@valentine-efagene/qshelter-common 2.0.88 → 2.0.90

package/dist/generated/client/models/UserRole.d.ts

@@ -2,7 +2,8 @@ import type * as runtime from "@prisma/client/runtime/client";
 import type * as Prisma from "../internal/prismaNamespace.js";
 /**
  * Model UserRole
- *
+ * Legacy: Direct user-role assignment (global, not tenant-scoped)
+ * @deprecated Use TenantMembership for tenant-scoped role assignments
  */
 export type UserRoleModel = runtime.Types.Result.DefaultSelection<Prisma.$UserRolePayload>;
 export type AggregateUserRole = {

package/dist/generated/client/models/index.d.ts

@@ -53,6 +53,7 @@ export * from './Settings';
 export * from './Social';
 export * from './StepEventAttachment';
 export * from './Tenant';
+export * from './TenantMembership';
 export * from './Transaction';
 export * from './User';
 export * from './UserRole';

package/dist/generated/client/models/index.js

@@ -53,6 +53,7 @@ export * from './Settings';
 export * from './Social';
 export * from './StepEventAttachment';
 export * from './Tenant';
+export * from './TenantMembership';
 export * from './Transaction';
 export * from './User';
 export * from './UserRole';

package/dist/generated/client/models.d.ts

@@ -3,6 +3,7 @@ export type * from './models/Role.js';
 export type * from './models/Permission.js';
 export type * from './models/RolePermission.js';
 export type * from './models/UserRole.js';
+export type * from './models/TenantMembership.js';
 export type * from './models/Tenant.js';
 export type * from './models/ApiKey.js';
 export type * from './models/RefreshToken.js';

package/dist/src/events/policies/policy-event.d.ts

@@ -13,29 +13,61 @@ export declare enum PolicyEventType {
     PERMISSION_DELETED = "POLICY.PERMISSION_DELETED",
     ROLE_PERMISSION_ASSIGNED = "POLICY.ROLE_PERMISSION_ASSIGNED",
     ROLE_PERMISSION_REVOKED = "POLICY.ROLE_PERMISSION_REVOKED",
+    TENANT_MEMBERSHIP_CREATED = "POLICY.TENANT_MEMBERSHIP_CREATED",
+    TENANT_MEMBERSHIP_UPDATED = "POLICY.TENANT_MEMBERSHIP_UPDATED",
+    TENANT_MEMBERSHIP_DELETED = "POLICY.TENANT_MEMBERSHIP_DELETED",
     FULL_SYNC_REQUESTED = "POLICY.FULL_SYNC_REQUESTED"
 }
+/**
+ * Role data with tenant scoping
+ */
 export interface RoleData {
     id: string;
     name: string;
     description?: string | null;
+    tenantId?: string | null;
+    isSystem?: boolean;
+    isActive?: boolean;
 }
+/**
+ * Permission with path-based authorization
+ * Matches the authorizer's expected policy structure
+ */
 export interface PermissionData {
     id: string;
     name: string;
     description?: string | null;
-    resource: string;
-    action: string;
+    path: string;
+    methods: string[];
+    effect: 'ALLOW' | 'DENY';
+    tenantId?: string | null;
 }
+/**
+ * Role with full permission details for policy sync
+ */
 export interface RolePermissionData {
     roleId: string;
     roleName: string;
+    tenantId?: string | null;
     permissions: Array<{
         id: string;
-        resource: string;
-        action: string;
+        path: string;
+        methods: string[];
+        effect: 'ALLOW' | 'DENY';
     }>;
 }
+/**
+ * Tenant membership data for federated users
+ */
+export interface TenantMembershipData {
+    id: string;
+    userId: string;
+    tenantId: string;
+    roleId: string;
+    roleName: string;
+    isActive: boolean;
+    isDefault: boolean;
+}
 export interface PolicyEventMeta {
     source: string;
     timestamp: string;
@@ -86,4 +118,17 @@ export interface FullSyncRequestedEvent extends PolicyEvent<{
 }> {
     eventType: PolicyEventType.FULL_SYNC_REQUESTED;
 }
-export type AnyPolicyEvent = RoleCreatedEvent | RoleUpdatedEvent | RoleDeletedEvent | PermissionCreatedEvent | PermissionUpdatedEvent | PermissionDeletedEvent | RolePermissionAssignedEvent | RolePermissionRevokedEvent | FullSyncRequestedEvent;
+export interface TenantMembershipCreatedEvent extends PolicyEvent<TenantMembershipData> {
+    eventType: PolicyEventType.TENANT_MEMBERSHIP_CREATED;
+}
+export interface TenantMembershipUpdatedEvent extends PolicyEvent<TenantMembershipData> {
+    eventType: PolicyEventType.TENANT_MEMBERSHIP_UPDATED;
+}
+export interface TenantMembershipDeletedEvent extends PolicyEvent<{
+    membershipId: string;
+    userId: string;
+    tenantId: string;
+}> {
+    eventType: PolicyEventType.TENANT_MEMBERSHIP_DELETED;
+}
+export type AnyPolicyEvent = RoleCreatedEvent | RoleUpdatedEvent | RoleDeletedEvent | PermissionCreatedEvent | PermissionUpdatedEvent | PermissionDeletedEvent | RolePermissionAssignedEvent | RolePermissionRevokedEvent | FullSyncRequestedEvent | TenantMembershipCreatedEvent | TenantMembershipUpdatedEvent | TenantMembershipDeletedEvent;

package/dist/src/events/policies/policy-event.js

@@ -17,6 +17,10 @@ export var PolicyEventType;
     // Role-Permission association events
     PolicyEventType["ROLE_PERMISSION_ASSIGNED"] = "POLICY.ROLE_PERMISSION_ASSIGNED";
     PolicyEventType["ROLE_PERMISSION_REVOKED"] = "POLICY.ROLE_PERMISSION_REVOKED";
+    // Tenant membership events (for federated users)
+    PolicyEventType["TENANT_MEMBERSHIP_CREATED"] = "POLICY.TENANT_MEMBERSHIP_CREATED";
+    PolicyEventType["TENANT_MEMBERSHIP_UPDATED"] = "POLICY.TENANT_MEMBERSHIP_UPDATED";
+    PolicyEventType["TENANT_MEMBERSHIP_DELETED"] = "POLICY.TENANT_MEMBERSHIP_DELETED";
     // Bulk sync events
     PolicyEventType["FULL_SYNC_REQUESTED"] = "POLICY.FULL_SYNC_REQUESTED";
 })(PolicyEventType || (PolicyEventType = {}));

package/dist/src/events/policies/policy-publisher.d.ts

@@ -1,4 +1,4 @@
-import { PolicyEventType, PolicyEventMeta, RoleData, PermissionData, RolePermissionData } from './policy-event';
+import { PolicyEventType, PolicyEventMeta, RoleData, PermissionData, RolePermissionData, TenantMembershipData } from './policy-event';
 /**
  * Configuration for the policy event publisher
  */
@@ -52,6 +52,18 @@ export declare class PolicyEventPublisher {
      * Publish role permission revoked event
      */
     publishRolePermissionRevoked(data: RolePermissionData, meta?: Partial<PolicyEventMeta>): Promise<string>;
+    /**
+     * Publish tenant membership created event
+     */
+    publishTenantMembershipCreated(data: TenantMembershipData, meta?: Partial<PolicyEventMeta>): Promise<string>;
+    /**
+     * Publish tenant membership updated event
+     */
+    publishTenantMembershipUpdated(data: TenantMembershipData, meta?: Partial<PolicyEventMeta>): Promise<string>;
+    /**
+     * Publish tenant membership deleted event
+     */
+    publishTenantMembershipDeleted(membershipId: string, userId: string, tenantId: string, meta?: Partial<PolicyEventMeta>): Promise<string>;
     /**
      * Publish full sync requested event
      */

package/dist/src/events/policies/policy-publisher.js

@@ -119,6 +119,30 @@ export class PolicyEventPublisher {
     async publishRolePermissionRevoked(data, meta) {
         return this.publish(PolicyEventType.ROLE_PERMISSION_REVOKED, data, meta);
     }
+    /**
+     * Publish tenant membership created event
+     */
+    async publishTenantMembershipCreated(data, meta) {
+        return this.publish(PolicyEventType.TENANT_MEMBERSHIP_CREATED, data, {
+            ...meta,
+            tenantId: data.tenantId,
+        });
+    }
+    /**
+     * Publish tenant membership updated event
+     */
+    async publishTenantMembershipUpdated(data, meta) {
+        return this.publish(PolicyEventType.TENANT_MEMBERSHIP_UPDATED, data, {
+            ...meta,
+            tenantId: data.tenantId,
+        });
+    }
+    /**
+     * Publish tenant membership deleted event
+     */
+    async publishTenantMembershipDeleted(membershipId, userId, tenantId, meta) {
+        return this.publish(PolicyEventType.TENANT_MEMBERSHIP_DELETED, { membershipId, userId, tenantId }, { ...meta, tenantId });
+    }
     /**
      * Publish full sync requested event
      */

package/dist/src/prisma/tenant.js

@@ -9,16 +9,18 @@
  * These models either:
  * - Don't have a tenantId field (system tables)
  * - Have optional tenantId but are designed to work across tenants (User)
+ * - Are cross-tenant lookup/join tables (TenantMembership)
  */
 const GLOBAL_MODELS = [
-    // User can exist across tenants or without a tenant
+    // User can exist across tenants or without a tenant (federated)
     "user",
+    // TenantMembership is the user-tenant join table (queries by userId or tenantId)
+    "tenantMembership",
     // System/infrastructure tables without tenantId
     "tenant",
-    "role",
-    "permission",
-    "rolePermission",
+    // Legacy role assignment (global, not tenant-scoped)
     "userRole",
+    "rolePermission",
     "refreshToken",
     "passwordReset",
     "wallet",
@@ -29,7 +31,13 @@ const GLOBAL_MODELS = [
  * These can be global templates (tenantId = null) or tenant-specific.
  * Queries will return both global AND tenant-specific records.
  */
-const OPTIONAL_TENANT_MODELS = ["paymentPlan"];
+const OPTIONAL_TENANT_MODELS = [
+    "paymentPlan",
+    // Role can be global template (tenantId = null) or tenant-specific
+    "role",
+    // Permission can be global template or tenant-specific
+    "permission",
+];
 function isGlobalModel(model) {
     return GLOBAL_MODELS.includes(model);
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@valentine-efagene/qshelter-common",
-  "version": "2.0.88",
+  "version": "2.0.90",
   "description": "Shared database schemas and utilities for QShelter services",
   "main": "dist/src/index.js",
   "types": "dist/src/index.d.ts",

package/prisma/migrations/20260111091027_rbac_redesign_federated_users/migration.sql

@@ -0,0 +1,79 @@
+/*
+  Warnings:
+
+  - You are about to drop the column `action` on the `permissions` table. All the data in the column will be lost.
+  - You are about to drop the column `resource` on the `permissions` table. All the data in the column will be lost.
+  - A unique constraint covering the columns `[path,tenantId]` on the table `permissions` will be added. If there are existing duplicate values, this will fail.
+  - A unique constraint covering the columns `[name,tenantId]` on the table `roles` will be added. If there are existing duplicate values, this will fail.
+  - Added the required column `path` to the `permissions` table without a default value. This is not possible if the table is not empty.
+
+*/
+-- DropIndex
+DROP INDEX `permissions_name_key` ON `permissions`;
+
+-- DropIndex
+DROP INDEX `permissions_resource_action_key` ON `permissions`;
+
+-- DropIndex
+DROP INDEX `permissions_resource_idx` ON `permissions`;
+
+-- DropIndex
+DROP INDEX `roles_name_key` ON `roles`;
+
+-- AlterTable
+ALTER TABLE `permissions` DROP COLUMN `action`,
+    DROP COLUMN `resource`,
+    ADD COLUMN `effect` ENUM('ALLOW', 'DENY') NOT NULL DEFAULT 'ALLOW',
+    ADD COLUMN `isSystem` BOOLEAN NOT NULL DEFAULT false,
+    ADD COLUMN `methods` JSON NOT NULL,
+    ADD COLUMN `path` VARCHAR(191) NOT NULL,
+    ADD COLUMN `tenantId` VARCHAR(191) NULL;
+
+-- AlterTable
+ALTER TABLE `roles` ADD COLUMN `isActive` BOOLEAN NOT NULL DEFAULT true,
+    ADD COLUMN `isSystem` BOOLEAN NOT NULL DEFAULT false,
+    ADD COLUMN `tenantId` VARCHAR(191) NULL;
+
+-- CreateTable
+CREATE TABLE `tenant_memberships` (
+    `id` VARCHAR(191) NOT NULL,
+    `userId` VARCHAR(191) NOT NULL,
+    `tenantId` VARCHAR(191) NOT NULL,
+    `roleId` VARCHAR(191) NOT NULL,
+    `isActive` BOOLEAN NOT NULL DEFAULT true,
+    `isDefault` BOOLEAN NOT NULL DEFAULT false,
+    `createdAt` DATETIME(3) NOT NULL DEFAULT CURRENT_TIMESTAMP(3),
+    `updatedAt` DATETIME(3) NOT NULL,
+
+    INDEX `tenant_memberships_tenantId_idx`(`tenantId`),
+    INDEX `tenant_memberships_userId_idx`(`userId`),
+    UNIQUE INDEX `tenant_memberships_userId_tenantId_key`(`userId`, `tenantId`),
+    PRIMARY KEY (`id`)
+) DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
+
+-- CreateIndex
+CREATE INDEX `permissions_tenantId_idx` ON `permissions`(`tenantId`);
+
+-- CreateIndex
+CREATE UNIQUE INDEX `permissions_path_tenantId_key` ON `permissions`(`path`, `tenantId`);
+
+-- CreateIndex
+CREATE INDEX `roles_tenantId_idx` ON `roles`(`tenantId`);
+
+-- CreateIndex
+CREATE UNIQUE INDEX `roles_name_tenantId_key` ON `roles`(`name`, `tenantId`);
+
+-- AddForeignKey
+ALTER TABLE `roles` ADD CONSTRAINT `roles_tenantId_fkey` FOREIGN KEY (`tenantId`) REFERENCES `tenants`(`id`) ON DELETE CASCADE ON UPDATE CASCADE;
+
+-- AddForeignKey
+ALTER TABLE `permissions` ADD CONSTRAINT `permissions_tenantId_fkey` FOREIGN KEY (`tenantId`) REFERENCES `tenants`(`id`) ON DELETE CASCADE ON UPDATE CASCADE;
+
+-- AddForeignKey
+ALTER TABLE `tenant_memberships` ADD CONSTRAINT `tenant_memberships_userId_fkey` FOREIGN KEY (`userId`) REFERENCES `users`(`id`) ON DELETE CASCADE ON UPDATE CASCADE;
+
+-- AddForeignKey
+ALTER TABLE `tenant_memberships` ADD CONSTRAINT `tenant_memberships_tenantId_fkey` FOREIGN KEY (`tenantId`) REFERENCES `tenants`(`id`) ON DELETE CASCADE ON UPDATE CASCADE;
+
+-- AddForeignKey
+ALTER TABLE `tenant_memberships` ADD CONSTRAINT `tenant_memberships_roleId_fkey` FOREIGN KEY (`roleId`) REFERENCES `roles`(`id`) ON DELETE RESTRICT ON UPDATE CASCADE;

package/prisma/schema.prisma

@@ -292,29 +292,39 @@ enum ExecutionStatus {
   SKIPPED
 }
 
+/// Permission effect (Allow/Deny)
+enum PermissionEffect {
+  ALLOW
+  DENY
+}
+
 // =============================================================================
 // USER & AUTH DOMAIN
 // =============================================================================
 
 model User {
-  id                     String            @id @default(cuid())
-  email                  String            @unique
+  id                     String             @id @default(cuid())
+  email                  String             @unique
   password               String?
-  phone                  String?           @unique
+  phone                  String?            @unique
   firstName              String?
   lastName               String?
-  isActive               Boolean           @default(true)
-  isEmailVerified        Boolean           @default(false)
+  isActive               Boolean            @default(true)
+  isEmailVerified        Boolean            @default(false)
   googleId               String?
   avatar                 String?
+  // Legacy: Optional direct tenant association (for backward compatibility)
+  // New: Use tenantMemberships for multi-tenant federation
   tenantId               String?
-  tenant                 Tenant?           @relation(fields: [tenantId], references: [id], onDelete: SetNull)
-  // Support multiple roles via explicit join table `UserRole`
+  tenant                 Tenant?            @relation(fields: [tenantId], references: [id], onDelete: SetNull)
+  // Federated: User can belong to multiple tenants with different roles
+  tenantMemberships      TenantMembership[]
+  // Legacy: Support multiple roles via explicit join table `UserRole`
   userRoles              UserRole[]
-  walletId               String?           @unique
-  wallet                 Wallet?           @relation(fields: [walletId], references: [id])
-  createdAt              DateTime          @default(now())
-  updatedAt              DateTime          @updatedAt
+  walletId               String?            @unique
+  wallet                 Wallet?            @relation(fields: [walletId], references: [id])
+  createdAt              DateTime           @default(now())
+  updatedAt              DateTime           @updatedAt
   emailVerifiedAt        DateTime?
   emailVerificationToken String?
   lastLoginAt            DateTime?
@@ -368,29 +378,51 @@ model User {
 }
 
 model Role {
-  id          String           @id @default(cuid())
-  name        String           @unique
+  id          String             @id @default(cuid())
+  name        String
   description String?
+  // Tenant-scoping: NULL = global template, set = tenant-specific role
+  tenantId    String?
+  tenant      Tenant?            @relation(fields: [tenantId], references: [id], onDelete: Cascade)
+  // System roles cannot be deleted (admin, user, etc.)
+  isSystem    Boolean            @default(false)
+  isActive    Boolean            @default(true)
+  // Legacy: UserRole for backward compatibility
   userRoles   UserRole[]
+  // New: TenantMembership for federated users
+  memberships TenantMembership[]
   permissions RolePermission[]
-  createdAt   DateTime         @default(now())
-  updatedAt   DateTime         @updatedAt
+  createdAt   DateTime           @default(now())
+  updatedAt   DateTime           @updatedAt
 
+  @@unique([name, tenantId]) // Unique name per tenant (null tenantId = global)
+  @@index([tenantId])
   @@map("roles")
 }
 
+/// Permission defines a path pattern + HTTP methods + effect
+/// Supports path-based authorization matching the authorizer's policy structure
 model Permission {
   id          String           @id @default(cuid())
-  name        String           @unique
+  name        String // Descriptive name: "Read Users", "Manage Properties"
   description String?
-  resource    String
-  action      String
+  // Path pattern: /users, /users/:id, /properties/*, etc.
+  path        String
+  // HTTP methods: ["GET"], ["GET", "POST"], ["*"] - stored as JSON
+  methods     Json             @default("[]")
+  // Allow or Deny this path/methods
+  effect      PermissionEffect @default(ALLOW)
+  // Tenant-scoping: NULL = global template, set = tenant-specific
+  tenantId    String?
+  tenant      Tenant?          @relation(fields: [tenantId], references: [id], onDelete: Cascade)
+  // System permissions cannot be deleted
+  isSystem    Boolean          @default(false)
   roles       RolePermission[]
   createdAt   DateTime         @default(now())
   updatedAt   DateTime         @updatedAt
 
-  @@unique([resource, action])
-  @@index([resource])
+  @@unique([path, tenantId]) // Unique path per tenant
+  @@index([tenantId])
   @@map("permissions")
 }
 
@@ -405,6 +437,8 @@ model RolePermission {
   @@map("role_permissions")
 }
 
+/// Legacy: Direct user-role assignment (global, not tenant-scoped)
+/// @deprecated Use TenantMembership for tenant-scoped role assignments
 model UserRole {
   userId    String
   roleId    String
@@ -416,6 +450,30 @@ model UserRole {
   @@map("user_roles")
 }
 
+/// Tenant Membership: Links users to tenants with specific roles
+/// Enables federated users across multiple tenants with different roles per tenant
+model TenantMembership {
+  id        String   @id @default(cuid())
+  userId    String
+  tenantId  String
+  roleId    String
+  // Whether this membership is active
+  isActive  Boolean  @default(true)
+  // Whether this is the user's default tenant (for login without specifying tenant)
+  isDefault Boolean  @default(false)
+  createdAt DateTime @default(now())
+  updatedAt DateTime @updatedAt
+
+  user   User   @relation(fields: [userId], references: [id], onDelete: Cascade)
+  tenant Tenant @relation(fields: [tenantId], references: [id], onDelete: Cascade)
+  role   Role   @relation(fields: [roleId], references: [id], onDelete: Restrict)
+
+  @@unique([userId, tenantId]) // User can only have one membership per tenant
+  @@index([tenantId])
+  @@index([userId])
+  @@map("tenant_memberships")
+}
+
 model Tenant {
   id        String   @id @default(cuid())
   name      String
@@ -431,6 +489,12 @@ model Tenant {
   paymentMethods PropertyPaymentMethod[]
   contracts      Contract[]
 
+  // RBAC: Tenant-scoped roles and permissions
+  roles       Role[]
+  permissions Permission[]
+  // Federated user memberships
+  memberships TenantMembership[]
+
   // Payment method changes
   paymentMethodChangeRequests PaymentMethodChangeRequest[]
   documentRequirementRules    DocumentRequirementRule[]