -2
package/dist/diff.js +42 -50
package/dist/doctor.d.ts +26 -0
package/dist/doctor.js +140 -0
package/dist/format.d.ts +17 -0
package/dist/format.js +45 -0
package/dist/guard-baseline.d.ts +12 -0
package/dist/guard-baseline.js +57 -0
package/dist/guard-metrics.d.ts +6 -0
package/dist/guard-metrics.js +39 -0
package/dist/guard-types.d.ts +58 -0
package/dist/guard-types.js +2 -0
package/dist/guard.d.ts +16 -0
package/dist/guard.js +178 -0
package/dist/index.d.ts +10 -3
package/dist/index.js +4 -1
package/dist/init.d.ts +15 -0
package/dist/init.js +273 -0
package/dist/map-cycles.d.ts +2 -0
package/dist/map-cycles.js +34 -0
package/dist/map-svg.d.ts +19 -0
package/dist/map-svg.js +97 -0
package/dist/map.js +78 -138
package/dist/metrics.js +70 -55
package/dist/output-metadata.d.ts +15 -0
package/dist/output-metadata.js +19 -0
package/dist/plugins-capabilities.d.ts +4 -0
package/dist/plugins-capabilities.js +21 -0
package/dist/plugins-messages.d.ts +10 -0
package/dist/plugins-messages.js +16 -0
package/dist/plugins-rules.d.ts +9 -0
package/dist/plugins-rules.js +137 -0
package/dist/plugins.d.ts +1 -1
package/dist/plugins.js +45 -142
package/dist/reporter-constants.d.ts +16 -0
package/dist/reporter-constants.js +39 -0
package/dist/reporter.d.ts +3 -3
package/dist/reporter.js +35 -55
package/dist/review.d.ts +2 -1
package/dist/review.js +2 -1
package/dist/rules/phase3-configurable.js +23 -15
package/dist/saas/constants.d.ts +15 -0
package/dist/saas/constants.js +48 -0
package/dist/saas/dashboard.d.ts +8 -0
package/dist/saas/dashboard.js +132 -0
package/dist/saas/errors.d.ts +19 -0
package/dist/saas/errors.js +37 -0
package/dist/saas/helpers.d.ts +21 -0
package/dist/saas/helpers.js +110 -0
package/dist/saas/ingest.d.ts +3 -0
package/dist/saas/ingest.js +249 -0
package/dist/saas/organization.d.ts +5 -0
package/dist/saas/organization.js +82 -0
package/dist/saas/plan-change.d.ts +10 -0
package/dist/saas/plan-change.js +15 -0
package/dist/saas/store.d.ts +21 -0
package/dist/saas/store.js +159 -0
package/dist/saas/types.d.ts +191 -0
package/dist/saas/types.js +2 -0
package/dist/saas.d.ts +8 -218
package/dist/saas.js +7 -761
package/dist/sarif.d.ts +74 -0
package/dist/sarif.js +122 -0
package/dist/trust-advanced.d.ts +14 -0
package/dist/trust-advanced.js +65 -0
package/dist/trust-kpi-fs.d.ts +3 -0
package/dist/trust-kpi-fs.js +141 -0
package/dist/trust-kpi-parse.d.ts +7 -0
package/dist/trust-kpi-parse.js +186 -0
package/dist/trust-kpi-types.d.ts +16 -0
package/dist/trust-kpi-types.js +2 -0
package/dist/trust-kpi.d.ts +1 -3
package/dist/trust-kpi.js +6 -266
package/dist/trust-policy.d.ts +32 -0
package/dist/trust-policy.js +160 -0
package/dist/trust-render.d.ts +9 -0
package/dist/trust-render.js +54 -0
package/dist/trust-scoring.d.ts +9 -0
package/dist/trust-scoring.js +208 -0
package/dist/trust.d.ts +5 -32
package/dist/trust.js +29 -432
package/dist/types/app.d.ts +30 -0
package/dist/types/app.js +2 -0
package/dist/types/config.d.ts +25 -0
package/dist/types/config.js +2 -0
package/dist/types/core.d.ts +100 -0
package/dist/types/core.js +2 -0
package/dist/types/diff.d.ts +55 -0
package/dist/types/diff.js +2 -0
package/dist/types/plugin.d.ts +41 -0
package/dist/types/plugin.js +2 -0
package/dist/types/trust.d.ts +120 -0
package/dist/types/trust.js +2 -0
package/dist/types.d.ts +8 -365
package/docs/AGENTS.md +1 -1
package/docs/release-notes-draft.md +40 -0
package/docs/rules-catalog.md +49 -0
package/docs/trust-core-release-checklist.md +37 -5
package/package.json +11 -4
package/packages/vscode-drift/src/code-actions.ts +1 -1
package/schemas/drift-ai-output.v1.json +162 -0
package/schemas/drift-doctor.v1.json +57 -0
package/schemas/drift-guard.v1.json +298 -0
package/schemas/drift-report.v1.json +151 -0
package/schemas/drift-trust.v1.json +131 -0
package/scripts/check-docs-drift.mjs +154 -0
package/scripts/check-performance-budget.mjs +360 -0
package/scripts/check-runtime-policy.mjs +66 -0
package/scripts/smoke-repo.mjs +394 -0
package/src/benchmark.ts +92 -53
package/src/cli.ts +285 -13
package/src/config.ts +19 -2
package/src/diff.ts +57 -48
package/src/doctor.ts +185 -0
package/src/format.ts +81 -0
package/src/guard-baseline.ts +74 -0
package/src/guard-metrics.ts +52 -0
package/src/guard-types.ts +66 -0
package/src/guard.ts +248 -0
package/src/index.ts +36 -0
package/src/init.ts +298 -0
package/src/map-cycles.ts +38 -0
package/src/map-svg.ts +124 -0
package/src/map.ts +111 -142
package/src/metrics.ts +78 -59
package/src/output-metadata.ts +32 -0
package/src/plugins-capabilities.ts +36 -0
package/src/plugins-messages.ts +35 -0
package/src/plugins-rules.ts +296 -0
package/src/plugins.ts +76 -283
package/src/reporter-constants.ts +46 -0
package/src/reporter.ts +64 -65
package/src/review.ts +4 -2
package/src/rules/phase3-configurable.ts +39 -26
package/src/saas/constants.ts +56 -0
package/src/saas/dashboard.ts +172 -0
package/src/saas/errors.ts +45 -0
package/src/saas/helpers.ts +140 -0
package/src/saas/ingest.ts +278 -0
package/src/saas/organization.ts +99 -0
package/src/saas/plan-change.ts +19 -0
package/src/saas/store.ts +172 -0
package/src/saas/types.ts +216 -0
package/src/saas.ts +49 -1031
package/src/sarif.ts +232 -0
package/src/trust-advanced.ts +99 -0
package/src/trust-kpi-fs.ts +169 -0
package/src/trust-kpi-parse.ts +219 -0
package/src/trust-kpi-types.ts +19 -0
package/src/trust-kpi.ts +8 -316
package/src/trust-policy.ts +246 -0
package/src/trust-render.ts +61 -0
package/src/trust-scoring.ts +231 -0
package/src/trust.ts +62 -576
package/src/types/app.ts +30 -0
package/src/types/config.ts +27 -0
package/src/types/core.ts +105 -0
package/src/types/diff.ts +61 -0
package/src/types/plugin.ts +46 -0
package/src/types/trust.ts +134 -0
package/src/types.ts +79 -409
package/tests/ci-quality-matrix.test.ts +37 -0
package/tests/ci-smoke-gate.test.ts +26 -0
package/tests/ci-version-alignment.test.ts +93 -0
package/tests/cli-sarif.test.ts +92 -0
package/tests/docs-drift-check.test.ts +115 -0
package/tests/format.test.ts +157 -0
package/tests/new-features.test.ts +11 -3
package/tests/perf-budget-check.test.ts +146 -0
package/tests/phase1-init-doctor-guard.test.ts +301 -0
package/tests/runtime-policy-alignment.test.ts +46 -0
package/tests/sarif.test.ts +160 -0
package/tests/trust-kpi.test.ts +31 -4
package/tests/trust.test.ts +18 -0
package/vitest.config.ts +2 -0

package/src/saas/helpers.ts ADDED Viewed

@@ -0,0 +1,140 @@
+import type {
+  IngestOptions,
+  SaasPlan,
+  SaasPolicy,
+  SaasPolicyInput,
+  SaasPolicyOverrides,
+  SaasQueryOptions,
+  SaasRepo,
+  SaasRole,
+  SaasSnapshot,
+  SaasStore,
+  SaasWorkspace,
+  ScopedIdentity,
+} from './types.js'
+import {
+  ACTIVE_WINDOW_DAYS,
+  DEFAULT_ORGANIZATION_ID,
+  DEFAULT_SAAS_POLICY,
+  ROLE_PRIORITY,
+  VALID_PLANS,
+  VALID_ROLES,
+  daysAgo,
+} from './constants.js'
+export function resolveSaasPolicy(policy?: SaasPolicyInput): SaasPolicy {
+  const customPlanLimits = (policy && 'maxWorkspacesPerOrganizationByPlan' in policy)
+    ? (policy.maxWorkspacesPerOrganizationByPlan ?? {})
+    : {}
+  return {
+    ...DEFAULT_SAAS_POLICY,
+    ...(policy ?? {}),
+    maxWorkspacesPerOrganizationByPlan: {
+      ...DEFAULT_SAAS_POLICY.maxWorkspacesPerOrganizationByPlan,
+      ...customPlanLimits,
+    },
+  }
+}
+export function normalizePlan(plan?: string): SaasPlan {
+  if (!plan) return 'free'
+  return VALID_PLANS.includes(plan as SaasPlan) ? (plan as SaasPlan) : 'free'
+}
+export function normalizeRole(role?: string): SaasRole {
+  if (!role) return 'member'
+  return VALID_ROLES.includes(role as SaasRole) ? (role as SaasRole) : 'member'
+}
+export function hasRoleAtLeast(role: SaasRole | undefined, requiredRole: SaasRole): boolean {
+  if (!role) return false
+  return ROLE_PRIORITY[role] >= ROLE_PRIORITY[requiredRole]
+}
+export function workspaceKey(organizationId: string, workspaceId: string): string {
+  return `${organizationId}:${workspaceId}`
+}
+function repoKey(organizationId: string, workspaceId: string, repoName: string): string {
+  return `${workspaceKey(organizationId, workspaceId)}:${repoName}`
+}
+export function membershipKey(organizationId: string, workspaceId: string, userId: string): string {
+  return `${workspaceKey(organizationId, workspaceId)}:${userId}`
+}
+export function monthKey(isoDate: string): string {
+  const date = new Date(isoDate)
+  const month = String(date.getUTCMonth() + 1).padStart(2, '0')
+  return `${date.getUTCFullYear()}-${month}`
+}
+export function resolveScopedIdentity(options: IngestOptions): ScopedIdentity {
+  const organizationId = options.organizationId ?? DEFAULT_ORGANIZATION_ID
+  const workspaceId = options.workspaceId
+  const repoName = options.repoName ?? 'default'
+  return {
+    organizationId,
+    workspaceId,
+    workspaceKey: workspaceKey(organizationId, workspaceId),
+    repoName,
+    repoId: repoKey(organizationId, workspaceId, repoName),
+  }
+}
+export function isWorkspaceActive(workspace: SaasWorkspace): boolean {
+  return new Date(workspace.lastSeenAt).getTime() >= daysAgo(ACTIVE_WINDOW_DAYS)
+}
+export function isRepoActive(repo: SaasRepo): boolean {
+  return new Date(repo.lastSeenAt).getTime() >= daysAgo(ACTIVE_WINDOW_DAYS)
+}
+export function matchesTenantScope(snapshot: SaasSnapshot, options?: SaasQueryOptions): boolean {
+  if (!options?.organizationId && !options?.workspaceId) return true
+  if (options.organizationId && snapshot.organizationId !== options.organizationId) return false
+  if (options.workspaceId && snapshot.workspaceId !== options.workspaceId) return false
+  return true
+}
+export function matchesWorkspaceScope(workspace: SaasWorkspace, options?: SaasQueryOptions): boolean {
+  if (options?.organizationId && workspace.organizationId !== options.organizationId) return false
+  if (options?.workspaceId && workspace.id !== options.workspaceId) return false
+  return true
+}
+export function matchesRepoScope(repo: SaasRepo, options?: SaasQueryOptions): boolean {
+  if (options?.organizationId && repo.organizationId !== options.organizationId) return false
+  if (options?.workspaceId && repo.workspaceId !== options.workspaceId) return false
+  return true
+}
+export function computeRunsPerMonth(snapshots: SaasSnapshot[]): Record<string, number> {
+  const runsPerMonth: Record<string, number> = {}
+  for (const snapshot of snapshots) {
+    const key = monthKey(snapshot.createdAt)
+    runsPerMonth[key] = (runsPerMonth[key] ?? 0) + 1
+  }
+  return runsPerMonth
+}
+export function computeUsersRegistered(store: SaasStore, snapshots: SaasSnapshot[], options?: SaasQueryOptions): number {
+  if (!options?.organizationId && !options?.workspaceId) return Object.keys(store.users).length
+  return new Set(snapshots.map((snapshot) => snapshot.userId)).size
+}
+export function escapeHtml(value: string): string {
+  return value
+    .replaceAll('&', '&amp;')
+    .replaceAll('<', '&lt;')
+    .replaceAll('>', '&gt;')
+    .replaceAll('"', '&quot;')
+    .replaceAll("'", '&#39;')
+}
+export function mergePolicy(policy: SaasPolicyOverrides | undefined, base: SaasStore['policy']): SaasPolicy {
+  return resolveSaasPolicy({ ...base, ...(policy ?? {}) })
+}
+export { DEFAULT_ORGANIZATION_ID }

package/src/saas/ingest.ts ADDED Viewed

@@ -0,0 +1,278 @@
+import { resolve } from 'node:path'
+import type { DriftReportInput, IngestMutationContext, IngestOptions, SaasPlan, SaasRole, SaasSnapshot, SaasStore } from './types.js'
+import { createRandomId } from './constants.js'
+import { SaasActorRequiredError } from './errors.js'
+import { applyRetentionPolicy, assertPermissionInStore, defaultSaasStorePath, loadStoreInternal, saveStore } from './store.js'
+import { membershipKey, monthKey, normalizePlan, normalizeRole, resolveScopedIdentity } from './helpers.js'
+import { appendPlanChange } from './plan-change.js'
+function assertWorkspaceLimit(store: SaasStore, scoped: IngestMutationContext['scoped'], effectivePlan: SaasPlan): void {
+  const organization = store.organizations[scoped.organizationId]
+  const workspaceLimit = store.policy.maxWorkspacesPerOrganizationByPlan[effectivePlan]
+  const workspaceExists = Boolean(store.workspaces[scoped.workspaceKey])
+  const workspaceCount = organization?.workspaceIds.length ?? 0
+  if (!workspaceExists && workspaceCount >= workspaceLimit) {
+    throw new Error(`Organization '${scoped.organizationId}' on plan '${effectivePlan}' reached max workspaces (${workspaceLimit}).`)
+  }
+}
+function assertFreeThresholdLimit(store: SaasStore, userId: string): void {
+  const usersRegistered = Object.keys(store.users).length
+  const isFreePhase = usersRegistered < store.policy.freeUserThreshold
+  if (!isFreePhase) return
+  if (!store.users[userId] && usersRegistered + 1 > store.policy.freeUserThreshold) {
+    throw new Error(`Free threshold reached (${store.policy.freeUserThreshold} users).`)
+  }
+}
+function assertRepoLimit(store: SaasStore, scoped: IngestMutationContext['scoped']): void {
+  const workspace = store.workspaces[scoped.workspaceKey]
+  const repoExists = Boolean(store.repos[scoped.repoId])
+  const repoCount = workspace?.repoIds.length ?? 0
+  if (!repoExists && repoCount >= store.policy.maxReposPerWorkspace) {
+    throw new Error(`Workspace '${scoped.workspaceId}' reached max repos (${store.policy.maxReposPerWorkspace}).`)
+  }
+}
+function countWorkspaceRunsThisMonth(store: SaasStore, scoped: IngestMutationContext['scoped'], currentMonth: string): number {
+  return store.snapshots.filter((snapshot) => {
+    return snapshot.organizationId === scoped.organizationId
+      && snapshot.workspaceId === scoped.workspaceId
+      && monthKey(snapshot.createdAt) === currentMonth
+  }).length
+}
+function assertGuardrails(store: SaasStore, options: IngestOptions, nowIso: string): void {
+  const scoped = resolveScopedIdentity(options)
+  const organization = store.organizations[scoped.organizationId]
+  const effectivePlan = normalizePlan(options.plan ?? organization?.plan)
+  assertWorkspaceLimit(store, scoped, effectivePlan)
+  assertFreeThresholdLimit(store, options.userId)
+  assertRepoLimit(store, scoped)
+  const currentMonth = monthKey(nowIso)
+  const runsThisMonth = countWorkspaceRunsThisMonth(store, scoped, currentMonth)
+  if (runsThisMonth >= store.policy.maxRunsPerWorkspacePerMonth) {
+    throw new Error(`Workspace '${scoped.workspaceId}' reached max monthly runs (${store.policy.maxRunsPerWorkspacePerMonth}).`)
+  }
+}
+function upsertUser(store: SaasStore, userId: string, nowIso: string): void {
+  const user = store.users[userId]
+  if (user) {
+    user.lastSeenAt = nowIso
+    return
+  }
+  store.users[userId] = {
+    id: userId,
+    createdAt: nowIso,
+    lastSeenAt: nowIso,
+  }
+}
+function maybeUpdateOrganizationPlanFromIngest(context: IngestMutationContext): void {
+  const { store, scoped, requestedPlan, options, nowIso } = context
+  const existingOrg = store.organizations[scoped.organizationId]
+  if (!existingOrg || !options.plan || existingOrg.plan === requestedPlan) return
+  if (options.actorUserId) {
+    assertPermissionInStore(store, {
+      operation: 'billing:write',
+      organizationId: scoped.organizationId,
+      actorUserId: options.actorUserId,
+    })
+  }
+  const previousPlan = existingOrg.plan
+  existingOrg.plan = requestedPlan
+  appendPlanChange(store, {
+    organizationId: scoped.organizationId,
+    fromPlan: previousPlan,
+    toPlan: requestedPlan,
+    changedAt: nowIso,
+    changedByUserId: options.actorUserId ?? options.userId,
+    reason: 'ingest-option-plan-change',
+  })
+}
+function ensureOrganizationForIngest(context: IngestMutationContext): void {
+  const { store, scoped, requestedPlan, nowIso } = context
+  const existingOrg = store.organizations[scoped.organizationId]
+  if (existingOrg) {
+    existingOrg.lastSeenAt = nowIso
+    maybeUpdateOrganizationPlanFromIngest(context)
+    return
+  }
+  store.organizations[scoped.organizationId] = {
+    id: scoped.organizationId,
+    plan: requestedPlan,
+    createdAt: nowIso,
+    lastSeenAt: nowIso,
+    workspaceIds: [],
+  }
+}
+function upsertWorkspaceForIngest(
+  store: SaasStore,
+  scoped: IngestMutationContext['scoped'],
+  userId: string,
+  nowIso: string,
+): { wasCreated: boolean } {
+  const workspace = store.workspaces[scoped.workspaceKey]
+  if (workspace) {
+    workspace.lastSeenAt = nowIso
+    if (!workspace.userIds.includes(userId)) workspace.userIds.push(userId)
+    return { wasCreated: false }
+  }
+  store.workspaces[scoped.workspaceKey] = {
+    id: scoped.workspaceId,
+    organizationId: scoped.organizationId,
+    createdAt: nowIso,
+    lastSeenAt: nowIso,
+    userIds: [userId],
+    repoIds: [],
+  }
+  const org = store.organizations[scoped.organizationId]
+  if (!org.workspaceIds.includes(scoped.workspaceId)) org.workspaceIds.push(scoped.workspaceId)
+  return { wasCreated: true }
+}
+function upsertMembershipForIngest(context: IngestMutationContext, workspaceWasCreated: boolean): SaasRole {
+  const { store, scoped, options, nowIso } = context
+  const membershipId = membershipKey(scoped.organizationId, scoped.workspaceId, options.userId)
+  const membership = store.memberships[membershipId]
+  let role = normalizeRole(options.role)
+  if (!membership && workspaceWasCreated) role = 'owner'
+  if (membership) {
+    membership.lastSeenAt = nowIso
+    if (options.role) membership.role = normalizeRole(options.role)
+    return membership.role
+  }
+  store.memberships[membershipId] = {
+    id: membershipId,
+    organizationId: scoped.organizationId,
+    workspaceId: scoped.workspaceId,
+    userId: options.userId,
+    role,
+    createdAt: nowIso,
+    lastSeenAt: nowIso,
+  }
+  return role
+}
+function upsertRepoForIngest(store: SaasStore, scoped: IngestMutationContext['scoped'], nowIso: string): void {
+  const repo = store.repos[scoped.repoId]
+  if (repo) {
+    repo.lastSeenAt = nowIso
+    return
+  }
+  store.repos[scoped.repoId] = {
+    id: scoped.repoId,
+    organizationId: scoped.organizationId,
+    workspaceId: scoped.workspaceId,
+    name: scoped.repoName,
+    createdAt: nowIso,
+    lastSeenAt: nowIso,
+  }
+  const workspace = store.workspaces[scoped.workspaceKey]
+  if (!workspace.repoIds.includes(scoped.repoId)) workspace.repoIds.push(scoped.repoId)
+}
+function createSnapshotFromReport(report: DriftReportInput, context: IngestMutationContext, role: SaasRole): SaasSnapshot {
+  const { store, scoped, options, nowIso, requestedPlan } = context
+  return {
+    id: createRandomId(String(Date.now())),
+    createdAt: nowIso,
+    scannedAt: report.scannedAt,
+    organizationId: scoped.organizationId,
+    workspaceId: scoped.workspaceId,
+    userId: options.userId,
+    role,
+    plan: normalizePlan(store.organizations[scoped.organizationId]?.plan ?? requestedPlan),
+    repoId: scoped.repoId,
+    repoName: scoped.repoName,
+    targetPath: report.targetPath,
+    totalScore: report.totalScore,
+    totalIssues: report.totalIssues,
+    totalFiles: report.totalFiles,
+    summary: {
+      errors: report.summary.errors,
+      warnings: report.summary.warnings,
+      infos: report.summary.infos,
+    },
+  }
+}
+function assertIngestActorRequirement(options: IngestOptions, scoped: IngestMutationContext['scoped'], store: SaasStore): void {
+  if (!store.policy.strictActorEnforcement || options.actorUserId) return
+  throw new SaasActorRequiredError({
+    operation: 'snapshot:write',
+    organizationId: scoped.organizationId,
+    workspaceId: scoped.workspaceId,
+  })
+}
+function assertIngestPermissionForActor(store: SaasStore, scoped: IngestMutationContext['scoped'], actorUserId?: string): void {
+  if (!actorUserId) return
+  const workspaceExists = Boolean(store.workspaces[scoped.workspaceKey])
+  const organizationExists = Boolean(store.organizations[scoped.organizationId])
+  if (workspaceExists) {
+    assertPermissionInStore(store, {
+      operation: 'snapshot:write',
+      organizationId: scoped.organizationId,
+      workspaceId: scoped.workspaceId,
+      actorUserId,
+    })
+    return
+  }
+  if (organizationExists) {
+    assertPermissionInStore(store, {
+      operation: 'billing:write',
+      organizationId: scoped.organizationId,
+      actorUserId,
+    })
+  }
+}
+export function ingestSnapshotFromReport(report: DriftReportInput, options: IngestOptions): SaasSnapshot {
+  const storeFile = resolve(options.storeFile ?? defaultSaasStorePath())
+  const store = loadStoreInternal(storeFile, options.policy)
+  const nowIso = new Date().toISOString()
+  const scoped = resolveScopedIdentity(options)
+  const requestedPlan = normalizePlan(options.plan)
+  const context: IngestMutationContext = {
+    store,
+    scoped,
+    options,
+    nowIso,
+    requestedPlan,
+  }
+  assertIngestActorRequirement(options, scoped, store)
+  assertIngestPermissionForActor(store, scoped, options.actorUserId)
+  assertGuardrails(store, options, nowIso)
+  upsertUser(store, options.userId, nowIso)
+  ensureOrganizationForIngest(context)
+  const workspaceState = upsertWorkspaceForIngest(store, scoped, options.userId, nowIso)
+  const role = upsertMembershipForIngest(context, workspaceState.wasCreated)
+  upsertRepoForIngest(store, scoped, nowIso)
+  const snapshot = createSnapshotFromReport(report, context, role)
+  store.snapshots.push(snapshot)
+  applyRetentionPolicy(store)
+  saveStore(storeFile, store)
+  return snapshot
+}

package/src/saas/organization.ts ADDED Viewed

@@ -0,0 +1,99 @@
+import { resolve } from 'node:path'
+import type {
+  ChangeOrganizationPlanOptions,
+  SaasOrganizationUsageSnapshot,
+  SaasPlanChange,
+  SaasPlanChangeQueryOptions,
+  SaasUsageQueryOptions,
+} from './types.js'
+import { assertPermissionInStore, defaultSaasStorePath, loadStoreInternal, saveStore } from './store.js'
+import { monthKey, normalizePlan, workspaceKey } from './helpers.js'
+import { appendPlanChange } from './plan-change.js'
+export function changeOrganizationPlan(options: ChangeOrganizationPlanOptions): SaasPlanChange {
+  const storeFile = resolve(options.storeFile ?? defaultSaasStorePath())
+  const store = loadStoreInternal(storeFile, options.policy)
+  const nowIso = new Date().toISOString()
+  const organization = store.organizations[options.organizationId]
+  if (!organization) throw new Error(`Organization '${options.organizationId}' does not exist.`)
+  assertPermissionInStore(store, {
+    operation: 'billing:write',
+    organizationId: options.organizationId,
+    actorUserId: options.actorUserId,
+  })
+  const nextPlan = normalizePlan(options.newPlan)
+  if (organization.plan === nextPlan) {
+    const unchanged = appendPlanChange(store, {
+      organizationId: organization.id,
+      fromPlan: organization.plan,
+      toPlan: nextPlan,
+      changedAt: nowIso,
+      changedByUserId: options.actorUserId,
+      reason: options.reason,
+    })
+    saveStore(storeFile, store)
+    return unchanged
+  }
+  const previousPlan = organization.plan
+  organization.plan = nextPlan
+  organization.lastSeenAt = nowIso
+  const change = appendPlanChange(store, {
+    organizationId: organization.id,
+    fromPlan: previousPlan,
+    toPlan: nextPlan,
+    changedAt: nowIso,
+    changedByUserId: options.actorUserId,
+    reason: options.reason,
+  })
+  saveStore(storeFile, store)
+  return change
+}
+export function listOrganizationPlanChanges(options: SaasPlanChangeQueryOptions): SaasPlanChange[] {
+  const storeFile = resolve(options.storeFile ?? defaultSaasStorePath())
+  const store = loadStoreInternal(storeFile, options.policy)
+  assertPermissionInStore(store, {
+    operation: 'billing:read',
+    organizationId: options.organizationId,
+    actorUserId: options.actorUserId,
+  })
+  return store.planChanges
+    .filter((change) => change.organizationId === options.organizationId)
+    .sort((a, b) => b.changedAt.localeCompare(a.changedAt))
+}
+export function getOrganizationUsageSnapshot(options: SaasUsageQueryOptions): SaasOrganizationUsageSnapshot {
+  const storeFile = resolve(options.storeFile ?? defaultSaasStorePath())
+  const store = loadStoreInternal(storeFile, options.policy)
+  assertPermissionInStore(store, {
+    operation: 'billing:read',
+    organizationId: options.organizationId,
+    actorUserId: options.actorUserId,
+  })
+  const organization = store.organizations[options.organizationId]
+  if (!organization) throw new Error(`Organization '${options.organizationId}' does not exist.`)
+  const month = options.month ?? monthKey(new Date().toISOString())
+  const organizationRunSnapshots = store.snapshots.filter((snapshot) => snapshot.organizationId === options.organizationId)
+  return {
+    organizationId: options.organizationId,
+    plan: organization.plan,
+    capturedAt: new Date().toISOString(),
+    workspaceCount: organization.workspaceIds.length,
+    repoCount: organization.workspaceIds
+      .map((workspaceId) => store.workspaces[workspaceKey(options.organizationId, workspaceId)])
+      .filter((workspace) => Boolean(workspace))
+      .reduce((count, workspace) => count + workspace.repoIds.length, 0),
+    runCount: organizationRunSnapshots.length,
+    runCountThisMonth: organizationRunSnapshots.filter((snapshot) => monthKey(snapshot.createdAt) === month).length,
+  }
+}

package/src/saas/plan-change.ts ADDED Viewed

@@ -0,0 +1,19 @@
+import type { SaasPlan, SaasPlanChange, SaasStore } from './types.js'
+import { createRandomId } from './constants.js'
+export function appendPlanChange(
+  store: SaasStore,
+  input: { organizationId: string; fromPlan: SaasPlan; toPlan: SaasPlan; changedByUserId: string; reason?: string; changedAt: string },
+): SaasPlanChange {
+  const change: SaasPlanChange = {
+    id: createRandomId(input.changedAt),
+    organizationId: input.organizationId,
+    fromPlan: input.fromPlan,
+    toPlan: input.toPlan,
+    changedAt: input.changedAt,
+    changedByUserId: input.changedByUserId,
+    reason: input.reason,
+  }
+  store.planChanges.push(change)
+  return change
+}