@urateam/core 0.1.3 → 0.1.8

package/dist/policy/override.d.ts

@@ -0,0 +1,23 @@
+/**
+ * Check whether a Linear issue carries the configured override label.
+ * Case-insensitive match.
+ *
+ * SECURITY NOTE: This bypass relies on Linear label creation being restricted
+ * to authorized team members. Operators should ensure that the configured
+ * override label (default "policy-override") can only be created and applied
+ * by principals trusted to bypass policy gates. In permissive Linear
+ * workspaces, consider using a label name that's less likely to be created
+ * accidentally, or disable the override mechanism entirely by setting
+ * `overrideLabel` to a sentinel value that no one will use.
+ *
+ * Uses Linear SDK lazy-relation method pattern — `.labels` is a method,
+ * not a property.
+ */
+export declare function hasOverrideLabel(issue: {
+    labels: () => Promise<{
+        nodes: Array<{
+            name: string;
+        }>;
+    }>;
+}, labelName: string): Promise<boolean>;
+//# sourceMappingURL=override.d.ts.map

package/dist/policy/override.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"override.d.ts","sourceRoot":"","sources":["../../src/policy/override.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AACH,wBAAsB,gBAAgB,CACpC,KAAK,EAAE;IAAE,MAAM,EAAE,MAAM,OAAO,CAAC;QAAE,KAAK,EAAE,KAAK,CAAC;YAAE,IAAI,EAAE,MAAM,CAAA;SAAE,CAAC,CAAA;KAAE,CAAC,CAAA;CAAE,EACpE,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,OAAO,CAAC,CAQlB"}

package/dist/policy/override.js

@@ -0,0 +1,26 @@
+/**
+ * Check whether a Linear issue carries the configured override label.
+ * Case-insensitive match.
+ *
+ * SECURITY NOTE: This bypass relies on Linear label creation being restricted
+ * to authorized team members. Operators should ensure that the configured
+ * override label (default "policy-override") can only be created and applied
+ * by principals trusted to bypass policy gates. In permissive Linear
+ * workspaces, consider using a label name that's less likely to be created
+ * accidentally, or disable the override mechanism entirely by setting
+ * `overrideLabel` to a sentinel value that no one will use.
+ *
+ * Uses Linear SDK lazy-relation method pattern — `.labels` is a method,
+ * not a property.
+ */
+export async function hasOverrideLabel(issue, labelName) {
+    try {
+        const labels = await issue.labels();
+        const target = labelName.toLowerCase();
+        return labels.nodes.some((l) => l.name.toLowerCase() === target);
+    }
+    catch {
+        return false;
+    }
+}
+//# sourceMappingURL=override.js.map

package/dist/policy/override.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"override.js","sourceRoot":"","sources":["../../src/policy/override.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CACpC,KAAoE,EACpE,SAAiB;IAEjB,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,KAAK,CAAC,MAAM,EAAE,CAAC;QACpC,MAAM,MAAM,GAAG,SAAS,CAAC,WAAW,EAAE,CAAC;QACvC,OAAO,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,WAAW,EAAE,KAAK,MAAM,CAAC,CAAC;IACnE,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC"}

package/dist/policy/path-gate.d.ts

@@ -0,0 +1,3 @@
+import type { PolicyViolation } from "./types.js";
+export declare function evaluatePathBlocklist(changedFiles: string[], patterns: string[]): PolicyViolation[];
+//# sourceMappingURL=path-gate.d.ts.map

package/dist/policy/path-gate.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"path-gate.d.ts","sourceRoot":"","sources":["../../src/policy/path-gate.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,YAAY,CAAC;AAElD,wBAAgB,qBAAqB,CACnC,YAAY,EAAE,MAAM,EAAE,EACtB,QAAQ,EAAE,MAAM,EAAE,GACjB,eAAe,EAAE,CAgBnB"}

package/dist/policy/path-gate.js

@@ -0,0 +1,20 @@
+import { matchesAnyPattern } from "../util/glob.js";
+export function evaluatePathBlocklist(changedFiles, patterns) {
+    if (patterns.length === 0)
+        return [];
+    const violations = [];
+    for (const file of changedFiles) {
+        for (const pattern of patterns) {
+            if (matchesAnyPattern(file, [pattern])) {
+                violations.push({
+                    gate: "path",
+                    detail: `${file} matches ${pattern}`,
+                    severity: "blocking",
+                    payload: { path: file, pattern },
+                });
+            }
+        }
+    }
+    return violations;
+}
+//# sourceMappingURL=path-gate.js.map

package/dist/policy/path-gate.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"path-gate.js","sourceRoot":"","sources":["../../src/policy/path-gate.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,MAAM,iBAAiB,CAAC;AAGpD,MAAM,UAAU,qBAAqB,CACnC,YAAsB,EACtB,QAAkB;IAElB,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,EAAE,CAAC;IACrC,MAAM,UAAU,GAAsB,EAAE,CAAC;IACzC,KAAK,MAAM,IAAI,IAAI,YAAY,EAAE,CAAC;QAChC,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;YAC/B,IAAI,iBAAiB,CAAC,IAAI,EAAE,CAAC,OAAO,CAAC,CAAC,EAAE,CAAC;gBACvC,UAAU,CAAC,IAAI,CAAC;oBACd,IAAI,EAAE,MAAM;oBACZ,MAAM,EAAE,GAAG,IAAI,YAAY,OAAO,EAAE;oBACpC,QAAQ,EAAE,UAAU;oBACpB,OAAO,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,OAAO,EAAE;iBACjC,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IACD,OAAO,UAAU,CAAC;AACpB,CAAC"}

package/dist/policy/reviewer-gate.d.ts

@@ -0,0 +1,45 @@
+import type { Policy } from "../types.js";
+/** Test-only: clear the team membership cache between runs. */
+export declare function _clearTeamMembershipCache(): void;
+export interface ReviewerRequest {
+    users: string[];
+    teams: string[];
+}
+export declare function buildReviewerRequest(policy: Policy | undefined): ReviewerRequest | null;
+export interface ApprovalVerification {
+    satisfied: boolean;
+    missingUsers: string[];
+    missingTeams: string[];
+}
+/**
+ * Query a GitHub PR's reviews and compare approving reviewers against the
+ * required set. A required user is satisfied if they personally approved.
+ * A required team is satisfied if any member of the team approved.
+ */
+export declare function verifyApprovalsReceived(octokit: {
+    pulls: {
+        listReviews: (args: {
+            owner: string;
+            repo: string;
+            pull_number: number;
+        }) => Promise<{
+            data: Array<{
+                user: {
+                    login: string;
+                } | null;
+                state: string;
+            }>;
+        }>;
+    };
+    teams: {
+        listMembersInOrg: (args: {
+            org: string;
+            team_slug: string;
+        }) => Promise<{
+            data: Array<{
+                login: string;
+            }>;
+        }>;
+    };
+}, owner: string, repo: string, pull_number: number, required: ReviewerRequest): Promise<ApprovalVerification>;
+//# sourceMappingURL=reviewer-gate.d.ts.map

package/dist/policy/reviewer-gate.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"reviewer-gate.d.ts","sourceRoot":"","sources":["../../src/policy/reviewer-gate.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,MAAM,EAAE,MAAM,aAAa,CAAC;AAqB1C,+DAA+D;AAC/D,wBAAgB,yBAAyB,IAAI,IAAI,CAEhD;AAED,MAAM,WAAW,eAAe;IAC9B,KAAK,EAAE,MAAM,EAAE,CAAC;IAChB,KAAK,EAAE,MAAM,EAAE,CAAC;CACjB;AAED,wBAAgB,oBAAoB,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,GAAG,eAAe,GAAG,IAAI,CAKvF;AAED,MAAM,WAAW,oBAAoB;IACnC,SAAS,EAAE,OAAO,CAAC;IACnB,YAAY,EAAE,MAAM,EAAE,CAAC;IACvB,YAAY,EAAE,MAAM,EAAE,CAAC;CACxB;AAED;;;;GAIG;AACH,wBAAsB,uBAAuB,CAC3C,OAAO,EAAE;IACP,KAAK,EAAE;QACL,WAAW,EAAE,CAAC,IAAI,EAAE;YAClB,KAAK,EAAE,MAAM,CAAC;YACd,IAAI,EAAE,MAAM,CAAC;YACb,WAAW,EAAE,MAAM,CAAC;SACrB,KAAK,OAAO,CAAC;YAAE,IAAI,EAAE,KAAK,CAAC;gBAAE,IAAI,EAAE;oBAAE,KAAK,EAAE,MAAM,CAAA;iBAAE,GAAG,IAAI,CAAC;gBAAC,KAAK,EAAE,MAAM,CAAA;aAAE,CAAC,CAAA;SAAE,CAAC,CAAC;KACnF,CAAC;IACF,KAAK,EAAE;QACL,gBAAgB,EAAE,CAAC,IAAI,EAAE;YACvB,GAAG,EAAE,MAAM,CAAC;YACZ,SAAS,EAAE,MAAM,CAAC;SACnB,KAAK,OAAO,CAAC;YAAE,IAAI,EAAE,KAAK,CAAC;gBAAE,KAAK,EAAE,MAAM,CAAA;aAAE,CAAC,CAAA;SAAE,CAAC,CAAC;KACnD,CAAC;CACH,EACD,KAAK,EAAE,MAAM,EACb,IAAI,EAAE,MAAM,EACZ,WAAW,EAAE,MAAM,EACnB,QAAQ,EAAE,eAAe,GACxB,OAAO,CAAC,oBAAoB,CAAC,CA+C/B"}

package/dist/policy/reviewer-gate.js

@@ -0,0 +1,77 @@
+/**
+ * TTL cache for GitHub team membership lookups. High-frequency CI webhooks on
+ * a PR with multiple required teams otherwise call `listMembersInOrg` on every
+ * check, exhausting GitHub's secondary rate limit.
+ *
+ * Cache key: `${org}/${team_slug}`. Stale entries are evicted on read.
+ * Default TTL: 15 minutes (team rosters change infrequently).
+ *
+ * This is module-level state — acceptable here because (a) team membership is
+ * not tenant-scoped in any way within a single process, and (b) the cache is
+ * memory-only so key rotation requires a process restart anyway.
+ */
+const TEAM_CACHE_TTL_MS = 15 * 60 * 1000;
+const teamCache = new Map();
+/** Test-only: clear the team membership cache between runs. */
+export function _clearTeamMembershipCache() {
+    teamCache.clear();
+}
+export function buildReviewerRequest(policy) {
+    const r = policy?.mandatoryReviewers;
+    if (!r)
+        return null;
+    if (r.users.length === 0 && r.teams.length === 0)
+        return null;
+    return { users: [...r.users], teams: [...r.teams] };
+}
+/**
+ * Query a GitHub PR's reviews and compare approving reviewers against the
+ * required set. A required user is satisfied if they personally approved.
+ * A required team is satisfied if any member of the team approved.
+ */
+export async function verifyApprovalsReceived(octokit, owner, repo, pull_number, required) {
+    if (required.users.length === 0 && required.teams.length === 0) {
+        return { satisfied: true, missingUsers: [], missingTeams: [] };
+    }
+    const reviews = await octokit.pulls.listReviews({ owner, repo, pull_number });
+    // De-dup by user: listReviews returns reviews chronologically (oldest first),
+    // so iterating and overwriting gives the latest state per user. A user who
+    // APPROVED then CHANGES_REQUESTED must NOT count as approved.
+    const latestByUser = new Map();
+    for (const r of reviews.data) {
+        if (r.user)
+            latestByUser.set(r.user.login.toLowerCase(), r.state);
+    }
+    const approved = new Set(Array.from(latestByUser.entries())
+        .filter(([, state]) => state === "APPROVED")
+        .map(([login]) => login));
+    const missingUsers = required.users.filter((u) => !approved.has(u.toLowerCase()));
+    const missingTeams = [];
+    const now = Date.now();
+    for (const team of required.teams) {
+        // Null byte separator: unambiguous even if a future API allows "/" in
+        // org or team slugs. GitHub today forbids "/" in both, so this is
+        // defensive rather than strictly necessary.
+        const cacheKey = `${owner}\x00${team}`;
+        let memberLogins;
+        const cached = teamCache.get(cacheKey);
+        if (cached && cached.expiresAt > now) {
+            memberLogins = cached.members;
+        }
+        else {
+            const members = await octokit.teams.listMembersInOrg({ org: owner, team_slug: team });
+            memberLogins = members.data.map((m) => m.login.toLowerCase());
+            teamCache.set(cacheKey, { members: memberLogins, expiresAt: now + TEAM_CACHE_TTL_MS });
+        }
+        const memberSet = new Set(memberLogins);
+        const anyApproved = Array.from(approved).some((u) => memberSet.has(u));
+        if (!anyApproved)
+            missingTeams.push(team);
+    }
+    return {
+        satisfied: missingUsers.length === 0 && missingTeams.length === 0,
+        missingUsers,
+        missingTeams,
+    };
+}
+//# sourceMappingURL=reviewer-gate.js.map

package/dist/policy/reviewer-gate.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"reviewer-gate.js","sourceRoot":"","sources":["../../src/policy/reviewer-gate.ts"],"names":[],"mappings":"AAEA;;;;;;;;;;;GAWG;AACH,MAAM,iBAAiB,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC;AAKzC,MAAM,SAAS,GAAG,IAAI,GAAG,EAA0B,CAAC;AAEpD,+DAA+D;AAC/D,MAAM,UAAU,yBAAyB;IACvC,SAAS,CAAC,KAAK,EAAE,CAAC;AACpB,CAAC;AAOD,MAAM,UAAU,oBAAoB,CAAC,MAA0B;IAC7D,MAAM,CAAC,GAAG,MAAM,EAAE,kBAAkB,CAAC;IACrC,IAAI,CAAC,CAAC;QAAE,OAAO,IAAI,CAAC;IACpB,IAAI,CAAC,CAAC,KAAK,CAAC,MAAM,KAAK,CAAC,IAAI,CAAC,CAAC,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAC9D,OAAO,EAAE,KAAK,EAAE,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,EAAE,KAAK,EAAE,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,EAAE,CAAC;AACtD,CAAC;AAQD;;;;GAIG;AACH,MAAM,CAAC,KAAK,UAAU,uBAAuB,CAC3C,OAcC,EACD,KAAa,EACb,IAAY,EACZ,WAAmB,EACnB,QAAyB;IAEzB,IAAI,QAAQ,CAAC,KAAK,CAAC,MAAM,KAAK,CAAC,IAAI,QAAQ,CAAC,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC/D,OAAO,EAAE,SAAS,EAAE,IAAI,EAAE,YAAY,EAAE,EAAE,EAAE,YAAY,EAAE,EAAE,EAAE,CAAC;IACjE,CAAC;IAED,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,KAAK,CAAC,WAAW,CAAC,EAAE,KAAK,EAAE,IAAI,EAAE,WAAW,EAAE,CAAC,CAAC;IAC9E,8EAA8E;IAC9E,2EAA2E;IAC3E,8DAA8D;IAC9D,MAAM,YAAY,GAAG,IAAI,GAAG,EAAkB,CAAC;IAC/C,KAAK,MAAM,CAAC,IAAI,OAAO,CAAC,IAAI,EAAE,CAAC;QAC7B,IAAI,CAAC,CAAC,IAAI;YAAE,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,WAAW,EAAE,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC;IACpE,CAAC;IACD,MAAM,QAAQ,GAAG,IAAI,GAAG,CACtB,KAAK,CAAC,IAAI,CAAC,YAAY,CAAC,OAAO,EAAE,CAAC;SAC/B,MAAM,CAAC,CAAC,CAAC,EAAE,KAAK,CAAC,EAAE,EAAE,CAAC,KAAK,KAAK,UAAU,CAAC;SAC3C,GAAG,CAAC,CAAC,CAAC,KAAK,CAAC,EAAE,EAAE,CAAC,KAAK,CAAC,CAC3B,CAAC;IAEF,MAAM,YAAY,GAAG,QAAQ,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC;IAElF,MAAM,YAAY,GAAa,EAAE,CAAC;IAClC,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IACvB,KAAK,MAAM,IAAI,IAAI,QAAQ,CAAC,KAAK,EAAE,CAAC;QAClC,sEAAsE;QACtE,kEAAkE;QAClE,4CAA4C;QAC5C,MAAM,QAAQ,GAAG,GAAG,KAAK,OAAO,IAAI,EAAE,CAAC;QACvC,IAAI,YAAsB,CAAC;QAC3B,MAAM,MAAM,GAAG,SAAS,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QACvC,IAAI,MAAM,IAAI,MAAM,CAAC,SAAS,GAAG,GAAG,EAAE,CAAC;YACrC,YAAY,GAAG,MAAM,CAAC,OAAO,CAAC;QAChC,CAAC;aAAM,CAAC;YACN,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,KAAK,CAAC,gBAAgB,CAAC,EAAE,GAAG,EAAE,KAAK,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;YACtF,YAAY,GAAG,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,WAAW,EAAE,CAAC,CAAC;YAC9D,SAAS,CAAC,GAAG,CAAC,QAAQ,EAAE,EAAE,OAAO,EAAE,YAAY,EAAE,SAAS,EAAE,GAAG,GAAG,iBAAiB,EAAE,CAAC,CAAC;QACzF,CAAC;QACD,MAAM,SAAS,GAAG,IAAI,GAAG,CAAC,YAAY,CAAC,CAAC;QACxC,MAAM,WAAW,GAAG,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;QACvE,IAAI,CAAC,WAAW;YAAE,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC5C,CAAC;IAED,OAAO;QACL,SAAS,EAAE,YAAY,CAAC,MAAM,KAAK,CAAC,IAAI,YAAY,CAAC,MAAM,KAAK,CAAC;QACjE,YAAY;QACZ,YAAY;KACb,CAAC;AACJ,CAAC"}

package/dist/policy/types.d.ts

@@ -0,0 +1,7 @@
+export interface PolicyViolation {
+    gate: "path" | "cost" | "reviewer";
+    detail: string;
+    severity: "blocking";
+    payload: Record<string, unknown>;
+}
+//# sourceMappingURL=types.d.ts.map

package/dist/policy/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/policy/types.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,eAAe;IAC9B,IAAI,EAAE,MAAM,GAAG,MAAM,GAAG,UAAU,CAAC;IACnC,MAAM,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,UAAU,CAAC;IACrB,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CAClC"}

package/dist/policy/types.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=types.js.map

package/dist/policy/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/policy/types.ts"],"names":[],"mappings":""}

package/dist/rbac/errors.d.ts

@@ -0,0 +1,7 @@
+export declare class SelfDemoteError extends Error {
+    constructor();
+}
+export declare class LastAdminError extends Error {
+    constructor();
+}
+//# sourceMappingURL=errors.d.ts.map

package/dist/rbac/errors.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../../src/rbac/errors.ts"],"names":[],"mappings":"AAAA,qBAAa,eAAgB,SAAQ,KAAK;;CAKzC;AAED,qBAAa,cAAe,SAAQ,KAAK;;CAKxC"}

package/dist/rbac/errors.js

@@ -0,0 +1,13 @@
+export class SelfDemoteError extends Error {
+    constructor() {
+        super("An admin cannot demote themselves");
+        this.name = "SelfDemoteError";
+    }
+}
+export class LastAdminError extends Error {
+    constructor() {
+        super("Cannot demote the last remaining admin");
+        this.name = "LastAdminError";
+    }
+}
+//# sourceMappingURL=errors.js.map

package/dist/rbac/errors.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.js","sourceRoot":"","sources":["../../src/rbac/errors.ts"],"names":[],"mappings":"AAAA,MAAM,OAAO,eAAgB,SAAQ,KAAK;IACxC;QACE,KAAK,CAAC,mCAAmC,CAAC,CAAC;QAC3C,IAAI,CAAC,IAAI,GAAG,iBAAiB,CAAC;IAChC,CAAC;CACF;AAED,MAAM,OAAO,cAAe,SAAQ,KAAK;IACvC;QACE,KAAK,CAAC,wCAAwC,CAAC,CAAC;QAChD,IAAI,CAAC,IAAI,GAAG,gBAAgB,CAAC;IAC/B,CAAC;CACF"}

package/dist/rbac/index.d.ts

@@ -0,0 +1,5 @@
+export * from "./types.js";
+export * from "./matrix.js";
+export * from "./errors.js";
+export * from "./user-role-store.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/rbac/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/rbac/index.ts"],"names":[],"mappings":"AAAA,cAAc,YAAY,CAAC;AAC3B,cAAc,aAAa,CAAC;AAC5B,cAAc,aAAa,CAAC;AAC5B,cAAc,sBAAsB,CAAC"}

package/dist/rbac/index.js

@@ -0,0 +1,5 @@
+export * from "./types.js";
+export * from "./matrix.js";
+export * from "./errors.js";
+export * from "./user-role-store.js";
+//# sourceMappingURL=index.js.map

package/dist/rbac/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/rbac/index.ts"],"names":[],"mappings":"AAAA,cAAc,YAAY,CAAC;AAC3B,cAAc,aAAa,CAAC;AAC5B,cAAc,aAAa,CAAC;AAC5B,cAAc,sBAAsB,CAAC"}

package/dist/rbac/matrix.d.ts

@@ -0,0 +1,35 @@
+import type { Role } from "./types.js";
+export declare const PERMISSION_MATRIX: {
+    readonly "runs.view": readonly ["admin", "operator", "viewer"];
+    readonly "runs.retry": readonly ["admin", "operator"];
+    readonly "tokens.view": readonly ["admin", "operator", "viewer"];
+    readonly "audit.view": readonly ["admin", "operator"];
+    readonly "audit.export": readonly ["admin", "operator"];
+    readonly "cost.view": readonly ["admin", "operator"];
+    readonly "cost.export": readonly ["admin", "operator"];
+    readonly "errors.view": readonly ["admin", "operator", "viewer"];
+    readonly "coordination.view": readonly ["admin", "operator"];
+    readonly "config.view": readonly ["admin"];
+    readonly "users.view": readonly ["admin"];
+    readonly "users.manage": readonly ["admin"];
+};
+export type PermissionKey = keyof typeof PERMISSION_MATRIX;
+/**
+ * Check whether `role` is allowed to perform `action`.
+ *
+ * Defensive license gate: returns `false` (fail closed, "no permission") with
+ * a structured warn when the `rbac` feature is not licensed. The gate is
+ * additive to — not a replacement for — the upstream guards in the dashboard
+ * middleware and the runs UI, both of which already skip calling `canAccess`
+ * in OSS mode. Its purpose is to ensure any future direct caller of the rbac
+ * module — a new route, CLI command, third-party integration — cannot
+ * silently grant permissions without a license check.
+ *
+ * Returns `false` rather than throwing because callers (e.g., the canRetry
+ * ternary in `dashboard/src/routes/runs.ts`) treat the result as a predicate.
+ * Initializers that cannot tolerate a silent denial should mirror the
+ * `getDefaultWorkosClient` pattern in `auth/workos-client.ts` (throws
+ * `LicenseRequiredError`).
+ */
+export declare function canAccess(role: Role, action: PermissionKey): boolean;
+//# sourceMappingURL=matrix.d.ts.map

package/dist/rbac/matrix.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"matrix.d.ts","sourceRoot":"","sources":["../../src/rbac/matrix.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,YAAY,CAAC;AAMvC,eAAO,MAAM,iBAAiB;;;;;;;;;;;;;CAasB,CAAC;AAErD,MAAM,MAAM,aAAa,GAAG,MAAM,OAAO,iBAAiB,CAAC;AAE3D;;;;;;;;;;;;;;;;GAgBG;AACH,wBAAgB,SAAS,CAAC,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,aAAa,GAAG,OAAO,CASpE"}

package/dist/rbac/matrix.js

@@ -0,0 +1,42 @@
+import { isFeatureLicensed } from "../license.js";
+import { createLogger } from "../logger.js";
+const log = createLogger({ component: "rbac" });
+export const PERMISSION_MATRIX = {
+    "runs.view": ["admin", "operator", "viewer"],
+    "runs.retry": ["admin", "operator"],
+    "tokens.view": ["admin", "operator", "viewer"],
+    "audit.view": ["admin", "operator"],
+    "audit.export": ["admin", "operator"],
+    "cost.view": ["admin", "operator"],
+    "cost.export": ["admin", "operator"],
+    "errors.view": ["admin", "operator", "viewer"],
+    "coordination.view": ["admin", "operator"],
+    "config.view": ["admin"],
+    "users.view": ["admin"],
+    "users.manage": ["admin"],
+};
+/**
+ * Check whether `role` is allowed to perform `action`.
+ *
+ * Defensive license gate: returns `false` (fail closed, "no permission") with
+ * a structured warn when the `rbac` feature is not licensed. The gate is
+ * additive to — not a replacement for — the upstream guards in the dashboard
+ * middleware and the runs UI, both of which already skip calling `canAccess`
+ * in OSS mode. Its purpose is to ensure any future direct caller of the rbac
+ * module — a new route, CLI command, third-party integration — cannot
+ * silently grant permissions without a license check.
+ *
+ * Returns `false` rather than throwing because callers (e.g., the canRetry
+ * ternary in `dashboard/src/routes/runs.ts`) treat the result as a predicate.
+ * Initializers that cannot tolerate a silent denial should mirror the
+ * `getDefaultWorkosClient` pattern in `auth/workos-client.ts` (throws
+ * `LicenseRequiredError`).
+ */
+export function canAccess(role, action) {
+    if (!isFeatureLicensed("rbac")) {
+        log.warn({ feature: "rbac", action, role }, "canAccess called without an enterprise license — denying (fail closed)");
+        return false;
+    }
+    return PERMISSION_MATRIX[action].includes(role);
+}
+//# sourceMappingURL=matrix.js.map

package/dist/rbac/matrix.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"matrix.js","sourceRoot":"","sources":["../../src/rbac/matrix.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,iBAAiB,EAAE,MAAM,eAAe,CAAC;AAClD,OAAO,EAAE,YAAY,EAAE,MAAM,cAAc,CAAC;AAE5C,MAAM,GAAG,GAAG,YAAY,CAAC,EAAE,SAAS,EAAE,MAAM,EAAE,CAAC,CAAC;AAEhD,MAAM,CAAC,MAAM,iBAAiB,GAAG;IAC/B,WAAW,EAAU,CAAC,OAAO,EAAE,UAAU,EAAE,QAAQ,CAAC;IACpD,YAAY,EAAS,CAAC,OAAO,EAAE,UAAU,CAAC;IAC1C,aAAa,EAAQ,CAAC,OAAO,EAAE,UAAU,EAAE,QAAQ,CAAC;IACpD,YAAY,EAAS,CAAC,OAAO,EAAE,UAAU,CAAC;IAC1C,cAAc,EAAO,CAAC,OAAO,EAAE,UAAU,CAAC;IAC1C,WAAW,EAAU,CAAC,OAAO,EAAE,UAAU,CAAC;IAC1C,aAAa,EAAQ,CAAC,OAAO,EAAE,UAAU,CAAC;IAC1C,aAAa,EAAQ,CAAC,OAAO,EAAE,UAAU,EAAE,QAAQ,CAAC;IACpD,mBAAmB,EAAE,CAAC,OAAO,EAAE,UAAU,CAAC;IAC1C,aAAa,EAAQ,CAAC,OAAO,CAAC;IAC9B,YAAY,EAAS,CAAC,OAAO,CAAC;IAC9B,cAAc,EAAO,CAAC,OAAO,CAAC;CACoB,CAAC;AAIrD;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,UAAU,SAAS,CAAC,IAAU,EAAE,MAAqB;IACzD,IAAI,CAAC,iBAAiB,CAAC,MAAM,CAAC,EAAE,CAAC;QAC/B,GAAG,CAAC,IAAI,CACN,EAAE,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,EACjC,wEAAwE,CACzE,CAAC;QACF,OAAO,KAAK,CAAC;IACf,CAAC;IACD,OAAQ,iBAAiB,CAAC,MAAM,CAAqB,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;AACvE,CAAC"}

package/dist/rbac/types.d.ts

@@ -0,0 +1,2 @@
+export type Role = "admin" | "operator" | "viewer";
+//# sourceMappingURL=types.d.ts.map

package/dist/rbac/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/rbac/types.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,IAAI,GAAG,OAAO,GAAG,UAAU,GAAG,QAAQ,CAAC"}

package/dist/rbac/types.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=types.js.map

package/dist/rbac/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/rbac/types.ts"],"names":[],"mappings":""}

package/dist/rbac/user-role-store.d.ts

@@ -0,0 +1,27 @@
+import type { AnyDb } from "../db/client.js";
+import type { Role } from "./types.js";
+export interface SetUserRoleArgs {
+    userId: string;
+    newRole: Role;
+    actorUserId: string;
+    reason?: string;
+}
+export declare function setUserRole(db: AnyDb, args: SetUserRoleArgs): Promise<void>;
+export declare function getUserRole(db: AnyDb, userId: string): Promise<Role | null>;
+/**
+ * If the user's email matches `envAdminList` (comma-separated, case-insensitive),
+ * promote them to admin. Idempotent — already-admin users are not re-promoted
+ * and no audit event is written. Emits a `dashboard.manual_action` event with
+ * `action: "bootstrap_admin"` on successful promotion.
+ *
+ * Returns true if the role was changed.
+ */
+export declare function applyBootstrapAdmins(db: AnyDb, email: string, userId: string, envAdminList: string | undefined): Promise<boolean>;
+export declare function listUsers(db: AnyDb): Promise<Array<{
+    id: string;
+    email: string;
+    name: string | null;
+    role: Role;
+    lastLoginAt: Date | null;
+}>>;
+//# sourceMappingURL=user-role-store.d.ts.map

package/dist/rbac/user-role-store.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"user-role-store.d.ts","sourceRoot":"","sources":["../../src/rbac/user-role-store.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,iBAAiB,CAAC;AAS7C,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,YAAY,CAAC;AAGvC,MAAM,WAAW,eAAe;IAC9B,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,IAAI,CAAC;IACd,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB;AAED,wBAAsB,WAAW,CAAC,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,eAAe,GAAG,OAAO,CAAC,IAAI,CAAC,CA+FjF;AAED,wBAAsB,WAAW,CAAC,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,GAAG,IAAI,CAAC,CAOjF;AAED;;;;;;;GAOG;AACH,wBAAsB,oBAAoB,CACxC,EAAE,EAAE,KAAK,EACT,KAAK,EAAE,MAAM,EACb,MAAM,EAAE,MAAM,EACd,YAAY,EAAE,MAAM,GAAG,SAAS,GAC/B,OAAO,CAAC,OAAO,CAAC,CA+BlB;AAED,wBAAsB,SAAS,CAAC,EAAE,EAAE,KAAK,GAAG,OAAO,CACjD,KAAK,CAAC;IACJ,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,MAAM,GAAG,IAAI,CAAC;IACpB,IAAI,EAAE,IAAI,CAAC;IACX,WAAW,EAAE,IAAI,GAAG,IAAI,CAAC;CAC1B,CAAC,CACH,CAYA"}

package/dist/rbac/user-role-store.js

@@ -0,0 +1,148 @@
+import { and, eq, ne, count, sql } from "drizzle-orm";
+import { isPostgres } from "../db/client.js";
+import { dashboardUsers } from "../db/schema.js";
+import { logAuditEvent, dashboardGrantRoleEvent, dashboardRevokeRoleEvent, dashboardBootstrapAdminEvent, } from "../audit/index.js";
+import { SelfDemoteError, LastAdminError } from "./errors.js";
+export async function setUserRole(db, args) {
+    // The SELECT current / SELECT COUNT / UPDATE sequence MUST share a
+    // transaction to close the TOCTOU race on the last-admin guard. Two
+    // concurrent demotions must not both see `otherAdmins > 0`.
+    //
+    // Driver note: drizzle's `db.transaction(async ...)` is NOT supported on
+    // better-sqlite3 (it throws "Transaction function cannot return a
+    // promise"). For SQLite we issue `BEGIN IMMEDIATE` / `COMMIT` manually,
+    // which acquires a RESERVED lock and serializes concurrent writers.
+    // For Postgres we use the native drizzle transaction API.
+    // `logAuditEvent` is fire-and-forget and runs outside the transaction.
+    let oldRole;
+    let actorEmail = "unknown";
+    let targetEmail;
+    const body = async (handle) => {
+        const currentRows = await handle
+            .select()
+            .from(dashboardUsers)
+            .where(eq(dashboardUsers.id, args.userId));
+        if (currentRows.length === 0)
+            throw new Error(`user not found: ${args.userId}`);
+        const current = currentRows[0];
+        oldRole = current.role;
+        targetEmail = current.email;
+        // Idempotent no-op
+        if (oldRole === args.newRole)
+            return;
+        // Self-lockout
+        if (args.userId === args.actorUserId && args.newRole !== "admin") {
+            throw new SelfDemoteError();
+        }
+        // Last-admin guard: if target is currently admin and we're demoting, count other admins
+        if (oldRole === "admin" && args.newRole !== "admin") {
+            const [row] = await handle
+                .select({ n: count() })
+                .from(dashboardUsers)
+                .where(and(eq(dashboardUsers.role, "admin"), ne(dashboardUsers.id, args.userId)));
+            const otherAdmins = Number(row?.n ?? 0);
+            if (otherAdmins === 0)
+                throw new LastAdminError();
+        }
+        await handle
+            .update(dashboardUsers)
+            .set({ role: args.newRole })
+            .where(eq(dashboardUsers.id, args.userId));
+        const actorRows = await handle
+            .select()
+            .from(dashboardUsers)
+            .where(eq(dashboardUsers.id, args.actorUserId));
+        actorEmail = actorRows[0]?.email ?? "unknown";
+    };
+    if (isPostgres(db)) {
+        await db.transaction(async (tx) => {
+            await body(tx);
+        });
+    }
+    else {
+        // SQLite path — manual transaction. Use BEGIN IMMEDIATE to grab the
+        // RESERVED lock up front, avoiding SQLITE_BUSY under contention.
+        await db.run(sql `BEGIN IMMEDIATE`);
+        try {
+            await body(db);
+            await db.run(sql `COMMIT`);
+        }
+        catch (err) {
+            try {
+                await db.run(sql `ROLLBACK`);
+            }
+            catch {
+                // ignore rollback errors
+            }
+            throw err;
+        }
+    }
+    // Early-exit idempotent no-op: skip audit write.
+    if (oldRole === args.newRole)
+        return;
+    const isRevoke = args.newRole === "viewer";
+    const builder = isRevoke ? dashboardRevokeRoleEvent : dashboardGrantRoleEvent;
+    await logAuditEvent(db, builder({
+        targetUserId: args.userId,
+        targetEmail: targetEmail,
+        oldRole: oldRole,
+        newRole: args.newRole,
+        actorUserId: args.actorUserId,
+        actorEmail,
+    }));
+}
+export async function getUserRole(db, userId) {
+    const rows = await db
+        .select()
+        .from(dashboardUsers)
+        .where(eq(dashboardUsers.id, userId));
+    if (rows.length === 0)
+        return null;
+    return rows[0].role;
+}
+/**
+ * If the user's email matches `envAdminList` (comma-separated, case-insensitive),
+ * promote them to admin. Idempotent — already-admin users are not re-promoted
+ * and no audit event is written. Emits a `dashboard.manual_action` event with
+ * `action: "bootstrap_admin"` on successful promotion.
+ *
+ * Returns true if the role was changed.
+ */
+export async function applyBootstrapAdmins(db, email, userId, envAdminList) {
+    if (!envAdminList || envAdminList.trim() === "")
+        return false;
+    const normalizedEmail = email.trim().toLowerCase();
+    const adminSet = new Set(envAdminList
+        .split(",")
+        .map((s) => s.trim().toLowerCase())
+        .filter(Boolean));
+    if (!adminSet.has(normalizedEmail))
+        return false;
+    // Already admin? No-op.
+    const currentRole = await getUserRole(db, userId);
+    if (currentRole === "admin")
+        return false;
+    // Promote. Bypass setUserRole because the actor is "system", not a user, and
+    // the self-demote/last-admin guards don't apply.
+    await db
+        .update(dashboardUsers)
+        .set({ role: "admin" })
+        .where(eq(dashboardUsers.id, userId));
+    await logAuditEvent(db, dashboardBootstrapAdminEvent({
+        targetUserId: userId,
+        targetEmail: normalizedEmail,
+    }));
+    return true;
+}
+export async function listUsers(db) {
+    const rows = await db.select().from(dashboardUsers);
+    const mapped = rows.map((r) => ({
+        id: r.id,
+        email: r.email,
+        name: r.name ?? null,
+        role: r.role,
+        lastLoginAt: r.lastLoginAt ?? null,
+    }));
+    return mapped.sort((a, b) => a.email.localeCompare(b.email));
+}
+//# sourceMappingURL=user-role-store.js.map

package/dist/rbac/user-role-store.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"user-role-store.js","sourceRoot":"","sources":["../../src/rbac/user-role-store.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,GAAG,EAAE,EAAE,EAAE,EAAE,EAAE,KAAK,EAAE,GAAG,EAAE,MAAM,aAAa,CAAC;AAEtD,OAAO,EAAE,UAAU,EAAE,MAAM,iBAAiB,CAAC;AAC7C,OAAO,EAAE,cAAc,EAAE,MAAM,iBAAiB,CAAC;AACjD,OAAO,EACL,aAAa,EACb,uBAAuB,EACvB,wBAAwB,EACxB,4BAA4B,GAC7B,MAAM,mBAAmB,CAAC;AAE3B,OAAO,EAAE,eAAe,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AAS9D,MAAM,CAAC,KAAK,UAAU,WAAW,CAAC,EAAS,EAAE,IAAqB;IAChE,mEAAmE;IACnE,oEAAoE;IACpE,4DAA4D;IAC5D,EAAE;IACF,yEAAyE;IACzE,kEAAkE;IAClE,wEAAwE;IACxE,oEAAoE;IACpE,0DAA0D;IAC1D,uEAAuE;IACvE,IAAI,OAAa,CAAC;IAClB,IAAI,UAAU,GAAG,SAAS,CAAC;IAC3B,IAAI,WAAmB,CAAC;IAExB,MAAM,IAAI,GAAG,KAAK,EAAE,MAAW,EAAiB,EAAE;QAChD,MAAM,WAAW,GAAG,MAAM,MAAM;aAC7B,MAAM,EAAE;aACR,IAAI,CAAC,cAAc,CAAC;aACpB,KAAK,CAAC,EAAE,CAAC,cAAc,CAAC,EAAE,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC;QAC7C,IAAI,WAAW,CAAC,MAAM,KAAK,CAAC;YAC1B,MAAM,IAAI,KAAK,CAAC,mBAAmB,IAAI,CAAC,MAAM,EAAE,CAAC,CAAC;QACpD,MAAM,OAAO,GAAG,WAAW,CAAC,CAAC,CAA8C,CAAC;QAC5E,OAAO,GAAG,OAAO,CAAC,IAAI,CAAC;QACvB,WAAW,GAAG,OAAO,CAAC,KAAK,CAAC;QAE5B,mBAAmB;QACnB,IAAI,OAAO,KAAK,IAAI,CAAC,OAAO;YAAE,OAAO;QAErC,eAAe;QACf,IAAI,IAAI,CAAC,MAAM,KAAK,IAAI,CAAC,WAAW,IAAI,IAAI,CAAC,OAAO,KAAK,OAAO,EAAE,CAAC;YACjE,MAAM,IAAI,eAAe,EAAE,CAAC;QAC9B,CAAC;QAED,wFAAwF;QACxF,IAAI,OAAO,KAAK,OAAO,IAAI,IAAI,CAAC,OAAO,KAAK,OAAO,EAAE,CAAC;YACpD,MAAM,CAAC,GAAG,CAAC,GAAG,MAAM,MAAM;iBACvB,MAAM,CAAC,EAAE,CAAC,EAAE,KAAK,EAAE,EAAE,CAAC;iBACtB,IAAI,CAAC,cAAc,CAAC;iBACpB,KAAK,CACJ,GAAG,CAAC,EAAE,CAAC,cAAc,CAAC,IAAI,EAAE,OAAO,CAAC,EAAE,EAAE,CAAC,cAAc,CAAC,EAAE,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC,CAC1E,CAAC;YACJ,MAAM,WAAW,GAAG,MAAM,CAAE,GAAW,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC;YACjD,IAAI,WAAW,KAAK,CAAC;gBAAE,MAAM,IAAI,cAAc,EAAE,CAAC;QACpD,CAAC;QAED,MAAM,MAAM;aACT,MAAM,CAAC,cAAc,CAAC;aACtB,GAAG,CAAC,EAAE,IAAI,EAAE,IAAI,CAAC,OAAO,EAAE,CAAC;aAC3B,KAAK,CAAC,EAAE,CAAC,cAAc,CAAC,EAAE,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC;QAE7C,MAAM,SAAS,GAAG,MAAM,MAAM;aAC3B,MAAM,EAAE;aACR,IAAI,CAAC,cAAc,CAAC;aACpB,KAAK,CAAC,EAAE,CAAC,cAAc,CAAC,EAAE,EAAE,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC;QAClD,UAAU,GAAI,SAAS,CAAC,CAAC,CAAS,EAAE,KAAK,IAAI,SAAS,CAAC;IACzD,CAAC,CAAC;IAEF,IAAI,UAAU,CAAC,EAAS,CAAC,EAAE,CAAC;QAC1B,MAAO,EAAU,CAAC,WAAW,CAAC,KAAK,EAAE,EAAO,EAAE,EAAE;YAC9C,MAAM,IAAI,CAAC,EAAE,CAAC,CAAC;QACjB,CAAC,CAAC,CAAC;IACL,CAAC;SAAM,CAAC;QACN,oEAAoE;QACpE,iEAAiE;QACjE,MAAO,EAAU,CAAC,GAAG,CAAC,GAAG,CAAA,iBAAiB,CAAC,CAAC;QAC5C,IAAI,CAAC;YACH,MAAM,IAAI,CAAC,EAAE,CAAC,CAAC;YACf,MAAO,EAAU,CAAC,GAAG,CAAC,GAAG,CAAA,QAAQ,CAAC,CAAC;QACrC,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,CAAC;gBACH,MAAO,EAAU,CAAC,GAAG,CAAC,GAAG,CAAA,UAAU,CAAC,CAAC;YACvC,CAAC;YAAC,MAAM,CAAC;gBACP,yBAAyB;YAC3B,CAAC;YACD,MAAM,GAAG,CAAC;QACZ,CAAC;IACH,CAAC;IAED,iDAAiD;IACjD,IAAI,OAAQ,KAAK,IAAI,CAAC,OAAO;QAAE,OAAO;IAEtC,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,KAAK,QAAQ,CAAC;IAC3C,MAAM,OAAO,GAAG,QAAQ,CAAC,CAAC,CAAC,wBAAwB,CAAC,CAAC,CAAC,uBAAuB,CAAC;IAC9E,MAAM,aAAa,CACjB,EAAE,EACF,OAAO,CAAC;QACN,YAAY,EAAE,IAAI,CAAC,MAAM;QACzB,WAAW,EAAE,WAAY;QACzB,OAAO,EAAE,OAAQ;QACjB,OAAO,EAAE,IAAI,CAAC,OAAO;QACrB,WAAW,EAAE,IAAI,CAAC,WAAW;QAC7B,UAAU;KACX,CAAC,CACH,CAAC;AACJ,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,WAAW,CAAC,EAAS,EAAE,MAAc;IACzD,MAAM,IAAI,GAAG,MAAO,EAAU;SAC3B,MAAM,EAAE;SACR,IAAI,CAAC,cAAc,CAAC;SACpB,KAAK,CAAC,EAAE,CAAC,cAAc,CAAC,EAAE,EAAE,MAAM,CAAC,CAAC,CAAC;IACxC,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACnC,OAAQ,IAAI,CAAC,CAAC,CAAS,CAAC,IAAY,CAAC;AACvC,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,CAAC,KAAK,UAAU,oBAAoB,CACxC,EAAS,EACT,KAAa,EACb,MAAc,EACd,YAAgC;IAEhC,IAAI,CAAC,YAAY,IAAI,YAAY,CAAC,IAAI,EAAE,KAAK,EAAE;QAAE,OAAO,KAAK,CAAC;IAE9D,MAAM,eAAe,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;IACnD,MAAM,QAAQ,GAAG,IAAI,GAAG,CACtB,YAAY;SACT,KAAK,CAAC,GAAG,CAAC;SACV,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC;SAClC,MAAM,CAAC,OAAO,CAAC,CACnB,CAAC;IACF,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,eAAe,CAAC;QAAE,OAAO,KAAK,CAAC;IAEjD,wBAAwB;IACxB,MAAM,WAAW,GAAG,MAAM,WAAW,CAAC,EAAE,EAAE,MAAM,CAAC,CAAC;IAClD,IAAI,WAAW,KAAK,OAAO;QAAE,OAAO,KAAK,CAAC;IAE1C,6EAA6E;IAC7E,iDAAiD;IACjD,MAAO,EAAU;SACd,MAAM,CAAC,cAAc,CAAC;SACtB,GAAG,CAAC,EAAE,IAAI,EAAE,OAAe,EAAE,CAAC;SAC9B,KAAK,CAAC,EAAE,CAAC,cAAc,CAAC,EAAE,EAAE,MAAM,CAAC,CAAC,CAAC;IAExC,MAAM,aAAa,CACjB,EAAE,EACF,4BAA4B,CAAC;QAC3B,YAAY,EAAE,MAAM;QACpB,WAAW,EAAE,eAAe;KAC7B,CAAC,CACH,CAAC;IACF,OAAO,IAAI,CAAC;AACd,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,SAAS,CAAC,EAAS;IASvC,MAAM,IAAI,GAAG,MAAO,EAAU,CAAC,MAAM,EAAE,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;IAC7D,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,CAAM,EAAE,EAAE,CAAC,CAAC;QACnC,EAAE,EAAE,CAAC,CAAC,EAAE;QACR,KAAK,EAAE,CAAC,CAAC,KAAK;QACd,IAAI,EAAE,CAAC,CAAC,IAAI,IAAI,IAAI;QACpB,IAAI,EAAE,CAAC,CAAC,IAAY;QACpB,WAAW,EAAE,CAAC,CAAC,WAAW,IAAI,IAAI;KACnC,CAAC,CAAC,CAAC;IACJ,OAAO,MAAM,CAAC,IAAI,CAAC,CAAC,CAAoB,EAAE,CAAoB,EAAE,EAAE,CAChE,CAAC,CAAC,KAAK,CAAC,aAAa,CAAC,CAAC,CAAC,KAAK,CAAC,CAC/B,CAAC;AACJ,CAAC"}

package/dist/repo/git.d.ts

@@ -146,6 +146,15 @@ export declare function createPRViaCli(options: {
     title: string;
     body: string;
     draft?: boolean;
+    /** GitHub usernames to request review from. */
+    reviewers?: string[];
+    /** GitHub team slugs (without owner prefix) to request review from. */
+    teamReviewers?: string[];
+    /**
+     * Repo owner — required when `teamReviewers` is supplied because
+     * `gh pr create --reviewer` expects `owner/team-slug` for team reviewers.
+     */
+    owner?: string;
 }): Promise<string>;
 /**
  * Merge a PR using the `gh` CLI. Returns true on success.

package/dist/repo/git.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"git.d.ts","sourceRoot":"","sources":["../../src/repo/git.ts"],"names":[],"mappings":"AAqBA;;;;;GAKG;AACH,wBAAgB,OAAO,CAAC,IAAI,EAAE,MAAM,EAAE,EAAE,GAAG,EAAE,MAAM,EAAE,SAAS,SAAU,GAAG,OAAO,CAAC,MAAM,CAAC,CAiBzF;AAED;;;;GAIG;AACH,wBAAsB,WAAW,CAC/B,IAAI,EAAE,MAAM,EAAE,EACd,GAAG,EAAE,MAAM,EACX,SAAS,SAAS,GACjB,OAAO,CAAC,MAAM,CAAC,CAMjB;AAED;;;GAGG;AACH,wBAAgB,UAAU,CAAC,IAAI,EAAE,MAAM,EAAE,EAAE,GAAG,EAAE,MAAM,EAAE,SAAS,SAAS,GAAG,OAAO,CAAC,MAAM,CAAC,CAY3F;AAED;;GAEG;AACH,wBAAsB,SAAS,CAAC,GAAG,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CA2BvE;AAED;;GAEG;AACH,wBAAsB,WAAW,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAEhE;AA0CD;;;;;GAKG;AACH,wBAAsB,cAAc,CAClC,OAAO,EAAE,MAAM,EACf,KAAK,EAAE,MAAM,EACb,MAAM,EAAE,MAAM,EACd,OAAO,GAAE,MAA0B,GAClC,OAAO,CAAC,MAAM,CAAC,CAMjB;AAED;;;;;;GAMG;AACH,wBAAsB,wBAAwB,CAC5C,OAAO,EAAE,MAAM,EACf,KAAK,EAAE,MAAM,EACb,MAAM,EAAE,MAAM,EACd,OAAO,GAAE,MAA0B,GAClC,OAAO,CAAC,MAAM,CAAC,CAOjB;AAED;;;GAGG;AACH,wBAAsB,gBAAgB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAE5E;AAED;;;;;;;;;GASG;AACH,wBAAsB,iBAAiB,CACrC,YAAY,EAAE,MAAM,EACpB,cAAc,EAAE,MAAM,GACrB,OAAO,CAAC,IAAI,CAAC,CAUf;AAED;;;;;;;;;;GAUG;AACH,wBAAsB,kBAAkB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CA0DvE;AAED;;GAEG;AACH,wBAAsB,cAAc,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAoBxE;AAED;;;;GAIG;AACH,wBAAsB,UAAU,CAC9B,YAAY,EAAE,MAAM,EACpB,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,IAAI,CAAC,CAGf;AAED;;;;;;;;GAQG;AACH,wBAAsB,YAAY,CAChC,YAAY,EAAE,MAAM,EACpB,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,YAAY,EAAE,OAAO,CAAA;CAAE,CAAC,CA2BtD;AAED;;;GAGG;AACH,wBAAsB,WAAW,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAErE;AAED;;;;;;GAMG;AACH,wBAAsB,eAAe,CACnC,YAAY,EAAE,MAAM,EACpB,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,IAAI,CAAC,CAGf;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,kBAAkB,CAChC,MAAM,EAAE,MAAM,EACd,cAAc,EAAE,OAAO,GACtB,kBAAkB,GAAG,UAAU,CAKjC;AAED;;;;;;;;;;;GAWG;AACH,wBAAsB,iBAAiB,CACrC,YAAY,EAAE,MAAM,EACpB,OAAO,EAAE,MAAM,EACf,cAAc,CAAC,EAAE,MAAM,GACtB,OAAO,CAAC,OAAO,CAAC,CAqBlB;AAED;;;;;GAKG;AACH,wBAAsB,eAAe,CACnC,YAAY,EAAE,MAAM,EACpB,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC,MAAM,EAAE,CAAC,CAsBnB;AAED;;;GAGG;AACH,wBAAsB,cAAc,CAAC,OAAO,EAAE;IAC5C,YAAY,EAAE,MAAM,CAAC;IACrB,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,CAAC,EAAE,OAAO,CAAC;CACjB,GAAG,OAAO,CAAC,MAAM,CAAC,CA0BlB;AAED;;GAEG;AACH,wBAAsB,aAAa,CACjC,YAAY,EAAE,MAAM,EACpB,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,OAAO,CAAC,CAgBlB;AAED;;;;GAIG;AACH,wBAAsB,eAAe,CAAC,YAAY,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,CAWjG;AAED;;;;GAIG;AACH,wBAAsB,gBAAgB,CAAC,YAAY,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAchG;AAED;;;;;GAKG;AACH,wBAAsB,oBAAoB,CACxC,OAAO,EAAE,MAAM,EACf,OAAO,EAAE,MAAM,GACd,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAuBxB;AAED;;GAEG;AACH,wBAAgB,UAAU,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,MAAM,CAEhE;AAED;;;;;;GAMG;AACH,wBAAsB,gBAAgB,CACpC,OAAO,EAAE,MAAM,EACf,QAAQ,GAAE,MAAW,GACpB,OAAO,CAAC,MAAM,EAAE,CAAC,CAoCnB"}
+{"version":3,"file":"git.d.ts","sourceRoot":"","sources":["../../src/repo/git.ts"],"names":[],"mappings":"AAqBA;;;;;GAKG;AACH,wBAAgB,OAAO,CAAC,IAAI,EAAE,MAAM,EAAE,EAAE,GAAG,EAAE,MAAM,EAAE,SAAS,SAAU,GAAG,OAAO,CAAC,MAAM,CAAC,CAiBzF;AAED;;;;GAIG;AACH,wBAAsB,WAAW,CAC/B,IAAI,EAAE,MAAM,EAAE,EACd,GAAG,EAAE,MAAM,EACX,SAAS,SAAS,GACjB,OAAO,CAAC,MAAM,CAAC,CAMjB;AAED;;;GAGG;AACH,wBAAgB,UAAU,CAAC,IAAI,EAAE,MAAM,EAAE,EAAE,GAAG,EAAE,MAAM,EAAE,SAAS,SAAS,GAAG,OAAO,CAAC,MAAM,CAAC,CAY3F;AAED;;GAEG;AACH,wBAAsB,SAAS,CAAC,GAAG,EAAE,MAAM,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CA2BvE;AAED;;GAEG;AACH,wBAAsB,WAAW,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAEhE;AA0CD;;;;;GAKG;AACH,wBAAsB,cAAc,CAClC,OAAO,EAAE,MAAM,EACf,KAAK,EAAE,MAAM,EACb,MAAM,EAAE,MAAM,EACd,OAAO,GAAE,MAA0B,GAClC,OAAO,CAAC,MAAM,CAAC,CAMjB;AAED;;;;;;GAMG;AACH,wBAAsB,wBAAwB,CAC5C,OAAO,EAAE,MAAM,EACf,KAAK,EAAE,MAAM,EACb,MAAM,EAAE,MAAM,EACd,OAAO,GAAE,MAA0B,GAClC,OAAO,CAAC,MAAM,CAAC,CAOjB;AAED;;;GAGG;AACH,wBAAsB,gBAAgB,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAE5E;AAED;;;;;;;;;GASG;AACH,wBAAsB,iBAAiB,CACrC,YAAY,EAAE,MAAM,EACpB,cAAc,EAAE,MAAM,GACrB,OAAO,CAAC,IAAI,CAAC,CAUf;AAED;;;;;;;;;;GAUG;AACH,wBAAsB,kBAAkB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CA0DvE;AAED;;GAEG;AACH,wBAAsB,cAAc,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAoBxE;AAED;;;;GAIG;AACH,wBAAsB,UAAU,CAC9B,YAAY,EAAE,MAAM,EACpB,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,IAAI,CAAC,CAGf;AAED;;;;;;;;GAQG;AACH,wBAAsB,YAAY,CAChC,YAAY,EAAE,MAAM,EACpB,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC;IAAE,OAAO,EAAE,OAAO,CAAC;IAAC,YAAY,EAAE,OAAO,CAAA;CAAE,CAAC,CA2BtD;AAED;;;GAGG;AACH,wBAAsB,WAAW,CAAC,YAAY,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAErE;AAED;;;;;;GAMG;AACH,wBAAsB,eAAe,CACnC,YAAY,EAAE,MAAM,EACpB,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,IAAI,CAAC,CAGf;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,kBAAkB,CAChC,MAAM,EAAE,MAAM,EACd,cAAc,EAAE,OAAO,GACtB,kBAAkB,GAAG,UAAU,CAKjC;AAED;;;;;;;;;;;GAWG;AACH,wBAAsB,iBAAiB,CACrC,YAAY,EAAE,MAAM,EACpB,OAAO,EAAE,MAAM,EACf,cAAc,CAAC,EAAE,MAAM,GACtB,OAAO,CAAC,OAAO,CAAC,CAqBlB;AAED;;;;;GAKG;AACH,wBAAsB,eAAe,CACnC,YAAY,EAAE,MAAM,EACpB,UAAU,EAAE,MAAM,GACjB,OAAO,CAAC,MAAM,EAAE,CAAC,CAsBnB;AAED;;;GAGG;AACH,wBAAsB,cAAc,CAAC,OAAO,EAAE;IAC5C,YAAY,EAAE,MAAM,CAAC;IACrB,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,CAAC,EAAE,OAAO,CAAC;IAChB,+CAA+C;IAC/C,SAAS,CAAC,EAAE,MAAM,EAAE,CAAC;IACrB,uEAAuE;IACvE,aAAa,CAAC,EAAE,MAAM,EAAE,CAAC;IACzB;;;OAGG;IACH,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB,GAAG,OAAO,CAAC,MAAM,CAAC,CA0ClB;AAED;;GAEG;AACH,wBAAsB,aAAa,CACjC,YAAY,EAAE,MAAM,EACpB,MAAM,EAAE,MAAM,GACb,OAAO,CAAC,OAAO,CAAC,CAgBlB;AAED;;;;GAIG;AACH,wBAAsB,eAAe,CAAC,YAAY,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,CAWjG;AAED;;;;GAIG;AACH,wBAAsB,gBAAgB,CAAC,YAAY,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAchG;AAED;;;;;GAKG;AACH,wBAAsB,oBAAoB,CACxC,OAAO,EAAE,MAAM,EACf,OAAO,EAAE,MAAM,GACd,OAAO,CAAC,MAAM,GAAG,IAAI,CAAC,CAuBxB;AAED;;GAEG;AACH,wBAAgB,UAAU,CAAC,OAAO,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,GAAG,MAAM,CAEhE;AAED;;;;;;GAMG;AACH,wBAAsB,gBAAgB,CACpC,OAAO,EAAE,MAAM,EACf,QAAQ,GAAE,MAAW,GACpB,OAAO,CAAC,MAAM,EAAE,CAAC,CAoCnB"}