@jskit-ai/users-core 0.1.32 → 0.1.33

package/package.descriptor.mjs

@@ -1,7 +1,7 @@
 export default Object.freeze({
   packageVersion: 1,
   packageId: "@jskit-ai/users-core",
-  version: "0.1.32",
+  version: "0.1.33",
   kind: "runtime",
   description: "Users/workspace domain runtime plus HTTP routes for workspace, account, and console features.",
   dependsOn: [
@@ -95,7 +95,7 @@ export default Object.freeze({
         {
           method: "GET",
           path: "/api/w/:workspaceSlug/roles",
-          summary: "Get workspace role catalog by workspace slug."
+          summary: "Get role catalog by workspace slug."
         },
         {
           method: "GET",
@@ -198,11 +198,11 @@ export default Object.freeze({
   mutations: {
     dependencies: {
       runtime: {
-        "@jskit-ai/auth-core": "0.1.22",
-        "@jskit-ai/database-runtime": "0.1.23",
-        "@jskit-ai/http-runtime": "0.1.22",
-        "@jskit-ai/kernel": "0.1.23",
-        "@jskit-ai/uploads-runtime": "0.1.1",
+        "@jskit-ai/auth-core": "0.1.23",
+        "@jskit-ai/database-runtime": "0.1.24",
+        "@jskit-ai/http-runtime": "0.1.23",
+        "@jskit-ai/kernel": "0.1.24",
+        "@jskit-ai/uploads-runtime": "0.1.2",
         "@fastify/type-provider-typebox": "^6.1.0",
         "typebox": "^1.0.81"
       },
@@ -290,12 +290,12 @@ export default Object.freeze({
         id: "users-core-app-owned-user-settings-fields"
       },
       {
-        from: "templates/config/workspaceRoles.js",
-        to: "config/workspaceRoles.js",
+        from: "templates/config/roles.js",
+        to: "config/roles.js",
         preserveOnRemove: true,
-        reason: "Install app-owned workspace role catalog in a dedicated config file.",
+        reason: "Install app-owned role catalog in a dedicated config file.",
         category: "users-core",
-        id: "users-core-app-owned-workspace-roles-config"
+        id: "users-core-app-owned-role-catalog-config"
       }
     ],
     text: [
@@ -362,11 +362,11 @@ export default Object.freeze({
         op: "append-text",
         file: "config/public.js",
         position: "top",
-        skipIfContains: "import { workspaceRoles } from \"./workspaceRoles.js\";",
-        value: "import { workspaceRoles } from \"./workspaceRoles.js\";\n",
-        reason: "Load app-owned workspace role catalog from dedicated config file.",
+        skipIfContains: "import { roleCatalog } from \"./roles.js\";",
+        value: "import { roleCatalog } from \"./roles.js\";\n",
+        reason: "Load app-owned role catalog from dedicated config file.",
         category: "users-core",
-        id: "users-core-workspace-roles-public-import"
+        id: "users-core-role-catalog-public-import"
       },
       {
         op: "append-text",
@@ -428,11 +428,11 @@ export default Object.freeze({
         op: "append-text",
         file: "config/public.js",
         position: "bottom",
-        skipIfContains: "config.workspaceRoles = workspaceRoles;",
-        value: "\nconfig.workspaceRoles = workspaceRoles;\n",
-        reason: "Bind app-owned workspace role catalog onto public config.",
+        skipIfContains: "config.roleCatalog = roleCatalog;",
+        value: "\nconfig.roleCatalog = roleCatalog;\n",
+        reason: "Bind app-owned role catalog onto public config.",
         category: "users-core",
-        id: "users-core-workspace-roles-public-config"
+        id: "users-core-role-catalog-public-config"
       },
       {
         op: "append-text",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@jskit-ai/users-core",
-  "version": "0.1.32",
+  "version": "0.1.33",
   "type": "module",
   "scripts": {
     "test": "node --test"
@@ -24,11 +24,11 @@
     "./shared/resources/consoleSettingsFields": "./src/shared/resources/consoleSettingsFields.js"
   },
   "dependencies": {
-    "@jskit-ai/auth-core": "0.1.22",
-    "@jskit-ai/database-runtime": "0.1.23",
-    "@jskit-ai/http-runtime": "0.1.22",
-    "@jskit-ai/kernel": "0.1.23",
-    "@jskit-ai/uploads-runtime": "0.1.1",
+    "@jskit-ai/auth-core": "0.1.23",
+    "@jskit-ai/database-runtime": "0.1.24",
+    "@jskit-ai/http-runtime": "0.1.23",
+    "@jskit-ai/kernel": "0.1.24",
+    "@jskit-ai/uploads-runtime": "0.1.2",
     "@fastify/type-provider-typebox": "^6.1.0",
     "typebox": "^1.0.81"
   }

package/src/server/accountNotifications/accountNotificationsService.js

@@ -9,15 +9,15 @@ import {
 
 function createService({
   userSettingsRepository,
-  userProfilesRepository,
+  usersRepository,
   authService
 } = {}) {
-  if (!userSettingsRepository || !userProfilesRepository) {
+  if (!userSettingsRepository || !usersRepository) {
     throw new Error("accountNotificationsService requires repositories.");
   }
 
   async function updateNotifications(request, user, payload = {}, options = {}) {
-    const profile = await resolveUserProfile(userProfilesRepository, user);
+    const profile = await resolveUserProfile(usersRepository, user);
     if (!profile) {
       throw new AppError(404, "User profile was not found.");
     }

package/src/server/accountNotifications/registerAccountNotifications.js

@@ -14,7 +14,7 @@ function registerAccountNotifications(app) {
     (scope) =>
       createAccountNotificationsService({
         userSettingsRepository: scope.make("userSettingsRepository"),
-        userProfilesRepository: scope.make("userProfilesRepository"),
+        usersRepository: scope.make("usersRepository"),
         authService: scope.make("authService")
       }),
     {

package/src/server/accountPreferences/accountPreferencesService.js

@@ -9,15 +9,15 @@ import {
 
 function createService({
   userSettingsRepository,
-  userProfilesRepository,
+  usersRepository,
   authService
 } = {}) {
-  if (!userSettingsRepository || !userProfilesRepository) {
+  if (!userSettingsRepository || !usersRepository) {
     throw new Error("accountPreferencesService requires repositories.");
   }
 
   async function updatePreferences(request, user, payload = {}, options = {}) {
-    const profile = await resolveUserProfile(userProfilesRepository, user);
+    const profile = await resolveUserProfile(usersRepository, user);
     if (!profile) {
       throw new AppError(404, "User profile was not found.");
     }

package/src/server/accountPreferences/registerAccountPreferences.js

@@ -14,7 +14,7 @@ function registerAccountPreferences(app) {
     (scope) =>
       createAccountPreferencesService({
         userSettingsRepository: scope.make("userSettingsRepository"),
-        userProfilesRepository: scope.make("userProfilesRepository"),
+        usersRepository: scope.make("usersRepository"),
         authService: scope.make("authService")
       }),
     {

package/src/server/accountProfile/accountProfileActions.js

@@ -95,10 +95,17 @@ const accountProfileActions = Object.freeze([
     },
     observability: {},
     async execute(input, context, deps) {
+      const avatarUpload = {
+        stream: input.stream,
+        mimeType: input.mimeType,
+        fileName: input.fileName,
+        uploadDimension: input.uploadDimension
+      };
+
       return deps.accountProfileService.uploadAvatar(
         resolveRequest(context),
         resolveActionUser(context, input),
-        input,
+        avatarUpload,
         {
           context
         }
@@ -125,7 +132,6 @@ const accountProfileActions = Object.freeze([
       return deps.accountProfileService.deleteAvatar(
         resolveRequest(context),
         resolveActionUser(context, input),
-        input,
         {
           context
         }

package/src/server/accountProfile/accountProfileService.js

@@ -9,16 +9,16 @@ import {
 
 function createService({
   userSettingsRepository,
-  userProfilesRepository,
+  usersRepository,
   authService,
   avatarService
 } = {}) {
-  if (!userSettingsRepository || !userProfilesRepository || !avatarService) {
+  if (!userSettingsRepository || !usersRepository || !avatarService) {
     throw new Error("accountProfileService requires repositories and avatarService.");
   }
 
   async function getForUser(request, user, options = {}) {
-    const profile = await resolveUserProfile(userProfilesRepository, user);
+    const profile = await resolveUserProfile(usersRepository, user);
     if (!profile) {
       throw new AppError(404, "User profile was not found.");
     }
@@ -35,7 +35,7 @@ function createService({
   }
 
   async function updateProfile(request, user, payload = {}, options = {}) {
-    const profile = await resolveUserProfile(userProfilesRepository, user);
+    const profile = await resolveUserProfile(usersRepository, user);
     if (!profile) {
       throw new AppError(404, "User profile was not found.");
     }
@@ -49,7 +49,7 @@ function createService({
     }
 
     if (!updatedProfile) {
-      updatedProfile = await userProfilesRepository.updateDisplayNameById(profile.id, payload.displayName);
+      updatedProfile = await usersRepository.updateDisplayNameById(profile.id, payload.displayName);
     }
 
     const settings = await userSettingsRepository.ensureForUserId(updatedProfile.id);
@@ -66,11 +66,11 @@ function createService({
     };
   }
 
-  async function uploadAvatar(request, user, payload = {}, options = {}) {
+  async function uploadAvatar(request, user, avatarUpload = {}, options = {}) {
     void options;
 
-    const avatarUpload = await avatarService.uploadForUser(user, payload);
-    const profile = avatarUpload?.profile || null;
+    const result = await avatarService.uploadForUser(user, avatarUpload);
+    const profile = result?.profile || null;
     if (!profile) {
       throw new AppError(500, "Avatar upload completed without a profile result.");
     }
@@ -86,7 +86,7 @@ function createService({
     });
   }
 
-  async function deleteAvatar(request, user, _payload = {}, options = {}) {
+  async function deleteAvatar(request, user, options = {}) {
     void options;
 
     const profile = await avatarService.clearForUser(user);
@@ -101,7 +101,7 @@ function createService({
     });
   }
 
-  async function readAvatar(_request, user, _payload = {}, options = {}) {
+  async function readAvatar(_request, user, options = {}) {
     void options;
 
     const avatar = await avatarService.readForUser(user);

package/src/server/accountProfile/avatarService.js

@@ -21,9 +21,9 @@ async function readAvatarBuffer(stream, { maxBytes = DEFAULT_AVATAR_POLICY.maxUp
   });
 }
 
-function createService({ userProfilesRepository, avatarStorageService, avatarPolicy } = {}) {
-  if (!userProfilesRepository) {
-    throw new TypeError("avatarService requires userProfilesRepository.");
+function createService({ usersRepository, avatarStorageService, avatarPolicy } = {}) {
+  if (!usersRepository) {
+    throw new TypeError("avatarService requires usersRepository.");
   }
   if (!avatarStorageService) {
     throw new TypeError("avatarService requires avatarStorageService.");
@@ -32,21 +32,21 @@ function createService({ userProfilesRepository, avatarStorageService, avatarPol
   const resolvedAvatarPolicy = resolveAvatarPolicy(avatarPolicy);
 
   async function resolveProfile(user) {
-    const profile = await resolveUserProfile(userProfilesRepository, user);
+    const profile = await resolveUserProfile(usersRepository, user);
     if (!profile) {
       throw new AppError(404, "User profile was not found.");
     }
     return profile;
   }
 
-  async function uploadForUser(user, payload = {}) {
+  async function uploadForUser(user, avatarUpload = {}) {
     const profile = await resolveProfile(user);
-    validateUploadMimeType(payload?.mimeType, resolvedAvatarPolicy, {
+    validateUploadMimeType(avatarUpload?.mimeType, resolvedAvatarPolicy, {
       fieldName: "avatar",
       label: "Avatar"
     });
 
-    const buffer = await readAvatarBuffer(payload.stream, {
+    const buffer = await readAvatarBuffer(avatarUpload?.stream, {
       maxBytes: resolvedAvatarPolicy.maxUploadBytes
     });
 
@@ -57,7 +57,7 @@ function createService({ userProfilesRepository, avatarStorageService, avatarPol
       buffer
     });
 
-    const updatedProfile = await userProfilesRepository.updateAvatarById(profile.id, {
+    const updatedProfile = await usersRepository.updateAvatarById(profile.id, {
       avatarStorageKey: savedAvatar.storageKey,
       avatarVersion,
       avatarUpdatedAt: new Date(avatarVersionMs)
@@ -73,7 +73,7 @@ function createService({ userProfilesRepository, avatarStorageService, avatarPol
     if (profile.avatarStorageKey) {
       await avatarStorageService.deleteAvatar(profile.avatarStorageKey);
     }
-    return userProfilesRepository.clearAvatarById(profile.id);
+    return usersRepository.clearAvatarById(profile.id);
   }
 
   async function readForUser(user) {

package/src/server/accountProfile/bootAccountProfileRoutes.js

@@ -1,4 +1,5 @@
 import { withStandardErrorResponses } from "@jskit-ai/http-runtime/shared/validators/errorResponses";
+import { DEFAULT_IMAGE_UPLOAD_MAX_BYTES } from "@jskit-ai/uploads-runtime/shared";
 import { readSingleMultipartFile } from "@jskit-ai/uploads-runtime/server/multipart/readSingleMultipartFile";
 import { userSettingsResource } from "../../shared/resources/userSettingsResource.js";
 import { userProfileResource } from "../../shared/resources/userProfileResource.js";
@@ -77,7 +78,7 @@ function bootAccountProfileRoutes(app) {
       }
     },
     async function (request, reply) {
-      const avatar = await accountProfileService.readAvatar(request, request.user, {}, {
+      const avatar = await accountProfileService.readAvatar(request, request.user, {
         context: {
           actor: request.user
         }
@@ -114,10 +115,11 @@ function bootAccountProfileRoutes(app) {
     },
     async function (request, reply) {
       const filePart = await readSingleMultipartFile(request, {
-        fieldNames: ["avatar"],
+        fieldName: "avatar",
         required: true,
         fieldErrorKey: "avatar",
-        label: "Avatar"
+        label: "Avatar",
+        maxBytes: DEFAULT_IMAGE_UPLOAD_MAX_BYTES
       });
 
       const uploadDimension = filePart.fields?.uploadDimension?.value;

package/src/server/accountProfile/registerAccountProfile.js

@@ -20,7 +20,7 @@ function registerAccountProfile(app) {
 
   app.singleton("users.avatar.service", (scope) =>
     createAvatarService({
-      userProfilesRepository: scope.make("userProfilesRepository"),
+      usersRepository: scope.make("usersRepository"),
       avatarStorageService: scope.make("users.avatar.storage.service")
     })
   );
@@ -30,7 +30,7 @@ function registerAccountProfile(app) {
     (scope) =>
       createAccountProfileService({
         userSettingsRepository: scope.make("userSettingsRepository"),
-        userProfilesRepository: scope.make("userProfilesRepository"),
+        usersRepository: scope.make("usersRepository"),
         authService: scope.make("authService"),
         avatarService: scope.make("users.avatar.service")
       }),

package/src/server/accountSecurity/accountSecurityService.js

@@ -10,10 +10,10 @@ import {
 
 function createService({
   userSettingsRepository,
-  userProfilesRepository,
+  usersRepository,
   authService
 } = {}) {
-  if (!userSettingsRepository || !userProfilesRepository) {
+  if (!userSettingsRepository || !usersRepository) {
     throw new Error("accountSecurityService requires repositories.");
   }
 
@@ -40,7 +40,7 @@ function createService({
       throw new AppError(501, "Password method toggle is not available.");
     }
 
-    const profile = await resolveUserProfile(userProfilesRepository, user);
+    const profile = await resolveUserProfile(usersRepository, user);
     if (!profile) {
       throw new AppError(404, "User profile was not found.");
     }

package/src/server/accountSecurity/registerAccountSecurity.js

@@ -11,7 +11,7 @@ function registerAccountSecurity(app) {
     const authService = scope.has("authService") ? scope.make("authService") : null;
     return createAccountSecurityService({
       userSettingsRepository: scope.make("userSettingsRepository"),
-      userProfilesRepository: scope.make("userProfilesRepository"),
+      usersRepository: scope.make("usersRepository"),
       authService
     });
   });

package/src/server/common/contributors/workspaceActionContextContributor.js

@@ -2,6 +2,7 @@ import {
   normalizeObject,
   requireServiceMethod
 } from "@jskit-ai/kernel/shared/actions/actionContributorHelpers";
+import { normalizeSurfaceId } from "@jskit-ai/kernel/shared/surface/registry";
 import {
   checkRouteVisibility,
   USERS_ROUTE_VISIBILITY_PUBLIC,
@@ -9,45 +10,51 @@ import {
   USERS_ROUTE_VISIBILITY_WORKSPACE_USER
 } from "../../../shared/support/usersVisibility.js";
 import { resolveActionUser } from "../support/resolveActionUser.js";
-
-const WORKSPACE_CONTEXT_ACTION_IDS = Object.freeze([
-  "workspace.roles.list",
-  "workspace.settings.read",
-  "workspace.settings.update",
-  "workspace.members.list",
-  "workspace.member.role.update",
-  "workspace.member.remove",
-  "workspace.invites.list",
-  "workspace.invite.create",
-  "workspace.invite.revoke"
-]);
 const WORKSPACE_VISIBILITY_ACTION_CONTEXT_SET = new Set([
   USERS_ROUTE_VISIBILITY_WORKSPACE,
   USERS_ROUTE_VISIBILITY_WORKSPACE_USER
 ]);
 
-function createWorkspaceActionContextContributor({ workspaceService } = {}) {
+function normalizeWorkspaceSurfaceIds(surfaceIds = []) {
+  const source = Array.isArray(surfaceIds) ? surfaceIds : [];
+  const normalized = new Set();
+
+  for (const entry of source) {
+    const surfaceId = normalizeSurfaceId(entry);
+    if (!surfaceId) {
+      continue;
+    }
+    normalized.add(surfaceId);
+  }
+
+  return normalized;
+}
+
+function createWorkspaceActionContextContributor({ workspaceService, workspaceSurfaceIds = [] } = {}) {
   const contributorId = "users.workspace.context";
+  const workspaceSurfaceIdSet = normalizeWorkspaceSurfaceIds(workspaceSurfaceIds);
 
   requireServiceMethod(workspaceService, "resolveWorkspaceContextForUserBySlug", contributorId);
 
   return Object.freeze({
     contributorId,
-    async contribute({ actionId, input, context, request } = {}) {
+    async contribute({ definition = null, input, context, request } = {}) {
       const payload = normalizeObject(input);
       if (!Object.hasOwn(payload, "workspaceSlug")) {
         return {};
       }
 
-      const actionName = String(actionId || "").trim();
-      const hasLegacyWorkspaceActionId = WORKSPACE_CONTEXT_ACTION_IDS.includes(actionName);
+      const actionSurfaces = Array.isArray(definition?.surfaces) ? definition.surfaces : [];
+      const hasWorkspaceActionSurface = actionSurfaces.some((surfaceId) => workspaceSurfaceIdSet.has(surfaceId));
+      const routeSurfaceId = normalizeSurfaceId(request?.routeOptions?.config?.surface);
+      const hasWorkspaceSurface = workspaceSurfaceIdSet.has(routeSurfaceId);
       const routeVisibilityInput =
         request && request.routeOptions && request.routeOptions.config
           ? request.routeOptions.config.visibility
           : USERS_ROUTE_VISIBILITY_PUBLIC;
       const routeVisibility = checkRouteVisibility(routeVisibilityInput);
       const hasWorkspaceRouteVisibility = WORKSPACE_VISIBILITY_ACTION_CONTEXT_SET.has(routeVisibility);
-      if (!hasLegacyWorkspaceActionId && !hasWorkspaceRouteVisibility) {
+      if (!hasWorkspaceActionSurface && !hasWorkspaceRouteVisibility && !hasWorkspaceSurface) {
         return {};
       }
 

package/src/server/common/registerCommonRepositories.js

@@ -1,4 +1,4 @@
-import { createRepository as createUserProfilesRepository } from "./repositories/userProfilesRepository.js";
+import { createRepository as createUsersRepository } from "./repositories/usersRepository.js";
 import { createRepository as createUserSettingsRepository } from "./repositories/userSettingsRepository.js";
 import { createRepository as createWorkspacesRepository } from "./repositories/workspacesRepository.js";
 import { createRepository as createWorkspaceMembershipsRepository } from "./repositories/workspaceMembershipsRepository.js";
@@ -10,9 +10,9 @@ function registerCommonRepositories(app) {
     throw new Error("registerCommonRepositories requires application singleton().");
   }
 
-  app.singleton("userProfilesRepository", (scope) => {
+  app.singleton("usersRepository", (scope) => {
     const knex = scope.make("jskit.database.knex");
-    return createUserProfilesRepository(knex);
+    return createUsersRepository(knex);
   });
 
   app.singleton("userSettingsRepository", (scope) => {

package/src/server/common/repositories/{userProfilesRepository.js → usersRepository.js}

@@ -104,7 +104,7 @@ async function resolveUniqueUsername(client, baseUsername, { excludeUserId = 0 }
 
 function createRepository(knex) {
   if (typeof knex !== "function") {
-    throw new TypeError("userProfilesRepository requires knex.");
+    throw new TypeError("usersRepository requires knex.");
   }
 
   async function findById(userId, options = {}) {

package/src/server/common/services/accountContextService.js

@@ -1,9 +1,9 @@
-import { normalizeIdentity } from "../repositories/userProfilesRepository.js";
+import { normalizeIdentity } from "../repositories/usersRepository.js";
 
-async function resolveUserProfile(userProfilesRepository, user) {
+async function resolveUserProfile(usersRepository, user) {
   const identity = normalizeIdentity(user);
   if (identity) {
-    const profile = await userProfilesRepository.findByIdentity(identity);
+    const profile = await usersRepository.findByIdentity(identity);
     if (profile) {
       return profile;
     }
@@ -11,7 +11,7 @@ async function resolveUserProfile(userProfilesRepository, user) {
 
   const userId = Number(user?.id);
   if (Number.isInteger(userId) && userId > 0) {
-    const profileById = await userProfilesRepository.findById(userId);
+    const profileById = await usersRepository.findById(userId);
     if (profileById) {
       return profileById;
     }

package/src/server/common/services/authProfileSyncService.js

@@ -1,5 +1,5 @@
 import { normalizeLowerText, normalizeText } from "@jskit-ai/kernel/shared/actions/textNormalization";
-import { normalizeIdentity } from "../repositories/userProfilesRepository.js";
+import { normalizeIdentity } from "../repositories/usersRepository.js";
 
 function buildNormalizedIdentityKey(identityLike) {
   const identity = normalizeIdentity(identityLike);
@@ -53,12 +53,12 @@ function requireSynchronizedProfile(profile) {
   throw new Error("Profile synchronization failed.");
 }
 
-function createService({ userProfilesRepository, workspaceProvisioningService = null, userSettingsRepository = null } = {}) {
-  if (!userProfilesRepository || typeof userProfilesRepository.findByIdentity !== "function") {
-    throw new Error("authProfileSyncService requires userProfilesRepository.findByIdentity().");
+function createService({ usersRepository, workspaceProvisioningService = null, userSettingsRepository = null } = {}) {
+  if (!usersRepository || typeof usersRepository.findByIdentity !== "function") {
+    throw new Error("authProfileSyncService requires usersRepository.findByIdentity().");
   }
-  if (typeof userProfilesRepository.upsert !== "function") {
-    throw new Error("authProfileSyncService requires userProfilesRepository.upsert().");
+  if (typeof usersRepository.upsert !== "function") {
+    throw new Error("authProfileSyncService requires usersRepository.upsert().");
   }
   if (!userSettingsRepository || typeof userSettingsRepository.ensureForUserId !== "function") {
     throw new Error("authProfileSyncService requires userSettingsRepository.ensureForUserId().");
@@ -66,7 +66,7 @@ function createService({ userProfilesRepository, workspaceProvisioningService =
 
   async function findByIdentity(identityLike, options = {}) {
     const normalized = buildNormalizedIdentityKey(identityLike);
-    return userProfilesRepository.findByIdentity(
+    return usersRepository.findByIdentity(
       {
         provider: normalized.authProvider,
         providerUserId: normalized.authProviderUserSid
@@ -77,7 +77,7 @@ function createService({ userProfilesRepository, workspaceProvisioningService =
 
   async function upsertByIdentity(profileLike, options = {}) {
     const normalized = buildNormalizedIdentityProfile(profileLike);
-    return userProfilesRepository.upsert(
+    return usersRepository.upsert(
       {
         authProvider: normalized.authProvider,
         authProviderUserSid: normalized.authProviderUserSid,
@@ -118,8 +118,8 @@ function createService({ userProfilesRepository, workspaceProvisioningService =
     if (options?.trx) {
       return runSync(options.trx);
     }
-    if (typeof userProfilesRepository.withTransaction === "function") {
-      return userProfilesRepository.withTransaction((trx) => runSync(trx));
+    if (typeof usersRepository.withTransaction === "function") {
+      return usersRepository.withTransaction((trx) => runSync(trx));
     }
     return runSync();
   }

package/src/server/registerWorkspaceBootstrap.js

@@ -17,7 +17,7 @@ function registerWorkspaceBootstrap(app) {
         ? scope.make("users.workspace.pending-invitations.service")
         : null,
       workspaceInvitationsEnabled,
-      userProfilesRepository: scope.make("userProfilesRepository"),
+      usersRepository: scope.make("usersRepository"),
       userSettingsRepository: scope.make("userSettingsRepository"),
       appConfig: resolveAppConfig(scope),
       tenancyProfile: scope.make("users.tenancy.profile"),

package/src/server/registerWorkspaceCore.js

@@ -10,6 +10,7 @@ import { createWorkspaceActionContextContributor } from "./common/contributors/w
 import { createWorkspaceRouteVisibilityResolver } from "./common/contributors/workspaceRouteVisibilityResolver.js";
 import { createWorkspaceAuthPolicyContextResolver } from "./common/contributors/workspaceAuthPolicyContextResolver.js";
 import { resolveWorkspaceInvitationsPolicy } from "./support/workspaceInvitationsPolicy.js";
+import { resolveWorkspaceSurfaceIdsFromAppConfig } from "./support/workspaceActionSurfaces.js";
 
 
 function registerWorkspaceCore(app) {
@@ -29,7 +30,7 @@ function registerWorkspaceCore(app) {
 
   app.singleton("users.profile.sync.service", (scope) => {
     return createAuthProfileSyncService({
-      userProfilesRepository: scope.make("userProfilesRepository"),
+      usersRepository: scope.make("usersRepository"),
       userSettingsRepository: scope.make("userSettingsRepository"),
       workspaceProvisioningService: scope.make("users.workspace.service")
     });
@@ -62,8 +63,10 @@ function registerWorkspaceCore(app) {
   });
 
   registerActionContextContributor(app, "users.core.workspace.actionContextContributor", (scope) => {
+    const appConfig = resolveAppConfig(scope);
     return createWorkspaceActionContextContributor({
-      workspaceService: scope.make("users.workspace.service")
+      workspaceService: scope.make("users.workspace.service"),
+      workspaceSurfaceIds: resolveWorkspaceSurfaceIdsFromAppConfig(appConfig)
     });
   });
 

package/src/server/workspaceBootstrapContributor.js

@@ -230,7 +230,7 @@ function mapUserSettingsBootstrap(settings = {}) {
 function createWorkspaceBootstrapContributor({
   workspaceService,
   workspacePendingInvitationsService,
-  userProfilesRepository,
+  usersRepository,
   userSettingsRepository,
   workspaceInvitationsEnabled = false,
   appConfig = {},
@@ -255,8 +255,8 @@ function createWorkspaceBootstrapContributor({
       serviceLabel: "workspacePendingInvitationsService"
     });
   }
-  requireServiceMethod(userProfilesRepository, "findByIdentity", contributorId, {
-    serviceLabel: "userProfilesRepository"
+  requireServiceMethod(usersRepository, "findByIdentity", contributorId, {
+    serviceLabel: "usersRepository"
   });
   requireServiceMethod(userSettingsRepository, "ensureForUserId", contributorId, {
     serviceLabel: "userSettingsRepository"
@@ -317,7 +317,7 @@ function createWorkspaceBootstrapContributor({
 
       if (normalizedUser) {
         const latestProfile =
-          (await userProfilesRepository.findByIdentity({
+          (await usersRepository.findByIdentity({
             provider: normalizedUser.authProvider,
             providerUserId: normalizedUser.authProviderUserSid
           })) || normalizedUser;

package/src/shared/roles.js

@@ -20,10 +20,35 @@ function normalizeRoleId(value) {
     .toLowerCase();
 }
 
-function createRoleDescriptor(roleSid, configuredDefinition) {
+function resolveInheritedRolePermissions(roleSid, configuredRoles = {}, seenRoleIds = new Set()) {
+  if (seenRoleIds.has(roleSid)) {
+    throw new TypeError(`roleCatalog role "${roleSid}" has circular inheritance.`);
+  }
+
+  const source = asRecord(configuredRoles[roleSid]);
+  const inheritedRoleId = normalizeRoleId(source.inherits);
+  const directPermissions = normalizePermissionList(source.permissions);
+  if (!inheritedRoleId) {
+    return directPermissions;
+  }
+
+  if (!Object.hasOwn(configuredRoles, inheritedRoleId)) {
+    throw new TypeError(`roleCatalog role "${roleSid}" inherits unknown role "${inheritedRoleId}".`);
+  }
+
+  const nextSeenRoleIds = new Set(seenRoleIds);
+  nextSeenRoleIds.add(roleSid);
+
+  return normalizePermissionList([
+    ...resolveInheritedRolePermissions(inheritedRoleId, configuredRoles, nextSeenRoleIds),
+    ...directPermissions
+  ]);
+}
+
+function createRoleDescriptor(roleSid, configuredDefinition, configuredRoles = {}) {
   const source = asRecord(configuredDefinition);
   const assignable = roleSid === OWNER_ROLE_ID ? false : source.assignable === true;
-  const permissions = normalizePermissionList(source.permissions);
+  const permissions = resolveInheritedRolePermissions(roleSid, configuredRoles);
 
   return Object.freeze({
     id: roleSid,
@@ -38,12 +63,12 @@ function listConfiguredRoleIds(appConfig = {}) {
 }
 
 function resolveConfiguredDefaultInviteRole(appConfig = {}) {
-  return normalizeRoleId(appConfig?.workspaceRoles?.defaultInviteRole);
+  return normalizeRoleId(appConfig?.roleCatalog?.workspace?.defaultInviteRole);
 }
 
 function normalizeConfiguredRoles(appConfig = {}) {
-  const workspaceRoles = asRecord(appConfig?.workspaceRoles);
-  const configuredRoles = asRecord(workspaceRoles.roles);
+  const roleCatalog = asRecord(appConfig?.roleCatalog);
+  const configuredRoles = asRecord(roleCatalog.roles);
   const normalizedRoles = {};
 
   for (const [roleSid, roleDefinition] of Object.entries(configuredRoles)) {
@@ -60,7 +85,7 @@ function normalizeConfiguredRoles(appConfig = {}) {
 function createWorkspaceRoleCatalog(appConfig = {}) {
   const configuredRoles = normalizeConfiguredRoles(appConfig);
   const roleIds = listConfiguredRoleIds(appConfig);
-  const roles = roleIds.map((roleSid) => createRoleDescriptor(roleSid, configuredRoles[roleSid]));
+  const roles = roleIds.map((roleSid) => createRoleDescriptor(roleSid, configuredRoles[roleSid], configuredRoles));
   const assignableRoleIds = roles.filter((role) => role.assignable).map((role) => role.id);
   const configuredDefaultInviteRole = resolveConfiguredDefaultInviteRole(appConfig);
   const defaultInviteRole = assignableRoleIds.includes(configuredDefaultInviteRole)

package/templates/config/roles.js

@@ -0,0 +1,27 @@
+export const roleCatalog = {
+  workspace: {
+    defaultInviteRole: "member"
+  },
+  roles: {
+    owner: {
+      assignable: false,
+      permissions: ["*"]
+    },
+    admin: {
+      assignable: true,
+      inherits: "member",
+      permissions: [
+        "workspace.roles.view",
+        "workspace.settings.update",
+        "workspace.members.view",
+        "workspace.members.invite",
+        "workspace.members.manage",
+        "workspace.invites.revoke"
+      ]
+    },
+    member: {
+      assignable: true,
+      permissions: ["workspace.settings.view"]
+    }
+  }
+};

package/test/authProfileSyncService.test.js

@@ -7,7 +7,7 @@ test("authProfileSyncService.syncIdentityProfile uses shared transaction for pro
   const transaction = { trxId: "tx-1" };
 
   const service = createService({
-    userProfilesRepository: {
+    usersRepository: {
       async findByIdentity(_identity, options = {}) {
         calls.push({ step: "find", trx: options.trx || null });
         return null;
@@ -64,7 +64,7 @@ test("authProfileSyncService.syncIdentityProfile skips write path when profile i
   let provisionCalls = 0;
 
   const service = createService({
-    userProfilesRepository: {
+    usersRepository: {
       async findByIdentity() {
         return {
           id: 7,
@@ -109,7 +109,7 @@ test("authProfileSyncService.syncIdentityProfile skips write path when profile i
 test("authProfileSyncService.findByIdentity normalizes provider identity input", async () => {
   let capturedIdentity = null;
   const service = createService({
-    userProfilesRepository: {
+    usersRepository: {
       async findByIdentity(identity) {
         capturedIdentity = identity;
         return null;

package/test/avatarService.test.js

@@ -59,7 +59,7 @@ test("avatarService uploadForUser stores bytes and updates profile avatar fields
   };
 
   const avatarService = createService({
-    userProfilesRepository: repository,
+    usersRepository: repository,
     avatarStorageService
   });
 
@@ -99,7 +99,7 @@ test("avatarService clearForUser removes stored avatar and clears profile fields
   };
 
   const avatarService = createService({
-    userProfilesRepository: repository,
+    usersRepository: repository,
     avatarStorageService
   });
 

package/test/roles.test.js

@@ -7,7 +7,7 @@ import {
   hasPermission
 } from "../src/shared/roles.js";
 
-test("createWorkspaceRoleCatalog resolves role descriptors only from appConfig.workspaceRoles", () => {
+test("createWorkspaceRoleCatalog resolves role descriptors only from appConfig.roleCatalog", () => {
   const emptyCatalog = createWorkspaceRoleCatalog();
   assert.deepEqual(emptyCatalog.roles, []);
   assert.deepEqual(emptyCatalog.assignableRoleIds, []);
@@ -15,8 +15,10 @@ test("createWorkspaceRoleCatalog resolves role descriptors only from appConfig.w
   assert.equal(emptyCatalog.collaborationEnabled, false);
 
   const appConfig = {
-    workspaceRoles: {
-      defaultInviteRole: "editor",
+    roleCatalog: {
+      workspace: {
+        defaultInviteRole: "editor"
+      },
       roles: {
         owner: {
           assignable: false,
@@ -24,7 +26,7 @@ test("createWorkspaceRoleCatalog resolves role descriptors only from appConfig.w
         },
         editor: {
           assignable: true,
-          permissions: ["crud_contacts.*"]
+          permissions: ["crud.contacts.*"]
         }
       }
     }
@@ -35,7 +37,90 @@ test("createWorkspaceRoleCatalog resolves role descriptors only from appConfig.w
   assert.equal(roleCatalog.defaultInviteRole, "editor");
   assert.equal(roleCatalog.assignableRoleIds.includes("editor"), true);
   assert.deepEqual(resolveRolePermissions("owner", appConfig), ["workspace.settings.update"]);
-  assert.equal(hasPermission(editorRole?.permissions, "crud_contacts.update"), true);
+  assert.equal(hasPermission(editorRole?.permissions, "crud.contacts.update"), true);
+});
+
+test("createWorkspaceRoleCatalog resolves inherited role permissions with parent permissions first", () => {
+  const appConfig = {
+    roleCatalog: {
+      workspace: {
+        defaultInviteRole: "member"
+      },
+      roles: {
+        member: {
+          assignable: true,
+          permissions: [
+            "workspace.settings.view",
+            "crud.contacts.list"
+          ]
+        },
+        admin: {
+          assignable: true,
+          inherits: "member",
+          permissions: [
+            "workspace.settings.update",
+            "workspace.members.manage",
+            "workspace.settings.view"
+          ]
+        }
+      }
+    }
+  };
+
+  const roleCatalog = createWorkspaceRoleCatalog(appConfig);
+  const adminRole = roleCatalog.roles.find((role) => role.id === "admin");
+
+  assert.deepEqual(adminRole, {
+    id: "admin",
+    assignable: true,
+    permissions: [
+      "workspace.settings.view",
+      "crud.contacts.list",
+      "workspace.settings.update",
+      "workspace.members.manage"
+    ]
+  });
+});
+
+test("createWorkspaceRoleCatalog rejects unknown inherited roles", () => {
+  assert.throws(
+    () =>
+      createWorkspaceRoleCatalog({
+        roleCatalog: {
+          roles: {
+            admin: {
+              assignable: true,
+              inherits: "member",
+              permissions: []
+            }
+          }
+        }
+      }),
+    /inherits unknown role "member"/
+  );
+});
+
+test("createWorkspaceRoleCatalog rejects circular inherited roles", () => {
+  assert.throws(
+    () =>
+      createWorkspaceRoleCatalog({
+        roleCatalog: {
+          roles: {
+            member: {
+              assignable: true,
+              inherits: "admin",
+              permissions: []
+            },
+            admin: {
+              assignable: true,
+              inherits: "member",
+              permissions: []
+            }
+          }
+        }
+      }),
+    /circular inheritance/
+  );
 });
 
 test("cloneWorkspaceRoleCatalog normalizes role ids and returns detached arrays", () => {

package/test/workspaceActionContextContributor.test.js

@@ -24,7 +24,8 @@ test("workspace action context contributor resolves workspace context for worksp
           permissions: ["workspace.settings.update"]
         };
       }
-    }
+    },
+    workspaceSurfaceIds: ["admin", "app"]
   });
 
   const request = {
@@ -35,7 +36,10 @@ test("workspace action context contributor resolves workspace context for worksp
   };
 
   const contribution = await contributor.contribute({
-    actionId: "workspace.settings.update",
+    definition: {
+      id: "workspace.settings.update",
+      surfaces: ["admin", "app"]
+    },
     input: {
       workspaceSlug: "Acme"
     },
@@ -118,7 +122,8 @@ test("workspace action context contributor always resolves and stores resolved c
           permissions: ["workspace.settings.update"]
         };
       }
-    }
+    },
+    workspaceSurfaceIds: ["admin", "app"]
   });
 
   const request = {
@@ -128,7 +133,10 @@ test("workspace action context contributor always resolves and stores resolved c
   };
 
   const contribution = await contributor.contribute({
-    actionId: "workspace.members.list",
+    definition: {
+      id: "workspace.members.list",
+      surfaces: ["admin", "app"]
+    },
     input: {
       workspaceSlug: "acme"
     },
@@ -205,7 +213,10 @@ test("workspace action context contributor resolves context for workspace-visibl
   };
 
   const contribution = await contributor.contribute({
-    actionId: "assistant.conversations.list",
+    definition: {
+      id: "assistant.conversations.list",
+      surfaces: ["admin"]
+    },
     input: {
       workspaceSlug: "acme"
     },
@@ -249,3 +260,85 @@ test("workspace action context contributor resolves context for workspace-visibl
     permissions: ["assistant.chat.use"]
   });
 });
+
+test("workspace action context contributor resolves context for workspace surfaces even when route visibility is public", async () => {
+  const calls = [];
+  const contributor = createWorkspaceActionContextContributor({
+    workspaceService: {
+      async resolveWorkspaceContextForUserBySlug(user, workspaceSlug, options) {
+        calls.push({ user, workspaceSlug, options });
+        return {
+          workspace: {
+            id: 77,
+            slug: "acme"
+          },
+          membership: {
+            roleSid: "member"
+          },
+          permissions: ["crud.breeds.list"]
+        };
+      }
+    },
+    workspaceSurfaceIds: ["admin", "app"]
+  });
+
+  const request = {
+    user: {
+      id: 42
+    },
+    routeOptions: {
+      config: {
+        surface: "admin",
+        visibility: "public"
+      }
+    }
+  };
+
+  const contribution = await contributor.contribute({
+    definition: {
+      id: "crud.breeds.list",
+      surfaces: ["admin"]
+    },
+    input: {
+      workspaceSlug: "acme"
+    },
+    context: {
+      requestMeta: {
+        request
+      }
+    },
+    request
+  });
+
+  assert.deepEqual(calls, [
+    {
+      user: request.user,
+      workspaceSlug: "acme",
+      options: {
+        request
+      }
+    }
+  ]);
+  assert.deepEqual(contribution, {
+    requestMeta: {
+      resolvedWorkspaceContext: {
+        workspace: {
+          id: 77,
+          slug: "acme"
+        },
+        membership: {
+          roleSid: "member"
+        },
+        permissions: ["crud.breeds.list"]
+      }
+    },
+    workspace: {
+      id: 77,
+      slug: "acme"
+    },
+    membership: {
+      roleSid: "member"
+    },
+    permissions: ["crud.breeds.list"]
+  });
+});

package/test/workspaceBootstrapContributor.test.js

@@ -39,7 +39,7 @@ test("workspace bootstrap contributor passes actor context to pending invites se
         return [];
       }
     },
-    userProfilesRepository: {
+    usersRepository: {
       async findByIdentity() {
         return profile;
       }
@@ -101,7 +101,7 @@ test("workspace bootstrap contributor seeds the initial console owner on authent
         return [];
       }
     },
-    userProfilesRepository: {
+    usersRepository: {
       async findByIdentity() {
         return profile;
       }
@@ -162,7 +162,7 @@ test("workspace bootstrap contributor emits canonical tenancy profile from users
         return [];
       }
     },
-    userProfilesRepository: {
+    usersRepository: {
       async findByIdentity() {
         return null;
       }
@@ -228,7 +228,7 @@ test("workspace bootstrap contributor resolves workspace slug from bootstrap que
         return [];
       }
     },
-    userProfilesRepository: {
+    usersRepository: {
       async findByIdentity() {
         return profile;
       }
@@ -291,7 +291,7 @@ test("workspace bootstrap contributor returns global payload with requestedWorks
         return [];
       }
     },
-    userProfilesRepository: {
+    usersRepository: {
       async findByIdentity() {
         return profile;
       }
@@ -363,7 +363,7 @@ test("workspace bootstrap contributor returns requestedWorkspace=not_found when
         return [];
       }
     },
-    userProfilesRepository: {
+    usersRepository: {
       async findByIdentity() {
         return profile;
       }
@@ -427,7 +427,7 @@ test("workspace bootstrap contributor returns requestedWorkspace=unauthenticated
         return [];
       }
     },
-    userProfilesRepository: {
+    usersRepository: {
       async findByIdentity() {
         return null;
       }

package/test/workspaceMembersService.test.js

@@ -16,8 +16,10 @@ function authorizedOptions(permissions = []) {
 
 function createRoleCatalog() {
   return createWorkspaceRoleCatalog({
-    workspaceRoles: {
-      defaultInviteRole: "member",
+    roleCatalog: {
+      workspace: {
+        defaultInviteRole: "member"
+      },
       roles: {
         owner: {
           assignable: false,

package/test/workspaceService.test.js

@@ -2,9 +2,11 @@ import test from "node:test";
 import assert from "node:assert/strict";
 import { createService } from "../src/server/common/services/workspaceContextService.js";
 
-function createWorkspaceRoles() {
+function createRoleCatalog() {
   return {
-    defaultInviteRole: "member",
+    workspace: {
+      defaultInviteRole: "member"
+    },
     roles: {
       owner: {
         assignable: false,
@@ -21,7 +23,7 @@ function createWorkspaceRoles() {
 function createWorkspaceServiceFixture({
   tenancyMode = "workspaces",
   tenancyPolicy = {},
-  workspaceRoles = createWorkspaceRoles(),
+  roleCatalog = createRoleCatalog(),
   additionalWorkspaces = [],
   userWorkspaceRows = null,
   membershipResolver = null,
@@ -69,7 +71,7 @@ function createWorkspaceServiceFixture({
     appConfig: {
       tenancyMode,
       tenancyPolicy,
-      workspaceRoles: workspaceRoles && typeof workspaceRoles === "object" ? { ...workspaceRoles } : workspaceRoles
+      roleCatalog: roleCatalog && typeof roleCatalog === "object" ? { ...roleCatalog } : roleCatalog
     },
     workspacesRepository: {
       async findBySlug(slug) {
@@ -404,7 +406,7 @@ test("workspaceService.resolveWorkspaceContextForUserBySlug grants owner access
   const service = createService({
     appConfig: {
       tenancyMode: "personal",
-      workspaceRoles: createWorkspaceRoles()
+      roleCatalog: createRoleCatalog()
     },
     workspacesRepository: {
       async findBySlug(slug) {
@@ -468,10 +470,12 @@ test("workspaceService.resolveWorkspaceContextForUserBySlug grants owner access
   assert.deepEqual(context.permissions, ["*"]);
 });
 
-test("workspaceService.resolveWorkspaceContextForUserBySlug resolves permissions from appConfig.workspaceRoles", async () => {
+test("workspaceService.resolveWorkspaceContextForUserBySlug resolves permissions from appConfig.roleCatalog", async () => {
   const { service } = createWorkspaceServiceFixture({
-    workspaceRoles: {
-      defaultInviteRole: "member",
+    roleCatalog: {
+      workspace: {
+        defaultInviteRole: "member"
+      },
       roles: {
         owner: {
           assignable: false,

package/test/workspaceSettingsResource.test.js

@@ -8,8 +8,10 @@ import { createWorkspaceRoleCatalog } from "../src/shared/roles.js";
 
 function createRoleCatalog() {
   return createWorkspaceRoleCatalog({
-    workspaceRoles: {
-      defaultInviteRole: "member",
+    roleCatalog: {
+      workspace: {
+        defaultInviteRole: "member"
+      },
       roles: {
         owner: {
           assignable: false,

package/templates/config/workspaceRoles.js

@@ -1,30 +0,0 @@
-export const workspaceRoles = {};
-
-workspaceRoles.defaultInviteRole = "member";
-workspaceRoles.roles = {};
-
-workspaceRoles.roles.owner = {
-  assignable: false,
-  permissions: []
-};
-workspaceRoles.roles.owner.permissions.push("*");
-
-workspaceRoles.roles.admin = {
-  assignable: true,
-  permissions: []
-};
-workspaceRoles.roles.admin.permissions.push(
-  "workspace.roles.view",
-  "workspace.settings.view",
-  "workspace.settings.update",
-  "workspace.members.view",
-  "workspace.members.invite",
-  "workspace.members.manage",
-  "workspace.invites.revoke"
-);
-
-workspaceRoles.roles.member = {
-  assignable: true,
-  permissions: []
-};
-workspaceRoles.roles.member.permissions.push("workspace.settings.view");