@fideliosai/server 2026.331.0-canary.0

package/dist/secrets/local-encrypted-provider.js

@@ -0,0 +1,116 @@
+import { createCipheriv, createDecipheriv, createHash, randomBytes } from "node:crypto";
+import { mkdirSync, readFileSync, writeFileSync, existsSync, chmodSync } from "node:fs";
+import path from "node:path";
+import { badRequest } from "../errors.js";
+function resolveMasterKeyFilePath() {
+    const fromEnv = process.env.FIDELIOS_SECRETS_MASTER_KEY_FILE;
+    if (fromEnv && fromEnv.trim().length > 0)
+        return path.resolve(fromEnv.trim());
+    return path.resolve(process.cwd(), "data/secrets/master.key");
+}
+function decodeMasterKey(raw) {
+    const trimmed = raw.trim();
+    if (!trimmed)
+        return null;
+    if (/^[A-Fa-f0-9]{64}$/.test(trimmed)) {
+        return Buffer.from(trimmed, "hex");
+    }
+    try {
+        const decoded = Buffer.from(trimmed, "base64");
+        if (decoded.length === 32)
+            return decoded;
+    }
+    catch {
+        // ignored
+    }
+    if (Buffer.byteLength(trimmed, "utf8") === 32) {
+        return Buffer.from(trimmed, "utf8");
+    }
+    return null;
+}
+function loadOrCreateMasterKey() {
+    const envKeyRaw = process.env.FIDELIOS_SECRETS_MASTER_KEY;
+    if (envKeyRaw && envKeyRaw.trim().length > 0) {
+        const fromEnv = decodeMasterKey(envKeyRaw);
+        if (!fromEnv) {
+            throw badRequest("Invalid FIDELIOS_SECRETS_MASTER_KEY (expected 32-byte base64, 64-char hex, or raw 32-char string)");
+        }
+        return fromEnv;
+    }
+    const keyPath = resolveMasterKeyFilePath();
+    if (existsSync(keyPath)) {
+        const raw = readFileSync(keyPath, "utf8");
+        const decoded = decodeMasterKey(raw);
+        if (!decoded) {
+            throw badRequest(`Invalid secrets master key at ${keyPath}`);
+        }
+        return decoded;
+    }
+    const dir = path.dirname(keyPath);
+    mkdirSync(dir, { recursive: true });
+    const generated = randomBytes(32);
+    writeFileSync(keyPath, generated.toString("base64"), { encoding: "utf8", mode: 0o600 });
+    try {
+        chmodSync(keyPath, 0o600);
+    }
+    catch {
+        // best effort
+    }
+    return generated;
+}
+function sha256Hex(value) {
+    return createHash("sha256").update(value).digest("hex");
+}
+function encryptValue(masterKey, value) {
+    const iv = randomBytes(12);
+    const cipher = createCipheriv("aes-256-gcm", masterKey, iv);
+    const ciphertext = Buffer.concat([cipher.update(value, "utf8"), cipher.final()]);
+    const tag = cipher.getAuthTag();
+    return {
+        scheme: "local_encrypted_v1",
+        iv: iv.toString("base64"),
+        tag: tag.toString("base64"),
+        ciphertext: ciphertext.toString("base64"),
+    };
+}
+function decryptValue(masterKey, material) {
+    const iv = Buffer.from(material.iv, "base64");
+    const tag = Buffer.from(material.tag, "base64");
+    const ciphertext = Buffer.from(material.ciphertext, "base64");
+    const decipher = createDecipheriv("aes-256-gcm", masterKey, iv);
+    decipher.setAuthTag(tag);
+    const plain = Buffer.concat([decipher.update(ciphertext), decipher.final()]);
+    return plain.toString("utf8");
+}
+function asLocalEncryptedMaterial(value) {
+    if (value &&
+        typeof value === "object" &&
+        value.scheme === "local_encrypted_v1" &&
+        typeof value.iv === "string" &&
+        typeof value.tag === "string" &&
+        typeof value.ciphertext === "string") {
+        return value;
+    }
+    throw badRequest("Invalid local_encrypted secret material");
+}
+export const localEncryptedProvider = {
+    id: "local_encrypted",
+    descriptor: {
+        id: "local_encrypted",
+        label: "Local encrypted (default)",
+        requiresExternalRef: false,
+    },
+    async createVersion(input) {
+        const masterKey = loadOrCreateMasterKey();
+        return {
+            material: encryptValue(masterKey, input.value),
+            valueSha256: sha256Hex(input.value),
+            externalRef: null,
+        };
+    },
+    async resolveVersion(input) {
+        const masterKey = loadOrCreateMasterKey();
+        return decryptValue(masterKey, asLocalEncryptedMaterial(input.material));
+    },
+};
+//# sourceMappingURL=local-encrypted-provider.js.map

package/dist/secrets/local-encrypted-provider.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"local-encrypted-provider.js","sourceRoot":"","sources":["../../src/secrets/local-encrypted-provider.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,gBAAgB,EAAE,UAAU,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AACxF,OAAO,EAAE,SAAS,EAAE,YAAY,EAAE,aAAa,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,SAAS,CAAC;AACxF,OAAO,IAAI,MAAM,WAAW,CAAC;AAE7B,OAAO,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AAS1C,SAAS,wBAAwB;IAC/B,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,gCAAgC,CAAC;IAC7D,IAAI,OAAO,IAAI,OAAO,CAAC,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC;IAC9E,OAAO,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,yBAAyB,CAAC,CAAC;AAChE,CAAC;AAED,SAAS,eAAe,CAAC,GAAW;IAClC,MAAM,OAAO,GAAG,GAAG,CAAC,IAAI,EAAE,CAAC;IAC3B,IAAI,CAAC,OAAO;QAAE,OAAO,IAAI,CAAC;IAE1B,IAAI,mBAAmB,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;QACtC,OAAO,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;IACrC,CAAC;IAED,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;QAC/C,IAAI,OAAO,CAAC,MAAM,KAAK,EAAE;YAAE,OAAO,OAAO,CAAC;IAC5C,CAAC;IAAC,MAAM,CAAC;QACP,UAAU;IACZ,CAAC;IAED,IAAI,MAAM,CAAC,UAAU,CAAC,OAAO,EAAE,MAAM,CAAC,KAAK,EAAE,EAAE,CAAC;QAC9C,OAAO,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IACtC,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,qBAAqB;IAC5B,MAAM,SAAS,GAAG,OAAO,CAAC,GAAG,CAAC,2BAA2B,CAAC;IAC1D,IAAI,SAAS,IAAI,SAAS,CAAC,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC7C,MAAM,OAAO,GAAG,eAAe,CAAC,SAAS,CAAC,CAAC;QAC3C,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,MAAM,UAAU,CACd,mGAAmG,CACpG,CAAC;QACJ,CAAC;QACD,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,MAAM,OAAO,GAAG,wBAAwB,EAAE,CAAC;IAC3C,IAAI,UAAU,CAAC,OAAO,CAAC,EAAE,CAAC;QACxB,MAAM,GAAG,GAAG,YAAY,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QAC1C,MAAM,OAAO,GAAG,eAAe,CAAC,GAAG,CAAC,CAAC;QACrC,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,MAAM,UAAU,CAAC,iCAAiC,OAAO,EAAE,CAAC,CAAC;QAC/D,CAAC;QACD,OAAO,OAAO,CAAC;IACjB,CAAC;IAED,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;IAClC,SAAS,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;IACpC,MAAM,SAAS,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC;IAClC,aAAa,CAAC,OAAO,EAAE,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,EAAE,QAAQ,EAAE,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC;IACxF,IAAI,CAAC;QACH,SAAS,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;IAC5B,CAAC;IAAC,MAAM,CAAC;QACP,cAAc;IAChB,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,SAAS,SAAS,CAAC,KAAa;IAC9B,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AAC1D,CAAC;AAED,SAAS,YAAY,CAAC,SAAiB,EAAE,KAAa;IACpD,MAAM,EAAE,GAAG,WAAW,CAAC,EAAE,CAAC,CAAC;IAC3B,MAAM,MAAM,GAAG,cAAc,CAAC,aAAa,EAAE,SAAS,EAAE,EAAE,CAAC,CAAC;IAC5D,MAAM,UAAU,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,KAAK,EAAE,MAAM,CAAC,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;IACjF,MAAM,GAAG,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;IAChC,OAAO;QACL,MAAM,EAAE,oBAAoB;QAC5B,EAAE,EAAE,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC;QACzB,GAAG,EAAE,GAAG,CAAC,QAAQ,CAAC,QAAQ,CAAC;QAC3B,UAAU,EAAE,UAAU,CAAC,QAAQ,CAAC,QAAQ,CAAC;KAC1C,CAAC;AACJ,CAAC;AAED,SAAS,YAAY,CAAC,SAAiB,EAAE,QAAgC;IACvE,MAAM,EAAE,GAAG,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,QAAQ,CAAC,CAAC;IAC9C,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;IAChD,MAAM,UAAU,GAAG,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,UAAU,EAAE,QAAQ,CAAC,CAAC;IAC9D,MAAM,QAAQ,GAAG,gBAAgB,CAAC,aAAa,EAAE,SAAS,EAAE,EAAE,CAAC,CAAC;IAChE,QAAQ,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC;IACzB,MAAM,KAAK,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,UAAU,CAAC,EAAE,QAAQ,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;IAC7E,OAAO,KAAK,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;AAChC,CAAC;AAED,SAAS,wBAAwB,CAAC,KAAkC;IAClE,IACE,KAAK;QACL,OAAO,KAAK,KAAK,QAAQ;QACzB,KAAK,CAAC,MAAM,KAAK,oBAAoB;QACrC,OAAO,KAAK,CAAC,EAAE,KAAK,QAAQ;QAC5B,OAAO,KAAK,CAAC,GAAG,KAAK,QAAQ;QAC7B,OAAO,KAAK,CAAC,UAAU,KAAK,QAAQ,EACpC,CAAC;QACD,OAAO,KAA+B,CAAC;IACzC,CAAC;IACD,MAAM,UAAU,CAAC,yCAAyC,CAAC,CAAC;AAC9D,CAAC;AAED,MAAM,CAAC,MAAM,sBAAsB,GAAyB;IAC1D,EAAE,EAAE,iBAAiB;IACrB,UAAU,EAAE;QACV,EAAE,EAAE,iBAAiB;QACrB,KAAK,EAAE,2BAA2B;QAClC,mBAAmB,EAAE,KAAK;KAC3B;IACD,KAAK,CAAC,aAAa,CAAC,KAAK;QACvB,MAAM,SAAS,GAAG,qBAAqB,EAAE,CAAC;QAC1C,OAAO;YACL,QAAQ,EAAE,YAAY,CAAC,SAAS,EAAE,KAAK,CAAC,KAAK,CAAC;YAC9C,WAAW,EAAE,SAAS,CAAC,KAAK,CAAC,KAAK,CAAC;YACnC,WAAW,EAAE,IAAI;SAClB,CAAC;IACJ,CAAC;IACD,KAAK,CAAC,cAAc,CAAC,KAAK;QACxB,MAAM,SAAS,GAAG,qBAAqB,EAAE,CAAC;QAC1C,OAAO,YAAY,CAAC,SAAS,EAAE,wBAAwB,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC;IAC3E,CAAC;CACF,CAAC"}

package/dist/secrets/provider-registry.d.ts

@@ -0,0 +1,5 @@
+import type { SecretProvider, SecretProviderDescriptor } from "@fideliosai/shared";
+import type { SecretProviderModule } from "./types.js";
+export declare function getSecretProvider(id: SecretProvider): SecretProviderModule;
+export declare function listSecretProviders(): SecretProviderDescriptor[];
+//# sourceMappingURL=provider-registry.d.ts.map

package/dist/secrets/provider-registry.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"provider-registry.d.ts","sourceRoot":"","sources":["../../src/secrets/provider-registry.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,cAAc,EAAE,wBAAwB,EAAE,MAAM,oBAAoB,CAAC;AAOnF,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,YAAY,CAAC;AAcvD,wBAAgB,iBAAiB,CAAC,EAAE,EAAE,cAAc,GAAG,oBAAoB,CAI1E;AAED,wBAAgB,mBAAmB,IAAI,wBAAwB,EAAE,CAEhE"}

package/dist/secrets/provider-registry.js

@@ -0,0 +1,20 @@
+import { localEncryptedProvider } from "./local-encrypted-provider.js";
+import { awsSecretsManagerProvider, gcpSecretManagerProvider, vaultProvider, } from "./external-stub-providers.js";
+import { unprocessable } from "../errors.js";
+const providers = [
+    localEncryptedProvider,
+    awsSecretsManagerProvider,
+    gcpSecretManagerProvider,
+    vaultProvider,
+];
+const providerById = new Map(providers.map((provider) => [provider.id, provider]));
+export function getSecretProvider(id) {
+    const provider = providerById.get(id);
+    if (!provider)
+        throw unprocessable(`Unsupported secret provider: ${id}`);
+    return provider;
+}
+export function listSecretProviders() {
+    return providers.map((provider) => provider.descriptor);
+}
+//# sourceMappingURL=provider-registry.js.map

package/dist/secrets/provider-registry.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"provider-registry.js","sourceRoot":"","sources":["../../src/secrets/provider-registry.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,sBAAsB,EAAE,MAAM,+BAA+B,CAAC;AACvE,OAAO,EACL,yBAAyB,EACzB,wBAAwB,EACxB,aAAa,GACd,MAAM,8BAA8B,CAAC;AAEtC,OAAO,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AAE7C,MAAM,SAAS,GAA2B;IACxC,sBAAsB;IACtB,yBAAyB;IACzB,wBAAwB;IACxB,aAAa;CACd,CAAC;AAEF,MAAM,YAAY,GAAG,IAAI,GAAG,CAC1B,SAAS,CAAC,GAAG,CAAC,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC,QAAQ,CAAC,EAAE,EAAE,QAAQ,CAAC,CAAC,CACrD,CAAC;AAEF,MAAM,UAAU,iBAAiB,CAAC,EAAkB;IAClD,MAAM,QAAQ,GAAG,YAAY,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;IACtC,IAAI,CAAC,QAAQ;QAAE,MAAM,aAAa,CAAC,gCAAgC,EAAE,EAAE,CAAC,CAAC;IACzE,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,MAAM,UAAU,mBAAmB;IACjC,OAAO,SAAS,CAAC,GAAG,CAAC,CAAC,QAAQ,EAAE,EAAE,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC;AAC1D,CAAC"}

package/dist/secrets/types.d.ts

@@ -0,0 +1,21 @@
+import type { SecretProvider, SecretProviderDescriptor } from "@fideliosai/shared";
+export interface StoredSecretVersionMaterial {
+    [key: string]: unknown;
+}
+export interface SecretProviderModule {
+    id: SecretProvider;
+    descriptor: SecretProviderDescriptor;
+    createVersion(input: {
+        value: string;
+        externalRef: string | null;
+    }): Promise<{
+        material: StoredSecretVersionMaterial;
+        valueSha256: string;
+        externalRef: string | null;
+    }>;
+    resolveVersion(input: {
+        material: StoredSecretVersionMaterial;
+        externalRef: string | null;
+    }): Promise<string>;
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/secrets/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/secrets/types.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,cAAc,EAAE,wBAAwB,EAAE,MAAM,oBAAoB,CAAC;AAEnF,MAAM,WAAW,2BAA2B;IAC1C,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC;CACxB;AAED,MAAM,WAAW,oBAAoB;IACnC,EAAE,EAAE,cAAc,CAAC;IACnB,UAAU,EAAE,wBAAwB,CAAC;IACrC,aAAa,CAAC,KAAK,EAAE;QACnB,KAAK,EAAE,MAAM,CAAC;QACd,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;KAC5B,GAAG,OAAO,CAAC;QACV,QAAQ,EAAE,2BAA2B,CAAC;QACtC,WAAW,EAAE,MAAM,CAAC;QACpB,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;KAC5B,CAAC,CAAC;IACH,cAAc,CAAC,KAAK,EAAE;QACpB,QAAQ,EAAE,2BAA2B,CAAC;QACtC,WAAW,EAAE,MAAM,GAAG,IAAI,CAAC;KAC5B,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;CACrB"}

package/dist/secrets/types.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=types.js.map

package/dist/secrets/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/secrets/types.ts"],"names":[],"mappings":""}

package/dist/services/access.d.ts

@@ -0,0 +1,113 @@
+import type { Db } from "@fideliosai/db";
+import { companyMemberships } from "@fideliosai/db";
+import type { PermissionKey, PrincipalType } from "@fideliosai/shared";
+type MembershipRow = typeof companyMemberships.$inferSelect;
+type GrantInput = {
+    permissionKey: PermissionKey;
+    scope?: Record<string, unknown> | null;
+};
+export declare function accessService(db: Db): {
+    isInstanceAdmin: (userId: string | null | undefined) => Promise<boolean>;
+    canUser: (companyId: string, userId: string | null | undefined, permissionKey: PermissionKey) => Promise<boolean>;
+    hasPermission: (companyId: string, principalType: PrincipalType, principalId: string, permissionKey: PermissionKey) => Promise<boolean>;
+    getMembership: (companyId: string, principalType: PrincipalType, principalId: string) => Promise<MembershipRow | null>;
+    ensureMembership: (companyId: string, principalType: PrincipalType, principalId: string, membershipRole?: string | null, status?: "pending" | "active" | "suspended") => Promise<{
+        id: string;
+        status: string;
+        createdAt: Date;
+        updatedAt: Date;
+        companyId: string;
+        principalType: string;
+        principalId: string;
+        membershipRole: string | null;
+    }>;
+    listMembers: (companyId: string) => Promise<{
+        id: string;
+        status: string;
+        createdAt: Date;
+        updatedAt: Date;
+        companyId: string;
+        principalType: string;
+        principalId: string;
+        membershipRole: string | null;
+    }[]>;
+    listActiveUserMemberships: (companyId: string) => Promise<{
+        id: string;
+        status: string;
+        createdAt: Date;
+        updatedAt: Date;
+        companyId: string;
+        principalType: string;
+        principalId: string;
+        membershipRole: string | null;
+    }[]>;
+    copyActiveUserMemberships: (sourceCompanyId: string, targetCompanyId: string) => Promise<{
+        id: string;
+        status: string;
+        createdAt: Date;
+        updatedAt: Date;
+        companyId: string;
+        principalType: string;
+        principalId: string;
+        membershipRole: string | null;
+    }[]>;
+    setMemberPermissions: (companyId: string, memberId: string, grants: GrantInput[], grantedByUserId: string | null) => Promise<{
+        id: string;
+        status: string;
+        createdAt: Date;
+        updatedAt: Date;
+        companyId: string;
+        principalType: string;
+        principalId: string;
+        membershipRole: string | null;
+    } | null>;
+    promoteInstanceAdmin: (userId: string) => Promise<{
+        id: string;
+        createdAt: Date;
+        updatedAt: Date;
+        role: string;
+        userId: string;
+    }>;
+    demoteInstanceAdmin: (userId: string) => Promise<{
+        id: string;
+        createdAt: Date;
+        updatedAt: Date;
+        role: string;
+        userId: string;
+    }>;
+    listUserCompanyAccess: (userId: string) => Promise<{
+        id: string;
+        status: string;
+        createdAt: Date;
+        updatedAt: Date;
+        companyId: string;
+        principalType: string;
+        principalId: string;
+        membershipRole: string | null;
+    }[]>;
+    setUserCompanyAccess: (userId: string, companyIds: string[]) => Promise<{
+        id: string;
+        status: string;
+        createdAt: Date;
+        updatedAt: Date;
+        companyId: string;
+        principalType: string;
+        principalId: string;
+        membershipRole: string | null;
+    }[]>;
+    setPrincipalGrants: (companyId: string, principalType: PrincipalType, principalId: string, grants: GrantInput[], grantedByUserId: string | null) => Promise<void>;
+    listPrincipalGrants: (companyId: string, principalType: PrincipalType, principalId: string) => Promise<{
+        id: string;
+        createdAt: Date;
+        updatedAt: Date;
+        companyId: string;
+        scope: Record<string, unknown> | null;
+        principalType: string;
+        principalId: string;
+        permissionKey: string;
+        grantedByUserId: string | null;
+    }[]>;
+    setPrincipalPermission: (companyId: string, principalType: PrincipalType, principalId: string, permissionKey: PermissionKey, enabled: boolean, grantedByUserId: string | null, scope?: Record<string, unknown> | null) => Promise<void>;
+};
+export {};
+//# sourceMappingURL=access.d.ts.map

package/dist/services/access.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"access.d.ts","sourceRoot":"","sources":["../../src/services/access.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,EAAE,EAAE,MAAM,gBAAgB,CAAC;AACzC,OAAO,EACL,kBAAkB,EAGnB,MAAM,gBAAgB,CAAC;AACxB,OAAO,KAAK,EAAE,aAAa,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAC;AAEvE,KAAK,aAAa,GAAG,OAAO,kBAAkB,CAAC,YAAY,CAAC;AAC5D,KAAK,UAAU,GAAG;IAChB,aAAa,EAAE,aAAa,CAAC;IAC7B,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC;CACxC,CAAC;AAEF,wBAAgB,aAAa,CAAC,EAAE,EAAE,EAAE;8BACK,MAAM,GAAG,IAAI,GAAG,SAAS,KAAG,OAAO,CAAC,OAAO,CAAC;yBAoDtE,MAAM,UACT,MAAM,GAAG,IAAI,GAAG,SAAS,iBAClB,aAAa,KAC3B,OAAO,CAAC,OAAO,CAAC;+BA1BN,MAAM,iBACF,aAAa,eACf,MAAM,iBACJ,aAAa,KAC3B,OAAO,CAAC,OAAO,CAAC;+BAtBN,MAAM,iBACF,aAAa,eACf,MAAM,KAClB,OAAO,CAAC,aAAa,GAAG,IAAI,CAAC;kCA2KnB,MAAM,iBACF,aAAa,eACf,MAAM,mBACH,MAAM,GAAG,IAAI,WACrB,SAAS,GAAG,QAAQ,GAAG,WAAW;;;;;;;;;;6BAhIN,MAAM;;;;;;;;;;2CAQQ,MAAM;;;;;;;;;;iDAsLA,MAAM,mBAAmB,MAAM;;;;;;;;;;sCAvK5E,MAAM,YACP,MAAM,UACR,UAAU,EAAE,mBACH,MAAM,GAAG,IAAI;;;;;;;;;;mCAsCY,MAAM;;;;;;;kCAiBP,MAAM;;;;;;;oCAQJ,MAAM;;;;;;;;;;mCAQP,MAAM,cAAc,MAAM,EAAE;;;;;;;;;;oCA6D3D,MAAM,iBACF,aAAa,eACf,MAAM,UACX,UAAU,EAAE,mBACH,MAAM,GAAG,IAAI;qCA2CnB,MAAM,iBACF,aAAa,eACf,MAAM;;;;;;;;;;;wCAgBR,MAAM,iBACF,aAAa,eACf,MAAM,iBACJ,aAAa,WACnB,OAAO,mBACC,MAAM,GAAG,IAAI,UACvB,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI;EAyExC"}

package/dist/services/access.js

@@ -0,0 +1,247 @@
+import { and, eq, inArray, sql } from "drizzle-orm";
+import { companyMemberships, instanceUserRoles, principalPermissionGrants, } from "@fideliosai/db";
+export function accessService(db) {
+    async function isInstanceAdmin(userId) {
+        if (!userId)
+            return false;
+        const row = await db
+            .select({ id: instanceUserRoles.id })
+            .from(instanceUserRoles)
+            .where(and(eq(instanceUserRoles.userId, userId), eq(instanceUserRoles.role, "instance_admin")))
+            .then((rows) => rows[0] ?? null);
+        return Boolean(row);
+    }
+    async function getMembership(companyId, principalType, principalId) {
+        return db
+            .select()
+            .from(companyMemberships)
+            .where(and(eq(companyMemberships.companyId, companyId), eq(companyMemberships.principalType, principalType), eq(companyMemberships.principalId, principalId)))
+            .then((rows) => rows[0] ?? null);
+    }
+    async function hasPermission(companyId, principalType, principalId, permissionKey) {
+        const membership = await getMembership(companyId, principalType, principalId);
+        if (!membership || membership.status !== "active")
+            return false;
+        const grant = await db
+            .select({ id: principalPermissionGrants.id })
+            .from(principalPermissionGrants)
+            .where(and(eq(principalPermissionGrants.companyId, companyId), eq(principalPermissionGrants.principalType, principalType), eq(principalPermissionGrants.principalId, principalId), eq(principalPermissionGrants.permissionKey, permissionKey)))
+            .then((rows) => rows[0] ?? null);
+        return Boolean(grant);
+    }
+    async function canUser(companyId, userId, permissionKey) {
+        if (!userId)
+            return false;
+        if (await isInstanceAdmin(userId))
+            return true;
+        return hasPermission(companyId, "user", userId, permissionKey);
+    }
+    async function listMembers(companyId) {
+        return db
+            .select()
+            .from(companyMemberships)
+            .where(eq(companyMemberships.companyId, companyId))
+            .orderBy(sql `${companyMemberships.createdAt} desc`);
+    }
+    async function listActiveUserMemberships(companyId) {
+        return db
+            .select()
+            .from(companyMemberships)
+            .where(and(eq(companyMemberships.companyId, companyId), eq(companyMemberships.principalType, "user"), eq(companyMemberships.status, "active")))
+            .orderBy(sql `${companyMemberships.createdAt} asc`);
+    }
+    async function setMemberPermissions(companyId, memberId, grants, grantedByUserId) {
+        const member = await db
+            .select()
+            .from(companyMemberships)
+            .where(and(eq(companyMemberships.companyId, companyId), eq(companyMemberships.id, memberId)))
+            .then((rows) => rows[0] ?? null);
+        if (!member)
+            return null;
+        await db.transaction(async (tx) => {
+            await tx
+                .delete(principalPermissionGrants)
+                .where(and(eq(principalPermissionGrants.companyId, companyId), eq(principalPermissionGrants.principalType, member.principalType), eq(principalPermissionGrants.principalId, member.principalId)));
+            if (grants.length > 0) {
+                await tx.insert(principalPermissionGrants).values(grants.map((grant) => ({
+                    companyId,
+                    principalType: member.principalType,
+                    principalId: member.principalId,
+                    permissionKey: grant.permissionKey,
+                    scope: grant.scope ?? null,
+                    grantedByUserId,
+                    createdAt: new Date(),
+                    updatedAt: new Date(),
+                })));
+            }
+        });
+        return member;
+    }
+    async function promoteInstanceAdmin(userId) {
+        const existing = await db
+            .select()
+            .from(instanceUserRoles)
+            .where(and(eq(instanceUserRoles.userId, userId), eq(instanceUserRoles.role, "instance_admin")))
+            .then((rows) => rows[0] ?? null);
+        if (existing)
+            return existing;
+        return db
+            .insert(instanceUserRoles)
+            .values({
+            userId,
+            role: "instance_admin",
+        })
+            .returning()
+            .then((rows) => rows[0]);
+    }
+    async function demoteInstanceAdmin(userId) {
+        return db
+            .delete(instanceUserRoles)
+            .where(and(eq(instanceUserRoles.userId, userId), eq(instanceUserRoles.role, "instance_admin")))
+            .returning()
+            .then((rows) => rows[0] ?? null);
+    }
+    async function listUserCompanyAccess(userId) {
+        return db
+            .select()
+            .from(companyMemberships)
+            .where(and(eq(companyMemberships.principalType, "user"), eq(companyMemberships.principalId, userId)))
+            .orderBy(sql `${companyMemberships.createdAt} desc`);
+    }
+    async function setUserCompanyAccess(userId, companyIds) {
+        const existing = await listUserCompanyAccess(userId);
+        const existingByCompany = new Map(existing.map((row) => [row.companyId, row]));
+        const target = new Set(companyIds);
+        await db.transaction(async (tx) => {
+            const toDelete = existing.filter((row) => !target.has(row.companyId)).map((row) => row.id);
+            if (toDelete.length > 0) {
+                await tx.delete(companyMemberships).where(inArray(companyMemberships.id, toDelete));
+            }
+            for (const companyId of target) {
+                if (existingByCompany.has(companyId))
+                    continue;
+                await tx.insert(companyMemberships).values({
+                    companyId,
+                    principalType: "user",
+                    principalId: userId,
+                    status: "active",
+                    membershipRole: "member",
+                });
+            }
+        });
+        return listUserCompanyAccess(userId);
+    }
+    async function ensureMembership(companyId, principalType, principalId, membershipRole = "member", status = "active") {
+        const existing = await getMembership(companyId, principalType, principalId);
+        if (existing) {
+            if (existing.status !== status || existing.membershipRole !== membershipRole) {
+                const updated = await db
+                    .update(companyMemberships)
+                    .set({ status, membershipRole, updatedAt: new Date() })
+                    .where(eq(companyMemberships.id, existing.id))
+                    .returning()
+                    .then((rows) => rows[0] ?? null);
+                return updated ?? existing;
+            }
+            return existing;
+        }
+        return db
+            .insert(companyMemberships)
+            .values({
+            companyId,
+            principalType,
+            principalId,
+            status,
+            membershipRole,
+        })
+            .returning()
+            .then((rows) => rows[0]);
+    }
+    async function setPrincipalGrants(companyId, principalType, principalId, grants, grantedByUserId) {
+        await db.transaction(async (tx) => {
+            await tx
+                .delete(principalPermissionGrants)
+                .where(and(eq(principalPermissionGrants.companyId, companyId), eq(principalPermissionGrants.principalType, principalType), eq(principalPermissionGrants.principalId, principalId)));
+            if (grants.length === 0)
+                return;
+            await tx.insert(principalPermissionGrants).values(grants.map((grant) => ({
+                companyId,
+                principalType,
+                principalId,
+                permissionKey: grant.permissionKey,
+                scope: grant.scope ?? null,
+                grantedByUserId,
+                createdAt: new Date(),
+                updatedAt: new Date(),
+            })));
+        });
+    }
+    async function copyActiveUserMemberships(sourceCompanyId, targetCompanyId) {
+        const sourceMemberships = await listActiveUserMemberships(sourceCompanyId);
+        for (const membership of sourceMemberships) {
+            await ensureMembership(targetCompanyId, "user", membership.principalId, membership.membershipRole, "active");
+        }
+        return sourceMemberships;
+    }
+    async function listPrincipalGrants(companyId, principalType, principalId) {
+        return db
+            .select()
+            .from(principalPermissionGrants)
+            .where(and(eq(principalPermissionGrants.companyId, companyId), eq(principalPermissionGrants.principalType, principalType), eq(principalPermissionGrants.principalId, principalId)))
+            .orderBy(principalPermissionGrants.permissionKey);
+    }
+    async function setPrincipalPermission(companyId, principalType, principalId, permissionKey, enabled, grantedByUserId, scope = null) {
+        if (!enabled) {
+            await db
+                .delete(principalPermissionGrants)
+                .where(and(eq(principalPermissionGrants.companyId, companyId), eq(principalPermissionGrants.principalType, principalType), eq(principalPermissionGrants.principalId, principalId), eq(principalPermissionGrants.permissionKey, permissionKey)));
+            return;
+        }
+        await ensureMembership(companyId, principalType, principalId, "member", "active");
+        const existing = await db
+            .select()
+            .from(principalPermissionGrants)
+            .where(and(eq(principalPermissionGrants.companyId, companyId), eq(principalPermissionGrants.principalType, principalType), eq(principalPermissionGrants.principalId, principalId), eq(principalPermissionGrants.permissionKey, permissionKey)))
+            .then((rows) => rows[0] ?? null);
+        if (existing) {
+            await db
+                .update(principalPermissionGrants)
+                .set({
+                scope,
+                grantedByUserId,
+                updatedAt: new Date(),
+            })
+                .where(eq(principalPermissionGrants.id, existing.id));
+            return;
+        }
+        await db.insert(principalPermissionGrants).values({
+            companyId,
+            principalType,
+            principalId,
+            permissionKey,
+            scope,
+            grantedByUserId,
+            createdAt: new Date(),
+            updatedAt: new Date(),
+        });
+    }
+    return {
+        isInstanceAdmin,
+        canUser,
+        hasPermission,
+        getMembership,
+        ensureMembership,
+        listMembers,
+        listActiveUserMemberships,
+        copyActiveUserMemberships,
+        setMemberPermissions,
+        promoteInstanceAdmin,
+        demoteInstanceAdmin,
+        listUserCompanyAccess,
+        setUserCompanyAccess,
+        setPrincipalGrants,
+        listPrincipalGrants,
+        setPrincipalPermission,
+    };
+}
+//# sourceMappingURL=access.js.map

package/dist/services/access.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"access.js","sourceRoot":"","sources":["../../src/services/access.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,GAAG,EAAE,EAAE,EAAE,OAAO,EAAE,GAAG,EAAE,MAAM,aAAa,CAAC;AAEpD,OAAO,EACL,kBAAkB,EAClB,iBAAiB,EACjB,yBAAyB,GAC1B,MAAM,gBAAgB,CAAC;AASxB,MAAM,UAAU,aAAa,CAAC,EAAM;IAClC,KAAK,UAAU,eAAe,CAAC,MAAiC;QAC9D,IAAI,CAAC,MAAM;YAAE,OAAO,KAAK,CAAC;QAC1B,MAAM,GAAG,GAAG,MAAM,EAAE;aACjB,MAAM,CAAC,EAAE,EAAE,EAAE,iBAAiB,CAAC,EAAE,EAAE,CAAC;aACpC,IAAI,CAAC,iBAAiB,CAAC;aACvB,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC,iBAAiB,CAAC,MAAM,EAAE,MAAM,CAAC,EAAE,EAAE,CAAC,iBAAiB,CAAC,IAAI,EAAE,gBAAgB,CAAC,CAAC,CAAC;aAC9F,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC;QACnC,OAAO,OAAO,CAAC,GAAG,CAAC,CAAC;IACtB,CAAC;IAED,KAAK,UAAU,aAAa,CAC1B,SAAiB,EACjB,aAA4B,EAC5B,WAAmB;QAEnB,OAAO,EAAE;aACN,MAAM,EAAE;aACR,IAAI,CAAC,kBAAkB,CAAC;aACxB,KAAK,CACJ,GAAG,CACD,EAAE,CAAC,kBAAkB,CAAC,SAAS,EAAE,SAAS,CAAC,EAC3C,EAAE,CAAC,kBAAkB,CAAC,aAAa,EAAE,aAAa,CAAC,EACnD,EAAE,CAAC,kBAAkB,CAAC,WAAW,EAAE,WAAW,CAAC,CAChD,CACF;aACA,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC;IACrC,CAAC;IAED,KAAK,UAAU,aAAa,CAC1B,SAAiB,EACjB,aAA4B,EAC5B,WAAmB,EACnB,aAA4B;QAE5B,MAAM,UAAU,GAAG,MAAM,aAAa,CAAC,SAAS,EAAE,aAAa,EAAE,WAAW,CAAC,CAAC;QAC9E,IAAI,CAAC,UAAU,IAAI,UAAU,CAAC,MAAM,KAAK,QAAQ;YAAE,OAAO,KAAK,CAAC;QAChE,MAAM,KAAK,GAAG,MAAM,EAAE;aACnB,MAAM,CAAC,EAAE,EAAE,EAAE,yBAAyB,CAAC,EAAE,EAAE,CAAC;aAC5C,IAAI,CAAC,yBAAyB,CAAC;aAC/B,KAAK,CACJ,GAAG,CACD,EAAE,CAAC,yBAAyB,CAAC,SAAS,EAAE,SAAS,CAAC,EAClD,EAAE,CAAC,yBAAyB,CAAC,aAAa,EAAE,aAAa,CAAC,EAC1D,EAAE,CAAC,yBAAyB,CAAC,WAAW,EAAE,WAAW,CAAC,EACtD,EAAE,CAAC,yBAAyB,CAAC,aAAa,EAAE,aAAa,CAAC,CAC3D,CACF;aACA,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC;QACnC,OAAO,OAAO,CAAC,KAAK,CAAC,CAAC;IACxB,CAAC;IAED,KAAK,UAAU,OAAO,CACpB,SAAiB,EACjB,MAAiC,EACjC,aAA4B;QAE5B,IAAI,CAAC,MAAM;YAAE,OAAO,KAAK,CAAC;QAC1B,IAAI,MAAM,eAAe,CAAC,MAAM,CAAC;YAAE,OAAO,IAAI,CAAC;QAC/C,OAAO,aAAa,CAAC,SAAS,EAAE,MAAM,EAAE,MAAM,EAAE,aAAa,CAAC,CAAC;IACjE,CAAC;IAED,KAAK,UAAU,WAAW,CAAC,SAAiB;QAC1C,OAAO,EAAE;aACN,MAAM,EAAE;aACR,IAAI,CAAC,kBAAkB,CAAC;aACxB,KAAK,CAAC,EAAE,CAAC,kBAAkB,CAAC,SAAS,EAAE,SAAS,CAAC,CAAC;aAClD,OAAO,CAAC,GAAG,CAAA,GAAG,kBAAkB,CAAC,SAAS,OAAO,CAAC,CAAC;IACxD,CAAC;IAED,KAAK,UAAU,yBAAyB,CAAC,SAAiB;QACxD,OAAO,EAAE;aACN,MAAM,EAAE;aACR,IAAI,CAAC,kBAAkB,CAAC;aACxB,KAAK,CACJ,GAAG,CACD,EAAE,CAAC,kBAAkB,CAAC,SAAS,EAAE,SAAS,CAAC,EAC3C,EAAE,CAAC,kBAAkB,CAAC,aAAa,EAAE,MAAM,CAAC,EAC5C,EAAE,CAAC,kBAAkB,CAAC,MAAM,EAAE,QAAQ,CAAC,CACxC,CACF;aACA,OAAO,CAAC,GAAG,CAAA,GAAG,kBAAkB,CAAC,SAAS,MAAM,CAAC,CAAC;IACvD,CAAC;IAED,KAAK,UAAU,oBAAoB,CACjC,SAAiB,EACjB,QAAgB,EAChB,MAAoB,EACpB,eAA8B;QAE9B,MAAM,MAAM,GAAG,MAAM,EAAE;aACpB,MAAM,EAAE;aACR,IAAI,CAAC,kBAAkB,CAAC;aACxB,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC,kBAAkB,CAAC,SAAS,EAAE,SAAS,CAAC,EAAE,EAAE,CAAC,kBAAkB,CAAC,EAAE,EAAE,QAAQ,CAAC,CAAC,CAAC;aAC5F,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC;QACnC,IAAI,CAAC,MAAM;YAAE,OAAO,IAAI,CAAC;QAEzB,MAAM,EAAE,CAAC,WAAW,CAAC,KAAK,EAAE,EAAE,EAAE,EAAE;YAChC,MAAM,EAAE;iBACL,MAAM,CAAC,yBAAyB,CAAC;iBACjC,KAAK,CACJ,GAAG,CACD,EAAE,CAAC,yBAAyB,CAAC,SAAS,EAAE,SAAS,CAAC,EAClD,EAAE,CAAC,yBAAyB,CAAC,aAAa,EAAE,MAAM,CAAC,aAAa,CAAC,EACjE,EAAE,CAAC,yBAAyB,CAAC,WAAW,EAAE,MAAM,CAAC,WAAW,CAAC,CAC9D,CACF,CAAC;YACJ,IAAI,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACtB,MAAM,EAAE,CAAC,MAAM,CAAC,yBAAyB,CAAC,CAAC,MAAM,CAC/C,MAAM,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;oBACrB,SAAS;oBACT,aAAa,EAAE,MAAM,CAAC,aAAa;oBACnC,WAAW,EAAE,MAAM,CAAC,WAAW;oBAC/B,aAAa,EAAE,KAAK,CAAC,aAAa;oBAClC,KAAK,EAAE,KAAK,CAAC,KAAK,IAAI,IAAI;oBAC1B,eAAe;oBACf,SAAS,EAAE,IAAI,IAAI,EAAE;oBACrB,SAAS,EAAE,IAAI,IAAI,EAAE;iBACtB,CAAC,CAAC,CACJ,CAAC;YACJ,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,KAAK,UAAU,oBAAoB,CAAC,MAAc;QAChD,MAAM,QAAQ,GAAG,MAAM,EAAE;aACtB,MAAM,EAAE;aACR,IAAI,CAAC,iBAAiB,CAAC;aACvB,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC,iBAAiB,CAAC,MAAM,EAAE,MAAM,CAAC,EAAE,EAAE,CAAC,iBAAiB,CAAC,IAAI,EAAE,gBAAgB,CAAC,CAAC,CAAC;aAC9F,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC;QACnC,IAAI,QAAQ;YAAE,OAAO,QAAQ,CAAC;QAC9B,OAAO,EAAE;aACN,MAAM,CAAC,iBAAiB,CAAC;aACzB,MAAM,CAAC;YACN,MAAM;YACN,IAAI,EAAE,gBAAgB;SACvB,CAAC;aACD,SAAS,EAAE;aACX,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;IAC7B,CAAC;IAED,KAAK,UAAU,mBAAmB,CAAC,MAAc;QAC/C,OAAO,EAAE;aACN,MAAM,CAAC,iBAAiB,CAAC;aACzB,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC,iBAAiB,CAAC,MAAM,EAAE,MAAM,CAAC,EAAE,EAAE,CAAC,iBAAiB,CAAC,IAAI,EAAE,gBAAgB,CAAC,CAAC,CAAC;aAC9F,SAAS,EAAE;aACX,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC;IACrC,CAAC;IAED,KAAK,UAAU,qBAAqB,CAAC,MAAc;QACjD,OAAO,EAAE;aACN,MAAM,EAAE;aACR,IAAI,CAAC,kBAAkB,CAAC;aACxB,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC,kBAAkB,CAAC,aAAa,EAAE,MAAM,CAAC,EAAE,EAAE,CAAC,kBAAkB,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC,CAAC;aACpG,OAAO,CAAC,GAAG,CAAA,GAAG,kBAAkB,CAAC,SAAS,OAAO,CAAC,CAAC;IACxD,CAAC;IAED,KAAK,UAAU,oBAAoB,CAAC,MAAc,EAAE,UAAoB;QACtE,MAAM,QAAQ,GAAG,MAAM,qBAAqB,CAAC,MAAM,CAAC,CAAC;QACrD,MAAM,iBAAiB,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,SAAS,EAAE,GAAG,CAAC,CAAC,CAAC,CAAC;QAC/E,MAAM,MAAM,GAAG,IAAI,GAAG,CAAC,UAAU,CAAC,CAAC;QAEnC,MAAM,EAAE,CAAC,WAAW,CAAC,KAAK,EAAE,EAAE,EAAE,EAAE;YAChC,MAAM,QAAQ,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;YAC3F,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACxB,MAAM,EAAE,CAAC,MAAM,CAAC,kBAAkB,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,kBAAkB,CAAC,EAAE,EAAE,QAAQ,CAAC,CAAC,CAAC;YACtF,CAAC;YAED,KAAK,MAAM,SAAS,IAAI,MAAM,EAAE,CAAC;gBAC/B,IAAI,iBAAiB,CAAC,GAAG,CAAC,SAAS,CAAC;oBAAE,SAAS;gBAC/C,MAAM,EAAE,CAAC,MAAM,CAAC,kBAAkB,CAAC,CAAC,MAAM,CAAC;oBACzC,SAAS;oBACT,aAAa,EAAE,MAAM;oBACrB,WAAW,EAAE,MAAM;oBACnB,MAAM,EAAE,QAAQ;oBAChB,cAAc,EAAE,QAAQ;iBACzB,CAAC,CAAC;YACL,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,OAAO,qBAAqB,CAAC,MAAM,CAAC,CAAC;IACvC,CAAC;IAED,KAAK,UAAU,gBAAgB,CAC7B,SAAiB,EACjB,aAA4B,EAC5B,WAAmB,EACnB,iBAAgC,QAAQ,EACxC,SAA6C,QAAQ;QAErD,MAAM,QAAQ,GAAG,MAAM,aAAa,CAAC,SAAS,EAAE,aAAa,EAAE,WAAW,CAAC,CAAC;QAC5E,IAAI,QAAQ,EAAE,CAAC;YACb,IAAI,QAAQ,CAAC,MAAM,KAAK,MAAM,IAAI,QAAQ,CAAC,cAAc,KAAK,cAAc,EAAE,CAAC;gBAC7E,MAAM,OAAO,GAAG,MAAM,EAAE;qBACrB,MAAM,CAAC,kBAAkB,CAAC;qBAC1B,GAAG,CAAC,EAAE,MAAM,EAAE,cAAc,EAAE,SAAS,EAAE,IAAI,IAAI,EAAE,EAAE,CAAC;qBACtD,KAAK,CAAC,EAAE,CAAC,kBAAkB,CAAC,EAAE,EAAE,QAAQ,CAAC,EAAE,CAAC,CAAC;qBAC7C,SAAS,EAAE;qBACX,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC;gBACnC,OAAO,OAAO,IAAI,QAAQ,CAAC;YAC7B,CAAC;YACD,OAAO,QAAQ,CAAC;QAClB,CAAC;QAED,OAAO,EAAE;aACN,MAAM,CAAC,kBAAkB,CAAC;aAC1B,MAAM,CAAC;YACN,SAAS;YACT,aAAa;YACb,WAAW;YACX,MAAM;YACN,cAAc;SACf,CAAC;aACD,SAAS,EAAE;aACX,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;IAC7B,CAAC;IAED,KAAK,UAAU,kBAAkB,CAC/B,SAAiB,EACjB,aAA4B,EAC5B,WAAmB,EACnB,MAAoB,EACpB,eAA8B;QAE9B,MAAM,EAAE,CAAC,WAAW,CAAC,KAAK,EAAE,EAAE,EAAE,EAAE;YAChC,MAAM,EAAE;iBACL,MAAM,CAAC,yBAAyB,CAAC;iBACjC,KAAK,CACJ,GAAG,CACD,EAAE,CAAC,yBAAyB,CAAC,SAAS,EAAE,SAAS,CAAC,EAClD,EAAE,CAAC,yBAAyB,CAAC,aAAa,EAAE,aAAa,CAAC,EAC1D,EAAE,CAAC,yBAAyB,CAAC,WAAW,EAAE,WAAW,CAAC,CACvD,CACF,CAAC;YACJ,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC;gBAAE,OAAO;YAChC,MAAM,EAAE,CAAC,MAAM,CAAC,yBAAyB,CAAC,CAAC,MAAM,CAC/C,MAAM,CAAC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;gBACrB,SAAS;gBACT,aAAa;gBACb,WAAW;gBACX,aAAa,EAAE,KAAK,CAAC,aAAa;gBAClC,KAAK,EAAE,KAAK,CAAC,KAAK,IAAI,IAAI;gBAC1B,eAAe;gBACf,SAAS,EAAE,IAAI,IAAI,EAAE;gBACrB,SAAS,EAAE,IAAI,IAAI,EAAE;aACtB,CAAC,CAAC,CACJ,CAAC;QACJ,CAAC,CAAC,CAAC;IACL,CAAC;IAED,KAAK,UAAU,yBAAyB,CAAC,eAAuB,EAAE,eAAuB;QACvF,MAAM,iBAAiB,GAAG,MAAM,yBAAyB,CAAC,eAAe,CAAC,CAAC;QAC3E,KAAK,MAAM,UAAU,IAAI,iBAAiB,EAAE,CAAC;YAC3C,MAAM,gBAAgB,CACpB,eAAe,EACf,MAAM,EACN,UAAU,CAAC,WAAW,EACtB,UAAU,CAAC,cAAc,EACzB,QAAQ,CACT,CAAC;QACJ,CAAC;QACD,OAAO,iBAAiB,CAAC;IAC3B,CAAC;IAED,KAAK,UAAU,mBAAmB,CAChC,SAAiB,EACjB,aAA4B,EAC5B,WAAmB;QAEnB,OAAO,EAAE;aACN,MAAM,EAAE;aACR,IAAI,CAAC,yBAAyB,CAAC;aAC/B,KAAK,CACJ,GAAG,CACD,EAAE,CAAC,yBAAyB,CAAC,SAAS,EAAE,SAAS,CAAC,EAClD,EAAE,CAAC,yBAAyB,CAAC,aAAa,EAAE,aAAa,CAAC,EAC1D,EAAE,CAAC,yBAAyB,CAAC,WAAW,EAAE,WAAW,CAAC,CACvD,CACF;aACA,OAAO,CAAC,yBAAyB,CAAC,aAAa,CAAC,CAAC;IACtD,CAAC;IAED,KAAK,UAAU,sBAAsB,CACnC,SAAiB,EACjB,aAA4B,EAC5B,WAAmB,EACnB,aAA4B,EAC5B,OAAgB,EAChB,eAA8B,EAC9B,QAAwC,IAAI;QAE5C,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,MAAM,EAAE;iBACL,MAAM,CAAC,yBAAyB,CAAC;iBACjC,KAAK,CACJ,GAAG,CACD,EAAE,CAAC,yBAAyB,CAAC,SAAS,EAAE,SAAS,CAAC,EAClD,EAAE,CAAC,yBAAyB,CAAC,aAAa,EAAE,aAAa,CAAC,EAC1D,EAAE,CAAC,yBAAyB,CAAC,WAAW,EAAE,WAAW,CAAC,EACtD,EAAE,CAAC,yBAAyB,CAAC,aAAa,EAAE,aAAa,CAAC,CAC3D,CACF,CAAC;YACJ,OAAO;QACT,CAAC;QAED,MAAM,gBAAgB,CAAC,SAAS,EAAE,aAAa,EAAE,WAAW,EAAE,QAAQ,EAAE,QAAQ,CAAC,CAAC;QAElF,MAAM,QAAQ,GAAG,MAAM,EAAE;aACtB,MAAM,EAAE;aACR,IAAI,CAAC,yBAAyB,CAAC;aAC/B,KAAK,CACJ,GAAG,CACD,EAAE,CAAC,yBAAyB,CAAC,SAAS,EAAE,SAAS,CAAC,EAClD,EAAE,CAAC,yBAAyB,CAAC,aAAa,EAAE,aAAa,CAAC,EAC1D,EAAE,CAAC,yBAAyB,CAAC,WAAW,EAAE,WAAW,CAAC,EACtD,EAAE,CAAC,yBAAyB,CAAC,aAAa,EAAE,aAAa,CAAC,CAC3D,CACF;aACA,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC;QAEnC,IAAI,QAAQ,EAAE,CAAC;YACb,MAAM,EAAE;iBACL,MAAM,CAAC,yBAAyB,CAAC;iBACjC,GAAG,CAAC;gBACH,KAAK;gBACL,eAAe;gBACf,SAAS,EAAE,IAAI,IAAI,EAAE;aACtB,CAAC;iBACD,KAAK,CAAC,EAAE,CAAC,yBAAyB,CAAC,EAAE,EAAE,QAAQ,CAAC,EAAE,CAAC,CAAC,CAAC;YACxD,OAAO;QACT,CAAC;QAED,MAAM,EAAE,CAAC,MAAM,CAAC,yBAAyB,CAAC,CAAC,MAAM,CAAC;YAChD,SAAS;YACT,aAAa;YACb,WAAW;YACX,aAAa;YACb,KAAK;YACL,eAAe;YACf,SAAS,EAAE,IAAI,IAAI,EAAE;YACrB,SAAS,EAAE,IAAI,IAAI,EAAE;SACtB,CAAC,CAAC;IACL,CAAC;IAED,OAAO;QACL,eAAe;QACf,OAAO;QACP,aAAa;QACb,aAAa;QACb,gBAAgB;QAChB,WAAW;QACX,yBAAyB;QACzB,yBAAyB;QACzB,oBAAoB;QACpB,oBAAoB;QACpB,mBAAmB;QACnB,qBAAqB;QACrB,oBAAoB;QACpB,kBAAkB;QAClB,mBAAmB;QACnB,sBAAsB;KACvB,CAAC;AACJ,CAAC"}

package/dist/services/activity-log.d.ts

@@ -0,0 +1,17 @@
+import type { Db } from "@fideliosai/db";
+import type { PluginEventBus } from "./plugin-event-bus.js";
+/** Wire the plugin event bus so domain events are forwarded to plugins. */
+export declare function setPluginEventBus(bus: PluginEventBus): void;
+export interface LogActivityInput {
+    companyId: string;
+    actorType: "agent" | "user" | "system";
+    actorId: string;
+    action: string;
+    entityType: string;
+    entityId: string;
+    agentId?: string | null;
+    runId?: string | null;
+    details?: Record<string, unknown> | null;
+}
+export declare function logActivity(db: Db, input: LogActivityInput): Promise<void>;
+//# sourceMappingURL=activity-log.d.ts.map

package/dist/services/activity-log.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"activity-log.d.ts","sourceRoot":"","sources":["../../src/services/activity-log.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,EAAE,EAAE,MAAM,gBAAgB,CAAC;AAQzC,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AAO5D,2EAA2E;AAC3E,wBAAgB,iBAAiB,CAAC,GAAG,EAAE,cAAc,GAAG,IAAI,CAK3D;AAED,MAAM,WAAW,gBAAgB;IAC/B,SAAS,EAAE,MAAM,CAAC;IAClB,SAAS,EAAE,OAAO,GAAG,MAAM,GAAG,QAAQ,CAAC;IACvC,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,KAAK,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACtB,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC;CAC1C;AAED,wBAAsB,WAAW,CAAC,EAAE,EAAE,EAAE,EAAE,KAAK,EAAE,gBAAgB,iBAyDhE"}