npm - @nextsparkjs/core - Versions diffs - 0.1.0-beta.92 → 0.1.0-beta.94 - Mend

@nextsparkjs/core 0.1.0-beta.92 → 0.1.0-beta.94

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (341) hide show

package/dist/templates/app/api/v1/media-tags/route.ts ADDED Viewed

@@ -0,0 +1,65 @@
+import { NextRequest } from 'next/server'
+import { authenticateRequest, hasRequiredScope } from '@nextsparkjs/core/lib/api/auth/dual-auth'
+import { createApiResponse, createApiError } from '@nextsparkjs/core/lib/api/helpers'
+import { withRateLimitTier } from '@nextsparkjs/core/lib/api/rate-limit'
+import { MediaService } from '@nextsparkjs/core/lib/services/media.service'
+/**
+ * GET /api/v1/media-tags
+ *
+ * List all available media tags (taxonomies of type 'media_tag').
+ *
+ * Authentication: Requires valid session or API key with media:read scope
+ */
+export const GET = withRateLimitTier(async (request: NextRequest) => {
+  try {
+    const authResult = await authenticateRequest(request)
+    if (!authResult.success) {
+      return createApiError('Unauthorized', 401)
+    }
+    if (!hasRequiredScope(authResult, 'media:read')) {
+      return createApiError('Insufficient permissions', 403)
+    }
+    const tags = await MediaService.getTags(authResult.user!.id)
+    return createApiResponse(tags)
+  } catch (error) {
+    console.error('[Media Tags API] Error listing tags:', error)
+    return createApiError('Failed to list media tags', 500)
+  }
+}, 'read')
+/**
+ * POST /api/v1/media-tags
+ *
+ * Create a new media tag.
+ * Body: { name: string }
+ *
+ * Authentication: Requires valid session or API key with media:write scope
+ */
+export const POST = withRateLimitTier(async (request: NextRequest) => {
+  try {
+    const authResult = await authenticateRequest(request)
+    if (!authResult.success) {
+      return createApiError('Unauthorized', 401)
+    }
+    if (!hasRequiredScope(authResult, 'media:write')) {
+      return createApiError('Insufficient permissions', 403)
+    }
+    const body = await request.json()
+    const { name } = body
+    if (!name || typeof name !== 'string' || !name.trim()) {
+      return createApiError('Tag name is required', 400)
+    }
+    const tag = await MediaService.createTag(name, authResult.user!.id)
+    return createApiResponse(tag, undefined, 201)
+  } catch (error) {
+    console.error('[Media Tags API] Error creating tag:', error)
+    return createApiError('Failed to create media tag', 500)
+  }
+}, 'write')

package/dist/templates/app/api/v1/plugin/[...path]/route.ts CHANGED Viewed

@@ -8,46 +8,47 @@
 import { NextRequest, NextResponse } from 'next/server'
 import { PluginService, type RouteFileEndpoint, type PluginRegistryEntry } from '@nextsparkjs/core/lib/services'
 import { PLUGIN_REGISTRY } from '@nextsparkjs/registries/plugin-registry'
+import { withRateLimitTier } from '@nextsparkjs/core/lib/api/rate-limit'
-export async function GET(
+export const GET = withRateLimitTier(async (
   request: NextRequest,
   { params }: { params: Promise<{ path: string[] }> }
-) {
+) => {
   const { path } = await params
   return handlePluginRequest(request, path, 'GET')
-}
+}, 'read');
-export async function POST(
+export const POST = withRateLimitTier(async (
   request: NextRequest,
   { params }: { params: Promise<{ path: string[] }> }
-) {
+) => {
   const { path } = await params
   return handlePluginRequest(request, path, 'POST')
-}
+}, 'write');
-export async function PUT(
+export const PUT = withRateLimitTier(async (
   request: NextRequest,
   { params }: { params: Promise<{ path: string[] }> }
-) {
+) => {
   const { path } = await params
   return handlePluginRequest(request, path, 'PUT')
-}
+}, 'write');
-export async function DELETE(
+export const DELETE = withRateLimitTier(async (
   request: NextRequest,
   { params }: { params: Promise<{ path: string[] }> }
-) {
+) => {
   const { path } = await params
   return handlePluginRequest(request, path, 'DELETE')
-}
+}, 'write');
-export async function PATCH(
+export const PATCH = withRateLimitTier(async (
   request: NextRequest,
   { params }: { params: Promise<{ path: string[] }> }
-) {
+) => {
   const { path } = await params
   return handlePluginRequest(request, path, 'PATCH')
-}
+}, 'write');
 /**
  * Handle plugin API requests with nested paths

package/dist/templates/app/api/v1/plugin/route.ts CHANGED Viewed

@@ -8,10 +8,11 @@
 import { NextResponse } from 'next/server'
 import { PluginService, type PluginRegistryEntry } from '@nextsparkjs/core/lib/services'
 import { PLUGIN_REGISTRY } from '@nextsparkjs/registries/plugin-registry'
+import { withRateLimitTier } from '@nextsparkjs/core/lib/api/rate-limit'
-export async function GET() {
+export const GET = withRateLimitTier(async () => {
   return listPluginsWithAPI()
-}
+}, 'read');
 /**
  * List all plugins with their API status

package/dist/templates/app/api/v1/post-categories/[id]/route.ts CHANGED Viewed

@@ -2,6 +2,7 @@ import { NextRequest, NextResponse } from 'next/server'
 import { authenticateRequest } from '@nextsparkjs/core/lib/api/auth/dual-auth'
 import { query as dbQuery } from '@nextsparkjs/core/lib/db'
 import { z } from 'zod'
+import { withRateLimitTier } from '@nextsparkjs/core/lib/api/rate-limit'
 const updateCategorySchema = z.object({
   name: z.string().min(1).max(255).optional(),
@@ -16,10 +17,10 @@ const updateCategorySchema = z.object({
 })
 // GET /api/v1/post-categories/:id - Get category by ID
-export async function GET(
+export const GET = withRateLimitTier(async (
   request: NextRequest,
   { params }: { params: Promise<{ id: string }> }
-): Promise<NextResponse> {
+): Promise<NextResponse> => {
   try {
     const { id } = await params
@@ -43,13 +44,13 @@ export async function GET(
     console.error('Error in post-categories API:', err)
     return NextResponse.json({ success: false, error: 'Internal server error' }, { status: 500 })
   }
-}
+}, 'read');
 // PUT /api/v1/post-categories/:id - Update category
-export async function PUT(
+export const PUT = withRateLimitTier(async (
   request: NextRequest,
   { params }: { params: Promise<{ id: string }> }
-): Promise<NextResponse> {
+): Promise<NextResponse> => {
   try {
     // Dual authentication: API key or session
     const authResult = await authenticateRequest(request)
@@ -183,13 +184,13 @@ export async function PUT(
     const errorMessage = err instanceof Error ? err.message : 'Internal server error'
     return NextResponse.json({ success: false, error: errorMessage }, { status: 500 })
   }
-}
+}, 'write');
 // DELETE /api/v1/post-categories/:id - Delete category
-export async function DELETE(
+export const DELETE = withRateLimitTier(async (
   request: NextRequest,
   { params }: { params: Promise<{ id: string }> }
-): Promise<NextResponse> {
+): Promise<NextResponse> => {
   try {
     // Dual authentication: API key or session
     const authResult = await authenticateRequest(request)
@@ -252,4 +253,4 @@ export async function DELETE(
     console.error('Error in post-categories API DELETE:', err)
     return NextResponse.json({ success: false, error: 'Internal server error' }, { status: 500 })
   }
-}
+}, 'write');

package/dist/templates/app/api/v1/post-categories/route.ts CHANGED Viewed

@@ -2,6 +2,7 @@ import { NextRequest, NextResponse } from 'next/server'
 import { authenticateRequest } from '@nextsparkjs/core/lib/api/auth/dual-auth'
 import { query as dbQuery } from '@nextsparkjs/core/lib/db'
 import { z } from 'zod'
+import { withRateLimitTier } from '@nextsparkjs/core/lib/api/rate-limit'
 const createCategorySchema = z.object({
   name: z.string().min(1).max(255),
@@ -26,7 +27,7 @@ function generateSlug(name: string): string {
 }
 // GET /api/v1/post-categories - List categories (filters taxonomies by type = 'post_category')
-export async function GET() {
+export const GET = withRateLimitTier(async () => {
   try {
     const result = await dbQuery(
       `SELECT id, name, slug, description, icon, color, "parentId", "order", "isDefault", "isActive",
@@ -44,10 +45,10 @@ export async function GET() {
     console.error('Error fetching post categories:', error)
     return NextResponse.json({ success: false, error: 'Internal server error' }, { status: 500 })
   }
-}
+}, 'read');
 // POST /api/v1/post-categories - Create category
-export async function POST(request: NextRequest) {
+export const POST = withRateLimitTier(async (request: NextRequest) => {
   try {
     // Dual authentication: API key or session
     const authResult = await authenticateRequest(request)
@@ -116,4 +117,4 @@ export async function POST(request: NextRequest) {
     console.error('Error creating post category:', error)
     return NextResponse.json({ success: false, error: 'Internal server error' }, { status: 500 })
   }
-}
+}, 'write');

package/dist/templates/app/api/v1/team-invitations/[token]/accept/route.ts CHANGED Viewed

@@ -8,7 +8,7 @@ import {
   addCorsHeaders,
 } from '@nextsparkjs/core/lib/api/helpers'
 import { authenticateRequest } from '@nextsparkjs/core/lib/api/auth/dual-auth'
-import { checkRateLimit } from '@nextsparkjs/core/lib/api/rate-limit'
+import { checkRateLimit, withRateLimitTier } from '@nextsparkjs/core/lib/api/rate-limit'
 import { RATE_LIMITS } from '@nextsparkjs/core/lib/api/keys'
 import type { TeamInvitation, TeamMember } from '@nextsparkjs/core/lib/teams/types'
@@ -18,7 +18,7 @@ export async function OPTIONS() {
 }
 // POST /api/v1/team-invitations/:token/accept - Accept invitation and become member
-export const POST = withApiLogging(
+export const POST = withRateLimitTier(withApiLogging(
   async (req: NextRequest, { params }: { params: Promise<{ token: string }> }): Promise<NextResponse> => {
     try {
       // Authenticate using dual auth
@@ -176,4 +176,4 @@ export const POST = withApiLogging(
       return addCorsHeaders(response)
     }
   }
-)
+), 'write');

package/dist/templates/app/api/v1/team-invitations/[token]/decline/route.ts CHANGED Viewed

@@ -8,7 +8,7 @@ import {
   addCorsHeaders,
 } from '@nextsparkjs/core/lib/api/helpers'
 import { authenticateRequest } from '@nextsparkjs/core/lib/api/auth/dual-auth'
-import { checkRateLimit } from '@nextsparkjs/core/lib/api/rate-limit'
+import { checkRateLimit, withRateLimitTier } from '@nextsparkjs/core/lib/api/rate-limit'
 import { RATE_LIMITS } from '@nextsparkjs/core/lib/api/keys'
 import type { TeamInvitation } from '@nextsparkjs/core/lib/teams/types'
@@ -18,7 +18,7 @@ export async function OPTIONS() {
 }
 // POST /api/v1/team-invitations/:token/decline - Decline invitation
-export const POST = withApiLogging(
+export const POST = withRateLimitTier(withApiLogging(
   async (req: NextRequest, { params }: { params: Promise<{ token: string }> }): Promise<NextResponse> => {
     try {
       // Authenticate using dual auth
@@ -117,4 +117,4 @@ export const POST = withApiLogging(
       return addCorsHeaders(response)
     }
   }
-)
+), 'write');

package/dist/templates/app/api/v1/team-invitations/[token]/route.ts CHANGED Viewed

@@ -8,6 +8,7 @@ import {
   addCorsHeaders,
 } from '@nextsparkjs/core/lib/api/helpers'
 import type { TeamInvitation } from '@nextsparkjs/core/lib/teams/types'
+import { withRateLimitTier } from '@nextsparkjs/core/lib/api/rate-limit'
 // Handle CORS preflight
 export async function OPTIONS() {
@@ -15,7 +16,7 @@ export async function OPTIONS() {
 }
 // GET /api/v1/team-invitations/:token - Get invitation details (public endpoint for preview)
-export const GET = withApiLogging(
+export const GET = withRateLimitTier(withApiLogging(
   async (req: NextRequest, { params }: { params: Promise<{ token: string }> }): Promise<NextResponse> => {
     try {
       const { token } = await params
@@ -86,4 +87,4 @@ export const GET = withApiLogging(
       return addCorsHeaders(response)
     }
   }
-)
+), 'read');

package/dist/templates/app/api/v1/team-invitations/route.ts CHANGED Viewed

@@ -11,6 +11,7 @@ import {
 import { authenticateRequest } from '@nextsparkjs/core/lib/api/auth/dual-auth'
 import { invitationListQuerySchema } from '@nextsparkjs/core/lib/teams/schema'
 import type { TeamInvitation } from '@nextsparkjs/core/lib/teams/types'
+import { withRateLimitTier } from '@nextsparkjs/core/lib/api/rate-limit'
 // Handle CORS preflight
 export async function OPTIONS() {
@@ -18,7 +19,7 @@ export async function OPTIONS() {
 }
 // GET /api/v1/team-invitations - List pending invitations for current user
-export const GET = withApiLogging(async (req: NextRequest): Promise<NextResponse> => {
+export const GET = withRateLimitTier(withApiLogging(async (req: NextRequest): Promise<NextResponse> => {
   try {
     // Authenticate using dual auth
     const authResult = await authenticateRequest(req)
@@ -111,4 +112,4 @@ export const GET = withApiLogging(async (req: NextRequest): Promise<NextResponse
     const response = createApiError('Internal server error', 500)
     return addCorsHeaders(response)
   }
-})
+}), 'read');

package/dist/templates/app/api/v1/teams/[teamId]/invitations/route.ts CHANGED Viewed

@@ -9,6 +9,7 @@ import {
   addCorsHeaders,
 } from '@nextsparkjs/core/lib/api/helpers'
 import { authenticateRequest } from '@nextsparkjs/core/lib/api/auth/dual-auth'
+import { withRateLimitTier } from '@nextsparkjs/core/lib/api/rate-limit'
 import { TeamMemberService, MembershipService } from '@nextsparkjs/core/lib/services'
 import type { TeamInvitation } from '@nextsparkjs/core/lib/teams/types'
@@ -18,7 +19,7 @@ export async function OPTIONS() {
 }
 // GET /api/v1/teams/:teamId/invitations - List pending invitations for a team
-export const GET = withApiLogging(
+export const GET = withRateLimitTier(withApiLogging(
   async (req: NextRequest, { params }: { params: Promise<{ teamId: string }> }): Promise<NextResponse> => {
     try {
       // Authenticate using dual auth
@@ -98,10 +99,10 @@ export const GET = withApiLogging(
       return addCorsHeaders(response)
     }
   }
-)
+), 'read')
 // DELETE /api/v1/teams/:teamId/invitations/:invitationId - Cancel/revoke an invitation
-export const DELETE = withApiLogging(
+export const DELETE = withRateLimitTier(withApiLogging(
   async (req: NextRequest, { params }: { params: Promise<{ teamId: string }> }): Promise<NextResponse> => {
     try {
       // Authenticate using dual auth
@@ -168,4 +169,4 @@ export const DELETE = withApiLogging(
       return addCorsHeaders(response)
     }
   }
-)
+), 'write')

package/dist/templates/app/api/v1/teams/[teamId]/invoices/[invoiceNumber]/route.ts CHANGED Viewed

@@ -8,6 +8,7 @@ import {
   addCorsHeaders,
 } from '@nextsparkjs/core/lib/api/helpers'
 import { authenticateRequest } from '@nextsparkjs/core/lib/api/auth/dual-auth'
+import { withRateLimitTier } from '@nextsparkjs/core/lib/api/rate-limit'
 import { MembershipService } from '@nextsparkjs/core/lib/services'
 import type { InvoiceResponse } from '@nextsparkjs/core/lib/validation/invoices'
@@ -17,7 +18,7 @@ export async function OPTIONS() {
 }
 // GET /api/v1/teams/:teamId/invoices/:invoiceNumber - Get single invoice (owner only)
-export const GET = withApiLogging(
+export const GET = withRateLimitTier(withApiLogging(
   async (
     req: NextRequest,
     { params }: { params: Promise<{ teamId: string; invoiceNumber: string }> }
@@ -102,4 +103,4 @@ export const GET = withApiLogging(
       return addCorsHeaders(response)
     }
   }
-)
+), 'read')

package/dist/templates/app/api/v1/teams/[teamId]/invoices/route.ts CHANGED Viewed

@@ -9,6 +9,7 @@ import {
   addCorsHeaders,
 } from '@nextsparkjs/core/lib/api/helpers'
 import { authenticateRequest } from '@nextsparkjs/core/lib/api/auth/dual-auth'
+import { withRateLimitTier } from '@nextsparkjs/core/lib/api/rate-limit'
 import { MembershipService } from '@nextsparkjs/core/lib/services'
 import { invoiceQuerySchema } from '@nextsparkjs/core/lib/validation/invoices'
 import type { InvoiceResponse } from '@nextsparkjs/core/lib/validation/invoices'
@@ -19,7 +20,7 @@ export async function OPTIONS() {
 }
 // GET /api/v1/teams/:teamId/invoices - List team invoices (owner only)
-export const GET = withApiLogging(
+export const GET = withRateLimitTier(withApiLogging(
   async (req: NextRequest, { params }: { params: Promise<{ teamId: string }> }): Promise<NextResponse> => {
     try {
       // Authenticate using dual auth (API key OR session)
@@ -122,4 +123,4 @@ export const GET = withApiLogging(
       return addCorsHeaders(response)
     }
   }
-)
+), 'read')

package/dist/templates/app/api/v1/teams/[teamId]/members/[memberId]/route.ts CHANGED Viewed

@@ -8,6 +8,7 @@ import {
   addCorsHeaders,
 } from '@nextsparkjs/core/lib/api/helpers'
 import { authenticateRequest } from '@nextsparkjs/core/lib/api/auth/dual-auth'
+import { withRateLimitTier } from '@nextsparkjs/core/lib/api/rate-limit'
 import { updateMemberRoleSchema } from '@nextsparkjs/core/lib/teams/schema'
 import { MembershipService } from '@nextsparkjs/core/lib/services'
 import { validateRoleTransition, canManageRole } from '@nextsparkjs/core/lib/teams/permissions'
@@ -19,7 +20,7 @@ export async function OPTIONS() {
 }
 // PATCH /api/v1/teams/:teamId/members/:memberId - Update member role
-export const PATCH = withApiLogging(
+export const PATCH = withRateLimitTier(withApiLogging(
   async (
     req: NextRequest,
     { params }: { params: Promise<{ teamId: string; memberId: string }> }
@@ -155,10 +156,10 @@ export const PATCH = withApiLogging(
       return addCorsHeaders(response)
     }
   }
-)
+), 'write')
 // DELETE /api/v1/teams/:teamId/members/:memberId - Remove member from team
-export const DELETE = withApiLogging(
+export const DELETE = withRateLimitTier(withApiLogging(
   async (
     req: NextRequest,
     { params }: { params: Promise<{ teamId: string; memberId: string }> }
@@ -260,4 +261,4 @@ export const DELETE = withApiLogging(
       return addCorsHeaders(response)
     }
   }
-)
+), 'write')

package/dist/templates/app/api/v1/teams/[teamId]/members/route.ts CHANGED Viewed

@@ -10,7 +10,7 @@ import {
 } from '@nextsparkjs/core/lib/api/helpers'
 import { authenticateRequest } from '@nextsparkjs/core/lib/api/auth/dual-auth'
 import { isSuperAdmin } from '@nextsparkjs/core/lib/api/auth/permissions'
-import { checkRateLimit } from '@nextsparkjs/core/lib/api/rate-limit'
+import { checkRateLimit, withRateLimitTier } from '@nextsparkjs/core/lib/api/rate-limit'
 import { RATE_LIMITS } from '@nextsparkjs/core/lib/api/keys'
 import { inviteMemberSchema, memberListQuerySchema } from '@nextsparkjs/core/lib/teams/schema'
 import { TeamMemberService, MembershipService } from '@nextsparkjs/core/lib/services'
@@ -37,7 +37,7 @@ export async function OPTIONS() {
 }
 // GET /api/v1/teams/:teamId/members - List team members
-export const GET = withApiLogging(
+export const GET = withRateLimitTier(withApiLogging(
   async (req: NextRequest, { params }: { params: Promise<{ teamId: string }> }): Promise<NextResponse> => {
     try {
       // Authenticate using dual auth
@@ -159,10 +159,10 @@ export const GET = withApiLogging(
       return addCorsHeaders(response)
     }
   }
-)
+), 'read')
 // POST /api/v1/teams/:teamId/members - Invite new member (creates invitation)
-export const POST = withApiLogging(
+export const POST = withRateLimitTier(withApiLogging(
   async (req: NextRequest, { params }: { params: Promise<{ teamId: string }> }): Promise<NextResponse> => {
     try {
       // Authenticate using dual auth
@@ -355,4 +355,4 @@ export const POST = withApiLogging(
       return addCorsHeaders(response)
     }
   }
-)
+), 'write')

package/dist/templates/app/api/v1/teams/[teamId]/route.ts CHANGED Viewed

@@ -8,7 +8,8 @@ import {
   addCorsHeaders,
 } from '@nextsparkjs/core/lib/api/helpers'
 import { authenticateRequest } from '@nextsparkjs/core/lib/api/auth/dual-auth'
-import { ownerUpdateTeamSchema, adminUpdateTeamSchema } from '@nextsparkjs/core/lib/teams/schema'
+import { withRateLimitTier } from '@nextsparkjs/core/lib/api/rate-limit'
+import { updateTeamSchema } from '@nextsparkjs/core/lib/teams/schema'
 import { TeamService, MembershipService } from '@nextsparkjs/core/lib/services'
 import type { Team, TeamRole } from '@nextsparkjs/core/lib/teams/types'
@@ -18,7 +19,7 @@ export async function OPTIONS() {
 }
 // GET /api/v1/teams/:teamId - Get team details
-export const GET = withApiLogging(
+export const GET = withRateLimitTier(withApiLogging(
   async (req: NextRequest, { params }: { params: Promise<{ teamId: string }> }): Promise<NextResponse> => {
     try {
       // Authenticate using dual auth
@@ -87,10 +88,10 @@ export const GET = withApiLogging(
       return addCorsHeaders(response)
     }
   }
-)
+), 'read')
 // PATCH /api/v1/teams/:teamId - Update team (owners/admins only)
-export const PATCH = withApiLogging(
+export const PATCH = withRateLimitTier(withApiLogging(
   async (req: NextRequest, { params }: { params: Promise<{ teamId: string }> }): Promise<NextResponse> => {
     try {
       // Authenticate using dual auth
@@ -115,56 +116,28 @@ export const PATCH = withApiLogging(
         return addCorsHeaders(response)
       }
-      const body = await req.json()
-      // FIX #2: Check owner-only requirement FIRST for name/description fields
-      // This provides clearer error messages to users
-      // Issue: https://github.com/NextSpark-js/nextspark/pull/1 (Issue #2)
-      // FIX #1: Use 'in' operator to check property existence (not value truthiness)
-      // This prevents type coercion bypass with falsy values (empty string, null, 0, false)
-      // Issue: https://github.com/NextSpark-js/nextspark/pull/1 (Issue #1)
-      const isOwnerOnlyUpdate = 'name' in body || 'description' in body
-      if (isOwnerOnlyUpdate) {
-        // Fetch team to verify ownership BEFORE other checks
-        const team = await TeamService.getById(teamId, authResult.user!.id)
-        if (!team || team.ownerId !== authResult.user!.id) {
-          const response = createApiError(
-            'Only team owners can edit team name and description',
-            403,
-            null,
-            'OWNER_ONLY'
-          )
-          return addCorsHeaders(response)
-        }
-        // Proceed with owner update (skip general permission check)
-      } else {
-        // Check general teams.update permission for non-owner-only fields
-        const membership = await MembershipService.get(authResult.user!.id, teamId)
-        const actionResult = membership.canPerformAction('teams.update')
-        if (!actionResult.allowed) {
-          const response = NextResponse.json(
-            {
-              success: false,
-              error: actionResult.message,
-              reason: actionResult.reason,
-              meta: actionResult.meta,
-            },
-            { status: 403 }
-          )
-          return addCorsHeaders(response)
-        }
+      // Check if user has permission to edit team using MembershipService
+      const membership = await MembershipService.get(authResult.user!.id, teamId)
+      const actionResult = membership.canPerformAction('teams.update')
+      if (!actionResult.allowed) {
+        const response = NextResponse.json(
+          {
+            success: false,
+            error: actionResult.message,
+            reason: actionResult.reason,
+            meta: actionResult.meta,
+          },
+          { status: 403 }
+        )
+        return addCorsHeaders(response)
       }
-      // Validate with appropriate schema based on update type
-      const schema = isOwnerOnlyUpdate ? ownerUpdateTeamSchema : adminUpdateTeamSchema
-      const validatedData = schema.parse(body) as Record<string, unknown>
+      const body = await req.json()
+      const validatedData = updateTeamSchema.parse(body)
       // Check if slug is being changed and if it's available
-      if ('slug' in validatedData && typeof validatedData.slug === 'string') {
+      if (validatedData.slug) {
         const slugAvailable = await TeamService.isSlugAvailable(validatedData.slug, teamId)
         if (!slugAvailable) {
           const response = createApiError('Team slug already exists', 409, null, 'SLUG_EXISTS')
@@ -177,27 +150,27 @@ export const PATCH = withApiLogging(
       const values = []
       let paramCount = 1
-      if ('name' in validatedData && validatedData.name !== undefined) {
+      if (validatedData.name !== undefined) {
         updates.push(`name = $${paramCount++}`)
         values.push(validatedData.name)
       }
-      if ('slug' in validatedData && validatedData.slug !== undefined) {
+      if (validatedData.slug !== undefined) {
         updates.push(`slug = $${paramCount++}`)
         values.push(validatedData.slug)
       }
-      if ('description' in validatedData && validatedData.description !== undefined) {
+      if (validatedData.description !== undefined) {
         updates.push(`description = $${paramCount++}`)
         values.push(validatedData.description)
       }
-      if ('avatarUrl' in validatedData && validatedData.avatarUrl !== undefined) {
+      if (validatedData.avatarUrl !== undefined) {
         updates.push(`"avatarUrl" = $${paramCount++}`)
         values.push(validatedData.avatarUrl)
       }
-      if ('settings' in validatedData && validatedData.settings !== undefined) {
+      if (validatedData.settings !== undefined) {
         updates.push(`settings = $${paramCount++}`)
         values.push(JSON.stringify(validatedData.settings))
       }
@@ -256,10 +229,10 @@ export const PATCH = withApiLogging(
       return addCorsHeaders(response)
     }
   }
-)
+), 'write')
 // DELETE /api/v1/teams/:teamId - Delete team (owners only, NOT personal teams)
-export const DELETE = withApiLogging(
+export const DELETE = withRateLimitTier(withApiLogging(
   async (req: NextRequest, { params }: { params: Promise<{ teamId: string }> }): Promise<NextResponse> => {
     try {
       // Authenticate using dual auth
@@ -319,4 +292,4 @@ export const DELETE = withApiLogging(
       return addCorsHeaders(response)
     }
   }
-)
+), 'write')