@elevasis/core 0.11.1 → 0.12.0

package/src/auth/multi-tenancy/invitations/api-schemas.ts

@@ -1,107 +1,104 @@
-/**
- * Invitations Domain - Zod Validation Schemas
- *
- * Validation schemas for invitation management endpoints.
- * Includes request bodies, query params, and path params.
- *
- * Security:
- * - All schemas use .strict() to prevent mass assignment attacks
- * - Email validation prevents header injection
- * - Role enum validation prevents privilege escalation
- * - organizationId from JWT (not accepted in body for protected routes)
- */
-
-import { z } from 'zod'
-import { EmailSchema } from '../../../platform/utils/validation'
-import { MembershipRoleSchema } from '../memberships/api-schemas'
-
-// ============================================================================
-// Path Parameters
-// ============================================================================
-
-/**
- * Validate invitation ID in URL path
- * Used by: GET/DELETE /invitations/:id
- */
-export const InvitationIdParamSchema = z
-  .object({
-    id: z.string().min(1) // WorkOS invitation IDs
-  })
-  .strict()
-
-// ============================================================================
-// Request Bodies
-// ============================================================================
-
-/**
- * Send new invitation
- * POST /invitations
- *
- * Security:
- * - Email format validated (prevents header injection)
- * - Role enum prevents privilege escalation
- * - expiresInDays bounded (1-90 days)
- * - organizationId NOT in body (from JWT via requireOrganization middleware)
- */
-export const SendInvitationSchema = z
-  .object({
-    email: EmailSchema,
-    organizationId: z.string().optional(), // For WorkOS API - but typically from JWT
-    roleSlug: MembershipRoleSchema.default('member'),
-    expiresInDays: z.number().int().min(1).max(90).default(7)
-  })
-  .strict()
-
-/**
- * Accept invitation by token
- * POST /invitations/accept
- *
- * Security:
- * - Token validated (non-empty string)
- */
-export const AcceptInvitationSchema = z
-  .object({
-    invitation_token: z.string().min(1, 'Invitation token is required')
-  })
-  .strict()
-
-// ============================================================================
-// Query Parameters
-// ============================================================================
-
-/**
- * List invitations with filters
- * GET /invitations
- *
- * Filters:
- * - organizationId: Filter by organization
- * - email: Filter by email
- *
- * Security:
- * - Requires organizationId or userId filter
- * - Email validated
- */
-export const ListInvitationsQuerySchema = z
-  .object({
-    organizationId: z.string().optional(),
-    userId: z.string().optional(),
-    email: EmailSchema.optional(),
-    limit: z.coerce.number().int().min(1).max(100).optional(),
-    before: z.string().optional(), // WorkOS pagination cursor
-    after: z.string().optional()   // WorkOS pagination cursor
-  })
-  .strict()
-  .refine(
-    (data) => data.organizationId || data.userId,
-    { message: 'Either organizationId or userId must be provided' }
-  )
-
-// ============================================================================
-// TypeScript Type Exports
-// ============================================================================
-
-// Export inferred types for use in route handlers
-export type SendInvitationInput = z.infer<typeof SendInvitationSchema>
-export type AcceptInvitationInput = z.infer<typeof AcceptInvitationSchema>
-export type ListInvitationsQuery = z.infer<typeof ListInvitationsQuerySchema>
-export type InvitationIdParam = z.infer<typeof InvitationIdParamSchema>
+/**
+ * Invitations Domain - Zod Validation Schemas
+ *
+ * Validation schemas for invitation management endpoints.
+ * Includes request bodies, query params, and path params.
+ *
+ * Security:
+ * - All schemas use .strict() to prevent mass assignment attacks
+ * - Email validation prevents header injection
+ * - Role enum validation prevents privilege escalation
+ * - organizationId from JWT (not accepted in body for protected routes)
+ */
+
+import { z } from 'zod'
+import { EmailSchema } from '../../../platform/utils/validation'
+import { MembershipRoleSchema } from '../memberships/api-schemas'
+
+// ============================================================================
+// Path Parameters
+// ============================================================================
+
+/**
+ * Validate invitation ID in URL path
+ * Used by: GET/DELETE /invitations/:id
+ */
+export const InvitationIdParamSchema = z
+  .object({
+    id: z.string().min(1) // WorkOS invitation IDs
+  })
+  .strict()
+
+// ============================================================================
+// Request Bodies
+// ============================================================================
+
+/**
+ * Send new invitation
+ * POST /invitations
+ *
+ * Security:
+ * - Email format validated (prevents header injection)
+ * - roleSlug validated as non-empty slug; service layer checks against org_rol_definitions
+ * - expiresInDays bounded (1-90 days)
+ * - organizationId NOT in body (from JWT via requireOrganization middleware)
+ */
+export const SendInvitationSchema = z
+  .object({
+    email: EmailSchema,
+    organizationId: z.string().optional(), // For WorkOS API - but typically from JWT
+    roleSlug: MembershipRoleSchema.default('member'),
+    expiresInDays: z.number().int().min(1).max(90).default(7)
+  })
+  .strict()
+
+/**
+ * Accept invitation by token
+ * POST /invitations/accept
+ *
+ * Security:
+ * - Token validated (non-empty string)
+ */
+export const AcceptInvitationSchema = z
+  .object({
+    invitation_token: z.string().min(1, 'Invitation token is required')
+  })
+  .strict()
+
+// ============================================================================
+// Query Parameters
+// ============================================================================
+
+/**
+ * List invitations with filters
+ * GET /invitations
+ *
+ * Filters:
+ * - organizationId: Filter by organization
+ * - email: Filter by email
+ *
+ * Security:
+ * - Requires organizationId or userId filter
+ * - Email validated
+ */
+export const ListInvitationsQuerySchema = z
+  .object({
+    organizationId: z.string().optional(),
+    userId: z.string().optional(),
+    email: EmailSchema.optional(),
+    limit: z.coerce.number().int().min(1).max(100).optional(),
+    before: z.string().optional(), // WorkOS pagination cursor
+    after: z.string().optional() // WorkOS pagination cursor
+  })
+  .strict()
+  .refine((data) => data.organizationId || data.userId, { message: 'Either organizationId or userId must be provided' })
+
+// ============================================================================
+// TypeScript Type Exports
+// ============================================================================
+
+// Export inferred types for use in route handlers
+export type SendInvitationInput = z.infer<typeof SendInvitationSchema>
+export type AcceptInvitationInput = z.infer<typeof AcceptInvitationSchema>
+export type ListInvitationsQuery = z.infer<typeof ListInvitationsQuerySchema>
+export type InvitationIdParam = z.infer<typeof InvitationIdParamSchema>

package/src/auth/multi-tenancy/memberships/api-schemas.ts

@@ -19,11 +19,12 @@ import { z } from 'zod'
 
 /**
  * Membership role validation
- * Restricts to valid role slugs only
+ * Accepts any non-empty role slug (max 64 chars).
  *
- * Security: Prevents privilege escalation by limiting role values
+ * Roles are now DB-driven via `org_rol_definitions`. Runtime validation
+ * against valid slugs happens at the service layer, not here.
  */
-export const MembershipRoleSchema = z.enum(['admin', 'member'])
+export const MembershipRoleSchema = z.string().min(1).max(64)
 
 /**
  * Membership status validation
@@ -73,7 +74,7 @@ export const MyOrgPermissionsResponseSchema = z.object({
  * Security:
  * - userId must be valid (string format for WorkOS)
  * - organizationId must be valid (string format for WorkOS)
- * - roleSlug enum prevents privilege escalation
+ * - roleSlug validated as non-empty slug; service layer checks against org_rol_definitions
  * - Strict mode prevents injection
  */
 export const CreateMembershipSchema = z
@@ -90,7 +91,7 @@ export const CreateMembershipSchema = z
  *
  * Security:
  * - Only roleSlug can be updated
- * - Enum validation prevents privilege escalation
+ * - Service layer validates slug against org_rol_definitions
  */
 export const UpdateMembershipSchema = z
   .object({

package/src/auth/multi-tenancy/memberships/membership.ts

@@ -1,138 +1,130 @@
-import type { MembershipFeatureConfig } from '../types'
-import { type MembershipStatus } from './api-schemas.js'
-
-export type { MembershipStatus }
-
-/**
- * Organization Membership types based on WorkOS API
- */
-
-export interface OrganizationMembership {
-  object: 'organization_membership'
-  id: string
-  userId: string
-  organizationId: string
-  role: {
-    slug: string
-  }
-  status: 'active' | 'inactive'
-  createdAt: string
-  updatedAt: string
-}
-
-/**
- * Request interfaces for membership operations
- */
-export interface CreateMembershipRequest {
-  userId: string
-  organizationId: string
-  roleSlug?: string
-}
-
-export interface UpdateMembershipRequest {
-  roleSlug: string
-}
-
-export interface ListMembershipsParams {
-  userId?: string
-  organizationId?: string
-  statuses?: MembershipStatus[]
-  limit?: number
-  before?: string
-  after?: string
-  order?: 'asc' | 'desc'
-}
-
-/**
- * Response interfaces
- */
-export interface ListMembershipsResponse {
-  data: OrganizationMembership[]
-  listMetadata?: {
-    before?: string | null
-    after?: string | null
-  }
-}
-
-/**
- * Extended membership with user and organization details for UI
- */
-export interface MembershipWithDetails extends OrganizationMembership {
-  user?: {
-    id: string
-    email: string
-    firstName?: string
-    lastName?: string
-    profilePictureUrl?: string
-  }
-  organization?: {
-    id: string
-    name: string
-    workos_org_id: string
-    primaryDomain?: string
-    is_test?: boolean
-    status?: string
-    metadata?: Record<string, unknown>
-    config?: Record<string, unknown>
-  }
-  config?: MembershipFeatureConfig
-}
-
-/**
- * UI-specific membership table row data
- */
-export interface MembershipTableRow {
-  id: string
-  userId: string
-  organizationId: string
-  userEmail: string
-  userFullName: string
-  organizationName: string
-  role: string
-  status: MembershipStatus
-  statusBadge: 'active' | 'inactive'
-  joinedAt: Date
-  updatedAt: Date
-  canEdit: boolean
-  canRemove: boolean
-}
-
-/**
- * Transform membership to table row format
- */
-export function transformMembershipToTableRow(membership: MembershipWithDetails): MembershipTableRow {
-  return {
-    id: membership.id,
-    userId: membership.userId,
-    organizationId: membership.organizationId,
-    userEmail: membership.user?.email || 'Unknown',
-    userFullName:
-      membership.user?.firstName && membership.user?.lastName
-        ? `${membership.user.firstName} ${membership.user.lastName}`
-        : membership.user?.email || 'Unknown User',
-    organizationName: membership.organization?.name || 'Unknown Organization',
-    role: membership.role.slug,
-    status: membership.status,
-    statusBadge: membership.status,
-    joinedAt: new Date(membership.createdAt),
-    updatedAt: new Date(membership.updatedAt),
-    canEdit: membership.status === 'active',
-    canRemove: true
-  }
-}
-
-/**
- * Membership status color mapping for UI
- */
-export const MEMBERSHIP_STATUS_COLORS = {
-  active: 'green',
-  inactive: 'gray'
-} as const
-
-/**
- * Membership role options (can be extended)
- */
-export const DEFAULT_MEMBERSHIP_ROLES = [
-  { value: 'admin', label: 'Admin' },
-  { value: 'member', label: 'Member' }
-] as const
+import type { MembershipFeatureConfig } from '../types'
+import { type MembershipStatus } from './api-schemas.js'
+
+export type { MembershipStatus }
+
+/**
+ * Organization Membership types based on WorkOS API
+ */
+
+export interface OrganizationMembership {
+  object: 'organization_membership'
+  id: string
+  userId: string
+  organizationId: string
+  role: {
+    slug: string
+  }
+  status: 'active' | 'inactive'
+  createdAt: string
+  updatedAt: string
+}
+
+/**
+ * Request interfaces for membership operations
+ */
+export interface CreateMembershipRequest {
+  userId: string
+  organizationId: string
+  roleSlug?: string
+}
+
+export interface UpdateMembershipRequest {
+  roleSlug: string
+}
+
+export interface ListMembershipsParams {
+  userId?: string
+  organizationId?: string
+  statuses?: MembershipStatus[]
+  limit?: number
+  before?: string
+  after?: string
+  order?: 'asc' | 'desc'
+}
+
+/**
+ * Response interfaces
+ */
+export interface ListMembershipsResponse {
+  data: OrganizationMembership[]
+  listMetadata?: {
+    before?: string | null
+    after?: string | null
+  }
+}
+
+/**
+ * Extended membership with user and organization details for UI
+ */
+export interface MembershipWithDetails extends OrganizationMembership {
+  user?: {
+    id: string
+    email: string
+    firstName?: string
+    lastName?: string
+    profilePictureUrl?: string
+  }
+  organization?: {
+    id: string
+    name: string
+    workos_org_id: string
+    primaryDomain?: string
+    is_test?: boolean
+    status?: string
+    metadata?: Record<string, unknown>
+    config?: Record<string, unknown>
+  }
+  config?: MembershipFeatureConfig
+}
+
+/**
+ * UI-specific membership table row data
+ */
+export interface MembershipTableRow {
+  id: string
+  userId: string
+  organizationId: string
+  userEmail: string
+  userFullName: string
+  organizationName: string
+  role: string
+  status: MembershipStatus
+  statusBadge: 'active' | 'inactive'
+  joinedAt: Date
+  updatedAt: Date
+  canEdit: boolean
+  canRemove: boolean
+}
+
+/**
+ * Transform membership to table row format
+ */
+export function transformMembershipToTableRow(membership: MembershipWithDetails): MembershipTableRow {
+  return {
+    id: membership.id,
+    userId: membership.userId,
+    organizationId: membership.organizationId,
+    userEmail: membership.user?.email || 'Unknown',
+    userFullName:
+      membership.user?.firstName && membership.user?.lastName
+        ? `${membership.user.firstName} ${membership.user.lastName}`
+        : membership.user?.email || 'Unknown User',
+    organizationName: membership.organization?.name || 'Unknown Organization',
+    role: membership.role.slug,
+    status: membership.status,
+    statusBadge: membership.status,
+    joinedAt: new Date(membership.createdAt),
+    updatedAt: new Date(membership.updatedAt),
+    canEdit: membership.status === 'active',
+    canRemove: true
+  }
+}
+
+/**
+ * Membership status color mapping for UI
+ */
+export const MEMBERSHIP_STATUS_COLORS = {
+  active: 'green',
+  inactive: 'gray'
+} as const

package/src/auth/multi-tenancy/role-management/api-schemas.ts

@@ -0,0 +1,78 @@
+import { z } from 'zod'
+
+const PermissionKeySchema = z.string().min(1).max(100)
+
+export const OrgRoleParamsSchema = z
+  .object({
+    orgId: z.string().uuid(),
+    roleId: z.string().uuid()
+  })
+  .strict()
+
+export const OrgRolesParamsSchema = z
+  .object({
+    orgId: z.string().uuid()
+  })
+  .strict()
+
+export const MembershipRoleParamsSchema = z
+  .object({
+    membershipId: z.string().min(1),
+    roleId: z.string().uuid()
+  })
+  .strict()
+
+export const MembershipParamsSchema = z
+  .object({
+    membershipId: z.string().min(1)
+  })
+  .strict()
+
+export const CreateOrgRoleRequestSchema = z
+  .object({
+    name: z.string().min(1).max(100).trim(),
+    slug: z
+      .string()
+      .min(1)
+      .max(100)
+      .regex(/^[a-z0-9]+(?:[-_][a-z0-9]+)*$/, 'Role slug must be lowercase letters, numbers, dashes, or underscores'),
+    description: z.string().max(500).trim().optional(),
+    permissionKeys: z.array(PermissionKeySchema).default([])
+  })
+  .strict()
+
+export const UpdateOrgRoleRequestSchema = z
+  .object({
+    name: z.string().min(1).max(100).trim().optional(),
+    slug: z
+      .string()
+      .min(1)
+      .max(100)
+      .regex(/^[a-z0-9]+(?:[-_][a-z0-9]+)*$/, 'Role slug must be lowercase letters, numbers, dashes, or underscores')
+      .optional(),
+    description: z.string().max(500).trim().nullable().optional(),
+    permissionKeys: z.array(PermissionKeySchema).optional()
+  })
+  .strict()
+  .refine(
+    (data) =>
+      data.name !== undefined ||
+      data.slug !== undefined ||
+      data.description !== undefined ||
+      data.permissionKeys !== undefined,
+    { message: 'At least one field must be provided' }
+  )
+
+export const AssignMembershipRoleRequestSchema = z
+  .object({
+    roleId: z.string().uuid()
+  })
+  .strict()
+
+export type OrgRoleParams = z.infer<typeof OrgRoleParamsSchema>
+export type OrgRolesParams = z.infer<typeof OrgRolesParamsSchema>
+export type MembershipRoleParams = z.infer<typeof MembershipRoleParamsSchema>
+export type MembershipParams = z.infer<typeof MembershipParamsSchema>
+export type CreateOrgRoleInput = z.infer<typeof CreateOrgRoleRequestSchema>
+export type UpdateOrgRoleInput = z.infer<typeof UpdateOrgRoleRequestSchema>
+export type AssignMembershipRoleInput = z.infer<typeof AssignMembershipRoleRequestSchema>

package/src/auth/multi-tenancy/role-management/index.ts

@@ -0,0 +1,16 @@
+export {
+  AssignMembershipRoleRequestSchema,
+  CreateOrgRoleRequestSchema,
+  MembershipParamsSchema,
+  MembershipRoleParamsSchema,
+  OrgRoleParamsSchema,
+  OrgRolesParamsSchema,
+  UpdateOrgRoleRequestSchema,
+  type AssignMembershipRoleInput,
+  type CreateOrgRoleInput,
+  type MembershipParams,
+  type MembershipRoleParams,
+  type OrgRoleParams,
+  type OrgRolesParams,
+  type UpdateOrgRoleInput
+} from './api-schemas'