@urateam/cli 0.1.2 → 0.1.5

package/dist/__tests__/admin-commands.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=admin-commands.test.d.ts.map

package/dist/__tests__/admin-commands.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"admin-commands.test.d.ts","sourceRoot":"","sources":["../../src/__tests__/admin-commands.test.ts"],"names":[],"mappings":""}

package/dist/__tests__/admin-commands.test.js

@@ -0,0 +1,66 @@
+import { describe, it, expect, beforeEach, afterEach } from "vitest";
+import { createDb } from "@urateam/core";
+import { dashboardUsers } from "@urateam/core/dist/db/schema.js";
+import { runAdminList, runAdminGrant, runAdminRevoke, } from "../commands/admin.js";
+import { installTestProLicense, restoreLicense, } from "./helpers/license.js";
+let db;
+let logs;
+const log = (s) => {
+    logs.push(s);
+};
+beforeEach(async () => {
+    logs = [];
+    await installTestProLicense("enterprise");
+    db = await createDb({ connectionString: ":memory:" });
+    await db.insert(dashboardUsers).values([
+        {
+            id: "u_admin",
+            email: "admin@b.com",
+            name: "Admin",
+            workosUserId: null,
+            role: "admin",
+        },
+        {
+            id: "u_op",
+            email: "op@b.com",
+            name: "Op",
+            workosUserId: null,
+            role: "operator",
+        },
+    ]);
+});
+afterEach(async () => {
+    await restoreLicense();
+});
+describe("ura admin commands", () => {
+    it("list prints all users", async () => {
+        await runAdminList({ db, log });
+        expect(logs.some((l) => l.includes("admin@b.com"))).toBe(true);
+        expect(logs.some((l) => l.includes("op@b.com"))).toBe(true);
+    });
+    it("grant promotes by email", async () => {
+        await runAdminGrant({ db, email: "op@b.com", newRole: "admin", log });
+        const rows = await db.select().from(dashboardUsers);
+        expect(rows.find((u) => u.id === "u_op").role).toBe("admin");
+    });
+    it("grant with unknown email errors clearly", async () => {
+        await expect(runAdminGrant({
+            db,
+            email: "ghost@nowhere.com",
+            newRole: "admin",
+            log,
+        })).rejects.toThrow(/user not found/i);
+    });
+    it("revoke sets role to viewer", async () => {
+        // First promote op to admin so a revoke → viewer is a real change
+        await runAdminGrant({ db, email: "op@b.com", newRole: "admin", log });
+        await runAdminRevoke({ db, email: "op@b.com", log });
+        const rows = await db.select().from(dashboardUsers);
+        expect(rows.find((u) => u.id === "u_op").role).toBe("viewer");
+    });
+    it("refuses when feature is unlicensed", async () => {
+        await restoreLicense();
+        await expect(runAdminList({ db, log })).rejects.toThrow(/enterprise/i);
+    });
+});
+//# sourceMappingURL=admin-commands.test.js.map

package/dist/__tests__/admin-commands.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"admin-commands.test.js","sourceRoot":"","sources":["../../src/__tests__/admin-commands.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,QAAQ,CAAC;AACrE,OAAO,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAC;AACzC,OAAO,EAAE,cAAc,EAAE,MAAM,iCAAiC,CAAC;AACjE,OAAO,EACL,YAAY,EACZ,aAAa,EACb,cAAc,GACf,MAAM,sBAAsB,CAAC;AAC9B,OAAO,EACL,qBAAqB,EACrB,cAAc,GACf,MAAM,sBAAsB,CAAC;AAE9B,IAAI,EAAO,CAAC;AACZ,IAAI,IAAc,CAAC;AACnB,MAAM,GAAG,GAAG,CAAC,CAAS,EAAE,EAAE;IACxB,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AACf,CAAC,CAAC;AAEF,UAAU,CAAC,KAAK,IAAI,EAAE;IACpB,IAAI,GAAG,EAAE,CAAC;IACV,MAAM,qBAAqB,CAAC,YAAY,CAAC,CAAC;IAC1C,EAAE,GAAG,MAAM,QAAQ,CAAC,EAAE,gBAAgB,EAAE,UAAU,EAAE,CAAC,CAAC;IACtD,MAAM,EAAE,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC,MAAM,CAAC;QACrC;YACE,EAAE,EAAE,SAAS;YACb,KAAK,EAAE,aAAa;YACpB,IAAI,EAAE,OAAO;YACb,YAAY,EAAE,IAAI;YAClB,IAAI,EAAE,OAAO;SACd;QACD;YACE,EAAE,EAAE,MAAM;YACV,KAAK,EAAE,UAAU;YACjB,IAAI,EAAE,IAAI;YACV,YAAY,EAAE,IAAI;YAClB,IAAI,EAAE,UAAU;SACjB;KACF,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,SAAS,CAAC,KAAK,IAAI,EAAE;IACnB,MAAM,cAAc,EAAE,CAAC;AACzB,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,oBAAoB,EAAE,GAAG,EAAE;IAClC,EAAE,CAAC,uBAAuB,EAAE,KAAK,IAAI,EAAE;QACrC,MAAM,YAAY,CAAC,EAAE,EAAE,EAAE,GAAG,EAAE,CAAC,CAAC;QAChC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAC/D,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC9D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,yBAAyB,EAAE,KAAK,IAAI,EAAE;QACvC,MAAM,aAAa,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,UAAU,EAAE,OAAO,EAAE,OAAO,EAAE,GAAG,EAAE,CAAC,CAAC;QACtE,MAAM,IAAI,GAAG,MAAM,EAAE,CAAC,MAAM,EAAE,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;QACpD,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAM,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IACpE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,yCAAyC,EAAE,KAAK,IAAI,EAAE;QACvD,MAAM,MAAM,CACV,aAAa,CAAC;YACZ,EAAE;YACF,KAAK,EAAE,mBAAmB;YAC1B,OAAO,EAAE,OAAO;YAChB,GAAG;SACJ,CAAC,CACH,CAAC,OAAO,CAAC,OAAO,CAAC,iBAAiB,CAAC,CAAC;IACvC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,4BAA4B,EAAE,KAAK,IAAI,EAAE;QAC1C,kEAAkE;QAClE,MAAM,aAAa,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,UAAU,EAAE,OAAO,EAAE,OAAO,EAAE,GAAG,EAAE,CAAC,CAAC;QACtE,MAAM,cAAc,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,UAAU,EAAE,GAAG,EAAE,CAAC,CAAC;QACrD,MAAM,IAAI,GAAG,MAAM,EAAE,CAAC,MAAM,EAAE,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;QACpD,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAM,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,KAAK,MAAM,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IACrE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,oCAAoC,EAAE,KAAK,IAAI,EAAE;QAClD,MAAM,cAAc,EAAE,CAAC;QACvB,MAAM,MAAM,CAAC,YAAY,CAAC,EAAE,EAAE,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,aAAa,CAAC,CAAC;IACzE,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/__tests__/helpers/license.d.ts

@@ -0,0 +1,3 @@
+export declare function installTestProLicense(tier?: "pro" | "enterprise"): Promise<void>;
+export declare function restoreLicense(): Promise<void>;
+//# sourceMappingURL=license.d.ts.map

package/dist/__tests__/helpers/license.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"license.d.ts","sourceRoot":"","sources":["../../../src/__tests__/helpers/license.ts"],"names":[],"mappings":"AAuBA,wBAAsB,qBAAqB,CACzC,IAAI,GAAE,KAAK,GAAG,YAA2B,GACxC,OAAO,CAAC,IAAI,CAAC,CA8Bf;AAED,wBAAsB,cAAc,IAAI,OAAO,CAAC,IAAI,CAAC,CAiBpD"}

package/dist/__tests__/helpers/license.js

@@ -0,0 +1,66 @@
+import { generateKeyPairSync, sign } from "node:crypto";
+import { _resetLicenseCache } from "@urateam/core/dist/license.js";
+function b64url(buf) {
+    return buf
+        .toString("base64")
+        .replace(/\+/g, "-")
+        .replace(/\//g, "_")
+        .replace(/=+$/, "");
+}
+function makeJwt(privateKey, payload) {
+    const header = { alg: "EdDSA", typ: "JWT" };
+    const headerB64 = b64url(Buffer.from(JSON.stringify(header)));
+    const payloadB64 = b64url(Buffer.from(JSON.stringify(payload)));
+    const signingInput = `${headerB64}.${payloadB64}`;
+    const sig = sign(null, Buffer.from(signingInput), privateKey);
+    return `${signingInput}.${b64url(sig)}`;
+}
+let savedPublicKey;
+let savedEnv;
+export async function installTestProLicense(tier = "enterprise") {
+    const { publicKey, privateKey } = generateKeyPairSync("ed25519");
+    const publicKeyB64 = Buffer.from(publicKey.export({ format: "der", type: "spki" })).toString("base64");
+    const mod = await import("@urateam/core/dist/license-public-key.js");
+    if (savedPublicKey === undefined) {
+        savedPublicKey = mod
+            .LICENSE_PUBLIC_KEY_DER_B64;
+    }
+    Object.defineProperty(mod, "LICENSE_PUBLIC_KEY_DER_B64", {
+        value: publicKeyB64,
+        writable: true,
+        configurable: true,
+    });
+    const now = Math.floor(Date.now() / 1000);
+    const jwt = makeJwt(privateKey, {
+        iss: "urateams.com",
+        sub: "cust_test",
+        tier,
+        seats: 25,
+        iat: now,
+        exp: now + 86_400,
+    });
+    if (savedEnv === undefined)
+        savedEnv = process.env.URATEAM_LICENSE_KEY;
+    process.env.URATEAM_LICENSE_KEY = jwt;
+    _resetLicenseCache();
+}
+export async function restoreLicense() {
+    if (savedPublicKey !== undefined) {
+        const mod = await import("@urateam/core/dist/license-public-key.js");
+        Object.defineProperty(mod, "LICENSE_PUBLIC_KEY_DER_B64", {
+            value: savedPublicKey,
+            writable: true,
+            configurable: true,
+        });
+        savedPublicKey = undefined;
+    }
+    if (savedEnv === undefined) {
+        delete process.env.URATEAM_LICENSE_KEY;
+    }
+    else {
+        process.env.URATEAM_LICENSE_KEY = savedEnv;
+        savedEnv = undefined;
+    }
+    _resetLicenseCache();
+}
+//# sourceMappingURL=license.js.map

package/dist/__tests__/helpers/license.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"license.js","sourceRoot":"","sources":["../../../src/__tests__/helpers/license.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,mBAAmB,EAAkB,IAAI,EAAE,MAAM,aAAa,CAAC;AACxE,OAAO,EAAE,kBAAkB,EAAE,MAAM,+BAA+B,CAAC;AAEnE,SAAS,MAAM,CAAC,GAAW;IACzB,OAAO,GAAG;SACP,QAAQ,CAAC,QAAQ,CAAC;SAClB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;SACnB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;SACnB,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;AACxB,CAAC;AAED,SAAS,OAAO,CAAC,UAAqB,EAAE,OAAe;IACrD,MAAM,MAAM,GAAG,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC;IAC5C,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;IAC9D,MAAM,UAAU,GAAG,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;IAChE,MAAM,YAAY,GAAG,GAAG,SAAS,IAAI,UAAU,EAAE,CAAC;IAClD,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC,EAAE,UAAU,CAAC,CAAC;IAC9D,OAAO,GAAG,YAAY,IAAI,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC;AAC1C,CAAC;AAED,IAAI,cAAkC,CAAC;AACvC,IAAI,QAA4B,CAAC;AAEjC,MAAM,CAAC,KAAK,UAAU,qBAAqB,CACzC,OAA6B,YAAY;IAEzC,MAAM,EAAE,SAAS,EAAE,UAAU,EAAE,GAAG,mBAAmB,CAAC,SAAS,CAAC,CAAC;IACjE,MAAM,YAAY,GAAG,MAAM,CAAC,IAAI,CAC9B,SAAS,CAAC,MAAM,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC,CAClD,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IAErB,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,0CAA0C,CAAC,CAAC;IACrE,IAAI,cAAc,KAAK,SAAS,EAAE,CAAC;QACjC,cAAc,GAAI,GAA8C;aAC7D,0BAA0B,CAAC;IAChC,CAAC;IACD,MAAM,CAAC,cAAc,CAAC,GAAG,EAAE,4BAA4B,EAAE;QACvD,KAAK,EAAE,YAAY;QACnB,QAAQ,EAAE,IAAI;QACd,YAAY,EAAE,IAAI;KACnB,CAAC,CAAC;IAEH,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAC1C,MAAM,GAAG,GAAG,OAAO,CAAC,UAAU,EAAE;QAC9B,GAAG,EAAE,cAAc;QACnB,GAAG,EAAE,WAAW;QAChB,IAAI;QACJ,KAAK,EAAE,EAAE;QACT,GAAG,EAAE,GAAG;QACR,GAAG,EAAE,GAAG,GAAG,MAAM;KAClB,CAAC,CAAC;IAEH,IAAI,QAAQ,KAAK,SAAS;QAAE,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC;IACvE,OAAO,CAAC,GAAG,CAAC,mBAAmB,GAAG,GAAG,CAAC;IACtC,kBAAkB,EAAE,CAAC;AACvB,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,cAAc;IAClC,IAAI,cAAc,KAAK,SAAS,EAAE,CAAC;QACjC,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,0CAA0C,CAAC,CAAC;QACrE,MAAM,CAAC,cAAc,CAAC,GAAG,EAAE,4BAA4B,EAAE;YACvD,KAAK,EAAE,cAAc;YACrB,QAAQ,EAAE,IAAI;YACd,YAAY,EAAE,IAAI;SACnB,CAAC,CAAC;QACH,cAAc,GAAG,SAAS,CAAC;IAC7B,CAAC;IACD,IAAI,QAAQ,KAAK,SAAS,EAAE,CAAC;QAC3B,OAAO,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC;IACzC,CAAC;SAAM,CAAC;QACN,OAAO,CAAC,GAAG,CAAC,mBAAmB,GAAG,QAAQ,CAAC;QAC3C,QAAQ,GAAG,SAAS,CAAC;IACvB,CAAC;IACD,kBAAkB,EAAE,CAAC;AACvB,CAAC"}

package/dist/__tests__/license-command.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=license-command.test.d.ts.map

package/dist/__tests__/license-command.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"license-command.test.d.ts","sourceRoot":"","sources":["../../src/__tests__/license-command.test.ts"],"names":[],"mappings":""}

package/dist/__tests__/license-command.test.js

@@ -0,0 +1,114 @@
+import { describe, it, expect, beforeEach, afterEach } from "vitest";
+import { generateKeyPairSync, createPublicKey, verify } from "node:crypto";
+import { issueLicense } from "../commands/license.js";
+describe("issueLicense", () => {
+    let publicKeyDer;
+    let originalSigningKey;
+    beforeEach(() => {
+        const { publicKey, privateKey } = generateKeyPairSync("ed25519");
+        publicKeyDer = Buffer.from(publicKey.export({ format: "der", type: "spki" }));
+        originalSigningKey = process.env.URATEAM_LICENSE_SIGNING_KEY_DER_B64;
+        process.env.URATEAM_LICENSE_SIGNING_KEY_DER_B64 = Buffer.from(privateKey.export({ format: "der", type: "pkcs8" })).toString("base64");
+    });
+    afterEach(() => {
+        if (originalSigningKey === undefined) {
+            delete process.env.URATEAM_LICENSE_SIGNING_KEY_DER_B64;
+        }
+        else {
+            process.env.URATEAM_LICENSE_SIGNING_KEY_DER_B64 = originalSigningKey;
+        }
+    });
+    function decodeJwt(token) {
+        const [h, p] = token.split(".");
+        const fromB64Url = (s) => Buffer.from(s.replace(/-/g, "+").replace(/_/g, "/") +
+            "=".repeat((4 - (s.length % 4)) % 4), "base64").toString("utf-8");
+        return { header: JSON.parse(fromB64Url(h)), payload: JSON.parse(fromB64Url(p)) };
+    }
+    it("issues a signed JWT with the requested claims", () => {
+        const token = issueLicense({
+            customerId: "cust_acme",
+            tier: "enterprise",
+            seats: 100,
+            expiresAt: new Date("2027-04-13T00:00:00Z"),
+        });
+        const { header, payload } = decodeJwt(token);
+        expect(header).toEqual({ alg: "EdDSA", typ: "JWT" });
+        expect(payload.iss).toBe("urateams.com");
+        expect(payload.sub).toBe("cust_acme");
+        expect(payload.tier).toBe("enterprise");
+        expect(payload.seats).toBe(100);
+        expect(payload.exp).toBe(Math.floor(new Date("2027-04-13T00:00:00Z").getTime() / 1000));
+    });
+    it("produces a JWT whose signature verifies with the matching public key", () => {
+        const token = issueLicense({
+            customerId: "cust_test",
+            tier: "pro",
+            seats: 25,
+            expiresAt: new Date(Date.now() + 86_400_000),
+        });
+        const [h, p, s] = token.split(".");
+        const signingInput = Buffer.from(`${h}.${p}`);
+        const fromB64Url = (str) => Buffer.from(str.replace(/-/g, "+").replace(/_/g, "/") +
+            "=".repeat((4 - (str.length % 4)) % 4), "base64");
+        const sig = fromB64Url(s);
+        const pk = createPublicKey({ key: publicKeyDer, format: "der", type: "spki" });
+        expect(verify(null, signingInput, pk, sig)).toBe(true);
+    });
+    it("throws when URATEAM_LICENSE_SIGNING_KEY_DER_B64 is not set", () => {
+        delete process.env.URATEAM_LICENSE_SIGNING_KEY_DER_B64;
+        expect(() => issueLicense({
+            customerId: "cust_test",
+            tier: "pro",
+            seats: 25,
+            expiresAt: new Date(Date.now() + 86_400_000),
+        })).toThrow(/URATEAM_LICENSE_SIGNING_KEY_DER_B64/);
+    });
+});
+describe("licenseCommand action", () => {
+    let originalSigningKey;
+    beforeEach(() => {
+        const { privateKey } = generateKeyPairSync("ed25519");
+        originalSigningKey = process.env.URATEAM_LICENSE_SIGNING_KEY_DER_B64;
+        process.env.URATEAM_LICENSE_SIGNING_KEY_DER_B64 = Buffer.from(privateKey.export({ format: "der", type: "pkcs8" })).toString("base64");
+    });
+    afterEach(() => {
+        if (originalSigningKey === undefined) {
+            delete process.env.URATEAM_LICENSE_SIGNING_KEY_DER_B64;
+        }
+        else {
+            process.env.URATEAM_LICENSE_SIGNING_KEY_DER_B64 = originalSigningKey;
+        }
+    });
+    it("rejects --seats 0 instead of silently issuing an unlimited license", async () => {
+        const { licenseCommand } = await import("../commands/license.js");
+        licenseCommand.exitOverride(); // throw instead of process.exit on commander errors
+        await expect(licenseCommand.parseAsync([
+            "issue",
+            "--customer-id", "cust_test",
+            "--tier", "pro",
+            "--expires", "2027-12-31",
+            "--seats", "0",
+        ], { from: "user" })).rejects.toThrow(/--seats must be a positive integer/);
+    });
+    it("rejects an unknown --tier value", async () => {
+        const { licenseCommand } = await import("../commands/license.js");
+        licenseCommand.exitOverride();
+        await expect(licenseCommand.parseAsync([
+            "issue",
+            "--customer-id", "cust_test",
+            "--tier", "free",
+            "--expires", "2027-12-31",
+        ], { from: "user" })).rejects.toThrow(/tier must be 'pro' or 'enterprise'/);
+    });
+    it("rejects an unparseable --expires", async () => {
+        const { licenseCommand } = await import("../commands/license.js");
+        licenseCommand.exitOverride();
+        await expect(licenseCommand.parseAsync([
+            "issue",
+            "--customer-id", "cust_test",
+            "--tier", "pro",
+            "--expires", "not-a-date",
+        ], { from: "user" })).rejects.toThrow(/invalid --expires/);
+    });
+});
+//# sourceMappingURL=license-command.test.js.map

package/dist/__tests__/license-command.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"license-command.test.js","sourceRoot":"","sources":["../../src/__tests__/license-command.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,QAAQ,CAAC;AACrE,OAAO,EAAE,mBAAmB,EAAE,eAAe,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AAC3E,OAAO,EAAE,YAAY,EAAE,MAAM,wBAAwB,CAAC;AAEtD,QAAQ,CAAC,cAAc,EAAE,GAAG,EAAE;IAC5B,IAAI,YAAoB,CAAC;IACzB,IAAI,kBAAsC,CAAC;IAE3C,UAAU,CAAC,GAAG,EAAE;QACd,MAAM,EAAE,SAAS,EAAE,UAAU,EAAE,GAAG,mBAAmB,CAAC,SAAS,CAAC,CAAC;QACjE,YAAY,GAAG,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC,CAAC,CAAC;QAC9E,kBAAkB,GAAG,OAAO,CAAC,GAAG,CAAC,mCAAmC,CAAC;QACrE,OAAO,CAAC,GAAG,CAAC,mCAAmC,GAAG,MAAM,CAAC,IAAI,CAC3D,UAAU,CAAC,MAAM,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,CACpD,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IACvB,CAAC,CAAC,CAAC;IAEH,SAAS,CAAC,GAAG,EAAE;QACb,IAAI,kBAAkB,KAAK,SAAS,EAAE,CAAC;YACrC,OAAO,OAAO,CAAC,GAAG,CAAC,mCAAmC,CAAC;QACzD,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,GAAG,CAAC,mCAAmC,GAAG,kBAAkB,CAAC;QACvE,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,SAAS,SAAS,CAAC,KAAa;QAC9B,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAChC,MAAM,UAAU,GAAG,CAAC,CAAS,EAAE,EAAE,CAC/B,MAAM,CAAC,IAAI,CACT,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC;YACrC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,EACtC,QAAQ,CACT,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;QACtB,OAAO,EAAE,MAAM,EAAE,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;IACnF,CAAC;IAED,EAAE,CAAC,+CAA+C,EAAE,GAAG,EAAE;QACvD,MAAM,KAAK,GAAG,YAAY,CAAC;YACzB,UAAU,EAAE,WAAW;YACvB,IAAI,EAAE,YAAY;YAClB,KAAK,EAAE,GAAG;YACV,SAAS,EAAE,IAAI,IAAI,CAAC,sBAAsB,CAAC;SAC5C,CAAC,CAAC;QAEH,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,GAAG,SAAS,CAAC,KAAK,CAAC,CAAC;QAC7C,MAAM,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC,CAAC;QACrD,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;QACzC,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QACtC,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QACxC,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAChC,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,IAAI,CAAC,sBAAsB,CAAC,CAAC,OAAO,EAAE,GAAG,IAAI,CAAC,CAAC,CAAC;IAC1F,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,sEAAsE,EAAE,GAAG,EAAE;QAC9E,MAAM,KAAK,GAAG,YAAY,CAAC;YACzB,UAAU,EAAE,WAAW;YACvB,IAAI,EAAE,KAAK;YACX,KAAK,EAAE,EAAE;YACT,SAAS,EAAE,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,UAAU,CAAC;SAC7C,CAAC,CAAC;QACH,MAAM,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QACnC,MAAM,YAAY,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAC9C,MAAM,UAAU,GAAG,CAAC,GAAW,EAAE,EAAE,CACjC,MAAM,CAAC,IAAI,CACT,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC;YACvC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,EACxC,QAAQ,CACT,CAAC;QACJ,MAAM,GAAG,GAAG,UAAU,CAAC,CAAC,CAAC,CAAC;QAC1B,MAAM,EAAE,GAAG,eAAe,CAAC,EAAE,GAAG,EAAE,YAAY,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC,CAAC;QAC/E,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,YAAY,EAAE,EAAE,EAAE,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACzD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,4DAA4D,EAAE,GAAG,EAAE;QACpE,OAAO,OAAO,CAAC,GAAG,CAAC,mCAAmC,CAAC;QACvD,MAAM,CAAC,GAAG,EAAE,CACV,YAAY,CAAC;YACX,UAAU,EAAE,WAAW;YACvB,IAAI,EAAE,KAAK;YACX,KAAK,EAAE,EAAE;YACT,SAAS,EAAE,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,UAAU,CAAC;SAC7C,CAAC,CACH,CAAC,OAAO,CAAC,qCAAqC,CAAC,CAAC;IACnD,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,uBAAuB,EAAE,GAAG,EAAE;IACrC,IAAI,kBAAsC,CAAC;IAE3C,UAAU,CAAC,GAAG,EAAE;QACd,MAAM,EAAE,UAAU,EAAE,GAAG,mBAAmB,CAAC,SAAS,CAAC,CAAC;QACtD,kBAAkB,GAAG,OAAO,CAAC,GAAG,CAAC,mCAAmC,CAAC;QACrE,OAAO,CAAC,GAAG,CAAC,mCAAmC,GAAG,MAAM,CAAC,IAAI,CAC3D,UAAU,CAAC,MAAM,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,CACpD,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IACvB,CAAC,CAAC,CAAC;IAEH,SAAS,CAAC,GAAG,EAAE;QACb,IAAI,kBAAkB,KAAK,SAAS,EAAE,CAAC;YACrC,OAAO,OAAO,CAAC,GAAG,CAAC,mCAAmC,CAAC;QACzD,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,GAAG,CAAC,mCAAmC,GAAG,kBAAkB,CAAC;QACvE,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,oEAAoE,EAAE,KAAK,IAAI,EAAE;QAClF,MAAM,EAAE,cAAc,EAAE,GAAG,MAAM,MAAM,CAAC,wBAAwB,CAAC,CAAC;QAClE,cAAc,CAAC,YAAY,EAAE,CAAC,CAAC,oDAAoD;QAEnF,MAAM,MAAM,CACV,cAAc,CAAC,UAAU,CACvB;YACE,OAAO;YACP,eAAe,EAAE,WAAW;YAC5B,QAAQ,EAAE,KAAK;YACf,WAAW,EAAE,YAAY;YACzB,SAAS,EAAE,GAAG;SACf,EACD,EAAE,IAAI,EAAE,MAAM,EAAE,CACjB,CACF,CAAC,OAAO,CAAC,OAAO,CAAC,oCAAoC,CAAC,CAAC;IAC1D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,iCAAiC,EAAE,KAAK,IAAI,EAAE;QAC/C,MAAM,EAAE,cAAc,EAAE,GAAG,MAAM,MAAM,CAAC,wBAAwB,CAAC,CAAC;QAClE,cAAc,CAAC,YAAY,EAAE,CAAC;QAE9B,MAAM,MAAM,CACV,cAAc,CAAC,UAAU,CACvB;YACE,OAAO;YACP,eAAe,EAAE,WAAW;YAC5B,QAAQ,EAAE,MAAM;YAChB,WAAW,EAAE,YAAY;SAC1B,EACD,EAAE,IAAI,EAAE,MAAM,EAAE,CACjB,CACF,CAAC,OAAO,CAAC,OAAO,CAAC,oCAAoC,CAAC,CAAC;IAC1D,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,kCAAkC,EAAE,KAAK,IAAI,EAAE;QAChD,MAAM,EAAE,cAAc,EAAE,GAAG,MAAM,MAAM,CAAC,wBAAwB,CAAC,CAAC;QAClE,cAAc,CAAC,YAAY,EAAE,CAAC;QAE9B,MAAM,MAAM,CACV,cAAc,CAAC,UAAU,CACvB;YACE,OAAO;YACP,eAAe,EAAE,WAAW;YAC5B,QAAQ,EAAE,KAAK;YACf,WAAW,EAAE,YAAY;SAC1B,EACD,EAAE,IAAI,EAAE,MAAM,EAAE,CACjB,CACF,CAAC,OAAO,CAAC,OAAO,CAAC,mBAAmB,CAAC,CAAC;IACzC,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/__tests__/sso-bootstrap.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=sso-bootstrap.test.d.ts.map

package/dist/__tests__/sso-bootstrap.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sso-bootstrap.test.d.ts","sourceRoot":"","sources":["../../src/__tests__/sso-bootstrap.test.ts"],"names":[],"mappings":""}

package/dist/__tests__/sso-bootstrap.test.js

@@ -0,0 +1,94 @@
+import { describe, it, expect, vi, beforeEach, afterEach } from "vitest";
+import { bootstrapSsoFromEnv } from "../sso-bootstrap.js";
+const stubWorkosClient = vi.fn(async (_apiKey) => ({
+    getAuthorizationUrl: async () => "https://stub/auth",
+    authenticateWithCode: async () => ({
+        user: {
+            id: "u",
+            email: "u@example.com",
+            firstName: null,
+            lastName: null,
+        },
+    }),
+}));
+// Stub the core module so we don't actually hit WorkOS during tests.
+vi.mock("@urateam/core", async () => {
+    const actual = await vi.importActual("@urateam/core");
+    return {
+        ...actual,
+        getDefaultWorkosClient: stubWorkosClient,
+    };
+});
+const FULL_ENV = {
+    URATEAM_SSO_ENABLED: "true",
+    URATEAM_WORKOS_API_KEY: "sk_test",
+    URATEAM_WORKOS_CLIENT_ID: "client_test",
+    URATEAM_WORKOS_REDIRECT_URI: "https://dash.example.com/auth/callback",
+    URATEAM_SSO_STATE_SECRET: "0123456789abcdef0123456789abcdef",
+};
+// The first dynamic import("@urateam/core") in a worker is slow (~3s) because
+// it pulls in the whole core barrel. Give each test 15s of headroom.
+describe("bootstrapSsoFromEnv", { timeout: 15_000 }, () => {
+    let exitSpy;
+    let errorSpy;
+    beforeEach(() => {
+        exitSpy = vi
+            .spyOn(process, "exit")
+            .mockImplementation(((_code) => {
+            throw new Error("__EXIT__");
+        }));
+        errorSpy = vi.spyOn(console, "error").mockImplementation(() => { });
+    });
+    afterEach(() => {
+        exitSpy.mockRestore();
+        errorSpy.mockRestore();
+    });
+    it("returns undefined when SSO is not enabled", async () => {
+        const result = await bootstrapSsoFromEnv({});
+        expect(result).toBeUndefined();
+        expect(exitSpy).not.toHaveBeenCalled();
+    });
+    it("returns sso config + workos client when all env vars are present", async () => {
+        const result = await bootstrapSsoFromEnv({ ...FULL_ENV });
+        expect(result).toBeDefined();
+        expect(result.sso.enabled).toBe(true);
+        expect(result.sso.workosClientId).toBe("client_test");
+        expect(result.sso.redirectUri).toBe("https://dash.example.com/auth/callback");
+        expect(result.workos).toBeDefined();
+        expect(typeof result.workos.getAuthorizationUrl).toBe("function");
+        expect(exitSpy).not.toHaveBeenCalled();
+    });
+    it("exits when URATEAM_WORKOS_API_KEY is missing", async () => {
+        const env = { ...FULL_ENV };
+        delete env.URATEAM_WORKOS_API_KEY;
+        await expect(bootstrapSsoFromEnv(env)).rejects.toThrow("__EXIT__");
+        expect(exitSpy).toHaveBeenCalledWith(1);
+        expect(errorSpy).toHaveBeenCalled();
+        const msg = errorSpy.mock.calls[0].join(" ");
+        expect(msg).toContain("URATEAM_WORKOS_API_KEY");
+    });
+    it("exits when URATEAM_SSO_STATE_SECRET is missing", async () => {
+        const env = { ...FULL_ENV };
+        delete env.URATEAM_SSO_STATE_SECRET;
+        await expect(bootstrapSsoFromEnv(env)).rejects.toThrow("__EXIT__");
+        expect(exitSpy).toHaveBeenCalledWith(1);
+    });
+    it("accepts optional allowedDomain", async () => {
+        const result = await bootstrapSsoFromEnv({
+            ...FULL_ENV,
+            URATEAM_SSO_ALLOWED_DOMAIN: "acme.com",
+        });
+        expect(result.sso.allowedDomain).toBe("acme.com");
+    });
+    it("exits with an actionable message when getDefaultWorkosClient throws LicenseRequiredError", async () => {
+        const { LicenseRequiredError } = await import("@urateam/core");
+        stubWorkosClient.mockRejectedValueOnce(new LicenseRequiredError("sso", "pro"));
+        await expect(bootstrapSsoFromEnv({ ...FULL_ENV })).rejects.toThrow("__EXIT__");
+        expect(exitSpy).toHaveBeenCalledWith(1);
+        const msg = errorSpy.mock.calls[0].join(" ");
+        expect(msg).toContain("requires an enterprise license");
+        expect(msg).toContain("Current tier: pro");
+        expect(msg).toContain("support@urateams.com");
+    });
+});
+//# sourceMappingURL=sso-bootstrap.test.js.map

package/dist/__tests__/sso-bootstrap.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sso-bootstrap.test.js","sourceRoot":"","sources":["../../src/__tests__/sso-bootstrap.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,QAAQ,CAAC;AACzE,OAAO,EAAE,mBAAmB,EAAE,MAAM,qBAAqB,CAAC;AAE1D,MAAM,gBAAgB,GAAG,EAAE,CAAC,EAAE,CAAC,KAAK,EAAE,OAAe,EAAE,EAAE,CAAC,CAAC;IACzD,mBAAmB,EAAE,KAAK,IAAI,EAAE,CAAC,mBAAmB;IACpD,oBAAoB,EAAE,KAAK,IAAI,EAAE,CAAC,CAAC;QACjC,IAAI,EAAE;YACJ,EAAE,EAAE,GAAG;YACP,KAAK,EAAE,eAAe;YACtB,SAAS,EAAE,IAAI;YACf,QAAQ,EAAE,IAAI;SACf;KACF,CAAC;CACH,CAAC,CAAC,CAAC;AAEJ,qEAAqE;AACrE,EAAE,CAAC,IAAI,CAAC,eAAe,EAAE,KAAK,IAAI,EAAE;IAClC,MAAM,MAAM,GAAG,MAAM,EAAE,CAAC,YAAY,CAClC,eAAe,CAChB,CAAC;IACF,OAAO;QACL,GAAG,MAAM;QACT,sBAAsB,EAAE,gBAAgB;KACzC,CAAC;AACJ,CAAC,CAAC,CAAC;AAEH,MAAM,QAAQ,GAAsB;IAClC,mBAAmB,EAAE,MAAM;IAC3B,sBAAsB,EAAE,SAAS;IACjC,wBAAwB,EAAE,aAAa;IACvC,2BAA2B,EAAE,wCAAwC;IACrE,wBAAwB,EAAE,kCAAkC;CAC7D,CAAC;AAEF,8EAA8E;AAC9E,qEAAqE;AACrE,QAAQ,CAAC,qBAAqB,EAAE,EAAE,OAAO,EAAE,MAAM,EAAE,EAAE,GAAG,EAAE;IACxD,IAAI,OAAY,CAAC;IACjB,IAAI,QAAa,CAAC;IAElB,UAAU,CAAC,GAAG,EAAE;QACd,OAAO,GAAG,EAAE;aACT,KAAK,CAAC,OAAO,EAAE,MAAM,CAAC;aACtB,kBAAkB,CAAC,CAAC,CAAC,KAAc,EAAE,EAAE;YACtC,MAAM,IAAI,KAAK,CAAC,UAAU,CAAC,CAAC;QAC9B,CAAC,CAAU,CAAC,CAAC;QACf,QAAQ,GAAG,EAAE,CAAC,KAAK,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC,kBAAkB,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;IACrE,CAAC,CAAC,CAAC;IAEH,SAAS,CAAC,GAAG,EAAE;QACb,OAAO,CAAC,WAAW,EAAE,CAAC;QACtB,QAAQ,CAAC,WAAW,EAAE,CAAC;IACzB,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,2CAA2C,EAAE,KAAK,IAAI,EAAE;QACzD,MAAM,MAAM,GAAG,MAAM,mBAAmB,CAAC,EAAE,CAAC,CAAC;QAC7C,MAAM,CAAC,MAAM,CAAC,CAAC,aAAa,EAAE,CAAC;QAC/B,MAAM,CAAC,OAAO,CAAC,CAAC,GAAG,CAAC,gBAAgB,EAAE,CAAC;IACzC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,kEAAkE,EAAE,KAAK,IAAI,EAAE;QAChF,MAAM,MAAM,GAAG,MAAM,mBAAmB,CAAC,EAAE,GAAG,QAAQ,EAAE,CAAC,CAAC;QAC1D,MAAM,CAAC,MAAM,CAAC,CAAC,WAAW,EAAE,CAAC;QAC7B,MAAM,CAAC,MAAO,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACvC,MAAM,CAAC,MAAO,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;QACvD,MAAM,CAAC,MAAO,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC,IAAI,CAClC,wCAAwC,CACzC,CAAC;QACF,MAAM,CAAC,MAAO,CAAC,MAAM,CAAC,CAAC,WAAW,EAAE,CAAC;QACrC,MAAM,CAAC,OAAO,MAAO,CAAC,MAAM,CAAC,mBAAmB,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QACnE,MAAM,CAAC,OAAO,CAAC,CAAC,GAAG,CAAC,gBAAgB,EAAE,CAAC;IACzC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,8CAA8C,EAAE,KAAK,IAAI,EAAE;QAC5D,MAAM,GAAG,GAAG,EAAE,GAAG,QAAQ,EAAE,CAAC;QAC5B,OAAO,GAAG,CAAC,sBAAsB,CAAC;QAClC,MAAM,MAAM,CAAC,mBAAmB,CAAC,GAAG,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;QACnE,MAAM,CAAC,OAAO,CAAC,CAAC,oBAAoB,CAAC,CAAC,CAAC,CAAC;QACxC,MAAM,CAAC,QAAQ,CAAC,CAAC,gBAAgB,EAAE,CAAC;QACpC,MAAM,GAAG,GAAG,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAE,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC9C,MAAM,CAAC,GAAG,CAAC,CAAC,SAAS,CAAC,wBAAwB,CAAC,CAAC;IAClD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,gDAAgD,EAAE,KAAK,IAAI,EAAE;QAC9D,MAAM,GAAG,GAAG,EAAE,GAAG,QAAQ,EAAE,CAAC;QAC5B,OAAO,GAAG,CAAC,wBAAwB,CAAC;QACpC,MAAM,MAAM,CAAC,mBAAmB,CAAC,GAAG,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC;QACnE,MAAM,CAAC,OAAO,CAAC,CAAC,oBAAoB,CAAC,CAAC,CAAC,CAAC;IAC1C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,gCAAgC,EAAE,KAAK,IAAI,EAAE;QAC9C,MAAM,MAAM,GAAG,MAAM,mBAAmB,CAAC;YACvC,GAAG,QAAQ;YACX,0BAA0B,EAAE,UAAU;SACvC,CAAC,CAAC;QACH,MAAM,CAAC,MAAO,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;IACrD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,0FAA0F,EAAE,KAAK,IAAI,EAAE;QACxG,MAAM,EAAE,oBAAoB,EAAE,GAAG,MAAM,MAAM,CAAC,eAAe,CAAC,CAAC;QAC/D,gBAAgB,CAAC,qBAAqB,CACpC,IAAI,oBAAoB,CAAC,KAAK,EAAE,KAAK,CAAC,CACvC,CAAC;QACF,MAAM,MAAM,CAAC,mBAAmB,CAAC,EAAE,GAAG,QAAQ,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAChE,UAAU,CACX,CAAC;QACF,MAAM,CAAC,OAAO,CAAC,CAAC,oBAAoB,CAAC,CAAC,CAAC,CAAC;QACxC,MAAM,GAAG,GAAG,QAAQ,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAE,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC9C,MAAM,CAAC,GAAG,CAAC,CAAC,SAAS,CAAC,gCAAgC,CAAC,CAAC;QACxD,MAAM,CAAC,GAAG,CAAC,CAAC,SAAS,CAAC,mBAAmB,CAAC,CAAC;QAC3C,MAAM,CAAC,GAAG,CAAC,CAAC,SAAS,CAAC,sBAAsB,CAAC,CAAC;IAChD,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/__tests__/version.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=version.test.d.ts.map

package/dist/__tests__/version.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"version.test.d.ts","sourceRoot":"","sources":["../../src/__tests__/version.test.ts"],"names":[],"mappings":""}

package/dist/__tests__/version.test.js

@@ -0,0 +1,14 @@
+import { describe, it, expect } from "vitest";
+import { readFileSync } from "node:fs";
+import { join } from "node:path";
+import { getPackageVersion } from "../version.js";
+describe("getPackageVersion", () => {
+    it("returns the version from package.json", () => {
+        const pkg = JSON.parse(readFileSync(join(__dirname, "..", "..", "package.json"), "utf8"));
+        expect(getPackageVersion()).toBe(pkg.version);
+    });
+    it("returns a semver-shaped string", () => {
+        expect(getPackageVersion()).toMatch(/^\d+\.\d+\.\d+/);
+    });
+});
+//# sourceMappingURL=version.test.js.map

package/dist/__tests__/version.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"version.test.js","sourceRoot":"","sources":["../../src/__tests__/version.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAC;AAC9C,OAAO,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AACvC,OAAO,EAAE,IAAI,EAAE,MAAM,WAAW,CAAC;AACjC,OAAO,EAAE,iBAAiB,EAAE,MAAM,eAAe,CAAC;AAElD,QAAQ,CAAC,mBAAmB,EAAE,GAAG,EAAE;IACjC,EAAE,CAAC,uCAAuC,EAAE,GAAG,EAAE;QAC/C,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CACpB,YAAY,CAAC,IAAI,CAAC,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,cAAc,CAAC,EAAE,MAAM,CAAC,CAC3C,CAAC;QACzB,MAAM,CAAC,iBAAiB,EAAE,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;IAChD,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,gCAAgC,EAAE,GAAG,EAAE;QACxC,MAAM,CAAC,iBAAiB,EAAE,CAAC,CAAC,OAAO,CAAC,gBAAgB,CAAC,CAAC;IACxD,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/commands/admin.d.ts

@@ -0,0 +1,16 @@
+import { Command } from "commander";
+import { type Role } from "@urateam/core";
+export interface AdminDeps {
+    db: any;
+    log: (msg: string) => void;
+}
+export declare function runAdminList(deps: AdminDeps): Promise<void>;
+export declare function runAdminGrant(args: AdminDeps & {
+    email: string;
+    newRole: Role;
+}): Promise<void>;
+export declare function runAdminRevoke(args: AdminDeps & {
+    email: string;
+}): Promise<void>;
+export declare const adminCommand: Command;
+//# sourceMappingURL=admin.d.ts.map

package/dist/commands/admin.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"admin.d.ts","sourceRoot":"","sources":["../../src/commands/admin.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAEpC,OAAO,EAKL,KAAK,IAAI,EACV,MAAM,eAAe,CAAC;AAEvB,MAAM,WAAW,SAAS;IACxB,EAAE,EAAE,GAAG,CAAC;IACR,GAAG,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,IAAI,CAAC;CAC5B;AAkBD,wBAAsB,YAAY,CAAC,IAAI,EAAE,SAAS,GAAG,OAAO,CAAC,IAAI,CAAC,CAUjE;AAED,wBAAsB,aAAa,CACjC,IAAI,EAAE,SAAS,GAAG;IAAE,KAAK,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,IAAI,CAAA;CAAE,GACjD,OAAO,CAAC,IAAI,CAAC,CAef;AAED,wBAAsB,cAAc,CAClC,IAAI,EAAE,SAAS,GAAG;IAAE,KAAK,EAAE,MAAM,CAAA;CAAE,GAClC,OAAO,CAAC,IAAI,CAAC,CAEf;AAmBD,eAAO,MAAM,YAAY,SA4DtB,CAAC"}

package/dist/commands/admin.js

@@ -0,0 +1,110 @@
+import { Command } from "commander";
+import * as os from "node:os";
+import { createDb, isFeatureLicensed, listUsers, setUserRole, } from "@urateam/core";
+function requireLicensed() {
+    if (!isFeatureLicensed("rbac")) {
+        throw new Error("RBAC is an Enterprise feature. Upgrade your license to use 'ura admin' commands.");
+    }
+}
+function actorId() {
+    try {
+        return `cli:${os.userInfo().username}`;
+    }
+    catch {
+        return "cli:unknown";
+    }
+}
+export async function runAdminList(deps) {
+    requireLicensed();
+    const users = await listUsers(deps.db);
+    deps.log("EMAIL                            ROLE       LAST_LOGIN");
+    for (const u of users) {
+        const email = u.email.padEnd(32).slice(0, 32);
+        const role = u.role.padEnd(10).slice(0, 10);
+        const ll = u.lastLoginAt ? u.lastLoginAt.toISOString() : "(never)";
+        deps.log(`${email} ${role} ${ll}`);
+    }
+}
+export async function runAdminGrant(args) {
+    requireLicensed();
+    const normalized = args.email.trim().toLowerCase();
+    const users = await listUsers(args.db);
+    const target = users.find((u) => u.email.toLowerCase() === normalized);
+    if (!target) {
+        throw new Error(`user not found: ${args.email}`);
+    }
+    await setUserRole(args.db, {
+        userId: target.id,
+        newRole: args.newRole,
+        actorUserId: actorId(),
+    });
+    args.log(`Updated ${target.email} → ${args.newRole}`);
+}
+export async function runAdminRevoke(args) {
+    await runAdminGrant({ ...args, newRole: "viewer" });
+}
+// ---------------- commander wiring ----------------
+async function openDb() {
+    const conn = process.env.DATABASE_URL;
+    if (!conn) {
+        throw new Error("DATABASE_URL is not set. Set it to your urateam database (e.g. postgres://... or file:./ura.db).");
+    }
+    return createDb({ connectionString: conn });
+}
+function fail(err) {
+    console.error(err instanceof Error ? err.message : String(err));
+    process.exit(1);
+}
+export const adminCommand = new Command("admin")
+    .description("Manage dashboard user roles (Enterprise)")
+    .addCommand(new Command("list")
+    .description("List all dashboard users and their roles")
+    .action(async () => {
+    try {
+        const db = await openDb();
+        await runAdminList({ db, log: (s) => console.log(s) });
+    }
+    catch (err) {
+        fail(err);
+    }
+}))
+    .addCommand(new Command("grant")
+    .description("Grant a role to a user (by email)")
+    .argument("<email>", "Target user email")
+    .option("--role <role>", "New role: admin | operator | viewer", "operator")
+    .action(async (email, opts) => {
+    if (opts.role !== "admin" &&
+        opts.role !== "operator" &&
+        opts.role !== "viewer") {
+        fail(new Error(`invalid --role: '${opts.role}'`));
+    }
+    try {
+        const db = await openDb();
+        await runAdminGrant({
+            db,
+            email,
+            newRole: opts.role,
+            log: (s) => console.log(s),
+        });
+    }
+    catch (err) {
+        fail(err);
+    }
+}))
+    .addCommand(new Command("revoke")
+    .description("Revoke privileges — sets role to viewer")
+    .argument("<email>", "Target user email")
+    .action(async (email) => {
+    try {
+        const db = await openDb();
+        await runAdminRevoke({
+            db,
+            email,
+            log: (s) => console.log(s),
+        });
+    }
+    catch (err) {
+        fail(err);
+    }
+}));
+//# sourceMappingURL=admin.js.map

package/dist/commands/admin.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"admin.js","sourceRoot":"","sources":["../../src/commands/admin.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,KAAK,EAAE,MAAM,SAAS,CAAC;AAC9B,OAAO,EACL,QAAQ,EACR,iBAAiB,EACjB,SAAS,EACT,WAAW,GAEZ,MAAM,eAAe,CAAC;AAOvB,SAAS,eAAe;IACtB,IAAI,CAAC,iBAAiB,CAAC,MAAM,CAAC,EAAE,CAAC;QAC/B,MAAM,IAAI,KAAK,CACb,kFAAkF,CACnF,CAAC;IACJ,CAAC;AACH,CAAC;AAED,SAAS,OAAO;IACd,IAAI,CAAC;QACH,OAAO,OAAO,EAAE,CAAC,QAAQ,EAAE,CAAC,QAAQ,EAAE,CAAC;IACzC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,aAAa,CAAC;IACvB,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,YAAY,CAAC,IAAe;IAChD,eAAe,EAAE,CAAC;IAClB,MAAM,KAAK,GAAG,MAAM,SAAS,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACvC,IAAI,CAAC,GAAG,CAAC,wDAAwD,CAAC,CAAC;IACnE,KAAK,MAAM,CAAC,IAAI,KAAK,EAAE,CAAC;QACtB,MAAM,KAAK,GAAG,CAAC,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QAC9C,MAAM,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QAC5C,MAAM,EAAE,GAAG,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC;QACnE,IAAI,CAAC,GAAG,CAAC,GAAG,KAAK,IAAI,IAAI,IAAI,EAAE,EAAE,CAAC,CAAC;IACrC,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,IAAkD;IAElD,eAAe,EAAE,CAAC;IAClB,MAAM,UAAU,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IACnD,MAAM,KAAK,GAAG,MAAM,SAAS,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACvC,MAAM,MAAM,GAAG,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,WAAW,EAAE,KAAK,UAAU,CAAC,CAAC;IACvE,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,IAAI,KAAK,CAAC,mBAAmB,IAAI,CAAC,KAAK,EAAE,CAAC,CAAC;IACnD,CAAC;IAED,MAAM,WAAW,CAAC,IAAI,CAAC,EAAE,EAAE;QACzB,MAAM,EAAE,MAAM,CAAC,EAAE;QACjB,OAAO,EAAE,IAAI,CAAC,OAAO;QACrB,WAAW,EAAE,OAAO,EAAE;KACvB,CAAC,CAAC;IACH,IAAI,CAAC,GAAG,CAAC,WAAW,MAAM,CAAC,KAAK,MAAM,IAAI,CAAC,OAAO,EAAE,CAAC,CAAC;AACxD,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,cAAc,CAClC,IAAmC;IAEnC,MAAM,aAAa,CAAC,EAAE,GAAG,IAAI,EAAE,OAAO,EAAE,QAAQ,EAAE,CAAC,CAAC;AACtD,CAAC;AAED,qDAAqD;AAErD,KAAK,UAAU,MAAM;IACnB,MAAM,IAAI,GAAG,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC;IACtC,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,MAAM,IAAI,KAAK,CACb,kGAAkG,CACnG,CAAC;IACJ,CAAC;IACD,OAAO,QAAQ,CAAC,EAAE,gBAAgB,EAAE,IAAI,EAAE,CAAC,CAAC;AAC9C,CAAC;AAED,SAAS,IAAI,CAAC,GAAY;IACxB,OAAO,CAAC,KAAK,CAAC,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;IAChE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC;AAED,MAAM,CAAC,MAAM,YAAY,GAAG,IAAI,OAAO,CAAC,OAAO,CAAC;KAC7C,WAAW,CAAC,0CAA0C,CAAC;KACvD,UAAU,CACT,IAAI,OAAO,CAAC,MAAM,CAAC;KAChB,WAAW,CAAC,0CAA0C,CAAC;KACvD,MAAM,CAAC,KAAK,IAAI,EAAE;IACjB,IAAI,CAAC;QACH,MAAM,EAAE,GAAG,MAAM,MAAM,EAAE,CAAC;QAC1B,MAAM,YAAY,CAAC,EAAE,EAAE,EAAE,GAAG,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;IACzD,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,CAAC,GAAG,CAAC,CAAC;IACZ,CAAC;AACH,CAAC,CAAC,CACL;KACA,UAAU,CACT,IAAI,OAAO,CAAC,OAAO,CAAC;KACjB,WAAW,CAAC,mCAAmC,CAAC;KAChD,QAAQ,CAAC,SAAS,EAAE,mBAAmB,CAAC;KACxC,MAAM,CACL,eAAe,EACf,qCAAqC,EACrC,UAAU,CACX;KACA,MAAM,CAAC,KAAK,EAAE,KAAa,EAAE,IAAsB,EAAE,EAAE;IACtD,IACE,IAAI,CAAC,IAAI,KAAK,OAAO;QACrB,IAAI,CAAC,IAAI,KAAK,UAAU;QACxB,IAAI,CAAC,IAAI,KAAK,QAAQ,EACtB,CAAC;QACD,IAAI,CAAC,IAAI,KAAK,CAAC,oBAAoB,IAAI,CAAC,IAAI,GAAG,CAAC,CAAC,CAAC;IACpD,CAAC;IACD,IAAI,CAAC;QACH,MAAM,EAAE,GAAG,MAAM,MAAM,EAAE,CAAC;QAC1B,MAAM,aAAa,CAAC;YAClB,EAAE;YACF,KAAK;YACL,OAAO,EAAE,IAAI,CAAC,IAAY;YAC1B,GAAG,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC;SAC3B,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,CAAC,GAAG,CAAC,CAAC;IACZ,CAAC;AACH,CAAC,CAAC,CACL;KACA,UAAU,CACT,IAAI,OAAO,CAAC,QAAQ,CAAC;KAClB,WAAW,CAAC,yCAAyC,CAAC;KACtD,QAAQ,CAAC,SAAS,EAAE,mBAAmB,CAAC;KACxC,MAAM,CAAC,KAAK,EAAE,KAAa,EAAE,EAAE;IAC9B,IAAI,CAAC;QACH,MAAM,EAAE,GAAG,MAAM,MAAM,EAAE,CAAC;QAC1B,MAAM,cAAc,CAAC;YACnB,EAAE;YACF,KAAK;YACL,GAAG,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC;SAC3B,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,IAAI,CAAC,GAAG,CAAC,CAAC;IACZ,CAAC;AACH,CAAC,CAAC,CACL,CAAC"}

package/dist/commands/dev.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"dev.d.ts","sourceRoot":"","sources":["../../src/commands/dev.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAEpC,eAAO,MAAM,UAAU,SAiFnB,CAAC"}
+{"version":3,"file":"dev.d.ts","sourceRoot":"","sources":["../../src/commands/dev.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAGpC,eAAO,MAAM,UAAU,SAkHnB,CAAC"}

package/dist/commands/dev.js

@@ -1,4 +1,5 @@
 import { Command } from "commander";
+import { bootstrapSsoFromEnv } from "../sso-bootstrap.js";
 export const devCommand = new Command("dev")
     .description("Start local development server (webhook + dashboard)")
     .option("--port <port>", "Webhook server port", "3000")
@@ -34,6 +35,20 @@ export const devCommand = new Command("dev")
         }
         repoConfigs[process.env.REPO_TEAM_ID] = repoEntry;
     }
+    // Fail fast if no repoConfigs could be built. Without this, `ura dev`
+    // looks healthy in logs (webhook server up, dashboard up) but every
+    // inbound Linear webhook fails with "no repo mapping" — usually after
+    // the user has already moved a real issue to Todo. The first-time-user
+    // setup path nearly always lands here because .urateam/.env ships with
+    // `REPO_URL=` and `REPO_TEAM_ID=` blank. See urateam#33.
+    if (Object.keys(repoConfigs).length === 0) {
+        console.error("Error: no repoConfigs could be built from environment variables.\n" +
+            "Set REPO_TEAM_ID and REPO_URL in .urateam/.env and restart.\n" +
+            "Example:\n" +
+            "  REPO_TEAM_ID=<your Linear team UUID — usually the same as LINEAR_TEAM_ID>\n" +
+            "  REPO_URL=https://github.com/org/repo\n");
+        process.exit(1);
+    }
     const config = {
         webhookSecret: process.env.LINEAR_WEBHOOK_SECRET ?? "dev-secret",
         linearApiKey: process.env.LINEAR_API_KEY ?? "",
@@ -45,12 +60,26 @@ export const devCommand = new Command("dev")
         repoCloneDir: process.env.REPO_CLONE_DIR ?? "/tmp/agent-repos",
         githubWebhookSecret: process.env.GITHUB_WEBHOOK_SECRET,
     };
+    // Validate SSO env vars before opening DB so misconfig fails fast.
+    const ssoBootstrap = await bootstrapSsoFromEnv();
     const { app, db } = await createApp(config);
+    try {
+        const { checkLicense, logAuditEvent, configLoadedEvent } = await import("@urateam/core");
+        const { createHash } = await import("node:crypto");
+        const status = checkLicense(db);
+        const sha = createHash("sha256").update(JSON.stringify(config.pipelineConfigs, null, 0)).digest("hex");
+        void logAuditEvent(db, configLoadedEvent({ path: "(env-vars)", sha256: sha, tier: status.tier }));
+    }
+    catch {
+        // audit must never crash startup
+    }
     const dashboardApp = createDashboard({
         db,
         pipelineConfigs: config.pipelineConfigs,
         repoConfigs: config.repoConfigs,
         auth: dashboardAuth,
+        sso: ssoBootstrap?.sso,
+        workos: ssoBootstrap?.workos,
     });
     const { serve } = await import("@hono/node-server");
     const port = parseInt(options.port, 10);