@tailor-platform/erp-kit 0.0.1 → 0.1.0

package/src/modules/user-management/command/reactivateUser.test.ts

@@ -0,0 +1,115 @@
+import { describe, expect, it } from "vitest";
+import { InsufficientPermissionError, type CommandContext } from "../../shared/internal";
+import { createMockDb } from "../../testing/index";
+import { DB } from "../generated/kysely-tailordb";
+import { InvalidStatusTransitionError, UserNotFoundError } from "../lib/errors";
+import { activeUser, baseAuditEvent, inactiveUser, pendingUser } from "../testing/fixtures";
+import { reactivateUser } from "./reactivateUser";
+
+describe("reactivateUser", () => {
+  const ctx: CommandContext = {
+    actorId: "test-actor",
+    permissions: ["user-management:reactivateUser"],
+  };
+
+  // Error cases
+  it("throws when user does not exist", async () => {
+    const { db, spies } = createMockDb<DB>();
+    spies.select.mockReturnValue(undefined);
+
+    await expect(
+      reactivateUser(db, { userId: "nonexistent-user", actorId: "actor-1" }, ctx),
+    ).rejects.toBeInstanceOf(UserNotFoundError);
+  });
+
+  it("throws when user is PENDING", async () => {
+    const { db, spies } = createMockDb<DB>();
+    spies.select.mockReturnValue(pendingUser);
+
+    await expect(
+      reactivateUser(db, { userId: pendingUser.id, actorId: "actor-1" }, ctx),
+    ).rejects.toBeInstanceOf(InvalidStatusTransitionError);
+  });
+
+  it("throws when user is already ACTIVE", async () => {
+    const { db, spies } = createMockDb<DB>();
+    spies.select.mockReturnValue(activeUser);
+
+    await expect(
+      reactivateUser(db, { userId: activeUser.id, actorId: "actor-1" }, ctx),
+    ).rejects.toBeInstanceOf(InvalidStatusTransitionError);
+  });
+
+  // Success cases
+  it("reactivates INACTIVE user to ACTIVE", async () => {
+    const { db, spies } = createMockDb<DB>();
+    const reactivatedUser = {
+      ...inactiveUser,
+      status: "ACTIVE" as const,
+      updatedAt: new Date("2024-01-15T00:00:00.000Z"),
+    };
+    const createdAuditEvent = {
+      ...baseAuditEvent,
+      eventType: "USER_REACTIVATED" as const,
+      actorId: "actor-1",
+      targetId: inactiveUser.id,
+    };
+
+    spies.select.mockReturnValue(inactiveUser);
+    spies.update.mockReturnValue(reactivatedUser);
+    spies.insert.mockReturnValue(createdAuditEvent);
+
+    const result = await reactivateUser(
+      db,
+      {
+        userId: inactiveUser.id,
+        actorId: "actor-1",
+      },
+      ctx,
+    );
+
+    expect(result.user.status).toBe("ACTIVE");
+    expect(result.user.updatedAt).not.toBeNull();
+    expect(spies.update).toHaveBeenCalled();
+  });
+
+  it("logs USER_REACTIVATED audit event", async () => {
+    const { db, spies } = createMockDb<DB>();
+    const reactivatedUser = {
+      ...inactiveUser,
+      status: "ACTIVE" as const,
+      updatedAt: new Date("2024-01-15T00:00:00.000Z"),
+    };
+    const createdAuditEvent = {
+      ...baseAuditEvent,
+      eventType: "USER_REACTIVATED" as const,
+      actorId: "actor-1",
+      targetId: inactiveUser.id,
+    };
+
+    spies.select.mockReturnValue(inactiveUser);
+    spies.update.mockReturnValue(reactivatedUser);
+    spies.insert.mockReturnValue(createdAuditEvent);
+
+    const result = await reactivateUser(
+      db,
+      {
+        userId: inactiveUser.id,
+        actorId: "actor-1",
+      },
+      ctx,
+    );
+
+    expect(result.auditEvent.eventType).toBe("USER_REACTIVATED");
+    expect(result.auditEvent.actorId).toBe("actor-1");
+    expect(result.auditEvent.targetId).toBe(inactiveUser.id);
+  });
+
+  it("throws when permission is missing", async () => {
+    const { db } = createMockDb<DB>();
+    const denied: CommandContext = { actorId: "test-actor", permissions: [] };
+    await expect(
+      reactivateUser(db, { userId: "some-user", actorId: "actor-1" }, denied),
+    ).rejects.toBeInstanceOf(InsufficientPermissionError);
+  });
+});

package/src/modules/user-management/command/reactivateUser.ts

@@ -0,0 +1,67 @@
+import { defineCommand } from "../../shared/internal";
+import { DB } from "../generated/kysely-tailordb";
+import { InvalidStatusTransitionError, UserNotFoundError } from "../lib/errors";
+import { permissions } from "../permissions";
+
+export interface ReactivateUserInput {
+  userId: string;
+  actorId: string;
+  from?: string[];
+}
+
+/**
+ * Function: reactivateUser
+ *
+ * Transitions a user from INACTIVE back to ACTIVE status.
+ * Restores access for previously deactivated users.
+ */
+export const reactivateUser = defineCommand(
+  permissions.reactivateUser,
+  async (db: DB, input: ReactivateUserInput) => {
+    // 1. Find user by ID
+    const user = await db
+      .selectFrom("User")
+      .selectAll()
+      .where("id", "=", input.userId)
+      .executeTakeFirst();
+
+    // 2. If not found, throw error
+    if (!user) {
+      throw new UserNotFoundError(input.userId);
+    }
+
+    // 3. Validate status transition
+    const validFromStatuses = input.from ?? ["INACTIVE"];
+    if (!validFromStatuses.includes(user.status)) {
+      throw new InvalidStatusTransitionError(user.status, "ACTIVE");
+    }
+
+    // 4. Update status to ACTIVE
+    const updatedUser = await db
+      .updateTable("User")
+      .set({
+        status: "ACTIVE",
+        updatedAt: new Date(),
+      })
+      .where("id", "=", input.userId)
+      .returningAll()
+      .executeTakeFirst();
+
+    // 5. Log USER_REACTIVATED audit event
+    const auditEvent = await db
+      .insertInto("AuditEvent")
+      .values({
+        eventType: "USER_REACTIVATED",
+        actorId: input.actorId,
+        targetId: input.userId,
+        targetType: "User",
+        payload: JSON.stringify({ previousStatus: user.status }),
+        createdAt: new Date(),
+        updatedAt: null,
+      })
+      .returningAll()
+      .executeTakeFirst();
+
+    return { user: updatedUser!, auditEvent: auditEvent! };
+  },
+);

package/src/modules/user-management/command/revokePermissionFromRole.test.ts

@@ -0,0 +1,112 @@
+import { describe, expect, it } from "vitest";
+import { InsufficientPermissionError, type CommandContext } from "../../shared/internal";
+import { createMockDb } from "../../testing/index";
+import { DB } from "../generated/kysely-tailordb";
+import { AssignmentNotFoundError, PermissionNotFoundError, RoleNotFoundError } from "../lib/errors";
+import { baseAuditEvent, basePermission, baseRole, baseRolePermission } from "../testing/fixtures";
+import { revokePermissionFromRole } from "./revokePermissionFromRole";
+
+describe("revokePermissionFromRole", () => {
+  const ctx: CommandContext = {
+    actorId: "test-actor",
+    permissions: ["user-management:revokePermissionFromRole"],
+  };
+
+  it("throws when role does not exist", async () => {
+    const { db, spies } = createMockDb<DB>();
+    spies.select.mockReturnValue(undefined);
+
+    await expect(
+      revokePermissionFromRole(
+        db,
+        {
+          roleId: "nonexistent-role",
+          permissionId: basePermission.id,
+          actorId: "actor-1",
+        },
+        ctx,
+      ),
+    ).rejects.toBeInstanceOf(RoleNotFoundError);
+  });
+
+  it("throws when permission does not exist", async () => {
+    const { db, spies } = createMockDb<DB>();
+    spies.select.mockReturnValueOnce(baseRole).mockReturnValueOnce(undefined);
+
+    await expect(
+      revokePermissionFromRole(
+        db,
+        {
+          roleId: baseRole.id,
+          permissionId: "nonexistent-permission",
+          actorId: "actor-1",
+        },
+        ctx,
+      ),
+    ).rejects.toBeInstanceOf(PermissionNotFoundError);
+  });
+
+  it("throws when assignment does not exist", async () => {
+    const { db, spies } = createMockDb<DB>();
+    spies.select
+      .mockReturnValueOnce(baseRole)
+      .mockReturnValueOnce(basePermission)
+      .mockReturnValueOnce(undefined);
+
+    await expect(
+      revokePermissionFromRole(
+        db,
+        {
+          roleId: baseRole.id,
+          permissionId: basePermission.id,
+          actorId: "actor-1",
+        },
+        ctx,
+      ),
+    ).rejects.toBeInstanceOf(AssignmentNotFoundError);
+  });
+
+  it("deletes RolePermission and logs PERMISSION_REVOKED event", async () => {
+    const { db, spies } = createMockDb<DB>();
+    const createdAuditEvent = {
+      ...baseAuditEvent,
+      eventType: "PERMISSION_REVOKED" as const,
+      actorId: "actor-1",
+      targetId: baseRole.id,
+      targetType: "Role",
+    };
+
+    spies.select
+      .mockReturnValueOnce(baseRole)
+      .mockReturnValueOnce(basePermission)
+      .mockReturnValueOnce(baseRolePermission);
+    spies.delete.mockReturnValue(baseRolePermission);
+    spies.insert.mockReturnValue(createdAuditEvent);
+
+    const result = await revokePermissionFromRole(
+      db,
+      {
+        roleId: baseRole.id,
+        permissionId: basePermission.id,
+        actorId: "actor-1",
+      },
+      ctx,
+    );
+
+    expect(result.auditEvent.eventType).toBe("PERMISSION_REVOKED");
+    expect(result.auditEvent.targetId).toBe(baseRole.id);
+    expect(spies.delete).toHaveBeenCalled();
+  });
+
+  it("throws when permission is missing", async () => {
+    const { db } = createMockDb<DB>();
+    const denied: CommandContext = { actorId: "test-actor", permissions: [] };
+    await expect(
+      revokePermissionFromRole(
+        db,
+        { roleId: "role-1", permissionId: "perm-1", actorId: "actor-1" },
+        denied,
+      ),
+    ).rejects.toBeInstanceOf(InsufficientPermissionError);
+  });
+});

package/src/modules/user-management/command/revokePermissionFromRole.ts

@@ -0,0 +1,81 @@
+import { defineCommand } from "../../shared/internal";
+import { DB } from "../generated/kysely-tailordb";
+import { AssignmentNotFoundError, PermissionNotFoundError, RoleNotFoundError } from "../lib/errors";
+import { permissions } from "../permissions";
+
+export interface RevokePermissionFromRoleInput {
+  roleId: string;
+  permissionId: string;
+  actorId: string;
+}
+
+/**
+ * Function: revokePermissionFromRole
+ *
+ * Removes a permission from a role.
+ * Throws an error if the assignment does not exist.
+ *
+ * Note: Permissions for affected users are recomputed asynchronously via executor.
+ */
+export const revokePermissionFromRole = defineCommand(
+  permissions.revokePermissionFromRole,
+  async (db: DB, input: RevokePermissionFromRoleInput) => {
+    const role = await db
+      .selectFrom("Role")
+      .selectAll()
+      .where("id", "=", input.roleId)
+      .executeTakeFirst();
+
+    if (!role) {
+      throw new RoleNotFoundError(input.roleId);
+    }
+
+    const permission = await db
+      .selectFrom("Permission")
+      .selectAll()
+      .where("id", "=", input.permissionId)
+      .executeTakeFirst();
+
+    if (!permission) {
+      throw new PermissionNotFoundError(input.permissionId);
+    }
+
+    const existingAssignment = await db
+      .selectFrom("RolePermission")
+      .selectAll()
+      .where("roleId", "=", input.roleId)
+      .where("permissionId", "=", input.permissionId)
+      .executeTakeFirst();
+
+    if (!existingAssignment) {
+      throw new AssignmentNotFoundError("Role", input.roleId, "Permission", input.permissionId);
+    }
+
+    // Permission recomputation for affected users is handled asynchronously by executor
+    await db
+      .deleteFrom("RolePermission")
+      .where("id", "=", existingAssignment.id)
+      .returningAll()
+      .executeTakeFirst();
+
+    const auditEvent = await db
+      .insertInto("AuditEvent")
+      .values({
+        eventType: "PERMISSION_REVOKED",
+        actorId: input.actorId,
+        targetId: input.roleId,
+        targetType: "Role",
+        payload: JSON.stringify({
+          roleId: input.roleId,
+          permissionId: input.permissionId,
+          permissionKey: permission.key,
+        }),
+        createdAt: new Date(),
+        updatedAt: null,
+      })
+      .returningAll()
+      .executeTakeFirst();
+
+    return { auditEvent: auditEvent! };
+  },
+);

package/src/modules/user-management/command/revokeRoleFromUser.test.ts

@@ -0,0 +1,112 @@
+import { describe, expect, it } from "vitest";
+import { InsufficientPermissionError, type CommandContext } from "../../shared/internal";
+import { createMockDb } from "../../testing/index";
+import { DB } from "../generated/kysely-tailordb";
+import { AssignmentNotFoundError, RoleNotFoundError, UserNotFoundError } from "../lib/errors";
+import { activeUser, baseAuditEvent, baseRole, baseUserRole } from "../testing/fixtures";
+import { revokeRoleFromUser } from "./revokeRoleFromUser";
+
+describe("revokeRoleFromUser", () => {
+  const ctx: CommandContext = {
+    actorId: "test-actor",
+    permissions: ["user-management:revokeRoleFromUser"],
+  };
+
+  it("throws when user does not exist", async () => {
+    const { db, spies } = createMockDb<DB>();
+    spies.select.mockReturnValue(undefined);
+
+    await expect(
+      revokeRoleFromUser(
+        db,
+        {
+          userId: "nonexistent-user",
+          roleId: baseRole.id,
+          actorId: "actor-1",
+        },
+        ctx,
+      ),
+    ).rejects.toBeInstanceOf(UserNotFoundError);
+  });
+
+  it("throws when role does not exist", async () => {
+    const { db, spies } = createMockDb<DB>();
+    spies.select.mockReturnValueOnce(activeUser).mockReturnValueOnce(undefined);
+
+    await expect(
+      revokeRoleFromUser(
+        db,
+        {
+          userId: activeUser.id,
+          roleId: "nonexistent-role",
+          actorId: "actor-1",
+        },
+        ctx,
+      ),
+    ).rejects.toBeInstanceOf(RoleNotFoundError);
+  });
+
+  it("throws when assignment does not exist", async () => {
+    const { db, spies } = createMockDb<DB>();
+    spies.select
+      .mockReturnValueOnce(activeUser)
+      .mockReturnValueOnce(baseRole)
+      .mockReturnValueOnce(undefined);
+
+    await expect(
+      revokeRoleFromUser(
+        db,
+        {
+          userId: activeUser.id,
+          roleId: baseRole.id,
+          actorId: "actor-1",
+        },
+        ctx,
+      ),
+    ).rejects.toBeInstanceOf(AssignmentNotFoundError);
+  });
+
+  it("deletes UserRole and logs ROLE_REVOKED event", async () => {
+    const { db, spies } = createMockDb<DB>();
+    const createdAuditEvent = {
+      ...baseAuditEvent,
+      eventType: "ROLE_REVOKED" as const,
+      actorId: "actor-1",
+      targetId: activeUser.id,
+      targetType: "User",
+    };
+    const updatedUser = { ...activeUser, permissions: [] };
+
+    spies.select
+      .mockReturnValueOnce(activeUser)
+      .mockReturnValueOnce(baseRole)
+      .mockReturnValueOnce(baseUserRole)
+      .mockReturnValueOnce([]); // Permission keys from recompute (empty after revoke)
+    spies.delete.mockReturnValue(baseUserRole);
+    spies.insert.mockReturnValue(createdAuditEvent);
+    spies.update.mockReturnValue(updatedUser);
+
+    const result = await revokeRoleFromUser(
+      db,
+      {
+        userId: activeUser.id,
+        roleId: baseRole.id,
+        actorId: "actor-1",
+      },
+      ctx,
+    );
+
+    expect(result.auditEvent.eventType).toBe("ROLE_REVOKED");
+    expect(result.auditEvent.targetId).toBe(activeUser.id);
+    expect(result.user.permissions).toEqual([]);
+    expect(spies.delete).toHaveBeenCalled();
+  });
+
+  it("throws when permission is missing", async () => {
+    const { db } = createMockDb<DB>();
+    const denied: CommandContext = { actorId: "test-actor", permissions: [] };
+    await expect(
+      revokeRoleFromUser(db, { userId: "user-1", roleId: "role-1", actorId: "actor-1" }, denied),
+    ).rejects.toBeInstanceOf(InsufficientPermissionError);
+  });
+});

package/src/modules/user-management/command/revokeRoleFromUser.ts

@@ -0,0 +1,81 @@
+import { defineCommand } from "../../shared/internal";
+import { DB } from "../generated/kysely-tailordb";
+import { AssignmentNotFoundError, RoleNotFoundError, UserNotFoundError } from "../lib/errors";
+import { recomputeUserPermissions } from "../lib/recomputeUserPermissions";
+import { permissions } from "../permissions";
+
+export interface RevokeRoleFromUserInput {
+  userId: string;
+  roleId: string;
+  actorId: string;
+}
+
+/**
+ * Function: revokeRoleFromUser
+ *
+ * Removes a role from a user.
+ * Throws an error if the assignment does not exist.
+ */
+export const revokeRoleFromUser = defineCommand(
+  permissions.revokeRoleFromUser,
+  async (db: DB, input: RevokeRoleFromUserInput) => {
+    const user = await db
+      .selectFrom("User")
+      .selectAll()
+      .where("id", "=", input.userId)
+      .executeTakeFirst();
+
+    if (!user) {
+      throw new UserNotFoundError(input.userId);
+    }
+
+    const role = await db
+      .selectFrom("Role")
+      .selectAll()
+      .where("id", "=", input.roleId)
+      .executeTakeFirst();
+
+    if (!role) {
+      throw new RoleNotFoundError(input.roleId);
+    }
+
+    const existingAssignment = await db
+      .selectFrom("UserRole")
+      .selectAll()
+      .where("userId", "=", input.userId)
+      .where("roleId", "=", input.roleId)
+      .executeTakeFirst();
+
+    if (!existingAssignment) {
+      throw new AssignmentNotFoundError("User", input.userId, "Role", input.roleId);
+    }
+
+    await db
+      .deleteFrom("UserRole")
+      .where("id", "=", existingAssignment.id)
+      .returningAll()
+      .executeTakeFirst();
+
+    const auditEvent = await db
+      .insertInto("AuditEvent")
+      .values({
+        eventType: "ROLE_REVOKED",
+        actorId: input.actorId,
+        targetId: input.userId,
+        targetType: "User",
+        payload: JSON.stringify({
+          userId: input.userId,
+          roleId: input.roleId,
+          roleName: role.name,
+        }),
+        createdAt: new Date(),
+        updatedAt: null,
+      })
+      .returningAll()
+      .executeTakeFirst();
+
+    const updatedUser = await recomputeUserPermissions(db, input.userId);
+
+    return { user: updatedUser, auditEvent: auditEvent! };
+  },
+);

package/src/modules/user-management/db/auditEvent.ts

@@ -0,0 +1,47 @@
+import {
+  db,
+  unsafeAllowAllGqlPermission,
+  unsafeAllowAllTypePermission,
+} from "@tailor-platform/sdk";
+
+export interface CreateAuditEventTypeParams {
+  fields?: Record<string, unknown>;
+  additionalEventTypes?: string[];
+}
+
+const BASE_EVENT_TYPES = [
+  "USER_CREATED",
+  "USER_ACTIVATED",
+  "USER_DEACTIVATED",
+  "USER_REACTIVATED",
+  "ROLE_ASSIGNED",
+  "ROLE_REVOKED",
+  "PERMISSION_ASSIGNED",
+  "PERMISSION_REVOKED",
+] as const;
+
+export function createAuditEventType(params: CreateAuditEventTypeParams) {
+  const eventTypes = [...BASE_EVENT_TYPES, ...(params.additionalEventTypes ?? [])] as [
+    string,
+    ...string[],
+  ];
+
+  return db
+    .type("AuditEvent", {
+      eventType: db.enum(eventTypes).description("Type of audit event"),
+      actorId: db.uuid().description("ID of the user who performed the action"),
+      targetId: db.uuid({ optional: true }).description("ID of the affected entity"),
+      targetType: db
+        .string({ optional: true })
+        .description("Type of the affected entity (User, Role, Permission)"),
+      payload: db
+        .string({ optional: true })
+        .description("JSON payload with additional event details"),
+      ...params.fields,
+      ...db.fields.timestamps(),
+    })
+    .permission(unsafeAllowAllTypePermission)
+    .gqlPermission(unsafeAllowAllGqlPermission);
+}
+
+export const auditEvent = createAuditEventType({});

package/src/modules/user-management/db/permission.ts

@@ -0,0 +1,31 @@
+import {
+  db,
+  type TailorAnyDBField,
+  unsafeAllowAllGqlPermission,
+  unsafeAllowAllTypePermission,
+} from "@tailor-platform/sdk";
+
+export interface CreatePermissionTypeParams<F extends Record<string, TailorAnyDBField>> {
+  fields?: F;
+}
+
+export function createPermissionType<const F extends Record<string, TailorAnyDBField>>(
+  params: CreatePermissionTypeParams<F>,
+) {
+  return db
+    .type("Permission", {
+      key: db
+        .string()
+        .unique()
+        .description("Permission key in resource:action format (e.g., orders:read)"),
+      description: db
+        .string({ optional: true })
+        .description("Optional description of what this permission grants"),
+      ...((params.fields ?? {}) as F),
+      ...db.fields.timestamps(),
+    })
+    .permission(unsafeAllowAllTypePermission)
+    .gqlPermission(unsafeAllowAllGqlPermission);
+}
+
+export const permission = createPermissionType({});

package/src/modules/user-management/db/role.ts

@@ -0,0 +1,28 @@
+import {
+  db,
+  type TailorAnyDBField,
+  unsafeAllowAllGqlPermission,
+  unsafeAllowAllTypePermission,
+} from "@tailor-platform/sdk";
+
+export interface CreateRoleTypeParams<F extends Record<string, TailorAnyDBField>> {
+  fields?: F;
+}
+
+export function createRoleType<const F extends Record<string, TailorAnyDBField>>(
+  params: CreateRoleTypeParams<F>,
+) {
+  return db
+    .type("Role", {
+      name: db.string().unique().description("Role name (unique identifier)"),
+      description: db
+        .string({ optional: true })
+        .description("Optional description of what this role represents"),
+      ...((params.fields ?? {}) as F),
+      ...db.fields.timestamps(),
+    })
+    .permission(unsafeAllowAllTypePermission)
+    .gqlPermission(unsafeAllowAllGqlPermission);
+}
+
+export const role = createRoleType({});