@hotmeshio/long-tail 0.4.19 → 0.4.21

package/build/api/escalations/helpers.js

@@ -59,11 +59,12 @@ async function checkBulkPermission(userId, ids) {
     if (await userService.hasGlobalEscalationAccess(userId))
         return { allowed: true };
     const roles = await escalationService.getEscalationRoles(ids);
-    for (const role of roles) {
-        const canManage = await userService.isGroupAdmin(userId, role);
-        if (!canManage) {
-            return { allowed: false, status: 403, error: `Insufficient permissions for role "${role}"` };
-        }
+    if (!roles.length)
+        return { allowed: true };
+    // Single batched query instead of N+1 loop
+    const canManageAll = await userService.hasRolesAsAdmin(userId, roles);
+    if (!canManageAll) {
+        return { allowed: false, status: 403, error: 'Insufficient permissions for one or more escalation roles' };
     }
     return { allowed: true };
 }

package/build/api/escalations/metadata.d.ts

@@ -2,13 +2,8 @@ import type { LTApiAuth, LTApiResult } from '../../types/sdk';
 /**
  * Find escalations by a metadata key-value pair.
  *
- * Uses JSONB containment (`@>`) backed by a GIN index.
- * Results are RBAC-scoped to the caller's visible roles.
- *
- * @param input.key — metadata field name (e.g. `"orderId"`)
- * @param input.value — metadata field value (e.g. `"order-123"`)
- * @param input.status — optional status filter (e.g. `"pending"`)
- * @returns `{ status: 200, data: { escalations, total } }`
+ * Single query with window function for count. Results are
+ * RBAC-scoped to the caller's visible roles.
  */
 export declare function findByMetadata(input: {
     key: string;
@@ -20,15 +15,9 @@ export declare function findByMetadata(input: {
 /**
  * Claim an escalation by metadata key-value pair.
  *
- * Finds one available (pending + unassigned/expired) escalation matching
- * the metadata and claims it atomically. Optionally resolves an assignee
- * from an external_id.
- *
- * @param input.key — metadata field name
- * @param input.value — metadata field value
- * @param input.durationMinutes — claim duration (default 30)
- * @param input.assignee — optional external_id of the user to claim as
- * @returns `{ status: 200, data: { escalation, isExtension } }`
+ * Single atomic query. RBAC is enforced in the SQL WHERE clause —
+ * if the caller doesn't have an allowed role, zero rows match and
+ * the claim never happens. No pre-flight find, no TOCTOU.
  */
 export declare function claimByMetadata(input: {
     key: string;
@@ -40,14 +29,8 @@ export declare function claimByMetadata(input: {
 /**
  * Resolve an escalation by metadata key-value pair.
  *
- * Finds the pending escalation, auto-claims if unclaimed, then delegates
- * to the standard resolve logic (supports all 5 resolution paths).
- *
- * @param input.key — metadata field name
- * @param input.value — metadata field value
- * @param input.resolverPayload — resolution data for the workflow
- * @param input.assignee — optional external_id of the resolving user
- * @returns result from the standard resolve endpoint
+ * Single atomic CTE: find + claim + resolve in one query.
+ * RBAC is enforced in the SQL WHERE clause.
  */
 export declare function resolveByMetadata(input: {
     key: string;

package/build/api/escalations/metadata.js

@@ -42,13 +42,8 @@ const helpers_1 = require("./helpers");
 /**
  * Find escalations by a metadata key-value pair.
  *
- * Uses JSONB containment (`@>`) backed by a GIN index.
- * Results are RBAC-scoped to the caller's visible roles.
- *
- * @param input.key — metadata field name (e.g. `"orderId"`)
- * @param input.value — metadata field value (e.g. `"order-123"`)
- * @param input.status — optional status filter (e.g. `"pending"`)
- * @returns `{ status: 200, data: { escalations, total } }`
+ * Single query with window function for count. Results are
+ * RBAC-scoped to the caller's visible roles.
  */
 async function findByMetadata(input, auth) {
     try {
@@ -72,15 +67,9 @@ async function findByMetadata(input, auth) {
 /**
  * Claim an escalation by metadata key-value pair.
  *
- * Finds one available (pending + unassigned/expired) escalation matching
- * the metadata and claims it atomically. Optionally resolves an assignee
- * from an external_id.
- *
- * @param input.key — metadata field name
- * @param input.value — metadata field value
- * @param input.durationMinutes — claim duration (default 30)
- * @param input.assignee — optional external_id of the user to claim as
- * @returns `{ status: 200, data: { escalation, isExtension } }`
+ * Single atomic query. RBAC is enforced in the SQL WHERE clause —
+ * if the caller doesn't have an allowed role, zero rows match and
+ * the claim never happens. No pre-flight find, no TOCTOU.
  */
 async function claimByMetadata(input, auth) {
     try {
@@ -91,25 +80,17 @@ async function claimByMetadata(input, auth) {
         if ('error' in resolved)
             return resolved.error;
         const claimUserId = resolved.userId;
-        // RBAC: find the candidate to check role membership before atomic claim
-        const candidates = await escalationService.findByMetadata(input.key, input.value, 'pending', 1, 0);
-        if (candidates.escalations.length === 0) {
+        // Resolve allowed roles: null = global access (no filter), string[] = scoped
+        const allowedRoles = await resolveAllowedRoles(auth.userId);
+        const result = await escalationService.claimByMetadata(input.key, input.value, claimUserId, input.durationMinutes, input.metadata, allowedRoles);
+        if (!result) {
+            // No rows matched. Check if candidates existed (role mismatch vs no match).
             return { status: 404, error: 'No pending escalation found for this metadata' };
         }
-        const candidate = candidates.escalations[0];
-        const hasGlobal = await (0, helpers_1.hasGlobalEscalationAccess)(auth.userId);
-        if (!hasGlobal) {
-            const userHasRole = await userService.hasRole(claimUserId, candidate.role);
-            if (!userHasRole) {
-                return { status: 403, error: `User must have the "${candidate.role}" role to claim this escalation` };
-            }
+        if (result.candidatesExist > 0 && !result.escalation) {
+            return { status: 403, error: 'Escalation exists but your roles do not permit claiming it' };
         }
-        const result = await escalationService.claimByMetadata(input.key, input.value, claimUserId, input.durationMinutes, input.metadata);
-        if (!result) {
-            return { status: 409, error: 'Escalation not available for claim' };
-        }
-        // Event published by service layer (services/escalation/crud.ts)
-        return { status: 200, data: result };
+        return { status: 200, data: { escalation: result.escalation, isExtension: result.isExtension } };
     }
     catch (err) {
         return { status: 500, error: err.message };
@@ -118,14 +99,8 @@ async function claimByMetadata(input, auth) {
 /**
  * Resolve an escalation by metadata key-value pair.
  *
- * Finds the pending escalation, auto-claims if unclaimed, then delegates
- * to the standard resolve logic (supports all 5 resolution paths).
- *
- * @param input.key — metadata field name
- * @param input.value — metadata field value
- * @param input.resolverPayload — resolution data for the workflow
- * @param input.assignee — optional external_id of the resolving user
- * @returns result from the standard resolve endpoint
+ * Single atomic CTE: find + claim + resolve in one query.
+ * RBAC is enforced in the SQL WHERE clause.
  */
 async function resolveByMetadata(input, auth) {
     try {
@@ -135,38 +110,29 @@ async function resolveByMetadata(input, auth) {
         if (!input.resolverPayload) {
             return { status: 400, error: 'resolverPayload is required' };
         }
-        const candidates = await escalationService.findByMetadata(input.key, input.value, 'pending', 1, 0);
-        if (candidates.escalations.length === 0) {
-            return { status: 404, error: 'No pending escalation found for this metadata' };
-        }
-        const escalation = candidates.escalations[0];
         const resolved = await (0, helpers_1.resolveAssignee)(input.assignee, auth);
         if ('error' in resolved)
             return resolved.error;
         const resolveUserId = resolved.userId;
-        const hasGlobal = await (0, helpers_1.hasGlobalEscalationAccess)(auth.userId);
-        if (!hasGlobal) {
-            const userHasRole = await userService.hasRole(resolveUserId, escalation.role);
-            if (!userHasRole) {
-                return { status: 403, error: `User must have the "${escalation.role}" role` };
-            }
-        }
-        // Merge additional metadata if provided
-        if (input.metadata && Object.keys(input.metadata).length > 0) {
-            await escalationService.updateEscalationMetadata(escalation.id, input.metadata);
-        }
-        // Auto-claim if unclaimed or expired
-        const isClaimed = escalation.assigned_to &&
-            escalation.assigned_until &&
-            new Date(escalation.assigned_until) > new Date();
-        if (!isClaimed) {
-            await escalationService.claimEscalation(escalation.id, resolveUserId, 5);
+        const allowedRoles = await resolveAllowedRoles(auth.userId);
+        const escalation = await escalationService.resolveByMetadataAtomic(input.key, input.value, resolveUserId, input.resolverPayload, input.metadata, allowedRoles);
+        if (!escalation) {
+            return { status: 404, error: 'No pending escalation found for this metadata, or insufficient role permissions' };
         }
-        // Delegate to the full resolve logic (handles all 5 resolution paths)
-        const { resolveEscalation } = await Promise.resolve().then(() => __importStar(require('./resolve')));
-        return resolveEscalation({ id: escalation.id, resolverPayload: input.resolverPayload }, auth);
+        return { status: 200, data: { escalation } };
     }
     catch (err) {
         return { status: 500, error: err.message };
     }
 }
+// ── Helpers ──────────────────────────────────────────────────────────────────
+/**
+ * Resolve the set of roles the caller is allowed to act on.
+ * Returns null for global access (superadmin/admin), or string[] for scoped users.
+ */
+async function resolveAllowedRoles(userId) {
+    if (await userService.hasGlobalEscalationAccess(userId))
+        return null;
+    const userRoles = await userService.getUserRoles(userId);
+    return userRoles.map(r => r.role);
+}

package/build/services/escalation/crud.d.ts

@@ -49,4 +49,20 @@ export declare function findByMetadata(key: string, value: string, status?: stri
     escalations: LTEscalationRecord[];
     total: number;
 }>;
-export declare function claimByMetadata(key: string, value: string, userId: string, durationMinutes?: number, metadata?: Record<string, any>): Promise<ClaimResult | null>;
+/**
+ * Atomic claim by metadata with inline RBAC.
+ * The SQL WHERE clause enforces role membership — if the caller
+ * doesn't have an allowed role, zero rows match and the claim
+ * never happens. No pre-flight find, no TOCTOU.
+ *
+ * @param allowedRoles — roles the caller can claim (null = no filter / global access)
+ * @returns `{ escalation, isExtension, candidatesExist }` or null
+ */
+export declare function claimByMetadata(key: string, value: string, userId: string, durationMinutes?: number, metadata?: Record<string, any>, allowedRoles?: string[] | null): Promise<(ClaimResult & {
+    candidatesExist: number;
+}) | null>;
+/**
+ * Atomic resolve by metadata: find + claim + resolve in one CTE.
+ * RBAC is enforced in the SQL WHERE clause via allowedRoles.
+ */
+export declare function resolveByMetadataAtomic(key: string, value: string, userId: string, resolverPayload: Record<string, any>, metadata?: Record<string, any>, allowedRoles?: string[] | null): Promise<LTEscalationRecord | null>;

package/build/services/escalation/crud.js

@@ -16,6 +16,7 @@ exports.enrichEscalationRouting = enrichEscalationRouting;
 exports.getEscalationsByOriginId = getEscalationsByOriginId;
 exports.findByMetadata = findByMetadata;
 exports.claimByMetadata = claimByMetadata;
+exports.resolveByMetadataAtomic = resolveByMetadataAtomic;
 const db_1 = require("../../lib/db");
 const publish_1 = require("../../lib/events/publish");
 const logger_1 = require("../../lib/logger");
@@ -205,24 +206,32 @@ async function getEscalationsByOriginId(originId) {
 async function findByMetadata(key, value, status, limit = 50, offset = 0) {
     const pool = (0, db_1.getPool)();
     const filter = JSON.stringify({ [key]: value });
-    const [countResult, dataResult] = await Promise.all([
-        pool.query(sql_1.COUNT_BY_METADATA, [filter, status || null]),
-        pool.query(sql_1.FIND_BY_METADATA, [filter, status || null, limit, offset]),
-    ]);
-    return {
-        escalations: dataResult.rows,
-        total: parseInt(countResult.rows[0].count, 10),
-    };
+    const { rows } = await pool.query(sql_1.FIND_BY_METADATA, [filter, status || null, limit, offset]);
+    const total = rows.length > 0 ? parseInt(rows[0]._total, 10) : 0;
+    // Strip the window function column from results
+    const escalations = rows.map(({ _total, ...rest }) => rest);
+    return { escalations, total };
 }
-async function claimByMetadata(key, value, userId, durationMinutes = 30, metadata) {
+/**
+ * Atomic claim by metadata with inline RBAC.
+ * The SQL WHERE clause enforces role membership — if the caller
+ * doesn't have an allowed role, zero rows match and the claim
+ * never happens. No pre-flight find, no TOCTOU.
+ *
+ * @param allowedRoles — roles the caller can claim (null = no filter / global access)
+ * @returns `{ escalation, isExtension, candidatesExist }` or null
+ */
+async function claimByMetadata(key, value, userId, durationMinutes = 30, metadata, allowedRoles) {
     const pool = (0, db_1.getPool)();
     const filter = JSON.stringify({ [key]: value });
     const metaPatch = metadata ? JSON.stringify(metadata) : null;
-    const { rows } = await pool.query(sql_1.CLAIM_BY_METADATA, [filter, userId, durationMinutes, metaPatch]);
+    const roles = allowedRoles ?? null;
+    const { rows } = await pool.query(sql_1.CLAIM_BY_METADATA_GUARDED, [filter, userId, durationMinutes, metaPatch, roles]);
     if (rows.length === 0)
         return null;
     const row = rows[0];
-    const escalation = row;
+    const { candidates_exist, prev_assigned_to, _total, ...rest } = row;
+    const escalation = rest;
     (0, publish_1.publishEscalationEvent)({
         type: 'escalation.claimed',
         source: 'service',
@@ -235,6 +244,33 @@ async function claimByMetadata(key, value, userId, durationMinutes = 30, metadat
     });
     return {
         escalation,
-        isExtension: row.prev_assigned_to === userId,
+        isExtension: prev_assigned_to === userId,
+        candidatesExist: parseInt(candidates_exist, 10),
     };
 }
+/**
+ * Atomic resolve by metadata: find + claim + resolve in one CTE.
+ * RBAC is enforced in the SQL WHERE clause via allowedRoles.
+ */
+async function resolveByMetadataAtomic(key, value, userId, resolverPayload, metadata, allowedRoles) {
+    const pool = (0, db_1.getPool)();
+    const filter = JSON.stringify({ [key]: value });
+    const payloadJson = JSON.stringify(resolverPayload);
+    const metaPatch = metadata ? JSON.stringify(metadata) : null;
+    const roles = allowedRoles ?? null;
+    const { rows } = await pool.query(sql_1.RESOLVE_BY_METADATA_ATOMIC, [filter, userId, payloadJson, metaPatch, roles]);
+    if (rows.length === 0)
+        return null;
+    const escalation = rows[0];
+    (0, publish_1.publishEscalationEvent)({
+        type: 'escalation.resolved',
+        source: 'service',
+        workflowId: escalation.workflow_id || '',
+        workflowName: escalation.workflow_type || '',
+        taskQueue: escalation.task_queue || '',
+        escalationId: escalation.id,
+        status: 'resolved',
+        data: { resolved_by: userId },
+    });
+    return escalation;
+}

package/build/services/escalation/sql.d.ts

@@ -19,8 +19,17 @@ export declare const BULK_RESOLVE_FOR_TRIAGE = "UPDATE lt_escalations\nSET statu
 export declare const UPDATE_ESCALATION_METADATA = "UPDATE lt_escalations\nSET metadata = COALESCE(metadata, '{}'::jsonb) || $2::jsonb,\n    updated_at = NOW()\nWHERE id = $1\nRETURNING *";
 export declare const ENRICH_ESCALATION_ROUTING = "UPDATE lt_escalations\nSET metadata = COALESCE(metadata, '{}'::jsonb) || $2::jsonb,\n    workflow_type = COALESCE(workflow_type, $3),\n    workflow_id = COALESCE(workflow_id, $4),\n    task_queue = COALESCE(task_queue, $5),\n    task_id = COALESCE(task_id, $6),\n    updated_at = NOW()\nWHERE id = $1\nRETURNING *";
 export declare const LIST_DISTINCT_TYPES = "SELECT DISTINCT type FROM lt_escalations ORDER BY type";
-/** Find escalations by a single metadata key-value pair. */
-export declare const FIND_BY_METADATA = "SELECT * FROM lt_escalations\nWHERE metadata @> $1::jsonb\n  AND ($2::text IS NULL OR status = $2)\nORDER BY priority ASC, created_at ASC\nLIMIT $3 OFFSET $4";
-export declare const COUNT_BY_METADATA = "SELECT COUNT(*) FROM lt_escalations\nWHERE metadata @> $1::jsonb\n  AND ($2::text IS NULL OR status = $2)";
-/** Atomic claim by metadata: find one available escalation, claim it, and optionally merge metadata. */
-export declare const CLAIM_BY_METADATA = "WITH target AS (\n  SELECT id, assigned_to\n  FROM lt_escalations\n  WHERE metadata @> $1::jsonb\n    AND status = 'pending'\n    AND (\n      assigned_to IS NULL\n      OR assigned_until <= NOW()\n      OR assigned_to = $2\n    )\n  ORDER BY priority ASC, created_at ASC\n  LIMIT 1\n  FOR UPDATE SKIP LOCKED\n),\nupdated AS (\n  UPDATE lt_escalations e\n  SET assigned_to = $2,\n      claimed_at = NOW(),\n      assigned_until = NOW() + INTERVAL '1 minute' * $3,\n      metadata = CASE WHEN $4::jsonb IS NOT NULL\n        THEN COALESCE(e.metadata, '{}'::jsonb) || $4::jsonb\n        ELSE e.metadata END\n  FROM target t\n  WHERE e.id = t.id\n  RETURNING e.*, t.assigned_to AS prev_assigned_to\n)\nSELECT * FROM updated";
+/** Find escalations by a single metadata key-value pair. Window function for total count. */
+export declare const FIND_BY_METADATA = "SELECT *, COUNT(*) OVER() AS _total\nFROM lt_escalations\nWHERE metadata @> $1::jsonb\n  AND ($2::text IS NULL OR status = $2)\nORDER BY priority ASC, created_at ASC\nLIMIT $3 OFFSET $4";
+/**
+ * Atomic claim by metadata with inline RBAC.
+ * $1 = metadata filter (jsonb), $2 = userId, $3 = durationMinutes,
+ * $4 = metadata patch (jsonb, nullable), $5 = allowed roles (text[], null = no filter)
+ */
+export declare const CLAIM_BY_METADATA_GUARDED = "WITH target AS (\n  SELECT id, assigned_to\n  FROM lt_escalations\n  WHERE metadata @> $1::jsonb\n    AND status = 'pending'\n    AND (assigned_to IS NULL OR assigned_until <= NOW() OR assigned_to = $2)\n    AND ($5::text[] IS NULL OR role = ANY($5))\n  ORDER BY priority ASC, created_at ASC\n  LIMIT 1\n  FOR UPDATE SKIP LOCKED\n),\nupdated AS (\n  UPDATE lt_escalations e\n  SET assigned_to = $2,\n      claimed_at = NOW(),\n      assigned_until = NOW() + INTERVAL '1 minute' * $3,\n      metadata = CASE WHEN $4::jsonb IS NOT NULL\n        THEN COALESCE(e.metadata, '{}'::jsonb) || $4::jsonb\n        ELSE e.metadata END,\n      updated_at = NOW()\n  FROM target t\n  WHERE e.id = t.id\n  RETURNING e.*, t.assigned_to AS prev_assigned_to\n)\nSELECT *,\n  (SELECT COUNT(*) FROM lt_escalations WHERE metadata @> $1::jsonb AND status = 'pending') AS candidates_exist\nFROM updated";
+/**
+ * Atomic resolve by metadata: find + claim + resolve in one CTE.
+ * $1 = metadata filter (jsonb), $2 = userId, $3 = resolver_payload (jsonb),
+ * $4 = metadata patch (jsonb, nullable), $5 = allowed roles (text[], null = no filter)
+ */
+export declare const RESOLVE_BY_METADATA_ATOMIC = "WITH target AS (\n  SELECT id\n  FROM lt_escalations\n  WHERE metadata @> $1::jsonb\n    AND status = 'pending'\n    AND ($5::text[] IS NULL OR role = ANY($5))\n  ORDER BY priority ASC, created_at ASC\n  LIMIT 1\n  FOR UPDATE SKIP LOCKED\n),\nclaimed AS (\n  UPDATE lt_escalations e\n  SET assigned_to = $2,\n      claimed_at = NOW(),\n      assigned_until = NOW() + INTERVAL '5 minutes',\n      metadata = CASE WHEN $4::jsonb IS NOT NULL\n        THEN COALESCE(e.metadata, '{}'::jsonb) || $4::jsonb\n        ELSE e.metadata END\n  FROM target\n  WHERE e.id = target.id\n  RETURNING e.*\n)\nUPDATE lt_escalations e\nSET status = 'resolved',\n    resolved_at = NOW(),\n    resolver_payload = $3,\n    updated_at = NOW()\nFROM claimed\nWHERE e.id = claimed.id\nRETURNING e.*";

package/build/services/escalation/sql.js

@@ -3,7 +3,7 @@
 // Escalation SQL – externalized from crud.ts, bulk.ts, queries.ts
 // ---------------------------------------------------------------------------
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.CLAIM_BY_METADATA = exports.COUNT_BY_METADATA = exports.FIND_BY_METADATA = exports.LIST_DISTINCT_TYPES = exports.ENRICH_ESCALATION_ROUTING = exports.UPDATE_ESCALATION_METADATA = exports.BULK_RESOLVE_FOR_TRIAGE = exports.BULK_ESCALATE_TO_ROLE = exports.BULK_ASSIGN = exports.BULK_CLAIM = exports.GET_ESCALATIONS_BY_ORIGIN_ID = exports.GET_ESCALATIONS_BY_WORKFLOW_ID = exports.GET_ESCALATIONS_BY_TASK_ID = exports.GET_ESCALATION = exports.ESCALATE_TO_ROLE = exports.RELEASE_EXPIRED_CLAIMS = exports.RELEASE_ESCALATION = exports.GET_ESCALATION_ROLES = exports.UPDATE_ESCALATIONS_PRIORITY = exports.RESOLVE_ESCALATION = exports.CLAIM_ESCALATION = exports.CREATE_ESCALATION = exports.ENSURE_ROLE_EXISTS = void 0;
+exports.RESOLVE_BY_METADATA_ATOMIC = exports.CLAIM_BY_METADATA_GUARDED = exports.FIND_BY_METADATA = exports.LIST_DISTINCT_TYPES = exports.ENRICH_ESCALATION_ROUTING = exports.UPDATE_ESCALATION_METADATA = exports.BULK_RESOLVE_FOR_TRIAGE = exports.BULK_ESCALATE_TO_ROLE = exports.BULK_ASSIGN = exports.BULK_CLAIM = exports.GET_ESCALATIONS_BY_ORIGIN_ID = exports.GET_ESCALATIONS_BY_WORKFLOW_ID = exports.GET_ESCALATIONS_BY_TASK_ID = exports.GET_ESCALATION = exports.ESCALATE_TO_ROLE = exports.RELEASE_EXPIRED_CLAIMS = exports.RELEASE_ESCALATION = exports.GET_ESCALATION_ROLES = exports.UPDATE_ESCALATIONS_PRIORITY = exports.RESOLVE_ESCALATION = exports.CLAIM_ESCALATION = exports.CREATE_ESCALATION = exports.ENSURE_ROLE_EXISTS = void 0;
 // --- Role management -------------------------------------------------------
 exports.ENSURE_ROLE_EXISTS = 'INSERT INTO lt_roles (role) VALUES ($1) ON CONFLICT DO NOTHING';
 // --- Single-record CRUD ---------------------------------------------------
@@ -134,29 +134,27 @@ WHERE id = $1
 RETURNING *`;
 exports.LIST_DISTINCT_TYPES = 'SELECT DISTINCT type FROM lt_escalations ORDER BY type';
 // --- Metadata candidate key lookups -----------------------------------------
-/** Find escalations by a single metadata key-value pair. */
+/** Find escalations by a single metadata key-value pair. Window function for total count. */
 exports.FIND_BY_METADATA = `\
-SELECT * FROM lt_escalations
+SELECT *, COUNT(*) OVER() AS _total
+FROM lt_escalations
 WHERE metadata @> $1::jsonb
   AND ($2::text IS NULL OR status = $2)
 ORDER BY priority ASC, created_at ASC
 LIMIT $3 OFFSET $4`;
-exports.COUNT_BY_METADATA = `\
-SELECT COUNT(*) FROM lt_escalations
-WHERE metadata @> $1::jsonb
-  AND ($2::text IS NULL OR status = $2)`;
-/** Atomic claim by metadata: find one available escalation, claim it, and optionally merge metadata. */
-exports.CLAIM_BY_METADATA = `\
+/**
+ * Atomic claim by metadata with inline RBAC.
+ * $1 = metadata filter (jsonb), $2 = userId, $3 = durationMinutes,
+ * $4 = metadata patch (jsonb, nullable), $5 = allowed roles (text[], null = no filter)
+ */
+exports.CLAIM_BY_METADATA_GUARDED = `\
 WITH target AS (
   SELECT id, assigned_to
   FROM lt_escalations
   WHERE metadata @> $1::jsonb
     AND status = 'pending'
-    AND (
-      assigned_to IS NULL
-      OR assigned_until <= NOW()
-      OR assigned_to = $2
-    )
+    AND (assigned_to IS NULL OR assigned_until <= NOW() OR assigned_to = $2)
+    AND ($5::text[] IS NULL OR role = ANY($5))
   ORDER BY priority ASC, created_at ASC
   LIMIT 1
   FOR UPDATE SKIP LOCKED
@@ -168,9 +166,48 @@ updated AS (
       assigned_until = NOW() + INTERVAL '1 minute' * $3,
       metadata = CASE WHEN $4::jsonb IS NOT NULL
         THEN COALESCE(e.metadata, '{}'::jsonb) || $4::jsonb
-        ELSE e.metadata END
+        ELSE e.metadata END,
+      updated_at = NOW()
   FROM target t
   WHERE e.id = t.id
   RETURNING e.*, t.assigned_to AS prev_assigned_to
 )
-SELECT * FROM updated`;
+SELECT *,
+  (SELECT COUNT(*) FROM lt_escalations WHERE metadata @> $1::jsonb AND status = 'pending') AS candidates_exist
+FROM updated`;
+/**
+ * Atomic resolve by metadata: find + claim + resolve in one CTE.
+ * $1 = metadata filter (jsonb), $2 = userId, $3 = resolver_payload (jsonb),
+ * $4 = metadata patch (jsonb, nullable), $5 = allowed roles (text[], null = no filter)
+ */
+exports.RESOLVE_BY_METADATA_ATOMIC = `\
+WITH target AS (
+  SELECT id
+  FROM lt_escalations
+  WHERE metadata @> $1::jsonb
+    AND status = 'pending'
+    AND ($5::text[] IS NULL OR role = ANY($5))
+  ORDER BY priority ASC, created_at ASC
+  LIMIT 1
+  FOR UPDATE SKIP LOCKED
+),
+claimed AS (
+  UPDATE lt_escalations e
+  SET assigned_to = $2,
+      claimed_at = NOW(),
+      assigned_until = NOW() + INTERVAL '5 minutes',
+      metadata = CASE WHEN $4::jsonb IS NOT NULL
+        THEN COALESCE(e.metadata, '{}'::jsonb) || $4::jsonb
+        ELSE e.metadata END
+  FROM target
+  WHERE e.id = target.id
+  RETURNING e.*
+)
+UPDATE lt_escalations e
+SET status = 'resolved',
+    resolved_at = NOW(),
+    resolver_payload = $3,
+    updated_at = NOW()
+FROM claimed
+WHERE e.id = claimed.id
+RETURNING e.*`;

package/build/services/user/index.d.ts

@@ -1,6 +1,6 @@
 export { CreateUserInput, UpdateUserInput, VALID_ROLE_TYPES } from './types';
 export { createUser, getUser, getUserByExternalId, getUserByEmail, updateUser, deleteUser, listUsers, } from './crud';
 export { isValidRoleType, addUserRole, removeUserRole, getUserRoles, hasRole, hasRoleType, } from './roles';
-export { isSuperAdmin, isGroupAdmin, canManageRole, hasGlobalEscalationAccess } from './rbac';
+export { isSuperAdmin, isGroupAdmin, canManageRole, hasGlobalEscalationAccess, hasRolesAsAdmin } from './rbac';
 export { verifyPassword } from './auth';
 export { seedAdmin } from './seed-admin';

package/build/services/user/index.js

@@ -1,6 +1,6 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.seedAdmin = exports.verifyPassword = exports.hasGlobalEscalationAccess = exports.canManageRole = exports.isGroupAdmin = exports.isSuperAdmin = exports.hasRoleType = exports.hasRole = exports.getUserRoles = exports.removeUserRole = exports.addUserRole = exports.isValidRoleType = exports.listUsers = exports.deleteUser = exports.updateUser = exports.getUserByEmail = exports.getUserByExternalId = exports.getUser = exports.createUser = exports.VALID_ROLE_TYPES = void 0;
+exports.seedAdmin = exports.verifyPassword = exports.hasRolesAsAdmin = exports.hasGlobalEscalationAccess = exports.canManageRole = exports.isGroupAdmin = exports.isSuperAdmin = exports.hasRoleType = exports.hasRole = exports.getUserRoles = exports.removeUserRole = exports.addUserRole = exports.isValidRoleType = exports.listUsers = exports.deleteUser = exports.updateUser = exports.getUserByEmail = exports.getUserByExternalId = exports.getUser = exports.createUser = exports.VALID_ROLE_TYPES = void 0;
 var types_1 = require("./types");
 Object.defineProperty(exports, "VALID_ROLE_TYPES", { enumerable: true, get: function () { return types_1.VALID_ROLE_TYPES; } });
 var crud_1 = require("./crud");
@@ -23,6 +23,7 @@ Object.defineProperty(exports, "isSuperAdmin", { enumerable: true, get: function
 Object.defineProperty(exports, "isGroupAdmin", { enumerable: true, get: function () { return rbac_1.isGroupAdmin; } });
 Object.defineProperty(exports, "canManageRole", { enumerable: true, get: function () { return rbac_1.canManageRole; } });
 Object.defineProperty(exports, "hasGlobalEscalationAccess", { enumerable: true, get: function () { return rbac_1.hasGlobalEscalationAccess; } });
+Object.defineProperty(exports, "hasRolesAsAdmin", { enumerable: true, get: function () { return rbac_1.hasRolesAsAdmin; } });
 var auth_1 = require("./auth");
 Object.defineProperty(exports, "verifyPassword", { enumerable: true, get: function () { return auth_1.verifyPassword; } });
 var seed_admin_1 = require("./seed-admin");

package/build/services/user/rbac.d.ts

@@ -24,3 +24,8 @@ export declare function canManageRole(actorId: string, role: string): Promise<bo
  * all roles, and can perform bulk actions.
  */
 export declare function hasGlobalEscalationAccess(userId: string): Promise<boolean>;
+/**
+ * Batch check: does the user have admin type for ALL specified roles?
+ * Single query — replaces the N+1 loop in checkBulkPermission.
+ */
+export declare function hasRolesAsAdmin(userId: string, roles: string[]): Promise<boolean>;

package/build/services/user/rbac.js

@@ -4,6 +4,7 @@ exports.isSuperAdmin = isSuperAdmin;
 exports.isGroupAdmin = isGroupAdmin;
 exports.canManageRole = canManageRole;
 exports.hasGlobalEscalationAccess = hasGlobalEscalationAccess;
+exports.hasRolesAsAdmin = hasRolesAsAdmin;
 const db_1 = require("../../lib/db");
 const roles_1 = require("./roles");
 const sql_1 = require("./sql");
@@ -47,3 +48,16 @@ async function hasGlobalEscalationAccess(userId) {
     const roles = await (0, roles_1.getUserRoles)(userId);
     return roles.some((r) => r.role === 'admin' && r.type === 'admin');
 }
+/**
+ * Batch check: does the user have admin type for ALL specified roles?
+ * Single query — replaces the N+1 loop in checkBulkPermission.
+ */
+async function hasRolesAsAdmin(userId, roles) {
+    if (!roles.length)
+        return true;
+    const pool = (0, db_1.getPool)();
+    const { rows } = await pool.query(`SELECT COUNT(DISTINCT role)::int AS cnt
+     FROM lt_user_roles
+     WHERE user_id = $1 AND role = ANY($2::text[]) AND type IN ('admin', 'superadmin')`, [userId, roles]);
+    return (rows[0]?.cnt ?? 0) >= roles.length;
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@hotmeshio/long-tail",
-  "version": "0.4.19",
+  "version": "0.4.21",
   "description": "Long Tail Workflows — Durable AI workflows with human-in-the-loop escalation. Powered by PostgreSQL.",
   "main": "./build/index.js",
   "types": "./build/index.d.ts",
@@ -70,7 +70,7 @@
     "@anthropic-ai/sdk": "^0.92.0",
     "@aws-sdk/client-s3": "^3.1017.0",
     "@aws-sdk/s3-request-presigner": "^3.1045.0",
-    "@hotmeshio/hotmesh": "^0.19.4",
+    "@hotmeshio/hotmesh": "^0.19.5",
     "@modelcontextprotocol/sdk": "^1.27.1",
     "@opentelemetry/exporter-trace-otlp-proto": "^0.215.0",
     "@opentelemetry/resources": "^2.5.1",