@invect/rbac 0.0.1

package/dist/backend/index.mjs

@@ -0,0 +1,1363 @@
+//#region src/backend/plugin.ts
+/**
+* Resolve team IDs for a user from the rbac_team_members table.
+* Use this in a custom `mapUser` for the auth plugin to populate
+* `identity.teamIds` automatically.
+*
+* @example
+* ```ts
+* import { resolveTeamIds } from '@invect/rbac/backend';
+*
+* betterAuthPlugin({
+*   auth,
+*   mapUser: async (user, session) => ({
+*     id: user.id,
+*     name: user.name ?? undefined,
+*     role: user.role === 'admin' ? 'admin' : 'user',
+*     teamIds: await resolveTeamIds(db, user.id),
+*   }),
+* });
+* ```
+*/
+async function resolveTeamIds(db, userId) {
+	return (await db.query("SELECT team_id FROM rbac_team_members WHERE user_id = ?", [userId])).map((r) => r.team_id);
+}
+const FLOW_RESOURCE_TYPES = new Set([
+	"flow",
+	"flow-version",
+	"flow-run",
+	"node-execution"
+]);
+const FLOW_PERMISSION_LEVELS = {
+	viewer: 1,
+	operator: 2,
+	editor: 3,
+	owner: 4
+};
+function isFlowAccessPermission(value) {
+	return value === "viewer" || value === "operator" || value === "editor" || value === "owner";
+}
+function toFlowAccessPermission(value) {
+	return isFlowAccessPermission(value) ? value : null;
+}
+function getHigherPermission(left, right) {
+	if (!left) return right;
+	if (!right) return left;
+	return FLOW_PERMISSION_LEVELS[right] > FLOW_PERMISSION_LEVELS[left] ? right : left;
+}
+function createInClause(count) {
+	return Array.from({ length: count }, () => "?").join(", ");
+}
+function mapActionToRequiredPermission(action) {
+	if (action.includes("delete") || action.includes("share") || action.includes("admin")) return "owner";
+	if (action.includes("update") || action.includes("write") || action.includes("create")) return "editor";
+	if (action.includes("run") || action.includes("execute")) return "operator";
+	return "viewer";
+}
+function normalizeFlowAccessRecord(row) {
+	return {
+		id: String(row.id),
+		flowId: String(row.flowId ?? row.flow_id),
+		userId: row.userId ?? row.user_id ? String(row.userId ?? row.user_id) : null,
+		teamId: row.teamId ?? row.team_id ? String(row.teamId ?? row.team_id) : null,
+		permission: String(row.permission),
+		grantedBy: row.grantedBy ?? row.granted_by ? String(row.grantedBy ?? row.granted_by) : null,
+		grantedAt: String(row.grantedAt ?? row.granted_at),
+		expiresAt: row.expiresAt ?? row.expires_at ? String(row.expiresAt ?? row.expires_at) : null
+	};
+}
+function normalizeScopeAccessRecord(row) {
+	return {
+		id: String(row.id),
+		scopeId: String(row.scopeId ?? row.scope_id),
+		userId: row.userId ?? row.user_id ? String(row.userId ?? row.user_id) : null,
+		teamId: row.teamId ?? row.team_id ? String(row.teamId ?? row.team_id) : null,
+		permission: String(row.permission),
+		grantedBy: row.grantedBy ?? row.granted_by ? String(row.grantedBy ?? row.granted_by) : null,
+		grantedAt: String(row.grantedAt ?? row.granted_at)
+	};
+}
+function normalizeTeamRow(row) {
+	return {
+		id: row.id,
+		name: row.name,
+		description: row.description,
+		parentId: row.parent_id ?? null,
+		createdBy: row.created_by,
+		createdAt: row.created_at,
+		updatedAt: row.updated_at
+	};
+}
+async function getFlowScopeId(db, flowId) {
+	return (await db.query("SELECT scope_id FROM flows WHERE id = ?", [flowId]))[0]?.scope_id ?? null;
+}
+async function getAncestorScopeIds(db, scopeId) {
+	return (await db.query(`WITH RECURSIVE ancestors AS (
+      SELECT id, parent_id FROM rbac_teams WHERE id = ?
+      UNION ALL
+      SELECT parent.id, parent.parent_id
+      FROM rbac_teams parent
+      INNER JOIN ancestors current ON parent.id = current.parent_id
+    )
+    SELECT id FROM ancestors`, [scopeId])).map((row) => row.id);
+}
+async function getDescendantScopeIds(db, scopeId) {
+	return (await db.query(`WITH RECURSIVE descendants AS (
+      SELECT id FROM rbac_teams WHERE id = ?
+      UNION ALL
+      SELECT child.id
+      FROM rbac_teams child
+      INNER JOIN descendants current ON child.parent_id = current.id
+    )
+    SELECT id FROM descendants`, [scopeId])).map((row) => row.id);
+}
+async function listScopeAccessForScopeIds(db, scopeIds, userId, teamIds) {
+	if (scopeIds.length === 0) return [];
+	const params = [...scopeIds, userId];
+	let sql = `SELECT id, scope_id, user_id, team_id, permission, granted_by, granted_at FROM rbac_scope_access WHERE (scope_id IN (${createInClause(scopeIds.length)}) AND user_id = ?)`;
+	if (teamIds.length > 0) {
+		sql += ` OR (scope_id IN (${createInClause(scopeIds.length)}) AND team_id IN (${createInClause(teamIds.length)}))`;
+		params.push(...scopeIds, ...teamIds);
+	}
+	return (await db.query(sql, params)).map(normalizeScopeAccessRecord);
+}
+async function listDirectFlowAccessForIdentity(db, flowId, userId, teamIds) {
+	const params = [flowId, userId];
+	let sql = "SELECT id, flow_id, user_id, team_id, permission, granted_by, granted_at, expires_at FROM flow_access WHERE (flow_id = ? AND user_id = ?)";
+	if (teamIds.length > 0) {
+		sql += ` OR (flow_id = ? AND team_id IN (${createInClause(teamIds.length)}))`;
+		params.push(flowId, ...teamIds);
+	}
+	const rows = await db.query(sql, params);
+	const now = Date.now();
+	return rows.map(normalizeFlowAccessRecord).filter((record) => !record.expiresAt || new Date(record.expiresAt).getTime() > now);
+}
+async function getEffectiveFlowAccessRecords(db, flowId, userId, teamIds) {
+	const directRecords = (await listDirectFlowAccessForIdentity(db, flowId, userId, teamIds)).map((record) => ({
+		...record,
+		source: "direct"
+	}));
+	const scopeId = await getFlowScopeId(db, flowId);
+	if (!scopeId) return directRecords;
+	const ancestorIds = await getAncestorScopeIds(db, scopeId);
+	const inheritedRows = await listScopeAccessForScopeIds(db, ancestorIds, userId, teamIds);
+	if (inheritedRows.length === 0) return directRecords;
+	const scopeRows = await db.query(`SELECT id, name FROM rbac_teams WHERE id IN (${createInClause(ancestorIds.length)})`, ancestorIds);
+	const scopeNames = new Map(scopeRows.map((row) => [row.id, row.name]));
+	return [...directRecords, ...inheritedRows.map((record) => ({
+		id: record.id,
+		flowId,
+		userId: record.userId,
+		teamId: record.teamId,
+		permission: record.permission,
+		grantedBy: record.grantedBy,
+		grantedAt: record.grantedAt,
+		expiresAt: null,
+		source: "inherited",
+		scopeId: record.scopeId,
+		scopeName: scopeNames.get(record.scopeId) ?? null
+	}))];
+}
+async function getEffectiveFlowPermission(db, flowId, identity) {
+	const records = await getEffectiveFlowAccessRecords(db, flowId, identity.id, identity.teamIds ?? []);
+	let highest = null;
+	for (const record of records) highest = getHigherPermission(highest, record.permission);
+	return highest;
+}
+async function getCurrentUserAccessibleFlows(db, identity) {
+	const rows = await db.query("SELECT id FROM flows");
+	const permissions = {};
+	await Promise.all(rows.map(async (row) => {
+		permissions[row.id] = await getEffectiveFlowPermission(db, row.id, identity);
+	}));
+	return {
+		flowIds: rows.map((row) => row.id).filter((flowId) => permissions[flowId]),
+		permissions
+	};
+}
+async function getScopePath(db, scopeId) {
+	if (!scopeId) return [];
+	return (await db.query(`WITH RECURSIVE ancestors AS (
+      SELECT id, name, parent_id, 0 AS depth FROM rbac_teams WHERE id = ?
+      UNION ALL
+      SELECT parent.id, parent.name, parent.parent_id, current.depth + 1
+      FROM rbac_teams parent
+      INNER JOIN ancestors current ON parent.id = current.parent_id
+    )
+    SELECT id, name FROM ancestors ORDER BY depth DESC`, [scopeId])).map((row) => row.name);
+}
+async function listAllScopeAccessForScopeIds(db, scopeIds) {
+	if (scopeIds.length === 0) return [];
+	return (await db.query(`SELECT id, scope_id, user_id, team_id, permission, granted_by, granted_at
+      FROM rbac_scope_access
+      WHERE scope_id IN (${createInClause(scopeIds.length)})`, scopeIds)).map(normalizeScopeAccessRecord);
+}
+async function listAllDirectFlowAccess(db, flowId) {
+	const rows = await db.query("SELECT id, flow_id, user_id, team_id, permission, granted_by, granted_at, expires_at FROM flow_access WHERE flow_id = ?", [flowId]);
+	const now = Date.now();
+	return rows.map(normalizeFlowAccessRecord).filter((record) => !record.expiresAt || new Date(record.expiresAt).getTime() > now);
+}
+async function listAllEffectiveFlowAccessForPreview(db, flowId, overrideScopeId) {
+	const direct = await listAllDirectFlowAccess(db, flowId);
+	const scopeId = overrideScopeId === void 0 ? await getFlowScopeId(db, flowId) : overrideScopeId;
+	if (!scopeId) return direct;
+	const inherited = await listAllScopeAccessForScopeIds(db, await getAncestorScopeIds(db, scopeId));
+	return [...direct, ...inherited];
+}
+async function listAllEffectiveFlowAccessRecords(db, flowId) {
+	const directRecords = (await listAllDirectFlowAccess(db, flowId)).map((record) => ({
+		...record,
+		source: "direct"
+	}));
+	const scopeId = await getFlowScopeId(db, flowId);
+	if (!scopeId) return directRecords;
+	const ancestorIds = await getAncestorScopeIds(db, scopeId);
+	const inheritedRows = await listAllScopeAccessForScopeIds(db, ancestorIds);
+	if (inheritedRows.length === 0) return directRecords;
+	const scopeRows = await db.query(`SELECT id, name FROM rbac_teams WHERE id IN (${createInClause(ancestorIds.length)})`, ancestorIds);
+	const scopeNames = new Map(scopeRows.map((row) => [row.id, row.name]));
+	const teamIds = [...new Set(inheritedRows.map((r) => r.teamId).filter((id) => !!id))];
+	const teamMembersByTeamId = /* @__PURE__ */ new Map();
+	if (teamIds.length > 0) {
+		const memberRows = await db.query(`SELECT team_id, user_id FROM rbac_team_members WHERE team_id IN (${createInClause(teamIds.length)})`, teamIds);
+		for (const row of memberRows) {
+			const members = teamMembersByTeamId.get(row.team_id) ?? [];
+			members.push(row.user_id);
+			teamMembersByTeamId.set(row.team_id, members);
+		}
+	}
+	const expandedInherited = [];
+	for (const record of inheritedRows) {
+		const scopeName = scopeNames.get(record.scopeId) ?? null;
+		if (record.teamId) {
+			const members = teamMembersByTeamId.get(record.teamId) ?? [];
+			for (const userId of members) expandedInherited.push({
+				id: `${record.id}:${userId}`,
+				flowId,
+				userId,
+				teamId: null,
+				permission: record.permission,
+				grantedBy: record.grantedBy,
+				grantedAt: record.grantedAt,
+				expiresAt: null,
+				source: "inherited",
+				scopeId: record.scopeId,
+				scopeName
+			});
+		} else expandedInherited.push({
+			id: record.id,
+			flowId,
+			userId: record.userId,
+			teamId: null,
+			permission: record.permission,
+			grantedBy: record.grantedBy,
+			grantedAt: record.grantedAt,
+			expiresAt: null,
+			source: "inherited",
+			scopeId: record.scopeId,
+			scopeName
+		});
+	}
+	return [...directRecords, ...expandedInherited];
+}
+function buildAccessKey(record) {
+	if (record.userId) return `user:${record.userId}`;
+	if (record.teamId) return `team:${record.teamId}`;
+	return "unknown";
+}
+async function resolveAccessChangeNames(db, entries) {
+	const userIds = Array.from(new Set(entries.map((entry) => entry.userId).filter(Boolean)));
+	const teamIds = Array.from(new Set(entries.map((entry) => entry.teamId).filter(Boolean)));
+	const [userRows, teamRows] = await Promise.all([userIds.length > 0 ? db.query(`SELECT id, name, email FROM user WHERE id IN (${createInClause(userIds.length)})`, userIds) : Promise.resolve([]), teamIds.length > 0 ? db.query(`SELECT id, name FROM rbac_teams WHERE id IN (${createInClause(teamIds.length)})`, teamIds) : Promise.resolve([])]);
+	const userMap = new Map(userRows.map((row) => [row.id, row.name || row.email || row.id]));
+	const teamMap = new Map(teamRows.map((row) => [row.id, row.name]));
+	return entries.map((entry) => ({
+		userId: entry.userId ?? void 0,
+		teamId: entry.teamId ?? void 0,
+		name: entry.userId ? userMap.get(entry.userId) ?? entry.userId : entry.teamId ? teamMap.get(entry.teamId) ?? entry.teamId : "Unknown",
+		permission: entry.permission,
+		source: entry.source
+	}));
+}
+function rbacPlugin(options = {}) {
+	const { useFlowAccessTable = true, adminPermission = "flow:read", enableTeams = true } = options;
+	const teamsSchema = enableTeams ? {
+		flows: { fields: { scope_id: {
+			type: "string",
+			required: false,
+			references: {
+				table: "rbac_teams",
+				field: "id",
+				onDelete: "set null"
+			},
+			index: true
+		} } },
+		rbac_teams: { fields: {
+			id: {
+				type: "string",
+				primaryKey: true
+			},
+			name: {
+				type: "string",
+				required: true
+			},
+			description: {
+				type: "text",
+				required: false
+			},
+			parent_id: {
+				type: "string",
+				required: false,
+				references: {
+					table: "rbac_teams",
+					field: "id",
+					onDelete: "set null"
+				},
+				index: true
+			},
+			created_by: {
+				type: "string",
+				required: false,
+				references: {
+					table: "user",
+					field: "id"
+				}
+			},
+			created_at: {
+				type: "date",
+				required: true,
+				defaultValue: "now()"
+			},
+			updated_at: {
+				type: "date",
+				required: false
+			}
+		} },
+		rbac_team_members: { fields: {
+			id: {
+				type: "string",
+				primaryKey: true
+			},
+			team_id: {
+				type: "string",
+				required: true,
+				references: {
+					table: "rbac_teams",
+					field: "id",
+					onDelete: "cascade"
+				},
+				index: true
+			},
+			user_id: {
+				type: "string",
+				required: true,
+				references: {
+					table: "user",
+					field: "id",
+					onDelete: "cascade"
+				},
+				index: true
+			},
+			created_at: {
+				type: "date",
+				required: true,
+				defaultValue: "now()"
+			}
+		} },
+		rbac_scope_access: { fields: {
+			id: {
+				type: "string",
+				primaryKey: true
+			},
+			scope_id: {
+				type: "string",
+				required: true,
+				references: {
+					table: "rbac_teams",
+					field: "id",
+					onDelete: "cascade"
+				},
+				index: true
+			},
+			user_id: {
+				type: "string",
+				required: false,
+				index: true
+			},
+			team_id: {
+				type: "string",
+				required: false,
+				index: true
+			},
+			permission: {
+				type: "string",
+				required: true,
+				defaultValue: "viewer",
+				typeAnnotation: "FlowAccessPermission"
+			},
+			granted_by: {
+				type: "string",
+				required: false
+			},
+			granted_at: {
+				type: "date",
+				required: true,
+				defaultValue: "now()"
+			}
+		} }
+	} : {};
+	let capturedDbApi = null;
+	const ui = {
+		sidebar: [{
+			label: "Access Control",
+			icon: "Shield",
+			path: "/access",
+			permission: adminPermission
+		}, ...enableTeams ? [] : []],
+		pages: [{
+			path: "/access",
+			componentId: "rbac.AccessControlPage",
+			title: "Access Control"
+		}, ...enableTeams ? [] : []],
+		panelTabs: [{
+			context: "flowEditor",
+			label: "Access",
+			componentId: "rbac.FlowAccessPanel",
+			permission: "flow:read"
+		}],
+		headerActions: [{
+			context: "flowHeader",
+			componentId: "rbac.ShareButton",
+			permission: "flow:update"
+		}]
+	};
+	return {
+		id: "rbac",
+		name: "Role-Based Access Control",
+		schema: teamsSchema,
+		requiredTables: [
+			"user",
+			"session",
+			...enableTeams ? [
+				"rbac_teams",
+				"rbac_team_members",
+				"rbac_scope_access"
+			] : []
+		],
+		setupInstructions: "The RBAC plugin requires better-auth tables (user, session). Make sure @invect/user-auth is configured, then run `npx invect generate` followed by `npx drizzle-kit push`.",
+		init: async (ctx) => {
+			if (!ctx.hasPlugin("better-auth")) ctx.logger.warn("RBAC plugin requires the @invect/user-auth plugin. RBAC will work with reduced functionality (no session resolution). Make sure betterAuthPlugin() is registered before rbacPlugin().");
+			ctx.logger.info("RBAC plugin initialized", { useFlowAccessTable });
+		},
+		endpoints: [
+			{
+				method: "GET",
+				path: "/rbac/me",
+				isPublic: false,
+				handler: async (ctx) => {
+					if (!capturedDbApi && enableTeams) capturedDbApi = ctx.database;
+					const identity = ctx.identity;
+					const permissions = ctx.core.getPermissions(identity);
+					const resolvedRole = identity ? ctx.core.getResolvedRole(identity) : null;
+					return {
+						status: 200,
+						body: {
+							identity: identity ? {
+								id: identity.id,
+								name: identity.name,
+								role: identity.role,
+								resolvedRole
+							} : null,
+							permissions,
+							isAuthenticated: !!identity
+						}
+					};
+				}
+			},
+			{
+				method: "GET",
+				path: "/rbac/roles",
+				isPublic: false,
+				permission: "flow:read",
+				handler: async (ctx) => {
+					return {
+						status: 200,
+						body: { roles: ctx.core.getAvailableRoles() }
+					};
+				}
+			},
+			{
+				method: "GET",
+				path: "/rbac/ui-manifest",
+				isPublic: true,
+				handler: async (_ctx) => {
+					return {
+						status: 200,
+						body: {
+							id: "rbac",
+							...ui
+						}
+					};
+				}
+			},
+			{
+				method: "GET",
+				path: "/rbac/flows/:flowId/access",
+				permission: "flow:read",
+				handler: async (ctx) => {
+					const flowId = ctx.params.flowId;
+					if (!flowId) return {
+						status: 400,
+						body: { error: "Missing flowId parameter" }
+					};
+					if (!ctx.core.isFlowAccessTableEnabled()) return {
+						status: 501,
+						body: {
+							error: "Not Implemented",
+							message: "Flow access table not enabled. Set auth.useFlowAccessTable: true in config."
+						}
+					};
+					if (!ctx.identity) return {
+						status: 401,
+						body: {
+							error: "Unauthorized",
+							message: "Authentication required"
+						}
+					};
+					if (!(ctx.core.getPermissions(ctx.identity).includes("admin:*") ? "owner" : await getEffectiveFlowPermission(ctx.database, flowId, ctx.identity))) return {
+						status: 403,
+						body: {
+							error: "Forbidden",
+							message: "No access to this flow"
+						}
+					};
+					return {
+						status: 200,
+						body: { access: await ctx.core.listFlowAccess(flowId) }
+					};
+				}
+			},
+			{
+				method: "POST",
+				path: "/rbac/flows/:flowId/access",
+				permission: "flow:read",
+				handler: async (ctx) => {
+					const flowId = ctx.params.flowId;
+					if (!flowId) return {
+						status: 400,
+						body: { error: "Missing flowId parameter" }
+					};
+					if (!ctx.core.isFlowAccessTableEnabled()) return {
+						status: 501,
+						body: {
+							error: "Not Implemented",
+							message: "Flow access table not enabled. Set auth.useFlowAccessTable: true in config."
+						}
+					};
+					const { userId, teamId, permission, expiresAt } = ctx.body;
+					if (!userId && !teamId) return {
+						status: 400,
+						body: { error: "Either userId or teamId must be provided" }
+					};
+					if (!ctx.identity) return {
+						status: 401,
+						body: {
+							error: "Unauthorized",
+							message: "Authentication required"
+						}
+					};
+					if ((ctx.core.getPermissions(ctx.identity).includes("admin:*") ? "owner" : await getEffectiveFlowPermission(ctx.database, flowId, ctx.identity)) !== "owner") return {
+						status: 403,
+						body: {
+							error: "Forbidden",
+							message: "Owner access is required to manage sharing"
+						}
+					};
+					if (!permission || ![
+						"owner",
+						"editor",
+						"operator",
+						"viewer"
+					].includes(permission)) return {
+						status: 400,
+						body: { error: "permission must be one of: owner, editor, operator, viewer" }
+					};
+					return {
+						status: 201,
+						body: await ctx.core.grantFlowAccess({
+							flowId,
+							userId,
+							teamId,
+							permission,
+							grantedBy: ctx.identity?.id,
+							expiresAt
+						})
+					};
+				}
+			},
+			{
+				method: "DELETE",
+				path: "/rbac/flows/:flowId/access/:accessId",
+				permission: "flow:read",
+				handler: async (ctx) => {
+					const { flowId, accessId } = ctx.params;
+					if (!flowId || !accessId) return {
+						status: 400,
+						body: { error: "Missing flowId or accessId parameter" }
+					};
+					if (!ctx.core.isFlowAccessTableEnabled()) return {
+						status: 501,
+						body: {
+							error: "Not Implemented",
+							message: "Flow access table not enabled. Set auth.useFlowAccessTable: true in config."
+						}
+					};
+					if (!ctx.identity) return {
+						status: 401,
+						body: {
+							error: "Unauthorized",
+							message: "Authentication required"
+						}
+					};
+					if ((ctx.core.getPermissions(ctx.identity).includes("admin:*") ? "owner" : await getEffectiveFlowPermission(ctx.database, flowId, ctx.identity)) !== "owner") return {
+						status: 403,
+						body: {
+							error: "Forbidden",
+							message: "Owner access is required to manage sharing"
+						}
+					};
+					await ctx.core.revokeFlowAccess(accessId);
+					return {
+						status: 204,
+						body: null
+					};
+				}
+			},
+			{
+				method: "GET",
+				path: "/rbac/flows/accessible",
+				isPublic: false,
+				handler: async (ctx) => {
+					if (!ctx.core.isFlowAccessTableEnabled()) return {
+						status: 501,
+						body: {
+							error: "Not Implemented",
+							message: "Flow access table not enabled. Set auth.useFlowAccessTable: true in config."
+						}
+					};
+					const identity = ctx.identity;
+					if (!identity) return {
+						status: 401,
+						body: {
+							error: "Unauthorized",
+							message: "Authentication required"
+						}
+					};
+					if (ctx.core.getPermissions(identity).includes("admin:*")) return {
+						status: 200,
+						body: {
+							flowIds: [],
+							permissions: {},
+							isAdmin: true
+						}
+					};
+					const { flowIds, permissions } = await getCurrentUserAccessibleFlows(ctx.database, identity);
+					return {
+						status: 200,
+						body: {
+							flowIds,
+							permissions,
+							isAdmin: false
+						}
+					};
+				}
+			},
+			{
+				method: "GET",
+				path: "/rbac/flows/:flowId/effective-access",
+				permission: "flow:read",
+				handler: async (ctx) => {
+					const flowId = ctx.params.flowId;
+					if (!flowId) return {
+						status: 400,
+						body: { error: "Missing flowId parameter" }
+					};
+					if (!ctx.identity) return {
+						status: 401,
+						body: {
+							error: "Unauthorized",
+							message: "Authentication required"
+						}
+					};
+					if (!(ctx.core.getPermissions(ctx.identity).includes("admin:*") ? "owner" : await getEffectiveFlowPermission(ctx.database, flowId, ctx.identity))) return {
+						status: 403,
+						body: {
+							error: "Forbidden",
+							message: "No access to this flow"
+						}
+					};
+					const records = await listAllEffectiveFlowAccessRecords(ctx.database, flowId);
+					return {
+						status: 200,
+						body: {
+							flowId,
+							scopeId: await getFlowScopeId(ctx.database, flowId),
+							records
+						}
+					};
+				}
+			},
+			{
+				method: "PUT",
+				path: "/rbac/flows/:flowId/scope",
+				permission: "flow:update",
+				handler: async (ctx) => {
+					const flowId = ctx.params.flowId;
+					const { scopeId } = ctx.body;
+					if (!flowId) return {
+						status: 400,
+						body: { error: "Missing flowId parameter" }
+					};
+					if (!ctx.identity) return {
+						status: 401,
+						body: {
+							error: "Unauthorized",
+							message: "Authentication required"
+						}
+					};
+					if ((ctx.core.getPermissions(ctx.identity).includes("admin:*") ? "owner" : await getEffectiveFlowPermission(ctx.database, flowId, ctx.identity)) !== "owner") return {
+						status: 403,
+						body: {
+							error: "Forbidden",
+							message: "Owner access is required to move flows"
+						}
+					};
+					if (scopeId) {
+						if ((await ctx.database.query("SELECT id FROM rbac_teams WHERE id = ?", [scopeId])).length === 0) return {
+							status: 404,
+							body: { error: "Scope not found" }
+						};
+					}
+					await ctx.database.execute("UPDATE flows SET scope_id = ? WHERE id = ?", [scopeId ?? null, flowId]);
+					return {
+						status: 200,
+						body: {
+							success: true,
+							flowId,
+							scopeId: scopeId ?? null
+						}
+					};
+				}
+			},
+			...enableTeams ? [
+				{
+					method: "GET",
+					path: "/rbac/scopes/tree",
+					isPublic: false,
+					handler: async (ctx) => {
+						if (!ctx.identity) return {
+							status: 401,
+							body: { error: "Unauthorized" }
+						};
+						const [teamRows, flowRows, memberRows, accessRows, teamRoleRows] = await Promise.all([
+							ctx.database.query("SELECT id, name, description, parent_id, created_by, created_at, updated_at FROM rbac_teams ORDER BY name"),
+							ctx.database.query("SELECT id, name, scope_id FROM flows ORDER BY name"),
+							ctx.database.query("SELECT team_id, COUNT(*) AS member_count FROM rbac_team_members GROUP BY team_id"),
+							ctx.database.query("SELECT scope_id, COUNT(*) AS access_count FROM rbac_scope_access GROUP BY scope_id"),
+							ctx.database.query("SELECT scope_id, permission FROM rbac_scope_access WHERE team_id = scope_id AND team_id IS NOT NULL")
+						]);
+						const memberCounts = new Map(memberRows.map((row) => [row.team_id, Number(row.member_count)]));
+						const accessCounts = new Map(accessRows.map((row) => [row.scope_id, Number(row.access_count)]));
+						const teamPermissions = new Map(teamRoleRows.map((row) => [row.scope_id, row.permission]));
+						const nodeMap = /* @__PURE__ */ new Map();
+						for (const row of teamRows) nodeMap.set(row.id, {
+							...normalizeTeamRow(row),
+							children: [],
+							flows: [],
+							directAccessCount: accessCounts.get(row.id) ?? 0,
+							memberCount: memberCounts.get(row.id) ?? 0,
+							teamPermission: teamPermissions.get(row.id) ?? null
+						});
+						const roots = [];
+						for (const node of nodeMap.values()) if (node.parentId && nodeMap.has(node.parentId)) nodeMap.get(node.parentId)?.children.push(node);
+						else roots.push(node);
+						const unscopedFlows = [];
+						for (const flow of flowRows) {
+							const mapped = {
+								id: flow.id,
+								name: flow.name,
+								scopeId: flow.scope_id
+							};
+							if (flow.scope_id && nodeMap.has(flow.scope_id)) nodeMap.get(flow.scope_id)?.flows.push(mapped);
+							else unscopedFlows.push(mapped);
+						}
+						return {
+							status: 200,
+							body: {
+								scopes: roots,
+								unscopedFlows
+							}
+						};
+					}
+				},
+				{
+					method: "GET",
+					path: "/rbac/scopes/:scopeId/access",
+					isPublic: false,
+					handler: async (ctx) => {
+						if (!ctx.identity) return {
+							status: 401,
+							body: { error: "Unauthorized" }
+						};
+						return {
+							status: 200,
+							body: { access: (await ctx.database.query("SELECT id, scope_id, user_id, team_id, permission, granted_by, granted_at FROM rbac_scope_access WHERE scope_id = ?", [ctx.params.scopeId])).map(normalizeScopeAccessRecord) }
+						};
+					}
+				},
+				{
+					method: "POST",
+					path: "/rbac/scopes/:scopeId/access",
+					isPublic: false,
+					handler: async (ctx) => {
+						if (!ctx.identity) return {
+							status: 401,
+							body: { error: "Unauthorized" }
+						};
+						if (!ctx.core.getPermissions(ctx.identity).includes("admin:*")) return {
+							status: 403,
+							body: {
+								error: "Forbidden",
+								message: "Admin access required"
+							}
+						};
+						const { scopeId } = ctx.params;
+						const { userId, teamId, permission } = ctx.body;
+						if (!scopeId) return {
+							status: 400,
+							body: { error: "Missing scopeId parameter" }
+						};
+						if (!userId && !teamId) return {
+							status: 400,
+							body: { error: "Either userId or teamId must be provided" }
+						};
+						if (userId && teamId) return {
+							status: 400,
+							body: { error: "Provide either userId or teamId, not both" }
+						};
+						if (teamId && teamId !== scopeId) return {
+							status: 400,
+							body: { error: "Teams can only hold a role on their own scope" }
+						};
+						if (!isFlowAccessPermission(permission)) return {
+							status: 400,
+							body: { error: "permission must be one of: owner, editor, operator, viewer" }
+						};
+						const existing = await ctx.database.query("SELECT id FROM rbac_scope_access WHERE scope_id = ? AND user_id IS ? AND team_id IS ?", [
+							scopeId,
+							userId ?? null,
+							teamId ?? null
+						]);
+						const now = (/* @__PURE__ */ new Date()).toISOString();
+						if (existing[0]) {
+							await ctx.database.execute("UPDATE rbac_scope_access SET permission = ?, granted_by = ?, granted_at = ? WHERE id = ?", [
+								permission,
+								ctx.identity.id,
+								now,
+								existing[0].id
+							]);
+							return {
+								status: 200,
+								body: {
+									id: existing[0].id,
+									scopeId,
+									userId: userId ?? null,
+									teamId: teamId ?? null,
+									permission,
+									grantedBy: ctx.identity.id,
+									grantedAt: now
+								}
+							};
+						}
+						const id = crypto.randomUUID();
+						await ctx.database.execute("INSERT INTO rbac_scope_access (id, scope_id, user_id, team_id, permission, granted_by, granted_at) VALUES (?, ?, ?, ?, ?, ?, ?)", [
+							id,
+							scopeId,
+							userId ?? null,
+							teamId ?? null,
+							permission,
+							ctx.identity.id,
+							now
+						]);
+						return {
+							status: 201,
+							body: {
+								id,
+								scopeId,
+								userId: userId ?? null,
+								teamId: teamId ?? null,
+								permission,
+								grantedBy: ctx.identity.id,
+								grantedAt: now
+							}
+						};
+					}
+				},
+				{
+					method: "DELETE",
+					path: "/rbac/scopes/:scopeId/access/:accessId",
+					isPublic: false,
+					handler: async (ctx) => {
+						if (!ctx.identity) return {
+							status: 401,
+							body: { error: "Unauthorized" }
+						};
+						if (!ctx.core.getPermissions(ctx.identity).includes("admin:*")) return {
+							status: 403,
+							body: {
+								error: "Forbidden",
+								message: "Admin access required"
+							}
+						};
+						await ctx.database.execute("DELETE FROM rbac_scope_access WHERE id = ?", [ctx.params.accessId]);
+						return {
+							status: 204,
+							body: null
+						};
+					}
+				},
+				{
+					method: "POST",
+					path: "/rbac/preview-move",
+					isPublic: false,
+					handler: async (ctx) => {
+						if (!ctx.identity) return {
+							status: 401,
+							body: { error: "Unauthorized" }
+						};
+						if (!ctx.core.getPermissions(ctx.identity).includes("admin:*")) return {
+							status: 403,
+							body: {
+								error: "Forbidden",
+								message: "Admin access required"
+							}
+						};
+						const { type, id, targetScopeId } = ctx.body;
+						if (!type || !id) return {
+							status: 400,
+							body: { error: "type and id are required" }
+						};
+						let affectedFlowIds = [];
+						let itemName = id;
+						if (type === "flow") {
+							const rows = await ctx.database.query("SELECT id, name FROM flows WHERE id = ?", [id]);
+							if (!rows[0]) return {
+								status: 404,
+								body: { error: "Flow not found" }
+							};
+							itemName = rows[0].name;
+							affectedFlowIds = [id];
+						} else {
+							const scopeRows = await ctx.database.query("SELECT id, name FROM rbac_teams WHERE id = ?", [id]);
+							if (!scopeRows[0]) return {
+								status: 404,
+								body: { error: "Scope not found" }
+							};
+							itemName = scopeRows[0].name;
+							const descendantScopeIds = await getDescendantScopeIds(ctx.database, id);
+							if (targetScopeId && descendantScopeIds.includes(targetScopeId)) return {
+								status: 400,
+								body: { error: "Cannot move a scope into itself or its descendant" }
+							};
+							affectedFlowIds = (await ctx.database.query(`SELECT id FROM flows WHERE scope_id IN (${createInClause(descendantScopeIds.length)})`, descendantScopeIds)).map((row) => row.id);
+						}
+						const targetPath = await getScopePath(ctx.database, targetScopeId ?? null);
+						const targetAncestorIds = targetScopeId ? await getAncestorScopeIds(ctx.database, targetScopeId) : [];
+						const targetScopeAccess = await listAllScopeAccessForScopeIds(ctx.database, targetAncestorIds);
+						const gainedEntries = /* @__PURE__ */ new Map();
+						let unchanged = 0;
+						for (const flowId of affectedFlowIds) {
+							const currentRecords = await listAllEffectiveFlowAccessForPreview(ctx.database, flowId);
+							const currentPermissions = /* @__PURE__ */ new Map();
+							for (const record of currentRecords) {
+								const permission = toFlowAccessPermission(record.permission);
+								if (!permission) continue;
+								const key = buildAccessKey(record);
+								currentPermissions.set(key, getHigherPermission(currentPermissions.get(key) ?? null, permission) ?? permission);
+							}
+							for (const record of targetScopeAccess) {
+								const key = buildAccessKey(record);
+								const existingPermission = currentPermissions.get(key) ?? null;
+								if (existingPermission && FLOW_PERMISSION_LEVELS[existingPermission] >= FLOW_PERMISSION_LEVELS[record.permission]) {
+									unchanged += 1;
+									continue;
+								}
+								gainedEntries.set(key, {
+									userId: record.userId,
+									teamId: record.teamId,
+									permission: record.permission,
+									source: `from ${targetPath.at(-1) ?? "root"}`
+								});
+							}
+						}
+						const gained = await resolveAccessChangeNames(ctx.database, Array.from(gainedEntries.values()));
+						return {
+							status: 200,
+							body: {
+								item: {
+									id,
+									name: itemName,
+									type
+								},
+								target: {
+									id: targetScopeId ?? null,
+									name: targetPath.at(-1) ?? "Unscoped",
+									path: targetPath
+								},
+								affectedFlows: affectedFlowIds.length,
+								accessChanges: {
+									gained,
+									unchanged
+								}
+							}
+						};
+					}
+				},
+				{
+					method: "GET",
+					path: "/rbac/teams",
+					isPublic: false,
+					handler: async (ctx) => {
+						if (!ctx.identity) return {
+							status: 401,
+							body: { error: "Unauthorized" }
+						};
+						return {
+							status: 200,
+							body: { teams: (await ctx.database.query("SELECT id, name, description, parent_id, created_by, created_at, updated_at FROM rbac_teams ORDER BY name")).map((r) => normalizeTeamRow(r)) }
+						};
+					}
+				},
+				{
+					method: "POST",
+					path: "/rbac/teams",
+					isPublic: false,
+					handler: async (ctx) => {
+						if (!ctx.identity) return {
+							status: 401,
+							body: { error: "Unauthorized" }
+						};
+						if (!ctx.core.getPermissions(ctx.identity).includes("admin:*")) return {
+							status: 403,
+							body: {
+								error: "Forbidden",
+								message: "Admin access required"
+							}
+						};
+						const { name, description, parentId } = ctx.body;
+						if (!name?.trim()) return {
+							status: 400,
+							body: { error: "Team name is required" }
+						};
+						if (parentId) {
+							if ((await ctx.database.query("SELECT id FROM rbac_teams WHERE id = ?", [parentId])).length === 0) return {
+								status: 404,
+								body: { error: "Parent scope not found" }
+							};
+						}
+						const id = crypto.randomUUID();
+						const now = (/* @__PURE__ */ new Date()).toISOString();
+						await ctx.database.execute("INSERT INTO rbac_teams (id, name, description, parent_id, created_by, created_at, updated_at) VALUES (?, ?, ?, ?, ?, ?, ?)", [
+							id,
+							name.trim(),
+							description?.trim() || null,
+							parentId ?? null,
+							ctx.identity.id,
+							now,
+							now
+						]);
+						return {
+							status: 201,
+							body: {
+								id,
+								name: name.trim(),
+								description: description?.trim() || null,
+								parentId: parentId ?? null,
+								createdBy: ctx.identity.id,
+								createdAt: now,
+								updatedAt: now
+							}
+						};
+					}
+				},
+				{
+					method: "PUT",
+					path: "/rbac/teams/:teamId",
+					isPublic: false,
+					handler: async (ctx) => {
+						if (!ctx.identity) return {
+							status: 401,
+							body: { error: "Unauthorized" }
+						};
+						if (!ctx.core.getPermissions(ctx.identity).includes("admin:*")) return {
+							status: 403,
+							body: {
+								error: "Forbidden",
+								message: "Admin access required"
+							}
+						};
+						const { teamId } = ctx.params;
+						const { name, description, parentId } = ctx.body;
+						if ((await ctx.database.query("SELECT id FROM rbac_teams WHERE id = ?", [teamId])).length === 0) return {
+							status: 404,
+							body: { error: "Team not found" }
+						};
+						if (parentId === teamId) return {
+							status: 400,
+							body: { error: "A scope cannot be its own parent" }
+						};
+						if (parentId) {
+							if ((await ctx.database.query("SELECT id FROM rbac_teams WHERE id = ?", [parentId])).length === 0) return {
+								status: 404,
+								body: { error: "Parent scope not found" }
+							};
+							if ((await getDescendantScopeIds(ctx.database, teamId)).includes(parentId)) return {
+								status: 400,
+								body: { error: "Cannot move a scope into itself or its descendant" }
+							};
+						}
+						const updates = [];
+						const values = [];
+						if (name !== void 0) {
+							if (!name.trim()) return {
+								status: 400,
+								body: { error: "Team name cannot be empty" }
+							};
+							updates.push("name = ?");
+							values.push(name.trim());
+						}
+						if (description !== void 0) {
+							updates.push("description = ?");
+							values.push(description?.trim() || null);
+						}
+						if (parentId !== void 0) {
+							updates.push("parent_id = ?");
+							values.push(parentId ?? null);
+						}
+						if (updates.length === 0) return {
+							status: 400,
+							body: { error: "No fields to update" }
+						};
+						updates.push("updated_at = ?");
+						values.push((/* @__PURE__ */ new Date()).toISOString());
+						values.push(teamId);
+						await ctx.database.execute(`UPDATE rbac_teams SET ${updates.join(", ")} WHERE id = ?`, values);
+						return {
+							status: 200,
+							body: { success: true }
+						};
+					}
+				},
+				{
+					method: "DELETE",
+					path: "/rbac/teams/:teamId",
+					isPublic: false,
+					handler: async (ctx) => {
+						if (!ctx.identity) return {
+							status: 401,
+							body: { error: "Unauthorized" }
+						};
+						if (!ctx.core.getPermissions(ctx.identity).includes("admin:*")) return {
+							status: 403,
+							body: {
+								error: "Forbidden",
+								message: "Admin access required"
+							}
+						};
+						const { teamId } = ctx.params;
+						const teams = await ctx.database.query("SELECT id, parent_id FROM rbac_teams WHERE id = ?", [teamId]);
+						if (teams.length === 0) return {
+							status: 404,
+							body: { error: "Team not found" }
+						};
+						const parentId = teams[0].parent_id ?? null;
+						await ctx.database.execute("UPDATE flows SET scope_id = ? WHERE scope_id = ?", [parentId, teamId]);
+						await ctx.database.execute("DELETE FROM rbac_teams WHERE id = ?", [teamId]);
+						return {
+							status: 204,
+							body: null
+						};
+					}
+				},
+				{
+					method: "GET",
+					path: "/rbac/teams/:teamId",
+					isPublic: false,
+					handler: async (ctx) => {
+						if (!ctx.identity) return {
+							status: 401,
+							body: { error: "Unauthorized" }
+						};
+						const { teamId } = ctx.params;
+						const teams = await ctx.database.query("SELECT id, name, description, parent_id, created_by, created_at, updated_at FROM rbac_teams WHERE id = ?", [teamId]);
+						if (teams.length === 0) return {
+							status: 404,
+							body: { error: "Team not found" }
+						};
+						const members = await ctx.database.query("SELECT id, team_id, user_id, created_at FROM rbac_team_members WHERE team_id = ?", [teamId]);
+						const team = teams[0];
+						return {
+							status: 200,
+							body: {
+								...normalizeTeamRow(team),
+								members: members.map((m) => ({
+									id: m.id,
+									teamId: m.team_id,
+									userId: m.user_id,
+									createdAt: m.created_at
+								}))
+							}
+						};
+					}
+				},
+				{
+					method: "POST",
+					path: "/rbac/teams/:teamId/members",
+					isPublic: false,
+					handler: async (ctx) => {
+						if (!ctx.identity) return {
+							status: 401,
+							body: { error: "Unauthorized" }
+						};
+						if (!ctx.core.getPermissions(ctx.identity).includes("admin:*")) return {
+							status: 403,
+							body: {
+								error: "Forbidden",
+								message: "Admin access required"
+							}
+						};
+						const { teamId } = ctx.params;
+						const { userId } = ctx.body;
+						if (!userId?.trim()) return {
+							status: 400,
+							body: { error: "userId is required" }
+						};
+						if ((await ctx.database.query("SELECT id FROM rbac_teams WHERE id = ?", [teamId])).length === 0) return {
+							status: 404,
+							body: { error: "Team not found" }
+						};
+						if ((await ctx.database.query("SELECT id FROM rbac_team_members WHERE team_id = ? AND user_id = ?", [teamId, userId.trim()])).length > 0) return {
+							status: 409,
+							body: { error: "User is already a member of this team" }
+						};
+						const id = crypto.randomUUID();
+						const now = (/* @__PURE__ */ new Date()).toISOString();
+						await ctx.database.execute("INSERT INTO rbac_team_members (id, team_id, user_id, created_at) VALUES (?, ?, ?, ?)", [
+							id,
+							teamId,
+							userId.trim(),
+							now
+						]);
+						return {
+							status: 201,
+							body: {
+								id,
+								teamId,
+								userId: userId.trim(),
+								createdAt: now
+							}
+						};
+					}
+				},
+				{
+					method: "DELETE",
+					path: "/rbac/teams/:teamId/members/:userId",
+					isPublic: false,
+					handler: async (ctx) => {
+						if (!ctx.identity) return {
+							status: 401,
+							body: { error: "Unauthorized" }
+						};
+						if (!ctx.core.getPermissions(ctx.identity).includes("admin:*")) return {
+							status: 403,
+							body: {
+								error: "Forbidden",
+								message: "Admin access required"
+							}
+						};
+						const { teamId, userId } = ctx.params;
+						await ctx.database.execute("DELETE FROM rbac_team_members WHERE team_id = ? AND user_id = ?", [teamId, userId]);
+						return {
+							status: 204,
+							body: null
+						};
+					}
+				},
+				{
+					method: "GET",
+					path: "/rbac/my-teams",
+					isPublic: false,
+					handler: async (ctx) => {
+						if (!ctx.identity) return {
+							status: 401,
+							body: { error: "Unauthorized" }
+						};
+						return {
+							status: 200,
+							body: { teams: (await ctx.database.query("SELECT t.id, t.name, t.description, t.parent_id, t.created_by, t.created_at, t.updated_at FROM rbac_teams t INNER JOIN rbac_team_members tm ON t.id = tm.team_id WHERE tm.user_id = ? ORDER BY t.name", [ctx.identity.id])).map((r) => normalizeTeamRow(r)) }
+						};
+					}
+				}
+			] : []
+		],
+		hooks: {
+			onRequest: enableTeams ? async (_request, context) => {
+				if (!context.identity || !capturedDbApi) return;
+				if (context.identity.teamIds && context.identity.teamIds.length > 0) return;
+				try {
+					const rows = await capturedDbApi.query("SELECT team_id FROM rbac_team_members WHERE user_id = ?", [context.identity.id]);
+					if (rows.length > 0) context.identity = {
+						...context.identity,
+						teamIds: rows.map((r) => r.team_id)
+					};
+				} catch {}
+			} : void 0,
+			onAuthorize: async (context) => {
+				if (!useFlowAccessTable) return;
+				const { identity, resource, action } = context;
+				if (!identity || !resource?.id) return;
+				if (!FLOW_RESOURCE_TYPES.has(resource.type)) return;
+				if (identity.permissions?.includes("admin:*") || identity.role === "admin") return { allowed: true };
+				const database = context.database ?? capturedDbApi;
+				if (!database) return;
+				const effectivePermission = await getEffectiveFlowPermission(database, resource.id, identity);
+				if (!effectivePermission) return { allowed: false };
+				const requiredPermission = mapActionToRequiredPermission(action);
+				return { allowed: FLOW_PERMISSION_LEVELS[effectivePermission] >= FLOW_PERMISSION_LEVELS[requiredPermission] };
+			},
+			afterFlowRun: async (_context) => {}
+		},
+		$ERROR_CODES: {
+			"rbac:no_access": {
+				message: "You do not have access to this flow.",
+				status: 403
+			},
+			"rbac:insufficient_permission": {
+				message: "Your access level is insufficient for this operation.",
+				status: 403
+			},
+			"rbac:auth_required": {
+				message: "Authentication is required. Please sign in.",
+				status: 401
+			},
+			"rbac:plugin_missing": {
+				message: "The RBAC plugin requires the @invect/user-auth plugin.",
+				status: 500
+			}
+		}
+	};
+}
+//#endregion
+export { rbacPlugin, resolveTeamIds };
+
+//# sourceMappingURL=index.mjs.map