@elevasis/core 0.22.0 → 0.24.0

package/src/auth/multi-tenancy/permissions.test.ts

@@ -1,42 +1,42 @@
-import { describe, it, expect } from 'vitest'
-import { PERMISSIONS, PERMISSION_CATALOG, isPermissionKey } from './permissions'
-
-describe('permissions catalog', () => {
-  const permissionValues = Object.values(PERMISSIONS)
-  const catalogKeys = PERMISSION_CATALOG.map((p) => p.key)
-
-  it('every PERMISSIONS value appears as a key in PERMISSION_CATALOG', () => {
-    for (const value of permissionValues) {
-      expect(catalogKeys).toContain(value)
-    }
-  })
-
-  it('every PERMISSION_CATALOG key exists as a value in PERMISSIONS', () => {
-    for (const key of catalogKeys) {
-      expect(permissionValues).toContain(key)
-    }
-  })
-
-  it('every catalog entry has a non-empty description and a boolean isOrgGrantable', () => {
-    for (const entry of PERMISSION_CATALOG) {
-      expect(typeof entry.description).toBe('string')
-      expect(entry.description.trim().length).toBeGreaterThan(0)
-      expect(typeof entry.isOrgGrantable).toBe('boolean')
-    }
-  })
-
-  it('catalog has no duplicate keys', () => {
-    const seen = new Set<string>()
-    for (const key of catalogKeys) {
-      expect(seen.has(key), `duplicate catalog key: ${key}`).toBe(false)
-      seen.add(key)
-    }
-  })
-
-  it('isPermissionKey returns true for every catalog key and false for unknown strings', () => {
-    for (const key of catalogKeys) {
-      expect(isPermissionKey(key)).toBe(true)
-    }
-    expect(isPermissionKey('not.a.permission')).toBe(false)
-  })
-})
+import { describe, it, expect } from 'vitest'
+import { PERMISSIONS, PERMISSION_CATALOG, isPermissionKey } from './permissions'
+
+describe('permissions catalog', () => {
+  const permissionValues = Object.values(PERMISSIONS)
+  const catalogKeys = PERMISSION_CATALOG.map((p) => p.key)
+
+  it('every PERMISSIONS value appears as a key in PERMISSION_CATALOG', () => {
+    for (const value of permissionValues) {
+      expect(catalogKeys).toContain(value)
+    }
+  })
+
+  it('every PERMISSION_CATALOG key exists as a value in PERMISSIONS', () => {
+    for (const key of catalogKeys) {
+      expect(permissionValues).toContain(key)
+    }
+  })
+
+  it('every catalog entry has a non-empty description and a boolean isOrgGrantable', () => {
+    for (const entry of PERMISSION_CATALOG) {
+      expect(typeof entry.description).toBe('string')
+      expect(entry.description.trim().length).toBeGreaterThan(0)
+      expect(typeof entry.isOrgGrantable).toBe('boolean')
+    }
+  })
+
+  it('catalog has no duplicate keys', () => {
+    const seen = new Set<string>()
+    for (const key of catalogKeys) {
+      expect(seen.has(key), `duplicate catalog key: ${key}`).toBe(false)
+      seen.add(key)
+    }
+  })
+
+  it('isPermissionKey returns true for every catalog key and false for unknown strings', () => {
+    for (const key of catalogKeys) {
+      expect(isPermissionKey(key)).toBe(true)
+    }
+    expect(isPermissionKey('not.a.permission')).toBe(false)
+  })
+})

package/src/auth/multi-tenancy/permissions.ts

@@ -1,123 +1,123 @@
-/**
- * Canonical permission catalog.
- *
- * Source of truth for the permission keys used by:
- *   - RLS policies in Supabase (via has_org_permission(org_id, key))
- *   - API middleware (via requireOrganizationPermission(key))
- *   - UI hooks (via useOrganizationPermissions().hasPermission(key))
- *
- * The DB table `org_rol_permissions` mirrors this constant. There is no
- * runtime reconciler; parity is enforced two ways:
- *   1. Each migration that adds/removes/modifies a permission must INSERT
- *      (or UPDATE / DELETE) the corresponding `org_rol_permissions` row in
- *      the same transaction.
- *   2. `apps/api/src/auth/multi-tenancy/__tests__/permissions-catalog-sync.integration.test.ts`
- *      asserts the TS catalog and the DB rows agree; CI fails on drift.
- *
- * Adding a permission:
- *   1. Add an entry below.
- *   2. Add a row to the migration (INSERT INTO org_rol_permissions ...) in
- *      the same transaction as any policies/grants that reference the key.
- *   3. Reference it in RLS / middleware as needed.
- *   4. Optionally grant it to one or more system roles in org_rol_grants.
- *
- * Removing a permission: follow the deletion runbook — never just delete
- * the entry. Existing role grants and policy references must be cleared first.
- */
-
-export const PERMISSIONS = {
-  ORG_READ: 'org.read',
-  ORG_MANAGE: 'org.manage',
-  ORG_DELETE: 'org.delete',
-  MEMBERS_MANAGE: 'members.manage',
-  ROLES_MANAGE: 'roles.manage',
-  SECRETS_MANAGE: 'secrets.manage',
-  OPERATIONS_READ: 'operations.read',
-  OPERATIONS_MANAGE: 'operations.manage',
-  ACQUISITION_MANAGE: 'acquisition.manage',
-  PROJECTS_MANAGE: 'projects.manage',
-  CLIENTS_MANAGE: 'clients.manage'
-} as const
-
-export type PermissionKey = (typeof PERMISSIONS)[keyof typeof PERMISSIONS]
-
-/**
- * Static metadata for each permission. Mirrored into org_rol_permissions by
- * a migration `INSERT` in the same transaction as any change to this catalog.
- * is_org_grantable=false means the permission is reserved to system roles
- * only — custom roles cannot include it (privilege-escalation guard).
- */
-export interface PermissionDescriptor {
-  key: PermissionKey
-  description: string
-  isOrgGrantable: boolean
-}
-
-export const PERMISSION_CATALOG: readonly PermissionDescriptor[] = [
-  {
-    key: 'org.read',
-    description: 'Read organization profile and listings',
-    isOrgGrantable: true
-  },
-  {
-    key: 'org.manage',
-    description: 'Update organization settings',
-    isOrgGrantable: false
-  },
-  {
-    key: 'org.delete',
-    description: 'Delete the organization (owner-only)',
-    isOrgGrantable: false
-  },
-  {
-    key: 'members.manage',
-    description: 'Invite, remove, and reassign roles for members',
-    isOrgGrantable: false
-  },
-  {
-    key: 'roles.manage',
-    description: 'Grant or revoke privileged system roles (owner, admin) within the organization',
-    isOrgGrantable: false
-  },
-  {
-    key: 'secrets.manage',
-    description: 'Create, update, and delete API keys and credentials',
-    isOrgGrantable: false
-  },
-  {
-    key: 'operations.read',
-    description: 'View executions, sessions, schedules, and command queue',
-    isOrgGrantable: true
-  },
-  {
-    key: 'operations.manage',
-    description: 'Run and modify executions, sessions, schedules, queue',
-    isOrgGrantable: true
-  },
-  {
-    key: 'acquisition.manage',
-    description:
-      'Create, update, and delete acquisition records (acq_companies, acq_contacts, acq_deals, acq_lists*, acq_content*, acquisition storage files)',
-    isOrgGrantable: false
-  },
-  {
-    key: 'projects.manage',
-    description: 'Create, update, and delete project records (prj_projects, prj_milestones, prj_tasks, prj_notes)',
-    isOrgGrantable: false
-  },
-  {
-    key: 'clients.manage',
-    description: 'Create, update, and delete client hub records (clients, clt_* satellites)',
-    isOrgGrantable: false
-  }
-] as const
-
-const PERMISSION_KEY_SET: ReadonlySet<string> = new Set(PERMISSION_CATALOG.map((p) => p.key))
-
-/**
- * Type guard. Use at trust boundaries (request input, third-party data) before
- * passing a string to `has_org_permission` / `requireOrganizationPermission`.
- */
-export function isPermissionKey(value: unknown): value is PermissionKey {
-  return typeof value === 'string' && PERMISSION_KEY_SET.has(value)
-}
+/**
+ * Canonical permission catalog.
+ *
+ * Source of truth for the permission keys used by:
+ *   - RLS policies in Supabase (via has_org_permission(org_id, key))
+ *   - API middleware (via requireOrganizationPermission(key))
+ *   - UI hooks (via useOrganizationPermissions().hasPermission(key))
+ *
+ * The DB table `org_rol_permissions` mirrors this constant. There is no
+ * runtime reconciler; parity is enforced two ways:
+ *   1. Each migration that adds/removes/modifies a permission must INSERT
+ *      (or UPDATE / DELETE) the corresponding `org_rol_permissions` row in
+ *      the same transaction.
+ *   2. `apps/api/src/auth/multi-tenancy/__tests__/permissions-catalog-sync.integration.test.ts`
+ *      asserts the TS catalog and the DB rows agree; CI fails on drift.
+ *
+ * Adding a permission:
+ *   1. Add an entry below.
+ *   2. Add a row to the migration (INSERT INTO org_rol_permissions ...) in
+ *      the same transaction as any policies/grants that reference the key.
+ *   3. Reference it in RLS / middleware as needed.
+ *   4. Optionally grant it to one or more system roles in org_rol_grants.
+ *
+ * Removing a permission: follow the deletion runbook — never just delete
+ * the entry. Existing role grants and policy references must be cleared first.
+ */
+
+export const PERMISSIONS = {
+  ORG_READ: 'org.read',
+  ORG_MANAGE: 'org.manage',
+  ORG_DELETE: 'org.delete',
+  MEMBERS_MANAGE: 'members.manage',
+  ROLES_MANAGE: 'roles.manage',
+  SECRETS_MANAGE: 'secrets.manage',
+  OPERATIONS_READ: 'operations.read',
+  OPERATIONS_MANAGE: 'operations.manage',
+  ACQUISITION_MANAGE: 'acquisition.manage',
+  PROJECTS_MANAGE: 'projects.manage',
+  CLIENTS_MANAGE: 'clients.manage'
+} as const
+
+export type PermissionKey = (typeof PERMISSIONS)[keyof typeof PERMISSIONS]
+
+/**
+ * Static metadata for each permission. Mirrored into org_rol_permissions by
+ * a migration `INSERT` in the same transaction as any change to this catalog.
+ * is_org_grantable=false means the permission is reserved to system roles
+ * only — custom roles cannot include it (privilege-escalation guard).
+ */
+export interface PermissionDescriptor {
+  key: PermissionKey
+  description: string
+  isOrgGrantable: boolean
+}
+
+export const PERMISSION_CATALOG: readonly PermissionDescriptor[] = [
+  {
+    key: 'org.read',
+    description: 'Read organization profile and listings',
+    isOrgGrantable: true
+  },
+  {
+    key: 'org.manage',
+    description: 'Update organization settings',
+    isOrgGrantable: false
+  },
+  {
+    key: 'org.delete',
+    description: 'Delete the organization (owner-only)',
+    isOrgGrantable: false
+  },
+  {
+    key: 'members.manage',
+    description: 'Invite, remove, and reassign roles for members',
+    isOrgGrantable: false
+  },
+  {
+    key: 'roles.manage',
+    description: 'Grant or revoke privileged system roles (owner, admin) within the organization',
+    isOrgGrantable: false
+  },
+  {
+    key: 'secrets.manage',
+    description: 'Create, update, and delete API keys and credentials',
+    isOrgGrantable: false
+  },
+  {
+    key: 'operations.read',
+    description: 'View executions, sessions, schedules, and command queue',
+    isOrgGrantable: true
+  },
+  {
+    key: 'operations.manage',
+    description: 'Run and modify executions, sessions, schedules, queue',
+    isOrgGrantable: true
+  },
+  {
+    key: 'acquisition.manage',
+    description:
+      'Create, update, and delete acquisition records (acq_companies, acq_contacts, acq_deals, acq_lists*, acq_content*, acquisition storage files)',
+    isOrgGrantable: false
+  },
+  {
+    key: 'projects.manage',
+    description: 'Create, update, and delete project records (prj_projects, prj_milestones, prj_tasks, prj_notes)',
+    isOrgGrantable: false
+  },
+  {
+    key: 'clients.manage',
+    description: 'Create, update, and delete client hub records (clients, clt_* satellites)',
+    isOrgGrantable: false
+  }
+] as const
+
+const PERMISSION_KEY_SET: ReadonlySet<string> = new Set(PERMISSION_CATALOG.map((p) => p.key))
+
+/**
+ * Type guard. Use at trust boundaries (request input, third-party data) before
+ * passing a string to `has_org_permission` / `requireOrganizationPermission`.
+ */
+export function isPermissionKey(value: unknown): value is PermissionKey {
+  return typeof value === 'string' && PERMISSION_KEY_SET.has(value)
+}

package/src/auth/multi-tenancy/role-management/api-schemas.ts

@@ -1,78 +1,78 @@
-import { z } from 'zod'
-
-const PermissionKeySchema = z.string().min(1).max(100)
-
-export const OrgRoleParamsSchema = z
-  .object({
-    orgId: z.string().uuid(),
-    roleId: z.string().uuid()
-  })
-  .strict()
-
-export const OrgRolesParamsSchema = z
-  .object({
-    orgId: z.string().uuid()
-  })
-  .strict()
-
-export const MembershipRoleParamsSchema = z
-  .object({
-    membershipId: z.string().min(1),
-    roleId: z.string().uuid()
-  })
-  .strict()
-
-export const MembershipParamsSchema = z
-  .object({
-    membershipId: z.string().min(1)
-  })
-  .strict()
-
-export const CreateOrgRoleRequestSchema = z
-  .object({
-    name: z.string().min(1).max(100).trim(),
-    slug: z
-      .string()
-      .min(1)
-      .max(100)
-      .regex(/^[a-z0-9]+(?:[-_][a-z0-9]+)*$/, 'Role slug must be lowercase letters, numbers, dashes, or underscores'),
-    description: z.string().max(500).trim().optional(),
-    permissionKeys: z.array(PermissionKeySchema).default([])
-  })
-  .strict()
-
-export const UpdateOrgRoleRequestSchema = z
-  .object({
-    name: z.string().min(1).max(100).trim().optional(),
-    slug: z
-      .string()
-      .min(1)
-      .max(100)
-      .regex(/^[a-z0-9]+(?:[-_][a-z0-9]+)*$/, 'Role slug must be lowercase letters, numbers, dashes, or underscores')
-      .optional(),
-    description: z.string().max(500).trim().nullable().optional(),
-    permissionKeys: z.array(PermissionKeySchema).optional()
-  })
-  .strict()
-  .refine(
-    (data) =>
-      data.name !== undefined ||
-      data.slug !== undefined ||
-      data.description !== undefined ||
-      data.permissionKeys !== undefined,
-    { message: 'At least one field must be provided' }
-  )
-
-export const AssignMembershipRoleRequestSchema = z
-  .object({
-    roleId: z.string().uuid()
-  })
-  .strict()
-
-export type OrgRoleParams = z.infer<typeof OrgRoleParamsSchema>
-export type OrgRolesParams = z.infer<typeof OrgRolesParamsSchema>
-export type MembershipRoleParams = z.infer<typeof MembershipRoleParamsSchema>
-export type MembershipParams = z.infer<typeof MembershipParamsSchema>
-export type CreateOrgRoleInput = z.infer<typeof CreateOrgRoleRequestSchema>
-export type UpdateOrgRoleInput = z.infer<typeof UpdateOrgRoleRequestSchema>
-export type AssignMembershipRoleInput = z.infer<typeof AssignMembershipRoleRequestSchema>
+import { z } from 'zod'
+
+const PermissionKeySchema = z.string().min(1).max(100)
+
+export const OrgRoleParamsSchema = z
+  .object({
+    orgId: z.string().uuid(),
+    roleId: z.string().uuid()
+  })
+  .strict()
+
+export const OrgRolesParamsSchema = z
+  .object({
+    orgId: z.string().uuid()
+  })
+  .strict()
+
+export const MembershipRoleParamsSchema = z
+  .object({
+    membershipId: z.string().min(1),
+    roleId: z.string().uuid()
+  })
+  .strict()
+
+export const MembershipParamsSchema = z
+  .object({
+    membershipId: z.string().min(1)
+  })
+  .strict()
+
+export const CreateOrgRoleRequestSchema = z
+  .object({
+    name: z.string().min(1).max(100).trim(),
+    slug: z
+      .string()
+      .min(1)
+      .max(100)
+      .regex(/^[a-z0-9]+(?:[-_][a-z0-9]+)*$/, 'Role slug must be lowercase letters, numbers, dashes, or underscores'),
+    description: z.string().max(500).trim().optional(),
+    permissionKeys: z.array(PermissionKeySchema).default([])
+  })
+  .strict()
+
+export const UpdateOrgRoleRequestSchema = z
+  .object({
+    name: z.string().min(1).max(100).trim().optional(),
+    slug: z
+      .string()
+      .min(1)
+      .max(100)
+      .regex(/^[a-z0-9]+(?:[-_][a-z0-9]+)*$/, 'Role slug must be lowercase letters, numbers, dashes, or underscores')
+      .optional(),
+    description: z.string().max(500).trim().nullable().optional(),
+    permissionKeys: z.array(PermissionKeySchema).optional()
+  })
+  .strict()
+  .refine(
+    (data) =>
+      data.name !== undefined ||
+      data.slug !== undefined ||
+      data.description !== undefined ||
+      data.permissionKeys !== undefined,
+    { message: 'At least one field must be provided' }
+  )
+
+export const AssignMembershipRoleRequestSchema = z
+  .object({
+    roleId: z.string().uuid()
+  })
+  .strict()
+
+export type OrgRoleParams = z.infer<typeof OrgRoleParamsSchema>
+export type OrgRolesParams = z.infer<typeof OrgRolesParamsSchema>
+export type MembershipRoleParams = z.infer<typeof MembershipRoleParamsSchema>
+export type MembershipParams = z.infer<typeof MembershipParamsSchema>
+export type CreateOrgRoleInput = z.infer<typeof CreateOrgRoleRequestSchema>
+export type UpdateOrgRoleInput = z.infer<typeof UpdateOrgRoleRequestSchema>
+export type AssignMembershipRoleInput = z.infer<typeof AssignMembershipRoleRequestSchema>

package/src/auth/multi-tenancy/role-management/index.ts

@@ -1,16 +1,16 @@
-export {
-  AssignMembershipRoleRequestSchema,
-  CreateOrgRoleRequestSchema,
-  MembershipParamsSchema,
-  MembershipRoleParamsSchema,
-  OrgRoleParamsSchema,
-  OrgRolesParamsSchema,
-  UpdateOrgRoleRequestSchema,
-  type AssignMembershipRoleInput,
-  type CreateOrgRoleInput,
-  type MembershipParams,
-  type MembershipRoleParams,
-  type OrgRoleParams,
-  type OrgRolesParams,
-  type UpdateOrgRoleInput
-} from './api-schemas'
+export {
+  AssignMembershipRoleRequestSchema,
+  CreateOrgRoleRequestSchema,
+  MembershipParamsSchema,
+  MembershipRoleParamsSchema,
+  OrgRoleParamsSchema,
+  OrgRolesParamsSchema,
+  UpdateOrgRoleRequestSchema,
+  type AssignMembershipRoleInput,
+  type CreateOrgRoleInput,
+  type MembershipParams,
+  type MembershipRoleParams,
+  type OrgRoleParams,
+  type OrgRolesParams,
+  type UpdateOrgRoleInput
+} from './api-schemas'

package/src/auth/multi-tenancy/theme-presets.ts

@@ -1,45 +1,45 @@
-import { z } from 'zod'
-
-/**
- * Single source of truth for all active theme preset names.
- *
- * This is the canonical list. To add a preset:
- *   1. Add the name here.
- *   2. Create `packages/ui/src/theme/presets/{name}.ts` exporting `{name}Preset: ThemePreset`.
- *   3. Add to `PRESETS` record in `packages/ui/src/theme/presets/index.ts`.
- *   4. Add to `PresetName` union in `packages/ui/src/theme/presets/types.ts`.
- *   5. Add a card in `apps/command-center/src/features/settings/appearance/components/AppearanceSettings.tsx`.
- *
- * The union type (`ThemePresetName`) and Zod enum (`ThemePresetEnum`) are derived
- * automatically — no other files need updating.
- */
-export const THEME_PRESETS = [
-  'default',
-  'tactical',
-  'regal',
-  'cyber-volt',
-  'aurora',
-  'rose-gold',
-  'midnight',
-  'titanium',
-  'canopy',
-  'slate',
-  'cyber-strike',
-  'cyber-chrome',
-  'cyber-void',
-  'nirvana',
-  'wave',
-  'synapse',
-  'cortex',
-  'helios',
-  'graphite',
-  'quarry'
-] as const satisfies readonly string[]
-
-export type ThemePresetName = (typeof THEME_PRESETS)[number]
-
-/**
- * Zod enum derived from THEME_PRESETS.
- * Use `.catch('default')` at write-path callsites to tolerate stale/unknown values.
- */
-export const ThemePresetEnum = z.enum(THEME_PRESETS)
+import { z } from 'zod'
+
+/**
+ * Single source of truth for all active theme preset names.
+ *
+ * This is the canonical list. To add a preset:
+ *   1. Add the name here.
+ *   2. Create `packages/ui/src/theme/presets/{name}.ts` exporting `{name}Preset: ThemePreset`.
+ *   3. Add to `PRESETS` record in `packages/ui/src/theme/presets/index.ts`.
+ *   4. Add to `PresetName` union in `packages/ui/src/theme/presets/types.ts`.
+ *   5. Add a card in `apps/command-center/src/features/settings/appearance/components/AppearanceSettings.tsx`.
+ *
+ * The union type (`ThemePresetName`) and Zod enum (`ThemePresetEnum`) are derived
+ * automatically — no other files need updating.
+ */
+export const THEME_PRESETS = [
+  'default',
+  'tactical',
+  'regal',
+  'cyber-volt',
+  'aurora',
+  'rose-gold',
+  'midnight',
+  'titanium',
+  'canopy',
+  'slate',
+  'cyber-strike',
+  'cyber-chrome',
+  'cyber-void',
+  'nirvana',
+  'wave',
+  'synapse',
+  'cortex',
+  'helios',
+  'graphite',
+  'quarry'
+] as const satisfies readonly string[]
+
+export type ThemePresetName = (typeof THEME_PRESETS)[number]
+
+/**
+ * Zod enum derived from THEME_PRESETS.
+ * Use `.catch('default')` at write-path callsites to tolerate stale/unknown values.
+ */
+export const ThemePresetEnum = z.enum(THEME_PRESETS)