@gelabs/ovr 0.2.1 → 0.3.0

package/dist/data-mock-store.js

@@ -1,20 +1,33 @@
-import { round2, computeCharges, makePaymentRef, fullName, addDays, makeBillNo, makeOrderOfPaymentNo, makeOvrTicketNo, enrich } from './chunk-B634JHKZ.js';
+import { SUPER_ADMIN_LOCKED_PERMISSIONS, ALL_PERMISSIONS } from './chunk-IS3THKTE.js';
+import { round2, computeCharges, makePaymentRef, fullName, addDays, makeBillNo, makeOrderOfPaymentNo, makeOvrTicketNo, enrich } from './chunk-BI4EGLPG.js';
 import 'server-only';
 import { promises } from 'fs';
+import { randomUUID } from 'crypto';
 import os from 'os';
 import path from 'path';
 
-var SEED_VERSION = 1;
+var SEED_VERSION = 5;
 var norm = (s) => s.trim().toLowerCase();
+function slugRole(label) {
+  return label.trim().toLowerCase().replace(/[^a-z0-9]+/g, "-").replace(/^-+|-+$/g, "");
+}
+function normalizePerms(perms) {
+  const set = new Set(perms);
+  return ALL_PERMISSIONS.filter((p) => set.has(p));
+}
 function createMockStore(rules, seed) {
-  const { CATALOG, OFFICERS, SEED_TICKETS, SEED_NEXT_SEQ } = seed;
+  const { CATALOG, OFFICERS, SEED_TICKETS, SEED_NEXT_SEQ, USERS, ROLES } = seed;
   const STORE_PATH = process.env.EOVR_STORE_FILE || path.join(os.tmpdir(), "eovr-store.json");
   const enrichRec = (rec, asOf) => enrich(rec, asOf, rules.surchargeRatePerMonth);
   function seeded() {
     return {
       version: SEED_VERSION,
       counter: SEED_NEXT_SEQ,
-      tickets: structuredClone(SEED_TICKETS)
+      tickets: structuredClone(SEED_TICKETS),
+      users: structuredClone(USERS),
+      roles: structuredClone(ROLES),
+      activities: [],
+      officers: structuredClone(OFFICERS)
     };
   }
   async function writeStore(data) {
@@ -24,7 +37,7 @@ function createMockStore(rules, seed) {
     try {
       const raw = await promises.readFile(STORE_PATH, "utf8");
       const data = JSON.parse(raw);
-      if (!data || data.version !== SEED_VERSION || !Array.isArray(data.tickets) || typeof data.counter !== "number") {
+      if (!data || data.version !== SEED_VERSION || !Array.isArray(data.tickets) || !Array.isArray(data.users) || !Array.isArray(data.roles) || !Array.isArray(data.activities) || !Array.isArray(data.officers) || typeof data.counter !== "number") {
         const fresh = seeded();
         await writeStore(fresh);
         return fresh;
@@ -42,16 +55,75 @@ function createMockStore(rules, seed) {
       return structuredClone(items);
     },
     async listOfficers() {
-      return structuredClone(OFFICERS);
+      const data = await readStore();
+      return structuredClone(data.officers);
     },
     async getOfficer(id) {
-      return OFFICERS.find((o) => o.id === id) ?? null;
+      const data = await readStore();
+      return data.officers.find((o) => o.id === id) ?? null;
+    },
+    async createOfficer(input) {
+      const data = await readStore();
+      const name = input.name.trim();
+      if (!name) throw new Error("Officer name is required.");
+      const office = input.office.trim();
+      if (!office) throw new Error("Office is required.");
+      const id = `off-${slugRole(name)}`;
+      if (id === "off-") {
+        throw new Error("Officer name must include letters or numbers.");
+      }
+      if (data.officers.some((o) => o.id === id)) {
+        throw new Error(`An officer "${name}" already exists.`);
+      }
+      const officer = {
+        id,
+        name,
+        badgeNo: input.badgeNo?.trim() || void 0,
+        office
+      };
+      data.officers.push(officer);
+      await writeStore(data);
+      return structuredClone(officer);
+    },
+    async updateOfficer(id, patch) {
+      const data = await readStore();
+      const o = data.officers.find((x) => x.id === id);
+      if (!o) throw new Error("Officer not found.");
+      if (patch.name !== void 0) {
+        const name = patch.name.trim();
+        if (!name) throw new Error("Officer name is required.");
+        o.name = name;
+      }
+      if (patch.office !== void 0) {
+        const office = patch.office.trim();
+        if (!office) throw new Error("Office is required.");
+        o.office = office;
+      }
+      if (patch.badgeNo !== void 0) o.badgeNo = patch.badgeNo?.trim() || void 0;
+      await writeStore(data);
+      return structuredClone(o);
+    },
+    async deleteOfficer(id) {
+      const data = await readStore();
+      const o = data.officers.find((x) => x.id === id);
+      if (!o) throw new Error("Officer not found.");
+      const ticketCount = data.tickets.filter((t) => t.officer.id === id).length;
+      if (ticketCount > 0) {
+        throw new Error(
+          `Can't remove \u2014 this officer has ${ticketCount} issued ticket(s).`
+        );
+      }
+      if (data.users.some((u) => u.officerId === id)) {
+        throw new Error("Can't remove \u2014 this officer is linked to an account.");
+      }
+      data.officers = data.officers.filter((x) => x.id !== id);
+      await writeStore(data);
     },
     async createTicket(input) {
       const store2 = await readStore();
       const now = /* @__PURE__ */ new Date();
       const seq = store2.counter;
-      const officer = OFFICERS.find((o) => o.id === input.officerId) ?? OFFICERS[0];
+      const officer = store2.officers.find((o) => o.id === input.officerId) ?? store2.officers[0];
       const violations = input.violations.map((v) => {
         const c = CATALOG.find((x) => x.code === v.catalogCode);
         if (!c) throw new Error(`Unknown violation code: ${v.catalogCode}`);
@@ -82,6 +154,9 @@ function createMockStore(rules, seed) {
         officer,
         violations,
         remarks: input.remarks?.trim() || void 0,
+        issuedBy: input.issuedBy?.trim() || void 0,
+        apprehendingEnforcerId: input.apprehendingEnforcerId || void 0,
+        apprehendingEnforcerName: input.apprehendingEnforcerName?.trim() || void 0,
         assessedAt,
         dueDate: addDays(now, rules.dueWindowDays).toISOString(),
         basicFinesTotal,
@@ -109,7 +184,7 @@ function createMockStore(rules, seed) {
       );
       if (existing) return enrichRec(existing, /* @__PURE__ */ new Date());
       const created = new Date(input.createdAt);
-      const officer = OFFICERS.find((o) => o.id === input.officerId) ?? OFFICERS[0];
+      const officer = data.officers.find((o) => o.id === input.officerId) ?? data.officers[0];
       const violations = input.violations.map((v) => {
         const c = CATALOG.find((x) => x.code === v.catalogCode);
         if (!c) throw new Error(`Unknown violation code: ${v.catalogCode}`);
@@ -135,6 +210,9 @@ function createMockStore(rules, seed) {
         officer,
         violations,
         remarks: input.remarks?.trim() || void 0,
+        issuedBy: input.issuedBy?.trim() || void 0,
+        apprehendingEnforcerId: input.apprehendingEnforcerId || void 0,
+        apprehendingEnforcerName: input.apprehendingEnforcerName?.trim() || void 0,
         assessedAt: input.createdAt,
         dueDate: addDays(created, rules.dueWindowDays).toISOString(),
         basicFinesTotal,
@@ -220,6 +298,184 @@ function createMockStore(rules, seed) {
           }) === todayKey
         ).length
       };
+    },
+    // ── Accounts (GE-013 RBAC) ──────────────────────────────────────────────
+    // Mock mode has no real credential store (login is the demo cookie); these
+    // back the accounts UI so it's fully browsable without Postgres.
+    async listUsers() {
+      const data = await readStore();
+      return structuredClone(data.users).sort(
+        (a, b) => new Date(b.createdAt).getTime() - new Date(a.createdAt).getTime()
+      );
+    },
+    async createUser(input) {
+      const data = await readStore();
+      const username = input.username.trim();
+      if (!username) throw new Error("Username is required.");
+      const role = data.roles.find((r) => r.name === input.role);
+      if (!role) throw new Error(`Unknown role: ${input.role}`);
+      if (data.users.some((u) => norm(u.username) === norm(username))) {
+        throw new Error(`Username "${username}" is already taken.`);
+      }
+      const officer = input.officerId ? data.officers.find((o) => o.id === input.officerId) : void 0;
+      const account = {
+        id: `usr-${randomUUID()}`,
+        username,
+        role: role.name,
+        roleLabel: role.label,
+        active: true,
+        officerId: input.officerId ?? null,
+        officerName: officer?.name,
+        createdAt: (/* @__PURE__ */ new Date()).toISOString()
+      };
+      data.users.unshift(account);
+      await writeStore(data);
+      return structuredClone(account);
+    },
+    async setUserActive(id, active) {
+      const data = await readStore();
+      const u = data.users.find((x) => x.id === id);
+      if (!u) throw new Error("Account not found.");
+      u.active = active;
+      await writeStore(data);
+      return structuredClone(u);
+    },
+    async setUserRole(id, role) {
+      const data = await readStore();
+      const u = data.users.find((x) => x.id === id);
+      if (!u) throw new Error("Account not found.");
+      const roleDef = data.roles.find((r) => r.name === role);
+      if (!roleDef) throw new Error(`Unknown role: ${role}`);
+      u.role = roleDef.name;
+      u.roleLabel = roleDef.label;
+      await writeStore(data);
+      return structuredClone(u);
+    },
+    async updateUser(id, patch) {
+      const data = await readStore();
+      const u = data.users.find((x) => x.id === id);
+      if (!u) throw new Error("Account not found.");
+      if (patch.username !== void 0) {
+        const username = patch.username.trim();
+        if (!username) throw new Error("Username is required.");
+        if (data.users.some((x) => x.id !== id && norm(x.username) === norm(username))) {
+          throw new Error(`Username "${username}" is already taken.`);
+        }
+        u.username = username;
+      }
+      if (patch.role !== void 0) {
+        const roleDef = data.roles.find((r) => r.name === patch.role);
+        if (!roleDef) throw new Error(`Unknown role: ${patch.role}`);
+        u.role = roleDef.name;
+        u.roleLabel = roleDef.label;
+      }
+      if (patch.officerId !== void 0) {
+        u.officerId = patch.officerId ?? null;
+        const officer = patch.officerId ? data.officers.find((o) => o.id === patch.officerId) : void 0;
+        u.officerName = officer?.name;
+      }
+      await writeStore(data);
+      return structuredClone(u);
+    },
+    async resetUserPassword() {
+    },
+    // ── Roles (GE-013 RBAC) ─────────────────────────────────────────────────
+    async listRoles() {
+      const data = await readStore();
+      return structuredClone(data.roles).sort(
+        (a, b) => a.isSystem === b.isSystem ? a.label.localeCompare(b.label) : a.isSystem ? -1 : 1
+      );
+    },
+    async getRolePermissions(name) {
+      const data = await readStore();
+      const r = data.roles.find((x) => x.name === name);
+      return r ? normalizePerms(r.permissions) : [];
+    },
+    async createRole(input) {
+      const data = await readStore();
+      const label = input.label.trim();
+      if (!label) throw new Error("Role name is required.");
+      const name = slugRole(label);
+      if (!name) throw new Error("Role name must include letters or numbers.");
+      if (data.roles.some((r) => r.name === name)) {
+        throw new Error(`A role named "${label}" already exists.`);
+      }
+      const role = {
+        name,
+        label,
+        isSystem: false,
+        permissions: normalizePerms(input.permissions)
+      };
+      data.roles.push(role);
+      await writeStore(data);
+      return structuredClone(role);
+    },
+    async updateRole(name, patch) {
+      const data = await readStore();
+      const role = data.roles.find((r) => r.name === name);
+      if (!role) throw new Error("Role not found.");
+      if (patch.label !== void 0 && !role.isSystem) {
+        const label = patch.label.trim();
+        if (!label) throw new Error("Role name is required.");
+        role.label = label;
+      }
+      if (patch.permissions !== void 0) {
+        let perms = normalizePerms(patch.permissions);
+        if (name === "SUPER_ADMIN") {
+          perms = normalizePerms([...perms, ...SUPER_ADMIN_LOCKED_PERMISSIONS]);
+        }
+        role.permissions = perms;
+      }
+      await writeStore(data);
+      return structuredClone(role);
+    },
+    async deleteRole(name) {
+      const data = await readStore();
+      const role = data.roles.find((r) => r.name === name);
+      if (!role) throw new Error("Role not found.");
+      if (role.isSystem) throw new Error("System roles can't be deleted.");
+      const inUse = data.users.filter((u) => u.role === name).length;
+      if (inUse > 0) {
+        throw new Error(
+          `Can't delete "${role.label}" \u2014 it's assigned to ${inUse} account(s).`
+        );
+      }
+      data.roles = data.roles.filter((r) => r.name !== name);
+      await writeStore(data);
+    },
+    // ── Activity log (GE-022) ───────────────────────────────────────────────
+    async logActivity(entry) {
+      const data = await readStore();
+      data.activities.push({
+        id: `act-${randomUUID()}`,
+        actorId: entry.actorId ?? null,
+        actorUsername: entry.actorUsername ?? null,
+        action: entry.action,
+        summary: entry.summary,
+        targetType: entry.targetType,
+        targetId: entry.targetId,
+        createdAt: (/* @__PURE__ */ new Date()).toISOString()
+      });
+      await writeStore(data);
+    },
+    async listActivity(filter) {
+      const data = await readStore();
+      let items = [...data.activities].sort(
+        (a, b) => new Date(b.createdAt).getTime() - new Date(a.createdAt).getTime()
+      );
+      if (filter?.action) items = items.filter((a) => a.action === filter.action);
+      if (filter?.actorId)
+        items = items.filter((a) => a.actorId === filter.actorId);
+      if (filter?.fromISO) {
+        const lo = Date.parse(filter.fromISO);
+        items = items.filter((a) => Date.parse(a.createdAt) >= lo);
+      }
+      if (filter?.toISO) {
+        const hi = Date.parse(filter.toISO);
+        items = items.filter((a) => Date.parse(a.createdAt) <= hi);
+      }
+      const limit = Math.min(Math.max(filter?.limit ?? 200, 1), 1e3);
+      return structuredClone(items.slice(0, limit));
     }
   };
   return store;

package/dist/data-prisma-store.js

@@ -1,13 +1,22 @@
 import { prisma } from './chunk-MKALJTAU.js';
-import { round2, computeCharges, makePaymentRef, fullName, addDays, makeBillNo, makeOrderOfPaymentNo, makeOvrTicketNo, enrich } from './chunk-B634JHKZ.js';
+import { SUPER_ADMIN_LOCKED_PERMISSIONS, ALL_PERMISSIONS } from './chunk-IS3THKTE.js';
+import { round2, computeCharges, makePaymentRef, fullName, addDays, makeBillNo, makeOrderOfPaymentNo, makeOvrTicketNo, enrich } from './chunk-BI4EGLPG.js';
 import 'server-only';
 
 var norm = (s) => s.trim().toLowerCase();
+function slugRole(label) {
+  return label.trim().toLowerCase().replace(/[^a-z0-9]+/g, "-").replace(/^-+|-+$/g, "");
+}
+function normalizePerms(perms) {
+  const set = new Set(perms);
+  return ALL_PERMISSIONS.filter((p) => set.has(p));
+}
 var ticketInclude = {
   officer: true,
   violations: true,
   payment: true
 };
+var userInclude = { officer: true, roleRef: true };
 function toOfficer(o) {
   return {
     id: o.id,
@@ -16,6 +25,26 @@ function toOfficer(o) {
     office: o.office
   };
 }
+function toUserAccount(u) {
+  return {
+    id: u.id,
+    username: u.username,
+    role: u.role,
+    roleLabel: u.roleRef?.label,
+    active: u.active,
+    officerId: u.officerId ?? null,
+    officerName: u.officer?.name,
+    createdAt: u.createdAt.toISOString()
+  };
+}
+function toRoleDef(r) {
+  return {
+    name: r.name,
+    label: r.label,
+    isSystem: r.isSystem,
+    permissions: normalizePerms(r.permissions)
+  };
+}
 function toRecord(row) {
   const violator = {
     firstName: row.violatorFirstName,
@@ -45,6 +74,9 @@ function toRecord(row) {
     officer: toOfficer(row.officer),
     violations,
     remarks: row.remarks ?? void 0,
+    issuedBy: row.issuedBy ?? void 0,
+    apprehendingEnforcerId: row.apprehendingEnforcerId ?? void 0,
+    apprehendingEnforcerName: row.apprehendingEnforcerName ?? void 0,
     assessedAt: row.assessedAt.toISOString(),
     dueDate: row.dueDate.toISOString(),
     basicFinesTotal: row.basicFinesTotal.toNumber(),
@@ -84,6 +116,49 @@ function createPrismaStore(rules) {
       const o = await prisma.officer.findUnique({ where: { id } });
       return o ? toOfficer(o) : null;
     },
+    async createOfficer(input) {
+      const name = input.name.trim();
+      if (!name) throw new Error("Officer name is required.");
+      const office = input.office.trim();
+      if (!office) throw new Error("Office is required.");
+      const id = `off-${slugRole(name)}`;
+      if (id === "off-") throw new Error("Officer name must include letters or numbers.");
+      const existing = await prisma.officer.findUnique({ where: { id } });
+      if (existing) throw new Error(`An officer "${name}" already exists.`);
+      const o = await prisma.officer.create({
+        data: { id, name, badgeNo: input.badgeNo?.trim() || null, office }
+      });
+      return toOfficer(o);
+    },
+    async updateOfficer(id, patch) {
+      const data = {};
+      if (patch.name !== void 0) {
+        const name = patch.name.trim();
+        if (!name) throw new Error("Officer name is required.");
+        data.name = name;
+      }
+      if (patch.office !== void 0) {
+        const office = patch.office.trim();
+        if (!office) throw new Error("Office is required.");
+        data.office = office;
+      }
+      if (patch.badgeNo !== void 0) data.badgeNo = patch.badgeNo?.trim() || null;
+      const o = await prisma.officer.update({ where: { id }, data });
+      return toOfficer(o);
+    },
+    async deleteOfficer(id) {
+      const tickets = await prisma.ticket.count({ where: { officerId: id } });
+      if (tickets > 0) {
+        throw new Error(
+          `Can't remove \u2014 this officer has ${tickets} issued ticket(s).`
+        );
+      }
+      const linked = await prisma.user.count({ where: { officerId: id } });
+      if (linked > 0) {
+        throw new Error("Can't remove \u2014 this officer is linked to an account.");
+      }
+      await prisma.officer.delete({ where: { id } });
+    },
     async createTicket(input) {
       const now = /* @__PURE__ */ new Date();
       const v = input.violator;
@@ -145,6 +220,9 @@ function createPrismaStore(rules) {
             apprehendedAt: new Date(input.apprehendedAt),
             placeOfViolation: input.placeOfViolation?.trim() || null,
             remarks: input.remarks?.trim() || null,
+            issuedBy: input.issuedBy?.trim() || null,
+            apprehendingEnforcerId: input.apprehendingEnforcerId || null,
+            apprehendingEnforcerName: input.apprehendingEnforcerName?.trim() || null,
             officerId: officer.id,
             assessedAt: now,
             dueDate: addDays(now, rules.dueWindowDays),
@@ -228,6 +306,9 @@ function createPrismaStore(rules) {
             apprehendedAt: new Date(input.apprehendedAt),
             placeOfViolation: input.placeOfViolation?.trim() || null,
             remarks: input.remarks?.trim() || null,
+            issuedBy: input.issuedBy?.trim() || null,
+            apprehendingEnforcerId: input.apprehendingEnforcerId || null,
+            apprehendingEnforcerName: input.apprehendingEnforcerName?.trim() || null,
             officerId: officer.id,
             assessedAt: created,
             dueDate: addDays(created, rules.dueWindowDays),
@@ -339,6 +420,178 @@ function createPrismaStore(rules) {
           }) === todayKey
         ).length
       };
+    },
+    // ── Accounts (GE-013 RBAC) ──────────────────────────────────────────────
+    async listUsers() {
+      const rows = await prisma.user.findMany({
+        include: userInclude,
+        orderBy: { createdAt: "desc" }
+      });
+      return rows.map(toUserAccount);
+    },
+    async createUser(input) {
+      const username = input.username.trim();
+      if (!username) throw new Error("Username is required.");
+      const role = await prisma.role.findUnique({ where: { name: input.role } });
+      if (!role) throw new Error(`Unknown role: ${input.role}`);
+      const existing = await prisma.user.findUnique({ where: { username } });
+      if (existing) throw new Error(`Username "${username}" is already taken.`);
+      const row = await prisma.user.create({
+        data: {
+          username,
+          passwordHash: input.passwordHash,
+          role: input.role,
+          active: true,
+          officerId: input.officerId ?? null
+        },
+        include: userInclude
+      });
+      return toUserAccount(row);
+    },
+    async setUserActive(id, active) {
+      const row = await prisma.user.update({
+        where: { id },
+        data: { active },
+        include: userInclude
+      });
+      return toUserAccount(row);
+    },
+    async setUserRole(id, role) {
+      const exists = await prisma.role.findUnique({ where: { name: role } });
+      if (!exists) throw new Error(`Unknown role: ${role}`);
+      const row = await prisma.user.update({
+        where: { id },
+        data: { role },
+        include: userInclude
+      });
+      return toUserAccount(row);
+    },
+    async updateUser(id, patch) {
+      const data = {};
+      if (patch.username !== void 0) {
+        const username = patch.username.trim();
+        if (!username) throw new Error("Username is required.");
+        const existing = await prisma.user.findUnique({ where: { username } });
+        if (existing && existing.id !== id) {
+          throw new Error(`Username "${username}" is already taken.`);
+        }
+        data.username = username;
+      }
+      if (patch.role !== void 0) {
+        const role = await prisma.role.findUnique({ where: { name: patch.role } });
+        if (!role) throw new Error(`Unknown role: ${patch.role}`);
+        data.roleRef = { connect: { name: patch.role } };
+      }
+      if (patch.officerId !== void 0) {
+        data.officer = patch.officerId ? { connect: { id: patch.officerId } } : { disconnect: true };
+      }
+      const row = await prisma.user.update({
+        where: { id },
+        data,
+        include: userInclude
+      });
+      return toUserAccount(row);
+    },
+    async resetUserPassword(id, passwordHash) {
+      await prisma.user.update({ where: { id }, data: { passwordHash } });
+    },
+    // ── Roles (GE-013 RBAC) ─────────────────────────────────────────────────
+    async listRoles() {
+      const rows = await prisma.role.findMany({
+        orderBy: [{ isSystem: "desc" }, { label: "asc" }]
+      });
+      return rows.map(toRoleDef);
+    },
+    async getRolePermissions(name) {
+      const r = await prisma.role.findUnique({ where: { name } });
+      return r ? normalizePerms(r.permissions) : [];
+    },
+    async createRole(input) {
+      const label = input.label.trim();
+      if (!label) throw new Error("Role name is required.");
+      const name = slugRole(label);
+      if (!name) throw new Error("Role name must include letters or numbers.");
+      const existing = await prisma.role.findUnique({ where: { name } });
+      if (existing) throw new Error(`A role named "${label}" already exists.`);
+      const row = await prisma.role.create({
+        data: {
+          name,
+          label,
+          isSystem: false,
+          permissions: normalizePerms(input.permissions)
+        }
+      });
+      return toRoleDef(row);
+    },
+    async updateRole(name, patch) {
+      const role = await prisma.role.findUnique({ where: { name } });
+      if (!role) throw new Error("Role not found.");
+      const data = {};
+      if (patch.label !== void 0 && !role.isSystem) {
+        const label = patch.label.trim();
+        if (!label) throw new Error("Role name is required.");
+        data.label = label;
+      }
+      if (patch.permissions !== void 0) {
+        let perms = normalizePerms(patch.permissions);
+        if (name === "SUPER_ADMIN") {
+          perms = normalizePerms([...perms, ...SUPER_ADMIN_LOCKED_PERMISSIONS]);
+        }
+        data.permissions = perms;
+      }
+      const row = await prisma.role.update({ where: { name }, data });
+      return toRoleDef(row);
+    },
+    async deleteRole(name) {
+      const role = await prisma.role.findUnique({ where: { name } });
+      if (!role) throw new Error("Role not found.");
+      if (role.isSystem) throw new Error("System roles can't be deleted.");
+      const inUse = await prisma.user.count({ where: { role: name } });
+      if (inUse > 0) {
+        throw new Error(
+          `Can't delete "${role.label}" \u2014 it's assigned to ${inUse} account(s).`
+        );
+      }
+      await prisma.role.delete({ where: { name } });
+    },
+    // ── Activity log (GE-022) ───────────────────────────────────────────────
+    async logActivity(entry) {
+      await prisma.activityLog.create({
+        data: {
+          actorId: entry.actorId ?? null,
+          actorUsername: entry.actorUsername ?? null,
+          action: entry.action,
+          summary: entry.summary,
+          targetType: entry.targetType ?? null,
+          targetId: entry.targetId ?? null
+        }
+      });
+    },
+    async listActivity(filter) {
+      const where = {};
+      if (filter?.action) where.action = filter.action;
+      if (filter?.actorId) where.actorId = filter.actorId;
+      if (filter?.fromISO || filter?.toISO) {
+        const range = {};
+        if (filter.fromISO) range.gte = new Date(filter.fromISO);
+        if (filter.toISO) range.lte = new Date(filter.toISO);
+        where.createdAt = range;
+      }
+      const rows = await prisma.activityLog.findMany({
+        where,
+        orderBy: { createdAt: "desc" },
+        take: Math.min(Math.max(filter?.limit ?? 200, 1), 1e3)
+      });
+      return rows.map((r) => ({
+        id: r.id,
+        actorId: r.actorId ?? null,
+        actorUsername: r.actorUsername ?? null,
+        action: r.action,
+        summary: r.summary,
+        targetType: r.targetType ?? void 0,
+        targetId: r.targetId ?? void 0,
+        createdAt: r.createdAt.toISOString()
+      }));
     }
   };
   return store;

package/dist/data-seed-runner.js

@@ -1,6 +1,18 @@
 // ../ovr-data/src/seed-runner.ts
 async function seedRunner(prisma, data) {
-  const { catalog, officers, tickets, users, passwordHash } = data;
+  const { catalog, officers, tickets, users, roles, passwordHash } = data;
+  for (const r of roles) {
+    await prisma.role.upsert({
+      where: { name: r.name },
+      update: { label: r.label, isSystem: r.isSystem, permissions: r.permissions },
+      create: {
+        name: r.name,
+        label: r.label,
+        isSystem: r.isSystem,
+        permissions: r.permissions
+      }
+    });
+  }
   for (const o of officers) {
     await prisma.officer.upsert({
       where: { id: o.id },
@@ -77,21 +89,12 @@ async function seedRunner(prisma, data) {
     });
   }
   for (const u of users) {
+    const role = u.role ?? "ENFORCER";
+    const officerId = u.officerId ?? null;
     await prisma.user.upsert({
       where: { username: u.username },
-      update: {
-        passwordHash,
-        role: "ENFORCER",
-        active: true,
-        officerId: u.officerId
-      },
-      create: {
-        username: u.username,
-        passwordHash,
-        role: "ENFORCER",
-        active: true,
-        officerId: u.officerId
-      }
+      update: { passwordHash, role, active: true, officerId },
+      create: { username: u.username, passwordHash, role, active: true, officerId }
     });
   }
   await prisma.$executeRawUnsafe(`
@@ -102,7 +105,7 @@ async function seedRunner(prisma, data) {
     )
   `);
   console.log(
-    `\u2713 Seed complete: ${officers.length} officers, ${catalog.length} catalog items, ${tickets.length} tickets, ${users.length} users.`
+    `\u2713 Seed complete: ${roles.length} roles, ${officers.length} officers, ${catalog.length} catalog items, ${tickets.length} tickets, ${users.length} users.`
   );
 }