@valentinkolb/cloud 0.4.0 → 0.5.0

package/src/services/auth-flows/password-reset.ts

@@ -0,0 +1,284 @@
+import { redis, sql } from "bun";
+import { notifications } from "../notifications";
+import { providers } from "../providers";
+import { session } from "../session";
+import * as settings from "../settings";
+import { renderTemplate } from "../settings/templates";
+import { logger } from "../logging";
+import { getServiceIpaSession } from "../ipa/service-account";
+import { getFreeIpaConfig } from "../freeipa-config";
+import type { User } from "../../contracts/shared";
+import { createAuthPasswordResetUrl } from "../../shared/redirect";
+import * as ipaFlow from "./ipa";
+
+const log = logger("auth:password-reset");
+
+const REQUEST_TTL_SECONDS = 900;
+const REQUEST_COOLDOWN_SECONDS = 60;
+const GENERIC_MESSAGE =
+  "If this account can reset a password, a reset link has been sent.";
+
+type ResetTarget = {
+  userId: string;
+  uid: string;
+  email: string;
+};
+
+type ResetAttemptSuccess = {
+  ok: true;
+  userId: string;
+  user: User;
+};
+
+type ResetAttemptFailure =
+  | {
+      ok: false;
+      status: 400;
+      reason: "policy_failed";
+      message: string;
+    }
+  | {
+      ok: false;
+      status: 400 | 401;
+      reason: "invalid_or_expired";
+      message: string;
+    }
+  | {
+      ok: false;
+      status: number;
+      reason: "reset_failed" | "login_failed";
+      message: string;
+    };
+
+const normalizeEmail = (email: string): string => email.trim().toLowerCase();
+const cooldownKey = (email: string) => `password-reset-cooldown:${email}`;
+
+const isInCooldown = async (email: string): Promise<boolean> => {
+  if (await redis.get(cooldownKey(email))) return true;
+  await redis.set(cooldownKey(email), "1", "EX", REQUEST_COOLDOWN_SECONDS);
+  return false;
+};
+
+const buildTarget = (row: { id: string; uid: string; mail: string }): ResetTarget => ({
+  userId: row.id,
+  uid: row.uid,
+  email: row.mail,
+});
+
+const resolveResetTarget = async (email: string): Promise<ResetTarget | null> => {
+  const rows = await sql<{ id: string; uid: string; mail: string }[]>`
+    SELECT id, uid, btrim(mail) AS mail
+    FROM auth.users
+    WHERE provider = 'ipa'
+      AND profile = 'user'
+      AND lower(btrim(mail)) = ${email}
+      AND (account_expires IS NULL OR account_expires > now())
+  `;
+
+  if (rows.length !== 1) {
+    if (rows.length > 1) {
+      log.warn("Password reset skipped: ambiguous IPA email", {
+        email,
+        matches: rows.length,
+      });
+    }
+    return null;
+  }
+
+  return buildTarget(rows[0]!);
+};
+
+const resolveResetTargetForToken = async (params: {
+  userId: string;
+  email: string;
+}): Promise<ResetTarget | null> => {
+  const rows = await sql<{ id: string; uid: string; mail: string }[]>`
+    SELECT id, uid, btrim(mail) AS mail
+    FROM auth.users
+    WHERE id = ${params.userId}
+      AND provider = 'ipa'
+      AND profile = 'user'
+      AND lower(btrim(mail)) = ${params.email}
+      AND (account_expires IS NULL OR account_expires > now())
+    LIMIT 1
+  `;
+
+  return rows.length === 1 ? buildTarget(rows[0]!) : null;
+};
+
+const sendResetEmail = async (
+  params: ResetTarget & { redirectTo?: string }
+): Promise<void> => {
+  const token = await providers.local.auth.createPasswordResetToken({
+    userId: params.userId,
+    uid: params.uid,
+    email: params.email,
+    ttlSeconds: REQUEST_TTL_SECONDS,
+  });
+  const rawAppUrl = await settings.get<string>("app.url");
+  const appUrl = rawAppUrl.startsWith("http")
+    ? rawAppUrl
+    : `https://${rawAppUrl}`;
+  const resetLink = createAuthPasswordResetUrl(appUrl, {
+    token,
+    redirectTo: params.redirectTo,
+  });
+  const [appName, contactEmail, template] = await Promise.all([
+    settings.get<string>("app.name"),
+    settings.get<string>("app.contact_email"),
+    settings.get<string>("mail.password_reset"),
+  ]);
+
+  await notifications.send({
+    type: "email",
+    recipient: params.email,
+    subject: `${appName} Password Reset`,
+    rawHtml: renderTemplate(template, {
+      RESET_LINK: resetLink,
+      APP_NAME: appName,
+      CONTACT_EMAIL: contactEmail?.trim() ?? "",
+    }),
+  });
+};
+
+const changeTemporaryPassword = async (params: {
+  userId: string;
+  uid: string;
+  email: string;
+  temporaryPassword: string;
+  newPassword: string;
+}): Promise<ResetAttemptSuccess | ResetAttemptFailure> => {
+  const changeResult = await ipaFlow.changeExpiredPassword({
+    username: params.uid,
+    currentPassword: params.temporaryPassword,
+    newPassword: params.newPassword,
+  });
+
+  if (!changeResult.ok) {
+    if (changeResult.reason === "change_failed") {
+      return {
+        ok: false,
+        status: 400,
+        reason: "policy_failed",
+        message: `${changeResult.message} Request a new reset link and choose a stronger password.`,
+      };
+    }
+
+    return {
+      ok: false,
+      status: changeResult.status,
+      reason: "login_failed",
+      message: changeResult.message,
+    };
+  }
+
+  await session.revokeAllForUser(changeResult.userId);
+
+  return {
+    ok: true,
+    userId: changeResult.userId,
+    user: changeResult.user,
+  };
+};
+
+export const request = async (params: {
+  email: string;
+  redirectTo?: string;
+}): Promise<{ ok: true; message: string }> => {
+  const email = normalizeEmail(params.email);
+  if (await isInCooldown(email)) {
+    log.info("Password reset request ignored during cooldown");
+    return { ok: true, message: GENERIC_MESSAGE };
+  }
+
+  const freeIpaConfig = await getFreeIpaConfig();
+  if (!freeIpaConfig.enabled || !freeIpaConfig.configured) {
+    log.info("Password reset request accepted while FreeIPA is unavailable");
+    return { ok: true, message: GENERIC_MESSAGE };
+  }
+
+  const target = await resolveResetTarget(email);
+  if (!target) {
+    log.info("Password reset request accepted without eligible target");
+    return { ok: true, message: GENERIC_MESSAGE };
+  }
+
+  await sendResetEmail({ ...target, redirectTo: params.redirectTo });
+  log.info("Password reset email sent", { uid: target.uid });
+  return { ok: true, message: GENERIC_MESSAGE };
+};
+
+export const complete = async (params: {
+  token?: string;
+  newPassword: string;
+}): Promise<ResetAttemptSuccess | ResetAttemptFailure> => {
+  if (!params.token) {
+    return {
+      ok: false,
+      status: 400,
+      reason: "invalid_or_expired",
+      message: "Missing password reset token.",
+    };
+  }
+
+  const payload = await providers.local.auth.consumePasswordResetToken(
+    params.token
+  );
+  if (!payload) {
+    return {
+      ok: false,
+      status: 401,
+      reason: "invalid_or_expired",
+      message:
+        "This password reset link has expired. Request a new reset link.",
+    };
+  }
+
+  const target = await resolveResetTargetForToken({
+    userId: payload.userId,
+    email: payload.email,
+  });
+  if (!target) {
+    return {
+      ok: false,
+      status: 401,
+      reason: "invalid_or_expired",
+      message:
+        "This password reset link has expired. Request a new reset link.",
+    };
+  }
+
+  const serviceSession = await getServiceIpaSession();
+  if (!serviceSession.ok) {
+    return {
+      ok: false,
+      status: serviceSession.status,
+      reason: "reset_failed",
+      message: serviceSession.error,
+    };
+  }
+
+  const resetResult = await providers.ipa.users.resetPassword({
+    ipaSession: serviceSession.data,
+    id: target.userId,
+  });
+  if (!resetResult.ok) {
+    return {
+      ok: false,
+      status: resetResult.status,
+      reason: "reset_failed",
+      message: resetResult.error,
+    };
+  }
+
+  return changeTemporaryPassword({
+    ...target,
+    temporaryPassword: resetResult.data.password,
+    newPassword: params.newPassword,
+  });
+};
+
+export const passwordReset = {
+  request,
+  complete,
+} as const;

package/src/services/auth-flows/proxy-return.test.ts

@@ -0,0 +1,24 @@
+import { describe, expect, test } from "bun:test";
+import * as proxyReturn from "./proxy-return";
+
+describe("proxy auth return tokens", () => {
+  test("creates and consumes one-time return tokens", async () => {
+    const token = await proxyReturn.create({
+      clientId: "proxy-client",
+      url: "https://protected.example/path?query=1",
+      ttlSeconds: 30,
+    });
+
+    expect(token).toBeTruthy();
+    const consumed = await proxyReturn.consume({ token: token! });
+    expect(consumed).toEqual({
+      clientId: "proxy-client",
+      url: "https://protected.example/path?query=1",
+    });
+    expect(await proxyReturn.consume({ token: token! })).toBeNull();
+  });
+
+  test("rejects non-http return URLs", async () => {
+    expect(await proxyReturn.create({ clientId: "proxy-client", url: "javascript:alert(1)" })).toBeNull();
+  });
+});

package/src/services/auth-flows/proxy-return.ts

@@ -0,0 +1,49 @@
+import { redis } from "bun";
+
+const KEY_PREFIX = "auth:proxy-return:";
+const DEFAULT_TTL_SECONDS = 300;
+
+type ProxyReturnPayload = {
+  clientId: string;
+  url: string;
+};
+
+const key = (token: string) => `${KEY_PREFIX}${token}`;
+
+const normalizeReturnUrl = (value: string): string | null => {
+  try {
+    const url = new URL(value);
+    if (url.protocol !== "https:" && url.protocol !== "http:") return null;
+    return url.toString();
+  } catch {
+    return null;
+  }
+};
+
+export const create = async (params: { clientId: string; url: string; ttlSeconds?: number }): Promise<string | null> => {
+  const url = normalizeReturnUrl(params.url);
+  if (!url) return null;
+
+  const token = crypto.randomUUID();
+  const payload: ProxyReturnPayload = {
+    clientId: params.clientId,
+    url,
+  };
+  await redis.set(key(token), JSON.stringify(payload), "EX", params.ttlSeconds ?? DEFAULT_TTL_SECONDS);
+  return token;
+};
+
+export const consume = async (params: { token: string }): Promise<ProxyReturnPayload | null> => {
+  const raw = await redis.getdel(key(params.token));
+  if (!raw) return null;
+
+  try {
+    const payload = JSON.parse(raw) as Partial<ProxyReturnPayload>;
+    if (typeof payload.clientId !== "string" || typeof payload.url !== "string") return null;
+    const url = normalizeReturnUrl(payload.url);
+    if (!url) return null;
+    return { clientId: payload.clientId, url };
+  } catch {
+    return null;
+  }
+};

package/src/services/gateway.ts

@@ -0,0 +1,162 @@
+import { ephemeral, topic } from "@valentinkolb/sync";
+import { logger } from "./logging";
+
+const SNAPSHOT_TTL_MS = 30_000;
+const TOPIC_PREFIX = "cloud:gateway:telemetry";
+const TOPIC_ID = "events";
+const TOPIC_RETENTION_MS = 24 * 60 * 60 * 1000;
+const TOPIC_TENANT = "default";
+const DROP_LOG_INTERVAL_MS = 30_000;
+
+const log = logger("gateway:telemetry");
+
+export type GatewayRouteWarning = {
+  appId: string;
+  prefix: string;
+  reason: string;
+  detail?: string;
+};
+
+export type GatewayRouteSnapshotInput = {
+  instanceId: string;
+  baseUrl: string;
+  startedAt: number;
+  routeHash: string;
+  routeWarnings: GatewayRouteWarning[];
+  table: {
+    version: number;
+    builtAt: number;
+    routeCount: number;
+    routes: Array<{ prefix: string; appId: string }>;
+  };
+  stats: {
+    totalRequests: number;
+    noRouteCount: number;
+    byApp: Map<string, { count: number; totalMs: number; errors: number }>;
+    byRoute: Map<string, { count: number; errors: number; lastSeen: number }>;
+  };
+};
+
+export type GatewayRouteSnapshot = {
+  instanceId: string;
+  baseUrl: string;
+  startedAt: number;
+  updatedAt: number;
+  tableVersion: number;
+  tableBuiltAt: number;
+  routeCount: number;
+  routeHash: string;
+  routeWarnings: GatewayRouteWarning[];
+  routes: Array<{ prefix: string; appId: string }>;
+  stats: {
+    totalRequests: number;
+    noRouteCount: number;
+    byApp: Array<{ appId: string; count: number; totalMs: number; errors: number }>;
+    byRoute: Array<{ prefix: string; count: number; errors: number; lastSeen: number }>;
+  };
+};
+
+export type GatewayTelemetryEvent = {
+  v: 1;
+  kind: "request";
+  appId: string;
+  routePrefix: string;
+  method: string;
+  status: number;
+  durationMs: number;
+  errorKind: "upstream_unavailable" | "unmatched_route" | null;
+  occurredAt: string;
+};
+
+const snapshots = ephemeral<GatewayRouteSnapshot>({
+  id: "gateway-route-snapshots",
+  ttlMs: SNAPSHOT_TTL_MS,
+  limits: { maxPayloadBytes: 128_000 },
+});
+
+export const buildGatewayRouteSnapshot = (input: GatewayRouteSnapshotInput): GatewayRouteSnapshot => ({
+  instanceId: input.instanceId,
+  baseUrl: input.baseUrl,
+  startedAt: input.startedAt,
+  updatedAt: Date.now(),
+  tableVersion: input.table.version,
+  tableBuiltAt: input.table.builtAt,
+  routeCount: input.table.routeCount,
+  routeHash: input.routeHash,
+  routeWarnings: input.routeWarnings,
+  routes: input.table.routes,
+  stats: {
+    totalRequests: input.stats.totalRequests,
+    noRouteCount: input.stats.noRouteCount,
+    byApp: [...input.stats.byApp.entries()].map(([appId, value]) => ({ appId, ...value })),
+    byRoute: [...input.stats.byRoute.entries()].map(([prefix, value]) => ({ prefix, ...value })),
+  },
+});
+
+export const publishGatewayRouteSnapshot = async (snapshot: GatewayRouteSnapshot): Promise<void> => {
+  await snapshots.upsert({ key: `instances/${snapshot.instanceId}`, value: snapshot });
+};
+
+export const removeGatewayRouteSnapshot = async (instanceId: string): Promise<void> => {
+  await snapshots.remove({ key: `instances/${instanceId}` });
+};
+
+export const listGatewayRouteSnapshots = async (): Promise<GatewayRouteSnapshot[]> => {
+  const snap = await snapshots.snapshot({ prefix: "instances/" });
+  return snap.entries.map((entry) => entry.value).sort((a, b) => a.instanceId.localeCompare(b.instanceId));
+};
+
+export const latestGatewayRouteSnapshot = async (): Promise<GatewayRouteSnapshot | null> => {
+  const all = await listGatewayRouteSnapshots();
+  return all.sort((a, b) => b.updatedAt - a.updatedAt)[0] ?? null;
+};
+
+export const gatewayTelemetryTopic = topic<GatewayTelemetryEvent>({
+  id: TOPIC_ID,
+  prefix: TOPIC_PREFIX,
+  retentionMs: TOPIC_RETENTION_MS,
+  limits: { payloadBytes: 8_000 },
+});
+
+export const GATEWAY_TELEMETRY_TENANT = TOPIC_TENANT;
+
+const normalizeMethod = (method: string): string => method.toUpperCase().slice(0, 16);
+const normalizeStatus = (status: number): number => (Number.isFinite(status) ? Math.max(0, Math.min(999, Math.round(status))) : 0);
+const normalizeDuration = (durationMs: number): number => (Number.isFinite(durationMs) ? Math.max(0, Math.round(durationMs)) : 0);
+const normalizeText = (value: string, fallback: string): string => {
+  const trimmed = value.trim();
+  return (trimmed.length ? trimmed : fallback).slice(0, 200);
+};
+
+export const publishRequestTelemetry = (event: Omit<GatewayTelemetryEvent, "v" | "kind" | "occurredAt">): void => {
+  const payload: GatewayTelemetryEvent = {
+    v: 1,
+    kind: "request",
+    appId: normalizeText(event.appId, "unknown"),
+    routePrefix: normalizeText(event.routePrefix, "(unknown)"),
+    method: normalizeMethod(event.method),
+    status: normalizeStatus(event.status),
+    durationMs: normalizeDuration(event.durationMs),
+    errorKind: event.errorKind,
+    occurredAt: new Date().toISOString(),
+  };
+
+  void gatewayTelemetryTopic
+    .pub({
+      tenantId: GATEWAY_TELEMETRY_TENANT,
+      orderingKey: payload.appId,
+      data: payload,
+    })
+    .catch((error) => {
+      const now = Date.now();
+      if (now - lastPublishErrorAt < DROP_LOG_INTERVAL_MS) return;
+      lastPublishErrorAt = now;
+      log.warn("Dropped gateway telemetry event", {
+        appId: payload.appId,
+        routePrefix: payload.routePrefix,
+        error: error instanceof Error ? error.message : String(error),
+      });
+    });
+};
+
+let lastPublishErrorAt = 0;

package/src/services/index.ts

@@ -1,12 +1,27 @@
+// biome-ignore-all assist/source/organizeImports: Preserve grouped service barrel exports.
 export { ipa } from "./ipa";
 export { accounts } from "./accounts";
 export { accountsAppService } from "./accounts";
 export { providers } from "./providers";
 export { authFlows } from "./auth-flows";
-export { toPgTextArray, toPgUuidArray, escapeLikePattern } from "./postgres";
+export { toPgTextArray, toPgUuidArray, escapeLikePattern, isUniqueViolation } from "./postgres";
 
 export { logger, logging } from "./logging";
 export type { LogEntry } from "./logging";
+export { audit } from "./audit";
+export type { AuditActionGroup, AuditActor, AuditEvent, AuditListFilter, AuditOutcome, AuditRecordParams, AuditTarget } from "./audit";
+
+export {
+  GATEWAY_TELEMETRY_TENANT,
+  buildGatewayRouteSnapshot,
+  gatewayTelemetryTopic,
+  latestGatewayRouteSnapshot,
+  listGatewayRouteSnapshots,
+  publishGatewayRouteSnapshot,
+  publishRequestTelemetry,
+  removeGatewayRouteSnapshot,
+} from "./gateway";
+export type { GatewayRouteSnapshot, GatewayRouteSnapshotInput, GatewayRouteWarning, GatewayTelemetryEvent } from "./gateway";
 
 export { notifications } from "./notifications";
 export type {
@@ -16,8 +31,25 @@ export type {
   SendToUserParams,
   NotificationMessage,
 } from "./notifications";
+export { announcements } from "./announcements";
+export type { AnnouncementsService } from "./announcements";
 
 export { session } from "./session";
+export { serviceAccounts } from "./service-accounts";
+export type { ServiceAccount, ServiceAccountKind, ServiceAccountStatus } from "./service-accounts";
+export { serviceAccountCredentials } from "./service-account-credentials";
+export type {
+  AuthenticatedServiceAccountCredential,
+  ServiceAccountCredential,
+  ServiceAccountCredentialKind,
+  ServiceAccountCredentialOverview,
+  ServiceAccountCredentialOwner,
+  ServiceAccountCredentialStatus,
+} from "./service-account-credentials";
+export { oauthTokens } from "./oauth-tokens";
+export type { AuthenticatedOAuthToken } from "./oauth-tokens";
+export { webauthn } from "./webauthn";
+export type { WebAuthnRp } from "./webauthn";
 
 export { accountLifecycle } from "./account-lifecycle";
 export type { AccountLifecycleService } from "./account-lifecycle";
@@ -32,11 +64,21 @@ export type { SettingDef, SettingKind, SettingOption } from "./settings/defaults
 export { renderTemplate } from "./settings/templates";
 export { settingsService } from "./settings/app";
 export type { SettingsService } from "./settings/app";
+export { decryptSecret, encryptSecret, secrets } from "./secrets";
 
 // Typed async API + cache-aside primitives.
 export { coreSettings, createSettingsAPI } from "./settings/api";
 export type { SettingsAPI } from "./settings/api";
-export { readKey as settingsReadKey, writeKey as settingsWriteKey, deleteKey as settingsDeleteKey, bulkRead as settingsBulkRead, allKnownKeys as settingsAllKnownKeys } from "./settings/store";
+export {
+  readKey as settingsReadKey,
+  writeKey as settingsWriteKey,
+  deleteKey as settingsDeleteKey,
+  bulkRead as settingsBulkRead,
+  allKnownKeys as settingsAllKnownKeys,
+  listLegacyKeys as settingsListLegacyKeys,
+  deleteLegacyKeys as settingsDeleteLegacyKeys,
+} from "./settings/store";
+export type { LegacySettingRow } from "./settings/store";
 export { loadSnapshot as loadSettingsSnapshot } from "./settings/snapshot";
 
 export { weatherService } from "./weather";

package/src/services/ipa/effective-groups.test.ts

@@ -0,0 +1,33 @@
+import { describe, expect, test } from "bun:test";
+import { buildEffectiveIpaGroupsByUid } from "./effective-groups";
+
+describe("buildEffectiveIpaGroupsByUid", () => {
+  test("includes direct and inherited parent groups", () => {
+    const effective = buildEffectiveIpaGroupsByUid([
+      { cn: "base-sync", users: [], groups: ["team"] },
+      { cn: "base-realm", users: [], groups: ["base-sync"] },
+      { cn: "team", users: ["eva"], groups: [] },
+    ]);
+
+    expect(effective.get("eva")).toEqual(["base-realm", "base-sync", "team"]);
+  });
+
+  test("keeps transit groups available even when callers hide them from display", () => {
+    const effective = buildEffectiveIpaGroupsByUid([
+      { cn: "base-realm", users: [], groups: ["excluded-transit"] },
+      { cn: "excluded-transit", users: [], groups: ["team"] },
+      { cn: "team", users: ["eva"], groups: [] },
+    ]);
+
+    expect(effective.get("eva")).toEqual(["base-realm", "excluded-transit", "team"]);
+  });
+
+  test("terminates on cyclic group nesting", () => {
+    const effective = buildEffectiveIpaGroupsByUid([
+      { cn: "a", users: ["eva"], groups: ["b"] },
+      { cn: "b", users: [], groups: ["a"] },
+    ]);
+
+    expect(effective.get("eva")).toEqual(["a", "b"]);
+  });
+});

package/src/services/ipa/effective-groups.ts

@@ -0,0 +1,70 @@
+export type IpaGroupMembership = {
+  cn: string;
+  users: string[];
+  groups: string[];
+};
+
+const sorted = (values: Iterable<string>): string[] => [...values].sort((a, b) => a.localeCompare(b));
+
+/**
+ * Build effective IPA group membership from authoritative group records.
+ * A group contains direct users and child groups; user effective membership is
+ * direct groups plus every parent group reached through group nesting.
+ */
+export const buildEffectiveIpaGroupsByUid = (groups: IpaGroupMembership[]): Map<string, string[]> => {
+  const groupNames = new Set(groups.map((group) => group.cn).filter(Boolean));
+  const childToParents = new Map<string, Set<string>>();
+  const directGroupsByUid = new Map<string, Set<string>>();
+
+  for (const group of groups) {
+    if (!group.cn) continue;
+
+    for (const uid of group.users) {
+      if (!uid) continue;
+      const directGroups = directGroupsByUid.get(uid) ?? new Set<string>();
+      directGroups.add(group.cn);
+      directGroupsByUid.set(uid, directGroups);
+    }
+
+    for (const child of group.groups) {
+      if (!child || !groupNames.has(child)) continue;
+      const parents = childToParents.get(child) ?? new Set<string>();
+      parents.add(group.cn);
+      childToParents.set(child, parents);
+    }
+  }
+
+  const memo = new Map<string, Set<string>>();
+  const resolveGroupClosure = (groupName: string, visiting = new Set<string>()): Set<string> => {
+    const cached = memo.get(groupName);
+    if (cached) return cached;
+
+    const closure = new Set<string>([groupName]);
+    if (visiting.has(groupName)) return closure;
+
+    const nextVisiting = new Set(visiting);
+    nextVisiting.add(groupName);
+
+    for (const parent of childToParents.get(groupName) ?? []) {
+      for (const inherited of resolveGroupClosure(parent, nextVisiting)) {
+        closure.add(inherited);
+      }
+    }
+
+    memo.set(groupName, closure);
+    return closure;
+  };
+
+  const effectiveByUid = new Map<string, string[]>();
+  for (const [uid, directGroups] of directGroupsByUid) {
+    const effective = new Set<string>();
+    for (const groupName of directGroups) {
+      for (const inherited of resolveGroupClosure(groupName)) {
+        effective.add(inherited);
+      }
+    }
+    effectiveByUid.set(uid, sorted(effective));
+  }
+
+  return effectiveByUid;
+};