npm - @tailor-platform/erp-kit - Versions diffs - 0.0.1 → 0.1.0 - Mend

@tailor-platform/erp-kit 0.0.1 → 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (213) hide show

package/README.md +196 -28
package/dist/cli.js +894 -0
package/package.json +65 -8
package/rules/app-compose/backend/auth.md +78 -0
package/rules/app-compose/frontend/auth.md +55 -0
package/rules/app-compose/frontend/component.md +55 -0
package/rules/app-compose/frontend/page.md +86 -0
package/rules/app-compose/frontend/screen-detailview.md +112 -0
package/rules/app-compose/frontend/screen-form.md +145 -0
package/rules/app-compose/frontend/screen-listview.md +159 -0
package/rules/app-compose/structure.md +32 -0
package/rules/module-development/commands.md +54 -0
package/rules/module-development/cross-module-type-injection.md +28 -0
package/rules/module-development/dependency-modules.md +24 -0
package/rules/module-development/errors.md +12 -0
package/rules/module-development/executors.md +67 -0
package/rules/module-development/exports.md +13 -0
package/rules/module-development/models.md +34 -0
package/rules/module-development/structure.md +27 -0
package/rules/module-development/sync-vs-async-operations.md +83 -0
package/rules/module-development/testing.md +43 -0
package/rules/sdk-best-practices/db-relations.md +74 -0
package/rules/sdk-best-practices/sdk-docs.md +14 -0
package/schemas/app-compose/actors.yml +34 -0
package/schemas/app-compose/business-flow.yml +50 -0
package/schemas/app-compose/requirements.yml +33 -0
package/schemas/app-compose/resolver.yml +47 -0
package/schemas/app-compose/screen.yml +81 -0
package/schemas/app-compose/story.yml +67 -0
package/schemas/module/command.yml +52 -0
package/schemas/module/feature.yml +58 -0
package/schemas/module/model.yml +70 -0
package/schemas/module/module.yml +50 -0
package/skills/1-module-docs/SKILL.md +107 -0
package/skills/2-module-feature-breakdown/SKILL.md +66 -0
package/skills/3-module-doc-review/SKILL.md +230 -0
package/skills/4-module-tdd-implementation/SKILL.md +56 -0
package/skills/5-module-implementation-review/SKILL.md +400 -0
package/skills/app-compose-1-requirement-analysis/SKILL.md +85 -0
package/skills/app-compose-2-requirements-breakdown/SKILL.md +88 -0
package/skills/app-compose-3-doc-review/SKILL.md +112 -0
package/skills/app-compose-4-design-mock/SKILL.md +248 -0
package/skills/app-compose-5-design-mock-review/SKILL.md +283 -0
package/skills/app-compose-6-implementation-spec/SKILL.md +122 -0
package/skills/mock-scenario/SKILL.md +118 -0
package/src/app.ts +1 -0
package/src/cli.ts +120 -0
package/src/commands/check.test.ts +30 -0
package/src/commands/check.ts +66 -0
package/src/commands/init.test.ts +77 -0
package/src/commands/init.ts +87 -0
package/src/commands/mock/index.ts +53 -0
package/src/commands/mock/start.ts +179 -0
package/src/commands/mock/validate.test.ts +185 -0
package/src/commands/mock/validate.ts +198 -0
package/src/commands/scaffold.test.ts +76 -0
package/src/commands/scaffold.ts +119 -0
package/src/commands/sync-check.test.ts +125 -0
package/src/commands/sync-check.ts +182 -0
package/src/integration.test.ts +63 -0
package/src/mdschema.ts +48 -0
package/src/mockServer.ts +55 -0
package/src/module.ts +86 -0
package/src/modules/accounting/.gitkeep +0 -0
package/src/modules/coa-management/.gitkeep +0 -0
package/src/modules/inventory/.gitkeep +0 -0
package/src/modules/manufacturing/.gitkeep +0 -0
package/src/modules/primitives/README.md +39 -0
package/src/modules/primitives/command/activateCategory.test.ts +75 -0
package/src/modules/primitives/command/activateCategory.ts +50 -0
package/src/modules/primitives/command/activateCurrency.test.ts +70 -0
package/src/modules/primitives/command/activateCurrency.ts +50 -0
package/src/modules/primitives/command/activateUnit.test.ts +53 -0
package/src/modules/primitives/command/activateUnit.ts +50 -0
package/src/modules/primitives/command/convertAmount.test.ts +275 -0
package/src/modules/primitives/command/convertAmount.ts +126 -0
package/src/modules/primitives/command/convertQuantity.test.ts +219 -0
package/src/modules/primitives/command/convertQuantity.ts +73 -0
package/src/modules/primitives/command/createCategory.test.ts +126 -0
package/src/modules/primitives/command/createCategory.ts +89 -0
package/src/modules/primitives/command/createCurrency.test.ts +191 -0
package/src/modules/primitives/command/createCurrency.ts +77 -0
package/src/modules/primitives/command/createExchangeRate.test.ts +216 -0
package/src/modules/primitives/command/createExchangeRate.ts +91 -0
package/src/modules/primitives/command/createUnit.test.ts +214 -0
package/src/modules/primitives/command/createUnit.ts +88 -0
package/src/modules/primitives/command/deactivateCategory.test.ts +97 -0
package/src/modules/primitives/command/deactivateCategory.ts +62 -0
package/src/modules/primitives/command/deactivateCurrency.test.ts +85 -0
package/src/modules/primitives/command/deactivateCurrency.ts +55 -0
package/src/modules/primitives/command/deactivateUnit.test.ts +78 -0
package/src/modules/primitives/command/deactivateUnit.ts +62 -0
package/src/modules/primitives/command/setBaseCurrency.test.ts +98 -0
package/src/modules/primitives/command/setBaseCurrency.ts +74 -0
package/src/modules/primitives/command/setReferenceUnit.test.ts +108 -0
package/src/modules/primitives/command/setReferenceUnit.ts +84 -0
package/src/modules/primitives/db/currency.ts +30 -0
package/src/modules/primitives/db/exchangeRate.ts +28 -0
package/src/modules/primitives/db/unit.ts +32 -0
package/src/modules/primitives/db/uomCategory.ts +32 -0
package/src/modules/primitives/docs/commands/ActivateCategory.md +34 -0
package/src/modules/primitives/docs/commands/ActivateCurrency.md +33 -0
package/src/modules/primitives/docs/commands/ActivateUnit.md +34 -0
package/src/modules/primitives/docs/commands/ConvertAmount.md +50 -0
package/src/modules/primitives/docs/commands/ConvertQuantity.md +43 -0
package/src/modules/primitives/docs/commands/CreateCategory.md +44 -0
package/src/modules/primitives/docs/commands/CreateCurrency.md +47 -0
package/src/modules/primitives/docs/commands/CreateExchangeRate.md +48 -0
package/src/modules/primitives/docs/commands/CreateUnit.md +48 -0
package/src/modules/primitives/docs/commands/DeactivateCategory.md +38 -0
package/src/modules/primitives/docs/commands/DeactivateCurrency.md +38 -0
package/src/modules/primitives/docs/commands/DeactivateUnit.md +38 -0
package/src/modules/primitives/docs/commands/SetBaseCurrency.md +39 -0
package/src/modules/primitives/docs/commands/SetReferenceUnit.md +43 -0
package/src/modules/primitives/docs/features/currency-definitions.md +55 -0
package/src/modules/primitives/docs/features/exchange-rates.md +61 -0
package/src/modules/primitives/docs/features/unit-conversion.md +66 -0
package/src/modules/primitives/docs/features/uom-categories.md +52 -0
package/src/modules/primitives/docs/models/Currency.md +45 -0
package/src/modules/primitives/docs/models/ExchangeRate.md +33 -0
package/src/modules/primitives/docs/models/Unit.md +46 -0
package/src/modules/primitives/docs/models/UoMCategory.md +44 -0
package/src/modules/primitives/generated/kysely-tailordb.ts +95 -0
package/src/modules/primitives/index.ts +40 -0
package/src/modules/primitives/lib/errors.ts +138 -0
package/src/modules/primitives/lib/types.ts +20 -0
package/src/modules/primitives/module.ts +66 -0
package/src/modules/primitives/permissions.ts +18 -0
package/src/modules/primitives/tailor.config.ts +11 -0
package/src/modules/primitives/testing/fixtures.ts +161 -0
package/src/modules/product-management/.gitkeep +0 -0
package/src/modules/purchase/.gitkeep +0 -0
package/src/modules/sales/.gitkeep +0 -0
package/src/modules/shared/createContext.test.ts +39 -0
package/src/modules/shared/createContext.ts +15 -0
package/src/modules/shared/defineCommand.test.ts +42 -0
package/src/modules/shared/defineCommand.ts +19 -0
package/src/modules/shared/definePermissions.test.ts +146 -0
package/src/modules/shared/definePermissions.ts +94 -0
package/src/modules/shared/entityTypes.ts +15 -0
package/src/modules/shared/errors.ts +22 -0
package/src/modules/shared/index.ts +1 -0
package/src/modules/shared/internal.ts +13 -0
package/src/modules/shared/requirePermission.test.ts +47 -0
package/src/modules/shared/requirePermission.ts +8 -0
package/src/modules/shared/types.ts +4 -0
package/src/modules/supplier-management/.gitkeep +0 -0
package/src/modules/supplier-portal/.gitkeep +0 -0
package/src/modules/testing/index.ts +120 -0
package/src/modules/user-management/README.md +38 -0
package/src/modules/user-management/command/activateUser.test.ts +112 -0
package/src/modules/user-management/command/activateUser.ts +67 -0
package/src/modules/user-management/command/assignPermissionToRole.test.ts +119 -0
package/src/modules/user-management/command/assignPermissionToRole.ts +87 -0
package/src/modules/user-management/command/assignRoleToUser.test.ts +162 -0
package/src/modules/user-management/command/assignRoleToUser.ts +93 -0
package/src/modules/user-management/command/createPermission.test.ts +143 -0
package/src/modules/user-management/command/createPermission.ts +66 -0
package/src/modules/user-management/command/createRole.test.ts +115 -0
package/src/modules/user-management/command/createRole.ts +52 -0
package/src/modules/user-management/command/createUser.test.ts +198 -0
package/src/modules/user-management/command/createUser.ts +85 -0
package/src/modules/user-management/command/deactivateUser.test.ts +112 -0
package/src/modules/user-management/command/deactivateUser.ts +67 -0
package/src/modules/user-management/command/logAuditEvent.test.ts +179 -0
package/src/modules/user-management/command/logAuditEvent.ts +59 -0
package/src/modules/user-management/command/reactivateUser.test.ts +115 -0
package/src/modules/user-management/command/reactivateUser.ts +67 -0
package/src/modules/user-management/command/revokePermissionFromRole.test.ts +112 -0
package/src/modules/user-management/command/revokePermissionFromRole.ts +81 -0
package/src/modules/user-management/command/revokeRoleFromUser.test.ts +112 -0
package/src/modules/user-management/command/revokeRoleFromUser.ts +81 -0
package/src/modules/user-management/db/auditEvent.ts +47 -0
package/src/modules/user-management/db/permission.ts +31 -0
package/src/modules/user-management/db/role.ts +28 -0
package/src/modules/user-management/db/rolePermission.ts +44 -0
package/src/modules/user-management/db/user.ts +38 -0
package/src/modules/user-management/db/userRole.ts +44 -0
package/src/modules/user-management/docs/commands/ActivateUser.md +36 -0
package/src/modules/user-management/docs/commands/AssignPermissionToRole.md +39 -0
package/src/modules/user-management/docs/commands/AssignRoleToUser.md +43 -0
package/src/modules/user-management/docs/commands/CreatePermission.md +35 -0
package/src/modules/user-management/docs/commands/CreateRole.md +35 -0
package/src/modules/user-management/docs/commands/CreateUser.md +41 -0
package/src/modules/user-management/docs/commands/DeactivateUser.md +38 -0
package/src/modules/user-management/docs/commands/LogAuditEvent.md +37 -0
package/src/modules/user-management/docs/commands/ReactivateUser.md +37 -0
package/src/modules/user-management/docs/commands/RevokePermissionFromRole.md +40 -0
package/src/modules/user-management/docs/commands/RevokeRoleFromUser.md +40 -0
package/src/modules/user-management/docs/features/audit-trail.md +80 -0
package/src/modules/user-management/docs/features/role-based-access-control.md +76 -0
package/src/modules/user-management/docs/features/user-account-management.md +64 -0
package/src/modules/user-management/docs/models/AuditEvent.md +34 -0
package/src/modules/user-management/docs/models/Permission.md +31 -0
package/src/modules/user-management/docs/models/Role.md +31 -0
package/src/modules/user-management/docs/models/RolePermission.md +33 -0
package/src/modules/user-management/docs/models/User.md +47 -0
package/src/modules/user-management/docs/models/UserRole.md +34 -0
package/src/modules/user-management/docs/plans/2026-01-30-flattened-permissions-design.md +52 -0
package/src/modules/user-management/executor/recomputeOnRolePermissionChange.ts +61 -0
package/src/modules/user-management/generated/enums.ts +24 -0
package/src/modules/user-management/generated/kysely-tailordb.ts +112 -0
package/src/modules/user-management/index.ts +32 -0
package/src/modules/user-management/lib/errors.ts +81 -0
package/src/modules/user-management/lib/recomputeUserPermissions.ts +53 -0
package/src/modules/user-management/lib/types.ts +31 -0
package/src/modules/user-management/module.ts +77 -0
package/src/modules/user-management/permissions.ts +15 -0
package/src/modules/user-management/tailor.config.ts +11 -0
package/src/modules/user-management/testing/fixtures.ts +98 -0
package/src/schemas.ts +25 -0
package/src/testing.ts +10 -0
package/src/util.ts +3 -0

package/src/modules/user-management/command/assignRoleToUser.test.ts ADDED Viewed

@@ -0,0 +1,162 @@
+import { describe, expect, it } from "vitest";
+import { InsufficientPermissionError, type CommandContext } from "../../shared/internal";
+import { createMockDb } from "../../testing/index";
+import { DB } from "../generated/kysely-tailordb";
+import { RoleNotFoundError, UserNotActiveError, UserNotFoundError } from "../lib/errors";
+import {
+  activeUser,
+  baseAuditEvent,
+  baseRole,
+  baseUserRole,
+  inactiveUser,
+  pendingUser,
+} from "../testing/fixtures";
+import { assignRoleToUser } from "./assignRoleToUser";
+describe("assignRoleToUser", () => {
+  const ctx: CommandContext = {
+    actorId: "test-actor",
+    permissions: ["user-management:assignRoleToUser"],
+  };
+  it("throws when user does not exist", async () => {
+    const { db, spies } = createMockDb<DB>();
+    spies.select.mockReturnValue(undefined);
+    await expect(
+      assignRoleToUser(
+        db,
+        {
+          userId: "nonexistent-user",
+          roleId: baseRole.id,
+          actorId: "actor-1",
+        },
+        ctx,
+      ),
+    ).rejects.toBeInstanceOf(UserNotFoundError);
+  });
+  it("throws when role does not exist", async () => {
+    const { db, spies } = createMockDb<DB>();
+    spies.select.mockReturnValueOnce(activeUser).mockReturnValueOnce(undefined);
+    await expect(
+      assignRoleToUser(
+        db,
+        {
+          userId: activeUser.id,
+          roleId: "nonexistent-role",
+          actorId: "actor-1",
+        },
+        ctx,
+      ),
+    ).rejects.toBeInstanceOf(RoleNotFoundError);
+  });
+  it("throws when user is PENDING", async () => {
+    const { db, spies } = createMockDb<DB>();
+    spies.select.mockReturnValueOnce(pendingUser).mockReturnValueOnce(baseRole);
+    await expect(
+      assignRoleToUser(
+        db,
+        {
+          userId: pendingUser.id,
+          roleId: baseRole.id,
+          actorId: "actor-1",
+        },
+        ctx,
+      ),
+    ).rejects.toBeInstanceOf(UserNotActiveError);
+  });
+  it("throws when user is INACTIVE", async () => {
+    const { db, spies } = createMockDb<DB>();
+    spies.select.mockReturnValueOnce(inactiveUser).mockReturnValueOnce(baseRole);
+    await expect(
+      assignRoleToUser(
+        db,
+        {
+          userId: inactiveUser.id,
+          roleId: baseRole.id,
+          actorId: "actor-1",
+        },
+        ctx,
+      ),
+    ).rejects.toBeInstanceOf(UserNotActiveError);
+  });
+  it("returns success when assignment already exists (idempotent)", async () => {
+    const { db, spies } = createMockDb<DB>();
+    const updatedUser = { ...activeUser, permissions: ["orders:read"] };
+    spies.select
+      .mockReturnValueOnce(activeUser)
+      .mockReturnValueOnce(baseRole)
+      .mockReturnValueOnce(baseUserRole) // Assignment exists
+      .mockReturnValueOnce([{ key: "orders:read" }]); // Permission keys from recompute
+    spies.update.mockReturnValueOnce(updatedUser);
+    const result = await assignRoleToUser(
+      db,
+      {
+        userId: activeUser.id,
+        roleId: baseRole.id,
+        actorId: "actor-1",
+      },
+      ctx,
+    );
+    expect(result.userRole).toEqual(baseUserRole);
+    expect(result.user.permissions).toEqual(["orders:read"]);
+    expect(spies.insert).not.toHaveBeenCalled();
+  });
+  it("creates UserRole and logs ROLE_ASSIGNED event", async () => {
+    const { db, spies } = createMockDb<DB>();
+    const newUserRole = {
+      ...baseUserRole,
+      id: "new-user-role-id",
+    };
+    const createdAuditEvent = {
+      ...baseAuditEvent,
+      eventType: "ROLE_ASSIGNED" as const,
+      actorId: "actor-1",
+      targetId: activeUser.id,
+      targetType: "User",
+    };
+    const updatedUser = { ...activeUser, permissions: ["orders:read"] };
+    spies.select
+      .mockReturnValueOnce(activeUser)
+      .mockReturnValueOnce(baseRole)
+      .mockReturnValueOnce(undefined) // No existing assignment
+      .mockReturnValueOnce([{ key: "orders:read" }]); // Permission keys from recompute
+    spies.insert.mockReturnValueOnce(newUserRole).mockReturnValueOnce(createdAuditEvent);
+    spies.update.mockReturnValueOnce(updatedUser);
+    const result = await assignRoleToUser(
+      db,
+      {
+        userId: activeUser.id,
+        roleId: baseRole.id,
+        actorId: "actor-1",
+      },
+      ctx,
+    );
+    expect(result.userRole.userId).toBe(activeUser.id);
+    expect(result.userRole.roleId).toBe(baseRole.id);
+    expect(result.auditEvent?.eventType).toBe("ROLE_ASSIGNED");
+    expect(result.user.permissions).toEqual(["orders:read"]);
+    expect(spies.insert).toHaveBeenCalled();
+  });
+  it("throws when permission is missing", async () => {
+    const { db } = createMockDb<DB>();
+    const denied: CommandContext = { actorId: "test-actor", permissions: [] };
+    await expect(
+      assignRoleToUser(db, { userId: "user-1", roleId: "role-1", actorId: "actor-1" }, denied),
+    ).rejects.toBeInstanceOf(InsufficientPermissionError);
+  });
+});

package/src/modules/user-management/command/assignRoleToUser.ts ADDED Viewed

@@ -0,0 +1,93 @@
+import { defineCommand } from "../../shared/internal";
+import { DB } from "../generated/kysely-tailordb";
+import { RoleNotFoundError, UserNotActiveError, UserNotFoundError } from "../lib/errors";
+import { recomputeUserPermissions } from "../lib/recomputeUserPermissions";
+import { permissions } from "../permissions";
+export interface AssignRoleToUserInput {
+  userId: string;
+  roleId: string;
+  actorId: string;
+}
+/**
+ * Function: assignRoleToUser
+ *
+ * Assigns a role to a user. Only ACTIVE users can receive role assignments.
+ * Operation is idempotent - assigning the same role twice does not create
+ * duplicate records or error.
+ */
+export const assignRoleToUser = defineCommand(
+  permissions.assignRoleToUser,
+  async (db: DB, input: AssignRoleToUserInput) => {
+    const user = await db
+      .selectFrom("User")
+      .selectAll()
+      .where("id", "=", input.userId)
+      .executeTakeFirst();
+    if (!user) {
+      throw new UserNotFoundError(input.userId);
+    }
+    const role = await db
+      .selectFrom("Role")
+      .selectAll()
+      .where("id", "=", input.roleId)
+      .executeTakeFirst();
+    if (!role) {
+      throw new RoleNotFoundError(input.roleId);
+    }
+    if (user.status !== "ACTIVE") {
+      throw new UserNotActiveError(input.userId, user.status);
+    }
+    // Idempotent: return existing assignment, recompute permissions for consistency
+    const existingAssignment = await db
+      .selectFrom("UserRole")
+      .selectAll()
+      .where("userId", "=", input.userId)
+      .where("roleId", "=", input.roleId)
+      .executeTakeFirst();
+    if (existingAssignment) {
+      const updatedUser = await recomputeUserPermissions(db, input.userId);
+      return { userRole: existingAssignment, user: updatedUser };
+    }
+    const userRole = await db
+      .insertInto("UserRole")
+      .values({
+        userId: input.userId,
+        roleId: input.roleId,
+        createdAt: new Date(),
+        updatedAt: null,
+      })
+      .returningAll()
+      .executeTakeFirst();
+    const auditEvent = await db
+      .insertInto("AuditEvent")
+      .values({
+        eventType: "ROLE_ASSIGNED",
+        actorId: input.actorId,
+        targetId: input.userId,
+        targetType: "User",
+        payload: JSON.stringify({
+          userId: input.userId,
+          roleId: input.roleId,
+          roleName: role.name,
+        }),
+        createdAt: new Date(),
+        updatedAt: null,
+      })
+      .returningAll()
+      .executeTakeFirst();
+    const updatedUser = await recomputeUserPermissions(db, input.userId);
+    return { userRole: userRole!, user: updatedUser, auditEvent: auditEvent! };
+  },
+);

package/src/modules/user-management/command/createPermission.test.ts ADDED Viewed

@@ -0,0 +1,143 @@
+import { describe, expect, it } from "vitest";
+import { InsufficientPermissionError, type CommandContext } from "../../shared/internal";
+import { createMockDb } from "../../testing/index";
+import { DB } from "../generated/kysely-tailordb";
+import {
+  DuplicatePermissionKeyError,
+  InvalidPermissionKeyFormatError,
+  MissingRequiredFieldError,
+} from "../lib/errors";
+import { basePermission } from "../testing/fixtures";
+import { makeCreatePermission } from "./createPermission";
+const createPermission = makeCreatePermission();
+describe("createPermission", () => {
+  const ctx: CommandContext = {
+    actorId: "test-actor",
+    permissions: ["user-management:createPermission"],
+  };
+  // Error cases
+  it("throws when key is empty", async () => {
+    const { db } = createMockDb<DB>();
+    await expect(createPermission(db, { key: "" }, ctx)).rejects.toBeInstanceOf(
+      MissingRequiredFieldError,
+    );
+  });
+  it("throws when key format is invalid (no colon)", async () => {
+    const { db } = createMockDb<DB>();
+    await expect(createPermission(db, { key: "invalidkey" }, ctx)).rejects.toBeInstanceOf(
+      InvalidPermissionKeyFormatError,
+    );
+  });
+  it("throws when key format is invalid (multiple colons)", async () => {
+    const { db } = createMockDb<DB>();
+    await expect(
+      createPermission(db, { key: "resource:action:extra" }, ctx),
+    ).rejects.toBeInstanceOf(InvalidPermissionKeyFormatError);
+  });
+  it("throws when key format is invalid (empty resource)", async () => {
+    const { db } = createMockDb<DB>();
+    await expect(createPermission(db, { key: ":action" }, ctx)).rejects.toBeInstanceOf(
+      InvalidPermissionKeyFormatError,
+    );
+  });
+  it("throws when key format is invalid (empty action)", async () => {
+    const { db } = createMockDb<DB>();
+    await expect(createPermission(db, { key: "resource:" }, ctx)).rejects.toBeInstanceOf(
+      InvalidPermissionKeyFormatError,
+    );
+  });
+  it("throws when permission key already exists", async () => {
+    const { db, spies } = createMockDb<DB>();
+    spies.select.mockReturnValue(basePermission);
+    await expect(createPermission(db, { key: basePermission.key }, ctx)).rejects.toBeInstanceOf(
+      DuplicatePermissionKeyError,
+    );
+  });
+  // Success cases
+  it("creates permission with valid key", async () => {
+    const { db, spies } = createMockDb<DB>();
+    const createdPermission = {
+      ...basePermission,
+      id: "new-permission-id",
+      key: "users:read",
+      description: null,
+    };
+    spies.select.mockReturnValue(undefined); // No existing permission
+    spies.insert.mockReturnValue(createdPermission);
+    const result = await createPermission(db, { key: "users:read" }, ctx);
+    expect(result.permission.key).toBe("users:read");
+    expect(spies.insert).toHaveBeenCalled();
+  });
+  it("creates permission with description", async () => {
+    const { db, spies } = createMockDb<DB>();
+    const createdPermission = {
+      ...basePermission,
+      id: "new-permission-id",
+      key: "users:write",
+      description: "Permission to write users",
+    };
+    spies.select.mockReturnValue(undefined);
+    spies.insert.mockReturnValue(createdPermission);
+    const result = await createPermission(
+      db,
+      {
+        key: "users:write",
+        description: "Permission to write users",
+      },
+      ctx,
+    );
+    expect(result.permission.key).toBe("users:write");
+    expect(result.permission.description).toBe("Permission to write users");
+  });
+  it("throws when permission is missing", async () => {
+    const { db } = createMockDb<DB>();
+    const denied: CommandContext = { actorId: "test-actor", permissions: [] };
+    await expect(createPermission(db, { key: "users:read" }, denied)).rejects.toBeInstanceOf(
+      InsufficientPermissionError,
+    );
+  });
+  it("passes custom fields through to insert", async () => {
+    const createPermissionWithFields = makeCreatePermission<{ module: string }>();
+    const { db, spies } = createMockDb<DB>();
+    const createdPermission = {
+      ...basePermission,
+      id: "new-permission-id",
+      key: "users:read",
+      module: "user-management",
+    };
+    spies.select.mockReturnValue(undefined);
+    spies.insert.mockReturnValue(createdPermission);
+    await createPermissionWithFields(db, { key: "users:read", module: "user-management" }, ctx);
+    expect(spies.values).toHaveBeenNthCalledWith(
+      1,
+      expect.objectContaining({ module: "user-management" }),
+    );
+  });
+});

package/src/modules/user-management/command/createPermission.ts ADDED Viewed

@@ -0,0 +1,66 @@
+import { defineCommand } from "../../shared/internal";
+import { DB } from "../generated/kysely-tailordb";
+import {
+  DuplicatePermissionKeyError,
+  InvalidPermissionKeyFormatError,
+  MissingRequiredFieldError,
+} from "../lib/errors";
+import { permissions } from "../permissions";
+interface CreatePermissionInput {
+  key: string;
+  description?: string;
+}
+const PERMISSION_KEY_PATTERN = /^[a-zA-Z0-9_-]+:[a-zA-Z0-9_-]+$/;
+/**
+ * Function: createPermission
+ *
+ * Creates a new permission with the specified key in resource:action format.
+ * Validates that the key follows the correct format and is unique.
+ */
+export function makeCreatePermission<CF extends Record<string, unknown>>() {
+  return defineCommand(
+    permissions.createPermission,
+    async (db: DB, input: CreatePermissionInput & CF) => {
+      const { key, description, ...customFields } = input;
+      // 1. Validate key is provided
+      if (!key || key.trim() === "") {
+        throw new MissingRequiredFieldError("key");
+      }
+      // 2. Validate key format (resource:action)
+      if (!PERMISSION_KEY_PATTERN.test(key)) {
+        throw new InvalidPermissionKeyFormatError(key);
+      }
+      // 3. Check if permission key already exists
+      const existingPermission = await db
+        .selectFrom("Permission")
+        .selectAll()
+        .where("key", "=", key)
+        .executeTakeFirst();
+      if (existingPermission) {
+        throw new DuplicatePermissionKeyError(key);
+      }
+      // 4. Create permission
+      const permission = await db
+        .insertInto("Permission")
+        .values({
+          ...(customFields as Record<string, unknown>),
+          key,
+          description: description ?? null,
+          createdAt: new Date(),
+          updatedAt: null,
+        })
+        .returningAll()
+        .executeTakeFirst();
+      return { permission: permission! };
+    },
+  );
+}

package/src/modules/user-management/command/createRole.test.ts ADDED Viewed

@@ -0,0 +1,115 @@
+import { describe, expect, it } from "vitest";
+import { InsufficientPermissionError, type CommandContext } from "../../shared/internal";
+import { createMockDb } from "../../testing/index";
+import { DB } from "../generated/kysely-tailordb";
+import { DuplicateRoleNameError, MissingRequiredFieldError } from "../lib/errors";
+import { baseRole } from "../testing/fixtures";
+import { makeCreateRole } from "./createRole";
+const createRole = makeCreateRole();
+describe("createRole", () => {
+  const ctx: CommandContext = {
+    actorId: "test-actor",
+    permissions: ["user-management:createRole"],
+  };
+  // Error cases
+  it("throws when name is empty", async () => {
+    const { db } = createMockDb<DB>();
+    await expect(createRole(db, { name: "" }, ctx)).rejects.toBeInstanceOf(
+      MissingRequiredFieldError,
+    );
+  });
+  it("throws when name is whitespace only", async () => {
+    const { db } = createMockDb<DB>();
+    await expect(createRole(db, { name: "   " }, ctx)).rejects.toBeInstanceOf(
+      MissingRequiredFieldError,
+    );
+  });
+  it("throws when role name already exists", async () => {
+    const { db, spies } = createMockDb<DB>();
+    spies.select.mockReturnValue(baseRole);
+    await expect(createRole(db, { name: baseRole.name }, ctx)).rejects.toBeInstanceOf(
+      DuplicateRoleNameError,
+    );
+  });
+  // Success cases
+  it("creates role with valid name", async () => {
+    const { db, spies } = createMockDb<DB>();
+    const createdRole = {
+      ...baseRole,
+      id: "new-role-id",
+      name: "Viewer",
+      description: null,
+    };
+    spies.select.mockReturnValue(undefined); // No existing role
+    spies.insert.mockReturnValue(createdRole);
+    const result = await createRole(db, { name: "Viewer" }, ctx);
+    expect(result.role.name).toBe("Viewer");
+    expect(spies.insert).toHaveBeenCalled();
+  });
+  it("creates role with description", async () => {
+    const { db, spies } = createMockDb<DB>();
+    const createdRole = {
+      ...baseRole,
+      id: "new-role-id",
+      name: "Editor",
+      description: "Can edit content",
+    };
+    spies.select.mockReturnValue(undefined);
+    spies.insert.mockReturnValue(createdRole);
+    const result = await createRole(
+      db,
+      {
+        name: "Editor",
+        description: "Can edit content",
+      },
+      ctx,
+    );
+    expect(result.role.name).toBe("Editor");
+    expect(result.role.description).toBe("Can edit content");
+  });
+  it("throws when permission is missing", async () => {
+    const { db } = createMockDb<DB>();
+    const denied: CommandContext = { actorId: "test-actor", permissions: [] };
+    await expect(createRole(db, { name: "Test" }, denied)).rejects.toBeInstanceOf(
+      InsufficientPermissionError,
+    );
+  });
+  it("passes custom fields through to insert", async () => {
+    const createRoleWithFields = makeCreateRole<{ department: string }>();
+    const { db, spies } = createMockDb<DB>();
+    const createdRole = {
+      ...baseRole,
+      id: "new-role-id",
+      name: "Viewer",
+      department: "Engineering",
+    };
+    spies.select.mockReturnValue(undefined);
+    spies.insert.mockReturnValue(createdRole);
+    await createRoleWithFields(db, { name: "Viewer", department: "Engineering" }, ctx);
+    expect(spies.values).toHaveBeenNthCalledWith(
+      1,
+      expect.objectContaining({ department: "Engineering" }),
+    );
+  });
+});

package/src/modules/user-management/command/createRole.ts ADDED Viewed

@@ -0,0 +1,52 @@
+import { defineCommand } from "../../shared/internal";
+import { DB } from "../generated/kysely-tailordb";
+import { DuplicateRoleNameError, MissingRequiredFieldError } from "../lib/errors";
+import { permissions } from "../permissions";
+interface CreateRoleInput {
+  name: string;
+  description?: string;
+}
+/**
+ * Function: createRole
+ *
+ * Creates a new role with the specified name.
+ * Validates that the name is unique within the system.
+ */
+export function makeCreateRole<CF extends Record<string, unknown>>() {
+  return defineCommand(permissions.createRole, async (db: DB, input: CreateRoleInput & CF) => {
+    const { name, description, ...customFields } = input;
+    // 1. Validate name is provided
+    if (!name || name.trim() === "") {
+      throw new MissingRequiredFieldError("name");
+    }
+    // 2. Check if role name already exists
+    const existingRole = await db
+      .selectFrom("Role")
+      .selectAll()
+      .where("name", "=", name)
+      .executeTakeFirst();
+    if (existingRole) {
+      throw new DuplicateRoleNameError(name);
+    }
+    // 3. Create role
+    const role = await db
+      .insertInto("Role")
+      .values({
+        ...(customFields as Record<string, unknown>),
+        name,
+        description: description ?? null,
+        createdAt: new Date(),
+        updatedAt: null,
+      })
+      .returningAll()
+      .executeTakeFirst();
+    return { role: role! };
+  });
+}