npm - @varshylinc/team-management - Versions diffs - 0.1.0 - Mend

@varshylinc/team-management 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (203) hide show

package/.eslintrc.cjs +18 -0
package/CHANGELOG.md +159 -0
package/LICENSE +6 -0
package/README.md +97 -0
package/dist/index.d.ts +4 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +6 -0
package/dist/index.js.map +1 -0
package/dist/server/crypto.d.ts +6 -0
package/dist/server/crypto.d.ts.map +1 -0
package/dist/server/crypto.js +42 -0
package/dist/server/crypto.js.map +1 -0
package/dist/server/index.d.ts +34 -0
package/dist/server/index.d.ts.map +1 -0
package/dist/server/index.js +114 -0
package/dist/server/index.js.map +1 -0
package/dist/server/middleware/require-membership.d.ts +10 -0
package/dist/server/middleware/require-membership.d.ts.map +1 -0
package/dist/server/middleware/require-membership.js +33 -0
package/dist/server/middleware/require-membership.js.map +1 -0
package/dist/server/middleware/require-role.d.ts +4 -0
package/dist/server/middleware/require-role.d.ts.map +1 -0
package/dist/server/middleware/require-role.js +16 -0
package/dist/server/middleware/require-role.js.map +1 -0
package/dist/server/middleware/require-super-admin.d.ts +5 -0
package/dist/server/middleware/require-super-admin.d.ts.map +1 -0
package/dist/server/middleware/require-super-admin.js +27 -0
package/dist/server/middleware/require-super-admin.js.map +1 -0
package/dist/server/migrations/0001_create_tm_schema_migrations.sql +13 -0
package/dist/server/migrations/0002_create_tm_organizations.sql +14 -0
package/dist/server/migrations/0003_create_tm_memberships.sql +24 -0
package/dist/server/migrations/0004_create_tm_invitations.sql +22 -0
package/dist/server/migrations/0005_create_tm_audit_events.sql +17 -0
package/dist/server/migrations/0006_create_tm_email_change_requests.sql +13 -0
package/dist/server/migrations/0007_create_tm_ownership_transfers.sql +22 -0
package/dist/server/migrations/0008_create_tm_super_admins.sql +8 -0
package/dist/server/migrations/0009_create_tm_password_reset_requests.sql +9 -0
package/dist/server/migrations/0010_create_tm_shared_access.sql +8 -0
package/dist/server/migrations/0011_seed_super_admin.sql +15 -0
package/dist/server/migrations/0012_create_tm_user_locks.sql +7 -0
package/dist/server/routes/admin.routes.d.ts +5 -0
package/dist/server/routes/admin.routes.d.ts.map +1 -0
package/dist/server/routes/admin.routes.js +262 -0
package/dist/server/routes/admin.routes.js.map +1 -0
package/dist/server/routes/audit.routes.d.ts +5 -0
package/dist/server/routes/audit.routes.d.ts.map +1 -0
package/dist/server/routes/audit.routes.js +70 -0
package/dist/server/routes/audit.routes.js.map +1 -0
package/dist/server/routes/health.routes.d.ts +8 -0
package/dist/server/routes/health.routes.d.ts.map +1 -0
package/dist/server/routes/health.routes.js +39 -0
package/dist/server/routes/health.routes.js.map +1 -0
package/dist/server/routes/invitations.routes.d.ts +5 -0
package/dist/server/routes/invitations.routes.d.ts.map +1 -0
package/dist/server/routes/invitations.routes.js +232 -0
package/dist/server/routes/invitations.routes.js.map +1 -0
package/dist/server/routes/me.routes.d.ts +5 -0
package/dist/server/routes/me.routes.d.ts.map +1 -0
package/dist/server/routes/me.routes.js +188 -0
package/dist/server/routes/me.routes.js.map +1 -0
package/dist/server/routes/orgs.routes.d.ts +5 -0
package/dist/server/routes/orgs.routes.d.ts.map +1 -0
package/dist/server/routes/orgs.routes.js +371 -0
package/dist/server/routes/orgs.routes.js.map +1 -0
package/dist/server/routes/transfer.routes.d.ts +5 -0
package/dist/server/routes/transfer.routes.d.ts.map +1 -0
package/dist/server/routes/transfer.routes.js +108 -0
package/dist/server/routes/transfer.routes.js.map +1 -0
package/dist/server/services/audit.service.d.ts +20 -0
package/dist/server/services/audit.service.d.ts.map +1 -0
package/dist/server/services/audit.service.js +23 -0
package/dist/server/services/audit.service.js.map +1 -0
package/dist/server/services/email-change.service.d.ts +16 -0
package/dist/server/services/email-change.service.d.ts.map +1 -0
package/dist/server/services/email-change.service.js +107 -0
package/dist/server/services/email-change.service.js.map +1 -0
package/dist/server/services/invitations.service.d.ts +41 -0
package/dist/server/services/invitations.service.d.ts.map +1 -0
package/dist/server/services/invitations.service.js +214 -0
package/dist/server/services/invitations.service.js.map +1 -0
package/dist/server/services/memberships.service.d.ts +27 -0
package/dist/server/services/memberships.service.d.ts.map +1 -0
package/dist/server/services/memberships.service.js +69 -0
package/dist/server/services/memberships.service.js.map +1 -0
package/dist/server/services/organizations.service.d.ts +19 -0
package/dist/server/services/organizations.service.d.ts.map +1 -0
package/dist/server/services/organizations.service.js +61 -0
package/dist/server/services/organizations.service.js.map +1 -0
package/dist/server/services/ownership.service.d.ts +19 -0
package/dist/server/services/ownership.service.d.ts.map +1 -0
package/dist/server/services/ownership.service.js +102 -0
package/dist/server/services/ownership.service.js.map +1 -0
package/dist/server/services/password-reset.service.d.ts +12 -0
package/dist/server/services/password-reset.service.d.ts.map +1 -0
package/dist/server/services/password-reset.service.js +54 -0
package/dist/server/services/password-reset.service.js.map +1 -0
package/dist/server/services/super-admin.service.d.ts +59 -0
package/dist/server/services/super-admin.service.d.ts.map +1 -0
package/dist/server/services/super-admin.service.js +187 -0
package/dist/server/services/super-admin.service.js.map +1 -0
package/dist/server/types.d.ts +186 -0
package/dist/server/types.d.ts.map +1 -0
package/dist/server/types.js +6 -0
package/dist/server/types.js.map +1 -0
package/dist/shared/types.d.ts +23 -0
package/dist/shared/types.d.ts.map +1 -0
package/dist/shared/types.js +6 -0
package/dist/shared/types.js.map +1 -0
package/package.json +56 -0
package/src/client/api.ts +314 -0
package/src/client/components/AuditEventRow.tsx +59 -0
package/src/client/components/CascadePreview.tsx +36 -0
package/src/client/components/DangerZoneCard.tsx +103 -0
package/src/client/components/InvitationCodeDisplay.tsx +48 -0
package/src/client/components/InviteForm.tsx +77 -0
package/src/client/components/MemberRow.tsx +69 -0
package/src/client/components/PendingTransferBanner.tsx +98 -0
package/src/client/components/PlaceholderCard.tsx +26 -0
package/src/client/components/RoleBadge.tsx +26 -0
package/src/client/components/RoleSelect.tsx +35 -0
package/src/client/hooks/.gitkeep +0 -0
package/src/client/hooks/useCurrentMembership.ts +24 -0
package/src/client/hooks/useMembers.ts +24 -0
package/src/client/hooks/usePendingInvitations.ts +24 -0
package/src/client/hooks/usePendingTransfer.ts +27 -0
package/src/client/index.ts +80 -0
package/src/client/pages/AuditLogPage.tsx +164 -0
package/src/client/pages/EmailChangePage.tsx +144 -0
package/src/client/pages/InvitationAcceptPage.tsx +163 -0
package/src/client/pages/InvitationCodePage.tsx +108 -0
package/src/client/pages/MembersPage.tsx +290 -0
package/src/client/pages/OrgSettingsPage.tsx +185 -0
package/src/client/pages/OwnershipTransferPage.tsx +163 -0
package/src/client/pages/PasswordResetPage.tsx +104 -0
package/src/client/pages/PasswordResetRequestPage.tsx +71 -0
package/src/client/pages/PlaceholderPage.tsx +20 -0
package/src/client/pages/SuperAdminDashboard.tsx +401 -0
package/src/client/types.ts +78 -0
package/src/index.ts +24 -0
package/src/server/crypto.ts +47 -0
package/src/server/index.ts +167 -0
package/src/server/middleware/require-membership.ts +48 -0
package/src/server/middleware/require-role.ts +19 -0
package/src/server/middleware/require-super-admin.ts +32 -0
package/src/server/migrations/0001_create_tm_schema_migrations.sql +13 -0
package/src/server/migrations/0002_create_tm_organizations.sql +14 -0
package/src/server/migrations/0003_create_tm_memberships.sql +24 -0
package/src/server/migrations/0004_create_tm_invitations.sql +22 -0
package/src/server/migrations/0005_create_tm_audit_events.sql +17 -0
package/src/server/migrations/0006_create_tm_email_change_requests.sql +13 -0
package/src/server/migrations/0007_create_tm_ownership_transfers.sql +22 -0
package/src/server/migrations/0008_create_tm_super_admins.sql +8 -0
package/src/server/migrations/0009_create_tm_password_reset_requests.sql +9 -0
package/src/server/migrations/0010_create_tm_shared_access.sql +8 -0
package/src/server/migrations/0011_seed_super_admin.sql +15 -0
package/src/server/migrations/0012_create_tm_user_locks.sql +7 -0
package/src/server/routes/admin.routes.ts +208 -0
package/src/server/routes/audit.routes.ts +93 -0
package/src/server/routes/health.routes.ts +46 -0
package/src/server/routes/invitations.routes.ts +252 -0
package/src/server/routes/me.routes.ts +143 -0
package/src/server/routes/orgs.routes.ts +428 -0
package/src/server/routes/transfer.routes.ts +110 -0
package/src/server/services/.gitkeep +0 -0
package/src/server/services/audit.service.ts +49 -0
package/src/server/services/email-change.service.ts +178 -0
package/src/server/services/invitations.service.ts +316 -0
package/src/server/services/memberships.service.ts +129 -0
package/src/server/services/organizations.service.ts +110 -0
package/src/server/services/ownership.service.ts +170 -0
package/src/server/services/password-reset.service.ts +94 -0
package/src/server/services/super-admin.service.ts +321 -0
package/src/server/sql/.gitkeep +0 -0
package/src/server/types.ts +145 -0
package/src/shared/types.ts +24 -0
package/tests/integration/audit-fires.test.ts +288 -0
package/tests/integration/cascade-preview.test.ts +157 -0
package/tests/integration/email-change.test.ts +190 -0
package/tests/integration/feature-flags.test.ts +213 -0
package/tests/integration/invitations-code.test.ts +218 -0
package/tests/integration/invitations-expiry.test.ts +216 -0
package/tests/integration/invitations-resend.test.ts +241 -0
package/tests/integration/invitations-revoke.test.ts +226 -0
package/tests/integration/invitations-switch-org.test.ts +156 -0
package/tests/integration/invitations-token.test.ts +221 -0
package/tests/integration/migrations.test.ts +119 -0
package/tests/integration/only-owner-protections.test.ts +130 -0
package/tests/integration/org-lifecycle.test.ts +169 -0
package/tests/integration/ownership-transfer-cancel.test.ts +171 -0
package/tests/integration/ownership-transfer-expire.test.ts +171 -0
package/tests/integration/ownership-transfer-happy.test.ts +184 -0
package/tests/integration/ownership-transfer-locks.test.ts +146 -0
package/tests/integration/password-reset.test.ts +200 -0
package/tests/integration/super-admin-actions.test.ts +180 -0
package/tests/integration/super-admin-restrictions.test.ts +209 -0
package/tests/setup/global-setup.ts +20 -0
package/tests/unit/adapter-shape.test.ts +330 -0
package/tests/unit/role-permissions.test.ts +236 -0
package/tests/unit/validation.test.ts +304 -0
package/tsconfig.client.json +13 -0
package/tsconfig.json +12 -0
package/tsconfig.tsbuildinfo +1 -0
package/vitest.config.ts +13 -0

package/.eslintrc.cjs ADDED Viewed

@@ -0,0 +1,18 @@
+module.exports = {
+  root: true,
+  parser: '@typescript-eslint/parser',
+  parserOptions: {
+    project: ['./tsconfig.json', './tsconfig.client.json'],
+    tsconfigRootDir: __dirname,
+  },
+  plugins: ['@typescript-eslint'],
+  extends: [
+    'eslint:recommended',
+    'plugin:@typescript-eslint/recommended',
+  ],
+  rules: {
+    '@typescript-eslint/no-explicit-any': 'warn',
+    '@typescript-eslint/no-unused-vars': ['error', { argsIgnorePattern: '^_' }],
+  },
+  env: { node: true, browser: true, es2022: true },
+};

package/CHANGELOG.md ADDED Viewed

@@ -0,0 +1,159 @@
+# Changelog — @varshylinc/team-management
+## 0.1.0 — 2026-05-08
+First production-grade release. v0.0.1 was a stub with no business logic; v0.1.0 is the first version products can actually consume — a complete team management module with org model, RBAC, invitations, audit log, ownership transfer, email change, password reset, and super-admin back office.
+### Added
+**Org management**
+- `POST /orgs` — create organization (name, slug)
+- `GET /orgs/:id` — fetch org details
+- `PATCH /orgs/:id` — update org name and slug (admin+)
+- `DELETE /orgs/:id` — soft-delete with 30-day grace period; must type org name to confirm (owner only)
+- Org slug unique partial index (active orgs only)
+- Soft-delete columns: `deleted_at`, `delete_scheduled_for`, `deleted_by_user_id`
+**Member management**
+- `GET /orgs/:id/members` — list active members with roles
+- `GET /orgs/:id/members/former` — list removed members with removal metadata
+- `DELETE /orgs/:id/members/:userId` — soft-remove member; records `removed_by_user_id` and `removal_reason`
+- `PATCH /orgs/:id/members/:userId` — change member role (role-gated per matrix)
+- `GET /orgs/:id/members/:userId/cascade-preview` — preview what will be affected by removal
+**Invitations** (flag: `enableInvites`)
+- `POST /orgs/:id/invitations` — invite by email; sends magic link + 6-digit code in same email; 7-day expiry
+- `GET /orgs/:id/invitations` — list pending invitations (admin+)
+- `DELETE /orgs/:id/invitations/:invId` — revoke pending invitation (admin+)
+- `POST /orgs/:id/invitations/:invId/resend` — regenerate token + code, invalidate old (admin+)
+- `GET /orgs/:id/invitations/:invId/code` — fetch decrypted 6-digit code for phone fallback (admin+)
+- `GET /invitations/accept/:token` — public magic-link landing; shows org, role, inviter
+- `POST /invitations/accept/code` — public code-entry; `{email, code}`
+- Sub-A enforcement: member accepting while already in an org gets warning; owner is blocked entirely
+**Audit log** (flag: `enableAuditLog`)
+- `GET /orgs/:id/audit` — paginated audit events (admin+ only)
+- 13 event types: `org.created`, `org.settings.updated`, `org.deleted`, `member.invited`, `member.invite_accepted`, `member.invite_revoked`, `member.removed`, `member.role_changed`, `ownership.transfer_initiated`, `ownership.transfer_accepted`, `ownership.transfer_cancelled`, `email.change_requested`, `email.change_completed`
+- Each event stores: `actor_user_id`, `actor_type` (`user`/`super_admin`), `action`, `target_type`, `target_id`, `before` JSONB, `after` JSONB, `ip`, `user_agent`, `reason`, `created_at`
+- Super-admin events appear as "Varshyl Support" (real identity never exposed to org)
+**Ownership transfer** (flag: `enableOwnershipTransfer`)
+- `POST /orgs/:id/transfer` — initiate transfer to an admin (owner only; target must already be admin)
+- `GET /orgs/:id/transfer` — get pending transfer details
+- `POST /orgs/:id/transfer/:transferId/accept` — accept transfer (atomic role swap)
+- `DELETE /orgs/:id/transfer/:transferId` — cancel transfer (either party)
+- Transfer locks: no second transfer, no org delete, no party removal during pending transfer
+- 7-day expiration; auto-cancelled on expiry
+**Email change** (flag: `enableEmailChange`)
+- `POST /me/email-change` — request email change; sends verification to new + notice to old
+- `GET /me/email-change/verify` — verify new email via token
+- `POST /me/email-change/cancel` — cancel via old-email cancellation link; triggers mandatory password reset
+- Rate limit: 3 requests per user per 24 hours
+- Old-email notice contains cancel link with mandatory-reset semantics if clicked
+**Password reset** (flag: `enablePasswordReset`)
+- `POST /me/password-reset/request` — self-service; always returns 200 (no user enumeration)
+- `POST /me/password-reset/confirm` — confirm with token + new password
+- Rate limit: 3 requests per email per hour
+- 1-hour token expiry
+**Super-admin back office** (flag: `enableSuperAdmin`, default OFF)
+- `GET /admin/orgs` — list all orgs including deleted
+- `GET /admin/orgs/:id` — org details + members
+- `POST /admin/orgs/:id/restore` — restore soft-deleted org during grace period
+- `POST /admin/orgs/:id/appoint-owner` — appoint new owner (requires `reason`)
+- `POST /admin/orgs/:id/hard-delete` — legal-compliance hard delete (requires `legal_basis`)
+- `POST /admin/orgs/:id/members/add` — add member to any org (requires `reason`)
+- `POST /admin/orgs/:id/members/remove` — remove member from any org (requires `reason`)
+- `POST /admin/users/:id/lock` — lock user account (requires `reason`)
+- `POST /admin/users/:id/unlock` — unlock account
+- `POST /admin/users/:id/password-reset` — trigger reset link; super-admin never sees password
+- All super-admin actions require `reason` text; write audit event with `actor_type='super_admin'`
+- Cannot impersonate users; cannot modify product data; cannot set passwords directly
+**Self-service**
+- `GET /me/membership` — current user's org membership info
+**Health**
+- `GET /health` — module health with flag states
+### Adapter contract changes
+11 new required methods added to `ServerModuleAdapter` (all hosts must implement):
+| Method | Purpose |
+|--------|---------|
+| `getUserById(userId)` | Look up user by ID |
+| `getUsersByIds(userIds[])` | Batch user lookup |
+| `findUserByEmail(email)` | Look up user by email |
+| `createUserFromInvite({email, orgId, role})` | Create user on invite accept |
+| `setUserPassword(userId, hash)` | Store new password hash |
+| `hashPassword(plaintext)` | Hash a password |
+| `verifyPassword(plaintext, hash)` | Verify password against hash |
+| `invalidateAllUserSessions(userId)` | Invalidate all sessions for user |
+| `sendInviteEmail({to, orgName, inviterName, role, magicLinkUrl, code})` | Send invitation email |
+| `sendOwnershipTransferEmail({to, orgName, fromName, transferUrl})` | Send transfer notification |
+| `sendEmailChangeVerification({to, verifyUrl})` | Send verification to new email |
+| `sendEmailChangeOldNotice({to, newEmail, cancelUrl})` | Send notice to old email |
+| `sendEmailChangedFinalNotice({to, oldEmail, newEmail})` | Send final confirmation |
+| `sendPasswordResetEmail({to, resetUrl})` | Send reset link |
+| `sendOrgDeletionNotice({to, orgName, scheduledFor})` | Notify members on org delete |
+| `emitNotification({userId, type, payload})` | In-app notification hook |
+### Migrations included
+| File | Description |
+|------|-------------|
+| `0001_create_tm_schema_migrations.sql` | Migration ledger table |
+| `0002_create_tm_organizations.sql` | Organizations table |
+| `0003_create_tm_memberships.sql` | Memberships with soft-delete columns |
+| `0004_create_tm_invitations.sql` | Invitations with encrypted code storage |
+| `0005_create_tm_audit_events.sql` | Audit events log |
+| `0006_create_tm_email_change_requests.sql` | Email change requests |
+| `0007_create_tm_ownership_transfers.sql` | Ownership transfer requests |
+| `0008_create_tm_super_admins.sql` | Super-admin registry |
+| `0009_create_tm_password_reset_requests.sql` | Password reset tokens |
+| `0010_create_tm_shared_access.sql` | Shared access scaffold (empty, v0.2.0) |
+| `0011_seed_super_admin.sql` | Super-admin seed (idempotent, flag-gated) |
+All migrations are forward-only, idempotent (`IF NOT EXISTS`), and tracked in `tm_schema_migrations`.
+### Feature flags introduced
+| Flag | Default | Description |
+|------|---------|-------------|
+| `enableInvites` | `true` | Invitation flows (magic link + code) |
+| `enableAuditLog` | `true` | Audit log table and routes |
+| `enableOwnershipTransfer` | `true` | Ownership transfer flow |
+| `enableEmailChange` | `true` | Self-service email change |
+| `enablePasswordReset` | `true` | Self-service password reset |
+| `enableSuperAdmin` | `false` | Super-admin back office (Varshyl internal) |
+| `enableSharedAccess` | `false` | Shared access scaffold (reserved v0.2.0) |
+| `enableHardDelete` | `false` | Super-admin direct hard-delete |
+Routes return `501 Not Implemented` when their flag is off.
+### Locked design decisions (set in v0.1.0; future major bumps may revise)
+**Decision 1 — Org model:** Every user belongs to exactly one org at a time. Solo accounts = org of one. `tm_shared_access` scaffolded empty (v0.2.0 placeholder). Multi-contractor vendor case handled by existing vendor-invite system in ConstructIInv (out of scope).
+**Decision 2 — Roles:** Four roles: `owner` (unique per org, billing, delete, transfer), `admin` (invite/remove/settings, no audit-visible super-admin identity), `member` (day-to-day, no team powers), `viewer` (read-only). Permission matrix enforced at middleware level.
+**Decision 3 — Audit log:** Stored forever. Visible to admin+ only. 13 event types. Super-admin entries visible as "Varshyl Support" — real identity never exposed.
+**Decision 4 — Invitations:** Magic link + 6-digit code in same email. AES-256-GCM encryption for codes. 7-day expiry. Sub-A: member accepting into new org gets explicit warning + atomic switch; owner is blocked until they transfer or delete current org.
+**Decision 5 — Deletion:** Member removal is soft (`removed_at`). Org deletion is soft with 30-day grace; confirm by typing org name. Background sweep hard-deletes after grace period.
+**Decision 6 — Email change:** Verification to new address + immediate notice to old. Cancel from old address triggers mandatory password reset. Rate limit: 3 per user per 24h.
+**Decision 7 — Ownership transfer:** Target must already be admin. Confirm by typing org name (initiator) and email (recipient). Atomic role swap on accept. Locks: no second transfer, no org delete, no party removal.
+**Decision 8 — Super-admin:** Flag-gated (default OFF). Seeded from `TM_SUPER_ADMIN_EMAIL` env. Cannot impersonate, cannot modify product data, cannot set passwords. All actions require reason text.
+---
+## v0.0.1 — 2026-04-28
+Initial stub. Module scaffolding only — no business logic.

package/LICENSE ADDED Viewed

@@ -0,0 +1,6 @@
+UNLICENSED
+Copyright (c) 2026 Varshyl Inc. All rights reserved.
+This software and associated documentation files are proprietary and confidential.
+Unauthorized copying, distribution, modification, or use is strictly prohibited.

package/README.md ADDED Viewed

@@ -0,0 +1,97 @@
+# @varshylinc/team-management
+> Shared team management module for Varshyl products. Install as a versioned package via git tag.
+## Status
+**Stub** — architecture in place, features to be implemented in the Team Management design session.
+## 1. Installation
+```json
+"dependencies": {
+  "@varshylinc/team-management": "github:VagishKapila/varshyl-toolkit#team-management-v0.0.1"
+}
+```
+## 2. Server setup
+```ts
+import { createServerModule } from '@varshylinc/team-management';
+import type { ServerModuleAdapter } from '@varshylinc/team-management';
+// Implement the adapter for your product
+const adapter: ServerModuleAdapter = {
+  getCurrentUserId: async (req) => req.user?.id ?? null,
+  getOrganizationIdForUser: async (userId) => yourDb.getOrgId(userId),
+  isUserOrgAdmin: async (userId, orgId) => yourDb.checkAdmin(userId, orgId),
+  logger: console,
+};
+const tm = createServerModule({
+  adapter,
+  db: yourPgPool,
+  config: {
+    featureFlags: { enableInvites: false, enableAuditLog: false },
+  },
+});
+// Run on boot — idempotent, safe to call every startup
+await tm.runMigrations();
+// Mount the router
+app.use('/api/team', tm.router);
+```
+## 3. Client setup
+```tsx
+import { PlaceholderPage } from '@varshylinc/team-management/client';
+// In your React router:
+<Route path="/team" element={<PlaceholderPage />} />
+```
+## 4. DB ownership
+All DB tables are prefixed `tm_*`. The module owns them exclusively.
+Host products must not query these tables directly — use the module's API.
+| Table | Purpose |
+|---|---|
+| `tm_schema_migrations` | Migration ledger — tracks applied migrations |
+## 5. Feature flags
+| Flag | Default | Description |
+|---|---|---|
+| `enableInvites` | `false` | Enable invite flows (stub) |
+| `enableAuditLog` | `false` | Enable audit log (stub) |
+Routes for disabled flags return `501 Not Implemented`.
+## 6. API routes
+| Method | Path | Description |
+|---|---|---|
+| GET | `/health` | Module health + DB connectivity check |
+| GET | `/invites` | List invites (flag: `enableInvites`) |
+| POST | `/invites` | Create invite (flag: `enableInvites`) |
+| GET | `/audit` | Audit log (flag: `enableAuditLog`) |
+## 7. Adapter interface
+See `src/server/types.ts` for the full `ServerModuleAdapter` interface.
+## 8. Versioning
+Tags: `team-management-v<X.Y.Z>`. See `CHANGELOG.md` for history.
+## 9. Migrations
+Migrations are plain SQL files in `src/server/migrations/`, named `NNNN_description.sql`.
+`runMigrations()` applies them in order, skipping already-applied ones (ledger in `tm_schema_migrations`).
+## 10. Architecture
+See `../../docs/SHARED_MODULE_ARCHITECTURE.md` for the full architecture doc.

package/dist/index.d.ts ADDED Viewed

@@ -0,0 +1,4 @@
+export { createServerModule } from './server/index.js';
+export type { ServerModuleAdapter, TeamManagementConfig, TeamManagementServerModule, OrgRole, AuditActorType, TransferStatus, TmOrganization, TmMembership, TmInvitation, TmAuditEvent, TmOwnershipTransfer, TmPasswordResetRequest, TeamManagementFeatureFlags, } from './server/types.js';
+export type { TeamMember, TeamInvite } from './shared/types.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,kBAAkB,EAAE,MAAM,mBAAmB,CAAC;AACvD,YAAY,EACV,mBAAmB,EACnB,oBAAoB,EACpB,0BAA0B,EAC1B,OAAO,EACP,cAAc,EACd,cAAc,EACd,cAAc,EACd,YAAY,EACZ,YAAY,EACZ,YAAY,EACZ,mBAAmB,EACnB,sBAAsB,EACtB,0BAA0B,GAC3B,MAAM,mBAAmB,CAAC;AAG3B,YAAY,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC"}

package/dist/index.js ADDED Viewed

@@ -0,0 +1,6 @@
+// ─── Server exports (Node.js + tsc, DO NOT import in browser bundles) ─────────
+export { createServerModule } from './server/index.js';
+// NOTE: Client exports live in packages/team-management/src/client/index.ts
+// Import them in your bundler (Vite/webpack) via the "client" export condition:
+//   import { PlaceholderPage } from '@varshylinc/team-management/client'
+//# sourceMappingURL=index.js.map

package/dist/index.js.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,iFAAiF;AACjF,OAAO,EAAE,kBAAkB,EAAE,MAAM,mBAAmB,CAAC;AAoBvD,4EAA4E;AAC5E,gFAAgF;AAChF,yEAAyE"}

package/dist/server/crypto.d.ts ADDED Viewed

@@ -0,0 +1,6 @@
+export declare function encrypt(plaintext: string): string;
+export declare function decrypt(ciphertext: string): string;
+export declare function sha256(input: string): string;
+export declare function generateToken(byteLength?: number): string;
+export declare function generateSixDigitCode(): string;
+//# sourceMappingURL=crypto.d.ts.map

package/dist/server/crypto.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"crypto.d.ts","sourceRoot":"","sources":["../../src/server/crypto.ts"],"names":[],"mappings":"AAWA,wBAAgB,OAAO,CAAC,SAAS,EAAE,MAAM,GAAG,MAAM,CAOjD;AAED,wBAAgB,OAAO,CAAC,UAAU,EAAE,MAAM,GAAG,MAAM,CAWlD;AAED,wBAAgB,MAAM,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAE5C;AAED,wBAAgB,aAAa,CAAC,UAAU,SAAK,GAAG,MAAM,CAErD;AAED,wBAAgB,oBAAoB,IAAI,MAAM,CAI7C"}

package/dist/server/crypto.js ADDED Viewed

@@ -0,0 +1,42 @@
+import { createCipheriv, createDecipheriv, randomBytes, createHash } from 'crypto';
+const ALGORITHM = 'aes-256-gcm';
+const IV_LENGTH = 12;
+function getKey() {
+    const secret = process.env.TM_ENCRYPTION_KEY;
+    if (!secret)
+        throw new Error('TM_ENCRYPTION_KEY environment variable is required');
+    return createHash('sha256').update(secret).digest();
+}
+export function encrypt(plaintext) {
+    const key = getKey();
+    const iv = randomBytes(IV_LENGTH);
+    const cipher = createCipheriv(ALGORITHM, key, iv);
+    const encrypted = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
+    const tag = cipher.getAuthTag();
+    return `${iv.toString('hex')}:${tag.toString('hex')}:${encrypted.toString('hex')}`;
+}
+export function decrypt(ciphertext) {
+    const key = getKey();
+    const parts = ciphertext.split(':');
+    if (parts.length !== 3)
+        throw new Error('Invalid ciphertext format');
+    const [ivHex, tagHex, encHex] = parts;
+    const iv = Buffer.from(ivHex, 'hex');
+    const tag = Buffer.from(tagHex, 'hex');
+    const encrypted = Buffer.from(encHex, 'hex');
+    const decipher = createDecipheriv(ALGORITHM, key, iv);
+    decipher.setAuthTag(tag);
+    return decipher.update(encrypted).toString('utf8') + decipher.final('utf8');
+}
+export function sha256(input) {
+    return createHash('sha256').update(input).digest('hex');
+}
+export function generateToken(byteLength = 32) {
+    return randomBytes(byteLength).toString('hex');
+}
+export function generateSixDigitCode() {
+    // Cryptographically random 6-digit code (100000-999999)
+    const rand = randomBytes(4).readUInt32BE(0);
+    return String(100000 + (rand % 900000));
+}
+//# sourceMappingURL=crypto.js.map

package/dist/server/crypto.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"crypto.js","sourceRoot":"","sources":["../../src/server/crypto.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,cAAc,EAAE,gBAAgB,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,QAAQ,CAAC;AAEnF,MAAM,SAAS,GAAG,aAAa,CAAC;AAChC,MAAM,SAAS,GAAG,EAAE,CAAC;AAErB,SAAS,MAAM;IACb,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC;IAC7C,IAAI,CAAC,MAAM;QAAE,MAAM,IAAI,KAAK,CAAC,oDAAoD,CAAC,CAAC;IACnF,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,EAAE,CAAC;AACtD,CAAC;AAED,MAAM,UAAU,OAAO,CAAC,SAAiB;IACvC,MAAM,GAAG,GAAG,MAAM,EAAE,CAAC;IACrB,MAAM,EAAE,GAAG,WAAW,CAAC,SAAS,CAAC,CAAC;IAClC,MAAM,MAAM,GAAG,cAAc,CAAC,SAAS,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;IAClD,MAAM,SAAS,GAAG,MAAM,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,SAAS,EAAE,MAAM,CAAC,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;IACpF,MAAM,GAAG,GAAG,MAAM,CAAC,UAAU,EAAE,CAAC;IAChC,OAAO,GAAG,EAAE,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;AACrF,CAAC;AAED,MAAM,UAAU,OAAO,CAAC,UAAkB;IACxC,MAAM,GAAG,GAAG,MAAM,EAAE,CAAC;IACrB,MAAM,KAAK,GAAG,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IACpC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC;QAAE,MAAM,IAAI,KAAK,CAAC,2BAA2B,CAAC,CAAC;IACrE,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,CAAC,GAAG,KAAK,CAAC;IACtC,MAAM,EAAE,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,EAAE,KAAK,CAAC,CAAC;IACrC,MAAM,GAAG,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;IACvC,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,MAAM,EAAE,KAAK,CAAC,CAAC;IAC7C,MAAM,QAAQ,GAAG,gBAAgB,CAAC,SAAS,EAAE,GAAG,EAAE,EAAE,CAAC,CAAC;IACtD,QAAQ,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC;IACzB,OAAO,QAAQ,CAAC,MAAM,CAAC,SAAS,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,GAAG,QAAQ,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;AAC9E,CAAC;AAED,MAAM,UAAU,MAAM,CAAC,KAAa;IAClC,OAAO,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AAC1D,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,UAAU,GAAG,EAAE;IAC3C,OAAO,WAAW,CAAC,UAAU,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;AACjD,CAAC;AAED,MAAM,UAAU,oBAAoB;IAClC,wDAAwD;IACxD,MAAM,IAAI,GAAG,WAAW,CAAC,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC;IAC5C,OAAO,MAAM,CAAC,MAAM,GAAG,CAAC,IAAI,GAAG,MAAM,CAAC,CAAC,CAAC;AAC1C,CAAC"}

package/dist/server/index.d.ts ADDED Viewed

@@ -0,0 +1,34 @@
+import type { Pool } from 'pg';
+import type { ServerModuleAdapter, TeamManagementConfig, TeamManagementServerModule, TeamManagementFeatureFlags } from './types.js';
+export declare function runMigrations(db: Pool, logger?: {
+    info(msg: string): void;
+}): Promise<{
+    applied: string[];
+    skipped: string[];
+}>;
+/**
+ * createServerModule — entry point for host products.
+ *
+ * Usage (production):
+ *   const tm = createServerModule({ adapter, db, config });
+ *   await tm.runMigrations();
+ *   app.use('/api/team', tm.router);
+ *
+ * Usage (test shorthand — pool and features accepted as aliases):
+ *   const tm = createServerModule({ adapter, pool, features });
+ */
+export declare function createServerModule(opts: {
+    adapter: ServerModuleAdapter;
+    /** pg Pool — use `db` or `pool` interchangeably */
+    db?: Pool;
+    /** Alias for db */
+    pool?: Pool;
+    /** Full config object (takes precedence over individual fields below) */
+    config?: TeamManagementConfig;
+    /** Shorthand for config.featureFlags */
+    features?: Partial<TeamManagementFeatureFlags>;
+    /** Shorthand for config.baseUrl */
+    baseUrl?: string;
+}): TeamManagementServerModule;
+export type { ServerModuleAdapter, TeamManagementConfig, TeamManagementServerModule };
+//# sourceMappingURL=index.d.ts.map

package/dist/server/index.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/server/index.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,IAAI,CAAC;AAW/B,OAAO,KAAK,EACV,mBAAmB,EACnB,oBAAoB,EACpB,0BAA0B,EAC1B,0BAA0B,EAC3B,MAAM,YAAY,CAAC;AAkCpB,wBAAsB,aAAa,CACjC,EAAE,EAAE,IAAI,EACR,MAAM,GAAE;IAAE,IAAI,CAAC,GAAG,EAAE,MAAM,GAAG,IAAI,CAAA;CAAuB,GACvD,OAAO,CAAC;IAAE,OAAO,EAAE,MAAM,EAAE,CAAC;IAAC,OAAO,EAAE,MAAM,EAAE,CAAA;CAAE,CAAC,CAmCnD;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,kBAAkB,CAAC,IAAI,EAAE;IACvC,OAAO,EAAE,mBAAmB,CAAC;IAC7B,mDAAmD;IACnD,EAAE,CAAC,EAAE,IAAI,CAAC;IACV,mBAAmB;IACnB,IAAI,CAAC,EAAE,IAAI,CAAC;IACZ,yEAAyE;IACzE,MAAM,CAAC,EAAE,oBAAoB,CAAC;IAC9B,wCAAwC;IACxC,QAAQ,CAAC,EAAE,OAAO,CAAC,0BAA0B,CAAC,CAAC;IAC/C,mCAAmC;IACnC,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB,GAAG,0BAA0B,CAkD7B;AAED,YAAY,EAAE,mBAAmB,EAAE,oBAAoB,EAAE,0BAA0B,EAAE,CAAC"}

package/dist/server/index.js ADDED Viewed

@@ -0,0 +1,114 @@
+import { Router } from 'express';
+import { readFileSync } from 'fs';
+import { join } from 'path';
+import { createHealthRouter } from './routes/health.routes.js';
+import { createOrgsRouter } from './routes/orgs.routes.js';
+import { createInvitationsRouter } from './routes/invitations.routes.js';
+import { createMeRouter } from './routes/me.routes.js';
+import { createTransferRouter } from './routes/transfer.routes.js';
+import { createAuditRouter } from './routes/audit.routes.js';
+import { createAdminRouter } from './routes/admin.routes.js';
+import { seedSuperAdmin } from './services/super-admin.service.js';
+const migrationsDir = join(new URL('.', import.meta.url).pathname, 'migrations');
+// All migrations in order. Append new migrations here — never reorder or remove.
+const MIGRATIONS = [
+    { name: '0001_create_tm_schema_migrations', file: join(migrationsDir, '0001_create_tm_schema_migrations.sql') },
+    { name: '0002_create_tm_organizations', file: join(migrationsDir, '0002_create_tm_organizations.sql') },
+    { name: '0003_create_tm_memberships', file: join(migrationsDir, '0003_create_tm_memberships.sql') },
+    { name: '0004_create_tm_invitations', file: join(migrationsDir, '0004_create_tm_invitations.sql') },
+    { name: '0005_create_tm_audit_events', file: join(migrationsDir, '0005_create_tm_audit_events.sql') },
+    { name: '0006_create_tm_email_change_requests', file: join(migrationsDir, '0006_create_tm_email_change_requests.sql') },
+    { name: '0007_create_tm_ownership_transfers', file: join(migrationsDir, '0007_create_tm_ownership_transfers.sql') },
+    { name: '0008_create_tm_super_admins', file: join(migrationsDir, '0008_create_tm_super_admins.sql') },
+    { name: '0009_create_tm_password_reset_requests', file: join(migrationsDir, '0009_create_tm_password_reset_requests.sql') },
+    { name: '0010_create_tm_shared_access', file: join(migrationsDir, '0010_create_tm_shared_access.sql') },
+    { name: '0011_seed_super_admin', file: join(migrationsDir, '0011_seed_super_admin.sql') },
+    { name: '0012_create_tm_user_locks', file: join(migrationsDir, '0012_create_tm_user_locks.sql') },
+];
+// Default feature flags for v0.1.0
+const DEFAULT_FLAGS = {
+    enableInvites: true,
+    enableAuditLog: true,
+    enableOwnershipTransfer: true,
+    enableEmailChange: true,
+    enablePasswordReset: true,
+    enableSuperAdmin: false,
+    enableSharedAccess: false,
+    enableHardDelete: false,
+};
+// ── Standalone migration runner ─────────────────────────────────────────────
+// Exported so tests and globalSetup can call it directly without a full module.
+export async function runMigrations(db, logger = { info: () => { } }) {
+    const applied = [];
+    const skipped = [];
+    // Boot step: ensure ledger table exists (idempotent — CREATE TABLE IF NOT EXISTS)
+    const ledgerSql = readFileSync(join(migrationsDir, '0001_create_tm_schema_migrations.sql'), 'utf-8');
+    await db.query(ledgerSql);
+    for (const migration of MIGRATIONS) {
+        const result = await db.query('SELECT id FROM tm_schema_migrations WHERE migration = $1', [migration.name]);
+        if (result.rows.length > 0) {
+            skipped.push(migration.name);
+            logger.info(`[team-management] skipped: ${migration.name}`);
+            continue;
+        }
+        const sql = readFileSync(migration.file, 'utf-8');
+        await db.query(sql);
+        await db.query('INSERT INTO tm_schema_migrations (migration) VALUES ($1)', [migration.name]);
+        applied.push(migration.name);
+        logger.info(`[team-management] applied: ${migration.name}`);
+    }
+    return { applied, skipped };
+}
+/**
+ * createServerModule — entry point for host products.
+ *
+ * Usage (production):
+ *   const tm = createServerModule({ adapter, db, config });
+ *   await tm.runMigrations();
+ *   app.use('/api/team', tm.router);
+ *
+ * Usage (test shorthand — pool and features accepted as aliases):
+ *   const tm = createServerModule({ adapter, pool, features });
+ */
+export function createServerModule(opts) {
+    const db = (opts.db ?? opts.pool);
+    const featureFlags = opts.config?.featureFlags ?? opts.features ?? {};
+    const baseUrl = opts.config?.baseUrl ?? opts.baseUrl ?? '';
+    const config = { featureFlags, baseUrl };
+    const { adapter } = opts;
+    const flags = {
+        ...DEFAULT_FLAGS,
+        ...featureFlags,
+    };
+    // ── Super-admin seed on boot ────────────────────────────────────────────────
+    if (flags.enableSuperAdmin) {
+        const superAdminEmail = process.env.TM_SUPER_ADMIN_EMAIL;
+        if (superAdminEmail) {
+            seedSuperAdmin(db, adapter, superAdminEmail).catch(e => {
+                adapter.logger.warn('[team-management] seedSuperAdmin failed', {
+                    error: e.message,
+                });
+            });
+        }
+    }
+    // ── Routers ─────────────────────────────────────────────────────────────────
+    const { router: healthRouter } = createHealthRouter(db, config);
+    const orgsRouter = createOrgsRouter(db, adapter, flags);
+    const invitationsRouter = createInvitationsRouter(db, adapter, flags, baseUrl);
+    const meRouter = createMeRouter(db, adapter, flags, baseUrl);
+    const transferRouter = createTransferRouter(db, adapter, flags, baseUrl);
+    const auditRouter = createAuditRouter(db, adapter, flags);
+    const adminRouter = createAdminRouter(db, adapter, flags, baseUrl);
+    const router = Router();
+    router.use(healthRouter);
+    router.use('/me', meRouter);
+    router.use('/orgs', orgsRouter);
+    router.use('/orgs', invitationsRouter);
+    router.use('/orgs', transferRouter);
+    router.use('/orgs', auditRouter);
+    router.use('/invitations', invitationsRouter);
+    router.use('/admin', adminRouter);
+    const migrate = () => runMigrations(db, adapter.logger);
+    return { router, runMigrations: migrate, migrate };
+}
+//# sourceMappingURL=index.js.map

package/dist/server/index.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/server/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AAEjC,OAAO,EAAE,YAAY,EAAE,MAAM,IAAI,CAAC;AAClC,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAC5B,OAAO,EAAE,kBAAkB,EAAE,MAAM,2BAA2B,CAAC;AAC/D,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAC3D,OAAO,EAAE,uBAAuB,EAAE,MAAM,gCAAgC,CAAC;AACzE,OAAO,EAAE,cAAc,EAAE,MAAM,uBAAuB,CAAC;AACvD,OAAO,EAAE,oBAAoB,EAAE,MAAM,6BAA6B,CAAC;AACnE,OAAO,EAAE,iBAAiB,EAAE,MAAM,0BAA0B,CAAC;AAC7D,OAAO,EAAE,iBAAiB,EAAE,MAAM,0BAA0B,CAAC;AAC7D,OAAO,EAAE,cAAc,EAAE,MAAM,mCAAmC,CAAC;AAQnE,MAAM,aAAa,GAAG,IAAI,CAAC,IAAI,GAAG,CAAC,GAAG,EAAE,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,QAAQ,EAAE,YAAY,CAAC,CAAC;AAEjF,iFAAiF;AACjF,MAAM,UAAU,GAA0C;IACxD,EAAE,IAAI,EAAE,kCAAkC,EAAE,IAAI,EAAE,IAAI,CAAC,aAAa,EAAE,sCAAsC,CAAC,EAAE;IAC/G,EAAE,IAAI,EAAE,8BAA8B,EAAK,IAAI,EAAE,IAAI,CAAC,aAAa,EAAE,kCAAkC,CAAC,EAAE;IAC1G,EAAE,IAAI,EAAE,4BAA4B,EAAO,IAAI,EAAE,IAAI,CAAC,aAAa,EAAE,gCAAgC,CAAC,EAAE;IACxG,EAAE,IAAI,EAAE,4BAA4B,EAAO,IAAI,EAAE,IAAI,CAAC,aAAa,EAAE,gCAAgC,CAAC,EAAE;IACxG,EAAE,IAAI,EAAE,6BAA6B,EAAM,IAAI,EAAE,IAAI,CAAC,aAAa,EAAE,iCAAiC,CAAC,EAAE;IACzG,EAAE,IAAI,EAAE,sCAAsC,EAAG,IAAI,EAAE,IAAI,CAAC,aAAa,EAAE,0CAA0C,CAAC,EAAE;IACxH,EAAE,IAAI,EAAE,oCAAoC,EAAK,IAAI,EAAE,IAAI,CAAC,aAAa,EAAE,wCAAwC,CAAC,EAAE;IACtH,EAAE,IAAI,EAAE,6BAA6B,EAAY,IAAI,EAAE,IAAI,CAAC,aAAa,EAAE,iCAAiC,CAAC,EAAE;IAC/G,EAAE,IAAI,EAAE,wCAAwC,EAAC,IAAI,EAAE,IAAI,CAAC,aAAa,EAAE,4CAA4C,CAAC,EAAE;IAC1H,EAAE,IAAI,EAAE,8BAA8B,EAAW,IAAI,EAAE,IAAI,CAAC,aAAa,EAAE,kCAAkC,CAAC,EAAE;IAChH,EAAE,IAAI,EAAE,uBAAuB,EAAkB,IAAI,EAAE,IAAI,CAAC,aAAa,EAAE,2BAA2B,CAAC,EAAE;IACzG,EAAE,IAAI,EAAE,2BAA2B,EAAc,IAAI,EAAE,IAAI,CAAC,aAAa,EAAE,+BAA+B,CAAC,EAAE;CAC9G,CAAC;AAEF,mCAAmC;AACnC,MAAM,aAAa,GAAyC;IAC1D,aAAa,EAAE,IAAI;IACnB,cAAc,EAAE,IAAI;IACpB,uBAAuB,EAAE,IAAI;IAC7B,iBAAiB,EAAE,IAAI;IACvB,mBAAmB,EAAE,IAAI;IACzB,gBAAgB,EAAE,KAAK;IACvB,kBAAkB,EAAE,KAAK;IACzB,gBAAgB,EAAE,KAAK;CACxB,CAAC;AAEF,+EAA+E;AAC/E,gFAAgF;AAChF,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,EAAQ,EACR,SAAsC,EAAE,IAAI,EAAE,GAAG,EAAE,GAAE,CAAC,EAAE;IAExD,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,MAAM,OAAO,GAAa,EAAE,CAAC;IAE7B,kFAAkF;IAClF,MAAM,SAAS,GAAG,YAAY,CAC5B,IAAI,CAAC,aAAa,EAAE,sCAAsC,CAAC,EAC3D,OAAO,CACR,CAAC;IACF,MAAM,EAAE,CAAC,KAAK,CAAC,SAAS,CAAC,CAAC;IAE1B,KAAK,MAAM,SAAS,IAAI,UAAU,EAAE,CAAC;QACnC,MAAM,MAAM,GAAG,MAAM,EAAE,CAAC,KAAK,CAC3B,0DAA0D,EAC1D,CAAC,SAAS,CAAC,IAAI,CAAC,CACjB,CAAC;QAEF,IAAI,MAAM,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC3B,OAAO,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;YAC7B,MAAM,CAAC,IAAI,CAAC,8BAA8B,SAAS,CAAC,IAAI,EAAE,CAAC,CAAC;YAC5D,SAAS;QACX,CAAC;QAED,MAAM,GAAG,GAAG,YAAY,CAAC,SAAS,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;QAClD,MAAM,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QACpB,MAAM,EAAE,CAAC,KAAK,CACZ,0DAA0D,EAC1D,CAAC,SAAS,CAAC,IAAI,CAAC,CACjB,CAAC;QAEF,OAAO,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;QAC7B,MAAM,CAAC,IAAI,CAAC,8BAA8B,SAAS,CAAC,IAAI,EAAE,CAAC,CAAC;IAC9D,CAAC;IAED,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC;AAC9B,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,UAAU,kBAAkB,CAAC,IAYlC;IACC,MAAM,EAAE,GAAG,CAAC,IAAI,CAAC,EAAE,IAAI,IAAI,CAAC,IAAI,CAAE,CAAC;IACnC,MAAM,YAAY,GAChB,IAAI,CAAC,MAAM,EAAE,YAAY,IAAI,IAAI,CAAC,QAAQ,IAAI,EAAE,CAAC;IACnD,MAAM,OAAO,GAAG,IAAI,CAAC,MAAM,EAAE,OAAO,IAAI,IAAI,CAAC,OAAO,IAAI,EAAE,CAAC;IAC3D,MAAM,MAAM,GAAyB,EAAE,YAAY,EAAE,OAAO,EAAE,CAAC;IAC/D,MAAM,EAAE,OAAO,EAAE,GAAG,IAAI,CAAC;IAEzB,MAAM,KAAK,GAAyC;QAClD,GAAG,aAAa;QAChB,GAAG,YAAY;KAChB,CAAC;IAEF,+EAA+E;IAE/E,IAAI,KAAK,CAAC,gBAAgB,EAAE,CAAC;QAC3B,MAAM,eAAe,GAAG,OAAO,CAAC,GAAG,CAAC,oBAAoB,CAAC;QACzD,IAAI,eAAe,EAAE,CAAC;YACpB,cAAc,CAAC,EAAE,EAAE,OAAO,EAAE,eAAe,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE;gBACrD,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,yCAAyC,EAAE;oBAC7D,KAAK,EAAG,CAAW,CAAC,OAAO;iBAC5B,CAAC,CAAC;YACL,CAAC,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,+EAA+E;IAE/E,MAAM,EAAE,MAAM,EAAE,YAAY,EAAE,GAAG,kBAAkB,CAAC,EAAE,EAAE,MAAM,CAAC,CAAC;IAChE,MAAM,UAAU,GAAU,gBAAgB,CAAC,EAAE,EAAE,OAAO,EAAE,KAAK,CAAC,CAAC;IAC/D,MAAM,iBAAiB,GAAG,uBAAuB,CAAC,EAAE,EAAE,OAAO,EAAE,KAAK,EAAE,OAAO,CAAC,CAAC;IAC/E,MAAM,QAAQ,GAAY,cAAc,CAAC,EAAE,EAAE,OAAO,EAAE,KAAK,EAAE,OAAO,CAAC,CAAC;IACtE,MAAM,cAAc,GAAM,oBAAoB,CAAC,EAAE,EAAE,OAAO,EAAE,KAAK,EAAE,OAAO,CAAC,CAAC;IAC5E,MAAM,WAAW,GAAS,iBAAiB,CAAC,EAAE,EAAE,OAAO,EAAE,KAAK,CAAC,CAAC;IAChE,MAAM,WAAW,GAAS,iBAAiB,CAAC,EAAE,EAAE,OAAO,EAAE,KAAK,EAAE,OAAO,CAAC,CAAC;IAEzE,MAAM,MAAM,GAAG,MAAM,EAAE,CAAC;IAExB,MAAM,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;IACzB,MAAM,CAAC,GAAG,CAAC,KAAK,EAAE,QAAQ,CAAC,CAAC;IAC5B,MAAM,CAAC,GAAG,CAAC,OAAO,EAAE,UAAU,CAAC,CAAC;IAChC,MAAM,CAAC,GAAG,CAAC,OAAO,EAAE,iBAAiB,CAAC,CAAC;IACvC,MAAM,CAAC,GAAG,CAAC,OAAO,EAAE,cAAc,CAAC,CAAC;IACpC,MAAM,CAAC,GAAG,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC;IACjC,MAAM,CAAC,GAAG,CAAC,cAAc,EAAE,iBAAiB,CAAC,CAAC;IAC9C,MAAM,CAAC,GAAG,CAAC,QAAQ,EAAE,WAAW,CAAC,CAAC;IAElC,MAAM,OAAO,GAAG,GAAG,EAAE,CAAC,aAAa,CAAC,EAAE,EAAE,OAAO,CAAC,MAAM,CAAC,CAAC;IAExD,OAAO,EAAE,MAAM,EAAE,aAAa,EAAE,OAAO,EAAE,OAAO,EAAE,CAAC;AACrD,CAAC"}

package/dist/server/middleware/require-membership.d.ts ADDED Viewed

@@ -0,0 +1,10 @@
+import type { Request, Response, NextFunction } from 'express';
+import type { Pool } from 'pg';
+import type { ServerModuleAdapter, OrgRole } from '../types.js';
+export interface AuthenticatedRequest extends Request {
+    userId: number;
+    orgId: number;
+    userRole: OrgRole;
+}
+export declare function requireMembership(pool: Pool, adapter: ServerModuleAdapter): (req: Request, res: Response, next: NextFunction) => Promise<void>;
+//# sourceMappingURL=require-membership.d.ts.map

package/dist/server/middleware/require-membership.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"require-membership.d.ts","sourceRoot":"","sources":["../../../src/server/middleware/require-membership.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAC/D,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,IAAI,CAAC;AAC/B,OAAO,KAAK,EAAE,mBAAmB,EAAE,OAAO,EAAE,MAAM,aAAa,CAAC;AAEhE,MAAM,WAAW,oBAAqB,SAAQ,OAAO;IACnD,MAAM,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,OAAO,CAAC;CACnB;AAED,wBAAgB,iBAAiB,CAAC,IAAI,EAAE,IAAI,EAAE,OAAO,EAAE,mBAAmB,IAC1D,KAAK,OAAO,EAAE,KAAK,QAAQ,EAAE,MAAM,YAAY,KAAG,OAAO,CAAC,IAAI,CAAC,CAoC9E"}

package/dist/server/middleware/require-membership.js ADDED Viewed

@@ -0,0 +1,33 @@
+export function requireMembership(pool, adapter) {
+    return async (req, res, next) => {
+        try {
+            const userId = await adapter.getCurrentUserId(req);
+            if (!userId) {
+                res.status(401).json({ error: 'Authentication required' });
+                return;
+            }
+            const orgIdParam = parseInt(req.params.orgId || req.params.id || '', 10);
+            if (isNaN(orgIdParam)) {
+                res.status(400).json({ error: 'Invalid org ID' });
+                return;
+            }
+            const result = await pool.query(`SELECT m.role FROM tm_memberships m
+         JOIN tm_organizations o ON o.id = m.org_id
+         WHERE m.org_id = $1 AND m.user_id = $2 AND m.removed_at IS NULL
+           AND o.deleted_at IS NULL`, [orgIdParam, userId]);
+            if (result.rows.length === 0) {
+                res.status(403).json({ error: 'You are not a member of this organization' });
+                return;
+            }
+            req.userId = userId;
+            req.orgId = orgIdParam;
+            req.userRole = result.rows[0].role;
+            next();
+        }
+        catch (e) {
+            adapter.logger.error('[requireMembership]', { error: e.message });
+            res.status(500).json({ error: 'Authentication check failed' });
+        }
+    };
+}
+//# sourceMappingURL=require-membership.js.map

package/dist/server/middleware/require-membership.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"require-membership.js","sourceRoot":"","sources":["../../../src/server/middleware/require-membership.ts"],"names":[],"mappings":"AAUA,MAAM,UAAU,iBAAiB,CAAC,IAAU,EAAE,OAA4B;IACxE,OAAO,KAAK,EAAE,GAAY,EAAE,GAAa,EAAE,IAAkB,EAAiB,EAAE;QAC9E,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,gBAAgB,CAAC,GAAG,CAAC,CAAC;YACnD,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,yBAAyB,EAAE,CAAC,CAAC;gBAC3D,OAAO;YACT,CAAC;YAED,MAAM,UAAU,GAAG,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC,KAAK,IAAI,GAAG,CAAC,MAAM,CAAC,EAAE,IAAI,EAAE,EAAE,EAAE,CAAC,CAAC;YACzE,IAAI,KAAK,CAAC,UAAU,CAAC,EAAE,CAAC;gBACtB,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,gBAAgB,EAAE,CAAC,CAAC;gBAClD,OAAO;YACT,CAAC;YAED,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,KAAK,CAC7B;;;oCAG4B,EAC5B,CAAC,UAAU,EAAE,MAAM,CAAC,CACrB,CAAC;YAEF,IAAI,MAAM,CAAC,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBAC7B,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,2CAA2C,EAAE,CAAC,CAAC;gBAC7E,OAAO;YACT,CAAC;YAEA,GAA4B,CAAC,MAAM,GAAG,MAAM,CAAC;YAC7C,GAA4B,CAAC,KAAK,GAAG,UAAU,CAAC;YAChD,GAA4B,CAAC,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAe,CAAC;YACxE,IAAI,EAAE,CAAC;QACT,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,qBAAqB,EAAE,EAAE,KAAK,EAAG,CAAW,CAAC,OAAO,EAAE,CAAC,CAAC;YAC7E,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,6BAA6B,EAAE,CAAC,CAAC;QACjE,CAAC;IACH,CAAC,CAAC;AACJ,CAAC"}

package/dist/server/middleware/require-role.d.ts ADDED Viewed

@@ -0,0 +1,4 @@
+import type { Request, Response, NextFunction } from 'express';
+import type { OrgRole } from '../types.js';
+export declare function requireRole(minimumRole: OrgRole): (req: Request, res: Response, next: NextFunction) => void;
+//# sourceMappingURL=require-role.d.ts.map

package/dist/server/middleware/require-role.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"require-role.d.ts","sourceRoot":"","sources":["../../../src/server/middleware/require-role.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAC/D,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,aAAa,CAAC;AAI3C,wBAAgB,WAAW,CAAC,WAAW,EAAE,OAAO,IACtC,KAAK,OAAO,EAAE,KAAK,QAAQ,EAAE,MAAM,YAAY,KAAG,IAAI,CAY/D"}

package/dist/server/middleware/require-role.js ADDED Viewed

@@ -0,0 +1,16 @@
+import { roleAtLeast } from '../types.js';
+export function requireRole(minimumRole) {
+    return (req, res, next) => {
+        const authReq = req;
+        if (!authReq.userRole) {
+            res.status(401).json({ error: 'Authentication required' });
+            return;
+        }
+        if (!roleAtLeast(authReq.userRole, minimumRole)) {
+            res.status(403).json({ error: `Requires ${minimumRole} role or higher` });
+            return;
+        }
+        next();
+    };
+}
+//# sourceMappingURL=require-role.js.map

package/dist/server/middleware/require-role.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"require-role.js","sourceRoot":"","sources":["../../../src/server/middleware/require-role.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAG1C,MAAM,UAAU,WAAW,CAAC,WAAoB;IAC9C,OAAO,CAAC,GAAY,EAAE,GAAa,EAAE,IAAkB,EAAQ,EAAE;QAC/D,MAAM,OAAO,GAAG,GAA2B,CAAC;QAC5C,IAAI,CAAC,OAAO,CAAC,QAAQ,EAAE,CAAC;YACtB,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,yBAAyB,EAAE,CAAC,CAAC;YAC3D,OAAO;QACT,CAAC;QACD,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC,QAAQ,EAAE,WAAW,CAAC,EAAE,CAAC;YAChD,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,YAAY,WAAW,iBAAiB,EAAE,CAAC,CAAC;YAC1E,OAAO;QACT,CAAC;QACD,IAAI,EAAE,CAAC;IACT,CAAC,CAAC;AACJ,CAAC"}

package/dist/server/middleware/require-super-admin.d.ts ADDED Viewed

@@ -0,0 +1,5 @@
+import type { Request, Response, NextFunction } from 'express';
+import type { Pool } from 'pg';
+import type { ServerModuleAdapter, TeamManagementFeatureFlags } from '../types.js';
+export declare function requireSuperAdmin(pool: Pool, adapter: ServerModuleAdapter, flags: TeamManagementFeatureFlags): (req: Request, res: Response, next: NextFunction) => Promise<void>;
+//# sourceMappingURL=require-super-admin.d.ts.map

package/dist/server/middleware/require-super-admin.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"require-super-admin.d.ts","sourceRoot":"","sources":["../../../src/server/middleware/require-super-admin.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,QAAQ,EAAE,YAAY,EAAE,MAAM,SAAS,CAAC;AAC/D,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,IAAI,CAAC;AAC/B,OAAO,KAAK,EAAE,mBAAmB,EAAE,0BAA0B,EAAE,MAAM,aAAa,CAAC;AAEnF,wBAAgB,iBAAiB,CAAC,IAAI,EAAE,IAAI,EAAE,OAAO,EAAE,mBAAmB,EAAE,KAAK,EAAE,0BAA0B,IAC7F,KAAK,OAAO,EAAE,KAAK,QAAQ,EAAE,MAAM,YAAY,KAAG,OAAO,CAAC,IAAI,CAAC,CA0B9E"}