@elevasis/core 0.8.0 → 0.8.2

package/dist/test-utils/index.js

@@ -0,0 +1,386 @@
+import { createClient } from '@supabase/supabase-js';
+import jwt from 'jsonwebtoken';
+
+// src/test-utils/rls/RLSTestContext.ts
+var RLSTestContext = class {
+  adminClient;
+  testPrefix;
+  createdIds;
+  constructor() {
+    if (!process.env.SUPABASE_URL) {
+      throw new Error("SUPABASE_URL not configured in .env.development");
+    }
+    if (!process.env.SUPABASE_SERVICE_KEY) {
+      throw new Error("SUPABASE_SERVICE_KEY not configured in .env.development");
+    }
+    if (!process.env.SUPABASE_JWT_SECRET) {
+      throw new Error("SUPABASE_JWT_SECRET not configured in .env.development");
+    }
+    this.adminClient = createClient(process.env.SUPABASE_URL, process.env.SUPABASE_SERVICE_KEY);
+    this.testPrefix = `test_${Date.now()}_${Math.random().toString(36).substring(7)}`;
+    this.createdIds = {
+      users: [],
+      organizations: [],
+      memberships: [],
+      apiKeys: [],
+      invitations: [],
+      taskSchedules: [],
+      commandQueue: [],
+      sessions: [],
+      sessionMessages: [],
+      executionLogs: [],
+      executionMetrics: [],
+      notifications: [],
+      credentials: [],
+      activities: []
+    };
+  }
+  /**
+   * Create a test organization
+   */
+  async createOrganization(name) {
+    const workosOrgId = `org_${this.testPrefix}_${Math.random().toString(36).substring(7)}`;
+    const { data, error } = await this.adminClient.from("organizations").insert({
+      workos_org_id: workosOrgId,
+      name: `${this.testPrefix}_${name}`,
+      is_test: true
+    }).select().single();
+    if (error) {
+      throw new Error(`Failed to create organization: ${error.message}`);
+    }
+    this.createdIds.organizations.push(data.id);
+    return data;
+  }
+  /**
+   * Create a test user with a WorkOS user ID
+   */
+  async createUser(email, isPlatformAdmin = false) {
+    const workosUserId = `user_${this.testPrefix}_${Math.random().toString(36).substring(7)}`;
+    const { data, error } = await this.adminClient.from("users").insert({
+      workos_user_id: workosUserId,
+      email: `${this.testPrefix}_${email}`,
+      first_name: "Test",
+      last_name: "User",
+      is_platform_admin: isPlatformAdmin
+    }).select("*").single();
+    if (error) {
+      throw new Error(`Failed to create user: ${error.message}`);
+    }
+    this.createdIds.users.push(data.id);
+    return {
+      id: data.id,
+      workos_user_id: workosUserId,
+      email: data.email,
+      is_platform_admin: data.is_platform_admin ?? false
+    };
+  }
+  /**
+   * Create a pre-provisioned test user (without WorkOS user ID)
+   * Used for testing invitation flows where users are created before they sign up
+   */
+  async createPreProvisionedUser(email, isPlatformAdmin = false) {
+    const { data, error } = await this.adminClient.from("users").insert({
+      workos_user_id: null,
+      // Key difference: NULL for pre-provisioned
+      email: `${this.testPrefix}_${email}`,
+      first_name: "Test",
+      last_name: "PreProvisioned",
+      is_platform_admin: isPlatformAdmin
+    }).select("*").single();
+    if (error) {
+      throw new Error(`Failed to create pre-provisioned user: ${error.message}`);
+    }
+    this.createdIds.users.push(data.id);
+    return {
+      id: data.id,
+      email: data.email,
+      is_platform_admin: data.is_platform_admin ?? false
+    };
+  }
+  /**
+   * Create an organization membership
+   */
+  async createMembership(userId, organizationId, role) {
+    const workosMembershipId = `om_${this.testPrefix}_${Math.random().toString(36).substring(7)}`;
+    const { data, error } = await this.adminClient.from("org_memberships").insert({
+      user_id: userId,
+      organization_id: organizationId,
+      workos_membership_id: workosMembershipId,
+      role_slug: role,
+      membership_status: "active"
+    }).select().single();
+    if (error) {
+      throw new Error(`Failed to create membership: ${error.message}`);
+    }
+    this.createdIds.memberships.push(data.id);
+    return {
+      id: data.id,
+      user_id: data.user_id,
+      organization_id: data.organization_id,
+      role_slug: data.role_slug
+    };
+  }
+  /**
+   * Create a pre-provisioned organization membership (without WorkOS membership ID)
+   * Used for testing invitation flows where memberships are created before user accepts
+   */
+  async createPreProvisionedMembership(userId, organizationId, role) {
+    const { data, error } = await this.adminClient.from("org_memberships").insert({
+      user_id: userId,
+      organization_id: organizationId,
+      workos_membership_id: null,
+      // Key difference: NULL for pre-provisioned
+      role_slug: role,
+      membership_status: "active"
+      // Pre-provisioned memberships are active from creation
+    }).select().single();
+    if (error) {
+      throw new Error(`Failed to create pre-provisioned membership: ${error.message}`);
+    }
+    this.createdIds.memberships.push(data.id);
+    return {
+      id: data.id,
+      user_id: data.user_id,
+      organization_id: data.organization_id,
+      role_slug: data.role_slug
+    };
+  }
+  /**
+   * Generate a JWT token for a test user
+   * Uses Supabase JWT secret so auth.jwt() in RLS policies can decode it
+   */
+  generateJWT(workosUserId, email) {
+    if (!process.env.SUPABASE_JWT_SECRET) {
+      throw new Error("SUPABASE_JWT_SECRET not configured");
+    }
+    const payload = {
+      sub: workosUserId,
+      // Supabase RLS policies use auth.jwt() ->> 'sub'
+      aud: "authenticated",
+      role: "authenticated",
+      iat: Math.floor(Date.now() / 1e3),
+      exp: Math.floor(Date.now() / 1e3) + 60 * 60,
+      // 1 hour expiry
+      ...email && { email }
+      // Add email claim if provided (for pre-provisioned user RLS)
+    };
+    return jwt.sign(payload, process.env.SUPABASE_JWT_SECRET, {
+      algorithm: "HS256"
+    });
+  }
+  /**
+   * Create a Supabase client for a specific user (respects RLS)
+   * This client will have the user's JWT token, so RLS policies will apply
+   */
+  createUserClient(workosUserId) {
+    if (!process.env.SUPABASE_URL || !process.env.SUPABASE_ANON_KEY) {
+      throw new Error("Test environment not configured");
+    }
+    const token = this.generateJWT(workosUserId);
+    const client = createClient(process.env.SUPABASE_URL, process.env.SUPABASE_ANON_KEY, {
+      global: {
+        headers: {
+          Authorization: `Bearer ${token}`
+        }
+      }
+    });
+    return client;
+  }
+  /**
+   * Create a Supabase client for a pre-provisioned user (respects RLS)
+   * Uses a dummy workos_user_id but includes the email claim for RLS matching
+   * The email claim is what matters for pre-provisioned user RLS policies
+   */
+  createPreProvisionedUserClient(email) {
+    if (!process.env.SUPABASE_URL || !process.env.SUPABASE_ANON_KEY) {
+      throw new Error("Test environment not configured");
+    }
+    const dummyWorkosUserId = `preprov_${this.testPrefix}_${Math.random().toString(36).substring(7)}`;
+    const token = this.generateJWT(dummyWorkosUserId, email);
+    const client = createClient(process.env.SUPABASE_URL, process.env.SUPABASE_ANON_KEY, {
+      global: {
+        headers: {
+          Authorization: `Bearer ${token}`
+        }
+      }
+    });
+    return client;
+  }
+  /** Create an organization with an admin user and authenticated client. */
+  async createOrgWithAdmin(name, email) {
+    const org = await this.createOrganization(name);
+    const user = await this.createUser(email, false);
+    const membership = await this.createMembership(user.id, org.id, "admin");
+    const client = this.createUserClient(user.workos_user_id);
+    return { org, user, membership, client };
+  }
+  /** Create two isolated organizations with admin users for cross-org isolation tests. */
+  async createCrossOrgFixture(nameA = "OrgA", nameB = "OrgB") {
+    const orgA = await this.createOrganization(nameA);
+    const orgB = await this.createOrganization(nameB);
+    const userA = await this.createUser(`${nameA.toLowerCase()}Admin@test.com`, false);
+    const userB = await this.createUser(`${nameB.toLowerCase()}Admin@test.com`, false);
+    const membershipA = await this.createMembership(userA.id, orgA.id, "admin");
+    const membershipB = await this.createMembership(userB.id, orgB.id, "admin");
+    const clientA = this.createUserClient(userA.workos_user_id);
+    const clientB = this.createUserClient(userB.workos_user_id);
+    return { orgA, orgB, userA, userB, membershipA, membershipB, clientA, clientB };
+  }
+  /**
+   * Clean up all test data created during the test run
+   * Called in afterAll() to prevent test pollution
+   *
+   * Cleanup order respects foreign key dependencies (child tables before parent tables):
+   *
+   * Level 1 (Deepest dependencies):
+   * - execution_metrics (FK: execution_logs)
+   * - session_messages (FK: sessions)
+   *
+   * Level 2 (Mid-level dependencies):
+   * - execution_logs (FK: sessions, users)
+   * - task_schedules (FK: organizations)
+   * - command_queue (FK: organizations, users)
+   * - notifications (FK: organizations, users)
+   * - credentials (FK: organizations, users)
+   * - sessions (FK: organizations, users)
+   * - activities (FK: organizations)
+   *
+   * Level 3 (Organization/User dependencies):
+   * - invitations (FK: organizations, users)
+   * - api_keys (FK: organizations)
+   * - memberships (FK: organizations, users)
+   *
+   * Level 4 (Base tables):
+   * - users
+   * - organizations
+   */
+  async cleanup() {
+    const errors = [];
+    if (this.createdIds.executionMetrics.length > 0) {
+      const { error } = await this.adminClient.from("execution_metrics").delete().in("execution_id", this.createdIds.executionMetrics);
+      if (error) {
+        errors.push(`Failed to delete execution_metrics: ${error.message}`);
+      }
+    }
+    if (this.createdIds.sessionMessages.length > 0) {
+      const { error } = await this.adminClient.from("session_messages").delete().in("id", this.createdIds.sessionMessages);
+      if (error) {
+        errors.push(`Failed to delete session_messages: ${error.message}`);
+      }
+    }
+    if (this.createdIds.executionLogs.length > 0) {
+      const { error } = await this.adminClient.from("execution_logs").delete().in("execution_id", this.createdIds.executionLogs);
+      if (error) {
+        errors.push(`Failed to delete execution_logs: ${error.message}`);
+      }
+    }
+    if (this.createdIds.taskSchedules.length > 0) {
+      const { error } = await this.adminClient.from("task_schedules").delete().in("id", this.createdIds.taskSchedules);
+      if (error) {
+        errors.push(`Failed to delete task_schedules: ${error.message}`);
+      }
+    }
+    if (this.createdIds.commandQueue.length > 0) {
+      const { error } = await this.adminClient.from("command_queue").delete().in("id", this.createdIds.commandQueue);
+      if (error) {
+        errors.push(`Failed to delete command_queue: ${error.message}`);
+      }
+    }
+    if (this.createdIds.notifications.length > 0) {
+      const { error } = await this.adminClient.from("notifications").delete().in("id", this.createdIds.notifications);
+      if (error) {
+        errors.push(`Failed to delete notifications: ${error.message}`);
+      }
+    }
+    if (this.createdIds.credentials.length > 0) {
+      const { error } = await this.adminClient.from("credentials").delete().in("id", this.createdIds.credentials);
+      if (error) {
+        errors.push(`Failed to delete credentials: ${error.message}`);
+      }
+    }
+    if (this.createdIds.sessions.length > 0) {
+      const { error } = await this.adminClient.from("sessions").delete().in("session_id", this.createdIds.sessions);
+      if (error) {
+        errors.push(`Failed to delete sessions: ${error.message}`);
+      }
+    }
+    if (this.createdIds.activities.length > 0) {
+      const { error } = await this.adminClient.from("activities").delete().in("id", this.createdIds.activities);
+      if (error) {
+        errors.push(`Failed to delete activities: ${error.message}`);
+      }
+    }
+    if (this.createdIds.invitations.length > 0) {
+      const { error } = await this.adminClient.from("org_invitations").delete().in("id", this.createdIds.invitations);
+      if (error) {
+        errors.push(`Failed to delete invitations: ${error.message}`);
+      }
+    }
+    if (this.createdIds.apiKeys.length > 0) {
+      const { error } = await this.adminClient.from("api_keys").delete().in("id", this.createdIds.apiKeys);
+      if (error) {
+        errors.push(`Failed to delete API keys: ${error.message}`);
+      }
+    }
+    if (this.createdIds.memberships.length > 0) {
+      const { error } = await this.adminClient.from("org_memberships").delete().in("id", this.createdIds.memberships);
+      if (error) {
+        errors.push(`Failed to delete memberships: ${error.message}`);
+      }
+    }
+    if (this.createdIds.users.length > 0) {
+      const { error } = await this.adminClient.from("users").delete().in("id", this.createdIds.users);
+      if (error) {
+        errors.push(`Failed to delete users: ${error.message}`);
+      }
+    }
+    if (this.createdIds.organizations.length > 0) {
+      const { error } = await this.adminClient.from("organizations").delete().in("id", this.createdIds.organizations);
+      if (error) {
+        errors.push(`Failed to delete organizations: ${error.message}`);
+      }
+    }
+    if (errors.length > 0) {
+      console.warn("\n\u26A0\uFE0F  Cleanup warnings:", errors.join("\n"));
+    }
+  }
+};
+
+// src/test-utils/browser-mocks.ts
+function setupMatchMedia() {
+  const win = globalThis.window;
+  if (typeof win === "undefined") return;
+  Object.defineProperty(win, "matchMedia", {
+    writable: true,
+    value: (query) => ({
+      matches: false,
+      media: query,
+      onchange: null,
+      addListener: () => {
+      },
+      removeListener: () => {
+      },
+      addEventListener: () => {
+      },
+      removeEventListener: () => {
+      },
+      dispatchEvent: () => true
+    })
+  });
+}
+function setupResizeObserver() {
+  globalThis.ResizeObserver = class ResizeObserver {
+    observe() {
+    }
+    unobserve() {
+    }
+    disconnect() {
+    }
+  };
+}
+function setupBrowserMocks() {
+  setupMatchMedia();
+  setupResizeObserver();
+}
+
+export { RLSTestContext, setupBrowserMocks, setupMatchMedia, setupResizeObserver };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@elevasis/core",
-  "version": "0.8.0",
+  "version": "0.8.2",
   "license": "MIT",
   "description": "Minimal shared constants across Elevasis monorepo",
   "sideEffects": false,
@@ -16,6 +16,10 @@
       "types": "./dist/index.d.ts",
       "import": "./dist/index.js"
     },
+    "./test-utils": {
+      "types": "./dist/test-utils/index.d.ts",
+      "import": "./dist/test-utils/index.js"
+    },
     "./organization-model": {
       "types": "./dist/organization-model/index.d.ts",
       "import": "./dist/organization-model/index.js"
@@ -43,6 +47,7 @@
     "@googleapis/gmail": "^15.0.0",
     "@googleapis/sheets": "^12.0.0",
     "@sentry/node": "^8.55.0",
+    "@supabase/supabase-js": "^2.80.0",
     "@workos-inc/node": "^7.69.2",
     "croner": "^10.0.1",
     "date-fns-tz": "^3.2.0",

package/src/README.md

@@ -6,17 +6,20 @@ This package is the source of truth for shared types, schemas, and contract help
 
 ## Import Rules
 
-- Use `@elevasis/core` (root export) for browser-safe shared types and schemas.
-- Use `@elevasis/core/organization-model` for the semantic contract layer.
-- These are the only two subpaths available to external consumers of the published npm package.
-- Paths like `@elevasis/core/server`, `@elevasis/core/test-utils`, `@elevasis/core/platform`, etc. are internal monorepo paths (`@repo/core/...`) and are NOT available to external consumers.
+- Use `@elevasis/core` (root export) for browser-safe shared types and schemas.
+- Use `@elevasis/core/organization-model` for the semantic contract layer.
+- Use `@elevasis/core/entities` for the published base entity contracts.
+- Use `@elevasis/core/test-utils` for shared test fixtures, mocks, and test helpers.
+- Paths like `@elevasis/core/server` and `@elevasis/core/platform` are internal monorepo paths (`@repo/core/...`) and are NOT available to external consumers.
 
 ## Published Surface Groups
 
-The published `@elevasis/core` npm package exposes exactly two subpaths:
-
-- `.` (`@elevasis/core`) - browser-safe shared types, schemas, and constants.
-- `./organization-model` (`@elevasis/core/organization-model`) - the semantic contract layer for CRM, lead gen, delivery, features, branding, and navigation.
+The published `@elevasis/core` npm package exposes these subpaths:
+
+- `.` (`@elevasis/core`) - browser-safe shared types, schemas, and constants.
+- `./organization-model` (`@elevasis/core/organization-model`) - the semantic contract layer for CRM, lead gen, delivery, features, branding, and navigation.
+- `./entities` (`@elevasis/core/entities`) - published base entity contracts generic over project metadata extensions.
+- `./test-utils` (`@elevasis/core/test-utils`) - test fixtures, mocks, and helpers for downstream automated tests.
 
 Within the monorepo, the internal `@repo/core` package exposes additional subpaths for use by `apps/` and other packages:
 
@@ -30,9 +33,9 @@ Within the monorepo, the internal `@repo/core` package exposes additional subpat
 - `@repo/core/integrations/...` - OAuth and credential contracts.
 - `@repo/core/projects/api-schemas` - project management request and response schemas.
 - `@repo/core/content` - published content metadata types.
-- `@repo/core/test-utils` - test fixtures and mocks (internal use only).
-
-These `@repo/core/*` subpaths are NOT available in the published `@elevasis/core` package.
+- `@repo/core/test-utils` - source of the published test fixtures and mocks surface.
+
+Other `@repo/core/*` subpaths remain monorepo-only unless they are explicitly listed above in the published `@elevasis/core` surface.
 
 ## When To Read Deeper
 

package/src/__tests__/publish.test.ts

@@ -10,9 +10,14 @@ const packageJson = JSON.parse(readFileSync(packageJsonPath, 'utf-8')) as {
   }
 }
 
-describe('core publish surface', () => {
-  it('publishes the curated @elevasis/core organization-model wrapper', () => {
-    expect(packageJson.publishConfig?.name).toBe('@elevasis/core')
-    expect(Object.keys(packageJson.publishConfig?.exports ?? {})).toEqual(['.', './organization-model', './entities'])
-  })
-})
+describe('core publish surface', () => {
+  it('publishes the curated @elevasis/core organization-model wrapper', () => {
+    expect(packageJson.publishConfig?.name).toBe('@elevasis/core')
+    expect(Object.keys(packageJson.publishConfig?.exports ?? {})).toEqual([
+      '.',
+      './test-utils',
+      './organization-model',
+      './entities'
+    ])
+  })
+})

package/src/_gen/__tests__/__snapshots__/contracts.md.snap

@@ -1,4 +1,4 @@
-<!-- Auto-generated on 2026-04-21 by scripts/monorepo/generate-scaffold-contracts.js -->
+<!-- Auto-generated on YYYY-MM-DD by scripts/monorepo/generate-scaffold-contracts.js -->
 ---
 title: Reference Contracts
 description: Auto-generated TypeScript contracts for SDK consumers. Do not edit manually.

package/src/_gen/__tests__/scaffold-contracts.test.ts

@@ -9,16 +9,26 @@
  * if the output changes without an intentional snapshot update.
  */
 
-import { readFileSync } from 'node:fs'
-import { resolve } from 'node:path'
-import { describe, it, expect } from 'vitest'
+import { readFileSync } from 'node:fs'
+import { resolve } from 'node:path'
+import { describe, it, expect } from 'vitest'
 
 /** Monorepo root relative to packages/core/src/_gen/__tests__/ */
-const ROOT = resolve(import.meta.dirname, '..', '..', '..', '..', '..')
+const ROOT = resolve(import.meta.dirname, '..', '..', '..', '..', '..')
+
+const OUTPUT_PATH = resolve(ROOT, 'packages/core/src/reference/_generated/contracts.md')
+const SNAPSHOT_PATH = resolve(import.meta.dirname, '__snapshots__', 'contracts.md.snap')
+
+function normalizeSnapshotContent(content: string) {
+  return content
+    .replace(/\r\n/g, '\n')
+    .replace(
+      /<!-- Auto-generated on \d{4}-\d{2}-\d{2} by scripts\/monorepo\/generate-scaffold-contracts\.js -->/,
+      '<!-- Auto-generated on YYYY-MM-DD by scripts/monorepo/generate-scaffold-contracts.js -->'
+    )
+}
 
-const OUTPUT_PATH = resolve(ROOT, 'packages/core/src/reference/_generated/contracts.md')
-
-describe('scaffold-contracts generator', () => {
+describe('scaffold-contracts generator', () => {
   it('output file exists and has content', () => {
     // The generator must have been run (either manually or by CI gen step).
     // This test validates the committed artifact — it does NOT re-run the generator
@@ -36,18 +46,19 @@ describe('scaffold-contracts generator', () => {
     expect(content.length).toBeGreaterThan(0)
   })
 
-  it('output file matches stored snapshot', async () => {
-    let content: string
-    try {
-      content = readFileSync(OUTPUT_PATH, 'utf8')
+  it('output file matches stored snapshot', () => {
+    let content: string
+    try {
+      content = readFileSync(OUTPUT_PATH, 'utf8')
     } catch {
       throw new Error(
         `Generated file not found: ${OUTPUT_PATH}\n` +
-          `Run "pnpm scaffold:generate" first to produce the artifact before snapshotting.`
-      )
-    }
-
-    // Snapshot stored alongside test file in __snapshots__/
-    await expect(content).toMatchFileSnapshot(resolve(import.meta.dirname, '__snapshots__', 'contracts.md.snap'))
-  })
-})
+        `Run "pnpm scaffold:generate" first to produce the artifact before snapshotting.`
+      )
+    }
+
+    const snapshot = readFileSync(SNAPSHOT_PATH, 'utf8')
+
+    expect(normalizeSnapshotContent(content)).toBe(normalizeSnapshotContent(snapshot))
+  })
+})

package/src/reference/_generated/contracts.md

@@ -1,4 +1,4 @@
-<!-- Auto-generated on 2026-04-22 by scripts/monorepo/generate-scaffold-contracts.js -->
+<!-- Auto-generated on 2026-04-23 by scripts/monorepo/generate-scaffold-contracts.js -->
 ---
 title: Reference Contracts
 description: Auto-generated TypeScript contracts for SDK consumers. Do not edit manually.