@selvajs/local-provider 0.11.0

package/src/data/LocalOrgStore.ts

@@ -0,0 +1,356 @@
+import * as path from 'node:path';
+import type {
+	IOrgStore,
+	IInviteStore,
+	IComputeServerStore,
+	IPlatformProjectGrantStore,
+	IEventSink,
+	Organization,
+	OrgRole,
+	OrgPermission,
+	OrgMember,
+	Project,
+	ProjectMember,
+	RequestContext,
+	ListOptions,
+	Page
+} from '@selvajs/platform';
+import {
+	DEFAULT_ORG_PERMISSIONS,
+	ProviderError,
+	auditUpdate,
+	auditSoftDelete,
+	actorFrom,
+	NoopEventSink
+} from '@selvajs/platform';
+import { paginate, applyOrder } from './pagination.js';
+import { readJsonFile, writeJsonFile } from './fsJson.js';
+import { LocalInviteStore } from './LocalInviteStore.js';
+import { LocalComputeServerStore } from './LocalComputeServerStore.js';
+import { LocalPlatformProjectGrantStore } from './LocalPlatformProjectGrantStore.js';
+
+/** Shape of the on-disk local-org.json file. */
+export interface LocalOrgStoreData {
+	orgs: Organization[];
+	projects: Project[];
+	orgMembers: OrgMember[];
+	projectMembers: ProjectMember[];
+}
+
+/** Data-access-layer filter: row is live (not soft-deleted). */
+function isLive<T extends { deletedAt?: string | null }>(row: T): boolean {
+	return row.deletedAt == null;
+}
+
+/**
+ * Shared by LocalOrgStore and LocalProjectStore — one instance so all
+ * reads/writes go through one cache and one atomic write path. The store
+ * starts empty; orgs are created explicitly via `createOrg`.
+ *
+ * Concurrent first-callers share a single in-flight read promise so they
+ * end up with the same cached object reference. Mutations after that point
+ * stack on the shared object, and `writeJsonFile`'s temp+rename keeps the
+ * on-disk view atomic.
+ */
+export class LocalOrgStoreLoader {
+	readonly storePath: string;
+	private store: LocalOrgStoreData | null = null;
+	private loading: Promise<LocalOrgStoreData> | null = null;
+
+	constructor(dataPath: string) {
+		this.storePath = path.join(dataPath, 'local-org.json');
+	}
+
+	async get(): Promise<LocalOrgStoreData> {
+		if (this.store) return this.store;
+		this.loading ??= readJsonFile<LocalOrgStoreData>(this.storePath, {
+			orgs: [],
+			projects: [],
+			orgMembers: [],
+			projectMembers: []
+		}).then((data) => {
+			this.store = data;
+			this.loading = null;
+			return data;
+		});
+		return this.loading;
+	}
+
+	async write(store: LocalOrgStoreData): Promise<void> {
+		this.store = store;
+		await writeJsonFile(this.storePath, store);
+	}
+}
+
+export interface LocalOrgStoreOptions {
+	loader: LocalOrgStoreLoader;
+	/**
+	 * Sibling stores wired in for the `deleteOrg` cascade. The local provider
+	 * splits invites, compute config, and platform-project grants into
+	 * separate JSON files that the loader can't reach — so they're injected
+	 * here. Required, not optional: an unwired cascade silently leaks
+	 * operational data, exactly the footgun the cascade fix was meant to
+	 * remove.
+	 */
+	invites: IInviteStore;
+	computeServer: IComputeServerStore;
+	grants: IPlatformProjectGrantStore;
+	events?: IEventSink;
+}
+
+export class LocalOrgStore implements IOrgStore {
+	private readonly loader: LocalOrgStoreLoader;
+	private readonly events: IEventSink;
+	private readonly invites: IInviteStore;
+	private readonly computeServer: IComputeServerStore;
+	private readonly grants: IPlatformProjectGrantStore;
+
+	static fromEnv(env: Record<string, string | undefined>): LocalOrgStore {
+		if (!env.DATA_PATH) throw new Error('Missing required env var: DATA_PATH');
+		return new LocalOrgStore({
+			loader: new LocalOrgStoreLoader(env.DATA_PATH),
+			invites: LocalInviteStore.fromEnv(env),
+			computeServer: LocalComputeServerStore.fromEnv(env),
+			grants: LocalPlatformProjectGrantStore.fromEnv(env)
+		});
+	}
+
+	constructor(opts: LocalOrgStoreOptions) {
+		this.loader = opts.loader;
+		this.invites = opts.invites;
+		this.computeServer = opts.computeServer;
+		this.grants = opts.grants;
+		this.events = opts.events ?? new NoopEventSink();
+	}
+
+	async listOrgs(_ctx: RequestContext, opts?: ListOptions): Promise<Page<Organization>> {
+		const { orgs } = await this.loader.get();
+		return paginate(applyOrder(orgs.filter(isLive), opts), opts);
+	}
+
+	async getOrg(_ctx: RequestContext, id: string): Promise<Organization | null> {
+		const { orgs } = await this.loader.get();
+		const o = orgs.find((o) => o.id === id);
+		return o && isLive(o) ? o : null;
+	}
+
+	async getOrgBySlug(_ctx: RequestContext, slug: string): Promise<Organization | null> {
+		const { orgs } = await this.loader.get();
+		const o = orgs.find((o) => o.slug === slug);
+		return o && isLive(o) ? o : null;
+	}
+
+	async createOrg(ctx: RequestContext, org: Organization): Promise<void> {
+		const store = await this.loader.get();
+		if (store.orgs.some((o) => o.id === org.id && isLive(o))) {
+			throw new ProviderError(`Org '${org.id}' already exists`, 409);
+		}
+		if (store.orgs.some((o) => o.slug === org.slug && isLive(o))) {
+			throw new ProviderError(`Org slug '${org.slug}' already in use`, 409);
+		}
+		store.orgs.push({ ...org, deletedAt: null });
+		const now = new Date().toISOString();
+		store.orgMembers.push({
+			orgId: org.id,
+			userId: org.ownerId,
+			role: 'owner',
+			permissions: [...DEFAULT_ORG_PERMISSIONS.owner],
+			joinedAt: now,
+			...auditUpdate(ctx, org.ownerId),
+			deletedAt: null
+		});
+		await this.loader.write(store);
+		await this.events.emit({ type: 'org.created', orgId: org.id, actorId: actorFrom(ctx) });
+	}
+
+	async updateOrg(
+		ctx: RequestContext,
+		id: string,
+		patch: Partial<Pick<Organization, 'name' | 'slug'>>
+	): Promise<void> {
+		const store = await this.loader.get();
+		const idx = store.orgs.findIndex((o) => o.id === id && isLive(o));
+		if (idx === -1) throw new ProviderError(`Org '${id}' not found`, 404);
+		if (patch.slug && patch.slug !== store.orgs[idx].slug) {
+			if (store.orgs.some((o) => o.id !== id && o.slug === patch.slug && isLive(o))) {
+				throw new ProviderError(`Org slug '${patch.slug}' already in use`, 409);
+			}
+		}
+		store.orgs[idx] = {
+			...store.orgs[idx],
+			...patch,
+			...auditUpdate(ctx, store.orgs[idx].updatedBy ?? store.orgs[idx].ownerId)
+		};
+		await this.loader.write(store);
+	}
+
+	async deleteOrg(ctx: RequestContext, id: string): Promise<void> {
+		const store = await this.loader.get();
+		const idx = store.orgs.findIndex((o) => o.id === id && isLive(o));
+		if (idx === -1) throw new ProviderError(`Org '${id}' not found`, 404);
+		const stamp = auditSoftDelete(ctx, store.orgs[idx].updatedBy ?? store.orgs[idx].ownerId);
+		// Cascade soft-delete into members, projects, and project members.
+		store.orgs[idx] = { ...store.orgs[idx], ...stamp };
+		store.orgMembers = store.orgMembers.map((m) =>
+			m.orgId === id && isLive(m) ? { ...m, ...stamp } : m
+		);
+		const orgProjectIds = new Set(
+			store.projects.filter((p) => p.orgId === id && isLive(p)).map((p) => p.id)
+		);
+		store.projects = store.projects.map((p) =>
+			p.orgId === id && isLive(p) ? { ...p, ...stamp } : p
+		);
+		store.projectMembers = store.projectMembers.map((m) =>
+			orgProjectIds.has(m.projectId) && isLive(m) ? { ...m, ...stamp } : m
+		);
+		await this.loader.write(store);
+		// Cascade into hard-delete-only sibling stores. Pending invites and
+		// org compute config are operational, not user data — no audit trail
+		// to preserve, and leaving them behind only creates orphans.
+		await this.invites.deleteByOrg(ctx, id);
+		await this.computeServer.deleteByOrg(ctx, id);
+		// Drop grants for projects we just soft-deleted, plus any grant where
+		// this org is the grantee. User grants survive — they're identity-
+		// scoped, not org-scoped.
+		for (const projectId of orgProjectIds) {
+			await this.grants.deleteByProject(ctx, projectId);
+		}
+		await this.grants.deleteByGranteeOrg(ctx, id);
+		await this.events.emit({ type: 'org.deleted', orgId: id, actorId: actorFrom(ctx) });
+	}
+
+	async listOrgMembers(
+		_ctx: RequestContext,
+		orgId: string,
+		opts?: ListOptions
+	): Promise<Page<OrgMember>> {
+		const { orgMembers } = await this.loader.get();
+		return paginate(
+			orgMembers.filter((m) => m.orgId === orgId && isLive(m)),
+			opts
+		);
+	}
+
+	async getOrgMember(
+		_ctx: RequestContext,
+		orgId: string,
+		userId: string
+	): Promise<OrgMember | null> {
+		const { orgMembers } = await this.loader.get();
+		const m = orgMembers.find((m) => m.orgId === orgId && m.userId === userId);
+		return m && isLive(m) ? m : null;
+	}
+
+	async findUserMembership(
+		_ctx: RequestContext,
+		userId: string
+	): Promise<{ org: Organization; member: OrgMember } | null> {
+		// Single pass over org_members for this user (filesystem JSON, so the
+		// file IS the index). Pick the first live membership; ordering follows
+		// insertion order in the JSON file, stable across reads.
+		const store = await this.loader.get();
+		const member = store.orgMembers.find((m) => m.userId === userId && isLive(m));
+		if (!member) return null;
+		const org = store.orgs.find((o) => o.id === member.orgId);
+		// A membership pointing at a soft-deleted org is treated as gone — same
+		// invariant the SQL adapter gets via FK + RLS on `orgs.deleted_at`.
+		if (!org || !isLive(org)) return null;
+		return { org, member };
+	}
+
+	async addOrgMember(ctx: RequestContext, member: OrgMember): Promise<void> {
+		const store = await this.loader.get();
+		// Reactivate a prior soft-deleted row rather than piling rows up.
+		const existing = store.orgMembers.find(
+			(m) => m.orgId === member.orgId && m.userId === member.userId
+		);
+		if (existing) {
+			Object.assign(existing, member, {
+				...auditUpdate(ctx, member.userId),
+				deletedAt: null
+			});
+		} else {
+			store.orgMembers.push({ ...member, deletedAt: null });
+		}
+		await this.loader.write(store);
+		await this.events.emit({
+			type: 'org_member.added',
+			orgId: member.orgId,
+			userId: member.userId,
+			actorId: actorFrom(ctx)
+		});
+	}
+
+	async updateOrgMemberRole(
+		ctx: RequestContext,
+		orgId: string,
+		userId: string,
+		role: OrgRole
+	): Promise<void> {
+		const store = await this.loader.get();
+		const m = store.orgMembers.find((m) => m.orgId === orgId && m.userId === userId && isLive(m));
+		if (!m) throw new ProviderError(`Org member '${userId}' not found`, 404);
+		m.role = role;
+		// Role change re-seeds the permission defaults. To preserve a custom
+		// OrgPermission set, call updateOrgMemberPermissions after the role change.
+		m.permissions = [...DEFAULT_ORG_PERMISSIONS[role]];
+		Object.assign(m, auditUpdate(ctx, m.updatedBy));
+		await this.loader.write(store);
+		await this.events.emit({
+			type: 'org_member.role_changed',
+			orgId,
+			userId,
+			role,
+			actorId: actorFrom(ctx)
+		});
+	}
+
+	async updateOrgMemberPermissions(
+		ctx: RequestContext,
+		orgId: string,
+		userId: string,
+		permissions: readonly OrgPermission[]
+	): Promise<void> {
+		const store = await this.loader.get();
+		const m = store.orgMembers.find((m) => m.orgId === orgId && m.userId === userId && isLive(m));
+		if (!m) throw new ProviderError(`Org member '${userId}' not found`, 404);
+		m.permissions = [...permissions];
+		Object.assign(m, auditUpdate(ctx, m.updatedBy));
+		await this.loader.write(store);
+		await this.events.emit({
+			type: 'org_member.permissions_changed',
+			orgId,
+			userId,
+			permissions: [...permissions],
+			actorId: actorFrom(ctx)
+		});
+	}
+
+	async removeOrgMember(ctx: RequestContext, orgId: string, userId: string): Promise<void> {
+		const store = await this.loader.get();
+		const m = store.orgMembers.find((m) => m.orgId === orgId && m.userId === userId && isLive(m));
+		if (!m) return;
+		const stamp = auditSoftDelete(ctx, m.updatedBy);
+		Object.assign(m, stamp);
+
+		// §9: losing org membership ends every project membership scoped to
+		// that tenant. Cascading here keeps the "members ⊂ org members"
+		// invariant true by construction so reads don't need to re-check it.
+		const projectIdsInOrg = new Set(
+			store.projects.filter((p) => p.orgId === orgId).map((p) => p.id)
+		);
+		store.projectMembers = store.projectMembers.map((pm) =>
+			pm.userId === userId && projectIdsInOrg.has(pm.projectId) && isLive(pm)
+				? { ...pm, ...stamp }
+				: pm
+		);
+
+		await this.loader.write(store);
+		await this.events.emit({
+			type: 'org_member.removed',
+			orgId,
+			userId,
+			actorId: actorFrom(ctx)
+		});
+	}
+}

package/src/data/LocalPlatformProjectGrantStore.ts

@@ -0,0 +1,85 @@
+import * as path from 'node:path';
+import type {
+	IPlatformProjectGrantStore,
+	PlatformProjectGrant,
+	RequestContext
+} from '@selvajs/platform';
+import { ProviderError } from '@selvajs/platform';
+import { readJsonFile, writeJsonFile } from './fsJson.js';
+
+interface OnDiskShape {
+	grants: PlatformProjectGrant[];
+}
+
+const empty = (): OnDiskShape => ({ grants: [] });
+
+export class LocalPlatformProjectGrantStore implements IPlatformProjectGrantStore {
+	private readonly filePath: string;
+
+	static fromEnv(env: Record<string, string | undefined>): LocalPlatformProjectGrantStore {
+		if (!env.DATA_PATH) throw new Error('Missing required env var: DATA_PATH');
+		return new LocalPlatformProjectGrantStore(
+			path.join(env.DATA_PATH, 'platform-project-grants.json')
+		);
+	}
+
+	constructor(filePath: string) {
+		this.filePath = filePath;
+	}
+
+	private async read(): Promise<OnDiskShape> {
+		return readJsonFile<OnDiskShape>(this.filePath, empty());
+	}
+
+	private async write(data: OnDiskShape): Promise<void> {
+		await writeJsonFile(this.filePath, data);
+	}
+
+	async listByProject(_ctx: RequestContext, projectId: string): Promise<PlatformProjectGrant[]> {
+		const { grants } = await this.read();
+		return grants.filter((g) => g.projectId === projectId);
+	}
+
+	async create(_ctx: RequestContext, grant: PlatformProjectGrant): Promise<void> {
+		const data = await this.read();
+		if (data.grants.some((g) => g.id === grant.id)) {
+			throw new ProviderError(`Grant '${grant.id}' already exists`, 409);
+		}
+		const duplicate = data.grants.find(
+			(g) =>
+				g.projectId === grant.projectId &&
+				g.granteeType === grant.granteeType &&
+				g.granteeId === grant.granteeId
+		);
+		if (duplicate) {
+			throw new ProviderError(
+				`A grant for this ${grant.granteeType} already exists on this project`,
+				409
+			);
+		}
+		data.grants.push(grant);
+		await this.write(data);
+	}
+
+	async delete(_ctx: RequestContext, id: string): Promise<void> {
+		const data = await this.read();
+		const idx = data.grants.findIndex((g) => g.id === id);
+		if (idx === -1) throw new ProviderError(`Grant '${id}' not found`, 404);
+		data.grants.splice(idx, 1);
+		await this.write(data);
+	}
+
+	async deleteByProject(_ctx: RequestContext, projectId: string): Promise<void> {
+		const data = await this.read();
+		const before = data.grants.length;
+		data.grants = data.grants.filter((g) => g.projectId !== projectId);
+		if (data.grants.length !== before) await this.write(data);
+	}
+
+	async deleteByGranteeOrg(_ctx: RequestContext, orgId: string): Promise<void> {
+		const data = await this.read();
+		const before = data.grants.length;
+		data.grants = data.grants.filter((g) => !(g.granteeType === 'org' && g.granteeId === orgId));
+		if (data.grants.length !== before) await this.write(data);
+	}
+}

package/src/data/LocalProjectStore.ts

@@ -0,0 +1,274 @@
+import type {
+	IProjectStore,
+	IPlatformProjectGrantStore,
+	IEventSink,
+	Project,
+	ProjectRole,
+	ProjectMember,
+	RequestContext,
+	ListOptions,
+	Page
+} from '@selvajs/platform';
+import {
+	ProviderError,
+	auditUpdate,
+	auditSoftDelete,
+	actorFrom,
+	NoopEventSink
+} from '@selvajs/platform';
+import { paginate, applyOrder } from './pagination.js';
+import type { LocalOrgStoreLoader } from './LocalOrgStore.js';
+
+/** Data-access-layer filter — never let a soft-deleted row surface to callers. */
+function isLive<T extends { deletedAt?: string | null }>(row: T): boolean {
+	return row.deletedAt == null;
+}
+
+export interface LocalProjectStoreOptions {
+	loader: LocalOrgStoreLoader;
+	/**
+	 * Sibling store wired in for the `deleteProject` cascade. Grants live in
+	 * a separate JSON file the loader can't reach. Required, not optional —
+	 * an unwired cascade leaks grants on platform projects after deletion.
+	 */
+	grants: IPlatformProjectGrantStore;
+	events?: IEventSink;
+}
+
+export class LocalProjectStore implements IProjectStore {
+	private readonly loader: LocalOrgStoreLoader;
+	private readonly events: IEventSink;
+	private readonly grants: IPlatformProjectGrantStore;
+
+	constructor(opts: LocalProjectStoreOptions) {
+		this.loader = opts.loader;
+		this.grants = opts.grants;
+		this.events = opts.events ?? new NoopEventSink();
+	}
+
+	async listProjects(
+		_ctx: RequestContext,
+		orgId: string,
+		opts?: ListOptions
+	): Promise<Page<Project>> {
+		const { projects } = await this.loader.get();
+		return paginate(
+			applyOrder(
+				projects.filter((p) => p.orgId === orgId && isLive(p)),
+				opts
+			),
+			opts
+		);
+	}
+
+	async getProject(_ctx: RequestContext, id: string): Promise<Project | null> {
+		const { projects } = await this.loader.get();
+		const p = projects.find((p) => p.id === id);
+		return p && isLive(p) ? p : null;
+	}
+
+	async getProjectBySlug(
+		_ctx: RequestContext,
+		orgId: string,
+		slug: string
+	): Promise<Project | null> {
+		const { projects } = await this.loader.get();
+		const p = projects.find((p) => p.orgId === orgId && p.slug === slug);
+		return p && isLive(p) ? p : null;
+	}
+
+	async createProject(ctx: RequestContext, project: Project): Promise<void> {
+		const store = await this.loader.get();
+		if (!store.orgs.some((o) => o.id === project.orgId && isLive(o))) {
+			throw new ProviderError(`Org '${project.orgId}' not found`, 404);
+		}
+		if (store.projects.some((p) => p.id === project.id && isLive(p))) {
+			throw new ProviderError(`Project '${project.id}' already exists`, 409);
+		}
+		const nameKey = project.name.toLowerCase();
+		if (
+			store.projects.some(
+				(p) => p.orgId === project.orgId && isLive(p) && p.name.toLowerCase() === nameKey
+			)
+		) {
+			throw new ProviderError('projects_org_name_unique: project name already in use', 409);
+		}
+		if (
+			store.projects.some((p) => p.orgId === project.orgId && isLive(p) && p.slug === project.slug)
+		) {
+			throw new ProviderError('projects_org_id_slug_key: project slug already in use', 409);
+		}
+		store.projects.push({ ...project, deletedAt: null });
+		store.projectMembers.push({
+			projectId: project.id,
+			userId: project.ownerId,
+			role: 'owner',
+			joinedAt: project.createdAt,
+			updatedAt: project.createdAt,
+			updatedBy: project.ownerId,
+			deletedAt: null
+		});
+		await this.loader.write(store);
+		await this.events.emit({
+			type: 'project.created',
+			projectId: project.id,
+			orgId: project.orgId,
+			actorId: actorFrom(ctx)
+		});
+	}
+
+	async updateProject(
+		ctx: RequestContext,
+		id: string,
+		patch: Partial<
+			Pick<Project, 'name' | 'slug' | 'description' | 'visibility' | 'autoJoinOnUpload'>
+		>
+	): Promise<void> {
+		const store = await this.loader.get();
+		const idx = store.projects.findIndex((p) => p.id === id && isLive(p));
+		if (idx === -1) throw new ProviderError(`Project '${id}' not found`, 404);
+
+		const current = store.projects[idx];
+
+		if (patch.name && patch.name.toLowerCase() !== current.name.toLowerCase()) {
+			const nameKey = patch.name.toLowerCase();
+			if (
+				store.projects.some(
+					(p) =>
+						p.orgId === current.orgId &&
+						p.id !== id &&
+						isLive(p) &&
+						p.name.toLowerCase() === nameKey
+				)
+			) {
+				throw new ProviderError('projects_org_name_unique: project name already in use', 409);
+			}
+		}
+
+		if (patch.slug && patch.slug !== current.slug) {
+			if (
+				store.projects.some(
+					(p) => p.orgId === current.orgId && p.slug === patch.slug && p.id !== id && isLive(p)
+				)
+			) {
+				throw new ProviderError('projects_org_id_slug_key: project slug already in use', 409);
+			}
+		}
+
+		store.projects[idx] = {
+			...current,
+			...patch,
+			...auditUpdate(ctx, current.updatedBy ?? current.ownerId)
+		};
+		await this.loader.write(store);
+	}
+
+	async deleteProject(ctx: RequestContext, id: string): Promise<void> {
+		const store = await this.loader.get();
+		const idx = store.projects.findIndex((p) => p.id === id && isLive(p));
+		if (idx === -1) throw new ProviderError(`Project '${id}' not found`, 404);
+		const stamp = auditSoftDelete(
+			ctx,
+			store.projects[idx].updatedBy ?? store.projects[idx].ownerId
+		);
+		store.projects[idx] = { ...store.projects[idx], ...stamp };
+		store.projectMembers = store.projectMembers.map((m) =>
+			m.projectId === id && isLive(m) ? { ...m, ...stamp } : m
+		);
+		await this.loader.write(store);
+		// Hard-delete grants — they have no soft-delete column and a deleted
+		// project should never resolve grants again.
+		await this.grants.deleteByProject(ctx, id);
+		await this.events.emit({ type: 'project.deleted', projectId: id, actorId: actorFrom(ctx) });
+	}
+
+	async listProjectMembers(
+		_ctx: RequestContext,
+		projectId: string,
+		opts?: ListOptions
+	): Promise<Page<ProjectMember>> {
+		const { projectMembers } = await this.loader.get();
+		return paginate(
+			projectMembers.filter((m) => m.projectId === projectId && isLive(m)),
+			opts
+		);
+	}
+
+	async getProjectMember(
+		_ctx: RequestContext,
+		projectId: string,
+		userId: string
+	): Promise<ProjectMember | null> {
+		const { projectMembers } = await this.loader.get();
+		const m = projectMembers.find((m) => m.projectId === projectId && m.userId === userId);
+		return m && isLive(m) ? m : null;
+	}
+
+	async addProjectMember(ctx: RequestContext, member: ProjectMember): Promise<void> {
+		const store = await this.loader.get();
+		// Reactivate a prior soft-deleted row rather than piling rows up.
+		const existing = store.projectMembers.find(
+			(m) => m.projectId === member.projectId && m.userId === member.userId
+		);
+		if (existing) {
+			Object.assign(existing, member, {
+				...auditUpdate(ctx, member.userId),
+				deletedAt: null
+			});
+		} else {
+			const stamp = auditUpdate(ctx, member.userId);
+			store.projectMembers.push({
+				...member,
+				updatedAt: member.updatedAt ?? stamp.updatedAt,
+				updatedBy: member.updatedBy ?? stamp.updatedBy,
+				deletedAt: null
+			});
+		}
+		await this.loader.write(store);
+		await this.events.emit({
+			type: 'project_member.added',
+			projectId: member.projectId,
+			userId: member.userId,
+			actorId: actorFrom(ctx)
+		});
+	}
+
+	async updateProjectMemberRole(
+		ctx: RequestContext,
+		projectId: string,
+		userId: string,
+		role: ProjectRole
+	): Promise<void> {
+		const store = await this.loader.get();
+		const m = store.projectMembers.find(
+			(m) => m.projectId === projectId && m.userId === userId && isLive(m)
+		);
+		if (!m) throw new ProviderError(`Project member '${userId}' not found`, 404);
+		m.role = role;
+		Object.assign(m, auditUpdate(ctx, m.updatedBy));
+		await this.loader.write(store);
+		await this.events.emit({
+			type: 'project_member.role_changed',
+			projectId,
+			userId,
+			role,
+			actorId: actorFrom(ctx)
+		});
+	}
+
+	async removeProjectMember(ctx: RequestContext, projectId: string, userId: string): Promise<void> {
+		const store = await this.loader.get();
+		const m = store.projectMembers.find(
+			(m) => m.projectId === projectId && m.userId === userId && isLive(m)
+		);
+		if (!m) return;
+		Object.assign(m, auditSoftDelete(ctx, m.updatedBy));
+		await this.loader.write(store);
+		await this.events.emit({
+			type: 'project_member.removed',
+			projectId,
+			userId,
+			actorId: actorFrom(ctx)
+		});
+	}
+}