@playcademy/sandbox 0.3.17-beta.5 → 0.3.17-beta.7

package/dist/cli.js

@@ -1310,7 +1310,7 @@ var package_default;
 var init_package = __esm(() => {
   package_default = {
     name: "@playcademy/sandbox",
-    version: "0.3.17-beta.5",
+    version: "0.3.17-beta.7",
     description: "Local development server for Playcademy game development",
     type: "module",
     exports: {
@@ -11550,7 +11550,7 @@ var init_table6 = __esm(() => {
   init_drizzle_orm();
   init_pg_core();
   init_table5();
-  userRoleEnum = pgEnum("user_role", ["admin", "player", "developer"]);
+  userRoleEnum = pgEnum("user_role", ["admin", "player", "developer", "teacher"]);
   developerStatusEnum = pgEnum("developer_status", ["none", "pending", "approved"]);
   users = pgTable("user", {
     id: text("id").primaryKey().$defaultFn(() => crypto.randomUUID()),
@@ -26733,10 +26733,13 @@ var init_game_service = __esm(() => {
       });
     }
     async listManageable(user) {
-      this.validateDeveloperStatus(user);
+      const seesAllGames = user.role === "admin" || user.role === "teacher";
+      if (!seesAllGames) {
+        this.validateDeveloperStatus(user);
+      }
       const db2 = this.deps.db;
       return db2.query.games.findMany({
-        where: user.role === "admin" ? undefined : eq(games.developerId, user.id),
+        where: seesAllGames ? undefined : eq(games.developerId, user.id),
         orderBy: [desc(games.createdAt)]
       });
     }
@@ -27140,6 +27143,19 @@ var init_game_service = __esm(() => {
         throw new NotFoundError("Game", gameId);
       }
     }
+    async validateGameManagementAccess(user, gameId) {
+      if (user.role === "admin" || user.role === "teacher") {
+        const gameExists = await this.deps.db.query.games.findFirst({
+          where: eq(games.id, gameId),
+          columns: { id: true }
+        });
+        if (!gameExists) {
+          throw new NotFoundError("Game", gameId);
+        }
+        return;
+      }
+      return this.validateDeveloperAccess(user, gameId);
+    }
     async validateDeveloperAccessBySlug(user, slug) {
       this.validateDeveloperStatus(user);
       const db2 = this.deps.db;
@@ -27210,6 +27226,7 @@ function createGameServices(deps) {
     validators: {
       validateDeveloperAccessBySlug: (user, slug) => game.validateDeveloperAccessBySlug(user, slug),
       validateDeveloperAccess: (user, gameId) => game.validateDeveloperAccess(user, gameId),
+      validateGameManagementAccess: (user, gameId) => game.validateGameManagementAccess(user, gameId),
       validateOwnership: (user, gameId) => game.validateOwnership(user, gameId)
     }
   };
@@ -30612,9 +30629,13 @@ class TimebackAdminService {
       });
     });
   }
-  async resolveAdminMutationContext(gameId, courseId, user, studentId) {
+  async resolveAdminMutationContext(gameId, courseId, user, studentId, accessLevel = "developer") {
     const client = this.requireClient();
-    await this.deps.validateDeveloperAccess(user, gameId);
+    if (accessLevel === "dashboard") {
+      await this.deps.validateGameManagementAccess(user, gameId);
+    } else {
+      await this.deps.validateDeveloperAccess(user, gameId);
+    }
     const integration = await this.deps.db.query.gameTimebackIntegrations.findFirst({
       where: and(eq(gameTimebackIntegrations.gameId, gameId), eq(gameTimebackIntegrations.courseId, courseId))
     });
@@ -30874,7 +30895,7 @@ class TimebackAdminService {
   }
   async listStudentsForCourse(gameId, courseId, user) {
     const client = this.requireClient();
-    await this.deps.validateDeveloperAccess(user, gameId);
+    await this.deps.validateGameManagementAccess(user, gameId);
     const integration = await this.deps.db.query.gameTimebackIntegrations.findFirst({
       where: and(eq(gameTimebackIntegrations.gameId, gameId), eq(gameTimebackIntegrations.courseId, courseId))
     });
@@ -30912,7 +30933,7 @@ class TimebackAdminService {
   }
   async getStudentOverview(gameId, studentId, user, courseId) {
     const client = this.requireClient();
-    await this.deps.validateDeveloperAccess(user, gameId);
+    await this.deps.validateGameManagementAccess(user, gameId);
     const integrations = await this.deps.db.query.gameTimebackIntegrations.findMany({
       where: courseId ? and(eq(gameTimebackIntegrations.gameId, gameId), eq(gameTimebackIntegrations.courseId, courseId)) : eq(gameTimebackIntegrations.gameId, gameId)
     });
@@ -30966,7 +30987,7 @@ class TimebackAdminService {
     const client = this.requireClient();
     const safeLimit = Math.max(1, Math.min(limit, TimebackAdminService.MAX_STUDENT_ACTIVITY_LIMIT));
     const safeOffset = Math.max(0, Math.min(offset, TimebackAdminService.MAX_STUDENT_ACTIVITY_OFFSET));
-    await this.deps.validateDeveloperAccess(user, gameId);
+    await this.deps.validateGameManagementAccess(user, gameId);
     const [integration, sensorUrl] = await Promise.all([
       this.deps.db.query.gameTimebackIntegrations.findFirst({
         where: and(eq(gameTimebackIntegrations.gameId, gameId), eq(gameTimebackIntegrations.courseId, courseId))
@@ -31030,7 +31051,7 @@ class TimebackAdminService {
     return { status: "ok" };
   }
   async toggleCourseCompletion(data, user) {
-    const { client, sensorUrl, appName, actor } = await this.resolveAdminMutationContext(data.gameId, data.courseId, user, data.studentId);
+    const { client, sensorUrl, appName, actor } = await this.resolveAdminMutationContext(data.gameId, data.courseId, user, data.studentId, "dashboard");
     const historyClient = client;
     const ids = deriveSourcedIds(data.courseId);
     const lineItemId = `${ids.course}-mastery-completion-assessment`;
@@ -31123,6 +31144,77 @@ class TimebackAdminService {
     }
     return { status: "ok" };
   }
+  async searchStudentsForEnrollment(gameId, courseId, query, user) {
+    const client = this.requireClient();
+    await this.deps.validateGameManagementAccess(user, gameId);
+    const integration = await this.deps.db.query.gameTimebackIntegrations.findFirst({
+      where: and(eq(gameTimebackIntegrations.gameId, gameId), eq(gameTimebackIntegrations.courseId, courseId))
+    });
+    if (!integration) {
+      throw new NotFoundError("Timeback integration", `${gameId}:${courseId}`);
+    }
+    const trimmedQuery = query.trim();
+    if (trimmedQuery.length < 2) {
+      return { students: [] };
+    }
+    const filterParts = [
+      `givenName~'${escapeFilterValue(trimmedQuery)}'`,
+      `familyName~'${escapeFilterValue(trimmedQuery)}'`,
+      `email~'${escapeFilterValue(trimmedQuery)}'`
+    ];
+    const filter = filterParts.join(" OR ");
+    const params = new URLSearchParams({ filter, limit: "25" });
+    const endpoint = `/ims/oneroster/rostering/v1p2/users?${params}`;
+    let allUsers = [];
+    try {
+      const response = await client["request"](endpoint, "GET");
+      allUsers = response.users || [];
+    } catch (error) {
+      logger16.warn("Failed to search OneRoster users", {
+        query: trimmedQuery,
+        error: error instanceof Error ? error.message : String(error)
+      });
+      return { students: [] };
+    }
+    const roster = await client.oneroster.enrollments.listByCourse(courseId, {
+      role: "student",
+      includeUsers: false
+    });
+    const enrolledStudentIds = new Set(roster.map((entry) => entry.enrollment.user.sourcedId));
+    const students = allUsers.filter((entry) => Boolean(entry.sourcedId) && entry.roles?.some((role) => role.role === "student") === true).map((entry) => ({
+      studentId: entry.sourcedId,
+      name: `${entry.givenName || ""} ${entry.familyName || ""}`.trim() || entry.sourcedId,
+      email: entry.email || null,
+      alreadyEnrolled: enrolledStudentIds.has(entry.sourcedId)
+    }));
+    return { students };
+  }
+  async enrollStudent(data, user) {
+    const client = this.requireClient();
+    await this.deps.validateGameManagementAccess(user, data.gameId);
+    const integration = await this.deps.db.query.gameTimebackIntegrations.findFirst({
+      where: and(eq(gameTimebackIntegrations.gameId, data.gameId), eq(gameTimebackIntegrations.courseId, data.courseId))
+    });
+    if (!integration) {
+      throw new NotFoundError("Timeback integration", `${data.gameId}:${data.courseId}`);
+    }
+    await client.edubridge.enrollments.enroll(data.studentId, data.courseId, {
+      role: "student"
+    });
+    return { status: "ok" };
+  }
+  async unenrollStudent(data, user) {
+    const client = this.requireClient();
+    await this.deps.validateGameManagementAccess(user, data.gameId);
+    const integration = await this.deps.db.query.gameTimebackIntegrations.findFirst({
+      where: and(eq(gameTimebackIntegrations.gameId, data.gameId), eq(gameTimebackIntegrations.courseId, data.courseId))
+    });
+    if (!integration) {
+      throw new NotFoundError("Timeback integration", `${data.gameId}:${data.courseId}`);
+    }
+    await client.edubridge.enrollments.unenroll(data.studentId, data.courseId);
+    return { status: "ok" };
+  }
   async getCompletionStatus(client, courseId, studentId) {
     const ids = deriveSourcedIds(courseId);
     const lineItemId = `${ids.course}-mastery-completion-assessment`;
@@ -31574,7 +31666,7 @@ class TimebackService {
     return { integrations, ...verbose && verboseData.length > 0 && { verbose: verboseData } };
   }
   async getIntegrations(gameId, user) {
-    await this.deps.validateDeveloperAccess(user, gameId);
+    await this.deps.validateGameManagementAccess(user, gameId);
     const rows = await this.deps.db.query.gameTimebackIntegrations.findMany({
       where: eq(gameTimebackIntegrations.gameId, gameId)
     });
@@ -31829,6 +31921,7 @@ function createPlatformServices(deps) {
     alerts,
     validateDeveloperAccessBySlug,
     validateDeveloperAccess,
+    validateGameManagementAccess,
     validateOwnership
   } = deps;
   const bucket = new BucketService({
@@ -31863,12 +31956,14 @@ function createPlatformServices(deps) {
   const timeback2 = new TimebackService({
     db: db2,
     timeback: timebackClient,
-    validateDeveloperAccess
+    validateDeveloperAccess,
+    validateGameManagementAccess
   });
   const timebackAdmin = new TimebackAdminService({
     db: db2,
     timeback: timebackClient,
-    validateDeveloperAccess
+    validateDeveloperAccess,
+    validateGameManagementAccess
   });
   return {
     bucket,
@@ -35000,6 +35095,34 @@ function createEduBridgeNamespace(client) {
     listByUser: async (userId) => {
       const response = await client["request"](`/edubridge/enrollments/user/${userId}`, "GET");
       return response.data;
+    },
+    enroll: async (userId, courseId, options) => {
+      const segments = [userId, courseId];
+      if (options?.schoolId) {
+        segments.push(options.schoolId);
+      }
+      const body2 = {};
+      if (options?.role) {
+        body2.role = options.role;
+      }
+      if (options?.sourcedId) {
+        body2.sourcedId = options.sourcedId;
+      }
+      if (options?.beginDate) {
+        body2.beginDate = options.beginDate;
+      }
+      if (options?.metadata) {
+        body2.metadata = options.metadata;
+      }
+      const response = await client["request"](`/edubridge/enrollments/enroll/${segments.join("/")}`, "POST", body2);
+      return response.data;
+    },
+    unenroll: async (userId, courseId, options) => {
+      const segments = [userId, courseId];
+      if (options?.schoolId) {
+        segments.push(options.schoolId);
+      }
+      await client["request"](`/edubridge/enrollments/unenroll/${segments.join("/")}`, "DELETE");
     }
   };
   const analytics = {
@@ -35175,6 +35298,10 @@ function createOneRosterNamespace(client) {
           logTimebackError("list course roster", error, { courseSourcedId });
           throw error;
         }
+      },
+      create: async (data) => client["request"](ONEROSTER_ENDPOINTS4.enrollments, "POST", { enrollment: data }),
+      delete: async (sourcedId) => {
+        await client["request"](`${ONEROSTER_ENDPOINTS4.enrollments}/${sourcedId}`, "DELETE");
       }
     },
     organizations: {
@@ -93507,7 +93634,7 @@ function isValidAdminAttributionDate(value) {
   const date4 = new Date(Date.UTC(year3, month - 1, day, 12, 0, 0));
   return date4.getUTCFullYear() === year3 && date4.getUTCMonth() + 1 === month && date4.getUTCDate() === day;
 }
-var TIMEBACK_GRADES, TIMEBACK_SUBJECTS5, TimebackGradeSchema, TimebackSubjectSchema, UpdateTimebackXpRequestSchema, EndActivityRequestSchema, PopulateStudentRequestSchema, DerivedPlatformCourseConfigSchema, TimebackBaseConfigSchema, PlatformTimebackSetupRequestSchema, AdminTimebackMutationBaseSchema, AdminAttributionDateSchema, GrantTimebackXpRequestSchema, AdjustTimebackTimeRequestSchema, AdjustTimebackMasteryRequestSchema, ToggleCourseCompletionRequestSchema;
+var TIMEBACK_GRADES, TIMEBACK_SUBJECTS5, TimebackGradeSchema, TimebackSubjectSchema, UpdateTimebackXpRequestSchema, EndActivityRequestSchema, PopulateStudentRequestSchema, DerivedPlatformCourseConfigSchema, TimebackBaseConfigSchema, PlatformTimebackSetupRequestSchema, AdminTimebackMutationBaseSchema, AdminAttributionDateSchema, GrantTimebackXpRequestSchema, AdjustTimebackTimeRequestSchema, AdjustTimebackMasteryRequestSchema, ToggleCourseCompletionRequestSchema, EnrollStudentRequestSchema, UnenrollStudentRequestSchema;
 var init_schemas11 = __esm(() => {
   init_esm();
   TIMEBACK_GRADES = [-1, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13];
@@ -93650,6 +93777,16 @@ var init_schemas11 = __esm(() => {
     studentId: exports_external.string().min(1),
     action: exports_external.enum(["complete", "resume"])
   });
+  EnrollStudentRequestSchema = exports_external.object({
+    gameId: exports_external.string().uuid(),
+    courseId: exports_external.string().min(1),
+    studentId: exports_external.string().min(1)
+  });
+  UnenrollStudentRequestSchema = exports_external.object({
+    gameId: exports_external.string().uuid(),
+    courseId: exports_external.string().min(1),
+    studentId: exports_external.string().min(1)
+  });
 });
 
 // ../data/src/schemas.index.ts
@@ -93676,6 +93813,9 @@ function isAuthenticated(ctx) {
 var init_types9 = () => {};
 
 // ../api-core/src/utils/auth.util.ts
+function hasGameManagementAccess(user) {
+  return user.role === "admin" || user.role === "teacher" || user.role === "developer" && user.developerStatus === "approved";
+}
 function requireAuth(handler) {
   return async (ctx) => {
     if (!isAuthenticated(ctx)) {
@@ -93719,6 +93859,17 @@ function requireDeveloper(handler) {
     return handler(ctx);
   };
 }
+function requireGameManagementAccess(handler) {
+  return async (ctx) => {
+    if (!isAuthenticated(ctx)) {
+      throw ApiError.unauthorized("Valid session or bearer token required");
+    }
+    if (!hasGameManagementAccess(ctx.user)) {
+      throw ApiError.forbidden("Game management access required");
+    }
+    return handler(ctx);
+  };
+}
 var init_auth_util = __esm(() => {
   init_errors();
   init_types9();
@@ -95776,7 +95927,7 @@ var init_sprite_controller = __esm(() => {
 });
 
 // ../api-core/src/controllers/timeback.controller.ts
-var logger63, getTodayXp, getTotalXp, updateTodayXp, getXpHistory, populateStudent, getUser, getUserById, setupIntegration, getIntegrations, verifyIntegration, getConfig2, deleteIntegrations, endActivity, getStudentXp, getRoster, getStudentOverview, getStudentActivity, grantXp, adjustTime, adjustMastery, toggleCompletion, timeback2;
+var logger63, getTodayXp, getTotalXp, updateTodayXp, getXpHistory, populateStudent, getUser, getUserById, setupIntegration, getIntegrations, verifyIntegration, getConfig2, deleteIntegrations, endActivity, getStudentXp, getRoster, getStudentOverview, getStudentActivity, grantXp, adjustTime, adjustMastery, toggleCompletion, searchStudents, enrollStudent, unenrollStudent, timeback2;
 var init_timeback_controller = __esm(() => {
   init_esm();
   init_schemas_index();
@@ -95866,7 +96017,7 @@ var init_timeback_controller = __esm(() => {
     });
     return ctx.services.timeback.setupIntegration(body2.gameId, body2, ctx.user);
   });
-  getIntegrations = requireDeveloper(async (ctx) => {
+  getIntegrations = requireGameManagementAccess(async (ctx) => {
     const gameId = ctx.params.gameId;
     if (!gameId) {
       throw ApiError.badRequest("Missing gameId");
@@ -95991,7 +96142,7 @@ var init_timeback_controller = __esm(() => {
       include
     });
   });
-  getRoster = requireDeveloper(async (ctx) => {
+  getRoster = requireGameManagementAccess(async (ctx) => {
     const gameId = ctx.params.gameId;
     const courseId = ctx.params.courseId;
     if (!gameId || !courseId) {
@@ -96004,7 +96155,7 @@ var init_timeback_controller = __esm(() => {
     });
     return ctx.services.timebackAdmin.listStudentsForCourse(gameId, courseId, ctx.user);
   });
-  getStudentOverview = requireDeveloper(async (ctx) => {
+  getStudentOverview = requireGameManagementAccess(async (ctx) => {
     const timebackId = ctx.params.timebackId;
     const gameId = ctx.url.searchParams.get("gameId") || undefined;
     const courseId = ctx.url.searchParams.get("courseId") || undefined;
@@ -96019,7 +96170,7 @@ var init_timeback_controller = __esm(() => {
     });
     return ctx.services.timebackAdmin.getStudentOverview(gameId, timebackId, ctx.user, courseId);
   });
-  getStudentActivity = requireDeveloper(async (ctx) => {
+  getStudentActivity = requireGameManagementAccess(async (ctx) => {
     const timebackId = ctx.params.timebackId;
     const courseId = ctx.params.courseId;
     const gameId = ctx.url.searchParams.get("gameId") || undefined;
@@ -96082,7 +96233,7 @@ var init_timeback_controller = __esm(() => {
     });
     return ctx.services.timebackAdmin.adjustMasteredUnits(body2, ctx.user);
   });
-  toggleCompletion = requireDeveloper(async (ctx) => {
+  toggleCompletion = requireGameManagementAccess(async (ctx) => {
     const body2 = await parseRequestBody(ctx.request, ToggleCourseCompletionRequestSchema);
     logger63.debug("Toggling course completion", {
       requesterId: ctx.user.id,
@@ -96093,6 +96244,41 @@ var init_timeback_controller = __esm(() => {
     });
     return ctx.services.timebackAdmin.toggleCourseCompletion(body2, ctx.user);
   });
+  searchStudents = requireGameManagementAccess(async (ctx) => {
+    const gameId = ctx.params.gameId;
+    const courseId = ctx.params.courseId;
+    const query = ctx.url.searchParams.get("q") || "";
+    if (!gameId || !courseId) {
+      throw ApiError.badRequest("Missing gameId or courseId parameter");
+    }
+    logger63.debug("Searching students for enrollment", {
+      requesterId: ctx.user.id,
+      gameId,
+      courseId,
+      query
+    });
+    return ctx.services.timebackAdmin.searchStudentsForEnrollment(gameId, courseId, query, ctx.user);
+  });
+  enrollStudent = requireGameManagementAccess(async (ctx) => {
+    const body2 = await parseRequestBody(ctx.request, EnrollStudentRequestSchema);
+    logger63.debug("Enrolling student", {
+      requesterId: ctx.user.id,
+      gameId: body2.gameId,
+      courseId: body2.courseId,
+      studentId: body2.studentId
+    });
+    return ctx.services.timebackAdmin.enrollStudent(body2, ctx.user);
+  });
+  unenrollStudent = requireGameManagementAccess(async (ctx) => {
+    const body2 = await parseRequestBody(ctx.request, UnenrollStudentRequestSchema);
+    logger63.debug("Unenrolling student", {
+      requesterId: ctx.user.id,
+      gameId: body2.gameId,
+      courseId: body2.courseId,
+      studentId: body2.studentId
+    });
+    return ctx.services.timebackAdmin.unenrollStudent(body2, ctx.user);
+  });
   timeback2 = {
     getTodayXp,
     getTotalXp,
@@ -96114,7 +96300,10 @@ var init_timeback_controller = __esm(() => {
     grantXp,
     adjustTime,
     adjustMastery,
-    toggleCompletion
+    toggleCompletion,
+    searchStudents,
+    enrollStudent,
+    unenrollStudent
   };
 });
 

package/dist/server.js

@@ -1309,7 +1309,7 @@ var package_default;
 var init_package = __esm(() => {
   package_default = {
     name: "@playcademy/sandbox",
-    version: "0.3.17-beta.5",
+    version: "0.3.17-beta.7",
     description: "Local development server for Playcademy game development",
     type: "module",
     exports: {
@@ -11549,7 +11549,7 @@ var init_table6 = __esm(() => {
   init_drizzle_orm();
   init_pg_core();
   init_table5();
-  userRoleEnum = pgEnum("user_role", ["admin", "player", "developer"]);
+  userRoleEnum = pgEnum("user_role", ["admin", "player", "developer", "teacher"]);
   developerStatusEnum = pgEnum("developer_status", ["none", "pending", "approved"]);
   users = pgTable("user", {
     id: text("id").primaryKey().$defaultFn(() => crypto.randomUUID()),
@@ -26732,10 +26732,13 @@ var init_game_service = __esm(() => {
       });
     }
     async listManageable(user) {
-      this.validateDeveloperStatus(user);
+      const seesAllGames = user.role === "admin" || user.role === "teacher";
+      if (!seesAllGames) {
+        this.validateDeveloperStatus(user);
+      }
       const db2 = this.deps.db;
       return db2.query.games.findMany({
-        where: user.role === "admin" ? undefined : eq(games.developerId, user.id),
+        where: seesAllGames ? undefined : eq(games.developerId, user.id),
         orderBy: [desc(games.createdAt)]
       });
     }
@@ -27139,6 +27142,19 @@ var init_game_service = __esm(() => {
         throw new NotFoundError("Game", gameId);
       }
     }
+    async validateGameManagementAccess(user, gameId) {
+      if (user.role === "admin" || user.role === "teacher") {
+        const gameExists = await this.deps.db.query.games.findFirst({
+          where: eq(games.id, gameId),
+          columns: { id: true }
+        });
+        if (!gameExists) {
+          throw new NotFoundError("Game", gameId);
+        }
+        return;
+      }
+      return this.validateDeveloperAccess(user, gameId);
+    }
     async validateDeveloperAccessBySlug(user, slug) {
       this.validateDeveloperStatus(user);
       const db2 = this.deps.db;
@@ -27209,6 +27225,7 @@ function createGameServices(deps) {
     validators: {
       validateDeveloperAccessBySlug: (user, slug) => game.validateDeveloperAccessBySlug(user, slug),
       validateDeveloperAccess: (user, gameId) => game.validateDeveloperAccess(user, gameId),
+      validateGameManagementAccess: (user, gameId) => game.validateGameManagementAccess(user, gameId),
       validateOwnership: (user, gameId) => game.validateOwnership(user, gameId)
     }
   };
@@ -30611,9 +30628,13 @@ class TimebackAdminService {
       });
     });
   }
-  async resolveAdminMutationContext(gameId, courseId, user, studentId) {
+  async resolveAdminMutationContext(gameId, courseId, user, studentId, accessLevel = "developer") {
     const client = this.requireClient();
-    await this.deps.validateDeveloperAccess(user, gameId);
+    if (accessLevel === "dashboard") {
+      await this.deps.validateGameManagementAccess(user, gameId);
+    } else {
+      await this.deps.validateDeveloperAccess(user, gameId);
+    }
     const integration = await this.deps.db.query.gameTimebackIntegrations.findFirst({
       where: and(eq(gameTimebackIntegrations.gameId, gameId), eq(gameTimebackIntegrations.courseId, courseId))
     });
@@ -30873,7 +30894,7 @@ class TimebackAdminService {
   }
   async listStudentsForCourse(gameId, courseId, user) {
     const client = this.requireClient();
-    await this.deps.validateDeveloperAccess(user, gameId);
+    await this.deps.validateGameManagementAccess(user, gameId);
     const integration = await this.deps.db.query.gameTimebackIntegrations.findFirst({
       where: and(eq(gameTimebackIntegrations.gameId, gameId), eq(gameTimebackIntegrations.courseId, courseId))
     });
@@ -30911,7 +30932,7 @@ class TimebackAdminService {
   }
   async getStudentOverview(gameId, studentId, user, courseId) {
     const client = this.requireClient();
-    await this.deps.validateDeveloperAccess(user, gameId);
+    await this.deps.validateGameManagementAccess(user, gameId);
     const integrations = await this.deps.db.query.gameTimebackIntegrations.findMany({
       where: courseId ? and(eq(gameTimebackIntegrations.gameId, gameId), eq(gameTimebackIntegrations.courseId, courseId)) : eq(gameTimebackIntegrations.gameId, gameId)
     });
@@ -30965,7 +30986,7 @@ class TimebackAdminService {
     const client = this.requireClient();
     const safeLimit = Math.max(1, Math.min(limit, TimebackAdminService.MAX_STUDENT_ACTIVITY_LIMIT));
     const safeOffset = Math.max(0, Math.min(offset, TimebackAdminService.MAX_STUDENT_ACTIVITY_OFFSET));
-    await this.deps.validateDeveloperAccess(user, gameId);
+    await this.deps.validateGameManagementAccess(user, gameId);
     const [integration, sensorUrl] = await Promise.all([
       this.deps.db.query.gameTimebackIntegrations.findFirst({
         where: and(eq(gameTimebackIntegrations.gameId, gameId), eq(gameTimebackIntegrations.courseId, courseId))
@@ -31029,7 +31050,7 @@ class TimebackAdminService {
     return { status: "ok" };
   }
   async toggleCourseCompletion(data, user) {
-    const { client, sensorUrl, appName, actor } = await this.resolveAdminMutationContext(data.gameId, data.courseId, user, data.studentId);
+    const { client, sensorUrl, appName, actor } = await this.resolveAdminMutationContext(data.gameId, data.courseId, user, data.studentId, "dashboard");
     const historyClient = client;
     const ids = deriveSourcedIds(data.courseId);
     const lineItemId = `${ids.course}-mastery-completion-assessment`;
@@ -31122,6 +31143,77 @@ class TimebackAdminService {
     }
     return { status: "ok" };
   }
+  async searchStudentsForEnrollment(gameId, courseId, query, user) {
+    const client = this.requireClient();
+    await this.deps.validateGameManagementAccess(user, gameId);
+    const integration = await this.deps.db.query.gameTimebackIntegrations.findFirst({
+      where: and(eq(gameTimebackIntegrations.gameId, gameId), eq(gameTimebackIntegrations.courseId, courseId))
+    });
+    if (!integration) {
+      throw new NotFoundError("Timeback integration", `${gameId}:${courseId}`);
+    }
+    const trimmedQuery = query.trim();
+    if (trimmedQuery.length < 2) {
+      return { students: [] };
+    }
+    const filterParts = [
+      `givenName~'${escapeFilterValue(trimmedQuery)}'`,
+      `familyName~'${escapeFilterValue(trimmedQuery)}'`,
+      `email~'${escapeFilterValue(trimmedQuery)}'`
+    ];
+    const filter = filterParts.join(" OR ");
+    const params = new URLSearchParams({ filter, limit: "25" });
+    const endpoint = `/ims/oneroster/rostering/v1p2/users?${params}`;
+    let allUsers = [];
+    try {
+      const response = await client["request"](endpoint, "GET");
+      allUsers = response.users || [];
+    } catch (error) {
+      logger16.warn("Failed to search OneRoster users", {
+        query: trimmedQuery,
+        error: error instanceof Error ? error.message : String(error)
+      });
+      return { students: [] };
+    }
+    const roster = await client.oneroster.enrollments.listByCourse(courseId, {
+      role: "student",
+      includeUsers: false
+    });
+    const enrolledStudentIds = new Set(roster.map((entry) => entry.enrollment.user.sourcedId));
+    const students = allUsers.filter((entry) => Boolean(entry.sourcedId) && entry.roles?.some((role) => role.role === "student") === true).map((entry) => ({
+      studentId: entry.sourcedId,
+      name: `${entry.givenName || ""} ${entry.familyName || ""}`.trim() || entry.sourcedId,
+      email: entry.email || null,
+      alreadyEnrolled: enrolledStudentIds.has(entry.sourcedId)
+    }));
+    return { students };
+  }
+  async enrollStudent(data, user) {
+    const client = this.requireClient();
+    await this.deps.validateGameManagementAccess(user, data.gameId);
+    const integration = await this.deps.db.query.gameTimebackIntegrations.findFirst({
+      where: and(eq(gameTimebackIntegrations.gameId, data.gameId), eq(gameTimebackIntegrations.courseId, data.courseId))
+    });
+    if (!integration) {
+      throw new NotFoundError("Timeback integration", `${data.gameId}:${data.courseId}`);
+    }
+    await client.edubridge.enrollments.enroll(data.studentId, data.courseId, {
+      role: "student"
+    });
+    return { status: "ok" };
+  }
+  async unenrollStudent(data, user) {
+    const client = this.requireClient();
+    await this.deps.validateGameManagementAccess(user, data.gameId);
+    const integration = await this.deps.db.query.gameTimebackIntegrations.findFirst({
+      where: and(eq(gameTimebackIntegrations.gameId, data.gameId), eq(gameTimebackIntegrations.courseId, data.courseId))
+    });
+    if (!integration) {
+      throw new NotFoundError("Timeback integration", `${data.gameId}:${data.courseId}`);
+    }
+    await client.edubridge.enrollments.unenroll(data.studentId, data.courseId);
+    return { status: "ok" };
+  }
   async getCompletionStatus(client, courseId, studentId) {
     const ids = deriveSourcedIds(courseId);
     const lineItemId = `${ids.course}-mastery-completion-assessment`;
@@ -31573,7 +31665,7 @@ class TimebackService {
     return { integrations, ...verbose && verboseData.length > 0 && { verbose: verboseData } };
   }
   async getIntegrations(gameId, user) {
-    await this.deps.validateDeveloperAccess(user, gameId);
+    await this.deps.validateGameManagementAccess(user, gameId);
     const rows = await this.deps.db.query.gameTimebackIntegrations.findMany({
       where: eq(gameTimebackIntegrations.gameId, gameId)
     });
@@ -31828,6 +31920,7 @@ function createPlatformServices(deps) {
     alerts,
     validateDeveloperAccessBySlug,
     validateDeveloperAccess,
+    validateGameManagementAccess,
     validateOwnership
   } = deps;
   const bucket = new BucketService({
@@ -31862,12 +31955,14 @@ function createPlatformServices(deps) {
   const timeback2 = new TimebackService({
     db: db2,
     timeback: timebackClient,
-    validateDeveloperAccess
+    validateDeveloperAccess,
+    validateGameManagementAccess
   });
   const timebackAdmin = new TimebackAdminService({
     db: db2,
     timeback: timebackClient,
-    validateDeveloperAccess
+    validateDeveloperAccess,
+    validateGameManagementAccess
   });
   return {
     bucket,
@@ -34999,6 +35094,34 @@ function createEduBridgeNamespace(client) {
     listByUser: async (userId) => {
       const response = await client["request"](`/edubridge/enrollments/user/${userId}`, "GET");
       return response.data;
+    },
+    enroll: async (userId, courseId, options) => {
+      const segments = [userId, courseId];
+      if (options?.schoolId) {
+        segments.push(options.schoolId);
+      }
+      const body2 = {};
+      if (options?.role) {
+        body2.role = options.role;
+      }
+      if (options?.sourcedId) {
+        body2.sourcedId = options.sourcedId;
+      }
+      if (options?.beginDate) {
+        body2.beginDate = options.beginDate;
+      }
+      if (options?.metadata) {
+        body2.metadata = options.metadata;
+      }
+      const response = await client["request"](`/edubridge/enrollments/enroll/${segments.join("/")}`, "POST", body2);
+      return response.data;
+    },
+    unenroll: async (userId, courseId, options) => {
+      const segments = [userId, courseId];
+      if (options?.schoolId) {
+        segments.push(options.schoolId);
+      }
+      await client["request"](`/edubridge/enrollments/unenroll/${segments.join("/")}`, "DELETE");
     }
   };
   const analytics = {
@@ -35174,6 +35297,10 @@ function createOneRosterNamespace(client) {
           logTimebackError("list course roster", error, { courseSourcedId });
           throw error;
         }
+      },
+      create: async (data) => client["request"](ONEROSTER_ENDPOINTS4.enrollments, "POST", { enrollment: data }),
+      delete: async (sourcedId) => {
+        await client["request"](`${ONEROSTER_ENDPOINTS4.enrollments}/${sourcedId}`, "DELETE");
       }
     },
     organizations: {
@@ -93506,7 +93633,7 @@ function isValidAdminAttributionDate(value) {
   const date4 = new Date(Date.UTC(year3, month - 1, day, 12, 0, 0));
   return date4.getUTCFullYear() === year3 && date4.getUTCMonth() + 1 === month && date4.getUTCDate() === day;
 }
-var TIMEBACK_GRADES, TIMEBACK_SUBJECTS5, TimebackGradeSchema, TimebackSubjectSchema, UpdateTimebackXpRequestSchema, EndActivityRequestSchema, PopulateStudentRequestSchema, DerivedPlatformCourseConfigSchema, TimebackBaseConfigSchema, PlatformTimebackSetupRequestSchema, AdminTimebackMutationBaseSchema, AdminAttributionDateSchema, GrantTimebackXpRequestSchema, AdjustTimebackTimeRequestSchema, AdjustTimebackMasteryRequestSchema, ToggleCourseCompletionRequestSchema;
+var TIMEBACK_GRADES, TIMEBACK_SUBJECTS5, TimebackGradeSchema, TimebackSubjectSchema, UpdateTimebackXpRequestSchema, EndActivityRequestSchema, PopulateStudentRequestSchema, DerivedPlatformCourseConfigSchema, TimebackBaseConfigSchema, PlatformTimebackSetupRequestSchema, AdminTimebackMutationBaseSchema, AdminAttributionDateSchema, GrantTimebackXpRequestSchema, AdjustTimebackTimeRequestSchema, AdjustTimebackMasteryRequestSchema, ToggleCourseCompletionRequestSchema, EnrollStudentRequestSchema, UnenrollStudentRequestSchema;
 var init_schemas11 = __esm(() => {
   init_esm();
   TIMEBACK_GRADES = [-1, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13];
@@ -93649,6 +93776,16 @@ var init_schemas11 = __esm(() => {
     studentId: exports_external.string().min(1),
     action: exports_external.enum(["complete", "resume"])
   });
+  EnrollStudentRequestSchema = exports_external.object({
+    gameId: exports_external.string().uuid(),
+    courseId: exports_external.string().min(1),
+    studentId: exports_external.string().min(1)
+  });
+  UnenrollStudentRequestSchema = exports_external.object({
+    gameId: exports_external.string().uuid(),
+    courseId: exports_external.string().min(1),
+    studentId: exports_external.string().min(1)
+  });
 });
 
 // ../data/src/schemas.index.ts
@@ -93675,6 +93812,9 @@ function isAuthenticated(ctx) {
 var init_types9 = () => {};
 
 // ../api-core/src/utils/auth.util.ts
+function hasGameManagementAccess(user) {
+  return user.role === "admin" || user.role === "teacher" || user.role === "developer" && user.developerStatus === "approved";
+}
 function requireAuth(handler) {
   return async (ctx) => {
     if (!isAuthenticated(ctx)) {
@@ -93718,6 +93858,17 @@ function requireDeveloper(handler) {
     return handler(ctx);
   };
 }
+function requireGameManagementAccess(handler) {
+  return async (ctx) => {
+    if (!isAuthenticated(ctx)) {
+      throw ApiError.unauthorized("Valid session or bearer token required");
+    }
+    if (!hasGameManagementAccess(ctx.user)) {
+      throw ApiError.forbidden("Game management access required");
+    }
+    return handler(ctx);
+  };
+}
 var init_auth_util = __esm(() => {
   init_errors();
   init_types9();
@@ -95775,7 +95926,7 @@ var init_sprite_controller = __esm(() => {
 });
 
 // ../api-core/src/controllers/timeback.controller.ts
-var logger63, getTodayXp, getTotalXp, updateTodayXp, getXpHistory, populateStudent, getUser, getUserById, setupIntegration, getIntegrations, verifyIntegration, getConfig2, deleteIntegrations, endActivity, getStudentXp, getRoster, getStudentOverview, getStudentActivity, grantXp, adjustTime, adjustMastery, toggleCompletion, timeback2;
+var logger63, getTodayXp, getTotalXp, updateTodayXp, getXpHistory, populateStudent, getUser, getUserById, setupIntegration, getIntegrations, verifyIntegration, getConfig2, deleteIntegrations, endActivity, getStudentXp, getRoster, getStudentOverview, getStudentActivity, grantXp, adjustTime, adjustMastery, toggleCompletion, searchStudents, enrollStudent, unenrollStudent, timeback2;
 var init_timeback_controller = __esm(() => {
   init_esm();
   init_schemas_index();
@@ -95865,7 +96016,7 @@ var init_timeback_controller = __esm(() => {
     });
     return ctx.services.timeback.setupIntegration(body2.gameId, body2, ctx.user);
   });
-  getIntegrations = requireDeveloper(async (ctx) => {
+  getIntegrations = requireGameManagementAccess(async (ctx) => {
     const gameId = ctx.params.gameId;
     if (!gameId) {
       throw ApiError.badRequest("Missing gameId");
@@ -95990,7 +96141,7 @@ var init_timeback_controller = __esm(() => {
       include
     });
   });
-  getRoster = requireDeveloper(async (ctx) => {
+  getRoster = requireGameManagementAccess(async (ctx) => {
     const gameId = ctx.params.gameId;
     const courseId = ctx.params.courseId;
     if (!gameId || !courseId) {
@@ -96003,7 +96154,7 @@ var init_timeback_controller = __esm(() => {
     });
     return ctx.services.timebackAdmin.listStudentsForCourse(gameId, courseId, ctx.user);
   });
-  getStudentOverview = requireDeveloper(async (ctx) => {
+  getStudentOverview = requireGameManagementAccess(async (ctx) => {
     const timebackId = ctx.params.timebackId;
     const gameId = ctx.url.searchParams.get("gameId") || undefined;
     const courseId = ctx.url.searchParams.get("courseId") || undefined;
@@ -96018,7 +96169,7 @@ var init_timeback_controller = __esm(() => {
     });
     return ctx.services.timebackAdmin.getStudentOverview(gameId, timebackId, ctx.user, courseId);
   });
-  getStudentActivity = requireDeveloper(async (ctx) => {
+  getStudentActivity = requireGameManagementAccess(async (ctx) => {
     const timebackId = ctx.params.timebackId;
     const courseId = ctx.params.courseId;
     const gameId = ctx.url.searchParams.get("gameId") || undefined;
@@ -96081,7 +96232,7 @@ var init_timeback_controller = __esm(() => {
     });
     return ctx.services.timebackAdmin.adjustMasteredUnits(body2, ctx.user);
   });
-  toggleCompletion = requireDeveloper(async (ctx) => {
+  toggleCompletion = requireGameManagementAccess(async (ctx) => {
     const body2 = await parseRequestBody(ctx.request, ToggleCourseCompletionRequestSchema);
     logger63.debug("Toggling course completion", {
       requesterId: ctx.user.id,
@@ -96092,6 +96243,41 @@ var init_timeback_controller = __esm(() => {
     });
     return ctx.services.timebackAdmin.toggleCourseCompletion(body2, ctx.user);
   });
+  searchStudents = requireGameManagementAccess(async (ctx) => {
+    const gameId = ctx.params.gameId;
+    const courseId = ctx.params.courseId;
+    const query = ctx.url.searchParams.get("q") || "";
+    if (!gameId || !courseId) {
+      throw ApiError.badRequest("Missing gameId or courseId parameter");
+    }
+    logger63.debug("Searching students for enrollment", {
+      requesterId: ctx.user.id,
+      gameId,
+      courseId,
+      query
+    });
+    return ctx.services.timebackAdmin.searchStudentsForEnrollment(gameId, courseId, query, ctx.user);
+  });
+  enrollStudent = requireGameManagementAccess(async (ctx) => {
+    const body2 = await parseRequestBody(ctx.request, EnrollStudentRequestSchema);
+    logger63.debug("Enrolling student", {
+      requesterId: ctx.user.id,
+      gameId: body2.gameId,
+      courseId: body2.courseId,
+      studentId: body2.studentId
+    });
+    return ctx.services.timebackAdmin.enrollStudent(body2, ctx.user);
+  });
+  unenrollStudent = requireGameManagementAccess(async (ctx) => {
+    const body2 = await parseRequestBody(ctx.request, UnenrollStudentRequestSchema);
+    logger63.debug("Unenrolling student", {
+      requesterId: ctx.user.id,
+      gameId: body2.gameId,
+      courseId: body2.courseId,
+      studentId: body2.studentId
+    });
+    return ctx.services.timebackAdmin.unenrollStudent(body2, ctx.user);
+  });
   timeback2 = {
     getTodayXp,
     getTotalXp,
@@ -96113,7 +96299,10 @@ var init_timeback_controller = __esm(() => {
     grantXp,
     adjustTime,
     adjustMastery,
-    toggleCompletion
+    toggleCompletion,
+    searchStudents,
+    enrollStudent,
+    unenrollStudent
   };
 });
 

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "@playcademy/sandbox",
-    "version": "0.3.17-beta.5",
+    "version": "0.3.17-beta.7",
     "description": "Local development server for Playcademy game development",
     "type": "module",
     "exports": {