npm - @varshylinc/team-management - Versions diffs - 0.1.0 - Mend

@varshylinc/team-management 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (203) hide show

package/.eslintrc.cjs +18 -0
package/CHANGELOG.md +159 -0
package/LICENSE +6 -0
package/README.md +97 -0
package/dist/index.d.ts +4 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +6 -0
package/dist/index.js.map +1 -0
package/dist/server/crypto.d.ts +6 -0
package/dist/server/crypto.d.ts.map +1 -0
package/dist/server/crypto.js +42 -0
package/dist/server/crypto.js.map +1 -0
package/dist/server/index.d.ts +34 -0
package/dist/server/index.d.ts.map +1 -0
package/dist/server/index.js +114 -0
package/dist/server/index.js.map +1 -0
package/dist/server/middleware/require-membership.d.ts +10 -0
package/dist/server/middleware/require-membership.d.ts.map +1 -0
package/dist/server/middleware/require-membership.js +33 -0
package/dist/server/middleware/require-membership.js.map +1 -0
package/dist/server/middleware/require-role.d.ts +4 -0
package/dist/server/middleware/require-role.d.ts.map +1 -0
package/dist/server/middleware/require-role.js +16 -0
package/dist/server/middleware/require-role.js.map +1 -0
package/dist/server/middleware/require-super-admin.d.ts +5 -0
package/dist/server/middleware/require-super-admin.d.ts.map +1 -0
package/dist/server/middleware/require-super-admin.js +27 -0
package/dist/server/middleware/require-super-admin.js.map +1 -0
package/dist/server/migrations/0001_create_tm_schema_migrations.sql +13 -0
package/dist/server/migrations/0002_create_tm_organizations.sql +14 -0
package/dist/server/migrations/0003_create_tm_memberships.sql +24 -0
package/dist/server/migrations/0004_create_tm_invitations.sql +22 -0
package/dist/server/migrations/0005_create_tm_audit_events.sql +17 -0
package/dist/server/migrations/0006_create_tm_email_change_requests.sql +13 -0
package/dist/server/migrations/0007_create_tm_ownership_transfers.sql +22 -0
package/dist/server/migrations/0008_create_tm_super_admins.sql +8 -0
package/dist/server/migrations/0009_create_tm_password_reset_requests.sql +9 -0
package/dist/server/migrations/0010_create_tm_shared_access.sql +8 -0
package/dist/server/migrations/0011_seed_super_admin.sql +15 -0
package/dist/server/migrations/0012_create_tm_user_locks.sql +7 -0
package/dist/server/routes/admin.routes.d.ts +5 -0
package/dist/server/routes/admin.routes.d.ts.map +1 -0
package/dist/server/routes/admin.routes.js +262 -0
package/dist/server/routes/admin.routes.js.map +1 -0
package/dist/server/routes/audit.routes.d.ts +5 -0
package/dist/server/routes/audit.routes.d.ts.map +1 -0
package/dist/server/routes/audit.routes.js +70 -0
package/dist/server/routes/audit.routes.js.map +1 -0
package/dist/server/routes/health.routes.d.ts +8 -0
package/dist/server/routes/health.routes.d.ts.map +1 -0
package/dist/server/routes/health.routes.js +39 -0
package/dist/server/routes/health.routes.js.map +1 -0
package/dist/server/routes/invitations.routes.d.ts +5 -0
package/dist/server/routes/invitations.routes.d.ts.map +1 -0
package/dist/server/routes/invitations.routes.js +232 -0
package/dist/server/routes/invitations.routes.js.map +1 -0
package/dist/server/routes/me.routes.d.ts +5 -0
package/dist/server/routes/me.routes.d.ts.map +1 -0
package/dist/server/routes/me.routes.js +188 -0
package/dist/server/routes/me.routes.js.map +1 -0
package/dist/server/routes/orgs.routes.d.ts +5 -0
package/dist/server/routes/orgs.routes.d.ts.map +1 -0
package/dist/server/routes/orgs.routes.js +371 -0
package/dist/server/routes/orgs.routes.js.map +1 -0
package/dist/server/routes/transfer.routes.d.ts +5 -0
package/dist/server/routes/transfer.routes.d.ts.map +1 -0
package/dist/server/routes/transfer.routes.js +108 -0
package/dist/server/routes/transfer.routes.js.map +1 -0
package/dist/server/services/audit.service.d.ts +20 -0
package/dist/server/services/audit.service.d.ts.map +1 -0
package/dist/server/services/audit.service.js +23 -0
package/dist/server/services/audit.service.js.map +1 -0
package/dist/server/services/email-change.service.d.ts +16 -0
package/dist/server/services/email-change.service.d.ts.map +1 -0
package/dist/server/services/email-change.service.js +107 -0
package/dist/server/services/email-change.service.js.map +1 -0
package/dist/server/services/invitations.service.d.ts +41 -0
package/dist/server/services/invitations.service.d.ts.map +1 -0
package/dist/server/services/invitations.service.js +214 -0
package/dist/server/services/invitations.service.js.map +1 -0
package/dist/server/services/memberships.service.d.ts +27 -0
package/dist/server/services/memberships.service.d.ts.map +1 -0
package/dist/server/services/memberships.service.js +69 -0
package/dist/server/services/memberships.service.js.map +1 -0
package/dist/server/services/organizations.service.d.ts +19 -0
package/dist/server/services/organizations.service.d.ts.map +1 -0
package/dist/server/services/organizations.service.js +61 -0
package/dist/server/services/organizations.service.js.map +1 -0
package/dist/server/services/ownership.service.d.ts +19 -0
package/dist/server/services/ownership.service.d.ts.map +1 -0
package/dist/server/services/ownership.service.js +102 -0
package/dist/server/services/ownership.service.js.map +1 -0
package/dist/server/services/password-reset.service.d.ts +12 -0
package/dist/server/services/password-reset.service.d.ts.map +1 -0
package/dist/server/services/password-reset.service.js +54 -0
package/dist/server/services/password-reset.service.js.map +1 -0
package/dist/server/services/super-admin.service.d.ts +59 -0
package/dist/server/services/super-admin.service.d.ts.map +1 -0
package/dist/server/services/super-admin.service.js +187 -0
package/dist/server/services/super-admin.service.js.map +1 -0
package/dist/server/types.d.ts +186 -0
package/dist/server/types.d.ts.map +1 -0
package/dist/server/types.js +6 -0
package/dist/server/types.js.map +1 -0
package/dist/shared/types.d.ts +23 -0
package/dist/shared/types.d.ts.map +1 -0
package/dist/shared/types.js +6 -0
package/dist/shared/types.js.map +1 -0
package/package.json +56 -0
package/src/client/api.ts +314 -0
package/src/client/components/AuditEventRow.tsx +59 -0
package/src/client/components/CascadePreview.tsx +36 -0
package/src/client/components/DangerZoneCard.tsx +103 -0
package/src/client/components/InvitationCodeDisplay.tsx +48 -0
package/src/client/components/InviteForm.tsx +77 -0
package/src/client/components/MemberRow.tsx +69 -0
package/src/client/components/PendingTransferBanner.tsx +98 -0
package/src/client/components/PlaceholderCard.tsx +26 -0
package/src/client/components/RoleBadge.tsx +26 -0
package/src/client/components/RoleSelect.tsx +35 -0
package/src/client/hooks/.gitkeep +0 -0
package/src/client/hooks/useCurrentMembership.ts +24 -0
package/src/client/hooks/useMembers.ts +24 -0
package/src/client/hooks/usePendingInvitations.ts +24 -0
package/src/client/hooks/usePendingTransfer.ts +27 -0
package/src/client/index.ts +80 -0
package/src/client/pages/AuditLogPage.tsx +164 -0
package/src/client/pages/EmailChangePage.tsx +144 -0
package/src/client/pages/InvitationAcceptPage.tsx +163 -0
package/src/client/pages/InvitationCodePage.tsx +108 -0
package/src/client/pages/MembersPage.tsx +290 -0
package/src/client/pages/OrgSettingsPage.tsx +185 -0
package/src/client/pages/OwnershipTransferPage.tsx +163 -0
package/src/client/pages/PasswordResetPage.tsx +104 -0
package/src/client/pages/PasswordResetRequestPage.tsx +71 -0
package/src/client/pages/PlaceholderPage.tsx +20 -0
package/src/client/pages/SuperAdminDashboard.tsx +401 -0
package/src/client/types.ts +78 -0
package/src/index.ts +24 -0
package/src/server/crypto.ts +47 -0
package/src/server/index.ts +167 -0
package/src/server/middleware/require-membership.ts +48 -0
package/src/server/middleware/require-role.ts +19 -0
package/src/server/middleware/require-super-admin.ts +32 -0
package/src/server/migrations/0001_create_tm_schema_migrations.sql +13 -0
package/src/server/migrations/0002_create_tm_organizations.sql +14 -0
package/src/server/migrations/0003_create_tm_memberships.sql +24 -0
package/src/server/migrations/0004_create_tm_invitations.sql +22 -0
package/src/server/migrations/0005_create_tm_audit_events.sql +17 -0
package/src/server/migrations/0006_create_tm_email_change_requests.sql +13 -0
package/src/server/migrations/0007_create_tm_ownership_transfers.sql +22 -0
package/src/server/migrations/0008_create_tm_super_admins.sql +8 -0
package/src/server/migrations/0009_create_tm_password_reset_requests.sql +9 -0
package/src/server/migrations/0010_create_tm_shared_access.sql +8 -0
package/src/server/migrations/0011_seed_super_admin.sql +15 -0
package/src/server/migrations/0012_create_tm_user_locks.sql +7 -0
package/src/server/routes/admin.routes.ts +208 -0
package/src/server/routes/audit.routes.ts +93 -0
package/src/server/routes/health.routes.ts +46 -0
package/src/server/routes/invitations.routes.ts +252 -0
package/src/server/routes/me.routes.ts +143 -0
package/src/server/routes/orgs.routes.ts +428 -0
package/src/server/routes/transfer.routes.ts +110 -0
package/src/server/services/.gitkeep +0 -0
package/src/server/services/audit.service.ts +49 -0
package/src/server/services/email-change.service.ts +178 -0
package/src/server/services/invitations.service.ts +316 -0
package/src/server/services/memberships.service.ts +129 -0
package/src/server/services/organizations.service.ts +110 -0
package/src/server/services/ownership.service.ts +170 -0
package/src/server/services/password-reset.service.ts +94 -0
package/src/server/services/super-admin.service.ts +321 -0
package/src/server/sql/.gitkeep +0 -0
package/src/server/types.ts +145 -0
package/src/shared/types.ts +24 -0
package/tests/integration/audit-fires.test.ts +288 -0
package/tests/integration/cascade-preview.test.ts +157 -0
package/tests/integration/email-change.test.ts +190 -0
package/tests/integration/feature-flags.test.ts +213 -0
package/tests/integration/invitations-code.test.ts +218 -0
package/tests/integration/invitations-expiry.test.ts +216 -0
package/tests/integration/invitations-resend.test.ts +241 -0
package/tests/integration/invitations-revoke.test.ts +226 -0
package/tests/integration/invitations-switch-org.test.ts +156 -0
package/tests/integration/invitations-token.test.ts +221 -0
package/tests/integration/migrations.test.ts +119 -0
package/tests/integration/only-owner-protections.test.ts +130 -0
package/tests/integration/org-lifecycle.test.ts +169 -0
package/tests/integration/ownership-transfer-cancel.test.ts +171 -0
package/tests/integration/ownership-transfer-expire.test.ts +171 -0
package/tests/integration/ownership-transfer-happy.test.ts +184 -0
package/tests/integration/ownership-transfer-locks.test.ts +146 -0
package/tests/integration/password-reset.test.ts +200 -0
package/tests/integration/super-admin-actions.test.ts +180 -0
package/tests/integration/super-admin-restrictions.test.ts +209 -0
package/tests/setup/global-setup.ts +20 -0
package/tests/unit/adapter-shape.test.ts +330 -0
package/tests/unit/role-permissions.test.ts +236 -0
package/tests/unit/validation.test.ts +304 -0
package/tsconfig.client.json +13 -0
package/tsconfig.json +12 -0
package/tsconfig.tsbuildinfo +1 -0
package/vitest.config.ts +13 -0

package/tests/integration/email-change.test.ts ADDED Viewed

@@ -0,0 +1,190 @@
+import { describe, it, expect, beforeAll, afterAll, beforeEach, vi } from 'vitest';
+import { createHash } from 'crypto';
+import express from 'express';
+import request from 'supertest';
+import { Pool } from 'pg';
+import { createServerModule } from '../../src/server/index.js';
+import type { ServerModuleAdapter, OrgRole } from '../../src/server/types.js';
+const describeWithDb = process.env.DATABASE_URL ? describe : describe.skip;
+function sha256(s: string): string {
+  return createHash('sha256').update(s).digest('hex');
+}
+let currentUserId: number | null = null;
+let currentOrgId: number | null = null;
+const sendEmailChangeVerification = vi.fn(async () => {});
+const sendEmailChangeOldNotice = vi.fn(async () => {});
+const sendEmailChangedFinalNotice = vi.fn(async () => {});
+const sendPasswordResetEmail = vi.fn(async () => {});
+const testAdapter: ServerModuleAdapter = {
+  getCurrentUserId: async () => currentUserId,
+  getOrganizationIdForUser: async () => currentOrgId,
+  isUserOrgAdmin: async (userId) => userId <= 2,
+  logger: { info: () => {}, warn: () => {}, error: () => {} },
+  getUserById: async (id) => ({ id, email: `u${id}@test.com`, name: `User${id}` }),
+  getUsersByIds: async (ids) => ids.map(id => ({ id, email: `u${id}@test.com`, name: `User${id}` })),
+  findUserByEmail: async (email) => {
+    const m = email.match(/^u(\d+)@test\.com$/);
+    return m ? { id: parseInt(m[1]), email } : null;
+  },
+  createUserFromInvite: async ({ email }: { email: string; orgId: number; role: OrgRole }) => ({ id: 99, email }),
+  setUserPassword: async () => {},
+  hashPassword: async (p) => `h:${p}`,
+  verifyPassword: async (p, h) => h === `h:${p}`,
+  invalidateAllUserSessions: async () => {},
+  sendInviteEmail: async () => {},
+  sendOwnershipTransferEmail: async () => {},
+  sendEmailChangeVerification,
+  sendEmailChangeOldNotice,
+  sendEmailChangedFinalNotice,
+  sendPasswordResetEmail,
+  sendOrgDeletionNotice: async () => {},
+  emitNotification: async () => {},
+};
+async function cleanAll(pool: Pool) {
+  await pool.query(`TRUNCATE tm_super_admins, tm_password_reset_requests,
+    tm_email_change_requests, tm_ownership_transfers, tm_audit_events,
+    tm_invitations, tm_memberships, tm_organizations RESTART IDENTITY CASCADE`);
+}
+async function seedOrg(pool: Pool, orgId = 1) {
+  await pool.query(`INSERT INTO tm_organizations (id, name, slug, owner_user_id, settings)
+    VALUES (${orgId}, 'Test Org ${orgId}', 'test-org-${orgId}', 1, '{}') ON CONFLICT DO NOTHING`);
+  await pool.query(`INSERT INTO tm_memberships (org_id, user_id, role) VALUES
+    (${orgId}, 1, 'owner'), (${orgId}, 2, 'admin'), (${orgId}, 3, 'member'), (${orgId}, 4, 'viewer')
+    ON CONFLICT DO NOTHING`);
+}
+describeWithDb('email change flow', () => {
+  let pool: Pool;
+  let app: express.Express;
+  beforeAll(async () => {
+    pool = new Pool({ connectionString: process.env.DATABASE_URL });
+    const mod = createServerModule({ adapter: testAdapter, pool, features: {} });
+    app = express();
+    app.use(express.json());
+    app.use(mod.router);
+  });
+  afterAll(async () => {
+    await pool.end();
+  });
+  beforeEach(async () => {
+    await cleanAll(pool);
+    sendEmailChangeVerification.mockClear();
+    sendEmailChangeOldNotice.mockClear();
+    sendEmailChangedFinalNotice.mockClear();
+    sendPasswordResetEmail.mockClear();
+    currentUserId = 3;
+    currentOrgId = 1;
+    await seedOrg(pool);
+  });
+  it('POST /me/email-change → 200 and calls verification + notice emails', async () => {
+    const res = await request(app)
+      .post('/me/email-change')
+      .send({ newEmail: 'new@example.com', currentPassword: 'mypassword' });
+    expect(res.status).toBe(200);
+    // Both verification and old-address notice should be sent
+    expect(sendEmailChangeVerification).toHaveBeenCalledOnce();
+    expect(sendEmailChangeOldNotice).toHaveBeenCalledOnce();
+    // Verify row in DB
+    const dbRow = await pool.query(
+      `SELECT * FROM tm_email_change_requests WHERE user_id = 3 ORDER BY created_at DESC LIMIT 1`
+    );
+    expect(dbRow.rows.length).toBe(1);
+    expect(dbRow.rows[0].new_email).toBe('new@example.com');
+    // Status is tracked via verified_at/cancelled_at (both null = pending)
+    expect(dbRow.rows[0].verified_at).toBeNull();
+    expect(dbRow.rows[0].cancelled_at).toBeNull();
+  });
+  it('GET /me/email-change/verify?token=:token → 200, email changed', async () => {
+    sendEmailChangeVerification.mockClear();
+    await request(app)
+      .post('/me/email-change')
+      .send({ newEmail: 'verified@example.com', currentPassword: 'mypassword' });
+    // Extract raw token from the verifyUrl sent to the spy
+    const callArg = sendEmailChangeVerification.mock.calls[0]?.[0] as { verifyUrl?: string } | undefined;
+    const verifyUrl = callArg?.verifyUrl ?? '';
+    const token = new URLSearchParams(verifyUrl.split('?')[1] ?? '').get('token') ?? '';
+    expect(token).toBeTruthy();
+    // Route requires auth — keep currentUserId=3
+    const res = await request(app)
+      .get(`/me/email-change/verify?token=${token}`);
+    expect(res.status).toBe(200);
+    // sendEmailChangedFinalNotice is called twice (for new address and old address)
+    expect(sendEmailChangedFinalNotice).toHaveBeenCalledTimes(2);
+    // Verify DB shows verified_at is set
+    const tokenHash = sha256(token);
+    const updated = await pool.query(
+      `SELECT verified_at FROM tm_email_change_requests WHERE verify_token_hash = $1`,
+      [tokenHash]
+    );
+    expect(updated.rows[0].verified_at).not.toBeNull();
+  });
+  it('GET /me/email-change/cancel?token=:cancelToken → 200, change cancelled', async () => {
+    sendEmailChangeOldNotice.mockClear();
+    await request(app)
+      .post('/me/email-change')
+      .send({ newEmail: 'cancel@example.com', currentPassword: 'mypassword' });
+    // Extract raw cancel token from the cancelUrl sent to the spy
+    const cancelCallArg = sendEmailChangeOldNotice.mock.calls[0]?.[0] as { cancelUrl?: string } | undefined;
+    const cancelUrl = cancelCallArg?.cancelUrl ?? '';
+    const cancelToken = new URLSearchParams(cancelUrl.split('?')[1] ?? '').get('token') ?? '';
+    expect(cancelToken).toBeTruthy();
+    currentUserId = null; // cancel is unauthenticated — token is the credential
+    const res = await request(app)
+      .get(`/me/email-change/cancel?token=${cancelToken}`);
+    expect(res.status).toBe(200);
+    // Verify DB shows cancelled_at is set
+    const cancelTokenHash = sha256(cancelToken);
+    const updated = await pool.query(
+      `SELECT cancelled_at FROM tm_email_change_requests WHERE cancel_token_hash = $1`,
+      [cancelTokenHash]
+    );
+    expect(updated.rows[0].cancelled_at).not.toBeNull();
+  });
+  it.skip('after cancel: sendPasswordResetEmail is triggered (not yet implemented in service)', async () => {
+    // cancelEmailChange service calls invalidateAllUserSessions but not sendPasswordResetEmail.
+    // Skipped until the security-triggered password-reset-on-cancel flow is implemented.
+  });
+  it('rate limit: 4th email-change request in 24h → 429', async () => {
+    // Insert 3 existing requests within the last 24 hours
+    const past = new Date(Date.now() - 30 * 60 * 1000).toISOString(); // 30 min ago
+    for (let i = 0; i < 3; i++) {
+      await pool.query(
+        `INSERT INTO tm_email_change_requests (user_id, new_email, verify_token_hash, cancel_token_hash, expires_at, created_at)
+         VALUES (3, $1, $2, $3, NOW() + INTERVAL '24 hours', $4)`,
+        [`rate${i}@example.com`, sha256(`verify-rate${i}`), sha256(`cancel-rate${i}`), past]
+      );
+    }
+    const res = await request(app)
+      .post('/me/email-change')
+      .send({ newEmail: 'fourth@example.com', currentPassword: 'mypassword' });
+    expect(res.status).toBe(429);
+  });
+});

package/tests/integration/feature-flags.test.ts ADDED Viewed

@@ -0,0 +1,213 @@
+import { describe, it, expect, beforeAll, afterAll, beforeEach } from 'vitest';
+import express from 'express';
+import request from 'supertest';
+import { Pool } from 'pg';
+import { createServerModule } from '../../src/server/index.js';
+import type { ServerModuleAdapter, OrgRole } from '../../src/server/types.js';
+const describeWithDb = process.env.DATABASE_URL ? describe : describe.skip;
+let currentUserId: number | null = null;
+let currentOrgId: number | null = null;
+const testAdapter: ServerModuleAdapter = {
+  getCurrentUserId: async () => currentUserId,
+  getOrganizationIdForUser: async () => currentOrgId,
+  isUserOrgAdmin: async (userId) => userId <= 2,
+  logger: { info: () => {}, warn: () => {}, error: () => {} },
+  getUserById: async (id) => ({ id, email: `u${id}@test.com`, name: `User${id}` }),
+  getUsersByIds: async (ids) => ids.map(id => ({ id, email: `u${id}@test.com`, name: `User${id}` })),
+  findUserByEmail: async (email) => {
+    const m = email.match(/^u(\d+)@test\.com$/);
+    return m ? { id: parseInt(m[1]), email } : null;
+  },
+  createUserFromInvite: async ({ email }: { email: string; orgId: number; role: OrgRole }) => ({ id: 99, email }),
+  setUserPassword: async () => {},
+  hashPassword: async (p) => `h:${p}`,
+  verifyPassword: async (p, h) => h === `h:${p}`,
+  invalidateAllUserSessions: async () => {},
+  sendInviteEmail: async () => {},
+  sendOwnershipTransferEmail: async () => {},
+  sendEmailChangeVerification: async () => {},
+  sendEmailChangeOldNotice: async () => {},
+  sendEmailChangedFinalNotice: async () => {},
+  sendPasswordResetEmail: async () => {},
+  sendOrgDeletionNotice: async () => {},
+  emitNotification: async () => {},
+};
+async function cleanAll(pool: Pool) {
+  await pool.query(`TRUNCATE tm_super_admins, tm_password_reset_requests,
+    tm_email_change_requests, tm_ownership_transfers, tm_audit_events,
+    tm_invitations, tm_memberships, tm_organizations RESTART IDENTITY CASCADE`);
+}
+async function seedOrg(pool: Pool, orgId = 1) {
+  await pool.query(`INSERT INTO tm_organizations (id, name, slug, owner_user_id, settings)
+    VALUES (${orgId}, 'Test Org ${orgId}', 'test-org-${orgId}', 1, '{}') ON CONFLICT DO NOTHING`);
+  await pool.query(`INSERT INTO tm_memberships (org_id, user_id, role) VALUES
+    (${orgId}, 1, 'owner'), (${orgId}, 2, 'admin'), (${orgId}, 3, 'member'), (${orgId}, 4, 'viewer')
+    ON CONFLICT DO NOTHING`);
+}
+function buildApp(pool: Pool, features: Record<string, boolean>) {
+  const mod = createServerModule({ adapter: testAdapter, pool, features });
+  const app = express();
+  app.use(express.json());
+  app.use(mod.router);
+  return app;
+}
+describeWithDb('feature flags', () => {
+  let pool: Pool;
+  beforeAll(async () => {
+    pool = new Pool({ connectionString: process.env.DATABASE_URL });
+  });
+  afterAll(async () => {
+    await pool.end();
+  });
+  beforeEach(async () => {
+    await cleanAll(pool);
+    currentUserId = 1;
+    currentOrgId = 1;
+    await seedOrg(pool);
+  });
+  describe('enableInvites = false', () => {
+    it('POST /orgs/1/invitations → 501', async () => {
+      const app = buildApp(pool, { enableInvites: false });
+      const res = await request(app)
+        .post('/orgs/1/invitations')
+        .send({ email: 'test@example.com', role: 'member' });
+      expect(res.status).toBe(501);
+    });
+  });
+  describe('enableAuditLog = false', () => {
+    it('GET /orgs/1/audit → 501', async () => {
+      const app = buildApp(pool, { enableAuditLog: false });
+      const res = await request(app).get('/orgs/1/audit');
+      expect(res.status).toBe(501);
+    });
+  });
+  describe('enableOwnershipTransfer = false', () => {
+    it('POST /orgs/1/transfer → 501', async () => {
+      const app = buildApp(pool, { enableOwnershipTransfer: false });
+      const res = await request(app)
+        .post('/orgs/1/transfer')
+        .send({ toUserId: 2, confirmOrgName: 'Test Org 1' });
+      expect(res.status).toBe(501);
+    });
+  });
+  describe('enableEmailChange = false', () => {
+    it('POST /me/email-change → 501', async () => {
+      const app = buildApp(pool, { enableEmailChange: false });
+      const res = await request(app)
+        .post('/me/email-change')
+        .send({ newEmail: 'new@example.com', currentPassword: 'pass' });
+      expect(res.status).toBe(501);
+    });
+  });
+  describe('enablePasswordReset = false', () => {
+    it('POST /me/password-reset/request → 501', async () => {
+      const app = buildApp(pool, { enablePasswordReset: false });
+      currentUserId = null;
+      const res = await request(app)
+        .post('/me/password-reset/request')
+        .send({ email: 'u1@test.com' });
+      expect(res.status).toBe(501);
+    });
+  });
+  describe('enableSuperAdmin = false', () => {
+    it('GET /admin/orgs → 403, 404, or 501', async () => {
+      const app = buildApp(pool, { enableSuperAdmin: false });
+      const res = await request(app).get('/admin/orgs');
+      // 404 when feature disabled (middleware returns 404 to obscure admin routes)
+      // 403 if user not super-admin, 501 if feature check first
+      expect([403, 404, 501]).toContain(res.status);
+    });
+  });
+  describe('all flags enabled', () => {
+    it('POST /orgs/1/invitations returns non-501', async () => {
+      const app = buildApp(pool, {
+        enableInvites: true,
+        enableAuditLog: true,
+        enableOwnershipTransfer: true,
+        enableEmailChange: true,
+        enablePasswordReset: true,
+        enableSuperAdmin: true,
+      });
+      const res = await request(app)
+        .post('/orgs/1/invitations')
+        .send({ email: 'test@example.com', role: 'member' });
+      expect(res.status).not.toBe(501);
+    });
+    it('GET /orgs/1/audit returns non-501', async () => {
+      const app = buildApp(pool, {
+        enableInvites: true,
+        enableAuditLog: true,
+        enableOwnershipTransfer: true,
+        enableEmailChange: true,
+        enablePasswordReset: true,
+        enableSuperAdmin: true,
+      });
+      const res = await request(app).get('/orgs/1/audit');
+      expect(res.status).not.toBe(501);
+    });
+    it('POST /orgs/1/transfer returns non-501', async () => {
+      const app = buildApp(pool, {
+        enableInvites: true,
+        enableAuditLog: true,
+        enableOwnershipTransfer: true,
+        enableEmailChange: true,
+        enablePasswordReset: true,
+        enableSuperAdmin: true,
+      });
+      const res = await request(app)
+        .post('/orgs/1/transfer')
+        .send({ toUserId: 2, confirmOrgName: 'Test Org 1' });
+      expect(res.status).not.toBe(501);
+    });
+    it('POST /me/email-change returns non-501', async () => {
+      const app = buildApp(pool, {
+        enableInvites: true,
+        enableAuditLog: true,
+        enableOwnershipTransfer: true,
+        enableEmailChange: true,
+        enablePasswordReset: true,
+        enableSuperAdmin: true,
+      });
+      const res = await request(app)
+        .post('/me/email-change')
+        .send({ newEmail: 'new@example.com', currentPassword: 'pass' });
+      expect(res.status).not.toBe(501);
+    });
+    it('POST /me/password-reset/request returns non-501', async () => {
+      const app = buildApp(pool, {
+        enableInvites: true,
+        enableAuditLog: true,
+        enableOwnershipTransfer: true,
+        enableEmailChange: true,
+        enablePasswordReset: true,
+        enableSuperAdmin: true,
+      });
+      currentUserId = null;
+      const res = await request(app)
+        .post('/me/password-reset/request')
+        .send({ email: 'u1@test.com' });
+      expect(res.status).not.toBe(501);
+    });
+  });
+});

package/tests/integration/invitations-code.test.ts ADDED Viewed

@@ -0,0 +1,218 @@
+import { describe, it, expect, beforeAll, afterAll, beforeEach } from 'vitest';
+import express from 'express';
+import request from 'supertest';
+import { Pool } from 'pg';
+import { createServerModule } from '../../src/server/index.js';
+import type { ServerModuleAdapter, OrgRole } from '../../src/server/types.js';
+const DATABASE_URL = process.env.DATABASE_URL;
+describe.skipIf(!DATABASE_URL)('Invitations – Code Accept', () => {
+  let pool: Pool;
+  let app: express.Express;
+  let currentUserId: number | null = null;
+  let currentOrgId: number | null = null;
+  const testAdapter: ServerModuleAdapter = {
+    getCurrentUserId: async () => currentUserId,
+    getOrganizationIdForUser: async () => currentOrgId,
+    isUserOrgAdmin: async (userId, _orgId) => userId === 1 || userId === 2,
+    logger: { info: () => {}, warn: () => {}, error: () => {} },
+    getUserById: async (id) => {
+      const users: Record<number, { id: number; email: string; name: string }> = {
+        1: { id: 1, email: 'owner@test.com', name: 'Owner' },
+        2: { id: 2, email: 'admin@test.com', name: 'Admin' },
+        3: { id: 3, email: 'member@test.com', name: 'Member' },
+        4: { id: 4, email: 'viewer@test.com', name: 'Viewer' },
+        5: { id: 5, email: 'outsider@test.com', name: 'Outsider' },
+      };
+      return users[id] ?? null;
+    },
+    getUsersByIds: async (ids) =>
+      ids.map((id) => ({ id, email: `user${id}@test.com`, name: `User${id}` })),
+    findUserByEmail: async (email) => {
+      const map: Record<string, { id: number; email: string }> = {
+        'owner@test.com': { id: 1, email: 'owner@test.com' },
+        'admin@test.com': { id: 2, email: 'admin@test.com' },
+        'member@test.com': { id: 3, email: 'member@test.com' },
+        'outsider@test.com': { id: 5, email: 'outsider@test.com' },
+        'new@test.com': { id: 6, email: 'new@test.com' },
+      };
+      return map[email] ?? null;
+    },
+    createUserFromInvite: async ({ email }: { email: string; orgId: number; role: OrgRole }) => ({
+      id: 99,
+      email,
+    }),
+    setUserPassword: async () => {},
+    hashPassword: async (p) => `h:${p}`,
+    verifyPassword: async (p, h) => h === `h:${p}`,
+    invalidateAllUserSessions: async () => {},
+    sendInviteEmail: async () => {},
+    sendOwnershipTransferEmail: async () => {},
+    sendEmailChangeVerification: async () => {},
+    sendEmailChangeOldNotice: async () => {},
+    sendEmailChangedFinalNotice: async () => {},
+    sendPasswordResetEmail: async () => {},
+    sendOrgDeletionNotice: async () => {},
+    emitNotification: async () => {},
+  };
+  beforeAll(async () => {
+    pool = new Pool({ connectionString: DATABASE_URL });
+    const serverModule = createServerModule({ adapter: testAdapter, pool, features: {
+      enableInvites: true,
+      enableAuditLog: false,
+    } });
+    await pool.query(`DELETE FROM tm_memberships WHERE org_id = 1`);
+    await pool.query(`DELETE FROM tm_organizations WHERE id = 1`);
+    await pool.query(
+      `INSERT INTO tm_organizations (id, name, slug, owner_user_id, settings) VALUES (1, 'Test Org', 'test-org', 1, '{}')`
+    );
+    await pool.query(
+      `INSERT INTO tm_memberships (org_id, user_id, role) VALUES (1, 1, 'owner'), (1, 2, 'admin'), (1, 3, 'member'), (1, 4, 'viewer')`
+    );
+    app = express();
+    app.use(express.json());
+    app.use(serverModule.router);
+  });
+  afterAll(async () => {
+    await pool.query(`DELETE FROM tm_invitations WHERE org_id = 1`);
+    await pool.query(`DELETE FROM tm_memberships WHERE org_id = 1`);
+    await pool.query(`DELETE FROM tm_organizations WHERE id = 1`);
+    await pool.end();
+  });
+  beforeEach(async () => {
+    currentUserId = null;
+    currentOrgId = null;
+    await pool.query(`DELETE FROM tm_invitations WHERE org_id = 1`);
+    await pool.query(`DELETE FROM tm_memberships WHERE org_id = 1 AND user_id = 5`);
+  });
+  it('POST /orgs/1/invitations as admin creates invite (201)', async () => {
+    currentUserId = 2;
+    currentOrgId = 1;
+    const res = await request(app)
+      .post('/orgs/1/invitations')
+      .send({ email: 'outsider@test.com', role: 'viewer' });
+    expect(res.status).toBe(201);
+    expect(res.body).toMatchObject({
+      invitation: expect.objectContaining({
+        email: 'outsider@test.com',
+        role: 'viewer',
+      }),
+    });
+  });
+  it('GET /orgs/1/invitations/:id/code as admin returns plaintext 6-digit code (200)', async () => {
+    currentUserId = 2;
+    currentOrgId = 1;
+    const createRes = await request(app)
+      .post('/orgs/1/invitations')
+      .send({ email: 'outsider@test.com', role: 'viewer' });
+    expect(createRes.status).toBe(201);
+    const inviteId = createRes.body.invitation?.id ?? createRes.body.id;
+    const res = await request(app).get(`/orgs/1/invitations/${inviteId}/code`);
+    expect(res.status).toBe(200);
+    expect(res.body.code).toBeDefined();
+    expect(/^\d{6}$/.test(String(res.body.code))).toBe(true);
+  });
+  it('GET /orgs/1/invitations/:id/code as member → 403', async () => {
+    currentUserId = 2;
+    currentOrgId = 1;
+    const createRes = await request(app)
+      .post('/orgs/1/invitations')
+      .send({ email: 'outsider@test.com', role: 'viewer' });
+    expect(createRes.status).toBe(201);
+    const inviteId = createRes.body.invitation?.id ?? createRes.body.id;
+    currentUserId = 3;
+    currentOrgId = 1;
+    const res = await request(app).get(`/orgs/1/invitations/${inviteId}/code`);
+    expect(res.status).toBe(403);
+  });
+  it('POST /invitations/accept/code with valid code and matching email → 200', async () => {
+    currentUserId = 2;
+    currentOrgId = 1;
+    const createRes = await request(app)
+      .post('/orgs/1/invitations')
+      .send({ email: 'outsider@test.com', role: 'member' });
+    expect(createRes.status).toBe(201);
+    const inviteId = createRes.body.invitation?.id ?? createRes.body.id;
+    const codeRes = await request(app).get(`/orgs/1/invitations/${inviteId}/code`);
+    expect(codeRes.status).toBe(200);
+    const code = codeRes.body.code;
+    currentUserId = 5;
+    currentOrgId = null;
+    const res = await request(app)
+      .post('/invitations/accept/code')
+      .send({ email: 'outsider@test.com', code });
+    expect(res.status).toBe(200);
+    const membershipRow = await pool.query(
+      `SELECT * FROM tm_memberships WHERE org_id = 1 AND user_id = 5`
+    );
+    expect(membershipRow.rows.length).toBe(1);
+    expect(membershipRow.rows[0].role).toBe('member');
+  });
+  it('POST /invitations/accept/code with wrong code → 400 or 404', async () => {
+    currentUserId = 2;
+    currentOrgId = 1;
+    const createRes = await request(app)
+      .post('/orgs/1/invitations')
+      .send({ email: 'outsider@test.com', role: 'member' });
+    expect(createRes.status).toBe(201);
+    currentUserId = 5;
+    currentOrgId = null;
+    const res = await request(app)
+      .post('/invitations/accept/code')
+      .send({ email: 'outsider@test.com', code: '000000' });
+    expect([400, 404]).toContain(res.status);
+  });
+  it('POST /invitations/accept/code with wrong email → 400 or 404', async () => {
+    currentUserId = 2;
+    currentOrgId = 1;
+    const createRes = await request(app)
+      .post('/orgs/1/invitations')
+      .send({ email: 'outsider@test.com', role: 'member' });
+    expect(createRes.status).toBe(201);
+    const inviteId = createRes.body.invitation?.id ?? createRes.body.id;
+    const codeRes = await request(app).get(`/orgs/1/invitations/${inviteId}/code`);
+    const code = codeRes.body.code;
+    currentUserId = null;
+    currentOrgId = null;
+    const res = await request(app)
+      .post('/invitations/accept/code')
+      .send({ email: 'wrongperson@test.com', code });
+    expect([400, 404]).toContain(res.status);
+  });
+});