@elevasis/core 0.28.0 → 0.30.0

package/dist/index.d.ts

@@ -2238,9 +2238,9 @@ declare const OmTopologyNodeKindSchema: z.ZodEnum<{
     externalResource: "externalResource";
 }>;
 declare const OmTopologyRelationshipKindSchema: z.ZodEnum<{
-    approval: "approval";
     triggers: "triggers";
     uses: "uses";
+    approval: "approval";
 }>;
 declare const OmTopologyNodeRefSchema: z.ZodDiscriminatedUnion<[z.ZodObject<{
     kind: z.ZodLiteral<"system">;
@@ -2295,9 +2295,9 @@ declare const OmTopologyRelationshipSchema: z.ZodObject<{
         id: z.ZodString;
     }, z.core.$strip>], "kind">;
     kind: z.ZodEnum<{
-        approval: "approval";
         triggers: "triggers";
         uses: "uses";
+        approval: "approval";
     }>;
     to: z.ZodDiscriminatedUnion<[z.ZodObject<{
         kind: z.ZodLiteral<"system">;
@@ -2357,9 +2357,9 @@ declare const OmTopologyDomainSchema: z.ZodDefault<z.ZodObject<{
             id: z.ZodString;
         }, z.core.$strip>], "kind">;
         kind: z.ZodEnum<{
-            approval: "approval";
             triggers: "triggers";
             uses: "uses";
+            approval: "approval";
         }>;
         to: z.ZodDiscriminatedUnion<[z.ZodObject<{
             kind: z.ZodLiteral<"system">;
@@ -2634,7 +2634,7 @@ declare const topologyRelationship: {
             kind: "externalResource";
             id: string;
         };
-        kind: "approval" | "triggers" | "uses";
+        kind: "triggers" | "uses" | "approval";
         to: {
             kind: "system";
             id: string;
@@ -2690,7 +2690,7 @@ declare const topologyRelationship: {
             kind: "externalResource";
             id: string;
         };
-        kind: "approval" | "triggers" | "uses";
+        kind: "triggers" | "uses" | "approval";
         to: {
             kind: "system";
             id: string;
@@ -2746,7 +2746,7 @@ declare const topologyRelationship: {
             kind: "externalResource";
             id: string;
         };
-        kind: "approval" | "triggers" | "uses";
+        kind: "triggers" | "uses" | "approval";
         to: {
             kind: "system";
             id: string;
@@ -2802,7 +2802,7 @@ declare const topologyRelationship: {
             kind: "externalResource";
             id: string;
         };
-        kind: "approval" | "triggers" | "uses";
+        kind: "triggers" | "uses" | "approval";
         to: {
             kind: "system";
             id: string;
@@ -2858,7 +2858,7 @@ declare const topologyRelationship: {
             kind: "externalResource";
             id: string;
         };
-        kind: "approval" | "triggers" | "uses";
+        kind: "triggers" | "uses" | "approval";
         to: {
             kind: "system";
             id: string;
@@ -2914,7 +2914,7 @@ declare const topologyRelationship: {
             kind: "externalResource";
             id: string;
         };
-        kind: "approval" | "triggers" | "uses";
+        kind: "triggers" | "uses" | "approval";
         to: {
             kind: "system";
             id: string;
@@ -3672,7 +3672,6 @@ declare function scaffoldOrganizationModel(model: OrganizationModel, spec: OmSca
 declare const LinkSchema: z.ZodObject<{
     nodeId: z.ZodString;
     kind: z.ZodEnum<{
-        approval: "approval";
         affects: "affects";
         actions: "actions";
         effects: "effects";
@@ -3682,6 +3681,7 @@ declare const LinkSchema: z.ZodObject<{
         emits: "emits";
         triggers: "triggers";
         uses: "uses";
+        approval: "approval";
         contains: "contains";
         references: "references";
         maps_to: "maps_to";
@@ -4528,9 +4528,9 @@ declare const OrganizationModelSchema: z.ZodObject<{
                 id: z.ZodString;
             }, z.core.$strip>], "kind">;
             kind: z.ZodEnum<{
-                approval: "approval";
                 triggers: "triggers";
                 uses: "uses";
+                approval: "approval";
             }>;
             to: z.ZodDiscriminatedUnion<[z.ZodObject<{
                 kind: z.ZodLiteral<"system">;

package/dist/knowledge/index.d.ts

@@ -997,9 +997,9 @@ declare const OrganizationModelSchema: z.ZodObject<{
                 id: z.ZodString;
             }, z.core.$strip>], "kind">;
             kind: z.ZodEnum<{
-                approval: "approval";
                 triggers: "triggers";
                 uses: "uses";
+                approval: "approval";
             }>;
             to: z.ZodDiscriminatedUnion<[z.ZodObject<{
                 kind: z.ZodLiteral<"system">;

package/dist/organization-model/index.d.ts

@@ -2238,9 +2238,9 @@ declare const OmTopologyNodeKindSchema: z.ZodEnum<{
     externalResource: "externalResource";
 }>;
 declare const OmTopologyRelationshipKindSchema: z.ZodEnum<{
-    approval: "approval";
     triggers: "triggers";
     uses: "uses";
+    approval: "approval";
 }>;
 declare const OmTopologyNodeRefSchema: z.ZodDiscriminatedUnion<[z.ZodObject<{
     kind: z.ZodLiteral<"system">;
@@ -2295,9 +2295,9 @@ declare const OmTopologyRelationshipSchema: z.ZodObject<{
         id: z.ZodString;
     }, z.core.$strip>], "kind">;
     kind: z.ZodEnum<{
-        approval: "approval";
         triggers: "triggers";
         uses: "uses";
+        approval: "approval";
     }>;
     to: z.ZodDiscriminatedUnion<[z.ZodObject<{
         kind: z.ZodLiteral<"system">;
@@ -2357,9 +2357,9 @@ declare const OmTopologyDomainSchema: z.ZodDefault<z.ZodObject<{
             id: z.ZodString;
         }, z.core.$strip>], "kind">;
         kind: z.ZodEnum<{
-            approval: "approval";
             triggers: "triggers";
             uses: "uses";
+            approval: "approval";
         }>;
         to: z.ZodDiscriminatedUnion<[z.ZodObject<{
             kind: z.ZodLiteral<"system">;
@@ -2634,7 +2634,7 @@ declare const topologyRelationship: {
             kind: "externalResource";
             id: string;
         };
-        kind: "approval" | "triggers" | "uses";
+        kind: "triggers" | "uses" | "approval";
         to: {
             kind: "system";
             id: string;
@@ -2690,7 +2690,7 @@ declare const topologyRelationship: {
             kind: "externalResource";
             id: string;
         };
-        kind: "approval" | "triggers" | "uses";
+        kind: "triggers" | "uses" | "approval";
         to: {
             kind: "system";
             id: string;
@@ -2746,7 +2746,7 @@ declare const topologyRelationship: {
             kind: "externalResource";
             id: string;
         };
-        kind: "approval" | "triggers" | "uses";
+        kind: "triggers" | "uses" | "approval";
         to: {
             kind: "system";
             id: string;
@@ -2802,7 +2802,7 @@ declare const topologyRelationship: {
             kind: "externalResource";
             id: string;
         };
-        kind: "approval" | "triggers" | "uses";
+        kind: "triggers" | "uses" | "approval";
         to: {
             kind: "system";
             id: string;
@@ -2858,7 +2858,7 @@ declare const topologyRelationship: {
             kind: "externalResource";
             id: string;
         };
-        kind: "approval" | "triggers" | "uses";
+        kind: "triggers" | "uses" | "approval";
         to: {
             kind: "system";
             id: string;
@@ -2914,7 +2914,7 @@ declare const topologyRelationship: {
             kind: "externalResource";
             id: string;
         };
-        kind: "approval" | "triggers" | "uses";
+        kind: "triggers" | "uses" | "approval";
         to: {
             kind: "system";
             id: string;
@@ -3672,7 +3672,6 @@ declare function scaffoldOrganizationModel(model: OrganizationModel, spec: OmSca
 declare const LinkSchema: z.ZodObject<{
     nodeId: z.ZodString;
     kind: z.ZodEnum<{
-        approval: "approval";
         affects: "affects";
         actions: "actions";
         effects: "effects";
@@ -3682,6 +3681,7 @@ declare const LinkSchema: z.ZodObject<{
         emits: "emits";
         triggers: "triggers";
         uses: "uses";
+        approval: "approval";
         contains: "contains";
         references: "references";
         maps_to: "maps_to";
@@ -4528,9 +4528,9 @@ declare const OrganizationModelSchema: z.ZodObject<{
                 id: z.ZodString;
             }, z.core.$strip>], "kind">;
             kind: z.ZodEnum<{
-                approval: "approval";
                 triggers: "triggers";
                 uses: "uses";
+                approval: "approval";
             }>;
             to: z.ZodDiscriminatedUnion<[z.ZodObject<{
                 kind: z.ZodLiteral<"system">;

package/dist/test-utils/index.d.ts

@@ -2786,6 +2786,7 @@ type Database = {
                     title: string | null;
                     updated_at: string;
                     user_id: string;
+                    visibility: string;
                 };
                 Insert: {
                     content: string;
@@ -2800,6 +2801,7 @@ type Database = {
                     title?: string | null;
                     updated_at?: string;
                     user_id: string;
+                    visibility?: string;
                 };
                 Update: {
                     content?: string;
@@ -2814,6 +2816,7 @@ type Database = {
                     title?: string | null;
                     updated_at?: string;
                     user_id?: string;
+                    visibility?: string;
                 };
                 Relationships: [
                     {
@@ -2982,6 +2985,12 @@ type Database = {
                 Args: never;
                 Returns: boolean;
             };
+            current_user_shares_org_with: {
+                Args: {
+                    other_user_id: string;
+                };
+                Returns: boolean;
+            };
             current_user_supabase_id: {
                 Args: never;
                 Returns: string;
@@ -3021,6 +3030,20 @@ type Database = {
                 Args: never;
                 Returns: string;
             };
+            has_org_access: {
+                Args: {
+                    action?: string;
+                    org_id: string;
+                    system_path: string;
+                };
+                Returns: boolean;
+            } | {
+                Args: {
+                    action?: string;
+                    system_path: string;
+                };
+                Returns: boolean;
+            };
             has_org_permission: {
                 Args: {
                     org_id: string;
@@ -4398,9 +4421,9 @@ declare const OrganizationModelSchema: z.ZodObject<{
                 id: z.ZodString;
             }, z.core.$strip>], "kind">;
             kind: z.ZodEnum<{
-                approval: "approval";
                 triggers: "triggers";
                 uses: "uses";
+                approval: "approval";
             }>;
             to: z.ZodDiscriminatedUnion<[z.ZodObject<{
                 kind: z.ZodLiteral<"system">;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@elevasis/core",
-  "version": "0.28.0",
+  "version": "0.30.0",
   "license": "MIT",
   "description": "Minimal shared constants across Elevasis monorepo",
   "sideEffects": false,
@@ -16,6 +16,10 @@
       "types": "./dist/index.d.ts",
       "import": "./dist/index.js"
     },
+    "./auth": {
+      "types": "./dist/auth/index.d.ts",
+      "import": "./dist/auth/index.js"
+    },
     "./test-utils": {
       "types": "./dist/test-utils/index.d.ts",
       "import": "./dist/test-utils/index.js"
@@ -41,8 +45,8 @@
     "rollup-plugin-dts": "^6.3.0",
     "tsup": "^8.0.0",
     "typescript": "5.9.2",
-    "@repo/typescript-config": "0.0.0",
-    "@repo/eslint-config": "0.0.0"
+    "@repo/eslint-config": "0.0.0",
+    "@repo/typescript-config": "0.0.0"
   },
   "dependencies": {
     "@anthropic-ai/sdk": "^0.62.0",

package/src/__tests__/publish.test.ts

@@ -13,12 +13,13 @@ const packageJson = JSON.parse(readFileSync(packageJsonPath, 'utf-8')) as {
 describe('core publish surface', () => {
   it('publishes the curated @elevasis/core organization-model wrapper', () => {
     expect(packageJson.publishConfig?.name).toBe('@elevasis/core')
-    expect(Object.keys(packageJson.publishConfig?.exports ?? {})).toEqual([
-      '.',
-      './test-utils',
-      './organization-model',
-      './entities',
-      './knowledge'
-    ])
+    expect(Object.keys(packageJson.publishConfig?.exports ?? {})).toEqual([
+      '.',
+      './auth',
+      './test-utils',
+      './organization-model',
+      './entities',
+      './knowledge'
+    ])
   })
 })

package/src/auth/__tests__/access-key-coverage.test.ts

@@ -0,0 +1,42 @@
+import { describe, expect, it } from 'vitest'
+
+import { AccessKeys, deriveAccessKeyCatalog, findAccessCatalogEntry, normalizeAccessKey } from '../access-keys'
+import { accessTestOrganizationModel } from './access-test-fixtures'
+import { scanAccessKeyUsages } from './access-key-scan'
+
+const INTENTIONALLY_UNCONSUMED_ACCESS_KEYS = new Set([
+  'secretsManage',
+  'operationsManage',
+  'acquisitionManage',
+  'projectsManage',
+  'clientsManage',
+  'operationsRecentExecutions'
+])
+
+describe('access key coverage', () => {
+  it('keeps every runtime consumer key present in the catalog', () => {
+    const catalog = deriveAccessKeyCatalog(accessTestOrganizationModel)
+    const usages = scanAccessKeyUsages()
+    const consumerKeys = [
+      ...usages.stringLiterals.map((usage) => ({ file: usage.file, key: normalizeAccessKey(usage.key) })),
+      ...usages.accessKeySymbols.map((usage) => ({
+        file: usage.file,
+        key: AccessKeys[usage.symbol as keyof typeof AccessKeys]
+      }))
+    ]
+
+    const missingCatalogEntries = consumerKeys
+      .filter((usage) => findAccessCatalogEntry(catalog, usage.key) === undefined)
+      .map((usage) => `${usage.file}: ${usage.key.systemPath}:${usage.key.action}`)
+
+    expect(missingCatalogEntries).toEqual([])
+  })
+
+  it('keeps exported static AccessKeys either consumed or explicitly reserved', () => {
+    const usages = scanAccessKeyUsages()
+    const consumedSymbols = new Set(usages.accessKeySymbols.map((usage) => usage.symbol))
+    const unconsumedSymbols = Object.keys(AccessKeys).filter((symbol) => !consumedSymbols.has(symbol))
+
+    expect(unconsumedSymbols).toEqual([...INTENTIONALLY_UNCONSUMED_ACCESS_KEYS])
+  })
+})

package/src/auth/__tests__/access-key-scan.ts

@@ -0,0 +1,117 @@
+import { existsSync, readdirSync, readFileSync } from 'node:fs'
+import { dirname, join, relative } from 'node:path'
+import { fileURLToPath } from 'node:url'
+
+import type { AccessKeyInput } from '../access-keys'
+
+export interface AccessKeyUsage {
+  file: string
+  key: AccessKeyInput
+}
+
+export interface AccessKeySymbolUsage {
+  file: string
+  symbol: string
+}
+
+const repoRoot = findRepoRoot(dirname(fileURLToPath(import.meta.url)))
+
+const RUNTIME_SOURCE_ROOTS = [
+  join(repoRoot, 'apps', 'command-center', 'src'),
+  join(repoRoot, 'packages', 'ui', 'src'),
+  join(repoRoot, 'apps', 'api', 'src'),
+  join(repoRoot, 'external', '_template', 'ui', 'src')
+]
+
+const STRING_LITERAL_PATTERNS = [
+  /<AccessGuard\b[\s\S]*?\baccessKey\s*=\s*["']([^"']+)["']/g,
+  /<AccessGuard\b[\s\S]*?\baccessKey\s*=\s*\{\s*["']([^"']+)["']\s*\}/g,
+  /\buseAccess\(\s*["']([^"']+)["']\s*\)/g,
+  /\brequireAccess\(\s*["']([^"']+)["']\s*[,)]/g
+]
+
+const ACCESS_KEYS_PATTERN = /\bAccessKeys\.([A-Za-z_$][A-Za-z0-9_$]*)\b/g
+
+function findRepoRoot(startDirectory: string): string {
+  let current = startDirectory
+
+  while (current !== dirname(current)) {
+    if (existsSync(join(current, 'pnpm-workspace.yaml'))) return current
+    current = dirname(current)
+  }
+
+  throw new Error('Could not find monorepo root from access-key scan test')
+}
+
+function isRuntimeSourceFile(file: string): boolean {
+  if (!/\.(ts|tsx)$/.test(file)) return false
+  if (file.includes(`${join('', '__tests__').slice(1)}`)) return false
+  if (file.includes('__tests__')) return false
+  if (/\.(test|spec)\.(ts|tsx)$/.test(file)) return false
+  return !file.endsWith('routeTree.gen.ts')
+}
+
+function listRuntimeSourceFiles(directory: string): string[] {
+  if (!existsSync(directory)) return []
+
+  const entries = readdirSync(directory, { withFileTypes: true })
+  const files: string[] = []
+
+  for (const entry of entries) {
+    const entryPath = join(directory, entry.name)
+
+    if (entry.isDirectory()) {
+      if (['node_modules', 'dist', '.next', 'coverage'].includes(entry.name)) continue
+      files.push(...listRuntimeSourceFiles(entryPath))
+      continue
+    }
+
+    if (isRuntimeSourceFile(entryPath)) files.push(entryPath)
+  }
+
+  return files
+}
+
+function relativePath(file: string): string {
+  return relative(repoRoot, file).replaceAll('\\', '/')
+}
+
+function collectMatches<T>(
+  content: string,
+  pattern: RegExp,
+  build: (match: RegExpExecArray) => T
+): T[] {
+  const matches: T[] = []
+  pattern.lastIndex = 0
+
+  for (let match = pattern.exec(content); match !== null; match = pattern.exec(content)) {
+    matches.push(build(match))
+  }
+
+  return matches
+}
+
+export function scanAccessKeyUsages(): {
+  stringLiterals: AccessKeyUsage[]
+  accessKeySymbols: AccessKeySymbolUsage[]
+} {
+  const stringLiterals: AccessKeyUsage[] = []
+  const accessKeySymbols: AccessKeySymbolUsage[] = []
+
+  for (const sourceRoot of RUNTIME_SOURCE_ROOTS) {
+    for (const file of listRuntimeSourceFiles(sourceRoot)) {
+      const content = readFileSync(file, 'utf8')
+      const path = relativePath(file)
+
+      for (const pattern of STRING_LITERAL_PATTERNS) {
+        stringLiterals.push(...collectMatches(content, pattern, (match) => ({ file: path, key: match[1] })))
+      }
+
+      accessKeySymbols.push(
+        ...collectMatches(content, ACCESS_KEYS_PATTERN, (match) => ({ file: path, symbol: match[1] }))
+      )
+    }
+  }
+
+  return { stringLiterals, accessKeySymbols }
+}

package/src/auth/__tests__/access-keys.test.ts

@@ -0,0 +1,81 @@
+import { describe, expect, it } from 'vitest'
+import {
+  AccessKeys,
+  DIAGNOSTIC_VIEW_ACCESS_KEYS,
+  PLATFORM_ADMIN_ACCESS_KEY,
+  deriveAccessKeyCatalog,
+  findAccessCatalogEntry,
+  listAccessKeys,
+  normalizeAccessKey
+} from '../access-keys'
+import type { OrganizationModel } from '../../organization-model/types'
+
+const model = {
+  systems: {
+    sales: {
+      id: 'sales',
+      label: 'Sales',
+      lifecycle: 'active',
+      order: 10,
+      systems: {
+        crm: {
+          id: 'crm',
+          label: 'CRM',
+          lifecycle: 'active',
+          order: 10
+        }
+      }
+    },
+    operations: {
+      id: 'operations',
+      label: 'Operations',
+      lifecycle: 'active',
+      order: 20
+    }
+  }
+} as OrganizationModel
+
+describe('access keys', () => {
+  it('normalizes string shorthand to view access keys', () => {
+    expect(normalizeAccessKey('sales.crm')).toEqual({ systemPath: 'sales.crm', action: 'view' })
+    expect(normalizeAccessKey({ systemPath: 'sales.crm' })).toEqual({ systemPath: 'sales.crm', action: 'view' })
+  })
+
+  it('normalizes platformAdmin string shorthand to the platform special-case key', () => {
+    expect(normalizeAccessKey('platformAdmin')).toEqual(AccessKeys.platformAdmin)
+    expect(normalizeAccessKey('platformAdmin').systemPath).toBe(PLATFORM_ADMIN_ACCESS_KEY)
+  })
+
+  it('derives view and manage access keys from nested Organization Model systems', () => {
+    const catalog = deriveAccessKeyCatalog(model)
+    const keys = listAccessKeys(catalog)
+
+    expect(keys).toContainEqual({ systemPath: 'sales', action: 'view' })
+    expect(keys).toContainEqual({ systemPath: 'sales.crm', action: 'view' })
+    expect(keys).toContainEqual({ systemPath: 'sales.crm', action: 'manage' })
+    expect(keys).toContainEqual({ systemPath: 'operations', action: 'manage' })
+  })
+
+  it('includes diagnostic allowlist keys and platformAdmin in the catalog', () => {
+    const catalog = deriveAccessKeyCatalog(model)
+
+    for (const systemPath of DIAGNOSTIC_VIEW_ACCESS_KEYS) {
+      expect(findAccessCatalogEntry(catalog, { systemPath, action: 'view' })?.source).toBe('diagnostic')
+    }
+
+    expect(findAccessCatalogEntry(catalog, AccessKeys.platformAdmin)?.source).toBe('platform')
+  })
+
+  it('includes permission-only access keys with their legacy role-permission mapping', () => {
+    const catalog = deriveAccessKeyCatalog(model)
+
+    expect(findAccessCatalogEntry(catalog, AccessKeys.organizationManage)).toMatchObject({
+      source: 'permission',
+      rolePermission: 'org.manage'
+    })
+    expect(findAccessCatalogEntry(catalog, AccessKeys.membersManage)).toMatchObject({
+      source: 'permission',
+      rolePermission: 'members.manage'
+    })
+  })
+})