@flusys/nestjs-iam 1.1.0-beta → 2.0.0

package/fesm/services/permission.service.js

@@ -25,7 +25,7 @@ function _ts_param(paramIndex, decorator) {
         decorator(target, key, paramIndex);
     };
 }
-import { Inject, Injectable, Logger, Scope } from '@nestjs/common';
+import { BadRequestException, ConflictException, Inject, Injectable, Logger, Scope } from '@nestjs/common';
 import { In, IsNull } from 'typeorm';
 import { PermissionAction } from '../dtos/permission.dto';
 import { Action } from '../entities/action.entity';
@@ -35,9 +35,8 @@ import { Role } from '../entities/role.entity';
 import { IamEntityType, IamPermissionType, UserIamPermission } from '../entities/user-iam-permission.entity';
 import { ActionType } from '../enums/action-type.enum';
 import { IAMPermissionMode } from '../enums/permission-type.enum';
-import { PermissionEvaluatorHelper } from '../helpers/permission-evaluator.helper';
 import { IAMConfigService } from './iam-config.service';
-import { IAMDataSourceProvider } from './iam-datasource.provider';
+import { IAMDataSourceService } from './iam-datasource.service';
 import { PermissionCacheService } from './permission-cache.service';
 export class PermissionService {
     // Repository Getters
@@ -56,16 +55,16 @@ export class PermissionService {
     }
     // User-Action Permissions
     async assignUserActions(dto) {
+        if (!this.iamConfigService.isDirectPermissionEnabled()) {
+            throw new BadRequestException('Direct permission assignment not available in RBAC-only mode. Use role-based permissions instead.');
+        }
         const permissionRepo = await this.getPermissionRepository();
         const enableCompanyFeature = this.iamConfigService.isCompanyFeatureEnabled();
         const branchId = dto.branchId ?? null;
         const companyId = dto.companyId ?? null;
-        // Separate items into add and remove batches
-        const itemsToAdd = dto.items.filter((item)=>item.action === PermissionAction.ADD);
-        const itemsToRemove = dto.items.filter((item)=>item.action === PermissionAction.REMOVE);
+        const { toAdd: itemsToAdd, toRemove: itemsToRemove } = this.splitItemsByAction(dto.items);
         let added = 0;
         let removed = 0;
-        // Batch add: Find existing permissions in one query
         if (itemsToAdd.length > 0) {
             const actionIdsToAdd = itemsToAdd.map((item)=>item.id);
             const whereFind = {
@@ -97,11 +96,17 @@ export class PermissionService {
                     branchId: enableCompanyFeature ? branchId : null
                 }));
             if (newPermissions.length > 0) {
-                await permissionRepo.save(newPermissions);
-                added = newPermissions.length;
+                try {
+                    await permissionRepo.save(newPermissions);
+                    added = newPermissions.length;
+                } catch (error) {
+                    if (error?.code === 'ER_DUP_ENTRY' || error?.message?.includes('Duplicate entry')) {
+                        throw new ConflictException('Some permissions already exist for this user. Please refresh and try again.');
+                    }
+                    throw error;
+                }
             }
         }
-        // Batch remove: Delete all at once using IN clause
         if (itemsToRemove.length > 0) {
             const actionIdsToRemove = itemsToRemove.map((item)=>item.id);
             const whereDelete = {
@@ -118,14 +123,8 @@ export class PermissionService {
             const result = await permissionRepo.delete(whereDelete);
             removed = result.affected || 0;
         }
-        // Invalidate permission cache for this user
         await this.invalidateUserPermissionCache(dto.userId, branchId, companyId);
-        return {
-            success: true,
-            added,
-            removed,
-            message: `Successfully processed ${dto.items.length} items: ${added} added, ${removed} removed`
-        };
+        return this.buildOperationResult(dto.items.length, added, removed);
     }
     async getUserActions(userId, branchId, companyId) {
         const permissionRepo = await this.getPermissionRepository();
@@ -136,22 +135,9 @@ export class PermissionService {
             sourceType: IamEntityType.USER,
             sourceId: userId
         };
-        // When company feature enabled:
-        // - companyId provided → Filter by that company (optional additional filter)
-        // - branchId provided → Filter by that branch (branch-specific actions)
-        // - branchId not provided → Filter by IS NULL (company-wide actions)
         if (enableCompanyFeature) {
-            if (companyId) {
-                // Filter by companyId if provided
-                where.companyId = companyId;
-            }
-            if (branchId) {
-                // Branch-specific actions only
-                where.branchId = branchId;
-            } else {
-                // Company-wide actions only (branchId IS NULL)
-                where.branchId = null;
-            }
+            if (companyId) where.companyId = companyId;
+            where.branchId = branchId ?? null;
         }
         const permissions = await permissionRepo.find({
             where
@@ -185,9 +171,11 @@ export class PermissionService {
     }
     // Role-Action Permissions
     async assignRoleActions(dto) {
+        if (!this.iamConfigService.isRbacEnabled()) {
+            throw new BadRequestException('Role-based permission assignment not available in DIRECT-only mode. Use direct user permissions instead.');
+        }
         const permissionRepo = await this.getPermissionRepository();
         const enableCompanyFeature = this.iamConfigService.isCompanyFeatureEnabled();
-        // Fetch role companyId if company feature is enabled
         let roleCompanyId = null;
         if (enableCompanyFeature) {
             const roleRepo = await this.getRoleRepository();
@@ -202,12 +190,9 @@ export class PermissionService {
             });
             roleCompanyId = role?.companyId ?? null;
         }
-        // Separate items into add and remove batches
-        const itemsToAdd = dto.items.filter((item)=>item.action === PermissionAction.ADD);
-        const itemsToRemove = dto.items.filter((item)=>item.action === PermissionAction.REMOVE);
+        const { toAdd: itemsToAdd, toRemove: itemsToRemove } = this.splitItemsByAction(dto.items);
         let added = 0;
         let removed = 0;
-        // Batch add: Find existing permissions in one query
         if (itemsToAdd.length > 0) {
             const actionIdsToAdd = itemsToAdd.map((item)=>item.id);
             const existingPermissions = await permissionRepo.find({
@@ -234,11 +219,17 @@ export class PermissionService {
                     branchId: null
                 }));
             if (newPermissions.length > 0) {
-                await permissionRepo.save(newPermissions);
-                added = newPermissions.length;
+                try {
+                    await permissionRepo.save(newPermissions);
+                    added = newPermissions.length;
+                } catch (error) {
+                    if (error?.code === 'ER_DUP_ENTRY' || error?.message?.includes('Duplicate entry')) {
+                        throw new ConflictException('Some role-action permissions already exist. Please refresh and try again.');
+                    }
+                    throw error;
+                }
             }
         }
-        // Batch remove: Delete all at once using IN clause
         if (itemsToRemove.length > 0) {
             const actionIdsToRemove = itemsToRemove.map((item)=>item.id);
             const result = await permissionRepo.delete({
@@ -250,14 +241,8 @@ export class PermissionService {
             });
             removed = result.affected || 0;
         }
-        // Invalidate cache for all users with this role
         const affectedUsers = await this.invalidateRoleMembersCache(dto.roleId);
-        return {
-            success: true,
-            added,
-            removed,
-            message: `Successfully processed ${dto.items.length} items: ${added} added, ${removed} removed. Invalidated cache for ${affectedUsers} users.`
-        };
+        return this.buildOperationResult(dto.items.length, added, removed, `. Invalidated cache for ${affectedUsers} users.`);
     }
     async getRoleActions(roleId) {
         const permissionRepo = await this.getPermissionRepository();
@@ -299,8 +284,7 @@ export class PermissionService {
     /** Assign or remove actions to/from a company (whitelist) */ async assignCompanyActions(dto) {
         const permissionRepo = await this.getPermissionRepository();
         const dataSource = permissionRepo.manager.connection;
-        const itemsToAdd = dto.items.filter((item)=>item.action === PermissionAction.ADD);
-        const itemsToRemove = dto.items.filter((item)=>item.action === PermissionAction.REMOVE);
+        const { toAdd: itemsToAdd, toRemove: itemsToRemove } = this.splitItemsByAction(dto.items);
         let added = 0;
         let removed = 0;
         let removedRoleActions = 0;
@@ -320,12 +304,7 @@ export class PermissionService {
         });
         const affectedCacheEntries = await this.invalidateCompanyMembersCache(dto.companyId);
         const cascadeInfo = removedRoleActions > 0 || removedUserActions > 0 ? ` Cascaded removal: ${removedRoleActions} role permissions, ${removedUserActions} user permissions.` : '';
-        return {
-            success: true,
-            added,
-            removed,
-            message: `Successfully processed ${dto.items.length} items: ${added} added, ${removed} removed.${cascadeInfo} Invalidated ${affectedCacheEntries} cache entries.`
-        };
+        return this.buildOperationResult(dto.items.length, added, removed, `.${cascadeInfo} Invalidated ${affectedCacheEntries} cache entries.`);
     }
     async addCompanyActions(permissionRepo, companyId, actionIds) {
         const existingPermissions = await permissionRepo.find({
@@ -459,16 +438,16 @@ export class PermissionService {
     }
     // User-Role Permissions
     /** Assign user to roles (branch-scoped when company feature is enabled) */ async assignUserRoles(dto) {
+        if (!this.iamConfigService.isRbacEnabled()) {
+            throw new BadRequestException('Role assignment not available in DIRECT-only mode. Use direct user permissions instead.');
+        }
         const permissionRepo = await this.getPermissionRepository();
         const enableCompanyFeature = this.iamConfigService.isCompanyFeatureEnabled();
         const branchId = dto.branchId ?? null;
         const companyId = dto.companyId ?? null;
-        // Separate items into add and remove batches
-        const itemsToAdd = dto.items.filter((item)=>item.action === PermissionAction.ADD);
-        const itemsToRemove = dto.items.filter((item)=>item.action === PermissionAction.REMOVE);
+        const { toAdd: itemsToAdd, toRemove: itemsToRemove } = this.splitItemsByAction(dto.items);
         let added = 0;
         let removed = 0;
-        // Batch add: Find existing permissions in one query
         if (itemsToAdd.length > 0) {
             const roleIdsToAdd = itemsToAdd.map((item)=>item.id);
             const whereFind = {
@@ -500,11 +479,17 @@ export class PermissionService {
                     branchId: enableCompanyFeature ? branchId : null
                 }));
             if (newPermissions.length > 0) {
-                await permissionRepo.save(newPermissions);
-                added = newPermissions.length;
+                try {
+                    await permissionRepo.save(newPermissions);
+                    added = newPermissions.length;
+                } catch (error) {
+                    if (error?.code === 'ER_DUP_ENTRY' || error?.message?.includes('Duplicate entry')) {
+                        throw new ConflictException('Some user-role permissions already exist. Please refresh and try again.');
+                    }
+                    throw error;
+                }
             }
         }
-        // Batch remove: Delete all at once using IN clause
         if (itemsToRemove.length > 0) {
             const roleIdsToRemove = itemsToRemove.map((item)=>item.id);
             const whereDelete = {
@@ -521,41 +506,21 @@ export class PermissionService {
             const result = await permissionRepo.delete(whereDelete);
             removed = result.affected || 0;
         }
-        // Invalidate permission cache for this user
         await this.invalidateUserPermissionCache(dto.userId, branchId, companyId);
-        return {
-            success: true,
-            added,
-            removed,
-            message: `Successfully processed ${dto.items.length} items: ${added} added, ${removed} removed`
-        };
+        return this.buildOperationResult(dto.items.length, added, removed);
     }
     /** Get user's roles (branch-scoped, filtered by companyId and branchId if provided) */ async getUserRoles(userId, branchId, companyId) {
         const permissionRepo = await this.getPermissionRepository();
         const roleRepo = await this.getRoleRepository();
         const enableCompanyFeature = this.iamConfigService.isCompanyFeatureEnabled();
-        // Build where clause with optional companyId and branchId filter
-        // When company feature enabled:
-        // - companyId provided → Filter by that company (optional additional filter)
-        // - branchId provided → Filter by that branch (branch-specific roles)
-        // - branchId not provided → Filter by IS NULL (company-wide roles)
         const where = {
             permissionType: IamPermissionType.USER_ROLE,
             sourceType: IamEntityType.USER,
             sourceId: userId
         };
         if (enableCompanyFeature) {
-            if (companyId) {
-                // Filter by companyId if provided
-                where.companyId = companyId;
-            }
-            if (branchId) {
-                // Branch-specific roles only
-                where.branchId = branchId;
-            } else {
-                // Company-wide roles only (branchId IS NULL)
-                where.branchId = null;
-            }
+            if (companyId) where.companyId = companyId;
+            where.branchId = branchId ?? null;
         }
         const permissions = await permissionRepo.find({
             where
@@ -596,20 +561,15 @@ export class PermissionService {
             branchId,
             enableCompanyFeature
         };
-        // Step 1: Check cache first
         const cachedData = await this.permissionCacheService.getMyPermissions(cacheOptions);
         if (cachedData) {
-            // Cache hit - use cached data (even if empty)
             return this.buildResponseFromCache(cachedData, parentCodes);
         }
-        // Step 2: Cache miss - fetch from DB and cache (even if empty)
         const freshData = await this.fetchAndCachePermissions(userId, branchId, companyId);
-        // Step 3: Apply parentCodes filter and return
         return this.buildResponseFromCache(freshData, parentCodes);
     }
     /** Build response from cached data, applying optional parentCodes filter */ async buildResponseFromCache(cachedData, parentCodes) {
         let frontendActions = cachedData.frontendActions;
-        // Apply parentCodes filter if provided
         if (parentCodes?.length) {
             const parentIds = await this.getParentIdsByCodesWithCache(parentCodes);
             if (parentIds.size > 0) {
@@ -628,13 +588,19 @@ export class PermissionService {
             cachedEndpoints: cachedData.backendCodes.length
         };
     }
-    /** Get parent IDs by codes, using cache first */ async getParentIdsByCodesWithCache(codes) {
-        // Try cache first
-        const cachedMap = await this.permissionCacheService.getActionIdsByCodes(codes);
+    /** Get current tenant ID for multi-tenant cache keys */ getCurrentTenantId() {
+        if (!this.iamConfigService.isMultiTenant()) {
+            return undefined;
+        }
+        const tenant = this.dataSourceProvider.getCurrentTenant();
+        return tenant?.id;
+    }
+    /** Get parent IDs by codes, using cache first (tenant-aware) */ async getParentIdsByCodesWithCache(codes) {
+        const tenantId = this.getCurrentTenantId();
+        const cachedMap = await this.permissionCacheService.getActionIdsByCodes(codes, tenantId);
         if (cachedMap) {
             return new Set(Object.values(cachedMap));
         }
-        // Cache miss - fetch from DB and cache
         const actionRepo = await this.getActionRepository();
         const allActions = await actionRepo.find({
             select: [
@@ -642,33 +608,42 @@ export class PermissionService {
                 'code'
             ]
         });
-        // Build full code → ID map and cache it
         const fullMap = {};
         for (const action of allActions){
             if (action.code) {
                 fullMap[action.code] = action.id;
             }
         }
-        await this.permissionCacheService.setActionCodeMap(fullMap);
-        // Return only requested codes
+        await this.permissionCacheService.setActionCodeMap(fullMap, tenantId);
         return new Set(codes.map((code)=>fullMap[code]).filter(Boolean));
     }
     /** Fetch permissions from DB and cache them (empty permissions are also cached) */ async fetchAndCachePermissions(userId, branchId, companyId) {
         const enableCompanyFeature = this.iamConfigService.isCompanyFeatureEnabled();
-        const permissionMode = this.iamConfigService.getPermissionMode();
         const cacheOptions = {
             userId,
             companyId,
             branchId,
             enableCompanyFeature
         };
-        // Empty cache data for users with no permissions
         const emptyData = {
             frontendActions: [],
             backendCodes: []
         };
+        const allActionIds = await this.collectAllActionIds(userId, branchId, companyId);
+        if (allActionIds.size === 0) {
+            await this.permissionCacheService.setMyPermissions(cacheOptions, emptyData);
+            return emptyData;
+        }
+        await this.applyCompanyWhitelist(allActionIds, companyId);
+        if (allActionIds.size === 0) {
+            await this.permissionCacheService.setMyPermissions(cacheOptions, emptyData);
+            return emptyData;
+        }
+        return this.buildAndCachePermissionData(allActionIds, cacheOptions);
+    }
+    /** Collect all action IDs based on permission mode (RBAC, DIRECT, or FULL) */ async collectAllActionIds(userId, branchId, companyId) {
+        const permissionMode = this.iamConfigService.getPermissionMode();
         const allActionIds = new Set();
-        // Collect action IDs based on permission mode
         if (permissionMode === IAMPermissionMode.RBAC || permissionMode === IAMPermissionMode.FULL) {
             const userRoleIds = await this.getUserRoleIds(userId, branchId, companyId);
             if (userRoleIds.length > 0) {
@@ -680,40 +655,33 @@ export class PermissionService {
             const userActionIds = await this.getUserActionIds(userId, branchId, companyId);
             userActionIds.forEach((id)=>allActionIds.add(id));
         }
-        if (allActionIds.size === 0) {
-            // Cache empty result to avoid repeated DB hits
-            await this.permissionCacheService.setMyPermissions(cacheOptions, emptyData);
-            return emptyData;
-        }
-        // Filter by company whitelist
-        if (enableCompanyFeature && companyId) {
-            const companyActionIds = await this.getCompanyActionIds(companyId);
-            if (companyActionIds.length > 0) {
-                const allowedActionIds = new Set(companyActionIds);
-                for (const actionId of allActionIds){
-                    if (!allowedActionIds.has(actionId)) {
-                        allActionIds.delete(actionId);
-                    }
-                }
+        return allActionIds;
+    }
+    /** Apply company whitelist filter to action IDs (mutates the set) */ async applyCompanyWhitelist(actionIds, companyId) {
+        if (!this.iamConfigService.isCompanyFeatureEnabled() || !companyId) {
+            return;
+        }
+        const companyActionIds = await this.getCompanyActionIds(companyId);
+        if (companyActionIds.length === 0) {
+            return;
+        }
+        const allowedActionIds = new Set(companyActionIds);
+        for (const actionId of actionIds){
+            if (!allowedActionIds.has(actionId)) {
+                actionIds.delete(actionId);
             }
         }
-        if (allActionIds.size === 0) {
-            // Cache empty result to avoid repeated DB hits
-            await this.permissionCacheService.setMyPermissions(cacheOptions, emptyData);
-            return emptyData;
-        }
-        // Fetch actions from DB
+    }
+    /** Fetch actions from DB, separate by type, build cache data, and cache it */ async buildAndCachePermissionData(actionIds, cacheOptions) {
         const actionRepo = await this.getActionRepository();
         const actions = await actionRepo.find({
             where: {
-                id: In(Array.from(allActionIds))
+                id: In(Array.from(actionIds))
             }
         });
-        // Separate by type
         const backendActions = actions.filter((a)=>a.actionType === ActionType.BACKEND || a.actionType === ActionType.BOTH);
         const frontendActions = actions.filter((a)=>a.actionType === ActionType.FRONTEND || a.actionType === ActionType.BOTH);
         const backendCodes = backendActions.map((a)=>a.code).filter((c)=>!!c);
-        // Build cache data (includes parentId for filtering)
         const cacheData = {
             frontendActions: frontendActions.map((a)=>({
                     id: a.id,
@@ -724,7 +692,6 @@ export class PermissionService {
                 })),
             backendCodes
         };
-        // Cache both: full permissions and backend codes for PermissionGuard
         await Promise.all([
             this.permissionCacheService.setMyPermissions(cacheOptions, cacheData),
             this.permissionCacheService.setPermissions(cacheOptions, backendCodes)
@@ -732,11 +699,24 @@ export class PermissionService {
         return cacheData;
     }
     // Helper Methods
+    /** Split permission items into add and remove arrays */ splitItemsByAction(items) {
+        return {
+            toAdd: items.filter((item)=>item.action === PermissionAction.ADD),
+            toRemove: items.filter((item)=>item.action === PermissionAction.REMOVE)
+        };
+    }
+    /** Build standard operation result DTO */ buildOperationResult(totalItems, added, removed, additionalMessage = '') {
+        return {
+            success: true,
+            added,
+            removed,
+            message: `Successfully processed ${totalItems} items: ${added} added, ${removed} removed${additionalMessage}`
+        };
+    }
     /** Get role IDs assigned to a user (merges company-wide + branch-specific roles) */ async getUserRoleIds(userId, branchId, companyId) {
         const permissionRepo = await this.getPermissionRepository();
         const enableCompanyFeature = this.iamConfigService.isCompanyFeatureEnabled();
         if (!enableCompanyFeature) {
-            // Simple case: no company feature, get all user roles
             const permissions = await permissionRepo.find({
                 where: {
                     permissionType: IamPermissionType.USER_ROLE,
@@ -744,33 +724,37 @@ export class PermissionService {
                     sourceId: userId
                 }
             });
-            return permissions.map((p)=>p.targetId);
+            return permissions.filter((p)=>p.isValid()).map((p)=>p.targetId);
         }
-        // Company feature enabled: merge company-wide + branch-specific roles
         const roleIds = new Set();
-        // Step 1: Get company-wide roles (branchId = null)
-        const companyWidePermissions = await permissionRepo.find({
-            where: {
-                permissionType: IamPermissionType.USER_ROLE,
-                sourceType: IamEntityType.USER,
-                sourceId: userId,
-                branchId: IsNull(),
-                companyId: companyId
-            }
-        });
-        companyWidePermissions.forEach((p)=>roleIds.add(p.targetId));
-        // Step 2: Get branch-specific roles (branchId = value) if branchId provided
+        const baseWhere = {
+            permissionType: IamPermissionType.USER_ROLE,
+            sourceType: IamEntityType.USER,
+            sourceId: userId,
+            companyId: companyId
+        };
         if (branchId) {
+            // Get company-wide + branch-specific roles
+            const companyWidePermissions = await permissionRepo.find({
+                where: {
+                    ...baseWhere,
+                    branchId: IsNull()
+                }
+            });
+            companyWidePermissions.filter((p)=>p.isValid()).forEach((p)=>roleIds.add(p.targetId));
             const branchPermissions = await permissionRepo.find({
                 where: {
-                    permissionType: IamPermissionType.USER_ROLE,
-                    sourceType: IamEntityType.USER,
-                    sourceId: userId,
-                    branchId,
-                    companyId: companyId
+                    ...baseWhere,
+                    branchId
                 }
             });
-            branchPermissions.forEach((p)=>roleIds.add(p.targetId));
+            branchPermissions.filter((p)=>p.isValid()).forEach((p)=>roleIds.add(p.targetId));
+        } else {
+            // No branch context: get all roles for this company
+            const allPermissions = await permissionRepo.find({
+                where: baseWhere
+            });
+            allPermissions.filter((p)=>p.isValid()).forEach((p)=>roleIds.add(p.targetId));
         }
         return Array.from(roleIds);
     }
@@ -783,13 +767,12 @@ export class PermissionService {
                 sourceId: In(roleIds)
             }
         });
-        return permissions.map((p)=>p.targetId);
+        return permissions.filter((p)=>p.isValid()).map((p)=>p.targetId);
     }
     /** Get action IDs directly assigned to a user (merges company-wide + branch-specific actions) */ async getUserActionIds(userId, branchId, companyId) {
         const permissionRepo = await this.getPermissionRepository();
         const enableCompanyFeature = this.iamConfigService.isCompanyFeatureEnabled();
         if (!enableCompanyFeature) {
-            // Simple case: no company feature, get all user actions
             const permissions = await permissionRepo.find({
                 where: {
                     permissionType: IamPermissionType.USER_ACTION,
@@ -797,44 +780,43 @@ export class PermissionService {
                     sourceId: userId
                 }
             });
-            return permissions.map((p)=>p.targetId);
+            return permissions.filter((p)=>p.isValid()).map((p)=>p.targetId);
         }
-        // Company feature enabled: merge company-wide + branch-specific actions
         const actionIds = new Set();
-        // Step 1: Get company-wide actions (branchId = null, companyId = current)
-        const companyWideWhere = {
+        const baseWhere = {
             permissionType: IamPermissionType.USER_ACTION,
             sourceType: IamEntityType.USER,
-            sourceId: userId,
-            branchId: IsNull()
+            sourceId: userId
         };
         if (companyId) {
-            companyWideWhere.companyId = companyId;
+            baseWhere.companyId = companyId;
         }
-        const companyWidePermissions = await permissionRepo.find({
-            where: companyWideWhere
-        });
-        companyWidePermissions.forEach((p)=>actionIds.add(p.targetId));
-        // Step 2: Get branch-specific actions (branchId = value, companyId = current) if branchId provided
         if (branchId) {
-            const branchWhere = {
-                permissionType: IamPermissionType.USER_ACTION,
-                sourceType: IamEntityType.USER,
-                sourceId: userId,
-                branchId
-            };
-            if (companyId) {
-                branchWhere.companyId = companyId;
-            }
+            // Get company-wide + branch-specific actions
+            const companyWidePermissions = await permissionRepo.find({
+                where: {
+                    ...baseWhere,
+                    branchId: IsNull()
+                }
+            });
+            companyWidePermissions.filter((p)=>p.isValid()).forEach((p)=>actionIds.add(p.targetId));
             const branchPermissions = await permissionRepo.find({
-                where: branchWhere
+                where: {
+                    ...baseWhere,
+                    branchId
+                }
+            });
+            branchPermissions.filter((p)=>p.isValid()).forEach((p)=>actionIds.add(p.targetId));
+        } else {
+            // No branch context: get all actions for this company
+            const allPermissions = await permissionRepo.find({
+                where: baseWhere
             });
-            branchPermissions.forEach((p)=>actionIds.add(p.targetId));
+            allPermissions.filter((p)=>p.isValid()).forEach((p)=>actionIds.add(p.targetId));
         }
         return Array.from(actionIds);
     }
     /** Invalidate permission cache for a user */ async invalidateUserPermissionCache(userId, branchId, companyId) {
-        // Wrap branchId in array if provided, otherwise invalidate null branch only
         const branchIds = branchId !== undefined ? [
             branchId
         ] : [
@@ -842,11 +824,10 @@ export class PermissionService {
         ];
         await this.permissionCacheService.invalidateUser(userId, companyId, branchIds);
     }
-    /** Invalidate permission cache for all users with a specific role */ async invalidateRoleMembersCache(roleId) {
+    async invalidateRoleMembersCache(roleId) {
         const permissionRepo = await this.getPermissionRepository();
         const roleRepo = await this.getRoleRepository();
         const enableCompanyFeature = this.iamConfigService.isCompanyFeatureEnabled();
-        // Find all users assigned to this role with their branch IDs
         const userRoles = await permissionRepo.find({
             where: {
                 permissionType: IamPermissionType.USER_ROLE,
@@ -855,21 +836,18 @@ export class PermissionService {
                 targetId: roleId
             }
         });
-        // Get unique user IDs
         const userIds = [
             ...new Set(userRoles.map((ur)=>ur.sourceId))
         ];
         if (userIds.length === 0) {
             return 0;
         }
-        // Get company ID from role (if company feature enabled)
         const role = await roleRepo.findOne({
             where: {
                 id: roleId
             }
         });
         const companyId = role?.companyId || null;
-        // Get all branch IDs for these users (to invalidate all their cached branches)
         let branchIds = [
             null
         ];
@@ -883,15 +861,13 @@ export class PermissionService {
                 ...new Set(userBranches.map((p)=>p.branchId))
             ];
         }
-        // Invalidate cache for all users with all their branches
-        return await this.permissionCacheService.invalidateRole(roleId, userIds, companyId, branchIds);
+        return this.permissionCacheService.invalidateRole(roleId, userIds, companyId, branchIds);
     }
     /** Invalidate permission cache for all users in a company */ async invalidateCompanyMembersCache(companyId) {
         if (!this.iamConfigService.isCompanyFeatureEnabled()) {
             return 0;
         }
         const permissionRepo = await this.getPermissionRepository();
-        // Find all unique user IDs and branch IDs that have permissions in this company
         const userPermissions = await permissionRepo.createQueryBuilder('p').select('DISTINCT p.user_id', 'userId').addSelect('p.branch_id', 'branchId').where('p.company_id = :companyId', {
             companyId
         }).andWhere('p.user_id IS NOT NULL').getRawMany();
@@ -907,13 +883,11 @@ export class PermissionService {
         return await this.permissionCacheService.invalidateUsers(userIds, companyId, branchIds);
     }
     // NOTE: @Inject() required for bundled code - type metadata may be lost during esbuild
-    constructor(permissionEvaluator, permissionCacheService, iamConfigService, dataSourceProvider){
-        _define_property(this, "permissionEvaluator", void 0);
+    constructor(permissionCacheService, iamConfigService, dataSourceProvider){
         _define_property(this, "permissionCacheService", void 0);
         _define_property(this, "iamConfigService", void 0);
         _define_property(this, "dataSourceProvider", void 0);
         _define_property(this, "logger", void 0);
-        this.permissionEvaluator = permissionEvaluator;
         this.permissionCacheService = permissionCacheService;
         this.iamConfigService = iamConfigService;
         this.dataSourceProvider = dataSourceProvider;
@@ -924,15 +898,13 @@ PermissionService = _ts_decorate([
     Injectable({
         scope: Scope.REQUEST
     }),
-    _ts_param(0, Inject(PermissionEvaluatorHelper)),
-    _ts_param(1, Inject(PermissionCacheService)),
-    _ts_param(2, Inject(IAMConfigService)),
-    _ts_param(3, Inject(IAMDataSourceProvider)),
+    _ts_param(0, Inject(PermissionCacheService)),
+    _ts_param(1, Inject(IAMConfigService)),
+    _ts_param(2, Inject(IAMDataSourceService)),
     _ts_metadata("design:type", Function),
     _ts_metadata("design:paramtypes", [
-        typeof PermissionEvaluatorHelper === "undefined" ? Object : PermissionEvaluatorHelper,
         typeof PermissionCacheService === "undefined" ? Object : PermissionCacheService,
         typeof IAMConfigService === "undefined" ? Object : IAMConfigService,
-        typeof IAMDataSourceProvider === "undefined" ? Object : IAMDataSourceProvider
+        typeof IAMDataSourceService === "undefined" ? Object : IAMDataSourceService
     ])
 ], PermissionService);