@urateam/dashboard 0.1.2 → 0.1.5

package/dist/__tests__/audit.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=audit.test.d.ts.map

package/dist/__tests__/audit.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit.test.d.ts","sourceRoot":"","sources":["../../src/__tests__/audit.test.ts"],"names":[],"mappings":""}

package/dist/__tests__/audit.test.js

@@ -0,0 +1,219 @@
+import { describe, it, expect, beforeEach, afterEach } from "vitest";
+import { generateKeyPairSync, sign } from "node:crypto";
+import { Hono } from "hono";
+import { createDashboard } from "../server.js";
+import { createDb } from "@urateam/core";
+import { auditEvents } from "@urateam/core/dist/db/schema.js";
+import { _resetLicenseCache } from "@urateam/core/dist/license.js";
+// ---------------- license test helper (inlined) ----------------
+function b64url(buf) {
+    return buf
+        .toString("base64")
+        .replace(/\+/g, "-")
+        .replace(/\//g, "_")
+        .replace(/=+$/, "");
+}
+function makeJwt(privateKey, payload) {
+    const header = { alg: "EdDSA", typ: "JWT" };
+    const headerB64 = b64url(Buffer.from(JSON.stringify(header)));
+    const payloadB64 = b64url(Buffer.from(JSON.stringify(payload)));
+    const signingInput = `${headerB64}.${payloadB64}`;
+    const sig = sign(null, Buffer.from(signingInput), privateKey);
+    return `${signingInput}.${b64url(sig)}`;
+}
+let savedPublicKey;
+let savedEnv;
+async function installEnterpriseLicense() {
+    const { publicKey, privateKey } = generateKeyPairSync("ed25519");
+    const publicKeyB64 = Buffer.from(publicKey.export({ format: "der", type: "spki" })).toString("base64");
+    const mod = await import("@urateam/core/dist/license-public-key.js");
+    if (savedPublicKey === undefined) {
+        savedPublicKey = mod
+            .LICENSE_PUBLIC_KEY_DER_B64;
+    }
+    Object.defineProperty(mod, "LICENSE_PUBLIC_KEY_DER_B64", {
+        value: publicKeyB64,
+        writable: true,
+        configurable: true,
+    });
+    const now = Math.floor(Date.now() / 1000);
+    const jwt = makeJwt(privateKey, {
+        iss: "urateams.com",
+        sub: "cust_test",
+        tier: "enterprise",
+        seats: 25,
+        iat: now,
+        exp: now + 86_400,
+    });
+    if (savedEnv === undefined)
+        savedEnv = process.env.URATEAM_LICENSE_KEY;
+    process.env.URATEAM_LICENSE_KEY = jwt;
+    _resetLicenseCache();
+}
+async function restoreLicense() {
+    if (savedPublicKey !== undefined) {
+        const mod = await import("@urateam/core/dist/license-public-key.js");
+        Object.defineProperty(mod, "LICENSE_PUBLIC_KEY_DER_B64", {
+            value: savedPublicKey,
+            writable: true,
+            configurable: true,
+        });
+        savedPublicKey = undefined;
+    }
+    if (savedEnv === undefined) {
+        delete process.env.URATEAM_LICENSE_KEY;
+    }
+    else {
+        process.env.URATEAM_LICENSE_KEY = savedEnv;
+        savedEnv = undefined;
+    }
+    _resetLicenseCache();
+}
+function basicAuthHeader(u, p) {
+    return "Basic " + Buffer.from(`${u}:${p}`).toString("base64");
+}
+const AUTH = { Authorization: basicAuthHeader("admin", "secret") };
+async function seedAuditEvent(db) {
+    await db.insert(auditEvents).values({
+        id: "evt-test-1",
+        timestamp: new Date(),
+        eventType: "pm.issue_promoted",
+        actor: "pm-agent",
+        actorType: "pm-agent",
+        scope: "pm",
+        runId: null,
+        issueId: "ISS-1",
+        inputTokens: 0,
+        outputTokens: 0,
+        payload: JSON.stringify({ reason: "ready" }),
+    });
+}
+// ---------------- tests ----------------
+describe("audit route — unlicensed", () => {
+    beforeEach(async () => {
+        await restoreLicense(); // ensure no license
+    });
+    it("returns 404 for GET /audit when feature is not licensed", async () => {
+        const db = await createDb({ connectionString: ":memory:" });
+        const app = createDashboard({
+            db,
+            pipelineConfigs: {},
+            repoConfigs: {},
+            auth: { username: "admin", password: "secret" },
+        });
+        const res = await app.request("/audit", { headers: AUTH });
+        expect(res.status).toBe(404);
+    });
+    it("returns 404 for GET /audit/export.csv when feature is not licensed", async () => {
+        const db = await createDb({ connectionString: ":memory:" });
+        const app = createDashboard({
+            db,
+            pipelineConfigs: {},
+            repoConfigs: {},
+            auth: { username: "admin", password: "secret" },
+        });
+        const res = await app.request("/audit/export.csv", { headers: AUTH });
+        expect(res.status).toBe(404);
+    });
+});
+describe("audit route — licensed (enterprise)", () => {
+    beforeEach(async () => {
+        await installEnterpriseLicense();
+    });
+    afterEach(async () => {
+        await restoreLicense();
+    });
+    // Enterprise tier enables `rbac`, so `requirePermission("audit.view")`
+    // requires a `user` in context. Wrap the dashboard in an outer Hono and
+    // inject a stub admin user so tests that run in enterprise mode pass.
+    function wrapWithAdminUser(inner) {
+        const outer = new Hono();
+        outer.use("*", async (c, next) => {
+            c.set("user", {
+                id: "u_admin",
+                email: "admin@b.com",
+                role: "admin",
+            });
+            await next();
+        });
+        outer.route("/", inner);
+        return outer;
+    }
+    it("GET /audit returns 200 and renders a seeded event", async () => {
+        const db = await createDb({ connectionString: ":memory:" });
+        await seedAuditEvent(db);
+        const app = wrapWithAdminUser(createDashboard({
+            db,
+            pipelineConfigs: {},
+            repoConfigs: {},
+            auth: { username: "admin", password: "secret" },
+        }));
+        const res = await app.request("/audit", { headers: AUTH });
+        expect(res.status).toBe(200);
+        const html = await res.text();
+        expect(html).toContain("pm.issue_promoted");
+        expect(html).toContain("Audit Log");
+    });
+    it("GET /audit/event/:id returns detail row with full payload", async () => {
+        const db = await createDb({ connectionString: ":memory:" });
+        await seedAuditEvent(db);
+        const app = wrapWithAdminUser(createDashboard({
+            db,
+            pipelineConfigs: {},
+            repoConfigs: {},
+            auth: { username: "admin", password: "secret" },
+        }));
+        const res = await app.request("/audit/event/evt-test-1", { headers: AUTH });
+        expect(res.status).toBe(200);
+        const html = await res.text();
+        expect(html).toContain("audit-detail-row");
+        expect(html).toContain("evt-test-1");
+        // Full payload JSON must be present (formatted with 2-space indent).
+        expect(html).toContain(""reason": "ready"");
+    });
+    it("GET /audit/event/:id returns 404 for missing event", async () => {
+        const db = await createDb({ connectionString: ":memory:" });
+        const app = wrapWithAdminUser(createDashboard({
+            db,
+            pipelineConfigs: {},
+            repoConfigs: {},
+            auth: { username: "admin", password: "secret" },
+        }));
+        // Return 200 (not 404) so HTMX renders the error fragment in the DOM.
+        const res = await app.request("/audit/event/does-not-exist", { headers: AUTH });
+        expect(res.status).toBe(200);
+        const html = await res.text();
+        expect(html).toContain("Event not found");
+    });
+    it("GET /audit includes expand button with hx-get pointing to /audit/event/:id", async () => {
+        const db = await createDb({ connectionString: ":memory:" });
+        await seedAuditEvent(db);
+        const app = wrapWithAdminUser(createDashboard({
+            db,
+            pipelineConfigs: {},
+            repoConfigs: {},
+            auth: { username: "admin", password: "secret" },
+        }));
+        const res = await app.request("/audit", { headers: AUTH });
+        const html = await res.text();
+        expect(html).toContain('hx-get="/audit/event/evt-test-1"');
+        expect(html).toContain('hx-swap="afterend"');
+    });
+    it("GET /audit/export.csv returns 200 text/csv with the header row", async () => {
+        const db = await createDb({ connectionString: ":memory:" });
+        await seedAuditEvent(db);
+        const app = wrapWithAdminUser(createDashboard({
+            db,
+            pipelineConfigs: {},
+            repoConfigs: {},
+            auth: { username: "admin", password: "secret" },
+        }));
+        const res = await app.request("/audit/export.csv", { headers: AUTH });
+        expect(res.status).toBe(200);
+        expect(res.headers.get("content-type") ?? "").toContain("text/csv");
+        const body = await res.text();
+        expect(body).toContain("timestamp_utc,event_type,actor,actor_type,scope,run_id,issue_id,input_tokens,output_tokens,payload_json");
+        expect(body).toContain("pm.issue_promoted");
+    });
+});
+//# sourceMappingURL=audit.test.js.map

package/dist/__tests__/audit.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit.test.js","sourceRoot":"","sources":["../../src/__tests__/audit.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,QAAQ,CAAC;AACrE,OAAO,EAAE,mBAAmB,EAAkB,IAAI,EAAE,MAAM,aAAa,CAAC;AACxE,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAC5B,OAAO,EAAE,eAAe,EAAE,MAAM,cAAc,CAAC;AAC/C,OAAO,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAC;AAEzC,OAAO,EAAE,WAAW,EAAE,MAAM,iCAAiC,CAAC;AAC9D,OAAO,EAAE,kBAAkB,EAAE,MAAM,+BAA+B,CAAC;AAEnE,kEAAkE;AAClE,SAAS,MAAM,CAAC,GAAW;IACzB,OAAO,GAAG;SACP,QAAQ,CAAC,QAAQ,CAAC;SAClB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;SACnB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;SACnB,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;AACxB,CAAC;AAED,SAAS,OAAO,CAAC,UAAqB,EAAE,OAAe;IACrD,MAAM,MAAM,GAAG,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC;IAC5C,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;IAC9D,MAAM,UAAU,GAAG,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;IAChE,MAAM,YAAY,GAAG,GAAG,SAAS,IAAI,UAAU,EAAE,CAAC;IAClD,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC,EAAE,UAAU,CAAC,CAAC;IAC9D,OAAO,GAAG,YAAY,IAAI,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC;AAC1C,CAAC;AAED,IAAI,cAAkC,CAAC;AACvC,IAAI,QAA4B,CAAC;AAEjC,KAAK,UAAU,wBAAwB;IACrC,MAAM,EAAE,SAAS,EAAE,UAAU,EAAE,GAAG,mBAAmB,CAAC,SAAS,CAAC,CAAC;IACjE,MAAM,YAAY,GAAG,MAAM,CAAC,IAAI,CAC9B,SAAS,CAAC,MAAM,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC,CAClD,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;IAErB,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,0CAA0C,CAAC,CAAC;IACrE,IAAI,cAAc,KAAK,SAAS,EAAE,CAAC;QACjC,cAAc,GAAI,GAA8C;aAC7D,0BAA0B,CAAC;IAChC,CAAC;IACD,MAAM,CAAC,cAAc,CAAC,GAAG,EAAE,4BAA4B,EAAE;QACvD,KAAK,EAAE,YAAY;QACnB,QAAQ,EAAE,IAAI;QACd,YAAY,EAAE,IAAI;KACnB,CAAC,CAAC;IAEH,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAC1C,MAAM,GAAG,GAAG,OAAO,CAAC,UAAU,EAAE;QAC9B,GAAG,EAAE,cAAc;QACnB,GAAG,EAAE,WAAW;QAChB,IAAI,EAAE,YAAY;QAClB,KAAK,EAAE,EAAE;QACT,GAAG,EAAE,GAAG;QACR,GAAG,EAAE,GAAG,GAAG,MAAM;KAClB,CAAC,CAAC;IAEH,IAAI,QAAQ,KAAK,SAAS;QAAE,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC;IACvE,OAAO,CAAC,GAAG,CAAC,mBAAmB,GAAG,GAAG,CAAC;IACtC,kBAAkB,EAAE,CAAC;AACvB,CAAC;AAED,KAAK,UAAU,cAAc;IAC3B,IAAI,cAAc,KAAK,SAAS,EAAE,CAAC;QACjC,MAAM,GAAG,GAAG,MAAM,MAAM,CAAC,0CAA0C,CAAC,CAAC;QACrE,MAAM,CAAC,cAAc,CAAC,GAAG,EAAE,4BAA4B,EAAE;YACvD,KAAK,EAAE,cAAc;YACrB,QAAQ,EAAE,IAAI;YACd,YAAY,EAAE,IAAI;SACnB,CAAC,CAAC;QACH,cAAc,GAAG,SAAS,CAAC;IAC7B,CAAC;IACD,IAAI,QAAQ,KAAK,SAAS,EAAE,CAAC;QAC3B,OAAO,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC;IACzC,CAAC;SAAM,CAAC;QACN,OAAO,CAAC,GAAG,CAAC,mBAAmB,GAAG,QAAQ,CAAC;QAC3C,QAAQ,GAAG,SAAS,CAAC;IACvB,CAAC;IACD,kBAAkB,EAAE,CAAC;AACvB,CAAC;AAED,SAAS,eAAe,CAAC,CAAS,EAAE,CAAS;IAC3C,OAAO,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;AAChE,CAAC;AAED,MAAM,IAAI,GAAG,EAAE,aAAa,EAAE,eAAe,CAAC,OAAO,EAAE,QAAQ,CAAC,EAAE,CAAC;AAEnE,KAAK,UAAU,cAAc,CAAC,EAAM;IAClC,MAAO,EAAU,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC,MAAM,CAAC;QAC3C,EAAE,EAAE,YAAY;QAChB,SAAS,EAAE,IAAI,IAAI,EAAE;QACrB,SAAS,EAAE,mBAAmB;QAC9B,KAAK,EAAE,UAAU;QACjB,SAAS,EAAE,UAAU;QACrB,KAAK,EAAE,IAAI;QACX,KAAK,EAAE,IAAI;QACX,OAAO,EAAE,OAAO;QAChB,WAAW,EAAE,CAAC;QACd,YAAY,EAAE,CAAC;QACf,OAAO,EAAE,IAAI,CAAC,SAAS,CAAC,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC;KAC7C,CAAC,CAAC;AACL,CAAC;AAED,0CAA0C;AAC1C,QAAQ,CAAC,0BAA0B,EAAE,GAAG,EAAE;IACxC,UAAU,CAAC,KAAK,IAAI,EAAE;QACpB,MAAM,cAAc,EAAE,CAAC,CAAC,oBAAoB;IAC9C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,yDAAyD,EAAE,KAAK,IAAI,EAAE;QACvE,MAAM,EAAE,GAAG,MAAM,QAAQ,CAAC,EAAE,gBAAgB,EAAE,UAAU,EAAE,CAAC,CAAC;QAC5D,MAAM,GAAG,GAAG,eAAe,CAAC;YAC1B,EAAE;YACF,eAAe,EAAE,EAAE;YACnB,WAAW,EAAE,EAAE;YACf,IAAI,EAAE,EAAE,QAAQ,EAAE,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE;SAChD,CAAC,CAAC;QAEH,MAAM,GAAG,GAAG,MAAM,GAAG,CAAC,OAAO,CAAC,QAAQ,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC;QAC3D,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC/B,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,oEAAoE,EAAE,KAAK,IAAI,EAAE;QAClF,MAAM,EAAE,GAAG,MAAM,QAAQ,CAAC,EAAE,gBAAgB,EAAE,UAAU,EAAE,CAAC,CAAC;QAC5D,MAAM,GAAG,GAAG,eAAe,CAAC;YAC1B,EAAE;YACF,eAAe,EAAE,EAAE;YACnB,WAAW,EAAE,EAAE;YACf,IAAI,EAAE,EAAE,QAAQ,EAAE,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE;SAChD,CAAC,CAAC;QAEH,MAAM,GAAG,GAAG,MAAM,GAAG,CAAC,OAAO,CAAC,mBAAmB,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC;QACtE,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC/B,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,qCAAqC,EAAE,GAAG,EAAE;IACnD,UAAU,CAAC,KAAK,IAAI,EAAE;QACpB,MAAM,wBAAwB,EAAE,CAAC;IACnC,CAAC,CAAC,CAAC;IACH,SAAS,CAAC,KAAK,IAAI,EAAE;QACnB,MAAM,cAAc,EAAE,CAAC;IACzB,CAAC,CAAC,CAAC;IAEH,uEAAuE;IACvE,wEAAwE;IACxE,sEAAsE;IACtE,SAAS,iBAAiB,CAAC,KAAW;QACpC,MAAM,KAAK,GAAG,IAAI,IAAI,EAAE,CAAC;QACzB,KAAK,CAAC,GAAG,CAAC,GAAG,EAAE,KAAK,EAAE,CAAC,EAAE,IAAI,EAAE,EAAE;YAC/B,CAAC,CAAC,GAAG,CAAC,MAAe,EAAE;gBACrB,EAAE,EAAE,SAAS;gBACb,KAAK,EAAE,aAAa;gBACpB,IAAI,EAAE,OAAO;aACP,CAAC,CAAC;YACV,MAAM,IAAI,EAAE,CAAC;QACf,CAAC,CAAC,CAAC;QACH,KAAK,CAAC,KAAK,CAAC,GAAG,EAAE,KAAK,CAAC,CAAC;QACxB,OAAO,KAAK,CAAC;IACf,CAAC;IAED,EAAE,CAAC,mDAAmD,EAAE,KAAK,IAAI,EAAE;QACjE,MAAM,EAAE,GAAG,MAAM,QAAQ,CAAC,EAAE,gBAAgB,EAAE,UAAU,EAAE,CAAC,CAAC;QAC5D,MAAM,cAAc,CAAC,EAAE,CAAC,CAAC;QAEzB,MAAM,GAAG,GAAG,iBAAiB,CAC3B,eAAe,CAAC;YACd,EAAE;YACF,eAAe,EAAE,EAAE;YACnB,WAAW,EAAE,EAAE;YACf,IAAI,EAAE,EAAE,QAAQ,EAAE,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE;SAChD,CAAC,CACH,CAAC;QAEF,MAAM,GAAG,GAAG,MAAM,GAAG,CAAC,OAAO,CAAC,QAAQ,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC;QAC3D,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC7B,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;QAC9B,MAAM,CAAC,IAAI,CAAC,CAAC,SAAS,CAAC,mBAAmB,CAAC,CAAC;QAC5C,MAAM,CAAC,IAAI,CAAC,CAAC,SAAS,CAAC,WAAW,CAAC,CAAC;IACtC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,2DAA2D,EAAE,KAAK,IAAI,EAAE;QACzE,MAAM,EAAE,GAAG,MAAM,QAAQ,CAAC,EAAE,gBAAgB,EAAE,UAAU,EAAE,CAAC,CAAC;QAC5D,MAAM,cAAc,CAAC,EAAE,CAAC,CAAC;QAEzB,MAAM,GAAG,GAAG,iBAAiB,CAC3B,eAAe,CAAC;YACd,EAAE;YACF,eAAe,EAAE,EAAE;YACnB,WAAW,EAAE,EAAE;YACf,IAAI,EAAE,EAAE,QAAQ,EAAE,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE;SAChD,CAAC,CACH,CAAC;QAEF,MAAM,GAAG,GAAG,MAAM,GAAG,CAAC,OAAO,CAAC,yBAAyB,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC;QAC5E,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC7B,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;QAC9B,MAAM,CAAC,IAAI,CAAC,CAAC,SAAS,CAAC,kBAAkB,CAAC,CAAC;QAC3C,MAAM,CAAC,IAAI,CAAC,CAAC,SAAS,CAAC,YAAY,CAAC,CAAC;QACrC,qEAAqE;QACrE,MAAM,CAAC,IAAI,CAAC,CAAC,SAAS,CAAC,uCAAuC,CAAC,CAAC;IAClE,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,oDAAoD,EAAE,KAAK,IAAI,EAAE;QAClE,MAAM,EAAE,GAAG,MAAM,QAAQ,CAAC,EAAE,gBAAgB,EAAE,UAAU,EAAE,CAAC,CAAC;QAE5D,MAAM,GAAG,GAAG,iBAAiB,CAC3B,eAAe,CAAC;YACd,EAAE;YACF,eAAe,EAAE,EAAE;YACnB,WAAW,EAAE,EAAE;YACf,IAAI,EAAE,EAAE,QAAQ,EAAE,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE;SAChD,CAAC,CACH,CAAC;QAEF,sEAAsE;QACtE,MAAM,GAAG,GAAG,MAAM,GAAG,CAAC,OAAO,CAAC,6BAA6B,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC;QAChF,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC7B,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;QAC9B,MAAM,CAAC,IAAI,CAAC,CAAC,SAAS,CAAC,iBAAiB,CAAC,CAAC;IAC5C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,4EAA4E,EAAE,KAAK,IAAI,EAAE;QAC1F,MAAM,EAAE,GAAG,MAAM,QAAQ,CAAC,EAAE,gBAAgB,EAAE,UAAU,EAAE,CAAC,CAAC;QAC5D,MAAM,cAAc,CAAC,EAAE,CAAC,CAAC;QAEzB,MAAM,GAAG,GAAG,iBAAiB,CAC3B,eAAe,CAAC;YACd,EAAE;YACF,eAAe,EAAE,EAAE;YACnB,WAAW,EAAE,EAAE;YACf,IAAI,EAAE,EAAE,QAAQ,EAAE,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE;SAChD,CAAC,CACH,CAAC;QAEF,MAAM,GAAG,GAAG,MAAM,GAAG,CAAC,OAAO,CAAC,QAAQ,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC;QAC3D,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;QAC9B,MAAM,CAAC,IAAI,CAAC,CAAC,SAAS,CAAC,kCAAkC,CAAC,CAAC;QAC3D,MAAM,CAAC,IAAI,CAAC,CAAC,SAAS,CAAC,oBAAoB,CAAC,CAAC;IAC/C,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,gEAAgE,EAAE,KAAK,IAAI,EAAE;QAC9E,MAAM,EAAE,GAAG,MAAM,QAAQ,CAAC,EAAE,gBAAgB,EAAE,UAAU,EAAE,CAAC,CAAC;QAC5D,MAAM,cAAc,CAAC,EAAE,CAAC,CAAC;QAEzB,MAAM,GAAG,GAAG,iBAAiB,CAC3B,eAAe,CAAC;YACd,EAAE;YACF,eAAe,EAAE,EAAE;YACnB,WAAW,EAAE,EAAE;YACf,IAAI,EAAE,EAAE,QAAQ,EAAE,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE;SAChD,CAAC,CACH,CAAC;QAEF,MAAM,GAAG,GAAG,MAAM,GAAG,CAAC,OAAO,CAAC,mBAAmB,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC;QACtE,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC7B,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,IAAI,EAAE,CAAC,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC;QAEpE,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAAE,CAAC;QAC9B,MAAM,CAAC,IAAI,CAAC,CAAC,SAAS,CACpB,yGAAyG,CAC1G,CAAC;QACF,MAAM,CAAC,IAAI,CAAC,CAAC,SAAS,CAAC,mBAAmB,CAAC,CAAC;IAC9C,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/__tests__/auth-routes.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=auth-routes.test.d.ts.map

package/dist/__tests__/auth-routes.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-routes.test.d.ts","sourceRoot":"","sources":["../../src/__tests__/auth-routes.test.ts"],"names":[],"mappings":""}

package/dist/__tests__/auth-routes.test.js

@@ -0,0 +1,116 @@
+import { describe, it, expect, beforeEach, afterEach } from "vitest";
+import { Hono } from "hono";
+import { createDb, signState } from "@urateam/core";
+import { auditEvents, dashboardSessions, } from "@urateam/core/dist/db/schema.js";
+import { createAuthRouter } from "../routes/auth.js";
+import { installTestProLicense, restoreLicense } from "./helpers/license.js";
+let db;
+const ssoConfig = {
+    enabled: true,
+    workosApiKey: "sk_test",
+    workosClientId: "client_test",
+    redirectUri: "https://x/auth/callback",
+    allowedDomain: undefined,
+    sessionDurationHours: 24,
+    cookieName: "urateam_session",
+    cookieSecure: false,
+    stateSigningSecret: "0123456789abcdef0123456789abcdef",
+};
+const stubWorkos = {
+    async getAuthorizationUrl(args) {
+        return `https://workos.example/auth?state=${args.state}&client=${args.clientId}`;
+    },
+    async authenticateWithCode(_args) {
+        return {
+            user: {
+                id: "wu_test",
+                email: "alice@acme.com",
+                firstName: "Alice",
+                lastName: "X",
+            },
+        };
+    },
+};
+beforeEach(async () => {
+    await installTestProLicense("enterprise");
+    db = await createDb({ connectionString: ":memory:" });
+});
+afterEach(async () => {
+    await restoreLicense();
+});
+function buildApp() {
+    const app = new Hono();
+    app.route("/", createAuthRouter({ db, sso: ssoConfig, workos: stubWorkos }));
+    return app;
+}
+// flush fire-and-forget audit writes
+async function tick() {
+    await new Promise((r) => setImmediate(r));
+    await new Promise((r) => setImmediate(r));
+}
+describe("/auth/login", () => {
+    it("returns 302 to a workos url with a signed state", async () => {
+        const res = await buildApp().request("/auth/login?next=/runs");
+        expect(res.status).toBe(302);
+        const loc = res.headers.get("location");
+        expect(loc).toContain("workos.example");
+        expect(loc).toContain("state=");
+    });
+});
+describe("/auth/callback", () => {
+    it("creates a session, sets cookie, writes audit event, redirects to next", async () => {
+        const state = signState({ next: "/runs", nonce: "n" }, ssoConfig.stateSigningSecret);
+        const res = await buildApp().request(`/auth/callback?code=abc&state=${encodeURIComponent(state)}`);
+        expect(res.status).toBe(302);
+        expect(res.headers.get("location")).toBe("/runs");
+        const setCookie = res.headers.get("set-cookie");
+        expect(setCookie).toContain("urateam_session=");
+        expect(setCookie).toContain("HttpOnly");
+        const sessions = await db.select().from(dashboardSessions);
+        expect(sessions).toHaveLength(1);
+        await tick();
+        const events = await db.select().from(auditEvents);
+        expect(events.find((e) => e.eventType === "dashboard.login")).toBeDefined();
+    });
+    it("returns 400 on state mismatch", async () => {
+        const res = await buildApp().request(`/auth/callback?code=abc&state=garbage`);
+        expect(res.status).toBe(400);
+    });
+    it("returns 403 + audit event when allowedDomain rejects", async () => {
+        ssoConfig.allowedDomain = "evil.com";
+        const state = signState({ next: "/", nonce: "n" }, ssoConfig.stateSigningSecret);
+        const res = await buildApp().request(`/auth/callback?code=abc&state=${encodeURIComponent(state)}`);
+        expect(res.status).toBe(403);
+        await tick();
+        const events = await db.select().from(auditEvents);
+        expect(events.find((e) => e.eventType === "dashboard.login_denied")).toBeDefined();
+        ssoConfig.allowedDomain = undefined;
+    });
+});
+describe("/auth/logout", () => {
+    it("deletes session, clears cookie, writes logout event", async () => {
+        const state = signState({ next: "/", nonce: "n" }, ssoConfig.stateSigningSecret);
+        const cb = await buildApp().request(`/auth/callback?code=abc&state=${encodeURIComponent(state)}`);
+        const cookieHeader = cb.headers.get("set-cookie");
+        const sid = cookieHeader.match(/urateam_session=([^;]+)/)[1];
+        // Logout is now CSRF-protected at the server level: the dashboard
+        // middleware requires an HX-Request header on all state-changing
+        // routes. This test drives createAuthRouter directly (no middleware
+        // stack) but we send the header anyway to mirror the real client.
+        const res = await buildApp().request("/auth/logout", {
+            method: "POST",
+            headers: {
+                cookie: `urateam_session=${sid}`,
+                "HX-Request": "true",
+            },
+        });
+        expect(res.status).toBe(302);
+        expect(res.headers.get("location")).toBe("/auth/login");
+        const sessions = await db.select().from(dashboardSessions);
+        expect(sessions).toHaveLength(0);
+        await tick();
+        const events = await db.select().from(auditEvents);
+        expect(events.find((e) => e.eventType === "dashboard.logout")).toBeDefined();
+    });
+});
+//# sourceMappingURL=auth-routes.test.js.map

package/dist/__tests__/auth-routes.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"auth-routes.test.js","sourceRoot":"","sources":["../../src/__tests__/auth-routes.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,MAAM,QAAQ,CAAC;AACrE,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAC5B,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,eAAe,CAAC;AAEpD,OAAO,EACL,WAAW,EACX,iBAAiB,GAClB,MAAM,iCAAiC,CAAC;AACzC,OAAO,EAAE,gBAAgB,EAAE,MAAM,mBAAmB,CAAC;AACrD,OAAO,EAAE,qBAAqB,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAE7E,IAAI,EAAO,CAAC;AACZ,MAAM,SAAS,GAAG;IAChB,OAAO,EAAE,IAAI;IACb,YAAY,EAAE,SAAS;IACvB,cAAc,EAAE,aAAa;IAC7B,WAAW,EAAE,yBAAyB;IACtC,aAAa,EAAE,SAA+B;IAC9C,oBAAoB,EAAE,EAAE;IACxB,UAAU,EAAE,iBAAiB;IAC7B,YAAY,EAAE,KAAK;IACnB,kBAAkB,EAAE,kCAAkC;CACvD,CAAC;AAEF,MAAM,UAAU,GAAiB;IAC/B,KAAK,CAAC,mBAAmB,CAAC,IAAI;QAC5B,OAAO,qCAAqC,IAAI,CAAC,KAAK,WAAW,IAAI,CAAC,QAAQ,EAAE,CAAC;IACnF,CAAC;IACD,KAAK,CAAC,oBAAoB,CAAC,KAAK;QAC9B,OAAO;YACL,IAAI,EAAE;gBACJ,EAAE,EAAE,SAAS;gBACb,KAAK,EAAE,gBAAgB;gBACvB,SAAS,EAAE,OAAO;gBAClB,QAAQ,EAAE,GAAG;aACd;SACF,CAAC;IACJ,CAAC;CACF,CAAC;AAEF,UAAU,CAAC,KAAK,IAAI,EAAE;IACpB,MAAM,qBAAqB,CAAC,YAAY,CAAC,CAAC;IAC1C,EAAE,GAAG,MAAM,QAAQ,CAAC,EAAE,gBAAgB,EAAE,UAAU,EAAE,CAAC,CAAC;AACxD,CAAC,CAAC,CAAC;AAEH,SAAS,CAAC,KAAK,IAAI,EAAE;IACnB,MAAM,cAAc,EAAE,CAAC;AACzB,CAAC,CAAC,CAAC;AAEH,SAAS,QAAQ;IACf,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;IACvB,GAAG,CAAC,KAAK,CACP,GAAG,EACH,gBAAgB,CAAC,EAAE,EAAE,EAAE,GAAG,EAAE,SAAgB,EAAE,MAAM,EAAE,UAAU,EAAE,CAAC,CACpE,CAAC;IACF,OAAO,GAAG,CAAC;AACb,CAAC;AAED,qCAAqC;AACrC,KAAK,UAAU,IAAI;IACjB,MAAM,IAAI,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,CAAC;IAC1C,MAAM,IAAI,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,CAAC;AAC5C,CAAC;AAED,QAAQ,CAAC,aAAa,EAAE,GAAG,EAAE;IAC3B,EAAE,CAAC,iDAAiD,EAAE,KAAK,IAAI,EAAE;QAC/D,MAAM,GAAG,GAAG,MAAM,QAAQ,EAAE,CAAC,OAAO,CAAC,wBAAwB,CAAC,CAAC;QAC/D,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC7B,MAAM,GAAG,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAE,CAAC;QACzC,MAAM,CAAC,GAAG,CAAC,CAAC,SAAS,CAAC,gBAAgB,CAAC,CAAC;QACxC,MAAM,CAAC,GAAG,CAAC,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC;IAClC,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,gBAAgB,EAAE,GAAG,EAAE;IAC9B,EAAE,CAAC,uEAAuE,EAAE,KAAK,IAAI,EAAE;QACrF,MAAM,KAAK,GAAG,SAAS,CACrB,EAAE,IAAI,EAAE,OAAO,EAAE,KAAK,EAAE,GAAG,EAAE,EAC7B,SAAS,CAAC,kBAAkB,CAC7B,CAAC;QACF,MAAM,GAAG,GAAG,MAAM,QAAQ,EAAE,CAAC,OAAO,CAClC,iCAAiC,kBAAkB,CAAC,KAAK,CAAC,EAAE,CAC7D,CAAC;QACF,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC7B,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAClD,MAAM,SAAS,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY,CAAE,CAAC;QACjD,MAAM,CAAC,SAAS,CAAC,CAAC,SAAS,CAAC,kBAAkB,CAAC,CAAC;QAChD,MAAM,CAAC,SAAS,CAAC,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC;QACxC,MAAM,QAAQ,GAAG,MAAM,EAAE,CAAC,MAAM,EAAE,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;QAC3D,MAAM,CAAC,QAAQ,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QACjC,MAAM,IAAI,EAAE,CAAC;QACb,MAAM,MAAM,GAAG,MAAM,EAAE,CAAC,MAAM,EAAE,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QACnD,MAAM,CACJ,MAAM,CAAC,IAAI,CAAC,CAAC,CAAM,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,KAAK,iBAAiB,CAAC,CAC3D,CAAC,WAAW,EAAE,CAAC;IAClB,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,+BAA+B,EAAE,KAAK,IAAI,EAAE;QAC7C,MAAM,GAAG,GAAG,MAAM,QAAQ,EAAE,CAAC,OAAO,CAClC,uCAAuC,CACxC,CAAC;QACF,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IAC/B,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,sDAAsD,EAAE,KAAK,IAAI,EAAE;QACpE,SAAS,CAAC,aAAa,GAAG,UAAU,CAAC;QACrC,MAAM,KAAK,GAAG,SAAS,CACrB,EAAE,IAAI,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,EAAE,EACzB,SAAS,CAAC,kBAAkB,CAC7B,CAAC;QACF,MAAM,GAAG,GAAG,MAAM,QAAQ,EAAE,CAAC,OAAO,CAClC,iCAAiC,kBAAkB,CAAC,KAAK,CAAC,EAAE,CAC7D,CAAC;QACF,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC7B,MAAM,IAAI,EAAE,CAAC;QACb,MAAM,MAAM,GAAG,MAAM,EAAE,CAAC,MAAM,EAAE,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QACnD,MAAM,CACJ,MAAM,CAAC,IAAI,CAAC,CAAC,CAAM,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,KAAK,wBAAwB,CAAC,CAClE,CAAC,WAAW,EAAE,CAAC;QAChB,SAAS,CAAC,aAAa,GAAG,SAAS,CAAC;IACtC,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,cAAc,EAAE,GAAG,EAAE;IAC5B,EAAE,CAAC,qDAAqD,EAAE,KAAK,IAAI,EAAE;QACnE,MAAM,KAAK,GAAG,SAAS,CACrB,EAAE,IAAI,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,EAAE,EACzB,SAAS,CAAC,kBAAkB,CAC7B,CAAC;QACF,MAAM,EAAE,GAAG,MAAM,QAAQ,EAAE,CAAC,OAAO,CACjC,iCAAiC,kBAAkB,CAAC,KAAK,CAAC,EAAE,CAC7D,CAAC;QACF,MAAM,YAAY,GAAG,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,YAAY,CAAE,CAAC;QACnD,MAAM,GAAG,GAAG,YAAY,CAAC,KAAK,CAAC,yBAAyB,CAAE,CAAC,CAAC,CAAC,CAAC;QAE9D,kEAAkE;QAClE,iEAAiE;QACjE,oEAAoE;QACpE,kEAAkE;QAClE,MAAM,GAAG,GAAG,MAAM,QAAQ,EAAE,CAAC,OAAO,CAAC,cAAc,EAAE;YACnD,MAAM,EAAE,MAAM;YACd,OAAO,EAAE;gBACP,MAAM,EAAE,mBAAmB,GAAG,EAAE;gBAChC,YAAY,EAAE,MAAM;aACrB;SACF,CAAC,CAAC;QACH,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC7B,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;QACxD,MAAM,QAAQ,GAAG,MAAM,EAAE,CAAC,MAAM,EAAE,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;QAC3D,MAAM,CAAC,QAAQ,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QACjC,MAAM,IAAI,EAAE,CAAC;QACb,MAAM,MAAM,GAAG,MAAM,EAAE,CAAC,MAAM,EAAE,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QACnD,MAAM,CACJ,MAAM,CAAC,IAAI,CAAC,CAAC,CAAM,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,KAAK,kBAAkB,CAAC,CAC5D,CAAC,WAAW,EAAE,CAAC;IAClB,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/__tests__/bootstrap-integration.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=bootstrap-integration.test.d.ts.map

package/dist/__tests__/bootstrap-integration.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"bootstrap-integration.test.d.ts","sourceRoot":"","sources":["../../src/__tests__/bootstrap-integration.test.ts"],"names":[],"mappings":""}

package/dist/__tests__/bootstrap-integration.test.js

@@ -0,0 +1,75 @@
+import { describe, it, expect, beforeEach, afterEach, vi } from "vitest";
+import { createDb, signState } from "@urateam/core";
+import { dashboardUsers } from "@urateam/core/dist/db/schema.js";
+import { Hono } from "hono";
+import { createAuthRouter } from "../routes/auth.js";
+import { installTestProLicense, restoreLicense } from "./helpers/license.js";
+let db;
+const ssoConfig = {
+    enabled: true,
+    workosApiKey: "sk_test",
+    workosClientId: "client_test",
+    redirectUri: "https://x/auth/callback",
+    allowedDomain: undefined,
+    sessionDurationHours: 24,
+    cookieName: "urateam_session",
+    cookieSecure: false,
+    stateSigningSecret: "0123456789abcdef0123456789abcdef",
+};
+const stubWorkos = {
+    async getAuthorizationUrl() {
+        return "https://workos.example/auth";
+    },
+    async authenticateWithCode() {
+        return {
+            user: {
+                id: "wu_1",
+                email: "alice@acme.com",
+                firstName: "Alice",
+                lastName: "X",
+            },
+        };
+    },
+};
+beforeEach(async () => {
+    await installTestProLicense("enterprise");
+    db = await createDb({ connectionString: ":memory:" });
+});
+afterEach(async () => {
+    await restoreLicense();
+    vi.unstubAllEnvs();
+});
+describe("SSO callback bootstrap admin integration", () => {
+    it("promotes alice@acme.com when URATEAM_ADMIN_EMAILS matches", async () => {
+        vi.stubEnv("URATEAM_ADMIN_EMAILS", "alice@acme.com");
+        const app = new Hono();
+        app.route("/", createAuthRouter({ db, sso: ssoConfig, workos: stubWorkos }));
+        const state = signState({ next: "/", nonce: "n" }, ssoConfig.stateSigningSecret);
+        const res = await app.request(`/auth/callback?code=abc&state=${encodeURIComponent(state)}`);
+        expect(res.status).toBe(302);
+        const users = await db.select().from(dashboardUsers);
+        expect(users).toHaveLength(1);
+        expect(users[0].role).toBe("admin");
+    });
+    it("leaves role as viewer when email does not match", async () => {
+        vi.stubEnv("URATEAM_ADMIN_EMAILS", "bob@acme.com");
+        const app = new Hono();
+        app.route("/", createAuthRouter({ db, sso: ssoConfig, workos: stubWorkos }));
+        const state = signState({ next: "/", nonce: "n" }, ssoConfig.stateSigningSecret);
+        const res = await app.request(`/auth/callback?code=abc&state=${encodeURIComponent(state)}`);
+        expect(res.status).toBe(302);
+        const users = await db.select().from(dashboardUsers);
+        expect(users[0].role).toBe("viewer");
+    });
+    it("does not promote when URATEAM_ADMIN_EMAILS is unset", async () => {
+        vi.stubEnv("URATEAM_ADMIN_EMAILS", "");
+        const app = new Hono();
+        app.route("/", createAuthRouter({ db, sso: ssoConfig, workos: stubWorkos }));
+        const state = signState({ next: "/", nonce: "n" }, ssoConfig.stateSigningSecret);
+        const res = await app.request(`/auth/callback?code=abc&state=${encodeURIComponent(state)}`);
+        expect(res.status).toBe(302);
+        const users = await db.select().from(dashboardUsers);
+        expect(users[0].role).toBe("viewer");
+    });
+});
+//# sourceMappingURL=bootstrap-integration.test.js.map

package/dist/__tests__/bootstrap-integration.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"bootstrap-integration.test.js","sourceRoot":"","sources":["../../src/__tests__/bootstrap-integration.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,UAAU,EAAE,SAAS,EAAE,EAAE,EAAE,MAAM,QAAQ,CAAC;AACzE,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,eAAe,CAAC;AACpD,OAAO,EAAE,cAAc,EAAE,MAAM,iCAAiC,CAAC;AACjE,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAC5B,OAAO,EAAE,gBAAgB,EAAE,MAAM,mBAAmB,CAAC;AACrD,OAAO,EAAE,qBAAqB,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AAE7E,IAAI,EAAO,CAAC;AAEZ,MAAM,SAAS,GAAG;IAChB,OAAO,EAAE,IAAI;IACb,YAAY,EAAE,SAAS;IACvB,cAAc,EAAE,aAAa;IAC7B,WAAW,EAAE,yBAAyB;IACtC,aAAa,EAAE,SAA+B;IAC9C,oBAAoB,EAAE,EAAE;IACxB,UAAU,EAAE,iBAAiB;IAC7B,YAAY,EAAE,KAAK;IACnB,kBAAkB,EAAE,kCAAkC;CACvD,CAAC;AAEF,MAAM,UAAU,GAAG;IACjB,KAAK,CAAC,mBAAmB;QACvB,OAAO,6BAA6B,CAAC;IACvC,CAAC;IACD,KAAK,CAAC,oBAAoB;QACxB,OAAO;YACL,IAAI,EAAE;gBACJ,EAAE,EAAE,MAAM;gBACV,KAAK,EAAE,gBAAgB;gBACvB,SAAS,EAAE,OAAO;gBAClB,QAAQ,EAAE,GAAG;aACd;SACF,CAAC;IACJ,CAAC;CACK,CAAC;AAET,UAAU,CAAC,KAAK,IAAI,EAAE;IACpB,MAAM,qBAAqB,CAAC,YAAY,CAAC,CAAC;IAC1C,EAAE,GAAG,MAAM,QAAQ,CAAC,EAAE,gBAAgB,EAAE,UAAU,EAAE,CAAC,CAAC;AACxD,CAAC,CAAC,CAAC;AAEH,SAAS,CAAC,KAAK,IAAI,EAAE;IACnB,MAAM,cAAc,EAAE,CAAC;IACvB,EAAE,CAAC,aAAa,EAAE,CAAC;AACrB,CAAC,CAAC,CAAC;AAEH,QAAQ,CAAC,0CAA0C,EAAE,GAAG,EAAE;IACxD,EAAE,CAAC,2DAA2D,EAAE,KAAK,IAAI,EAAE;QACzE,EAAE,CAAC,OAAO,CAAC,sBAAsB,EAAE,gBAAgB,CAAC,CAAC;QACrD,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,GAAG,CAAC,KAAK,CACP,GAAG,EACH,gBAAgB,CAAC,EAAE,EAAE,EAAE,GAAG,EAAE,SAAgB,EAAE,MAAM,EAAE,UAAU,EAAE,CAAC,CACpE,CAAC;QACF,MAAM,KAAK,GAAG,SAAS,CACrB,EAAE,IAAI,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,EAAE,EACzB,SAAS,CAAC,kBAAkB,CAC7B,CAAC;QACF,MAAM,GAAG,GAAG,MAAM,GAAG,CAAC,OAAO,CAC3B,iCAAiC,kBAAkB,CAAC,KAAK,CAAC,EAAE,CAC7D,CAAC;QACF,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC7B,MAAM,KAAK,GAAG,MAAM,EAAE,CAAC,MAAM,EAAE,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;QACrD,MAAM,CAAC,KAAK,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QAC9B,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IACtC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,iDAAiD,EAAE,KAAK,IAAI,EAAE;QAC/D,EAAE,CAAC,OAAO,CAAC,sBAAsB,EAAE,cAAc,CAAC,CAAC;QACnD,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,GAAG,CAAC,KAAK,CACP,GAAG,EACH,gBAAgB,CAAC,EAAE,EAAE,EAAE,GAAG,EAAE,SAAgB,EAAE,MAAM,EAAE,UAAU,EAAE,CAAC,CACpE,CAAC;QACF,MAAM,KAAK,GAAG,SAAS,CACrB,EAAE,IAAI,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,EAAE,EACzB,SAAS,CAAC,kBAAkB,CAC7B,CAAC;QACF,MAAM,GAAG,GAAG,MAAM,GAAG,CAAC,OAAO,CAC3B,iCAAiC,kBAAkB,CAAC,KAAK,CAAC,EAAE,CAC7D,CAAC;QACF,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC7B,MAAM,KAAK,GAAG,MAAM,EAAE,CAAC,MAAM,EAAE,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;QACrD,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IACvC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,qDAAqD,EAAE,KAAK,IAAI,EAAE;QACnE,EAAE,CAAC,OAAO,CAAC,sBAAsB,EAAE,EAAE,CAAC,CAAC;QACvC,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;QACvB,GAAG,CAAC,KAAK,CACP,GAAG,EACH,gBAAgB,CAAC,EAAE,EAAE,EAAE,GAAG,EAAE,SAAgB,EAAE,MAAM,EAAE,UAAU,EAAE,CAAC,CACpE,CAAC;QACF,MAAM,KAAK,GAAG,SAAS,CACrB,EAAE,IAAI,EAAE,GAAG,EAAE,KAAK,EAAE,GAAG,EAAE,EACzB,SAAS,CAAC,kBAAkB,CAC7B,CAAC;QACF,MAAM,GAAG,GAAG,MAAM,GAAG,CAAC,OAAO,CAC3B,iCAAiC,kBAAkB,CAAC,KAAK,CAAC,EAAE,CAC7D,CAAC;QACF,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC7B,MAAM,KAAK,GAAG,MAAM,EAAE,CAAC,MAAM,EAAE,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;QACrD,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IACvC,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/__tests__/cost-chart.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=cost-chart.test.d.ts.map

package/dist/__tests__/cost-chart.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cost-chart.test.d.ts","sourceRoot":"","sources":["../../src/__tests__/cost-chart.test.ts"],"names":[],"mappings":""}

package/dist/__tests__/cost-chart.test.js

@@ -0,0 +1,51 @@
+import { describe, it, expect } from "vitest";
+import { renderCostChart } from "../views/cost.js";
+describe("renderCostChart", () => {
+    it("returns empty string for fewer than 2 data points", () => {
+        expect(renderCostChart([])).toBe("");
+        expect(renderCostChart([{ date: "2026-04-01", runs: 1, prsMerged: 1, dollars: 1, timeSavedHours: 1 }])).toBe("");
+    });
+    it("emits an SVG polyline with one point per day", () => {
+        const byDay = [
+            { date: "2026-04-01", runs: 1, prsMerged: 1, dollars: 10, timeSavedHours: 4 },
+            { date: "2026-04-02", runs: 2, prsMerged: 2, dollars: 20, timeSavedHours: 8 },
+            { date: "2026-04-03", runs: 1, prsMerged: 1, dollars: 5, timeSavedHours: 4 },
+        ];
+        const html = renderCostChart(byDay);
+        expect(html).toContain("<svg");
+        expect(html).toContain("<polyline");
+        // 3 points → 3 "x,y" pairs in the points attribute
+        const pointsMatch = html.match(/points="([^"]+)"/);
+        expect(pointsMatch).not.toBeNull();
+        const points = pointsMatch[1].trim().split(" ");
+        expect(points).toHaveLength(3);
+        // first and last dates rendered as header labels
+        expect(html).toContain("2026-04-01");
+        expect(html).toContain("2026-04-03");
+        // total + peak labels
+        expect(html).toContain("Total: $35.00");
+        expect(html).toContain("peak: $20.00");
+    });
+    it("handles a flat-zero series without divide-by-zero", () => {
+        const byDay = [
+            { date: "2026-04-01", runs: 0, prsMerged: 0, dollars: 0, timeSavedHours: 0 },
+            { date: "2026-04-02", runs: 0, prsMerged: 0, dollars: 0, timeSavedHours: 0 },
+        ];
+        const html = renderCostChart(byDay);
+        expect(html).toContain("<polyline");
+        // No NaN anywhere
+        expect(html).not.toMatch(/NaN/);
+    });
+    it("escapes HTML-sensitive date labels", () => {
+        // Dates are YYYY-MM-DD from the server so no real injection risk, but the
+        // renderer should still pass dates through escapeHtml to stay defensive.
+        const byDay = [
+            { date: "<script>", runs: 1, prsMerged: 1, dollars: 1, timeSavedHours: 1 },
+            { date: "2026-04-02", runs: 1, prsMerged: 1, dollars: 1, timeSavedHours: 1 },
+        ];
+        const html = renderCostChart(byDay);
+        expect(html).not.toContain("<script>");
+        expect(html).toContain("&lt;script&gt;");
+    });
+});
+//# sourceMappingURL=cost-chart.test.js.map

package/dist/__tests__/cost-chart.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cost-chart.test.js","sourceRoot":"","sources":["../../src/__tests__/cost-chart.test.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,EAAE,EAAE,MAAM,EAAE,MAAM,QAAQ,CAAC;AAE9C,OAAO,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AAEnD,QAAQ,CAAC,iBAAiB,EAAE,GAAG,EAAE;IAC/B,EAAE,CAAC,mDAAmD,EAAE,GAAG,EAAE;QAC3D,MAAM,CAAC,eAAe,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACrC,MAAM,CAAC,eAAe,CAAC,CAAC,EAAE,IAAI,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC,EAAE,SAAS,EAAE,CAAC,EAAE,OAAO,EAAE,CAAC,EAAE,cAAc,EAAE,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACnH,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,8CAA8C,EAAE,GAAG,EAAE;QACtD,MAAM,KAAK,GAAe;YACxB,EAAE,IAAI,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC,EAAE,SAAS,EAAE,CAAC,EAAE,OAAO,EAAE,EAAE,EAAE,cAAc,EAAE,CAAC,EAAE;YAC7E,EAAE,IAAI,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC,EAAE,SAAS,EAAE,CAAC,EAAE,OAAO,EAAE,EAAE,EAAE,cAAc,EAAE,CAAC,EAAE;YAC7E,EAAE,IAAI,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC,EAAE,SAAS,EAAE,CAAC,EAAE,OAAO,EAAE,CAAC,EAAE,cAAc,EAAE,CAAC,EAAE;SAC7E,CAAC;QACF,MAAM,IAAI,GAAG,eAAe,CAAC,KAAK,CAAC,CAAC;QACpC,MAAM,CAAC,IAAI,CAAC,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;QAC/B,MAAM,CAAC,IAAI,CAAC,CAAC,SAAS,CAAC,WAAW,CAAC,CAAC;QACpC,mDAAmD;QACnD,MAAM,WAAW,GAAG,IAAI,CAAC,KAAK,CAAC,kBAAkB,CAAC,CAAC;QACnD,MAAM,CAAC,WAAW,CAAC,CAAC,GAAG,CAAC,QAAQ,EAAE,CAAC;QACnC,MAAM,MAAM,GAAG,WAAY,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QACjD,MAAM,CAAC,MAAM,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;QAC/B,iDAAiD;QACjD,MAAM,CAAC,IAAI,CAAC,CAAC,SAAS,CAAC,YAAY,CAAC,CAAC;QACrC,MAAM,CAAC,IAAI,CAAC,CAAC,SAAS,CAAC,YAAY,CAAC,CAAC;QACrC,sBAAsB;QACtB,MAAM,CAAC,IAAI,CAAC,CAAC,SAAS,CAAC,eAAe,CAAC,CAAC;QACxC,MAAM,CAAC,IAAI,CAAC,CAAC,SAAS,CAAC,cAAc,CAAC,CAAC;IACzC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,mDAAmD,EAAE,GAAG,EAAE;QAC3D,MAAM,KAAK,GAAe;YACxB,EAAE,IAAI,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC,EAAE,SAAS,EAAE,CAAC,EAAE,OAAO,EAAE,CAAC,EAAE,cAAc,EAAE,CAAC,EAAE;YAC5E,EAAE,IAAI,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC,EAAE,SAAS,EAAE,CAAC,EAAE,OAAO,EAAE,CAAC,EAAE,cAAc,EAAE,CAAC,EAAE;SAC7E,CAAC;QACF,MAAM,IAAI,GAAG,eAAe,CAAC,KAAK,CAAC,CAAC;QACpC,MAAM,CAAC,IAAI,CAAC,CAAC,SAAS,CAAC,WAAW,CAAC,CAAC;QACpC,kBAAkB;QAClB,MAAM,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;IAClC,CAAC,CAAC,CAAC;IAEH,EAAE,CAAC,oCAAoC,EAAE,GAAG,EAAE;QAC5C,0EAA0E;QAC1E,yEAAyE;QACzE,MAAM,KAAK,GAAe;YACxB,EAAE,IAAI,EAAE,UAAU,EAAE,IAAI,EAAE,CAAC,EAAE,SAAS,EAAE,CAAC,EAAE,OAAO,EAAE,CAAC,EAAE,cAAc,EAAE,CAAC,EAAE;YAC1E,EAAE,IAAI,EAAE,YAAY,EAAE,IAAI,EAAE,CAAC,EAAE,SAAS,EAAE,CAAC,EAAE,OAAO,EAAE,CAAC,EAAE,cAAc,EAAE,CAAC,EAAE;SAC7E,CAAC;QACF,MAAM,IAAI,GAAG,eAAe,CAAC,KAAK,CAAC,CAAC;QACpC,MAAM,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,UAAU,CAAC,CAAC;QACvC,MAAM,CAAC,IAAI,CAAC,CAAC,SAAS,CAAC,gBAAgB,CAAC,CAAC;IAC3C,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/__tests__/cost.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=cost.test.d.ts.map

package/dist/__tests__/cost.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cost.test.d.ts","sourceRoot":"","sources":["../../src/__tests__/cost.test.ts"],"names":[],"mappings":""}