@elevasis/core 0.15.1 → 0.16.0

package/src/auth/multi-tenancy/index.ts

@@ -1,3 +1,6 @@
+// Theme preset SSOT (const tuple + derived union + Zod enum)
+export * from './theme-presets'
+
 // Config types
 export * from './types'
 

package/src/auth/multi-tenancy/theme-presets.ts

@@ -0,0 +1,45 @@
+import { z } from 'zod'
+
+/**
+ * Single source of truth for all active theme preset names.
+ *
+ * This is the canonical list. To add a preset:
+ *   1. Add the name here.
+ *   2. Create `packages/ui/src/theme/presets/{name}.ts` exporting `{name}Preset: ThemePreset`.
+ *   3. Add to `PRESETS` record in `packages/ui/src/theme/presets/index.ts`.
+ *   4. Add to `PresetName` union in `packages/ui/src/theme/presets/types.ts`.
+ *   5. Add a card in `apps/command-center/src/features/settings/appearance/components/AppearanceSettings.tsx`.
+ *
+ * The union type (`ThemePresetName`) and Zod enum (`ThemePresetEnum`) are derived
+ * automatically — no other files need updating.
+ */
+export const THEME_PRESETS = [
+  'default',
+  'tactical',
+  'regal',
+  'cyber-volt',
+  'aurora',
+  'rose-gold',
+  'midnight',
+  'titanium',
+  'canopy',
+  'slate',
+  'cyber-strike',
+  'cyber-chrome',
+  'cyber-void',
+  'nirvana',
+  'wave',
+  'synapse',
+  'cortex',
+  'helios',
+  'graphite',
+  'quarry'
+] as const satisfies readonly string[]
+
+export type ThemePresetName = (typeof THEME_PRESETS)[number]
+
+/**
+ * Zod enum derived from THEME_PRESETS.
+ * Use `.catch('default')` at write-path callsites to tolerate stale/unknown values.
+ */
+export const ThemePresetEnum = z.enum(THEME_PRESETS)

package/src/auth/multi-tenancy/types.ts

@@ -1,83 +1,57 @@
-/**
- * Multi-tenancy configuration types
- *
- * Config is stored in dedicated `config` columns (NOT nested in metadata):
- * - organizations.config: Org-level config (no feature toggles -- all features available by default)
- * - org_memberships.config: Per-user-per-org feature overrides
- * - users.config: User-global config
- */
-
-/**
- * Per-user-per-org config (stored in org_memberships.config)
- * Controls which features a specific member can access within their org.
- * Keys are feature IDs from the organization model (e.g. crm, lead-gen, projects, seo).
- */
-export interface MembershipFeatureConfig {
-  features?: Record<string, boolean>
-}
-
-/**
- * User-global config (stored in users.config)
- * Theme and onboarding are user-specific, NOT org-specific
- */
-export interface UserConfig {
-  theme?: {
-    preset?:
-      | 'default'
-      | 'tactical'
-      | 'regal'
-      | 'cyber-volt'
-      | 'aurora'
-      | 'rose-gold'
-      | 'midnight'
-      | 'titanium'
-      | 'obsidian'
-      | 'honey'
-      | 'abyss'
-      | 'canopy'
-      | 'slate'
-      | 'cyber-strike'
-      | 'cyber-chrome'
-      | 'cyber-void'
-      | 'nirvana'
-      | 'wave'
-      | 'synapse'
-      | 'cortex'
-      | 'helios'
-      | 'graphite'
-      | 'quarry'
-      | 'canyon'
-      | 'nord'
-      | 'catppuccin'
-      | 'tokyo-night'
-      | 'gruvbox'
-    colorScheme?: 'light' | 'dark' | 'auto'
-  }
-  onboarding?: {
-    completed?: boolean
-    completedAt?: string // ISO date
-    role?: string
-    primaryUseCase?: string[]
-    experienceLevel?: string
-    /** Onboarding guide system state (set by checklist/tour system) */
-    guides?: {
-      completedIds?: string[] // e.g. ["explore-dashboard", "view-workflow"]
-      dismissed?: boolean // user manually dismissed checklist
-      completedAt?: string // ISO date — all guides finished
-    }
-  }
-}
-
-/**
- * OrgMetadata - Contains WorkOS sync data only
- * Note: This is kept separate from config for clarity
- */
-export interface OrgMetadata {
-  domains?: {
-    verified: string[]
-    pending: string[]
-    all: string[]
-  }
-  workos_created_at?: string
-  workos_updated_at?: string
-}
+/**
+ * Multi-tenancy configuration types
+ *
+ * Config is stored in dedicated `config` columns (NOT nested in metadata):
+ * - organizations.config: Org-level config (no feature toggles -- all features available by default)
+ * - org_memberships.config: Per-user-per-org feature overrides
+ * - users.config: User-global config
+ */
+
+import type { ThemePresetName } from './theme-presets'
+
+/**
+ * Per-user-per-org config (stored in org_memberships.config)
+ * Controls which features a specific member can access within their org.
+ * Keys are feature IDs from the organization model (e.g. crm, lead-gen, projects, seo).
+ */
+export interface MembershipFeatureConfig {
+  features?: Record<string, boolean>
+}
+
+/**
+ * User-global config (stored in users.config)
+ * Theme and onboarding are user-specific, NOT org-specific
+ */
+export interface UserConfig {
+  theme?: {
+    preset?: ThemePresetName
+    colorScheme?: 'light' | 'dark' | 'auto'
+  }
+  onboarding?: {
+    completed?: boolean
+    completedAt?: string // ISO date
+    role?: string
+    primaryUseCase?: string[]
+    experienceLevel?: string
+    /** Onboarding guide system state (set by checklist/tour system) */
+    guides?: {
+      completedIds?: string[] // e.g. ["explore-dashboard", "view-workflow"]
+      dismissed?: boolean // user manually dismissed checklist
+      completedAt?: string // ISO date — all guides finished
+    }
+  }
+}
+
+/**
+ * OrgMetadata - Contains WorkOS sync data only
+ * Note: This is kept separate from config for clarity
+ */
+export interface OrgMetadata {
+  domains?: {
+    verified: string[]
+    pending: string[]
+    all: string[]
+  }
+  workos_created_at?: string
+  workos_updated_at?: string
+}

package/src/auth/multi-tenancy/users/api-schemas.ts

@@ -1,194 +1,165 @@
-/**
- * Users Domain - Zod Validation Schemas
- *
- * Validation schemas for user management endpoints.
- * Includes request bodies, query params, and path params.
- *
- * Security:
- * - All schemas use .strict() to prevent mass assignment attacks
- * - UUID validation prevents invalid references
- * - Email validation prevents email injection attacks
- * - emailVerified field excluded from create/update (admin-only)
- * - String length limits prevent DoS
- */
-
-import { z } from 'zod'
-import { EmailSchema, createStringSchema } from '../../../platform/utils/validation'
-
-// ============================================================================
-// Path Parameters
-// ============================================================================
-
-/**
- * Validate user ID in URL path
- * Used by: GET/PUT/DELETE /users/:id
- */
-export const UserIdParamSchema = z
-  .object({
-    id: z.string().min(1) // WorkOS user IDs can be UUID or 'user_' prefixed strings
-  })
-  .strict()
-
-/**
- * Validate external ID in URL path
- * Used by: GET /users/external/:externalId
- */
-export const ExternalIdParamSchema = z
-  .object({
-    externalId: z.string().min(1)
-  })
-  .strict()
-
-// ============================================================================
-// Request Bodies
-// ============================================================================
-
-/**
- * Update user profile
- * PUT /users/:id
- *
- * Security:
- * - All fields optional (partial update)
- * - Email format validated
- * - emailVerified NOT accepted (managed by WorkOS only)
- * - Strict mode prevents unknown field injection
- */
-export const UpdateUserSchema = z
-  .object({
-    email: EmailSchema.optional(),
-    firstName: createStringSchema(1, 100, 'First name').optional(),
-    lastName: createStringSchema(1, 100, 'Last name').optional()
-  })
-  .strict()
-
-// ============================================================================
-// Self-Service Profile
-// ============================================================================
-
-/**
- * Self-service profile update (subset of admin UpdateUserSchema)
- * PATCH /users/me
- *
- * Security:
- * - All fields optional (partial update)
- * - Server identifies user from JWT (no user ID in body)
- * - Config restricted to theme and onboarding only
- * - Strict mode prevents unknown field injection
- */
-export const UpdateMyProfileSchema = z
-  .object({
-    firstName: createStringSchema(1, 100, 'First name').optional(),
-    lastName: createStringSchema(1, 100, 'Last name').optional(),
-    profilePictureUrl: z
-      .string()
-      .url()
-      .refine((url) => url.startsWith('https://'), { message: 'Only HTTPS URLs are allowed' })
-      .optional(),
-    lastVisitedOrg: z.string().uuid().optional(),
-    config: z
-      .object({
-        theme: z
-          .object({
-            // `.catch('default')` makes the write path tolerant of stale/unknown preset strings.
-            // Any value that fails enum validation silently coerces to 'default' instead of 400ing.
-            // This protects against preset renames (e.g. cyber-punk → cyber-chrome) and drift between
-            // the enum and legacy DB values. Paired with a read-path sync-back in main.tsx that
-            // persists the corrected value back to DB on next profile load.
-            preset: z
-              .enum([
-                'default',
-                'tactical',
-                'regal',
-                'cyber-volt',
-                'aurora',
-                'rose-gold',
-                'midnight',
-                'titanium',
-                'obsidian',
-                'honey',
-                'abyss',
-                'canopy',
-                'slate',
-                'cyber-strike',
-                'cyber-chrome',
-                'cyber-void',
-                'nirvana',
-                'wave',
-                'synapse',
-                'cortex',
-                'helios',
-                'graphite',
-                'quarry',
-                'canyon',
-                'nord',
-                'catppuccin',
-                'tokyo-night',
-                'gruvbox'
-              ])
-              .catch('default')
-              .optional(),
-            colorScheme: z.enum(['light', 'dark', 'auto']).catch('auto').optional()
-          })
-          .strict()
-          .optional(),
-        onboarding: z
-          .object({
-            completed: z.boolean().optional(),
-            completedAt: z.string().datetime().nullable().optional(),
-            role: z.string().max(100).nullable().optional(),
-            primaryUseCase: z.array(z.string().max(100)).max(10).nullable().optional(),
-            experienceLevel: z.string().max(100).nullable().optional(),
-            guides: z
-              .object({
-                completedIds: z.array(z.string().max(100)).max(20).optional(),
-                dismissed: z.boolean().optional(),
-                completedAt: z.string().datetime().nullable().optional()
-              })
-              .strict()
-              .optional()
-          })
-          .strict()
-          .optional()
-      })
-      .strict()
-      .optional()
-  })
-  .strict()
-
-// ============================================================================
-// Query Parameters
-// ============================================================================
-
-/**
- * List users with filters
- * GET /users
- *
- * Filters:
- * - email: Filter by email
- * - organizationId: Filter by organization
- * - limit: Max results (pagination handled by WorkOS)
- *
- * Security:
- * - Email validated (prevents injection)
- * - organizationId validated (UUID format)
- */
-export const ListUsersQuerySchema = z
-  .object({
-    email: EmailSchema.optional(),
-    organizationId: z.string().optional(), // WorkOS org IDs can be UUID or 'org_' prefixed
-    limit: z.coerce.number().int().min(1).max(100).optional(),
-    before: z.string().optional(), // WorkOS pagination cursor
-    after: z.string().optional() // WorkOS pagination cursor
-  })
-  .strict()
-
-// ============================================================================
-// TypeScript Type Exports
-// ============================================================================
-
-// Export inferred types for use in route handlers
-export type UpdateUserInput = z.infer<typeof UpdateUserSchema>
-export type UpdateMyProfileInput = z.infer<typeof UpdateMyProfileSchema>
-export type ListUsersQuery = z.infer<typeof ListUsersQuerySchema>
-export type UserIdParam = z.infer<typeof UserIdParamSchema>
-export type ExternalIdParam = z.infer<typeof ExternalIdParamSchema>
+/**
+ * Users Domain - Zod Validation Schemas
+ *
+ * Validation schemas for user management endpoints.
+ * Includes request bodies, query params, and path params.
+ *
+ * Security:
+ * - All schemas use .strict() to prevent mass assignment attacks
+ * - UUID validation prevents invalid references
+ * - Email validation prevents email injection attacks
+ * - emailVerified field excluded from create/update (admin-only)
+ * - String length limits prevent DoS
+ */
+
+import { z } from 'zod'
+import { EmailSchema, createStringSchema } from '../../../platform/utils/validation'
+import { ThemePresetEnum } from '../theme-presets'
+
+// ============================================================================
+// Path Parameters
+// ============================================================================
+
+/**
+ * Validate user ID in URL path
+ * Used by: GET/PUT/DELETE /users/:id
+ */
+export const UserIdParamSchema = z
+  .object({
+    id: z.string().min(1) // WorkOS user IDs can be UUID or 'user_' prefixed strings
+  })
+  .strict()
+
+/**
+ * Validate external ID in URL path
+ * Used by: GET /users/external/:externalId
+ */
+export const ExternalIdParamSchema = z
+  .object({
+    externalId: z.string().min(1)
+  })
+  .strict()
+
+// ============================================================================
+// Request Bodies
+// ============================================================================
+
+/**
+ * Update user profile
+ * PUT /users/:id
+ *
+ * Security:
+ * - All fields optional (partial update)
+ * - Email format validated
+ * - emailVerified NOT accepted (managed by WorkOS only)
+ * - Strict mode prevents unknown field injection
+ */
+export const UpdateUserSchema = z
+  .object({
+    email: EmailSchema.optional(),
+    firstName: createStringSchema(1, 100, 'First name').optional(),
+    lastName: createStringSchema(1, 100, 'Last name').optional()
+  })
+  .strict()
+
+// ============================================================================
+// Self-Service Profile
+// ============================================================================
+
+/**
+ * Self-service profile update (subset of admin UpdateUserSchema)
+ * PATCH /users/me
+ *
+ * Security:
+ * - All fields optional (partial update)
+ * - Server identifies user from JWT (no user ID in body)
+ * - Config restricted to theme and onboarding only
+ * - Strict mode prevents unknown field injection
+ */
+export const UpdateMyProfileSchema = z
+  .object({
+    firstName: createStringSchema(1, 100, 'First name').optional(),
+    lastName: createStringSchema(1, 100, 'Last name').optional(),
+    profilePictureUrl: z
+      .string()
+      .url()
+      .refine((url) => url.startsWith('https://'), { message: 'Only HTTPS URLs are allowed' })
+      .optional(),
+    lastVisitedOrg: z.string().uuid().optional(),
+    config: z
+      .object({
+        theme: z
+          .object({
+            // `.catch('default')` makes the write path tolerant of stale/unknown preset strings.
+            // Any value that fails enum validation silently coerces to 'default' instead of 400ing.
+            // This protects against preset renames (e.g. cyber-punk → cyber-chrome) and drift between
+            // the enum and legacy DB values. Paired with a read-path sync-back in main.tsx that
+            // persists the corrected value back to DB on next profile load.
+            // ThemePresetEnum is derived from THEME_PRESETS — the single source of truth in
+            // packages/core/src/auth/multi-tenancy/theme-presets.ts.
+            preset: ThemePresetEnum.catch('default').optional(),
+            colorScheme: z.enum(['light', 'dark', 'auto']).catch('auto').optional()
+          })
+          .strict()
+          .optional(),
+        onboarding: z
+          .object({
+            completed: z.boolean().optional(),
+            completedAt: z.string().datetime().nullable().optional(),
+            role: z.string().max(100).nullable().optional(),
+            primaryUseCase: z.array(z.string().max(100)).max(10).nullable().optional(),
+            experienceLevel: z.string().max(100).nullable().optional(),
+            guides: z
+              .object({
+                completedIds: z.array(z.string().max(100)).max(20).optional(),
+                dismissed: z.boolean().optional(),
+                completedAt: z.string().datetime().nullable().optional()
+              })
+              .strict()
+              .optional()
+          })
+          .strict()
+          .optional()
+      })
+      .strict()
+      .optional()
+  })
+  .strict()
+
+// ============================================================================
+// Query Parameters
+// ============================================================================
+
+/**
+ * List users with filters
+ * GET /users
+ *
+ * Filters:
+ * - email: Filter by email
+ * - organizationId: Filter by organization
+ * - limit: Max results (pagination handled by WorkOS)
+ *
+ * Security:
+ * - Email validated (prevents injection)
+ * - organizationId validated (UUID format)
+ */
+export const ListUsersQuerySchema = z
+  .object({
+    email: EmailSchema.optional(),
+    organizationId: z.string().optional(), // WorkOS org IDs can be UUID or 'org_' prefixed
+    limit: z.coerce.number().int().min(1).max(100).optional(),
+    before: z.string().optional(), // WorkOS pagination cursor
+    after: z.string().optional() // WorkOS pagination cursor
+  })
+  .strict()
+
+// ============================================================================
+// TypeScript Type Exports
+// ============================================================================
+
+// Export inferred types for use in route handlers
+export type UpdateUserInput = z.infer<typeof UpdateUserSchema>
+export type UpdateMyProfileInput = z.infer<typeof UpdateMyProfileSchema>
+export type ListUsersQuery = z.infer<typeof ListUsersQuerySchema>
+export type UserIdParam = z.infer<typeof UserIdParamSchema>
+export type ExternalIdParam = z.infer<typeof ExternalIdParamSchema>

package/src/business/acquisition/activity-events.ts

@@ -4,7 +4,7 @@ import { z } from 'zod'
 // Platform event member schemas (9 members — closed union, stays in @repo/core)
 //
 // Domain-specific events (reply_received, booking_nudge_sent, etc.) live in
-// external/elevasis/operations as CrmDomainActivityEventSchema.
+// @repo/elevasis-operations as CrmDomainActivityEventSchema.
 // See Open Decision #5 in crm-action-system.mdx for rationale.
 // ---------------------------------------------------------------------------