@tailor-platform/erp-kit 0.1.2 → 0.2.0

package/src/modules/user-management/command/assignRoleToUser.test.ts

@@ -1,8 +1,8 @@
 import { describe, expect, it } from "vitest";
-import { InsufficientPermissionError, type CommandContext } from "../../shared/internal";
+import { type CommandContext } from "../../shared/internal";
 import { createMockDb } from "../../testing/index";
 import { DB } from "../generated/kysely-tailordb";
-import { RoleNotFoundError, UserNotActiveError, UserNotFoundError } from "../lib/errors";
+import { RoleNotFoundError, UserNotActiveError, UserNotFoundError } from "../lib/errors.generated";
 import {
   activeUser,
   baseAuditEvent,
@@ -11,7 +11,7 @@ import {
   inactiveUser,
   pendingUser,
 } from "../testing/fixtures";
-import { assignRoleToUser } from "./assignRoleToUser";
+import { run } from "./assignRoleToUser";
 
 describe("assignRoleToUser", () => {
   const ctx: CommandContext = {
@@ -23,68 +23,76 @@ describe("assignRoleToUser", () => {
     const { db, spies } = createMockDb<DB>();
     spies.select.mockReturnValue(undefined);
 
-    await expect(
-      assignRoleToUser(
-        db,
-        {
-          userId: "nonexistent-user",
-          roleId: baseRole.id,
-          actorId: "actor-1",
-        },
-        ctx,
-      ),
-    ).rejects.toBeInstanceOf(UserNotFoundError);
+    const result = await run(
+      db,
+      {
+        userId: "nonexistent-user",
+        roleId: baseRole.id,
+        actorId: "actor-1",
+      },
+      ctx,
+    );
+    expect(result.ok).toBe(false);
+    if (!result.ok) {
+      expect(result.error).toBeInstanceOf(UserNotFoundError);
+    }
   });
 
   it("throws when role does not exist", async () => {
     const { db, spies } = createMockDb<DB>();
     spies.select.mockReturnValueOnce(activeUser).mockReturnValueOnce(undefined);
 
-    await expect(
-      assignRoleToUser(
-        db,
-        {
-          userId: activeUser.id,
-          roleId: "nonexistent-role",
-          actorId: "actor-1",
-        },
-        ctx,
-      ),
-    ).rejects.toBeInstanceOf(RoleNotFoundError);
+    const result = await run(
+      db,
+      {
+        userId: activeUser.id,
+        roleId: "nonexistent-role",
+        actorId: "actor-1",
+      },
+      ctx,
+    );
+    expect(result.ok).toBe(false);
+    if (!result.ok) {
+      expect(result.error).toBeInstanceOf(RoleNotFoundError);
+    }
   });
 
   it("throws when user is PENDING", async () => {
     const { db, spies } = createMockDb<DB>();
     spies.select.mockReturnValueOnce(pendingUser).mockReturnValueOnce(baseRole);
 
-    await expect(
-      assignRoleToUser(
-        db,
-        {
-          userId: pendingUser.id,
-          roleId: baseRole.id,
-          actorId: "actor-1",
-        },
-        ctx,
-      ),
-    ).rejects.toBeInstanceOf(UserNotActiveError);
+    const result = await run(
+      db,
+      {
+        userId: pendingUser.id,
+        roleId: baseRole.id,
+        actorId: "actor-1",
+      },
+      ctx,
+    );
+    expect(result.ok).toBe(false);
+    if (!result.ok) {
+      expect(result.error).toBeInstanceOf(UserNotActiveError);
+    }
   });
 
   it("throws when user is INACTIVE", async () => {
     const { db, spies } = createMockDb<DB>();
     spies.select.mockReturnValueOnce(inactiveUser).mockReturnValueOnce(baseRole);
 
-    await expect(
-      assignRoleToUser(
-        db,
-        {
-          userId: inactiveUser.id,
-          roleId: baseRole.id,
-          actorId: "actor-1",
-        },
-        ctx,
-      ),
-    ).rejects.toBeInstanceOf(UserNotActiveError);
+    const result = await run(
+      db,
+      {
+        userId: inactiveUser.id,
+        roleId: baseRole.id,
+        actorId: "actor-1",
+      },
+      ctx,
+    );
+    expect(result.ok).toBe(false);
+    if (!result.ok) {
+      expect(result.error).toBeInstanceOf(UserNotActiveError);
+    }
   });
 
   it("returns success when assignment already exists (idempotent)", async () => {
@@ -97,7 +105,7 @@ describe("assignRoleToUser", () => {
       .mockReturnValueOnce([{ key: "orders:read" }]); // Permission keys from recompute
     spies.update.mockReturnValueOnce(updatedUser);
 
-    const result = await assignRoleToUser(
+    const result = await run(
       db,
       {
         userId: activeUser.id,
@@ -107,8 +115,11 @@ describe("assignRoleToUser", () => {
       ctx,
     );
 
-    expect(result.userRole).toEqual(baseUserRole);
-    expect(result.user.permissions).toEqual(["orders:read"]);
+    expect(result.ok).toBe(true);
+    if (result.ok) {
+      expect(result.value.userRole).toEqual(baseUserRole);
+      expect(result.value.user.permissions).toEqual(["orders:read"]);
+    }
     expect(spies.insert).not.toHaveBeenCalled();
   });
 
@@ -135,7 +146,7 @@ describe("assignRoleToUser", () => {
     spies.insert.mockReturnValueOnce(newUserRole).mockReturnValueOnce(createdAuditEvent);
     spies.update.mockReturnValueOnce(updatedUser);
 
-    const result = await assignRoleToUser(
+    const result = await run(
       db,
       {
         userId: activeUser.id,
@@ -145,18 +156,14 @@ describe("assignRoleToUser", () => {
       ctx,
     );
 
-    expect(result.userRole.userId).toBe(activeUser.id);
-    expect(result.userRole.roleId).toBe(baseRole.id);
-    expect(result.auditEvent?.eventType).toBe("ROLE_ASSIGNED");
-    expect(result.user.permissions).toEqual(["orders:read"]);
+    expect(result.ok).toBe(true);
+    if (result.ok) {
+      expect(result.value.userRole.userId).toBe(activeUser.id);
+      expect(result.value.userRole.roleId).toBe(baseRole.id);
+      // eslint-disable-next-line @typescript-eslint/no-explicit-any, @typescript-eslint/no-unsafe-member-access
+      expect((result.value as any).auditEvent?.eventType).toBe("ROLE_ASSIGNED");
+      expect(result.value.user.permissions).toEqual(["orders:read"]);
+    }
     expect(spies.insert).toHaveBeenCalled();
   });
-
-  it("throws when permission is missing", async () => {
-    const { db } = createMockDb<DB>();
-    const denied: CommandContext = { actorId: "test-actor", permissions: [] };
-    await expect(
-      assignRoleToUser(db, { userId: "user-1", roleId: "role-1", actorId: "actor-1" }, denied),
-    ).rejects.toBeInstanceOf(InsufficientPermissionError);
-  });
 });

package/src/modules/user-management/command/assignRoleToUser.ts

@@ -1,8 +1,7 @@
-import { defineCommand } from "../../shared/internal";
+import { ok, err, type CommandContext } from "../../shared/internal";
 import { DB } from "../generated/kysely-tailordb";
-import { RoleNotFoundError, UserNotActiveError, UserNotFoundError } from "../lib/errors";
+import { RoleNotFoundError, UserNotActiveError, UserNotFoundError } from "../lib/errors.generated";
 import { recomputeUserPermissions } from "../lib/recomputeUserPermissions";
-import { permissions } from "../permissions";
 
 export interface AssignRoleToUserInput {
   userId: string;
@@ -17,77 +16,75 @@ export interface AssignRoleToUserInput {
  * Operation is idempotent - assigning the same role twice does not create
  * duplicate records or error.
  */
-export const assignRoleToUser = defineCommand(
-  permissions.assignRoleToUser,
-  async (db: DB, input: AssignRoleToUserInput) => {
-    const user = await db
-      .selectFrom("User")
-      .selectAll()
-      .where("id", "=", input.userId)
-      .executeTakeFirst();
+// eslint-disable-next-line @typescript-eslint/no-unused-vars
+export async function run(db: DB, input: AssignRoleToUserInput, _ctx: CommandContext) {
+  const user = await db
+    .selectFrom("User")
+    .selectAll()
+    .where("id", "=", input.userId)
+    .executeTakeFirst();
 
-    if (!user) {
-      throw new UserNotFoundError(input.userId);
-    }
+  if (!user) {
+    return err(new UserNotFoundError(input.userId));
+  }
 
-    const role = await db
-      .selectFrom("Role")
-      .selectAll()
-      .where("id", "=", input.roleId)
-      .executeTakeFirst();
+  const role = await db
+    .selectFrom("Role")
+    .selectAll()
+    .where("id", "=", input.roleId)
+    .executeTakeFirst();
 
-    if (!role) {
-      throw new RoleNotFoundError(input.roleId);
-    }
+  if (!role) {
+    return err(new RoleNotFoundError(input.roleId));
+  }
 
-    if (user.status !== "ACTIVE") {
-      throw new UserNotActiveError(input.userId, user.status);
-    }
+  if (user.status !== "ACTIVE") {
+    return err(new UserNotActiveError(`${input.userId} (status: ${user.status})`));
+  }
 
-    // Idempotent: return existing assignment, recompute permissions for consistency
-    const existingAssignment = await db
-      .selectFrom("UserRole")
-      .selectAll()
-      .where("userId", "=", input.userId)
-      .where("roleId", "=", input.roleId)
-      .executeTakeFirst();
+  // Idempotent: return existing assignment, recompute permissions for consistency
+  const existingAssignment = await db
+    .selectFrom("UserRole")
+    .selectAll()
+    .where("userId", "=", input.userId)
+    .where("roleId", "=", input.roleId)
+    .executeTakeFirst();
 
-    if (existingAssignment) {
-      const updatedUser = await recomputeUserPermissions(db, input.userId);
-      return { userRole: existingAssignment, user: updatedUser };
-    }
+  if (existingAssignment) {
+    const updatedUser = await recomputeUserPermissions(db, input.userId);
+    return ok({ userRole: existingAssignment, user: updatedUser });
+  }
+
+  const userRole = await db
+    .insertInto("UserRole")
+    .values({
+      userId: input.userId,
+      roleId: input.roleId,
+      createdAt: new Date(),
+      updatedAt: null,
+    })
+    .returningAll()
+    .executeTakeFirst();
 
-    const userRole = await db
-      .insertInto("UserRole")
-      .values({
+  const auditEvent = await db
+    .insertInto("AuditEvent")
+    .values({
+      eventType: "ROLE_ASSIGNED",
+      actorId: input.actorId,
+      targetId: input.userId,
+      targetType: "User",
+      payload: JSON.stringify({
         userId: input.userId,
         roleId: input.roleId,
-        createdAt: new Date(),
-        updatedAt: null,
-      })
-      .returningAll()
-      .executeTakeFirst();
+        roleName: role.name,
+      }),
+      createdAt: new Date(),
+      updatedAt: null,
+    })
+    .returningAll()
+    .executeTakeFirst();
 
-    const auditEvent = await db
-      .insertInto("AuditEvent")
-      .values({
-        eventType: "ROLE_ASSIGNED",
-        actorId: input.actorId,
-        targetId: input.userId,
-        targetType: "User",
-        payload: JSON.stringify({
-          userId: input.userId,
-          roleId: input.roleId,
-          roleName: role.name,
-        }),
-        createdAt: new Date(),
-        updatedAt: null,
-      })
-      .returningAll()
-      .executeTakeFirst();
+  const updatedUser = await recomputeUserPermissions(db, input.userId);
 
-    const updatedUser = await recomputeUserPermissions(db, input.userId);
-
-    return { userRole: userRole!, user: updatedUser, auditEvent: auditEvent! };
-  },
-);
+  return ok({ userRole: userRole!, user: updatedUser, auditEvent: auditEvent! });
+}

package/src/modules/user-management/command/createPermission.generated.ts

@@ -0,0 +1,6 @@
+// @generated — do not edit
+import { defineCommand } from "../../shared/internal";
+import { permissions } from "../lib/permissions.generated";
+import { run } from "./createPermission";
+
+export const createPermission = defineCommand(permissions.createPermission, run);

package/src/modules/user-management/command/createPermission.test.ts

@@ -1,16 +1,14 @@
 import { describe, expect, it } from "vitest";
-import { InsufficientPermissionError, type CommandContext } from "../../shared/internal";
+import { type CommandContext } from "../../shared/internal";
 import { createMockDb } from "../../testing/index";
 import { DB } from "../generated/kysely-tailordb";
 import {
   DuplicatePermissionKeyError,
   InvalidPermissionKeyFormatError,
   MissingRequiredFieldError,
-} from "../lib/errors";
+} from "../lib/errors.generated";
 import { basePermission } from "../testing/fixtures";
-import { makeCreatePermission } from "./createPermission";
-
-const createPermission = makeCreatePermission();
+import { run } from "./createPermission";
 
 describe("createPermission", () => {
   const ctx: CommandContext = {
@@ -22,50 +20,62 @@ describe("createPermission", () => {
   it("throws when key is empty", async () => {
     const { db } = createMockDb<DB>();
 
-    await expect(createPermission(db, { key: "" }, ctx)).rejects.toBeInstanceOf(
-      MissingRequiredFieldError,
-    );
+    const result = await run(db, { key: "" }, ctx);
+    expect(result.ok).toBe(false);
+    if (!result.ok) {
+      expect(result.error).toBeInstanceOf(MissingRequiredFieldError);
+    }
   });
 
   it("throws when key format is invalid (no colon)", async () => {
     const { db } = createMockDb<DB>();
 
-    await expect(createPermission(db, { key: "invalidkey" }, ctx)).rejects.toBeInstanceOf(
-      InvalidPermissionKeyFormatError,
-    );
+    const result = await run(db, { key: "invalidkey" }, ctx);
+    expect(result.ok).toBe(false);
+    if (!result.ok) {
+      expect(result.error).toBeInstanceOf(InvalidPermissionKeyFormatError);
+    }
   });
 
   it("throws when key format is invalid (multiple colons)", async () => {
     const { db } = createMockDb<DB>();
 
-    await expect(
-      createPermission(db, { key: "resource:action:extra" }, ctx),
-    ).rejects.toBeInstanceOf(InvalidPermissionKeyFormatError);
+    const result = await run(db, { key: "resource:action:extra" }, ctx);
+    expect(result.ok).toBe(false);
+    if (!result.ok) {
+      expect(result.error).toBeInstanceOf(InvalidPermissionKeyFormatError);
+    }
   });
 
   it("throws when key format is invalid (empty resource)", async () => {
     const { db } = createMockDb<DB>();
 
-    await expect(createPermission(db, { key: ":action" }, ctx)).rejects.toBeInstanceOf(
-      InvalidPermissionKeyFormatError,
-    );
+    const result = await run(db, { key: ":action" }, ctx);
+    expect(result.ok).toBe(false);
+    if (!result.ok) {
+      expect(result.error).toBeInstanceOf(InvalidPermissionKeyFormatError);
+    }
   });
 
   it("throws when key format is invalid (empty action)", async () => {
     const { db } = createMockDb<DB>();
 
-    await expect(createPermission(db, { key: "resource:" }, ctx)).rejects.toBeInstanceOf(
-      InvalidPermissionKeyFormatError,
-    );
+    const result = await run(db, { key: "resource:" }, ctx);
+    expect(result.ok).toBe(false);
+    if (!result.ok) {
+      expect(result.error).toBeInstanceOf(InvalidPermissionKeyFormatError);
+    }
   });
 
   it("throws when permission key already exists", async () => {
     const { db, spies } = createMockDb<DB>();
     spies.select.mockReturnValue(basePermission);
 
-    await expect(createPermission(db, { key: basePermission.key }, ctx)).rejects.toBeInstanceOf(
-      DuplicatePermissionKeyError,
-    );
+    const result = await run(db, { key: basePermission.key }, ctx);
+    expect(result.ok).toBe(false);
+    if (!result.ok) {
+      expect(result.error).toBeInstanceOf(DuplicatePermissionKeyError);
+    }
   });
 
   // Success cases
@@ -81,9 +91,12 @@ describe("createPermission", () => {
     spies.select.mockReturnValue(undefined); // No existing permission
     spies.insert.mockReturnValue(createdPermission);
 
-    const result = await createPermission(db, { key: "users:read" }, ctx);
+    const result = await run(db, { key: "users:read" }, ctx);
 
-    expect(result.permission.key).toBe("users:read");
+    expect(result.ok).toBe(true);
+    if (result.ok) {
+      expect(result.value.permission.key).toBe("users:read");
+    }
     expect(spies.insert).toHaveBeenCalled();
   });
 
@@ -99,7 +112,7 @@ describe("createPermission", () => {
     spies.select.mockReturnValue(undefined);
     spies.insert.mockReturnValue(createdPermission);
 
-    const result = await createPermission(
+    const result = await run(
       db,
       {
         key: "users:write",
@@ -108,20 +121,14 @@ describe("createPermission", () => {
       ctx,
     );
 
-    expect(result.permission.key).toBe("users:write");
-    expect(result.permission.description).toBe("Permission to write users");
-  });
-
-  it("throws when permission is missing", async () => {
-    const { db } = createMockDb<DB>();
-    const denied: CommandContext = { actorId: "test-actor", permissions: [] };
-    await expect(createPermission(db, { key: "users:read" }, denied)).rejects.toBeInstanceOf(
-      InsufficientPermissionError,
-    );
+    expect(result.ok).toBe(true);
+    if (result.ok) {
+      expect(result.value.permission.key).toBe("users:write");
+      expect(result.value.permission.description).toBe("Permission to write users");
+    }
   });
 
   it("passes custom fields through to insert", async () => {
-    const createPermissionWithFields = makeCreatePermission<{ module: string }>();
     const { db, spies } = createMockDb<DB>();
     const createdPermission = {
       ...basePermission,
@@ -133,7 +140,7 @@ describe("createPermission", () => {
     spies.select.mockReturnValue(undefined);
     spies.insert.mockReturnValue(createdPermission);
 
-    await createPermissionWithFields(db, { key: "users:read", module: "user-management" }, ctx);
+    await run(db, { key: "users:read", module: "user-management" }, ctx);
 
     expect(spies.values).toHaveBeenNthCalledWith(
       1,

package/src/modules/user-management/command/createPermission.ts

@@ -1,11 +1,10 @@
-import { defineCommand } from "../../shared/internal";
+import { ok, err, type CommandContext } from "../../shared/internal";
 import { DB } from "../generated/kysely-tailordb";
 import {
   DuplicatePermissionKeyError,
   InvalidPermissionKeyFormatError,
   MissingRequiredFieldError,
-} from "../lib/errors";
-import { permissions } from "../permissions";
+} from "../lib/errors.generated";
 
 interface CreatePermissionInput {
   key: string;
@@ -20,47 +19,44 @@ const PERMISSION_KEY_PATTERN = /^[a-zA-Z0-9_-]+:[a-zA-Z0-9_-]+$/;
  * Creates a new permission with the specified key in resource:action format.
  * Validates that the key follows the correct format and is unique.
  */
-export function makeCreatePermission<CF extends Record<string, unknown>>() {
-  return defineCommand(
-    permissions.createPermission,
-    async (db: DB, input: CreatePermissionInput & CF) => {
-      const { key, description, ...customFields } = input;
-
-      // 1. Validate key is provided
-      if (!key || key.trim() === "") {
-        throw new MissingRequiredFieldError("key");
-      }
-
-      // 2. Validate key format (resource:action)
-      if (!PERMISSION_KEY_PATTERN.test(key)) {
-        throw new InvalidPermissionKeyFormatError(key);
-      }
-
-      // 3. Check if permission key already exists
-      const existingPermission = await db
-        .selectFrom("Permission")
-        .selectAll()
-        .where("key", "=", key)
-        .executeTakeFirst();
-
-      if (existingPermission) {
-        throw new DuplicatePermissionKeyError(key);
-      }
-
-      // 4. Create permission
-      const permission = await db
-        .insertInto("Permission")
-        .values({
-          ...(customFields as Record<string, unknown>),
-          key,
-          description: description ?? null,
-          createdAt: new Date(),
-          updatedAt: null,
-        })
-        .returningAll()
-        .executeTakeFirst();
-
-      return { permission: permission! };
-    },
-  );
+export async function run<CF extends Record<string, unknown>>(
+  db: DB,
+  input: CreatePermissionInput & CF,
+  // eslint-disable-next-line @typescript-eslint/no-unused-vars
+  _ctx: CommandContext,
+) {
+  const { key, description, ...customFields } = input;
+
+  if (!key || key.trim() === "") {
+    return err(new MissingRequiredFieldError("key"));
+  }
+
+  if (!PERMISSION_KEY_PATTERN.test(key)) {
+    return err(new InvalidPermissionKeyFormatError(key));
+  }
+
+  const existingPermission = await db
+    .selectFrom("Permission")
+    .selectAll()
+    .where("key", "=", key)
+    .executeTakeFirst();
+
+  if (existingPermission) {
+    return err(new DuplicatePermissionKeyError(key));
+  }
+
+  // 4. Create permission
+  const permission = await db
+    .insertInto("Permission")
+    .values({
+      ...(customFields as Record<string, unknown>),
+      key,
+      description: description ?? null,
+      createdAt: new Date(),
+      updatedAt: null,
+    })
+    .returningAll()
+    .executeTakeFirst();
+
+  return ok({ permission: permission! });
 }

package/src/modules/user-management/command/createRole.generated.ts

@@ -0,0 +1,6 @@
+// @generated — do not edit
+import { defineCommand } from "../../shared/internal";
+import { permissions } from "../lib/permissions.generated";
+import { run } from "./createRole";
+
+export const createRole = defineCommand(permissions.createRole, run);