@happyvertical/smrt-users 0.31.0 → 0.32.0

package/AGENTS.md

@@ -18,14 +18,30 @@ Multi-tenant user management with RBAC, hierarchical tenants, session handling,
 | MembershipOverride | Per-user permission grant/deny. **DENY always wins.** |
 | TenantPermissionOverride | Tenant-level cascade overrides. Effect: INHERIT/GRANT/DENY. |
 
-## Permission Resolution — 4-Level Cascade
-
-PermissionResolver evaluates in order (each level can add/remove permissions):
-
-1. **Tenant hierarchy** — walk ancestors, apply TenantPermissionOverride at each level
-2. **Membership role** — base permissions from user's role in tenant
-3. **Group roles** — permissions from all groups user belongs to **in that tenant**
-4. **Membership overrides** — final GRANT/DENY per-user (DENY takes absolute precedence)
+## Permission Resolution — Precedence (broad → specific, most-specific wins)
+
+`PermissionResolver.resolvePermissions` builds the effective set in this order;
+each later layer overrides earlier ones:
+
+1. **Tenant-inherited** — walk ancestors, apply each `TenantPermissionOverride`
+   down the cascade (GRANT adds, DENY removes within the hierarchy)
+2. **Membership role** — base permissions from the user's role in the tenant
+3. **Group roles** — permissions from all groups the user belongs to **in that tenant**
+4. **Tenant-level DENY** *(removes; overrides role/group grants, tenant-wide)* — a
+   `TenantPermissionOverride` with effect `DENY` is a HARD, tenant-wide block: it
+   subtracts the DENY'd slug even if a role or group granted it (steps 2–3). It
+   sits just **above** the per-user membership overrides and **below** role/group.
+5. **Membership GRANT override** *(re-adds; most specific)* — a per-user GRANT can
+   re-add a slug a tenant DENY'd in step 4, because it is more specific.
+6. **Membership DENY override** *(absolute; always wins)* — a per-user DENY removes
+   the slug last and is never overridden.
+
+So a permission a role grants but the tenant DENYs is **removed**, unless that
+exact user also has a membership-GRANT override for it. A membership-DENY always
+wins. Tenant-DENY of an inherited/cascade grant still blocks it (unchanged).
+The hard block reflects the tenant cascade's **net** resolution, not an
+unconditional union of every DENY in the chain — so a more-specific tenant GRANT
+(e.g. a child sub-tenant re-granting a permission its parent DENYs) still wins.
 
 **Critical**: `getGroupIdsForTenant(userId, tenantId)` (joins with groups table to scope by tenant). Never use `getGroupIds()` — it's cross-tenant.
 
@@ -64,13 +80,22 @@ await switchSessionTenant(event, tenantId, { db });
   structural regression test (`security-audit-1400.test.ts`) enumerates the
   registry to assert no authority model exposes a mutating op. (`cli` stays
   enabled — local-operator surface, outside the network/agent threat model.)
-- **`switchTenant` is fail-closed.** `SessionService.switchTenant` /
-  `switchSessionTenant` verify the session's user has an ACTIVE membership in the
-  target tenant before writing `session.tenantId` (the tenant-isolation key for
-  every `@TenantScoped` query). A non-member switch returns `false` without
-  mutating the session; `null` clears the context and is always allowed. The
-  low-level `SessionCollection.setSessionTenant` is the UNGUARDED primitive —
-  never call it with an untrusted tenant id.
+- **`switchTenant` is fail-closed AND rotates the session id.**
+  `SessionService.switchTenant` / `switchSessionTenant` verify the session's user
+  has an ACTIVE membership in the target tenant before any write (the tenant id
+  is the isolation key for every `@TenantScoped` query). A non-member/unknown-
+  session switch returns `{ switched: false, sessionId: null, ... }` and mutates
+  nothing. On a successful switch into a NON-null tenant the session id is
+  ROTATED: a fresh `Session` (new secure id, fresh TTL, same user, new tenant,
+  device context carried over) is minted and the old session is REVOKED — so a
+  captured pre-switch id immediately stops validating, shrinking the blast radius
+  of a leaked id across a tenant boundary. `switchTenant` returns a
+  `SwitchTenantResult` (`{ switched, sessionId, session, rotated }`); callers MUST
+  persist the returned `sessionId`. `switchSessionTenant` does this for you by
+  re-setting the session cookie (preserving httpOnly/secure/sameSite) to the new
+  id. A `null` clear stays in place (no rotation, no cookie change). The
+  low-level `SessionCollection.setSessionTenant` is the UNGUARDED primitive (used
+  for the null-clear path) — never call it with an untrusted tenant id.
 - **OIDC `email_verified` is enforced.** `UserCollection.getOrCreateFromOidc`
   refuses to provision a user when the IdP explicitly returns
   `email_verified: false` (opt out with `{ allowUnverifiedEmail: true }`). An

package/dist/chunks/{TerminalAuthService-DoAMQ_yn.js → TerminalAuthService-D5VVPG9e.js}

@@ -6,14 +6,14 @@ import { MembershipStatus, OverrideEffect, SessionStatus, TenantStatus, TenantPe
 ObjectRegistry.registerPackageManifest(
   new URL("./manifest.json", import.meta.url)
 );
-var __defProp$9 = Object.defineProperty;
-var __getOwnPropDesc$a = Object.getOwnPropertyDescriptor;
-var __decorateClass$a = (decorators, target, key, kind) => {
-  var result = kind > 1 ? void 0 : kind ? __getOwnPropDesc$a(target, key) : target;
+var __defProp$a = Object.defineProperty;
+var __getOwnPropDesc$b = Object.getOwnPropertyDescriptor;
+var __decorateClass$b = (decorators, target, key, kind) => {
+  var result = kind > 1 ? void 0 : kind ? __getOwnPropDesc$b(target, key) : target;
   for (var i = decorators.length - 1, decorator; i >= 0; i--)
     if (decorator = decorators[i])
       result = (kind ? decorator(target, key, result) : decorator(result)) || result;
-  if (kind && result) __defProp$9(target, key, result);
+  if (kind && result) __defProp$a(target, key, result);
   return result;
 };
 let UsersCliAuthRequest = class extends SmrtObject {
@@ -26,31 +26,31 @@ let UsersCliAuthRequest = class extends SmrtObject {
   expiresAt = /* @__PURE__ */ new Date();
   approvedAt = null;
 };
-__decorateClass$a([
+__decorateClass$b([
   field({ type: "text" })
 ], UsersCliAuthRequest.prototype, "userCode", 2);
-__decorateClass$a([
+__decorateClass$b([
   field({ type: "text" })
 ], UsersCliAuthRequest.prototype, "deviceCodeHash", 2);
-__decorateClass$a([
+__decorateClass$b([
   field({ type: "text" })
 ], UsersCliAuthRequest.prototype, "status", 2);
-__decorateClass$a([
+__decorateClass$b([
   field({ type: "text" })
 ], UsersCliAuthRequest.prototype, "userId", 2);
-__decorateClass$a([
+__decorateClass$b([
   field({ type: "text" })
 ], UsersCliAuthRequest.prototype, "tenantId", 2);
-__decorateClass$a([
+__decorateClass$b([
   field({ type: "text" })
 ], UsersCliAuthRequest.prototype, "sessionId", 2);
-__decorateClass$a([
+__decorateClass$b([
   field({ type: "datetime" })
 ], UsersCliAuthRequest.prototype, "expiresAt", 2);
-__decorateClass$a([
+__decorateClass$b([
   field({ type: "datetime", nullable: true })
 ], UsersCliAuthRequest.prototype, "approvedAt", 2);
-UsersCliAuthRequest = __decorateClass$a([
+UsersCliAuthRequest = __decorateClass$b([
   smrt({
     tableName: "users_cli_auth_requests",
     api: { include: [] },
@@ -98,6 +98,68 @@ class UsersCliAuthRequestCollection extends SmrtCollection {
     return count;
   }
 }
+var __defProp$9 = Object.defineProperty;
+var __getOwnPropDesc$a = Object.getOwnPropertyDescriptor;
+var __decorateClass$a = (decorators, target, key, kind) => {
+  var result = kind > 1 ? void 0 : kind ? __getOwnPropDesc$a(target, key) : target;
+  for (var i = decorators.length - 1, decorator; i >= 0; i--)
+    if (decorator = decorators[i])
+      result = (kind ? decorator(target, key, result) : decorator(result)) || result;
+  if (kind && result) __defProp$9(target, key, result);
+  return result;
+};
+let Group = class extends SmrtObject {
+  tenantId;
+  /**
+   * Display name for the group
+   */
+  name = "";
+  /**
+   * Description of the group
+   */
+  description = "";
+  constructor(options = {}) {
+    super(options);
+    if (options.tenantId !== void 0) this.tenantId = options.tenantId;
+    if (options.name !== void 0) this.name = options.name;
+    if (options.description !== void 0)
+      this.description = options.description;
+  }
+};
+__decorateClass$a([
+  foreignKey("Tenant", { required: true })
+], Group.prototype, "tenantId", 2);
+Group = __decorateClass$a([
+  smrt({
+    // #1400: read-only generated surface — RBAC/identity writes go through
+    // permission-gated services, not auth-only generated CRUD.
+    api: { include: ["list", "get"] },
+    mcp: { include: ["list", "get"] },
+    cli: true
+  })
+], Group);
+class GroupCollection extends SmrtCollection {
+  static _itemClass = Group;
+  /**
+   * Find all groups in a tenant
+   */
+  async findByTenant(tenantId) {
+    return await this.list({
+      where: { tenantId },
+      orderBy: "name ASC"
+    });
+  }
+  /**
+   * Find group by slug within a tenant
+   */
+  async findBySlug(slug, tenantId) {
+    const results = await this.list({
+      where: { slug, tenantId },
+      limit: 1
+    });
+    return results.length > 0 ? results[0] : null;
+  }
+}
 var __defProp$8 = Object.defineProperty;
 var __getOwnPropDesc$9 = Object.getOwnPropertyDescriptor;
 var __decorateClass$9 = (decorators, target, key, kind) => {
@@ -135,6 +197,22 @@ GroupMember = __decorateClass$9([
 ], GroupMember);
 class GroupMemberCollection extends SmrtCollection {
   static _itemClass = GroupMember;
+  /** Memoized Group collection, used to resolve the Group table name. */
+  groupCollection;
+  /**
+   * Resolve the database table name for the `Group` model from the registry
+   * (via a shared-connection GroupCollection) rather than hardcoding `groups`.
+   * A `@smrt({ tableName })` override or table prefix on Group would otherwise
+   * make raw joins reference a non-existent or foreign table.
+   */
+  async getGroupTableName() {
+    if (!this.groupCollection) {
+      this.groupCollection = await GroupCollection.create({
+        db: this.options.db
+      });
+    }
+    return this.groupCollection.tableName;
+  }
   /**
    * Find all members of a group
    */
@@ -203,10 +281,11 @@ class GroupMemberCollection extends SmrtCollection {
    * This prevents cross-tenant permission leakage by filtering groups by tenant
    */
   async getGroupIdsForTenant(userId, tenantId) {
+    const groupTable = await this.getGroupTableName();
     const sql = `
       SELECT gm.group_id
       FROM ${this.tableName} gm
-      INNER JOIN groups g ON g.id = gm.group_id
+      INNER JOIN ${groupTable} g ON g.id = gm.group_id
       WHERE gm.user_id = ? AND g.tenant_id = ?
     `;
     const result = await this.db.query(sql, userId, tenantId);
@@ -1047,8 +1126,17 @@ class SessionCollection extends SmrtCollection {
     if (!session) return null;
     if (!session.isValid()) {
       if (session.isExpired() && session.status === SessionStatus.ACTIVE) {
-        session.status = SessionStatus.EXPIRED;
-        await session.save();
+        const now = (/* @__PURE__ */ new Date()).toISOString();
+        await this.db.query(
+          `UPDATE ${this.tableName}
+           SET status = ?, updated_at = ?
+           WHERE id = ? AND status = ? AND expires_at < ?`,
+          SessionStatus.EXPIRED,
+          now,
+          sessionId,
+          SessionStatus.ACTIVE,
+          now
+        );
       }
       return null;
     }
@@ -4207,7 +4295,8 @@ class PermissionResolver {
     const result = {
       permissions: /* @__PURE__ */ new Set(),
       contributingTenantIds: [],
-      inheritanceActive: false
+      inheritanceActive: false,
+      deniedPermissions: /* @__PURE__ */ new Set()
     };
     const tenant = await this.tenantCollection.get({ id: tenantId });
     if (!tenant) {
@@ -4220,9 +4309,13 @@ class PermissionResolver {
       chainTenantIds
     );
     const allPermissionIds = /* @__PURE__ */ new Set();
+    const deniedPermissionIds = /* @__PURE__ */ new Set();
     for (const overrides of allOverridesMap.values()) {
       for (const id of overrides.grantedPermissionIds) allPermissionIds.add(id);
-      for (const id of overrides.deniedPermissionIds) allPermissionIds.add(id);
+      for (const id of overrides.deniedPermissionIds) {
+        allPermissionIds.add(id);
+        deniedPermissionIds.add(id);
+      }
     }
     let inheritedPermissions = /* @__PURE__ */ new Set();
     for (let i = 0; i < chain.length; i++) {
@@ -4270,6 +4363,13 @@ class PermissionResolver {
           result.permissions.add(perm.slug);
         }
       }
+      for (const permId of deniedPermissionIds) {
+        if (inheritedPermissions.has(permId)) continue;
+        const perm = permissionsMap.get(permId);
+        if (perm?.slug) {
+          result.deniedPermissions.add(perm.slug);
+        }
+      }
     }
     return result;
   }
@@ -4301,13 +4401,23 @@ class PermissionResolver {
     return chain;
   }
   /**
-   * Resolve all effective permissions for a user in a tenant
+   * Resolve all effective permissions for a user in a tenant.
+   *
+   * Precedence (broad -> specific, most-specific wins):
+   *   tenant-inherited (cascade)
+   *     -> role
+   *     -> group roles
+   *     -> tenant-DENY      (removes; overrides role/group grants, tenant-wide)
+   *     -> membership GRANT (re-adds; most specific, can win over a tenant-DENY)
+   *     -> membership DENY  (absolute; always wins)
    *
    * Algorithm:
    * 1. Get membership and collect all permission IDs from all sources
    * 2. Batch fetch all permissions in a single query
-   * 3. Apply permissions from role, groups, and overrides
-   * 4. DENY overrides take precedence over GRANT
+   * 3. Apply permissions from role, then groups
+   * 4. Subtract tenant-level DENY'd slugs (hard tenant-wide block)
+   * 5. Apply membership GRANT overrides (can re-add a tenant-DENY'd slug)
+   * 6. Subtract membership DENY overrides (absolute precedence)
    */
   async resolvePermissions(userId, tenantId, options = {}) {
     const result = {
@@ -4396,6 +4506,9 @@ class PermissionResolver {
         }
       }
     }
+    for (const slug of tenantPermissions.deniedPermissions) {
+      result.permissions.delete(slug);
+    }
     for (const permId of grantedPermissionIds) {
       const slug = permissionIdToSlug.get(permId);
       if (slug) {
@@ -4555,23 +4668,66 @@ class SessionService {
    * query, so it must never be set to a tenant the session's user is not an
    * active member of — otherwise a caller could read/write another tenant's data
    * by feeding an arbitrary id here (e.g. straight from untrusted form data).
-   * Fail-closed (#1400): returns `false` without switching when the session is
-   * unknown or the user has no active membership in the target tenant. Passing
-   * `null` clears the tenant context and is always allowed.
+   *
+   * Fail-closed (#1400): the user's ACTIVE membership in the target tenant is
+   * verified BEFORE any write. A non-member switch returns
+   * `{ switched: false, ... }` and mutates nothing.
+   *
+   * Session-id ROTATION (#1354 follow-up): a successful switch into a non-null
+   * tenant mints a BRAND-NEW session (fresh secure id, fresh TTL) for the same
+   * user with the new tenant, then REVOKES the old session — so any captured
+   * pre-switch session id immediately stops validating, shrinking the blast
+   * radius of a leaked id across a privilege/tenant boundary. The device context
+   * (user agent, IP, custom data) carries over to the new session. Callers MUST
+   * persist the returned `sessionId` (e.g. re-set the cookie).
+   *
+   * Passing `null` clears the tenant context, is always allowed, and stays
+   * in-place (no rotation — there is no privilege boundary being crossed).
+   *
+   * @returns A {@link SwitchTenantResult}; check `switched` for success.
    */
   async switchTenant(sessionId, tenantId) {
+    const failClosed = {
+      switched: false,
+      sessionId: null,
+      session: null,
+      rotated: false
+    };
     const session = await this.sessionCollection.findValidSession(sessionId);
-    if (!session) return false;
-    if (tenantId !== null) {
-      const membership = await this.membershipCollection.findByUserAndTenant(
-        session.userId,
-        tenantId
-      );
-      if (!membership || !membership.isActive()) {
-        return false;
-      }
+    if (!session) return failClosed;
+    if (tenantId === null) {
+      const ok = await this.sessionCollection.setSessionTenant(sessionId, null);
+      if (!ok) return failClosed;
+      const updated = await this.sessionCollection.findValidSession(sessionId);
+      return {
+        switched: true,
+        sessionId,
+        session: updated,
+        rotated: false
+      };
     }
-    return this.sessionCollection.setSessionTenant(sessionId, tenantId);
+    const membership = await this.membershipCollection.findByUserAndTenant(
+      session.userId,
+      tenantId
+    );
+    if (!membership || !membership.isActive()) {
+      return failClosed;
+    }
+    await this.sessionCollection.revokeSession(sessionId);
+    const rotated = await this.sessionCollection.createSession({
+      userId: session.userId,
+      tenantId,
+      ttl: this.defaultTTL,
+      userAgent: session.userAgent,
+      ipAddress: session.ipAddress,
+      data: session.data
+    });
+    return {
+      switched: true,
+      sessionId: rotated.id,
+      session: rotated,
+      rotated: true
+    };
   }
   /**
    * Get all active sessions for a user (for "manage sessions" UI)
@@ -5042,53 +5198,55 @@ class TerminalAuthRateLimitError extends TerminalAuthError {
   }
 }
 export {
-  JWSInvalid as $,
-  TenantPermissionOverride as A,
-  TenantPermissionOverrideCollection as B,
-  TerminalAuthError as C,
+  checkKeyLength as $,
+  Tenant as A,
+  TenantHierarchyError as B,
+  TenantPermissionOverride as C,
   DEFAULT_ROLES as D,
-  TerminalAuthRateLimitError as E,
-  TerminalAuthService as F,
-  GroupMember as G,
-  User as H,
-  UserCollection as I,
-  decodeOidcTransaction as J,
-  encodeOidcTransaction as K,
-  generateSessionId as L,
+  TenantPermissionOverrideCollection as E,
+  TerminalAuthError as F,
+  Group as G,
+  TerminalAuthRateLimitError as H,
+  TerminalAuthService as I,
+  User as J,
+  UserCollection as K,
+  decodeOidcTransaction as L,
   MembershipCollection as M,
-  getCurrentSessionPermissionContext as N,
+  encodeOidcTransaction as N,
   OidcLoginError as O,
   PermissionCollection as P,
-  getRequestScopedDatabase as Q,
+  generateSessionId as Q,
   RolePermission as R,
   Session as S,
   TenantCollection as T,
   UsersCliAuthRequest as U,
-  getUsersOidcConfig as V,
-  resolveOidcProviderConfig as W,
-  withSessionPermissionContext as X,
-  getSigKey as Y,
-  checkKeyLength as Z,
-  subtleAlgorithm as _,
+  getCurrentSessionPermissionContext as V,
+  getRequestScopedDatabase as W,
+  getUsersOidcConfig as X,
+  resolveOidcProviderConfig as Y,
+  withSessionPermissionContext as Z,
+  getSigKey as _,
   isValidPermissionSlug as a,
-  isDisjoint as a0,
-  validateCrit as a1,
-  checkKeyType as a2,
-  encode as a3,
-  encode$1 as a4,
-  concat as a5,
-  normalizeKey as a6,
-  JWTClaimsBuilder as a7,
-  JWTInvalid as a8,
-  errors as a9,
-  jwtVerify as aa,
-  compactVerify as ab,
-  createLocalJWKSet as ac,
-  createRemoteJWKSet as ad,
-  customFetch as ae,
-  flattenedVerify as af,
-  importJWK as ag,
-  jwksCache as ah,
+  subtleAlgorithm as a0,
+  JWSInvalid as a1,
+  isDisjoint as a2,
+  validateCrit as a3,
+  checkKeyType as a4,
+  encode as a5,
+  encode$1 as a6,
+  concat as a7,
+  normalizeKey as a8,
+  JWTClaimsBuilder as a9,
+  JWTInvalid as aa,
+  errors as ab,
+  jwtVerify as ac,
+  compactVerify as ad,
+  createLocalJWKSet as ae,
+  createRemoteJWKSet as af,
+  customFetch as ag,
+  flattenedVerify as ah,
+  importJWK as ai,
+  jwksCache as aj,
   DEFAULT_TENANT_POLICY as b,
   DEFAULT_ROLE_SLUGS as c,
   UsersCliAuthRequestCollection as d,
@@ -5097,22 +5255,22 @@ export {
   DEFAULT_CLI_SESSION_TTL_SECONDS as g,
   DEFAULT_SESSION_TTL as h,
   isValidEmail as i,
-  GroupMemberCollection as j,
-  GroupRole as k,
-  GroupRoleCollection as l,
-  MAX_TENANT_HIERARCHY_DEPTH as m,
+  GroupCollection as j,
+  GroupMember as k,
+  GroupMemberCollection as l,
+  GroupRole as m,
   normalizeEmail as n,
-  Membership as o,
+  GroupRoleCollection as o,
   parsePermissionSlug as p,
-  MembershipOverride as q,
-  MembershipOverrideCollection as r,
-  OidcLoginService as s,
-  Permission as t,
-  PermissionResolver as u,
-  RolePermissionCollection as v,
-  SessionCollection as w,
-  SessionService as x,
-  Tenant as y,
-  TenantHierarchyError as z
+  MAX_TENANT_HIERARCHY_DEPTH as q,
+  Membership as r,
+  MembershipOverride as s,
+  MembershipOverrideCollection as t,
+  OidcLoginService as u,
+  Permission as v,
+  PermissionResolver as w,
+  RolePermissionCollection as x,
+  SessionCollection as y,
+  SessionService as z
 };
-//# sourceMappingURL=TerminalAuthService-DoAMQ_yn.js.map
+//# sourceMappingURL=TerminalAuthService-D5VVPG9e.js.map