@varshylinc/team-management 0.1.0 → 0.2.0

package/src/server/types.ts

@@ -1,145 +0,0 @@
-import type { Request } from 'express';
-
-export type OrgRole = 'owner' | 'admin' | 'member' | 'viewer';
-export type AuditActorType = 'user' | 'super_admin';
-export type TransferStatus = 'pending' | 'accepted' | 'cancelled' | 'expired';
-
-export interface TmOrganization {
-  id: number;
-  name: string;
-  slug: string;
-  owner_user_id: number;
-  settings: Record<string, unknown>;
-  deleted_at: Date | null;
-  delete_scheduled_for: Date | null;
-  deleted_by_user_id: number | null;
-  created_at: Date;
-  updated_at: Date;
-}
-
-export interface TmMembership {
-  id: number;
-  org_id: number;
-  user_id: number;
-  role: OrgRole;
-  joined_at: Date;
-  removed_at: Date | null;
-  removed_by_user_id: number | null;
-  removal_reason: string | null;
-  created_at: Date;
-  updated_at: Date;
-}
-
-export interface TmInvitation {
-  id: number;
-  org_id: number;
-  invited_by_user_id: number;
-  email: string;
-  role: OrgRole;
-  token_hash: string;
-  code_encrypted: string;
-  expires_at: Date;
-  accepted_at: Date | null;
-  revoked_at: Date | null;
-  revoked_by_user_id: number | null;
-  resent_count: number;
-  created_at: Date;
-  updated_at: Date;
-}
-
-export interface TmAuditEvent {
-  id: string;
-  org_id: number | null;
-  actor_user_id: number | null;
-  actor_type: AuditActorType;
-  action: string;
-  target_type: string | null;
-  target_id: string | null;
-  before_state: Record<string, unknown> | null;
-  after_state: Record<string, unknown> | null;
-  ip: string | null;
-  user_agent: string | null;
-  reason: string | null;
-  created_at: Date;
-}
-
-export interface TmOwnershipTransfer {
-  id: number;
-  org_id: number;
-  from_user_id: number;
-  to_user_id: number;
-  status: TransferStatus;
-  initiated_at: Date;
-  accepted_at: Date | null;
-  cancelled_at: Date | null;
-  cancelled_by_user_id: number | null;
-  expires_at: Date;
-}
-
-export interface TmPasswordResetRequest {
-  id: number;
-  user_id: number;
-  token_hash: string;
-  expires_at: Date;
-  used_at: Date | null;
-  created_at: Date;
-}
-
-export interface ServerModuleAdapter {
-  // v0.0.1
-  getCurrentUserId(req: Request): Promise<number | null>;
-  getOrganizationIdForUser(userId: number): Promise<number | null>;
-  isUserOrgAdmin(userId: number, orgId: number): Promise<boolean>;
-  logger: {
-    info(message: string, meta?: Record<string, unknown>): void;
-    warn(message: string, meta?: Record<string, unknown>): void;
-    error(message: string, meta?: Record<string, unknown>): void;
-  };
-  // v0.1.0 additions
-  getUserById(userId: number): Promise<{ id: number; email: string; name?: string } | null>;
-  getUsersByIds(userIds: number[]): Promise<Array<{ id: number; email: string; name?: string }>>;
-  findUserByEmail(email: string): Promise<{ id: number; email: string } | null>;
-  createUserFromInvite(data: { email: string; orgId: number; role: OrgRole }): Promise<{ id: number; email: string }>;
-  setUserPassword(userId: number, passwordHash: string): Promise<void>;
-  hashPassword(plaintext: string): Promise<string>;
-  verifyPassword(plaintext: string, hash: string): Promise<boolean>;
-  invalidateAllUserSessions(userId: number): Promise<void>;
-  sendInviteEmail(data: { to: string; orgName: string; inviterName: string; role: OrgRole; magicLinkUrl: string; code: string }): Promise<void>;
-  sendOwnershipTransferEmail(data: { to: string; orgName: string; fromName: string; transferUrl: string }): Promise<void>;
-  sendEmailChangeVerification(data: { to: string; verifyUrl: string }): Promise<void>;
-  sendEmailChangeOldNotice(data: { to: string; newEmail: string; cancelUrl: string }): Promise<void>;
-  sendEmailChangedFinalNotice(data: { to: string; oldEmail: string; newEmail: string }): Promise<void>;
-  sendPasswordResetEmail(data: { to: string; resetUrl: string }): Promise<void>;
-  sendOrgDeletionNotice(data: { to: string; orgName: string; scheduledFor: Date }): Promise<void>;
-  emitNotification(data: { userId: number; type: string; payload: Record<string, unknown> }): Promise<void>;
-}
-
-export interface TeamManagementFeatureFlags {
-  enableInvites?: boolean;
-  enableAuditLog?: boolean;
-  enableOwnershipTransfer?: boolean;
-  enableEmailChange?: boolean;
-  enablePasswordReset?: boolean;
-  enableSuperAdmin?: boolean;
-  enableSharedAccess?: boolean;
-  enableHardDelete?: boolean;
-}
-
-export interface TeamManagementConfig {
-  featureFlags?: TeamManagementFeatureFlags;
-  baseUrl?: string;
-}
-
-export interface TeamManagementServerModule {
-  router: import('express').Router;
-  runMigrations(): Promise<{ applied: string[]; skipped: string[] }>;
-  /** Alias for runMigrations — for test convenience */
-  migrate(): Promise<{ applied: string[]; skipped: string[] }>;
-}
-
-// Role permission helpers — values are spaced by 10 so future roles can be inserted
-export const ROLE_HIERARCHY: Record<OrgRole, number> = { viewer: 10, member: 20, admin: 30, owner: 40 };
-
-export function roleAtLeast(userRole: OrgRole, required: OrgRole): boolean {
-  return ROLE_HIERARCHY[userRole] >= ROLE_HIERARCHY[required];
-}

package/src/shared/types.ts

@@ -1,24 +0,0 @@
-/**
- * Shared types used by both server and client sides of team-management.
- * No Node.js or browser-specific APIs here.
- */
-
-/** A team member as returned by the module's public API. */
-export interface TeamMember {
-  id: number;
-  userId: number;
-  organizationId: number;
-  role: 'owner' | 'admin' | 'member';
-  joinedAt: string; // ISO 8601
-}
-
-/** An invite as returned by the module's public API (stub shape). */
-export interface TeamInvite {
-  id: number;
-  organizationId: number;
-  email: string;
-  role: 'admin' | 'member';
-  status: 'pending' | 'accepted' | 'expired';
-  createdAt: string; // ISO 8601
-  expiresAt: string; // ISO 8601
-}

package/tests/integration/audit-fires.test.ts

@@ -1,288 +0,0 @@
-import { describe, it, expect, beforeAll, afterAll, beforeEach, vi } from 'vitest';
-import express from 'express';
-import request from 'supertest';
-import { Pool } from 'pg';
-import { createServerModule } from '../../src/server/index.js';
-import type { ServerModuleAdapter, OrgRole } from '../../src/server/types.js';
-
-const describeWithDb = process.env.DATABASE_URL ? describe : describe.skip;
-
-let currentUserId: number | null = null;
-let currentOrgId: number | null = null;
-
-function extractToken(spy: ReturnType<typeof vi.fn>): string {
-  const callArg = spy.mock.calls[0]?.[0] as { magicLinkUrl?: string } | undefined;
-  const url = callArg?.magicLinkUrl ?? '';
-  const qs = url.includes('?') ? url.split('?')[1] : '';
-  return new URLSearchParams(qs).get('token') ?? '';
-}
-
-function extractEmailChangeToken(spy: ReturnType<typeof vi.fn>): string {
-  const callArg = spy.mock.calls[0]?.[0] as { verifyUrl?: string } | undefined;
-  const url = callArg?.verifyUrl ?? '';
-  const qs = url.includes('?') ? url.split('?')[1] : '';
-  return new URLSearchParams(qs).get('token') ?? '';
-}
-
-const sendInviteEmail = vi.fn(async () => {});
-const sendEmailChangeVerification = vi.fn(async () => {});
-
-const testAdapter: ServerModuleAdapter = {
-  getCurrentUserId: async () => currentUserId,
-  getOrganizationIdForUser: async () => currentOrgId,
-  isUserOrgAdmin: async (userId) => userId <= 2,
-  logger: { info: () => {}, warn: () => {}, error: () => {} },
-  getUserById: async (id) => ({ id, email: `u${id}@test.com`, name: `User${id}` }),
-  getUsersByIds: async (ids) => ids.map(id => ({ id, email: `u${id}@test.com`, name: `User${id}` })),
-  findUserByEmail: async (email) => {
-    const m = email.match(/^u(\d+)@test\.com$/);
-    return m ? { id: parseInt(m[1]), email } : null;
-  },
-  createUserFromInvite: async ({ email }: { email: string; orgId: number; role: OrgRole }) => ({ id: 99, email }),
-  setUserPassword: async () => {},
-  hashPassword: async (p) => `h:${p}`,
-  verifyPassword: async (p, h) => h === `h:${p}`,
-  invalidateAllUserSessions: async () => {},
-  sendInviteEmail,
-  sendOwnershipTransferEmail: async () => {},
-  sendEmailChangeVerification,
-  sendEmailChangeOldNotice: async () => {},
-  sendEmailChangedFinalNotice: async () => {},
-  sendPasswordResetEmail: async () => {},
-  sendOrgDeletionNotice: async () => {},
-  emitNotification: async () => {},
-};
-
-async function cleanAll(pool: Pool) {
-  await pool.query(`TRUNCATE tm_super_admins, tm_password_reset_requests,
-    tm_email_change_requests, tm_ownership_transfers, tm_audit_events,
-    tm_invitations, tm_memberships, tm_organizations RESTART IDENTITY CASCADE`);
-}
-
-async function seedOrg(pool: Pool, orgId = 1) {
-  await pool.query(`INSERT INTO tm_organizations (id, name, slug, owner_user_id, settings)
-    VALUES (${orgId}, 'Test Org ${orgId}', 'test-org-${orgId}', 1, '{}') ON CONFLICT DO NOTHING`);
-  await pool.query(`INSERT INTO tm_memberships (org_id, user_id, role) VALUES
-    (${orgId}, 1, 'owner'), (${orgId}, 2, 'admin'), (${orgId}, 3, 'member'), (${orgId}, 4, 'viewer')
-    ON CONFLICT DO NOTHING`);
-}
-
-async function getLatestAuditEvent(pool: Pool, action: string) {
-  const res = await pool.query(
-    `SELECT * FROM tm_audit_events WHERE action = $1 ORDER BY created_at DESC LIMIT 1`,
-    [action]
-  );
-  return res.rows[0] ?? null;
-}
-
-describeWithDb('audit events fire for all 13 event types', () => {
-  let pool: Pool;
-  let app: express.Express;
-
-  beforeAll(async () => {
-    pool = new Pool({ connectionString: process.env.DATABASE_URL });
-    const mod = createServerModule({ adapter: testAdapter, pool, features: {} });
-    app = express();
-    app.use(express.json());
-    app.use(mod.router);
-  });
-
-  afterAll(async () => {
-    await pool.end();
-  });
-
-  beforeEach(async () => {
-    await cleanAll(pool);
-    sendInviteEmail.mockClear();
-    sendEmailChangeVerification.mockClear();
-    currentUserId = 1;
-    currentOrgId = 1;
-  });
-
-  it('org.created fires when org is created', async () => {
-    const res = await request(app)
-      .post('/orgs')
-      .send({ name: 'Audit Org', slug: 'audit-org' });
-    expect(res.status).toBe(201);
-
-    const event = await getLatestAuditEvent(pool, 'org.created');
-    expect(event).not.toBeNull();
-    expect(event.action).toBe('org.created');
-  });
-
-  it('org.settings.updated fires on PATCH /orgs/:id', async () => {
-    await seedOrg(pool);
-
-    const res = await request(app)
-      .patch('/orgs/1')
-      .send({ name: 'Updated Name' });
-    expect(res.status).toBeLessThan(500);
-
-    const event = await getLatestAuditEvent(pool, 'org.settings.updated');
-    expect(event).not.toBeNull();
-  });
-
-  it('org.deleted fires on DELETE /orgs/:id', async () => {
-    await seedOrg(pool);
-
-    const res = await request(app)
-      .delete('/orgs/1')
-      .send({ confirmName: 'Test Org 1' });
-    expect(res.status).toBeLessThan(500);
-
-    const event = await getLatestAuditEvent(pool, 'org.deleted');
-    expect(event).not.toBeNull();
-  });
-
-  it('member.invited fires on POST /orgs/:id/invitations', async () => {
-    await seedOrg(pool);
-
-    const res = await request(app)
-      .post('/orgs/1/invitations')
-      .send({ email: 'newuser@example.com', role: 'member' });
-    expect(res.status).toBeLessThan(500);
-
-    const event = await getLatestAuditEvent(pool, 'member.invited');
-    expect(event).not.toBeNull();
-  });
-
-  it('member.invite_accepted fires when invitation is accepted', async () => {
-    await seedOrg(pool);
-
-    const invRes = await request(app)
-      .post('/orgs/1/invitations')
-      .send({ email: 'u99@test.com', role: 'member' });
-    expect(invRes.status).toBeLessThan(500);
-
-    const token = extractToken(sendInviteEmail);
-    if (!token) return; // Can't test without a token
-
-    currentUserId = 99;
-    currentOrgId = null;
-    const acceptRes = await request(app)
-      .post('/invitations/accept/token')
-      .send({ token });
-    expect(acceptRes.status).toBeLessThan(500);
-
-    const event = await getLatestAuditEvent(pool, 'member.invite_accepted');
-    expect(event).not.toBeNull();
-  });
-
-  it('member.invite_revoked fires on DELETE /orgs/:id/invitations/:invId', async () => {
-    await seedOrg(pool);
-
-    const invRes = await request(app)
-      .post('/orgs/1/invitations')
-      .send({ email: 'revoke@example.com', role: 'member' });
-    expect(invRes.status).toBeLessThan(500);
-
-    const inv = await pool.query(`SELECT id FROM tm_invitations ORDER BY created_at DESC LIMIT 1`);
-    if (!inv.rows.length) return;
-    const invId = inv.rows[0].id;
-
-    const revokeRes = await request(app).delete(`/orgs/1/invitations/${invId}`);
-    expect(revokeRes.status).toBeLessThan(500);
-
-    const event = await getLatestAuditEvent(pool, 'member.invite_revoked');
-    expect(event).not.toBeNull();
-  });
-
-  it('member.removed fires on DELETE /orgs/:id/members/:userId', async () => {
-    await seedOrg(pool);
-
-    const res = await request(app).delete('/orgs/1/members/3');
-    expect(res.status).toBeLessThan(500);
-
-    const event = await getLatestAuditEvent(pool, 'member.removed');
-    expect(event).not.toBeNull();
-  });
-
-  it('member.role_changed fires on PATCH /orgs/:id/members/:userId/role', async () => {
-    await seedOrg(pool);
-
-    const res = await request(app)
-      .patch('/orgs/1/members/3/role')
-      .send({ role: 'admin' });
-    expect(res.status).toBeLessThan(500);
-
-    const event = await getLatestAuditEvent(pool, 'member.role_changed');
-    expect(event).not.toBeNull();
-  });
-
-  it('ownership.transfer_initiated fires on POST /orgs/:id/transfer', async () => {
-    await seedOrg(pool);
-
-    const res = await request(app)
-      .post('/orgs/1/transfer')
-      .send({ toUserId: 2 });
-    expect(res.status).toBeLessThan(500);
-
-    const event = await getLatestAuditEvent(pool, 'ownership.transfer_initiated');
-    expect(event).not.toBeNull();
-  });
-
-  it('ownership.transfer_accepted fires on POST /orgs/:id/transfer/accept', async () => {
-    await seedOrg(pool);
-
-    const initRes = await request(app)
-      .post('/orgs/1/transfer')
-      .send({ toUserId: 2 });
-    expect(initRes.status).toBeLessThan(500);
-
-    currentUserId = 2;
-    const acceptRes = await request(app)
-      .post('/orgs/1/transfer/accept')
-      .send({});
-    expect(acceptRes.status).toBeLessThan(500);
-
-    const event = await getLatestAuditEvent(pool, 'ownership.transfer_accepted');
-    expect(event).not.toBeNull();
-  });
-
-  it('ownership.transfer_cancelled fires on DELETE /orgs/:id/transfer', async () => {
-    await seedOrg(pool);
-
-    await request(app)
-      .post('/orgs/1/transfer')
-      .send({ toUserId: 2 });
-
-    const cancelRes = await request(app)
-      .delete('/orgs/1/transfer');
-    expect(cancelRes.status).toBeLessThan(500);
-
-    const event = await getLatestAuditEvent(pool, 'ownership.transfer_cancelled');
-    expect(event).not.toBeNull();
-  });
-
-  it('email.change_requested fires on POST /me/email-change', async () => {
-    await seedOrg(pool);
-
-    const res = await request(app)
-      .post('/me/email-change')
-      .send({ newEmail: 'newemail@test.com', currentPassword: 'pass' });
-    expect(res.status).toBeLessThan(500);
-
-    const event = await getLatestAuditEvent(pool, 'email.change_requested');
-    expect(event).not.toBeNull();
-  });
-
-  it('email.change_completed fires when email change is verified', async () => {
-    await seedOrg(pool);
-
-    await request(app)
-      .post('/me/email-change')
-      .send({ newEmail: 'verified@test.com', currentPassword: 'pass' });
-
-    // Extract verify token from spy (service calls sendEmailChangeVerification({ to, verifyUrl }))
-    const verifyToken = extractEmailChangeToken(sendEmailChangeVerification);
-    if (!verifyToken) return; // skip if email change not triggered
-
-    currentUserId = null; // token-based route
-    const verifyRes = await request(app)
-      .get(`/me/email-change/verify?token=${verifyToken}`);
-    expect(verifyRes.status).toBeLessThan(500);
-
-    const event = await getLatestAuditEvent(pool, 'email.change_completed');
-    expect(event).not.toBeNull();
-  });
-});

package/tests/integration/cascade-preview.test.ts

@@ -1,157 +0,0 @@
-import { describe, it, expect, beforeAll, afterAll, beforeEach } from 'vitest';
-import { createHash } from 'crypto';
-import express from 'express';
-import request from 'supertest';
-import { Pool } from 'pg';
-import { createServerModule } from '../../src/server/index.js';
-import type { ServerModuleAdapter, OrgRole } from '../../src/server/types.js';
-
-const describeWithDb = process.env.DATABASE_URL ? describe : describe.skip;
-
-function sha256(s: string): string {
-  return createHash('sha256').update(s).digest('hex');
-}
-
-let currentUserId: number | null = null;
-let currentOrgId: number | null = null;
-
-const testAdapter: ServerModuleAdapter = {
-  getCurrentUserId: async () => currentUserId,
-  getOrganizationIdForUser: async () => currentOrgId,
-  isUserOrgAdmin: async (userId) => userId <= 2,
-  logger: { info: () => {}, warn: () => {}, error: () => {} },
-  getUserById: async (id) => ({ id, email: `u${id}@test.com`, name: `User${id}` }),
-  getUsersByIds: async (ids) => ids.map(id => ({ id, email: `u${id}@test.com`, name: `User${id}` })),
-  findUserByEmail: async (email) => {
-    const m = email.match(/^u(\d+)@test\.com$/);
-    return m ? { id: parseInt(m[1]), email } : null;
-  },
-  createUserFromInvite: async ({ email }: { email: string; orgId: number; role: OrgRole }) => ({ id: 99, email }),
-  setUserPassword: async () => {},
-  hashPassword: async (p) => `h:${p}`,
-  verifyPassword: async (p, h) => h === `h:${p}`,
-  invalidateAllUserSessions: async () => {},
-  sendInviteEmail: async () => {},
-  sendOwnershipTransferEmail: async () => {},
-  sendEmailChangeVerification: async () => {},
-  sendEmailChangeOldNotice: async () => {},
-  sendEmailChangedFinalNotice: async () => {},
-  sendPasswordResetEmail: async () => {},
-  sendOrgDeletionNotice: async () => {},
-  emitNotification: async () => {},
-};
-
-async function cleanAll(pool: Pool) {
-  await pool.query(`TRUNCATE tm_super_admins, tm_password_reset_requests,
-    tm_email_change_requests, tm_ownership_transfers, tm_audit_events,
-    tm_invitations, tm_memberships, tm_organizations RESTART IDENTITY CASCADE`);
-}
-
-async function seedOrg(pool: Pool, orgId = 1) {
-  await pool.query(`INSERT INTO tm_organizations (id, name, slug, owner_user_id, settings)
-    VALUES (${orgId}, 'Test Org ${orgId}', 'test-org-${orgId}', 1, '{}') ON CONFLICT DO NOTHING`);
-  await pool.query(`INSERT INTO tm_memberships (org_id, user_id, role) VALUES
-    (${orgId}, 1, 'owner'), (${orgId}, 2, 'admin'), (${orgId}, 3, 'member'), (${orgId}, 4, 'viewer')
-    ON CONFLICT DO NOTHING`);
-}
-
-describeWithDb('cascade preview', () => {
-  let pool: Pool;
-  let app: express.Express;
-
-  beforeAll(async () => {
-    pool = new Pool({ connectionString: process.env.DATABASE_URL });
-    const mod = createServerModule({ adapter: testAdapter, pool, features: {} });
-    app = express();
-    app.use(express.json());
-    app.use(mod.router);
-  });
-
-  afterAll(async () => {
-    await pool.end();
-  });
-
-  beforeEach(async () => {
-    await cleanAll(pool);
-    currentUserId = 1;
-    currentOrgId = 1;
-    await seedOrg(pool);
-  });
-
-  it('returns cascade preview for member who has sent invitations', async () => {
-    // Member 2 sends an invitation — insert directly with correct column names
-    await pool.query(
-      `INSERT INTO tm_invitations (org_id, invited_by_user_id, email, role, token_hash, code_encrypted, expires_at)
-       VALUES (1, 2, 'invited@example.com', 'member', $1, 'fake-enc-abc123', NOW() + INTERVAL '7 days')`,
-      [sha256('tok-abc123')]
-    );
-
-    currentUserId = 1; // admin calling on behalf
-
-    const res = await request(app)
-      .get('/orgs/1/members/2/cascade-preview');
-
-    expect(res.status).toBeLessThan(500);
-    expect(res.body).toBeDefined();
-
-    // Must include the membership being removed
-    const body = res.body;
-    expect(body).toHaveProperty('membership');
-
-    // Must include pending invitations they sent
-    expect(body).toHaveProperty('pendingInvitations');
-    const invitations = body.pendingInvitations as Array<{ invited_by_user_id?: number; invitedByUserId?: number }>;
-    expect(Array.isArray(invitations)).toBe(true);
-    expect(invitations.length).toBeGreaterThanOrEqual(1);
-  });
-
-  it('returns cascade preview for member who has NOT sent invitations', async () => {
-    // Member 4 has no invitations
-    const res = await request(app)
-      .get('/orgs/1/members/4/cascade-preview');
-
-    expect(res.status).toBeLessThan(500);
-    expect(res.body).toBeDefined();
-
-    const body = res.body;
-    expect(body).toHaveProperty('membership');
-    expect(body).toHaveProperty('pendingInvitations');
-
-    const invitations = body.pendingInvitations as unknown[];
-    expect(Array.isArray(invitations)).toBe(true);
-    expect(invitations.length).toBe(0);
-  });
-
-  it('returns 404 for non-existent member', async () => {
-    const res = await request(app)
-      .get('/orgs/1/members/999/cascade-preview');
-
-    expect(res.status).toBe(404);
-  });
-
-  it('returns 403 for non-admin caller', async () => {
-    currentUserId = 3; // member, not admin
-    const res = await request(app)
-      .get('/orgs/1/members/4/cascade-preview');
-
-    expect(res.status).toBe(403);
-  });
-
-  it('preview for member with multiple pending invitations lists all of them', async () => {
-    await pool.query(
-      `INSERT INTO tm_invitations (org_id, invited_by_user_id, email, role, token_hash, code_encrypted, expires_at)
-       VALUES
-         (1, 2, 'a@example.com', 'member', $1, 'fake-enc-001', NOW() + INTERVAL '7 days'),
-         (1, 2, 'b@example.com', 'viewer', $2, 'fake-enc-002', NOW() + INTERVAL '7 days'),
-         (1, 2, 'c@example.com', 'admin', $3, 'fake-enc-003', NOW() + INTERVAL '7 days')`,
-      [sha256('tok-001'), sha256('tok-002'), sha256('tok-003')]
-    );
-
-    const res = await request(app)
-      .get('/orgs/1/members/2/cascade-preview');
-
-    expect(res.status).toBeLessThan(500);
-    const invitations = res.body.pendingInvitations as unknown[];
-    expect(invitations.length).toBe(3);
-  });
-});