npm - @hotmeshio/long-tail - Versions diffs - 0.4.18 → 0.4.20 - Mend

@hotmeshio/long-tail 0.4.18 → 0.4.20

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (354) hide show

package/build/lib/events/publish.js CHANGED Viewed

@@ -28,7 +28,7 @@ function publishMilestoneEvent(params) {
     if (!params.milestones?.length)
         return Promise.resolve();
     return fireAndForget({
-        type: 'milestone',
+        type: `system.milestone.${params.workflowId}`,
         source: params.source,
         workflowId: params.workflowId,
         workflowName: params.workflowName,
@@ -41,11 +41,13 @@ function publishMilestoneEvent(params) {
     });
 }
 /**
- * Publish a task lifecycle event (created, started, completed, escalated, failed).
+ * Publish a task lifecycle event.
+ * Subject: system.task.{taskId}.{action}
  */
 function publishTaskEvent(params) {
+    const action = params.type.split('.')[1]; // created, started, completed, escalated, failed
     return fireAndForget({
-        type: params.type,
+        type: `system.task.${params.taskId}.${action}`,
         source: params.source,
         workflowId: params.workflowId,
         workflowName: params.workflowName,
@@ -59,11 +61,13 @@ function publishTaskEvent(params) {
     });
 }
 /**
- * Publish an escalation lifecycle event (created, resolved).
+ * Publish an escalation lifecycle event.
+ * Subject: system.escalation.{escalationId}.{action}
  */
 function publishEscalationEvent(params) {
+    const action = params.type.split('.')[1];
     return fireAndForget({
-        type: params.type,
+        type: `system.escalation.${params.escalationId}.${action}`,
         source: params.source,
         workflowId: params.workflowId,
         workflowName: params.workflowName,
@@ -78,11 +82,12 @@ function publishEscalationEvent(params) {
 }
 /**
  * Publish an activity lifecycle event for YAML workflow steps.
- * Lightweight — no payload data, just progress signals.
+ * Subject: system.activity.{workflowId}.{activityName}.{action}
  */
 function publishActivityEvent(params) {
+    const action = params.type.split('.')[1];
     return fireAndForget({
-        type: params.type,
+        type: `system.activity.${params.workflowId}.${params.activityName}.${action}`,
         source: 'yaml-worker',
         workflowId: params.workflowId,
         workflowName: params.workflowName,
@@ -93,13 +98,13 @@ function publishActivityEvent(params) {
     });
 }
 /**
- * Publish a knowledge lifecycle event (stored, deleted).
- * Lightweight — no workflow context required since knowledge writes
- * happen both inside and outside workflows.
+ * Publish a knowledge lifecycle event.
+ * Subject: system.knowledge.{domain}.{action}
  */
 function publishKnowledgeEvent(params) {
+    const action = params.type.split('.')[1];
     return fireAndForget({
-        type: params.type,
+        type: `system.knowledge.${params.domain}.${action}`,
         source: 'knowledge',
         workflowId: '',
         workflowName: '',
@@ -109,17 +114,18 @@ function publishKnowledgeEvent(params) {
     });
 }
 /**
- * Publish a file storage event (stored, deleted).
- * Includes rich metadata: path, name, extension, mime type, size.
+ * Publish a file storage event.
+ * Subject: system.file.{action}
  */
 function publishFileEvent(params) {
+    const action = params.type.split('.')[1];
     const parsed = params.path.split('/');
     const filename = parsed[parsed.length - 1] || '';
     const dotIdx = filename.lastIndexOf('.');
     const name = dotIdx > 0 ? filename.slice(0, dotIdx) : filename;
     const extension = dotIdx > 0 ? filename.slice(dotIdx + 1) : '';
     return fireAndForget({
-        type: params.type,
+        type: `system.file.${action}`,
         source: 'file-storage',
         workflowId: '',
         workflowName: '',
@@ -137,10 +143,12 @@ function publishFileEvent(params) {
 }
 /**
  * Publish an agent lifecycle event.
+ * Subject: system.agent.{agentName}.{action}
  */
 function publishAgentEvent(params) {
+    const action = params.type.replace('agent.', '');
     return fireAndForget({
-        type: params.type,
+        type: `system.agent.${params.agentName}.${action}`,
         source: 'agent',
         workflowId: params.agentId,
         workflowName: params.agentName,
@@ -151,11 +159,13 @@ function publishAgentEvent(params) {
     });
 }
 /**
- * Publish a workflow lifecycle event (started, completed, failed).
+ * Publish a workflow lifecycle event.
+ * Subject: system.workflow.{workflowId}.{action}
  */
 function publishWorkflowEvent(params) {
+    const action = params.type.split('.')[1];
     return fireAndForget({
-        type: params.type,
+        type: `system.workflow.${params.workflowId}.${action}`,
         source: params.source,
         workflowId: params.workflowId,
         workflowName: params.workflowName,

package/build/modules/auth.d.ts CHANGED Viewed

@@ -52,6 +52,13 @@ export declare function setAuthAdapter(adapter: LTAuthAdapter): void;
  * JWT `role` claim for stateless admin checks. Returns 403 otherwise.
  */
 export declare const requireAdmin: RequestHandler;
+/**
+ * Middleware that requires builder access. Must be placed AFTER requireAuth.
+ *
+ * Builders are superadmin, admin, or users with the 'engineer' role.
+ * This is the backend equivalent of the dashboard's `isBuilder` check.
+ */
+export declare const requireBuilder: RequestHandler;
 /**
  * Generate a JWT token. Utility for tests and token provisioning.
  */

package/build/modules/auth.js CHANGED Viewed

@@ -1,15 +1,50 @@
 "use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
 var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.requireAdmin = exports.requireAuth = exports.JwtAuthAdapter = void 0;
+exports.requireBuilder = exports.requireAdmin = exports.requireAuth = exports.JwtAuthAdapter = void 0;
 exports.createAuthMiddleware = createAuthMiddleware;
 exports.setAuthAdapter = setAuthAdapter;
 exports.signToken = signToken;
 const jsonwebtoken_1 = __importDefault(require("jsonwebtoken"));
 const config_1 = require("./config");
+const sso_1 = require("./sso");
 const user_1 = require("../services/user");
+const sso_provision_1 = require("../services/user/sso-provision");
 const bot_api_key_1 = require("../services/auth/bot-api-key");
 const principal_1 = require("../services/iam/principal");
 /**
@@ -114,7 +149,39 @@ function createAuthMiddleware(adapter) {
  * middleware delegates to the custom adapter instead.
  */
 let _authMiddleware = null;
-const requireAuth = (req, res, next) => {
+const requireAuth = async (req, res, next) => {
+    // Fast path: Bearer token present — use standard JWT/adapter auth
+    const header = req.headers.authorization;
+    if (header?.startsWith('Bearer ')) {
+        const mw = _authMiddleware || createAuthMiddleware(new JwtAuthAdapter());
+        return mw(req, res, next);
+    }
+    // SSO fallback: no Bearer, but host may have authenticated via cookies/headers
+    const ssoConfig = (0, sso_1.getSSOConfig)();
+    if (ssoConfig) {
+        try {
+            const identity = await ssoConfig.resolve(req);
+            if (identity) {
+                const provisioned = await (0, sso_provision_1.ssoProvision)(identity, ssoConfig);
+                const highestType = provisioned.roles.some((r) => r.type === 'superadmin')
+                    ? 'superadmin'
+                    : provisioned.roles.some((r) => r.type === 'admin')
+                        ? 'admin'
+                        : 'member';
+                req.auth = {
+                    userId: provisioned.userId,
+                    role: highestType,
+                    roles: provisioned.roles,
+                    sso: true,
+                };
+                return next();
+            }
+        }
+        catch {
+            // SSO resolve failed — fall through to 401
+        }
+    }
+    // No Bearer, no SSO — delegate to standard middleware (returns 401)
     const mw = _authMiddleware || createAuthMiddleware(new JwtAuthAdapter());
     mw(req, res, next);
 };
@@ -155,6 +222,41 @@ const requireAdmin = async (req, res, next) => {
     }
 };
 exports.requireAdmin = requireAdmin;
+/**
+ * Middleware that requires builder access. Must be placed AFTER requireAuth.
+ *
+ * Builders are superadmin, admin, or users with the 'engineer' role.
+ * This is the backend equivalent of the dashboard's `isBuilder` check.
+ */
+const requireBuilder = async (req, res, next) => {
+    try {
+        if (!req.auth?.userId) {
+            res.status(403).json({ error: 'Forbidden' });
+            return;
+        }
+        // Fast path: trust the JWT role claim for admin/superadmin
+        if (req.auth.role === 'admin' || req.auth.role === 'superadmin') {
+            next();
+            return;
+        }
+        // Check database for superadmin role type
+        if (await (0, user_1.isSuperAdmin)(req.auth.userId)) {
+            next();
+            return;
+        }
+        // Check database for engineer role (builder)
+        const { hasRole } = await Promise.resolve().then(() => __importStar(require('../services/user/roles')));
+        if (await hasRole(req.auth.userId, 'engineer')) {
+            next();
+            return;
+        }
+        res.status(403).json({ error: 'Forbidden: builder access required' });
+    }
+    catch {
+        res.status(403).json({ error: 'Forbidden' });
+    }
+};
+exports.requireBuilder = requireBuilder;
 /**
  * Generate a JWT token. Utility for tests and token provisioning.
  */

package/build/modules/sso.d.ts ADDED Viewed

@@ -0,0 +1,6 @@
+import type { LTSSOConfig } from '../types/auth';
+export declare function setSSOConfig(config: LTSSOConfig): void;
+export declare function getSSOConfig(): LTSSOConfig | null;
+export declare function isSSOEnabled(): boolean;
+/** Reset SSO config. Used by tests. */
+export declare function clearSSOConfig(): void;

package/build/modules/sso.js ADDED Viewed

@@ -0,0 +1,20 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.setSSOConfig = setSSOConfig;
+exports.getSSOConfig = getSSOConfig;
+exports.isSSOEnabled = isSSOEnabled;
+exports.clearSSOConfig = clearSSOConfig;
+let _ssoConfig = null;
+function setSSOConfig(config) {
+    _ssoConfig = config;
+}
+function getSSOConfig() {
+    return _ssoConfig;
+}
+function isSSOEnabled() {
+    return _ssoConfig !== null;
+}
+/** Reset SSO config. Used by tests. */
+function clearSSOConfig() {
+    _ssoConfig = null;
+}

package/build/routes/auth-sso.d.ts ADDED Viewed

	@@ -0,0 +1,2 @@
1	+ declare const router: import("express-serve-static-core").Router;
2	+ export default router;

package/build/routes/auth-sso.js ADDED Viewed

@@ -0,0 +1,51 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+const express_1 = require("express");
+const api = __importStar(require("../api/auth-sso"));
+const router = (0, express_1.Router)();
+/**
+ * POST /api/auth/sso
+ * Exchange host authentication for a Long Tail JWT.
+ *
+ * No Bearer token required — the host's cookies/headers carry the auth.
+ * The dashboard calls this on mount when SSO is enabled, replacing the
+ * login form with a transparent token exchange.
+ */
+router.post('/sso', async (req, res) => {
+    const result = await api.exchangeSSO(req);
+    res.status(result.status).json(result.data ?? { error: result.error });
+});
+exports.default = router;

package/build/routes/bot-accounts.js CHANGED Viewed

@@ -38,7 +38,7 @@ const auth_1 = require("../modules/auth");
 const api = __importStar(require("../api/bot-accounts"));
 const router = (0, express_1.Router)();
 // All bot account routes require admin access
-router.use(auth_1.requireAdmin);
+router.use(auth_1.requireBuilder);
 // ── Bot CRUD ─────────────────────────────────────────────────────────────────
 /**
  * GET /api/bot-accounts

package/build/routes/controlplane.js CHANGED Viewed

@@ -42,7 +42,7 @@ const router = (0, express_1.Router)();
  * List available HotMesh application IDs.
  * Admin-only.
  */
-router.get('/apps', auth_1.requireAdmin, async (_req, res) => {
+router.get('/apps', auth_1.requireBuilder, async (_req, res) => {
     const result = await api.listApps();
     res.status(result.status).json(result.data ?? { error: result.error });
 });
@@ -51,7 +51,7 @@ router.get('/apps', auth_1.requireAdmin, async (_req, res) => {
  * Execute a roll call — discovers all engines and workers.
  * Admin-only.
  */
-router.get('/rollcall', auth_1.requireAdmin, async (req, res) => {
+router.get('/rollcall', auth_1.requireBuilder, async (req, res) => {
     const result = await api.rollCall({
         appId: req.query.app_id || 'durable',
         delay: req.query.delay ? parseInt(req.query.delay, 10) : undefined,
@@ -66,7 +66,7 @@ router.get('/rollcall', auth_1.requireAdmin, async (req, res) => {
  * Body: { appId: string, throttle: number, topic?: string, guid?: string }
  *   throttle: ms delay (-1 = pause, 0 = resume, >0 = delay per msg)
  */
-router.post('/throttle', auth_1.requireAdmin, async (req, res) => {
+router.post('/throttle', auth_1.requireBuilder, async (req, res) => {
     const { appId = 'durable', throttle, topic, guid, scope } = req.body;
     const result = await api.applyThrottle({ appId, throttle, topic, guid, scope });
     res.status(result.status).json(result.data ?? { error: result.error });
@@ -79,7 +79,7 @@ router.post('/throttle', auth_1.requireAdmin, async (req, res) => {
  * duration: 15m | 30m | 1h | 1d | 7d (default: 1h)
  * stream: optional stream_name filter (specific task queue topic)
  */
-router.get('/streams', auth_1.requireAdmin, async (req, res) => {
+router.get('/streams', auth_1.requireBuilder, async (req, res) => {
     const result = await api.getStreamStats({
         app_id: req.query.app_id || 'durable',
         duration: req.query.duration || '1h',
@@ -97,7 +97,7 @@ router.get('/streams', auth_1.requireAdmin, async (req, res) => {
  * are separate tables with different schemas.
  * Admin-only.
  */
-router.get('/stream-messages', auth_1.requireAdmin, async (req, res) => {
+router.get('/stream-messages', auth_1.requireBuilder, async (req, res) => {
     const result = await api.listStreamMessages({
         namespace: req.query.namespace,
         source: req.query.source,
@@ -124,7 +124,7 @@ router.get('/stream-messages', auth_1.requireAdmin, async (req, res) => {
  *
  * Body: { appId: string }
  */
-router.post('/subscribe', auth_1.requireAdmin, async (req, res) => {
+router.post('/subscribe', auth_1.requireBuilder, async (req, res) => {
     const { appId = 'durable' } = req.body;
     const result = await api.subscribeMesh({ appId });
     res.status(result.status).json(result.data ?? { error: result.error });

package/build/routes/escalations/list.js CHANGED Viewed

@@ -70,6 +70,7 @@ function registerListRoutes(router) {
             type: req.query.type,
             subtype: req.query.subtype,
             assigned_to: req.query.assigned_to,
+            claimed: req.query.claimed === 'true',
             priority: req.query.priority ? parseInt(req.query.priority, 10) : undefined,
             limit: req.query.limit ? parseInt(req.query.limit, 10) : undefined,
             offset: req.query.offset ? parseInt(req.query.offset, 10) : undefined,

package/build/routes/index.js CHANGED Viewed

@@ -6,6 +6,7 @@ Object.defineProperty(exports, "__esModule", { value: true });
 const express_1 = require("express");
 const auth_1 = require("../modules/auth");
 const auth_2 = __importDefault(require("./auth"));
+const auth_sso_1 = __importDefault(require("./auth-sso"));
 const oauth_1 = __importDefault(require("./oauth"));
 const delegation_1 = __importDefault(require("./delegation"));
 const tasks_1 = __importDefault(require("./tasks"));
@@ -36,6 +37,7 @@ const nats_credentials_1 = __importDefault(require("./nats-credentials"));
 const router = (0, express_1.Router)();
 // Public routes (no auth required — they handle their own auth)
 router.use('/auth', auth_2.default);
+router.use('/auth', auth_sso_1.default);
 router.use('/auth/oauth', oauth_1.default);
 router.use('/delegation', delegation_1.default);
 router.use('/files', files_1.default);

package/build/routes/mcp-endpoint.d.ts ADDED Viewed

@@ -0,0 +1,17 @@
+/**
+ * MCP Streamable HTTP endpoint.
+ *
+ * Exposes long-tail's built-in MCP tools to external clients
+ * (Claude Desktop, Cursor, other agents) via the standard MCP
+ * streamable-http transport protocol.
+ *
+ * Stateless mode — each POST creates a fresh server+transport pair.
+ * Auth via Bearer token (JWT or bot API key) in the Authorization header.
+ *
+ * Mount at /mcp:
+ *   POST /mcp  → JSON-RPC messages (initialize, tools/list, tools/call)
+ *   GET  /mcp  → 405 (no SSE in stateless mode)
+ *   DELETE /mcp → 405 (no sessions in stateless mode)
+ */
+declare const router: import("express-serve-static-core").Router;
+export default router;

package/build/routes/mcp-endpoint.js ADDED Viewed

@@ -0,0 +1,70 @@
+"use strict";
+/**
+ * MCP Streamable HTTP endpoint.
+ *
+ * Exposes long-tail's built-in MCP tools to external clients
+ * (Claude Desktop, Cursor, other agents) via the standard MCP
+ * streamable-http transport protocol.
+ *
+ * Stateless mode — each POST creates a fresh server+transport pair.
+ * Auth via Bearer token (JWT or bot API key) in the Authorization header.
+ *
+ * Mount at /mcp:
+ *   POST /mcp  → JSON-RPC messages (initialize, tools/list, tools/call)
+ *   GET  /mcp  → 405 (no SSE in stateless mode)
+ *   DELETE /mcp → 405 (no sessions in stateless mode)
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+const express_1 = require("express");
+const streamableHttp_js_1 = require("@modelcontextprotocol/sdk/server/streamableHttp.js");
+const auth_1 = require("../modules/auth");
+const logger_1 = require("../lib/logger");
+const external_server_1 = require("../services/mcp/external-server");
+const exposure_1 = require("../services/mcp/exposure");
+const router = (0, express_1.Router)();
+// All MCP endpoint requests require authentication
+router.use(auth_1.requireAuth);
+// POST /mcp — JSON-RPC messages
+router.post('/', async (req, res) => {
+    try {
+        const exposure = (0, exposure_1.getExposureConfig)();
+        const callerScopes = req.auth?.scopes;
+        const server = await (0, external_server_1.createUnifiedMcpServer)(exposure, callerScopes);
+        const transport = new streamableHttp_js_1.StreamableHTTPServerTransport({
+            sessionIdGenerator: undefined, // stateless
+        });
+        res.on('close', () => {
+            transport.close().catch(() => { });
+            server.close().catch(() => { });
+        });
+        await server.connect(transport);
+        await transport.handleRequest(req, res, req.body);
+    }
+    catch (err) {
+        logger_1.loggerRegistry.error(`[lt-mcp:endpoint] error: ${err.message}`);
+        if (!res.headersSent) {
+            res.status(500).json({
+                jsonrpc: '2.0',
+                error: { code: -32603, message: 'Internal server error' },
+                id: null,
+            });
+        }
+    }
+});
+// GET /mcp — SSE stream (not supported in stateless mode)
+router.get('/', (_req, res) => {
+    res.status(405).json({
+        jsonrpc: '2.0',
+        error: { code: -32000, message: 'Method not allowed. Use POST for stateless requests.' },
+        id: null,
+    });
+});
+// DELETE /mcp — session close (not supported in stateless mode)
+router.delete('/', (_req, res) => {
+    res.status(405).json({
+        jsonrpc: '2.0',
+        error: { code: -32000, message: 'Method not allowed. Stateless mode has no sessions.' },
+        id: null,
+    });
+});
+exports.default = router;

package/build/routes/roles.js CHANGED Viewed

@@ -58,7 +58,7 @@ router.get('/details', async (_req, res) => {
  * Create a standalone role. Requires admin.
  * Body: { role: string }
  */
-router.post('/', auth_1.requireAdmin, async (req, res) => {
+router.post('/', auth_1.requireBuilder, async (req, res) => {
     const { role } = req.body || {};
     const result = await api.createRole({ role });
     res.status(result.status).json(result.data ?? { error: result.error });
@@ -76,7 +76,7 @@ router.get('/escalation-chains', async (_req, res) => {
  * Add a single escalation chain entry. Requires admin.
  * Body: { source_role: string, target_role: string }
  */
-router.post('/escalation-chains', auth_1.requireAdmin, async (req, res) => {
+router.post('/escalation-chains', auth_1.requireBuilder, async (req, res) => {
     const { source_role, target_role } = req.body || {};
     const result = await api.addEscalationChain({ source_role, target_role });
     res.status(result.status).json(result.data ?? { error: result.error });
@@ -86,7 +86,7 @@ router.post('/escalation-chains', auth_1.requireAdmin, async (req, res) => {
  * Remove a single escalation chain entry. Requires admin.
  * Body: { source_role: string, target_role: string }
  */
-router.delete('/escalation-chains', auth_1.requireAdmin, async (req, res) => {
+router.delete('/escalation-chains', auth_1.requireBuilder, async (req, res) => {
     const { source_role, target_role } = req.body || {};
     const result = await api.removeEscalationChain({ source_role, target_role });
     res.status(result.status).json(result.data ?? { error: result.error });
@@ -105,7 +105,7 @@ router.get('/:role/escalation-targets', async (req, res) => {
  * Replace escalation targets for a role. Requires admin.
  * Body: { targets: string[] }
  */
-router.put('/:role/escalation-targets', auth_1.requireAdmin, async (req, res) => {
+router.put('/:role/escalation-targets', auth_1.requireBuilder, async (req, res) => {
     const { targets } = req.body || {};
     const result = await api.replaceEscalationTargets({ role: req.params.role, targets });
     res.status(result.status).json(result.data ?? { error: result.error });
@@ -114,7 +114,7 @@ router.put('/:role/escalation-targets', auth_1.requireAdmin, async (req, res) =>
  * DELETE /api/roles/:role
  * Delete a role if it has no references. Requires admin.
  */
-router.delete('/:role', auth_1.requireAdmin, async (req, res) => {
+router.delete('/:role', auth_1.requireBuilder, async (req, res) => {
     const result = await api.deleteRole({ role: req.params.role });
     res.status(result.status).json(result.data ?? { error: result.error });
 });

package/build/routes/topics.js CHANGED Viewed

@@ -94,6 +94,8 @@ router.delete('/by-name/:topic', async (req, res) => {
 router.post('/by-name/:topic/publish', async (req, res) => {
     const result = await api.publishTopic({
         topic: decodeURIComponent(req.params.topic),
+        subject: req.body.subject || undefined,
+        eventId: req.body.eventId || undefined,
         data: req.body.data ?? {},
         source: req.body.source ?? 'dashboard',
     });

package/build/routes/users.js CHANGED Viewed

@@ -66,24 +66,24 @@ router.get('/:id', async (req, res) => {
  * Create a new user.
  * Body: { external_id, email?, display_name?, roles?: [{ role, type }], metadata? }
  */
-router.post('/', auth_1.requireAdmin, async (req, res) => {
+router.post('/', auth_1.requireBuilder, async (req, res) => {
     const result = await api.createUser(req.body || {});
     res.status(result.status).json(result.data ?? { error: result.error });
 });
 /**
  * PUT /api/users/:id
- * Update a user.
+ * Update a user. Builder only.
  * Body: { email?, display_name?, status?, metadata? }
  */
-router.put('/:id', auth_1.requireAdmin, async (req, res) => {
+router.put('/:id', auth_1.requireBuilder, async (req, res) => {
     const result = await api.updateUser({ id: req.params.id, ...(req.body || {}) });
     res.status(result.status).json(result.data ?? { error: result.error });
 });
 /**
  * DELETE /api/users/:id
- * Delete a user.
+ * Delete a user. Builder only.
  */
-router.delete('/:id', auth_1.requireAdmin, async (req, res) => {
+router.delete('/:id', auth_1.requireBuilder, async (req, res) => {
     const result = await api.deleteUser({ id: req.params.id });
     res.status(result.status).json(result.data ?? { error: result.error });
 });
@@ -100,9 +100,35 @@ router.get('/:id/roles', async (req, res) => {
  * POST /api/users/:id/roles
  * Add a role to a user.
  * Body: { role, type } — type must be superadmin, admin, or member
+ *
+ * Scoping rules:
+ * - superadmin: can assign any role/type
+ * - engineer: can assign up to admin type, but never superadmin type
+ * - role/admin (non-builder): can only assign member/admin for roles they hold
  */
 router.post('/:id/roles', auth_1.requireAdmin, async (req, res) => {
     const { role, type } = req.body || {};
+    const userId = req.auth.userId;
+    // Superadmin bypasses all scoping
+    const { isSuperAdmin } = await Promise.resolve().then(() => __importStar(require('../services/user/rbac')));
+    if (!(await isSuperAdmin(userId))) {
+        // Non-superadmin can never assign superadmin type
+        if (type === 'superadmin') {
+            res.status(403).json({ error: 'Only superadmin can assign superadmin role type' });
+            return;
+        }
+        // Check if caller has the engineer role (builder) — can assign any non-superadmin role
+        const { hasRole: checkRole } = await Promise.resolve().then(() => __importStar(require('../services/user/roles')));
+        const isEngineer = await checkRole(userId, 'engineer');
+        if (!isEngineer) {
+            // Non-builder admin: can only assign roles they themselves hold
+            const callerHasRole = await checkRole(userId, role);
+            if (!callerHasRole) {
+                res.status(403).json({ error: `You can only assign roles you hold. You do not have the '${role}' role.` });
+                return;
+            }
+        }
+    }
     const result = await api.addUserRole({ id: req.params.id, role, type });
     res.status(result.status).json(result.data ?? { error: result.error });
 });

package/build/sdk/index.d.ts CHANGED Viewed

@@ -89,6 +89,7 @@ export declare function createClient(options?: LTClientOptions): {
             type?: string;
             subtype?: string;
             assigned_to?: string;
+            claimed?: boolean;
             priority?: number;
             limit?: number;
             offset?: number;