@happyvertical/smrt-users 0.31.1 → 0.32.1

package/AGENTS.md

@@ -18,14 +18,30 @@ Multi-tenant user management with RBAC, hierarchical tenants, session handling,
 | MembershipOverride | Per-user permission grant/deny. **DENY always wins.** |
 | TenantPermissionOverride | Tenant-level cascade overrides. Effect: INHERIT/GRANT/DENY. |
 
-## Permission Resolution — 4-Level Cascade
-
-PermissionResolver evaluates in order (each level can add/remove permissions):
-
-1. **Tenant hierarchy** — walk ancestors, apply TenantPermissionOverride at each level
-2. **Membership role** — base permissions from user's role in tenant
-3. **Group roles** — permissions from all groups user belongs to **in that tenant**
-4. **Membership overrides** — final GRANT/DENY per-user (DENY takes absolute precedence)
+## Permission Resolution — Precedence (broad → specific, most-specific wins)
+
+`PermissionResolver.resolvePermissions` builds the effective set in this order;
+each later layer overrides earlier ones:
+
+1. **Tenant-inherited** — walk ancestors, apply each `TenantPermissionOverride`
+   down the cascade (GRANT adds, DENY removes within the hierarchy)
+2. **Membership role** — base permissions from the user's role in the tenant
+3. **Group roles** — permissions from all groups the user belongs to **in that tenant**
+4. **Tenant-level DENY** *(removes; overrides role/group grants, tenant-wide)* — a
+   `TenantPermissionOverride` with effect `DENY` is a HARD, tenant-wide block: it
+   subtracts the DENY'd slug even if a role or group granted it (steps 2–3). It
+   sits just **above** the per-user membership overrides and **below** role/group.
+5. **Membership GRANT override** *(re-adds; most specific)* — a per-user GRANT can
+   re-add a slug a tenant DENY'd in step 4, because it is more specific.
+6. **Membership DENY override** *(absolute; always wins)* — a per-user DENY removes
+   the slug last and is never overridden.
+
+So a permission a role grants but the tenant DENYs is **removed**, unless that
+exact user also has a membership-GRANT override for it. A membership-DENY always
+wins. Tenant-DENY of an inherited/cascade grant still blocks it (unchanged).
+The hard block reflects the tenant cascade's **net** resolution, not an
+unconditional union of every DENY in the chain — so a more-specific tenant GRANT
+(e.g. a child sub-tenant re-granting a permission its parent DENYs) still wins.
 
 **Critical**: `getGroupIdsForTenant(userId, tenantId)` (joins with groups table to scope by tenant). Never use `getGroupIds()` — it's cross-tenant.
 
@@ -64,13 +80,22 @@ await switchSessionTenant(event, tenantId, { db });
   structural regression test (`security-audit-1400.test.ts`) enumerates the
   registry to assert no authority model exposes a mutating op. (`cli` stays
   enabled — local-operator surface, outside the network/agent threat model.)
-- **`switchTenant` is fail-closed.** `SessionService.switchTenant` /
-  `switchSessionTenant` verify the session's user has an ACTIVE membership in the
-  target tenant before writing `session.tenantId` (the tenant-isolation key for
-  every `@TenantScoped` query). A non-member switch returns `false` without
-  mutating the session; `null` clears the context and is always allowed. The
-  low-level `SessionCollection.setSessionTenant` is the UNGUARDED primitive —
-  never call it with an untrusted tenant id.
+- **`switchTenant` is fail-closed AND rotates the session id.**
+  `SessionService.switchTenant` / `switchSessionTenant` verify the session's user
+  has an ACTIVE membership in the target tenant before any write (the tenant id
+  is the isolation key for every `@TenantScoped` query). A non-member/unknown-
+  session switch returns `{ switched: false, sessionId: null, ... }` and mutates
+  nothing. On a successful switch into a NON-null tenant the session id is
+  ROTATED: a fresh `Session` (new secure id, fresh TTL, same user, new tenant,
+  device context carried over) is minted and the old session is REVOKED — so a
+  captured pre-switch id immediately stops validating, shrinking the blast radius
+  of a leaked id across a tenant boundary. `switchTenant` returns a
+  `SwitchTenantResult` (`{ switched, sessionId, session, rotated }`); callers MUST
+  persist the returned `sessionId`. `switchSessionTenant` does this for you by
+  re-setting the session cookie (preserving httpOnly/secure/sameSite) to the new
+  id. A `null` clear stays in place (no rotation, no cookie change). The
+  low-level `SessionCollection.setSessionTenant` is the UNGUARDED primitive (used
+  for the null-clear path) — never call it with an untrusted tenant id.
 - **OIDC `email_verified` is enforced.** `UserCollection.getOrCreateFromOidc`
   refuses to provision a user when the IdP explicitly returns
   `email_verified: false` (opt out with `{ allowUnverifiedEmail: true }`). An

package/dist/chunks/{TerminalAuthService-DsQBk1Hc.js → TerminalAuthService-D5VVPG9e.js}

@@ -4295,7 +4295,8 @@ class PermissionResolver {
     const result = {
       permissions: /* @__PURE__ */ new Set(),
       contributingTenantIds: [],
-      inheritanceActive: false
+      inheritanceActive: false,
+      deniedPermissions: /* @__PURE__ */ new Set()
     };
     const tenant = await this.tenantCollection.get({ id: tenantId });
     if (!tenant) {
@@ -4308,9 +4309,13 @@ class PermissionResolver {
       chainTenantIds
     );
     const allPermissionIds = /* @__PURE__ */ new Set();
+    const deniedPermissionIds = /* @__PURE__ */ new Set();
     for (const overrides of allOverridesMap.values()) {
       for (const id of overrides.grantedPermissionIds) allPermissionIds.add(id);
-      for (const id of overrides.deniedPermissionIds) allPermissionIds.add(id);
+      for (const id of overrides.deniedPermissionIds) {
+        allPermissionIds.add(id);
+        deniedPermissionIds.add(id);
+      }
     }
     let inheritedPermissions = /* @__PURE__ */ new Set();
     for (let i = 0; i < chain.length; i++) {
@@ -4358,6 +4363,13 @@ class PermissionResolver {
           result.permissions.add(perm.slug);
         }
       }
+      for (const permId of deniedPermissionIds) {
+        if (inheritedPermissions.has(permId)) continue;
+        const perm = permissionsMap.get(permId);
+        if (perm?.slug) {
+          result.deniedPermissions.add(perm.slug);
+        }
+      }
     }
     return result;
   }
@@ -4389,13 +4401,23 @@ class PermissionResolver {
     return chain;
   }
   /**
-   * Resolve all effective permissions for a user in a tenant
+   * Resolve all effective permissions for a user in a tenant.
+   *
+   * Precedence (broad -> specific, most-specific wins):
+   *   tenant-inherited (cascade)
+   *     -> role
+   *     -> group roles
+   *     -> tenant-DENY      (removes; overrides role/group grants, tenant-wide)
+   *     -> membership GRANT (re-adds; most specific, can win over a tenant-DENY)
+   *     -> membership DENY  (absolute; always wins)
    *
    * Algorithm:
    * 1. Get membership and collect all permission IDs from all sources
    * 2. Batch fetch all permissions in a single query
-   * 3. Apply permissions from role, groups, and overrides
-   * 4. DENY overrides take precedence over GRANT
+   * 3. Apply permissions from role, then groups
+   * 4. Subtract tenant-level DENY'd slugs (hard tenant-wide block)
+   * 5. Apply membership GRANT overrides (can re-add a tenant-DENY'd slug)
+   * 6. Subtract membership DENY overrides (absolute precedence)
    */
   async resolvePermissions(userId, tenantId, options = {}) {
     const result = {
@@ -4484,6 +4506,9 @@ class PermissionResolver {
         }
       }
     }
+    for (const slug of tenantPermissions.deniedPermissions) {
+      result.permissions.delete(slug);
+    }
     for (const permId of grantedPermissionIds) {
       const slug = permissionIdToSlug.get(permId);
       if (slug) {
@@ -4643,23 +4668,66 @@ class SessionService {
    * query, so it must never be set to a tenant the session's user is not an
    * active member of — otherwise a caller could read/write another tenant's data
    * by feeding an arbitrary id here (e.g. straight from untrusted form data).
-   * Fail-closed (#1400): returns `false` without switching when the session is
-   * unknown or the user has no active membership in the target tenant. Passing
-   * `null` clears the tenant context and is always allowed.
+   *
+   * Fail-closed (#1400): the user's ACTIVE membership in the target tenant is
+   * verified BEFORE any write. A non-member switch returns
+   * `{ switched: false, ... }` and mutates nothing.
+   *
+   * Session-id ROTATION (#1354 follow-up): a successful switch into a non-null
+   * tenant mints a BRAND-NEW session (fresh secure id, fresh TTL) for the same
+   * user with the new tenant, then REVOKES the old session — so any captured
+   * pre-switch session id immediately stops validating, shrinking the blast
+   * radius of a leaked id across a privilege/tenant boundary. The device context
+   * (user agent, IP, custom data) carries over to the new session. Callers MUST
+   * persist the returned `sessionId` (e.g. re-set the cookie).
+   *
+   * Passing `null` clears the tenant context, is always allowed, and stays
+   * in-place (no rotation — there is no privilege boundary being crossed).
+   *
+   * @returns A {@link SwitchTenantResult}; check `switched` for success.
    */
   async switchTenant(sessionId, tenantId) {
+    const failClosed = {
+      switched: false,
+      sessionId: null,
+      session: null,
+      rotated: false
+    };
     const session = await this.sessionCollection.findValidSession(sessionId);
-    if (!session) return false;
-    if (tenantId !== null) {
-      const membership = await this.membershipCollection.findByUserAndTenant(
-        session.userId,
-        tenantId
-      );
-      if (!membership || !membership.isActive()) {
-        return false;
-      }
+    if (!session) return failClosed;
+    if (tenantId === null) {
+      const ok = await this.sessionCollection.setSessionTenant(sessionId, null);
+      if (!ok) return failClosed;
+      const updated = await this.sessionCollection.findValidSession(sessionId);
+      return {
+        switched: true,
+        sessionId,
+        session: updated,
+        rotated: false
+      };
     }
-    return this.sessionCollection.setSessionTenant(sessionId, tenantId);
+    const membership = await this.membershipCollection.findByUserAndTenant(
+      session.userId,
+      tenantId
+    );
+    if (!membership || !membership.isActive()) {
+      return failClosed;
+    }
+    await this.sessionCollection.revokeSession(sessionId);
+    const rotated = await this.sessionCollection.createSession({
+      userId: session.userId,
+      tenantId,
+      ttl: this.defaultTTL,
+      userAgent: session.userAgent,
+      ipAddress: session.ipAddress,
+      data: session.data
+    });
+    return {
+      switched: true,
+      sessionId: rotated.id,
+      session: rotated,
+      rotated: true
+    };
   }
   /**
    * Get all active sessions for a user (for "manage sessions" UI)
@@ -5205,4 +5273,4 @@ export {
   SessionCollection as y,
   SessionService as z
 };
-//# sourceMappingURL=TerminalAuthService-DsQBk1Hc.js.map
+//# sourceMappingURL=TerminalAuthService-D5VVPG9e.js.map