@nextsparkjs/core 0.1.0-beta.95 → 0.1.0-beta.98

package/scripts/build/registry/discovery/permissions.mjs

@@ -158,6 +158,71 @@ function parseEntitiesFromConfig(content) {
   return entities
 }
 
+/**
+ * Parse a flat array of permission action objects from a named section
+ * Works for both `teams: [...]` and `features: [...]`
+ * Each item has: action, label, description, roles, category?, dangerous?
+ *
+ * @param {string} content - Full file content
+ * @param {string} sectionName - Section name ('teams' or 'features')
+ * @returns {Array} Parsed permission actions
+ */
+function parseActionArrayFromConfig(content, sectionName) {
+  const results = []
+
+  // Find the section: sectionName: [ ... ]
+  // The closing bracket must be at column 2 (two-space indent) followed by ],
+  const sectionRegex = new RegExp(`${sectionName}:\\s*\\[([\\s\\S]*?)\\n  \\],?\\s*\\n`)
+  const sectionMatch = content.match(sectionRegex)
+  if (!sectionMatch) {
+    verbose(`No ${sectionName} section found in permissions.config.ts`)
+    return results
+  }
+
+  const sectionContent = sectionMatch[1]
+
+  // Match each action object { ... }
+  // Handles both single-line: { action: 'x', ... }
+  // and multi-line: {\n  action: 'x',\n  ...\n}
+  const actionRegex = /\{[^}]+\}/g
+  let actionMatch
+
+  while ((actionMatch = actionRegex.exec(sectionContent)) !== null) {
+    const block = actionMatch[0]
+
+    // Extract action (supports dotted names like 'media.upload', 'team.view')
+    const actionKeyMatch = block.match(/action:\s*['"]([^'"]+)['"]/)
+    if (!actionKeyMatch) continue
+    const action = actionKeyMatch[1]
+
+    // Extract label
+    const labelMatch = block.match(/label:\s*['"]([^'"]+)['"]/)
+    const label = labelMatch ? labelMatch[1] : action
+
+    // Extract description
+    const descMatch = block.match(/description:\s*['"]([^'"]+)['"]/)
+    const description = descMatch ? descMatch[1] : null
+
+    // Extract category (features have this, teams don't)
+    const categoryMatch = block.match(/category:\s*['"]([^'"]+)['"]/)
+    const category = categoryMatch ? categoryMatch[1] : null
+
+    // Extract roles
+    const rolesMatch = block.match(/roles:\s*\[([^\]]+)\]/)
+    const roles = rolesMatch
+      ? rolesMatch[1].split(',').map(r => r.trim().replace(/['"]/g, ''))
+      : ['owner', 'admin']
+
+    // Extract dangerous
+    const dangerousMatch = block.match(/dangerous:\s*(true|false)/)
+    const dangerous = dangerousMatch ? dangerousMatch[1] === 'true' : false
+
+    results.push({ action, label, description, category, roles, dangerous })
+  }
+
+  return results
+}
+
 /**
  * Discover permissions configuration from active theme
  * Returns null if theme doesn't have a permissions.config.ts
@@ -180,19 +245,29 @@ export async function discoverPermissionsConfig(config = DEFAULT_CONFIG) {
 
   log(`Found permissions.config.ts for theme ${themeName}`, 'success')
 
-  // Parse entities and roles from the config file
+  // Parse entities, roles, teams, and features from the config file
   let entities = {}
   let roles = null
+  let teams = []
+  let features = []
   try {
     const content = readFileSync(permissionsPath, 'utf8')
     entities = parseEntitiesFromConfig(content)
     roles = parseRolesFromConfig(content)
+    teams = parseActionArrayFromConfig(content, 'teams')
+    features = parseActionArrayFromConfig(content, 'features')
 
     const entityCount = Object.keys(entities).length
     const permCount = Object.values(entities).reduce((acc, arr) => acc + arr.length, 0)
     if (entityCount > 0) {
       log(`  📋 Parsed ${permCount} entity permissions across ${entityCount} entities`, 'info')
     }
+    if (teams.length > 0) {
+      log(`  🔑 Parsed ${teams.length} team permissions`, 'info')
+    }
+    if (features.length > 0) {
+      log(`  ⚡ Parsed ${features.length} feature permissions`, 'info')
+    }
     if (roles && roles.additionalRoles) {
       log(`  👥 Parsed ${roles.additionalRoles.length} custom roles: ${roles.additionalRoles.join(', ')}`, 'info')
     }
@@ -205,6 +280,8 @@ export async function discoverPermissionsConfig(config = DEFAULT_CONFIG) {
     importPath: `@/contents/themes/${themeName}/config/permissions.config`,
     themeName,
     entities,
-    roles
+    roles,
+    teams,
+    features
   }
 }

package/templates/app/api/v1/media/[id]/route.ts

@@ -1,6 +1,8 @@
 import { NextRequest } from 'next/server'
-import { authenticateRequest, hasRequiredScope } from '@nextsparkjs/core/lib/api/auth/dual-auth'
+import { authenticateRequest, hasRequiredScope, resolveTeamContext } from '@nextsparkjs/core/lib/api/auth/dual-auth'
 import { createApiResponse, createApiError } from '@nextsparkjs/core/lib/api/helpers'
+import { API_ERROR_CODES } from '@nextsparkjs/core/lib/api/api-error'
+import { checkPermission } from '@nextsparkjs/core/lib/permissions/check'
 import { withRateLimitTier } from '@nextsparkjs/core/lib/api/rate-limit'
 import { MediaService } from '@nextsparkjs/core/lib/services/media.service'
 import { updateMediaSchema } from '@nextsparkjs/core/lib/media/schemas'
@@ -26,14 +28,24 @@ export const GET = withRateLimitTier(async (
 
     // 2. Check permissions
     if (!hasRequiredScope(authResult, 'media:read')) {
-      return createApiError('Insufficient permissions', 403)
+      return createApiError('Insufficient permissions', 403, undefined, API_ERROR_CODES.INSUFFICIENT_SCOPE)
     }
 
-    // 3. Get media ID from params
+    // 3. Resolve and validate team context
+    const teamResult = await resolveTeamContext(request, authResult)
+    if (teamResult instanceof Response) return teamResult
+    const teamId = teamResult
+
+    // 3b. Check role-based permission
+    if (!await checkPermission(authResult.user!.id, teamId, 'media.read')) {
+      return createApiError('Permission denied', 403, undefined, API_ERROR_CODES.PERMISSION_DENIED)
+    }
+
+    // 4. Get media ID from params
     const { id } = await params
 
-    // 4. Fetch media with RLS
-    const media = await MediaService.getById(id, authResult.user!.id)
+    // 5. Fetch media with team isolation
+    const media = await MediaService.getById(id, authResult.user!.id, teamId)
 
     if (!media) {
       return createApiError('Media not found', 404)
@@ -72,13 +84,23 @@ export const PATCH = withRateLimitTier(async (
 
     // 2. Check permissions
     if (!hasRequiredScope(authResult, 'media:write')) {
-      return createApiError('Insufficient permissions', 403)
+      return createApiError('Insufficient permissions', 403, undefined, API_ERROR_CODES.INSUFFICIENT_SCOPE)
     }
 
-    // 3. Get media ID from params
+    // 3. Resolve and validate team context
+    const teamResult = await resolveTeamContext(request, authResult)
+    if (teamResult instanceof Response) return teamResult
+    const teamId = teamResult
+
+    // 3b. Check role-based permission
+    if (!await checkPermission(authResult.user!.id, teamId, 'media.update')) {
+      return createApiError('Permission denied', 403, undefined, API_ERROR_CODES.PERMISSION_DENIED)
+    }
+
+    // 4. Get media ID from params
     const { id } = await params
 
-    // 4. Parse and validate request body
+    // 5. Parse and validate request body
     const body = await request.json()
     const parsed = updateMediaSchema.safeParse(body)
 
@@ -88,8 +110,12 @@ export const PATCH = withRateLimitTier(async (
       })
     }
 
-    // 5. Update media with RLS
-    const media = await MediaService.update(id, authResult.user!.id, parsed.data)
+    // 6. Update media with team isolation
+    const media = await MediaService.update(id, authResult.user!.id, parsed.data, teamId)
+
+    if (!media) {
+      return createApiError('Media not found', 404)
+    }
 
     return createApiResponse(media)
   } catch (error) {
@@ -123,14 +149,24 @@ export const DELETE = withRateLimitTier(async (
 
     // 2. Check permissions
     if (!hasRequiredScope(authResult, 'media:delete')) {
-      return createApiError('Insufficient permissions', 403)
+      return createApiError('Insufficient permissions', 403, undefined, API_ERROR_CODES.INSUFFICIENT_SCOPE)
+    }
+
+    // 3. Resolve and validate team context
+    const teamResult = await resolveTeamContext(request, authResult)
+    if (teamResult instanceof Response) return teamResult
+    const teamId = teamResult
+
+    // 3b. Check role-based permission
+    if (!await checkPermission(authResult.user!.id, teamId, 'media.delete')) {
+      return createApiError('Permission denied', 403, undefined, API_ERROR_CODES.PERMISSION_DENIED)
     }
 
-    // 3. Get media ID from params
+    // 4. Get media ID from params
     const { id } = await params
 
-    // 4. Soft delete media with RLS
-    const deleted = await MediaService.softDelete(id, authResult.user!.id)
+    // 5. Soft delete media with team isolation
+    const deleted = await MediaService.softDelete(id, authResult.user!.id, teamId)
 
     if (!deleted) {
       return createApiError('Media not found', 404)

package/templates/app/api/v1/media/[id]/tags/route.ts

@@ -1,6 +1,8 @@
 import { NextRequest } from 'next/server'
-import { authenticateRequest, hasRequiredScope } from '@nextsparkjs/core/lib/api/auth/dual-auth'
+import { authenticateRequest, hasRequiredScope, resolveTeamContext } from '@nextsparkjs/core/lib/api/auth/dual-auth'
 import { createApiResponse, createApiError } from '@nextsparkjs/core/lib/api/helpers'
+import { API_ERROR_CODES } from '@nextsparkjs/core/lib/api/api-error'
+import { checkPermission } from '@nextsparkjs/core/lib/permissions/check'
 import { withRateLimitTier } from '@nextsparkjs/core/lib/api/rate-limit'
 import { MediaService } from '@nextsparkjs/core/lib/services/media.service'
 import { z } from 'zod'
@@ -29,11 +31,27 @@ export const GET = withRateLimitTier(async (
     }
 
     if (!hasRequiredScope(authResult, 'media:read')) {
-      return createApiError('Insufficient permissions', 403)
+      return createApiError('Insufficient permissions', 403, undefined, API_ERROR_CODES.INSUFFICIENT_SCOPE)
+    }
+
+    const teamResult = await resolveTeamContext(request, authResult)
+    if (teamResult instanceof Response) return teamResult
+    const teamId = teamResult
+
+    // Check role-based permission
+    if (!await checkPermission(authResult.user!.id, teamId, 'media.read')) {
+      return createApiError('Permission denied', 403, undefined, API_ERROR_CODES.PERMISSION_DENIED)
     }
 
     const { id } = await params
-    const tags = await MediaService.getMediaTags(id, authResult.user!.id)
+
+    // Verify media belongs to team
+    const media = await MediaService.getById(id, authResult.user!.id, teamId)
+    if (!media) {
+      return createApiError('Media not found', 404)
+    }
+
+    const tags = await MediaService.getMediaTags(id, authResult.user!.id, teamId)
     return createApiResponse(tags)
   } catch (error) {
     console.error('[Media Tags API] Error getting tags:', error)
@@ -58,10 +76,26 @@ export const POST = withRateLimitTier(async (
     }
 
     if (!hasRequiredScope(authResult, 'media:write')) {
-      return createApiError('Insufficient permissions', 403)
+      return createApiError('Insufficient permissions', 403, undefined, API_ERROR_CODES.INSUFFICIENT_SCOPE)
+    }
+
+    const teamResult = await resolveTeamContext(request, authResult)
+    if (teamResult instanceof Response) return teamResult
+    const teamId = teamResult
+
+    // Check role-based permission
+    if (!await checkPermission(authResult.user!.id, teamId, 'media.update')) {
+      return createApiError('Permission denied', 403, undefined, API_ERROR_CODES.PERMISSION_DENIED)
     }
 
     const { id } = await params
+
+    // Verify media belongs to team
+    const media = await MediaService.getById(id, authResult.user!.id, teamId)
+    if (!media) {
+      return createApiError('Media not found', 404)
+    }
+
     const body = await request.json()
     const parsed = addTagSchema.safeParse(body)
 
@@ -70,7 +104,7 @@ export const POST = withRateLimitTier(async (
     }
 
     await MediaService.addTag(id, parsed.data.tagId, authResult.user!.id)
-    const tags = await MediaService.getMediaTags(id, authResult.user!.id)
+    const tags = await MediaService.getMediaTags(id, authResult.user!.id, teamId)
 
     return createApiResponse(tags, undefined, 201)
   } catch (error) {
@@ -96,10 +130,26 @@ export const PUT = withRateLimitTier(async (
     }
 
     if (!hasRequiredScope(authResult, 'media:write')) {
-      return createApiError('Insufficient permissions', 403)
+      return createApiError('Insufficient permissions', 403, undefined, API_ERROR_CODES.INSUFFICIENT_SCOPE)
+    }
+
+    const teamResult = await resolveTeamContext(request, authResult)
+    if (teamResult instanceof Response) return teamResult
+    const teamId = teamResult
+
+    // Check role-based permission
+    if (!await checkPermission(authResult.user!.id, teamId, 'media.update')) {
+      return createApiError('Permission denied', 403, undefined, API_ERROR_CODES.PERMISSION_DENIED)
     }
 
     const { id } = await params
+
+    // Verify media belongs to team
+    const media = await MediaService.getById(id, authResult.user!.id, teamId)
+    if (!media) {
+      return createApiError('Media not found', 404)
+    }
+
     const body = await request.json()
     const parsed = setTagsSchema.safeParse(body)
 
@@ -108,7 +158,7 @@ export const PUT = withRateLimitTier(async (
     }
 
     await MediaService.setTags(id, parsed.data.tagIds, authResult.user!.id)
-    const tags = await MediaService.getMediaTags(id, authResult.user!.id)
+    const tags = await MediaService.getMediaTags(id, authResult.user!.id, teamId)
 
     return createApiResponse(tags)
   } catch (error) {
@@ -133,11 +183,27 @@ export const DELETE = withRateLimitTier(async (
       return createApiError('Unauthorized', 401)
     }
 
-    if (!hasRequiredScope(authResult, 'media:delete')) {
-      return createApiError('Insufficient permissions', 403)
+    if (!hasRequiredScope(authResult, 'media:write')) {
+      return createApiError('Insufficient permissions', 403, undefined, API_ERROR_CODES.INSUFFICIENT_SCOPE)
+    }
+
+    const teamResult = await resolveTeamContext(request, authResult)
+    if (teamResult instanceof Response) return teamResult
+    const teamId = teamResult
+
+    // Check role-based permission (removing a tag is an update action, not media deletion)
+    if (!await checkPermission(authResult.user!.id, teamId, 'media.update')) {
+      return createApiError('Permission denied', 403, undefined, API_ERROR_CODES.PERMISSION_DENIED)
     }
 
     const { id } = await params
+
+    // Verify media belongs to team
+    const media = await MediaService.getById(id, authResult.user!.id, teamId)
+    if (!media) {
+      return createApiError('Media not found', 404)
+    }
+
     const { searchParams } = new URL(request.url)
     const tagId = searchParams.get('tagId')
 

package/templates/app/api/v1/media/check-duplicates/route.ts

@@ -1,6 +1,8 @@
 import { NextRequest } from 'next/server'
-import { authenticateRequest, hasRequiredScope } from '@nextsparkjs/core/lib/api/auth/dual-auth'
+import { authenticateRequest, hasRequiredScope, resolveTeamContext } from '@nextsparkjs/core/lib/api/auth/dual-auth'
 import { createApiResponse, createApiError } from '@nextsparkjs/core/lib/api/helpers'
+import { API_ERROR_CODES } from '@nextsparkjs/core/lib/api/api-error'
+import { checkPermission } from '@nextsparkjs/core/lib/permissions/check'
 import { withRateLimitTier } from '@nextsparkjs/core/lib/api/rate-limit'
 import { MediaService } from '@nextsparkjs/core/lib/services/media.service'
 
@@ -21,7 +23,16 @@ export const POST = withRateLimitTier(async (request: NextRequest) => {
     }
 
     if (!hasRequiredScope(authResult, 'media:read')) {
-      return createApiError('Insufficient permissions - media:read scope required', 403)
+      return createApiError('Insufficient permissions', 403, undefined, API_ERROR_CODES.INSUFFICIENT_SCOPE)
+    }
+
+    const teamResult = await resolveTeamContext(request, authResult)
+    if (teamResult instanceof Response) return teamResult
+    const teamId = teamResult
+
+    // Check role-based permission
+    if (!await checkPermission(authResult.user!.id, teamId, 'media.read')) {
+      return createApiError('Permission denied', 403, undefined, API_ERROR_CODES.PERMISSION_DENIED)
     }
 
     const body = await request.json()
@@ -36,6 +47,7 @@ export const POST = withRateLimitTier(async (request: NextRequest) => {
     for (const file of files) {
       const existing = await MediaService.findDuplicates(
         authResult.user!.id,
+        teamId,
         file.filename,
         file.fileSize
       )

package/templates/app/api/v1/media/route.ts

@@ -1,6 +1,8 @@
 import { NextRequest } from 'next/server'
-import { authenticateRequest, hasRequiredScope } from '@nextsparkjs/core/lib/api/auth/dual-auth'
+import { authenticateRequest, hasRequiredScope, resolveTeamContext } from '@nextsparkjs/core/lib/api/auth/dual-auth'
 import { createApiResponse, createApiError } from '@nextsparkjs/core/lib/api/helpers'
+import { API_ERROR_CODES } from '@nextsparkjs/core/lib/api/api-error'
+import { checkPermission } from '@nextsparkjs/core/lib/permissions/check'
 import { withRateLimitTier } from '@nextsparkjs/core/lib/api/rate-limit'
 import { MediaService } from '@nextsparkjs/core/lib/services/media.service'
 import { mediaListQuerySchema } from '@nextsparkjs/core/lib/media/schemas'
@@ -32,10 +34,20 @@ export const GET = withRateLimitTier(async (request: NextRequest) => {
 
     // 2. Check permissions
     if (!hasRequiredScope(authResult, 'media:read')) {
-      return createApiError('Insufficient permissions - media:read scope required', 403)
+      return createApiError('Insufficient permissions', 403, undefined, API_ERROR_CODES.INSUFFICIENT_SCOPE)
     }
 
-    // 3. Parse and validate query parameters
+    // 3. Resolve and validate team context
+    const teamResult = await resolveTeamContext(request, authResult)
+    if (teamResult instanceof Response) return teamResult
+    const teamId = teamResult
+
+    // 3b. Check role-based permission
+    if (!await checkPermission(authResult.user!.id, teamId, 'media.read')) {
+      return createApiError('Permission denied', 403, undefined, API_ERROR_CODES.PERMISSION_DENIED)
+    }
+
+    // 4. Parse and validate query parameters
     const { searchParams } = new URL(request.url)
     const parsed = mediaListQuerySchema.safeParse(Object.fromEntries(searchParams))
 
@@ -45,8 +57,8 @@ export const GET = withRateLimitTier(async (request: NextRequest) => {
       })
     }
 
-    // 4. Query media list with RLS
-    const result = await MediaService.list(authResult.user!.id, parsed.data)
+    // 5. Query media list with team isolation
+    const result = await MediaService.list(authResult.user!.id, teamId, parsed.data)
 
     return createApiResponse(result)
   } catch (error) {

package/templates/app/api/v1/media/upload/route.ts

@@ -1,7 +1,9 @@
 import { NextRequest } from 'next/server'
 import { put } from '@vercel/blob'
-import { authenticateRequest, hasRequiredScope } from '@nextsparkjs/core/lib/api/auth/dual-auth'
+import { authenticateRequest, hasRequiredScope, resolveTeamContext } from '@nextsparkjs/core/lib/api/auth/dual-auth'
 import { createApiResponse, createApiError } from '@nextsparkjs/core/lib/api/helpers'
+import { API_ERROR_CODES } from '@nextsparkjs/core/lib/api/api-error'
+import { checkPermission } from '@nextsparkjs/core/lib/permissions/check'
 import { withRateLimitTier } from '@nextsparkjs/core/lib/api/rate-limit'
 import { MEDIA_CONFIG } from '@nextsparkjs/core/lib/config/config-sync'
 import { MediaService } from '@nextsparkjs/core/lib/services/media.service'
@@ -64,17 +66,17 @@ export const POST = withRateLimitTier(async (request: NextRequest) => {
     const hasPermission = hasRequiredScope(authResult, 'media:write')
 
     if (!hasPermission) {
-      return createApiError('Insufficient permissions - media:write scope required', 403)
+      return createApiError('Insufficient permissions', 403, undefined, API_ERROR_CODES.INSUFFICIENT_SCOPE)
     }
 
-    // 3. Get team context (x-team-id header or default team)
-    const teamId = request.headers.get('x-team-id') || authResult.user!.defaultTeamId
+    // 3. Resolve and validate team context
+    const teamResult = await resolveTeamContext(request, authResult)
+    if (teamResult instanceof Response) return teamResult
+    const teamId = teamResult
 
-    if (!teamId) {
-      return createApiError(
-        'No team context available. Please provide x-team-id header or have a default team.',
-        400
-      )
+    // 4. Check role-based permission
+    if (!await checkPermission(authResult.user!.id, teamId, 'media.upload')) {
+      return createApiError('Permission denied', 403, undefined, API_ERROR_CODES.PERMISSION_DENIED)
     }
 
     const formData = await request.formData()
@@ -246,7 +248,17 @@ export const GET = withRateLimitTier(async (request: NextRequest) => {
     const hasPermission = hasRequiredScope(authResult, 'media:read')
 
     if (!hasPermission) {
-      return createApiError('Insufficient permissions - media:read scope required', 403)
+      return createApiError('Insufficient permissions', 403, undefined, API_ERROR_CODES.INSUFFICIENT_SCOPE)
+    }
+
+    // 3. Resolve and validate team context
+    const teamResult = await resolveTeamContext(request, authResult)
+    if (teamResult instanceof Response) return teamResult
+    const teamId = teamResult
+
+    // 4. Check role-based permission
+    if (!await checkPermission(authResult.user!.id, teamId, 'media.read')) {
+      return createApiError('Permission denied', 403, undefined, API_ERROR_CODES.PERMISSION_DENIED)
     }
 
     const useVercelBlob = isVercelBlobConfigured()

package/templates/app/api/v1/media-tags/route.ts

@@ -1,13 +1,15 @@
 import { NextRequest } from 'next/server'
-import { authenticateRequest, hasRequiredScope } from '@nextsparkjs/core/lib/api/auth/dual-auth'
+import { authenticateRequest, hasRequiredScope, resolveTeamContext } from '@nextsparkjs/core/lib/api/auth/dual-auth'
 import { createApiResponse, createApiError } from '@nextsparkjs/core/lib/api/helpers'
+import { API_ERROR_CODES } from '@nextsparkjs/core/lib/api/api-error'
+import { checkPermission } from '@nextsparkjs/core/lib/permissions/check'
 import { withRateLimitTier } from '@nextsparkjs/core/lib/api/rate-limit'
 import { MediaService } from '@nextsparkjs/core/lib/services/media.service'
 
 /**
  * GET /api/v1/media-tags
  *
- * List all available media tags (taxonomies of type 'media_tag').
+ * List media tags scoped to the active team.
  *
  * Authentication: Requires valid session or API key with media:read scope
  */
@@ -19,10 +21,19 @@ export const GET = withRateLimitTier(async (request: NextRequest) => {
     }
 
     if (!hasRequiredScope(authResult, 'media:read')) {
-      return createApiError('Insufficient permissions', 403)
+      return createApiError('Insufficient permissions', 403, undefined, API_ERROR_CODES.INSUFFICIENT_SCOPE)
     }
 
-    const tags = await MediaService.getTags(authResult.user!.id)
+    const teamResult = await resolveTeamContext(request, authResult)
+    if (teamResult instanceof Response) return teamResult
+    const teamId = teamResult
+
+    // Check role-based permission
+    if (!await checkPermission(authResult.user!.id, teamId, 'media.read')) {
+      return createApiError('Permission denied', 403, undefined, API_ERROR_CODES.PERMISSION_DENIED)
+    }
+
+    const tags = await MediaService.getTags(authResult.user!.id, teamId)
     return createApiResponse(tags)
   } catch (error) {
     console.error('[Media Tags API] Error listing tags:', error)
@@ -33,7 +44,7 @@ export const GET = withRateLimitTier(async (request: NextRequest) => {
 /**
  * POST /api/v1/media-tags
  *
- * Create a new media tag.
+ * Create a new media tag scoped to the active team.
  * Body: { name: string }
  *
  * Authentication: Requires valid session or API key with media:write scope
@@ -46,7 +57,16 @@ export const POST = withRateLimitTier(async (request: NextRequest) => {
     }
 
     if (!hasRequiredScope(authResult, 'media:write')) {
-      return createApiError('Insufficient permissions', 403)
+      return createApiError('Insufficient permissions', 403, undefined, API_ERROR_CODES.INSUFFICIENT_SCOPE)
+    }
+
+    const teamResult = await resolveTeamContext(request, authResult)
+    if (teamResult instanceof Response) return teamResult
+    const teamId = teamResult
+
+    // Check role-based permission
+    if (!await checkPermission(authResult.user!.id, teamId, 'media.update')) {
+      return createApiError('Permission denied', 403, undefined, API_ERROR_CODES.PERMISSION_DENIED)
     }
 
     const body = await request.json()
@@ -56,7 +76,7 @@ export const POST = withRateLimitTier(async (request: NextRequest) => {
       return createApiError('Tag name is required', 400)
     }
 
-    const tag = await MediaService.createTag(name, authResult.user!.id)
+    const tag = await MediaService.createTag(name, authResult.user!.id, teamId)
     return createApiResponse(tag, undefined, 201)
   } catch (error) {
     console.error('[Media Tags API] Error creating tag:', error)