@nextsparkjs/core 0.1.0-beta.97 → 0.1.0-beta.99

package/templates/app/api/v1/media/[id]/route.ts

@@ -1,6 +1,8 @@
 import { NextRequest } from 'next/server'
-import { authenticateRequest, hasRequiredScope } from '@nextsparkjs/core/lib/api/auth/dual-auth'
+import { authenticateRequest, hasRequiredScope, resolveTeamContext } from '@nextsparkjs/core/lib/api/auth/dual-auth'
 import { createApiResponse, createApiError } from '@nextsparkjs/core/lib/api/helpers'
+import { API_ERROR_CODES } from '@nextsparkjs/core/lib/api/api-error'
+import { checkPermission } from '@nextsparkjs/core/lib/permissions/check'
 import { withRateLimitTier } from '@nextsparkjs/core/lib/api/rate-limit'
 import { MediaService } from '@nextsparkjs/core/lib/services/media.service'
 import { updateMediaSchema } from '@nextsparkjs/core/lib/media/schemas'
@@ -26,14 +28,24 @@ export const GET = withRateLimitTier(async (
 
     // 2. Check permissions
     if (!hasRequiredScope(authResult, 'media:read')) {
-      return createApiError('Insufficient permissions', 403)
+      return createApiError('Insufficient permissions', 403, undefined, API_ERROR_CODES.INSUFFICIENT_SCOPE)
     }
 
-    // 3. Get media ID from params
+    // 3. Resolve and validate team context
+    const teamResult = await resolveTeamContext(request, authResult)
+    if (teamResult instanceof Response) return teamResult
+    const teamId = teamResult
+
+    // 3b. Check role-based permission
+    if (!await checkPermission(authResult.user!.id, teamId, 'media.read')) {
+      return createApiError('Permission denied', 403, undefined, API_ERROR_CODES.PERMISSION_DENIED)
+    }
+
+    // 4. Get media ID from params
     const { id } = await params
 
-    // 4. Fetch media with RLS
-    const media = await MediaService.getById(id, authResult.user!.id)
+    // 5. Fetch media with team isolation
+    const media = await MediaService.getById(id, authResult.user!.id, teamId)
 
     if (!media) {
       return createApiError('Media not found', 404)
@@ -72,13 +84,23 @@ export const PATCH = withRateLimitTier(async (
 
     // 2. Check permissions
     if (!hasRequiredScope(authResult, 'media:write')) {
-      return createApiError('Insufficient permissions', 403)
+      return createApiError('Insufficient permissions', 403, undefined, API_ERROR_CODES.INSUFFICIENT_SCOPE)
     }
 
-    // 3. Get media ID from params
+    // 3. Resolve and validate team context
+    const teamResult = await resolveTeamContext(request, authResult)
+    if (teamResult instanceof Response) return teamResult
+    const teamId = teamResult
+
+    // 3b. Check role-based permission
+    if (!await checkPermission(authResult.user!.id, teamId, 'media.update')) {
+      return createApiError('Permission denied', 403, undefined, API_ERROR_CODES.PERMISSION_DENIED)
+    }
+
+    // 4. Get media ID from params
     const { id } = await params
 
-    // 4. Parse and validate request body
+    // 5. Parse and validate request body
     const body = await request.json()
     const parsed = updateMediaSchema.safeParse(body)
 
@@ -88,8 +110,12 @@ export const PATCH = withRateLimitTier(async (
       })
     }
 
-    // 5. Update media with RLS
-    const media = await MediaService.update(id, authResult.user!.id, parsed.data)
+    // 6. Update media with team isolation
+    const media = await MediaService.update(id, authResult.user!.id, parsed.data, teamId)
+
+    if (!media) {
+      return createApiError('Media not found', 404)
+    }
 
     return createApiResponse(media)
   } catch (error) {
@@ -123,14 +149,24 @@ export const DELETE = withRateLimitTier(async (
 
     // 2. Check permissions
     if (!hasRequiredScope(authResult, 'media:delete')) {
-      return createApiError('Insufficient permissions', 403)
+      return createApiError('Insufficient permissions', 403, undefined, API_ERROR_CODES.INSUFFICIENT_SCOPE)
+    }
+
+    // 3. Resolve and validate team context
+    const teamResult = await resolveTeamContext(request, authResult)
+    if (teamResult instanceof Response) return teamResult
+    const teamId = teamResult
+
+    // 3b. Check role-based permission
+    if (!await checkPermission(authResult.user!.id, teamId, 'media.delete')) {
+      return createApiError('Permission denied', 403, undefined, API_ERROR_CODES.PERMISSION_DENIED)
     }
 
-    // 3. Get media ID from params
+    // 4. Get media ID from params
     const { id } = await params
 
-    // 4. Soft delete media with RLS
-    const deleted = await MediaService.softDelete(id, authResult.user!.id)
+    // 5. Soft delete media with team isolation
+    const deleted = await MediaService.softDelete(id, authResult.user!.id, teamId)
 
     if (!deleted) {
       return createApiError('Media not found', 404)

package/templates/app/api/v1/media/[id]/tags/route.ts

@@ -1,6 +1,8 @@
 import { NextRequest } from 'next/server'
-import { authenticateRequest, hasRequiredScope } from '@nextsparkjs/core/lib/api/auth/dual-auth'
+import { authenticateRequest, hasRequiredScope, resolveTeamContext } from '@nextsparkjs/core/lib/api/auth/dual-auth'
 import { createApiResponse, createApiError } from '@nextsparkjs/core/lib/api/helpers'
+import { API_ERROR_CODES } from '@nextsparkjs/core/lib/api/api-error'
+import { checkPermission } from '@nextsparkjs/core/lib/permissions/check'
 import { withRateLimitTier } from '@nextsparkjs/core/lib/api/rate-limit'
 import { MediaService } from '@nextsparkjs/core/lib/services/media.service'
 import { z } from 'zod'
@@ -29,11 +31,27 @@ export const GET = withRateLimitTier(async (
     }
 
     if (!hasRequiredScope(authResult, 'media:read')) {
-      return createApiError('Insufficient permissions', 403)
+      return createApiError('Insufficient permissions', 403, undefined, API_ERROR_CODES.INSUFFICIENT_SCOPE)
+    }
+
+    const teamResult = await resolveTeamContext(request, authResult)
+    if (teamResult instanceof Response) return teamResult
+    const teamId = teamResult
+
+    // Check role-based permission
+    if (!await checkPermission(authResult.user!.id, teamId, 'media.read')) {
+      return createApiError('Permission denied', 403, undefined, API_ERROR_CODES.PERMISSION_DENIED)
     }
 
     const { id } = await params
-    const tags = await MediaService.getMediaTags(id, authResult.user!.id)
+
+    // Verify media belongs to team
+    const media = await MediaService.getById(id, authResult.user!.id, teamId)
+    if (!media) {
+      return createApiError('Media not found', 404)
+    }
+
+    const tags = await MediaService.getMediaTags(id, authResult.user!.id, teamId)
     return createApiResponse(tags)
   } catch (error) {
     console.error('[Media Tags API] Error getting tags:', error)
@@ -58,10 +76,26 @@ export const POST = withRateLimitTier(async (
     }
 
     if (!hasRequiredScope(authResult, 'media:write')) {
-      return createApiError('Insufficient permissions', 403)
+      return createApiError('Insufficient permissions', 403, undefined, API_ERROR_CODES.INSUFFICIENT_SCOPE)
+    }
+
+    const teamResult = await resolveTeamContext(request, authResult)
+    if (teamResult instanceof Response) return teamResult
+    const teamId = teamResult
+
+    // Check role-based permission
+    if (!await checkPermission(authResult.user!.id, teamId, 'media.update')) {
+      return createApiError('Permission denied', 403, undefined, API_ERROR_CODES.PERMISSION_DENIED)
     }
 
     const { id } = await params
+
+    // Verify media belongs to team
+    const media = await MediaService.getById(id, authResult.user!.id, teamId)
+    if (!media) {
+      return createApiError('Media not found', 404)
+    }
+
     const body = await request.json()
     const parsed = addTagSchema.safeParse(body)
 
@@ -70,7 +104,7 @@ export const POST = withRateLimitTier(async (
     }
 
     await MediaService.addTag(id, parsed.data.tagId, authResult.user!.id)
-    const tags = await MediaService.getMediaTags(id, authResult.user!.id)
+    const tags = await MediaService.getMediaTags(id, authResult.user!.id, teamId)
 
     return createApiResponse(tags, undefined, 201)
   } catch (error) {
@@ -96,10 +130,26 @@ export const PUT = withRateLimitTier(async (
     }
 
     if (!hasRequiredScope(authResult, 'media:write')) {
-      return createApiError('Insufficient permissions', 403)
+      return createApiError('Insufficient permissions', 403, undefined, API_ERROR_CODES.INSUFFICIENT_SCOPE)
+    }
+
+    const teamResult = await resolveTeamContext(request, authResult)
+    if (teamResult instanceof Response) return teamResult
+    const teamId = teamResult
+
+    // Check role-based permission
+    if (!await checkPermission(authResult.user!.id, teamId, 'media.update')) {
+      return createApiError('Permission denied', 403, undefined, API_ERROR_CODES.PERMISSION_DENIED)
     }
 
     const { id } = await params
+
+    // Verify media belongs to team
+    const media = await MediaService.getById(id, authResult.user!.id, teamId)
+    if (!media) {
+      return createApiError('Media not found', 404)
+    }
+
     const body = await request.json()
     const parsed = setTagsSchema.safeParse(body)
 
@@ -108,7 +158,7 @@ export const PUT = withRateLimitTier(async (
     }
 
     await MediaService.setTags(id, parsed.data.tagIds, authResult.user!.id)
-    const tags = await MediaService.getMediaTags(id, authResult.user!.id)
+    const tags = await MediaService.getMediaTags(id, authResult.user!.id, teamId)
 
     return createApiResponse(tags)
   } catch (error) {
@@ -133,11 +183,27 @@ export const DELETE = withRateLimitTier(async (
       return createApiError('Unauthorized', 401)
     }
 
-    if (!hasRequiredScope(authResult, 'media:delete')) {
-      return createApiError('Insufficient permissions', 403)
+    if (!hasRequiredScope(authResult, 'media:write')) {
+      return createApiError('Insufficient permissions', 403, undefined, API_ERROR_CODES.INSUFFICIENT_SCOPE)
+    }
+
+    const teamResult = await resolveTeamContext(request, authResult)
+    if (teamResult instanceof Response) return teamResult
+    const teamId = teamResult
+
+    // Check role-based permission (removing a tag is an update action, not media deletion)
+    if (!await checkPermission(authResult.user!.id, teamId, 'media.update')) {
+      return createApiError('Permission denied', 403, undefined, API_ERROR_CODES.PERMISSION_DENIED)
     }
 
     const { id } = await params
+
+    // Verify media belongs to team
+    const media = await MediaService.getById(id, authResult.user!.id, teamId)
+    if (!media) {
+      return createApiError('Media not found', 404)
+    }
+
     const { searchParams } = new URL(request.url)
     const tagId = searchParams.get('tagId')
 

package/templates/app/api/v1/media/check-duplicates/route.ts

@@ -1,6 +1,8 @@
 import { NextRequest } from 'next/server'
-import { authenticateRequest, hasRequiredScope } from '@nextsparkjs/core/lib/api/auth/dual-auth'
+import { authenticateRequest, hasRequiredScope, resolveTeamContext } from '@nextsparkjs/core/lib/api/auth/dual-auth'
 import { createApiResponse, createApiError } from '@nextsparkjs/core/lib/api/helpers'
+import { API_ERROR_CODES } from '@nextsparkjs/core/lib/api/api-error'
+import { checkPermission } from '@nextsparkjs/core/lib/permissions/check'
 import { withRateLimitTier } from '@nextsparkjs/core/lib/api/rate-limit'
 import { MediaService } from '@nextsparkjs/core/lib/services/media.service'
 
@@ -21,7 +23,16 @@ export const POST = withRateLimitTier(async (request: NextRequest) => {
     }
 
     if (!hasRequiredScope(authResult, 'media:read')) {
-      return createApiError('Insufficient permissions - media:read scope required', 403)
+      return createApiError('Insufficient permissions', 403, undefined, API_ERROR_CODES.INSUFFICIENT_SCOPE)
+    }
+
+    const teamResult = await resolveTeamContext(request, authResult)
+    if (teamResult instanceof Response) return teamResult
+    const teamId = teamResult
+
+    // Check role-based permission
+    if (!await checkPermission(authResult.user!.id, teamId, 'media.read')) {
+      return createApiError('Permission denied', 403, undefined, API_ERROR_CODES.PERMISSION_DENIED)
     }
 
     const body = await request.json()
@@ -36,6 +47,7 @@ export const POST = withRateLimitTier(async (request: NextRequest) => {
     for (const file of files) {
       const existing = await MediaService.findDuplicates(
         authResult.user!.id,
+        teamId,
         file.filename,
         file.fileSize
       )

package/templates/app/api/v1/media/route.ts

@@ -1,6 +1,8 @@
 import { NextRequest } from 'next/server'
-import { authenticateRequest, hasRequiredScope } from '@nextsparkjs/core/lib/api/auth/dual-auth'
+import { authenticateRequest, hasRequiredScope, resolveTeamContext } from '@nextsparkjs/core/lib/api/auth/dual-auth'
 import { createApiResponse, createApiError } from '@nextsparkjs/core/lib/api/helpers'
+import { API_ERROR_CODES } from '@nextsparkjs/core/lib/api/api-error'
+import { checkPermission } from '@nextsparkjs/core/lib/permissions/check'
 import { withRateLimitTier } from '@nextsparkjs/core/lib/api/rate-limit'
 import { MediaService } from '@nextsparkjs/core/lib/services/media.service'
 import { mediaListQuerySchema } from '@nextsparkjs/core/lib/media/schemas'
@@ -32,10 +34,20 @@ export const GET = withRateLimitTier(async (request: NextRequest) => {
 
     // 2. Check permissions
     if (!hasRequiredScope(authResult, 'media:read')) {
-      return createApiError('Insufficient permissions - media:read scope required', 403)
+      return createApiError('Insufficient permissions', 403, undefined, API_ERROR_CODES.INSUFFICIENT_SCOPE)
     }
 
-    // 3. Parse and validate query parameters
+    // 3. Resolve and validate team context
+    const teamResult = await resolveTeamContext(request, authResult)
+    if (teamResult instanceof Response) return teamResult
+    const teamId = teamResult
+
+    // 3b. Check role-based permission
+    if (!await checkPermission(authResult.user!.id, teamId, 'media.read')) {
+      return createApiError('Permission denied', 403, undefined, API_ERROR_CODES.PERMISSION_DENIED)
+    }
+
+    // 4. Parse and validate query parameters
     const { searchParams } = new URL(request.url)
     const parsed = mediaListQuerySchema.safeParse(Object.fromEntries(searchParams))
 
@@ -45,8 +57,8 @@ export const GET = withRateLimitTier(async (request: NextRequest) => {
       })
     }
 
-    // 4. Query media list with RLS
-    const result = await MediaService.list(authResult.user!.id, parsed.data)
+    // 5. Query media list with team isolation
+    const result = await MediaService.list(authResult.user!.id, teamId, parsed.data)
 
     return createApiResponse(result)
   } catch (error) {

package/templates/app/api/v1/media/upload/route.ts

@@ -1,7 +1,9 @@
 import { NextRequest } from 'next/server'
 import { put } from '@vercel/blob'
-import { authenticateRequest, hasRequiredScope } from '@nextsparkjs/core/lib/api/auth/dual-auth'
+import { authenticateRequest, hasRequiredScope, resolveTeamContext } from '@nextsparkjs/core/lib/api/auth/dual-auth'
 import { createApiResponse, createApiError } from '@nextsparkjs/core/lib/api/helpers'
+import { API_ERROR_CODES } from '@nextsparkjs/core/lib/api/api-error'
+import { checkPermission } from '@nextsparkjs/core/lib/permissions/check'
 import { withRateLimitTier } from '@nextsparkjs/core/lib/api/rate-limit'
 import { MEDIA_CONFIG } from '@nextsparkjs/core/lib/config/config-sync'
 import { MediaService } from '@nextsparkjs/core/lib/services/media.service'
@@ -64,17 +66,17 @@ export const POST = withRateLimitTier(async (request: NextRequest) => {
     const hasPermission = hasRequiredScope(authResult, 'media:write')
 
     if (!hasPermission) {
-      return createApiError('Insufficient permissions - media:write scope required', 403)
+      return createApiError('Insufficient permissions', 403, undefined, API_ERROR_CODES.INSUFFICIENT_SCOPE)
     }
 
-    // 3. Get team context (x-team-id header or default team)
-    const teamId = request.headers.get('x-team-id') || authResult.user!.defaultTeamId
+    // 3. Resolve and validate team context
+    const teamResult = await resolveTeamContext(request, authResult)
+    if (teamResult instanceof Response) return teamResult
+    const teamId = teamResult
 
-    if (!teamId) {
-      return createApiError(
-        'No team context available. Please provide x-team-id header or have a default team.',
-        400
-      )
+    // 4. Check role-based permission
+    if (!await checkPermission(authResult.user!.id, teamId, 'media.upload')) {
+      return createApiError('Permission denied', 403, undefined, API_ERROR_CODES.PERMISSION_DENIED)
     }
 
     const formData = await request.formData()
@@ -246,7 +248,17 @@ export const GET = withRateLimitTier(async (request: NextRequest) => {
     const hasPermission = hasRequiredScope(authResult, 'media:read')
 
     if (!hasPermission) {
-      return createApiError('Insufficient permissions - media:read scope required', 403)
+      return createApiError('Insufficient permissions', 403, undefined, API_ERROR_CODES.INSUFFICIENT_SCOPE)
+    }
+
+    // 3. Resolve and validate team context
+    const teamResult = await resolveTeamContext(request, authResult)
+    if (teamResult instanceof Response) return teamResult
+    const teamId = teamResult
+
+    // 4. Check role-based permission
+    if (!await checkPermission(authResult.user!.id, teamId, 'media.read')) {
+      return createApiError('Permission denied', 403, undefined, API_ERROR_CODES.PERMISSION_DENIED)
     }
 
     const useVercelBlob = isVercelBlobConfigured()

package/templates/app/api/v1/media-tags/route.ts

@@ -1,13 +1,15 @@
 import { NextRequest } from 'next/server'
-import { authenticateRequest, hasRequiredScope } from '@nextsparkjs/core/lib/api/auth/dual-auth'
+import { authenticateRequest, hasRequiredScope, resolveTeamContext } from '@nextsparkjs/core/lib/api/auth/dual-auth'
 import { createApiResponse, createApiError } from '@nextsparkjs/core/lib/api/helpers'
+import { API_ERROR_CODES } from '@nextsparkjs/core/lib/api/api-error'
+import { checkPermission } from '@nextsparkjs/core/lib/permissions/check'
 import { withRateLimitTier } from '@nextsparkjs/core/lib/api/rate-limit'
 import { MediaService } from '@nextsparkjs/core/lib/services/media.service'
 
 /**
  * GET /api/v1/media-tags
  *
- * List all available media tags (taxonomies of type 'media_tag').
+ * List media tags scoped to the active team.
  *
  * Authentication: Requires valid session or API key with media:read scope
  */
@@ -19,10 +21,19 @@ export const GET = withRateLimitTier(async (request: NextRequest) => {
     }
 
     if (!hasRequiredScope(authResult, 'media:read')) {
-      return createApiError('Insufficient permissions', 403)
+      return createApiError('Insufficient permissions', 403, undefined, API_ERROR_CODES.INSUFFICIENT_SCOPE)
     }
 
-    const tags = await MediaService.getTags(authResult.user!.id)
+    const teamResult = await resolveTeamContext(request, authResult)
+    if (teamResult instanceof Response) return teamResult
+    const teamId = teamResult
+
+    // Check role-based permission
+    if (!await checkPermission(authResult.user!.id, teamId, 'media.read')) {
+      return createApiError('Permission denied', 403, undefined, API_ERROR_CODES.PERMISSION_DENIED)
+    }
+
+    const tags = await MediaService.getTags(authResult.user!.id, teamId)
     return createApiResponse(tags)
   } catch (error) {
     console.error('[Media Tags API] Error listing tags:', error)
@@ -33,7 +44,7 @@ export const GET = withRateLimitTier(async (request: NextRequest) => {
 /**
  * POST /api/v1/media-tags
  *
- * Create a new media tag.
+ * Create a new media tag scoped to the active team.
  * Body: { name: string }
  *
  * Authentication: Requires valid session or API key with media:write scope
@@ -46,7 +57,16 @@ export const POST = withRateLimitTier(async (request: NextRequest) => {
     }
 
     if (!hasRequiredScope(authResult, 'media:write')) {
-      return createApiError('Insufficient permissions', 403)
+      return createApiError('Insufficient permissions', 403, undefined, API_ERROR_CODES.INSUFFICIENT_SCOPE)
+    }
+
+    const teamResult = await resolveTeamContext(request, authResult)
+    if (teamResult instanceof Response) return teamResult
+    const teamId = teamResult
+
+    // Check role-based permission
+    if (!await checkPermission(authResult.user!.id, teamId, 'media.update')) {
+      return createApiError('Permission denied', 403, undefined, API_ERROR_CODES.PERMISSION_DENIED)
     }
 
     const body = await request.json()
@@ -56,7 +76,7 @@ export const POST = withRateLimitTier(async (request: NextRequest) => {
       return createApiError('Tag name is required', 400)
     }
 
-    const tag = await MediaService.createTag(name, authResult.user!.id)
+    const tag = await MediaService.createTag(name, authResult.user!.id, teamId)
     return createApiResponse(tag, undefined, 201)
   } catch (error) {
     console.error('[Media Tags API] Error creating tag:', error)

package/templates/app/dashboard/(main)/media/page.tsx

@@ -47,8 +47,10 @@ import { useMediaList, useDeleteMedia } from '@nextsparkjs/core/hooks/useMedia'
 import { useDebounce } from '@nextsparkjs/core/hooks/useDebounce'
 import { useToast } from '@nextsparkjs/core/hooks/useToast'
 import { sel } from '@nextsparkjs/core/lib/selectors'
+import { usePermissions } from '@nextsparkjs/core/lib/permissions/hooks'
 import { getTemplateOrDefaultClient } from '@nextsparkjs/registries/template-registry.client'
 import type { Media, MediaListOptions } from '@nextsparkjs/core/lib/media/types'
+import type { Permission } from '@nextsparkjs/core/lib/permissions/types'
 
 type ViewMode = 'grid' | 'list'
 
@@ -58,6 +60,11 @@ function DefaultMediaDashboardPage() {
   const t = useTranslations('media')
   const { toast } = useToast()
   const deleteMutation = useDeleteMedia()
+  const { canUpload, canUpdate, canDelete } = usePermissions({
+    canUpload: 'media.upload' as Permission,
+    canUpdate: 'media.update' as Permission,
+    canDelete: 'media.delete' as Permission,
+  })
 
   // State
   const [viewMode, setViewMode] = useState<ViewMode>('grid')
@@ -280,23 +287,25 @@ function DefaultMediaDashboardPage() {
           </p>
         </div>
 
-        <Button onClick={handleToggleUpload}>
-          {showUpload ? (
-            <>
-              <ChevronUpIcon className="mr-2 h-4 w-4" />
-              {t('dashboard.hideUpload')}
-            </>
-          ) : (
-            <>
-              <UploadIcon className="mr-2 h-4 w-4" />
-              {t('toolbar.upload')}
-            </>
-          )}
-        </Button>
+        {canUpload && (
+          <Button onClick={handleToggleUpload}>
+            {showUpload ? (
+              <>
+                <ChevronUpIcon className="mr-2 h-4 w-4" />
+                {t('dashboard.hideUpload')}
+              </>
+            ) : (
+              <>
+                <UploadIcon className="mr-2 h-4 w-4" />
+                {t('toolbar.upload')}
+              </>
+            )}
+          </Button>
+        )}
       </div>
 
       {/* Upload zone (collapsible) */}
-      {showUpload && (
+      {showUpload && canUpload && (
         <MediaUploadZone onUploadComplete={handleUploadComplete} />
       )}
 
@@ -407,22 +416,24 @@ function DefaultMediaDashboardPage() {
           <MediaGrid
             items={items}
             isLoading={isLoading}
-            selectedIds={selectedIds}
-            onSelect={handleSelect}
+            selectedIds={canDelete ? selectedIds : new Set<string>()}
+            onSelect={canDelete ? handleSelect : undefined}
             onEdit={isBulkDeleting ? undefined : setEditingMedia}
-            onDelete={isBulkDeleting ? undefined : setDeletingMedia}
-            mode="multiple"
+            onDelete={isBulkDeleting || !canDelete ? undefined : setDeletingMedia}
+            mode={canDelete ? 'multiple' : 'single'}
+            readOnly={!canUpdate}
             columns={columns}
           />
         ) : (
           <MediaList
             items={items}
             isLoading={isLoading}
-            selectedIds={selectedIds}
-            onSelect={handleSelect}
+            selectedIds={canDelete ? selectedIds : new Set<string>()}
+            onSelect={canDelete ? handleSelect : undefined}
             onEdit={isBulkDeleting ? undefined : setEditingMedia}
-            onDelete={isBulkDeleting ? undefined : setDeletingMedia}
-            mode="multiple"
+            onDelete={isBulkDeleting || !canDelete ? undefined : setDeletingMedia}
+            mode={canDelete ? 'multiple' : 'single'}
+            readOnly={!canUpdate}
           />
         )}
       </div>
@@ -494,6 +505,7 @@ function DefaultMediaDashboardPage() {
                 media={editingMedia}
                 onClose={handleCloseDetail}
                 showPreview={false}
+                readOnly={!canUpdate}
                 className="flex-1 min-h-0"
               />
             </div>
@@ -554,7 +566,7 @@ function DefaultMediaDashboardPage() {
       </AlertDialog>
 
       {/* Floating action bar */}
-      {(selectedCount > 0 || isBulkDeleting) && (
+      {canDelete && (selectedCount > 0 || isBulkDeleting) && (
         <div className="fixed bottom-6 left-1/2 -translate-x-1/2 z-50 animate-in slide-in-from-bottom-4 fade-in duration-200">
           <div className="flex items-center gap-3 bg-background border border-border rounded-xl shadow-lg px-4 py-2.5">
             {isBulkDeleting ? (

package/templates/instrumentation.ts

@@ -13,21 +13,27 @@
 export async function register() {
   // Only run on server (not during build or in edge runtime)
   if (process.env.NEXT_RUNTIME === 'nodejs') {
-    const {
-      initializeScheduledActions,
-      initializeRecurringActions,
-    } = await import('@nextsparkjs/core/lib/scheduled-actions')
-
     console.log('[Instrumentation] Initializing scheduled actions system...')
 
-    // Register scheduled action handlers (includes entity hooks for automatic scheduling)
-    // This registers hooks like 'entity.contents.updated' that create scheduled actions
-    initializeScheduledActions()
+    try {
+      const {
+        initializeScheduledActions,
+        initializeRecurringActions,
+      } = await import('@nextsparkjs/core/lib/scheduled-actions')
+
+      // Register scheduled action handlers (includes entity hooks for automatic scheduling)
+      // This registers hooks like 'entity.contents.updated' that create scheduled actions
+      initializeScheduledActions()
 
-    // Register recurring scheduled actions (token refresh, cleanup jobs, etc.)
-    // These are background tasks that run on a schedule (e.g., every 30 minutes)
-    await initializeRecurringActions()
+      // Register recurring scheduled actions (token refresh, cleanup jobs, etc.)
+      // These are background tasks that run on a schedule (e.g., every 30 minutes)
+      // Non-blocking: if DB is unavailable at cold start, the server still boots
+      await initializeRecurringActions()
 
-    console.log('[Instrumentation] ✅ Scheduled actions initialized')
+      console.log('[Instrumentation] ✅ Scheduled actions initialized')
+    } catch (error) {
+      console.warn(`[Instrumentation] ⚠️ Failed to initialize scheduled actions: ${error instanceof Error ? error.message : error}`)
+      console.warn('[Instrumentation] Server will continue without recurring actions')
+    }
   }
 }