@varshylinc/team-management 0.1.0

package/dist/server/middleware/require-super-admin.js

@@ -0,0 +1,27 @@
+export function requireSuperAdmin(pool, adapter, flags) {
+    return async (req, res, next) => {
+        if (!flags.enableSuperAdmin) {
+            res.status(404).json({ error: 'Not found' });
+            return;
+        }
+        try {
+            const userId = await adapter.getCurrentUserId(req);
+            if (!userId) {
+                res.status(401).json({ error: 'Authentication required' });
+                return;
+            }
+            const result = await pool.query(`SELECT user_id FROM tm_super_admins WHERE user_id = $1 AND revoked_at IS NULL`, [userId]);
+            if (result.rows.length === 0) {
+                res.status(403).json({ error: 'Super-admin access required' });
+                return;
+            }
+            req.superAdminUserId = userId;
+            next();
+        }
+        catch (e) {
+            adapter.logger.error('[requireSuperAdmin]', { error: e.message });
+            res.status(500).json({ error: 'Authorization check failed' });
+        }
+    };
+}
+//# sourceMappingURL=require-super-admin.js.map

package/dist/server/middleware/require-super-admin.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"require-super-admin.js","sourceRoot":"","sources":["../../../src/server/middleware/require-super-admin.ts"],"names":[],"mappings":"AAIA,MAAM,UAAU,iBAAiB,CAAC,IAAU,EAAE,OAA4B,EAAE,KAAiC;IAC3G,OAAO,KAAK,EAAE,GAAY,EAAE,GAAa,EAAE,IAAkB,EAAiB,EAAE;QAC9E,IAAI,CAAC,KAAK,CAAC,gBAAgB,EAAE,CAAC;YAC5B,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,WAAW,EAAE,CAAC,CAAC;YAC7C,OAAO;QACT,CAAC;QACD,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,gBAAgB,CAAC,GAAG,CAAC,CAAC;YACnD,IAAI,CAAC,MAAM,EAAE,CAAC;gBACZ,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,yBAAyB,EAAE,CAAC,CAAC;gBAC3D,OAAO;YACT,CAAC;YACD,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,KAAK,CAC7B,+EAA+E,EAC/E,CAAC,MAAM,CAAC,CACT,CAAC;YACF,IAAI,MAAM,CAAC,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBAC7B,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,6BAA6B,EAAE,CAAC,CAAC;gBAC/D,OAAO;YACT,CAAC;YACA,GAA8C,CAAC,gBAAgB,GAAG,MAAM,CAAC;YAC1E,IAAI,EAAE,CAAC;QACT,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,qBAAqB,EAAE,EAAE,KAAK,EAAG,CAAW,CAAC,OAAO,EAAE,CAAC,CAAC;YAC7E,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,4BAA4B,EAAE,CAAC,CAAC;QAChE,CAAC;IACH,CAAC,CAAC;AACJ,CAAC"}

package/dist/server/migrations/0001_create_tm_schema_migrations.sql

@@ -0,0 +1,13 @@
+-- Migration: 0001_create_tm_schema_migrations
+-- Creates the ledger table that tracks which team-management
+-- migrations have been applied. All tm_* tables are owned by
+-- the team-management module — host products never query them directly.
+
+CREATE TABLE IF NOT EXISTS tm_schema_migrations (
+  id          SERIAL       PRIMARY KEY,
+  migration   VARCHAR(255) NOT NULL UNIQUE,
+  applied_at  TIMESTAMPTZ  NOT NULL DEFAULT NOW()
+);
+
+CREATE INDEX IF NOT EXISTS idx_tm_schema_migrations_migration
+  ON tm_schema_migrations (migration);

package/dist/server/migrations/0002_create_tm_organizations.sql

@@ -0,0 +1,14 @@
+CREATE TABLE IF NOT EXISTS tm_organizations (
+  id SERIAL PRIMARY KEY,
+  name TEXT NOT NULL,
+  slug TEXT NOT NULL UNIQUE,
+  owner_user_id INTEGER NOT NULL,  -- denormalized for quick lookup
+  settings JSONB NOT NULL DEFAULT '{}',
+  deleted_at TIMESTAMPTZ,
+  delete_scheduled_for TIMESTAMPTZ,
+  deleted_by_user_id INTEGER,
+  created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+  updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
+);
+CREATE UNIQUE INDEX IF NOT EXISTS idx_tm_orgs_slug ON tm_organizations(slug) WHERE deleted_at IS NULL;
+CREATE INDEX IF NOT EXISTS idx_tm_orgs_owner ON tm_organizations(owner_user_id);

package/dist/server/migrations/0003_create_tm_memberships.sql

@@ -0,0 +1,24 @@
+-- If the type already exists, ignore
+DO $$ BEGIN
+  CREATE TYPE tm_role AS ENUM ('owner', 'admin', 'member', 'viewer');
+EXCEPTION WHEN duplicate_object THEN NULL;
+END $$;
+
+CREATE TABLE IF NOT EXISTS tm_memberships (
+  id SERIAL PRIMARY KEY,
+  org_id INTEGER NOT NULL REFERENCES tm_organizations(id) ON DELETE CASCADE,
+  user_id INTEGER NOT NULL,
+  role tm_role NOT NULL DEFAULT 'member',
+  joined_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+  removed_at TIMESTAMPTZ,
+  removed_by_user_id INTEGER,
+  removal_reason TEXT,
+  created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+  updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
+);
+-- Only one active membership per user per org
+CREATE UNIQUE INDEX IF NOT EXISTS idx_tm_memberships_active ON tm_memberships(org_id, user_id) WHERE removed_at IS NULL;
+-- Only one owner per org (active)
+CREATE UNIQUE INDEX IF NOT EXISTS idx_tm_memberships_owner ON tm_memberships(org_id) WHERE role = 'owner' AND removed_at IS NULL;
+CREATE INDEX IF NOT EXISTS idx_tm_memberships_user ON tm_memberships(user_id);
+CREATE INDEX IF NOT EXISTS idx_tm_memberships_org ON tm_memberships(org_id);

package/dist/server/migrations/0004_create_tm_invitations.sql

@@ -0,0 +1,22 @@
+CREATE TABLE IF NOT EXISTS tm_invitations (
+  id SERIAL PRIMARY KEY,
+  org_id INTEGER NOT NULL REFERENCES tm_organizations(id) ON DELETE CASCADE,
+  invited_by_user_id INTEGER NOT NULL,
+  email TEXT NOT NULL,
+  role tm_role NOT NULL DEFAULT 'member',
+  token_hash TEXT NOT NULL UNIQUE,   -- SHA-256 of the magic-link token
+  code_encrypted TEXT NOT NULL,      -- AES-256-GCM encrypted 6-digit code
+  expires_at TIMESTAMPTZ NOT NULL,   -- NOW() + 7 days
+  accepted_at TIMESTAMPTZ,
+  revoked_at TIMESTAMPTZ,
+  revoked_by_user_id INTEGER,
+  resent_count INTEGER NOT NULL DEFAULT 0,
+  created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+  updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
+);
+-- Only one pending (non-accepted, non-revoked) invite per email per org
+-- Note: expires_at check omitted from predicate (NOW() is not IMMUTABLE); enforced at query time
+CREATE UNIQUE INDEX IF NOT EXISTS idx_tm_invitations_pending ON tm_invitations(org_id, email) WHERE accepted_at IS NULL AND revoked_at IS NULL;
+CREATE INDEX IF NOT EXISTS idx_tm_invitations_org ON tm_invitations(org_id);
+CREATE INDEX IF NOT EXISTS idx_tm_invitations_email ON tm_invitations(email);
+

package/dist/server/migrations/0005_create_tm_audit_events.sql

@@ -0,0 +1,17 @@
+CREATE TABLE IF NOT EXISTS tm_audit_events (
+  id BIGSERIAL PRIMARY KEY,
+  org_id INTEGER REFERENCES tm_organizations(id) ON DELETE SET NULL,
+  actor_user_id INTEGER,
+  actor_type TEXT NOT NULL DEFAULT 'user' CHECK (actor_type IN ('user', 'super_admin')),
+  action TEXT NOT NULL,
+  target_type TEXT,
+  target_id TEXT,
+  before_state JSONB,
+  after_state JSONB,
+  ip TEXT,
+  user_agent TEXT,
+  reason TEXT,  -- required for super_admin actions
+  created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
+);
+CREATE INDEX IF NOT EXISTS idx_tm_audit_org ON tm_audit_events(org_id, created_at DESC);
+CREATE INDEX IF NOT EXISTS idx_tm_audit_actor ON tm_audit_events(actor_user_id);

package/dist/server/migrations/0006_create_tm_email_change_requests.sql

@@ -0,0 +1,13 @@
+CREATE TABLE IF NOT EXISTS tm_email_change_requests (
+  id SERIAL PRIMARY KEY,
+  user_id INTEGER NOT NULL,
+  old_email TEXT,
+  new_email TEXT NOT NULL,
+  verify_token_hash TEXT NOT NULL UNIQUE,   -- SHA-256 of verification token
+  cancel_token_hash TEXT NOT NULL UNIQUE,   -- SHA-256 of cancellation token
+  expires_at TIMESTAMPTZ NOT NULL,          -- NOW() + 24 hours
+  verified_at TIMESTAMPTZ,
+  cancelled_at TIMESTAMPTZ,
+  created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
+);
+CREATE INDEX IF NOT EXISTS idx_tm_email_change_user ON tm_email_change_requests(user_id, created_at DESC);

package/dist/server/migrations/0007_create_tm_ownership_transfers.sql

@@ -0,0 +1,22 @@
+DO $$ BEGIN
+  CREATE TYPE tm_transfer_status AS ENUM ('pending', 'accepted', 'cancelled', 'expired');
+EXCEPTION WHEN duplicate_object THEN NULL;
+END $$;
+
+CREATE TABLE IF NOT EXISTS tm_ownership_transfers (
+  id SERIAL PRIMARY KEY,
+  org_id INTEGER NOT NULL REFERENCES tm_organizations(id) ON DELETE CASCADE,
+  from_user_id INTEGER NOT NULL,
+  to_user_id INTEGER NOT NULL,
+  status tm_transfer_status NOT NULL DEFAULT 'pending',
+  initiated_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+  accepted_at TIMESTAMPTZ,
+  cancelled_at TIMESTAMPTZ,
+  cancelled_by_user_id INTEGER,
+  expires_at TIMESTAMPTZ NOT NULL,  -- NOW() + 7 days
+  created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+  updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
+);
+-- Only one pending transfer per org
+CREATE UNIQUE INDEX IF NOT EXISTS idx_tm_transfers_pending ON tm_ownership_transfers(org_id) WHERE status = 'pending';
+CREATE INDEX IF NOT EXISTS idx_tm_transfers_org ON tm_ownership_transfers(org_id);

package/dist/server/migrations/0008_create_tm_super_admins.sql

@@ -0,0 +1,8 @@
+CREATE TABLE IF NOT EXISTS tm_super_admins (
+  user_id INTEGER PRIMARY KEY,
+  granted_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+  granted_by_user_id INTEGER,
+  notes TEXT,
+  revoked_at TIMESTAMPTZ
+);
+CREATE INDEX IF NOT EXISTS idx_tm_super_admins_active ON tm_super_admins(user_id) WHERE revoked_at IS NULL;

package/dist/server/migrations/0009_create_tm_password_reset_requests.sql

@@ -0,0 +1,9 @@
+CREATE TABLE IF NOT EXISTS tm_password_reset_requests (
+  id SERIAL PRIMARY KEY,
+  user_id INTEGER NOT NULL,
+  token_hash TEXT NOT NULL UNIQUE,  -- SHA-256 of reset token
+  expires_at TIMESTAMPTZ NOT NULL,  -- NOW() + 1 hour
+  used_at TIMESTAMPTZ,
+  created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
+);
+CREATE INDEX IF NOT EXISTS idx_tm_pwd_reset_user ON tm_password_reset_requests(user_id, created_at DESC);

package/dist/server/migrations/0010_create_tm_shared_access.sql

@@ -0,0 +1,8 @@
+-- tm_shared_access: reserved for v0.2.0 (cross-org vendor access).
+-- Empty scaffold -- no columns beyond id. Do not add anything here in v0.1.0.
+CREATE TABLE IF NOT EXISTS tm_shared_access (
+  id SERIAL PRIMARY KEY,
+  created_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
+);
+-- NOTE: This table is intentionally empty in v0.1.0.
+-- Schema will be defined in the v0.2.0 migration.

package/dist/server/migrations/0011_seed_super_admin.sql

@@ -0,0 +1,15 @@
+-- Seed super-admin for vaakapila@gmail.com.
+-- This migration is ALWAYS run but only inserts if:
+--   1. A user with that email exists in the host app's user table.
+--   2. The row does not already exist in tm_super_admins.
+-- The host adapter is responsible for user existence; this migration
+-- does nothing if the user does not exist (host-managed users table
+-- is outside module scope). The demo-host seeds this user before
+-- running migrations.
+--
+-- Since tm_super_admins uses host user_id (INTEGER), and we cannot
+-- JOIN across host tables from inside the module, this seed is
+-- handled by the createServerModule boot sequence when
+-- enableSuperAdmin=true (see index.ts seedSuperAdmin()).
+-- This file is a no-op placeholder to reserve the migration slot.
+SELECT 1; -- placeholder: actual seed runs in application boot

package/dist/server/migrations/0012_create_tm_user_locks.sql

@@ -0,0 +1,7 @@
+CREATE TABLE IF NOT EXISTS tm_user_locks (
+  user_id INTEGER PRIMARY KEY,
+  locked_by INTEGER NOT NULL,
+  reason TEXT NOT NULL,
+  locked_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
+  unlocked_at TIMESTAMPTZ
+);

package/dist/server/routes/admin.routes.d.ts

@@ -0,0 +1,5 @@
+import { Router } from 'express';
+import type { Pool } from 'pg';
+import type { ServerModuleAdapter, TeamManagementFeatureFlags } from '../types.js';
+export declare function createAdminRouter(pool: Pool, adapter: ServerModuleAdapter, flags: TeamManagementFeatureFlags, baseUrl: string): Router;
+//# sourceMappingURL=admin.routes.d.ts.map

package/dist/server/routes/admin.routes.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"admin.routes.d.ts","sourceRoot":"","sources":["../../../src/server/routes/admin.routes.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AACjC,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,IAAI,CAAC;AAC/B,OAAO,KAAK,EAAE,mBAAmB,EAAE,0BAA0B,EAAW,MAAM,aAAa,CAAC;AAgB5F,wBAAgB,iBAAiB,CAC/B,IAAI,EAAE,IAAI,EACV,OAAO,EAAE,mBAAmB,EAC5B,KAAK,EAAE,0BAA0B,EACjC,OAAO,EAAE,MAAM,GACd,MAAM,CAuLR"}

package/dist/server/routes/admin.routes.js

@@ -0,0 +1,262 @@
+import { Router } from 'express';
+import { requireSuperAdmin } from '../middleware/require-super-admin.js';
+import { listAllOrgs, getOrgForAdmin, getUserForAdmin, restoreOrg, appointOwner, hardDeleteOrg, addMemberAdmin, removeMemberAdmin, lockUser, unlockUser, triggerPasswordReset, } from '../services/super-admin.service.js';
+export function createAdminRouter(pool, adapter, flags, baseUrl) {
+    const router = Router();
+    const superAdminMiddleware = requireSuperAdmin(pool, adapter, flags);
+    // GET /admin/orgs
+    router.get('/orgs', superAdminMiddleware, async (req, res) => {
+        try {
+            const orgs = await listAllOrgs(pool);
+            res.json({ orgs });
+        }
+        catch (e) {
+            adapter.logger.error('[admin] GET /orgs', { error: e.message });
+            res.status(500).json({ error: 'Failed to list organizations' });
+        }
+    });
+    // GET /admin/orgs/:id
+    router.get('/orgs/:id', superAdminMiddleware, async (req, res) => {
+        const orgId = parseInt(req.params.id, 10);
+        if (isNaN(orgId)) {
+            res.status(400).json({ error: 'Invalid org ID' });
+            return;
+        }
+        try {
+            const org = await getOrgForAdmin(pool, orgId);
+            res.json({ org });
+        }
+        catch (e) {
+            const msg = e.message;
+            adapter.logger.error('[admin] GET /orgs/:id', { error: msg });
+            if (msg.includes('not found')) {
+                res.status(404).json({ error: msg });
+            }
+            else {
+                res.status(500).json({ error: 'Failed to fetch organization' });
+            }
+        }
+    });
+    // GET /admin/users/:id
+    router.get('/users/:id', superAdminMiddleware, async (req, res) => {
+        const userId = parseInt(req.params.id, 10);
+        if (isNaN(userId)) {
+            res.status(400).json({ error: 'Invalid user ID' });
+            return;
+        }
+        try {
+            const user = await getUserForAdmin(pool, adapter, userId);
+            res.json({ user });
+        }
+        catch (e) {
+            const msg = e.message;
+            adapter.logger.error('[admin] GET /users/:id', { error: msg });
+            if (msg.includes('not found')) {
+                res.status(404).json({ error: msg });
+            }
+            else {
+                res.status(500).json({ error: 'Failed to fetch user' });
+            }
+        }
+    });
+    // POST /admin/orgs/:id/restore
+    router.post('/orgs/:id/restore', superAdminMiddleware, async (req, res) => {
+        const orgId = parseInt(req.params.id, 10);
+        if (isNaN(orgId)) {
+            res.status(400).json({ error: 'Invalid org ID' });
+            return;
+        }
+        const { reason } = req.body;
+        if (!reason) {
+            res.status(400).json({ error: 'reason is required' });
+            return;
+        }
+        const saUserId = req.superAdminUserId;
+        try {
+            await restoreOrg(pool, { orgId, superAdminUserId: saUserId, reason });
+            res.json({ message: 'Organization restored' });
+        }
+        catch (e) {
+            const msg = e.message;
+            adapter.logger.error('[admin] POST /orgs/:id/restore', { error: msg });
+            if (msg.includes('not found') || msg.includes('not deleted')) {
+                res.status(404).json({ error: msg });
+            }
+            else {
+                res.status(500).json({ error: 'Failed to restore organization' });
+            }
+        }
+    });
+    // POST /admin/orgs/:id/appoint-owner
+    router.post('/orgs/:id/appoint-owner', superAdminMiddleware, async (req, res) => {
+        const orgId = parseInt(req.params.id, 10);
+        if (isNaN(orgId)) {
+            res.status(400).json({ error: 'Invalid org ID' });
+            return;
+        }
+        const { targetUserId, reason } = req.body;
+        if (!targetUserId || !reason) {
+            res.status(400).json({ error: 'targetUserId and reason are required' });
+            return;
+        }
+        const saUserId = req.superAdminUserId;
+        try {
+            await appointOwner(pool, { orgId, targetUserId, superAdminUserId: saUserId, reason });
+            res.json({ message: 'Owner appointed' });
+        }
+        catch (e) {
+            adapter.logger.error('[admin] POST /orgs/:id/appoint-owner', { error: e.message });
+            res.status(500).json({ error: 'Failed to appoint owner' });
+        }
+    });
+    // POST /admin/orgs/:id/hard-delete
+    router.post('/orgs/:id/hard-delete', superAdminMiddleware, async (req, res) => {
+        if (!flags.enableHardDelete) {
+            res.status(403).json({ error: 'Hard delete is not enabled' });
+            return;
+        }
+        const orgId = parseInt(req.params.id, 10);
+        if (isNaN(orgId)) {
+            res.status(400).json({ error: 'Invalid org ID' });
+            return;
+        }
+        const { legalBasis } = req.body;
+        if (!legalBasis) {
+            res.status(400).json({ error: 'legalBasis is required' });
+            return;
+        }
+        const saUserId = req.superAdminUserId;
+        try {
+            await hardDeleteOrg(pool, { orgId, superAdminUserId: saUserId, legalBasis });
+            res.json({ message: 'Organization permanently deleted' });
+        }
+        catch (e) {
+            const msg = e.message;
+            adapter.logger.error('[admin] POST /orgs/:id/hard-delete', { error: msg });
+            if (msg.includes('legal basis')) {
+                res.status(400).json({ error: msg });
+            }
+            else {
+                res.status(500).json({ error: 'Failed to hard delete organization' });
+            }
+        }
+    });
+    // POST /admin/orgs/:id/members/add
+    router.post('/orgs/:id/members/add', superAdminMiddleware, async (req, res) => {
+        const orgId = parseInt(req.params.id, 10);
+        if (isNaN(orgId)) {
+            res.status(400).json({ error: 'Invalid org ID' });
+            return;
+        }
+        const { userId, role, reason } = req.body;
+        if (!userId || !role || !reason) {
+            res.status(400).json({ error: 'userId, role, and reason are required' });
+            return;
+        }
+        const saUserId = req.superAdminUserId;
+        try {
+            await addMemberAdmin(pool, { orgId, userId, role: role, superAdminUserId: saUserId, reason });
+            res.json({ message: 'Member added' });
+        }
+        catch (e) {
+            adapter.logger.error('[admin] POST /orgs/:id/members/add', { error: e.message });
+            res.status(500).json({ error: 'Failed to add member' });
+        }
+    });
+    // POST /admin/orgs/:id/members/remove
+    router.post('/orgs/:id/members/remove', superAdminMiddleware, async (req, res) => {
+        const orgId = parseInt(req.params.id, 10);
+        if (isNaN(orgId)) {
+            res.status(400).json({ error: 'Invalid org ID' });
+            return;
+        }
+        const { userId, reason } = req.body;
+        if (!userId || !reason) {
+            res.status(400).json({ error: 'userId and reason are required' });
+            return;
+        }
+        const saUserId = req.superAdminUserId;
+        try {
+            await removeMemberAdmin(pool, { orgId, userId, superAdminUserId: saUserId, reason });
+            res.json({ message: 'Member removed' });
+        }
+        catch (e) {
+            adapter.logger.error('[admin] POST /orgs/:id/members/remove', { error: e.message });
+            res.status(500).json({ error: 'Failed to remove member' });
+        }
+    });
+    // POST /admin/users/:id/lock
+    router.post('/users/:id/lock', superAdminMiddleware, async (req, res) => {
+        const userId = parseInt(req.params.id, 10);
+        if (isNaN(userId)) {
+            res.status(400).json({ error: 'Invalid user ID' });
+            return;
+        }
+        const { reason } = req.body;
+        if (!reason) {
+            res.status(400).json({ error: 'reason is required' });
+            return;
+        }
+        const saUserId = req.superAdminUserId;
+        try {
+            await lockUser(pool, adapter, { userId, superAdminUserId: saUserId, reason });
+            res.json({ message: 'User locked and sessions invalidated' });
+        }
+        catch (e) {
+            adapter.logger.error('[admin] POST /users/:id/lock', { error: e.message });
+            res.status(500).json({ error: 'Failed to lock user' });
+        }
+    });
+    // POST /admin/users/:id/unlock
+    router.post('/users/:id/unlock', superAdminMiddleware, async (req, res) => {
+        const userId = parseInt(req.params.id, 10);
+        if (isNaN(userId)) {
+            res.status(400).json({ error: 'Invalid user ID' });
+            return;
+        }
+        const { reason } = req.body;
+        if (!reason) {
+            res.status(400).json({ error: 'reason is required' });
+            return;
+        }
+        const saUserId = req.superAdminUserId;
+        try {
+            await unlockUser(pool, adapter, { userId, superAdminUserId: saUserId, reason });
+            res.json({ message: 'User unlocked' });
+        }
+        catch (e) {
+            adapter.logger.error('[admin] POST /users/:id/unlock', { error: e.message });
+            res.status(500).json({ error: 'Failed to unlock user' });
+        }
+    });
+    // POST /admin/users/:id/password-reset
+    router.post('/users/:id/password-reset', superAdminMiddleware, async (req, res) => {
+        const userId = parseInt(req.params.id, 10);
+        if (isNaN(userId)) {
+            res.status(400).json({ error: 'Invalid user ID' });
+            return;
+        }
+        const { reason } = req.body;
+        if (!reason) {
+            res.status(400).json({ error: 'reason is required' });
+            return;
+        }
+        const saUserId = req.superAdminUserId;
+        try {
+            await triggerPasswordReset(pool, adapter, { userId, superAdminUserId: saUserId, reason, baseUrl });
+            res.json({ message: 'Password reset email sent' });
+        }
+        catch (e) {
+            const msg = e.message;
+            adapter.logger.error('[admin] POST /users/:id/password-reset', { error: msg });
+            if (msg.includes('not found')) {
+                res.status(404).json({ error: msg });
+            }
+            else {
+                res.status(500).json({ error: 'Failed to trigger password reset' });
+            }
+        }
+    });
+    return router;
+}
+//# sourceMappingURL=admin.routes.js.map

package/dist/server/routes/admin.routes.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"admin.routes.js","sourceRoot":"","sources":["../../../src/server/routes/admin.routes.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AAGjC,OAAO,EAAE,iBAAiB,EAAE,MAAM,sCAAsC,CAAC;AACzE,OAAO,EACL,WAAW,EACX,cAAc,EACd,eAAe,EACf,UAAU,EACV,YAAY,EACZ,aAAa,EACb,cAAc,EACd,iBAAiB,EACjB,QAAQ,EACR,UAAU,EACV,oBAAoB,GACrB,MAAM,oCAAoC,CAAC;AAE5C,MAAM,UAAU,iBAAiB,CAC/B,IAAU,EACV,OAA4B,EAC5B,KAAiC,EACjC,OAAe;IAEf,MAAM,MAAM,GAAG,MAAM,EAAE,CAAC;IACxB,MAAM,oBAAoB,GAAG,iBAAiB,CAAC,IAAI,EAAE,OAAO,EAAE,KAAK,CAAC,CAAC;IAIrE,kBAAkB;IAClB,MAAM,CAAC,GAAG,CAAC,OAAO,EAAE,oBAAoB,EAAE,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE;QAC3D,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,MAAM,WAAW,CAAC,IAAI,CAAC,CAAC;YACrC,GAAG,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC;QACrB,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,mBAAmB,EAAE,EAAE,KAAK,EAAG,CAAW,CAAC,OAAO,EAAE,CAAC,CAAC;YAC3E,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,8BAA8B,EAAE,CAAC,CAAC;QAClE,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,sBAAsB;IACtB,MAAM,CAAC,GAAG,CAAC,WAAW,EAAE,oBAAoB,EAAE,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE;QAC/D,MAAM,KAAK,GAAG,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC;QAC1C,IAAI,KAAK,CAAC,KAAK,CAAC,EAAE,CAAC;YAAC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,gBAAgB,EAAE,CAAC,CAAC;YAAC,OAAO;QAAC,CAAC;QAChF,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,MAAM,cAAc,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;YAC9C,GAAG,CAAC,IAAI,CAAC,EAAE,GAAG,EAAE,CAAC,CAAC;QACpB,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,MAAM,GAAG,GAAI,CAAW,CAAC,OAAO,CAAC;YACjC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,uBAAuB,EAAE,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC,CAAC;YAC9D,IAAI,GAAG,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;gBAAC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC,CAAC;YAAC,CAAC;iBACnE,CAAC;gBAAC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,8BAA8B,EAAE,CAAC,CAAC;YAAC,CAAC;QAC3E,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,uBAAuB;IACvB,MAAM,CAAC,GAAG,CAAC,YAAY,EAAE,oBAAoB,EAAE,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE;QAChE,MAAM,MAAM,GAAG,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC;QAC3C,IAAI,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC;YAAC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,iBAAiB,EAAE,CAAC,CAAC;YAAC,OAAO;QAAC,CAAC;QAClF,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,MAAM,eAAe,CAAC,IAAI,EAAE,OAAO,EAAE,MAAM,CAAC,CAAC;YAC1D,GAAG,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC;QACrB,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,MAAM,GAAG,GAAI,CAAW,CAAC,OAAO,CAAC;YACjC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,wBAAwB,EAAE,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC,CAAC;YAC/D,IAAI,GAAG,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;gBAAC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC,CAAC;YAAC,CAAC;iBACnE,CAAC;gBAAC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,sBAAsB,EAAE,CAAC,CAAC;YAAC,CAAC;QACnE,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,+BAA+B;IAC/B,MAAM,CAAC,IAAI,CAAC,mBAAmB,EAAE,oBAAoB,EAAE,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE;QACxE,MAAM,KAAK,GAAG,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC;QAC1C,IAAI,KAAK,CAAC,KAAK,CAAC,EAAE,CAAC;YAAC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,gBAAgB,EAAE,CAAC,CAAC;YAAC,OAAO;QAAC,CAAC;QAChF,MAAM,EAAE,MAAM,EAAE,GAAG,GAAG,CAAC,IAA2B,CAAC;QACnD,IAAI,CAAC,MAAM,EAAE,CAAC;YAAC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC,CAAC;YAAC,OAAO;QAAC,CAAC;QAC/E,MAAM,QAAQ,GAAI,GAAiB,CAAC,gBAAgB,CAAC;QACrD,IAAI,CAAC;YACH,MAAM,UAAU,CAAC,IAAI,EAAE,EAAE,KAAK,EAAE,gBAAgB,EAAE,QAAQ,EAAE,MAAM,EAAE,CAAC,CAAC;YACtE,GAAG,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,uBAAuB,EAAE,CAAC,CAAC;QACjD,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,MAAM,GAAG,GAAI,CAAW,CAAC,OAAO,CAAC;YACjC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,gCAAgC,EAAE,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC,CAAC;YACvE,IAAI,GAAG,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,aAAa,CAAC,EAAE,CAAC;gBAAC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC,CAAC;YAAC,CAAC;iBAClG,CAAC;gBAAC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,gCAAgC,EAAE,CAAC,CAAC;YAAC,CAAC;QAC7E,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,qCAAqC;IACrC,MAAM,CAAC,IAAI,CAAC,yBAAyB,EAAE,oBAAoB,EAAE,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE;QAC9E,MAAM,KAAK,GAAG,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC;QAC1C,IAAI,KAAK,CAAC,KAAK,CAAC,EAAE,CAAC;YAAC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,gBAAgB,EAAE,CAAC,CAAC;YAAC,OAAO;QAAC,CAAC;QAChF,MAAM,EAAE,YAAY,EAAE,MAAM,EAAE,GAAG,GAAG,CAAC,IAAkD,CAAC;QACxF,IAAI,CAAC,YAAY,IAAI,CAAC,MAAM,EAAE,CAAC;YAAC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,sCAAsC,EAAE,CAAC,CAAC;YAAC,OAAO;QAAC,CAAC;QAClH,MAAM,QAAQ,GAAI,GAAiB,CAAC,gBAAgB,CAAC;QACrD,IAAI,CAAC;YACH,MAAM,YAAY,CAAC,IAAI,EAAE,EAAE,KAAK,EAAE,YAAY,EAAE,gBAAgB,EAAE,QAAQ,EAAE,MAAM,EAAE,CAAC,CAAC;YACtF,GAAG,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,iBAAiB,EAAE,CAAC,CAAC;QAC3C,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,sCAAsC,EAAE,EAAE,KAAK,EAAG,CAAW,CAAC,OAAO,EAAE,CAAC,CAAC;YAC9F,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,yBAAyB,EAAE,CAAC,CAAC;QAC7D,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,mCAAmC;IACnC,MAAM,CAAC,IAAI,CAAC,uBAAuB,EAAE,oBAAoB,EAAE,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE;QAC5E,IAAI,CAAC,KAAK,CAAC,gBAAgB,EAAE,CAAC;YAAC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,4BAA4B,EAAE,CAAC,CAAC;YAAC,OAAO;QAAC,CAAC;QACvG,MAAM,KAAK,GAAG,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC;QAC1C,IAAI,KAAK,CAAC,KAAK,CAAC,EAAE,CAAC;YAAC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,gBAAgB,EAAE,CAAC,CAAC;YAAC,OAAO;QAAC,CAAC;QAChF,MAAM,EAAE,UAAU,EAAE,GAAG,GAAG,CAAC,IAA+B,CAAC;QAC3D,IAAI,CAAC,UAAU,EAAE,CAAC;YAAC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,wBAAwB,EAAE,CAAC,CAAC;YAAC,OAAO;QAAC,CAAC;QACvF,MAAM,QAAQ,GAAI,GAAiB,CAAC,gBAAgB,CAAC;QACrD,IAAI,CAAC;YACH,MAAM,aAAa,CAAC,IAAI,EAAE,EAAE,KAAK,EAAE,gBAAgB,EAAE,QAAQ,EAAE,UAAU,EAAE,CAAC,CAAC;YAC7E,GAAG,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,kCAAkC,EAAE,CAAC,CAAC;QAC5D,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,MAAM,GAAG,GAAI,CAAW,CAAC,OAAO,CAAC;YACjC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,oCAAoC,EAAE,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC,CAAC;YAC3E,IAAI,GAAG,CAAC,QAAQ,CAAC,aAAa,CAAC,EAAE,CAAC;gBAAC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC,CAAC;YAAC,CAAC;iBACrE,CAAC;gBAAC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,oCAAoC,EAAE,CAAC,CAAC;YAAC,CAAC;QACjF,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,mCAAmC;IACnC,MAAM,CAAC,IAAI,CAAC,uBAAuB,EAAE,oBAAoB,EAAE,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE;QAC5E,MAAM,KAAK,GAAG,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC;QAC1C,IAAI,KAAK,CAAC,KAAK,CAAC,EAAE,CAAC;YAAC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,gBAAgB,EAAE,CAAC,CAAC;YAAC,OAAO;QAAC,CAAC;QAChF,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG,GAAG,CAAC,IAA2D,CAAC;QACjG,IAAI,CAAC,MAAM,IAAI,CAAC,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;YAAC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,uCAAuC,EAAE,CAAC,CAAC;YAAC,OAAO;QAAC,CAAC;QACtH,MAAM,QAAQ,GAAI,GAAiB,CAAC,gBAAgB,CAAC;QACrD,IAAI,CAAC;YACH,MAAM,cAAc,CAAC,IAAI,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,IAAI,EAAE,IAAe,EAAE,gBAAgB,EAAE,QAAQ,EAAE,MAAM,EAAE,CAAC,CAAC;YACzG,GAAG,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,cAAc,EAAE,CAAC,CAAC;QACxC,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,oCAAoC,EAAE,EAAE,KAAK,EAAG,CAAW,CAAC,OAAO,EAAE,CAAC,CAAC;YAC5F,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,sBAAsB,EAAE,CAAC,CAAC;QAC1D,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,sCAAsC;IACtC,MAAM,CAAC,IAAI,CAAC,0BAA0B,EAAE,oBAAoB,EAAE,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE;QAC/E,MAAM,KAAK,GAAG,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC;QAC1C,IAAI,KAAK,CAAC,KAAK,CAAC,EAAE,CAAC;YAAC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,gBAAgB,EAAE,CAAC,CAAC;YAAC,OAAO;QAAC,CAAC;QAChF,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,GAAG,GAAG,CAAC,IAA4C,CAAC;QAC5E,IAAI,CAAC,MAAM,IAAI,CAAC,MAAM,EAAE,CAAC;YAAC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,gCAAgC,EAAE,CAAC,CAAC;YAAC,OAAO;QAAC,CAAC;QACtG,MAAM,QAAQ,GAAI,GAAiB,CAAC,gBAAgB,CAAC;QACrD,IAAI,CAAC;YACH,MAAM,iBAAiB,CAAC,IAAI,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,gBAAgB,EAAE,QAAQ,EAAE,MAAM,EAAE,CAAC,CAAC;YACrF,GAAG,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,gBAAgB,EAAE,CAAC,CAAC;QAC1C,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,uCAAuC,EAAE,EAAE,KAAK,EAAG,CAAW,CAAC,OAAO,EAAE,CAAC,CAAC;YAC/F,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,yBAAyB,EAAE,CAAC,CAAC;QAC7D,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,6BAA6B;IAC7B,MAAM,CAAC,IAAI,CAAC,iBAAiB,EAAE,oBAAoB,EAAE,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE;QACtE,MAAM,MAAM,GAAG,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC;QAC3C,IAAI,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC;YAAC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,iBAAiB,EAAE,CAAC,CAAC;YAAC,OAAO;QAAC,CAAC;QAClF,MAAM,EAAE,MAAM,EAAE,GAAG,GAAG,CAAC,IAA2B,CAAC;QACnD,IAAI,CAAC,MAAM,EAAE,CAAC;YAAC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC,CAAC;YAAC,OAAO;QAAC,CAAC;QAC/E,MAAM,QAAQ,GAAI,GAAiB,CAAC,gBAAgB,CAAC;QACrD,IAAI,CAAC;YACH,MAAM,QAAQ,CAAC,IAAI,EAAE,OAAO,EAAE,EAAE,MAAM,EAAE,gBAAgB,EAAE,QAAQ,EAAE,MAAM,EAAE,CAAC,CAAC;YAC9E,GAAG,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,sCAAsC,EAAE,CAAC,CAAC;QAChE,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,8BAA8B,EAAE,EAAE,KAAK,EAAG,CAAW,CAAC,OAAO,EAAE,CAAC,CAAC;YACtF,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,qBAAqB,EAAE,CAAC,CAAC;QACzD,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,+BAA+B;IAC/B,MAAM,CAAC,IAAI,CAAC,mBAAmB,EAAE,oBAAoB,EAAE,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE;QACxE,MAAM,MAAM,GAAG,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC;QAC3C,IAAI,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC;YAAC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,iBAAiB,EAAE,CAAC,CAAC;YAAC,OAAO;QAAC,CAAC;QAClF,MAAM,EAAE,MAAM,EAAE,GAAG,GAAG,CAAC,IAA2B,CAAC;QACnD,IAAI,CAAC,MAAM,EAAE,CAAC;YAAC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC,CAAC;YAAC,OAAO;QAAC,CAAC;QAC/E,MAAM,QAAQ,GAAI,GAAiB,CAAC,gBAAgB,CAAC;QACrD,IAAI,CAAC;YACH,MAAM,UAAU,CAAC,IAAI,EAAE,OAAO,EAAE,EAAE,MAAM,EAAE,gBAAgB,EAAE,QAAQ,EAAE,MAAM,EAAE,CAAC,CAAC;YAChF,GAAG,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,eAAe,EAAE,CAAC,CAAC;QACzC,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,gCAAgC,EAAE,EAAE,KAAK,EAAG,CAAW,CAAC,OAAO,EAAE,CAAC,CAAC;YACxF,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,uBAAuB,EAAE,CAAC,CAAC;QAC3D,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,uCAAuC;IACvC,MAAM,CAAC,IAAI,CAAC,2BAA2B,EAAE,oBAAoB,EAAE,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE;QAChF,MAAM,MAAM,GAAG,QAAQ,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC;QAC3C,IAAI,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC;YAAC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,iBAAiB,EAAE,CAAC,CAAC;YAAC,OAAO;QAAC,CAAC;QAClF,MAAM,EAAE,MAAM,EAAE,GAAG,GAAG,CAAC,IAA2B,CAAC;QACnD,IAAI,CAAC,MAAM,EAAE,CAAC;YAAC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,oBAAoB,EAAE,CAAC,CAAC;YAAC,OAAO;QAAC,CAAC;QAC/E,MAAM,QAAQ,GAAI,GAAiB,CAAC,gBAAgB,CAAC;QACrD,IAAI,CAAC;YACH,MAAM,oBAAoB,CAAC,IAAI,EAAE,OAAO,EAAE,EAAE,MAAM,EAAE,gBAAgB,EAAE,QAAQ,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC,CAAC;YACnG,GAAG,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,2BAA2B,EAAE,CAAC,CAAC;QACrD,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,MAAM,GAAG,GAAI,CAAW,CAAC,OAAO,CAAC;YACjC,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,wCAAwC,EAAE,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC,CAAC;YAC/E,IAAI,GAAG,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;gBAAC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC,CAAC;YAAC,CAAC;iBACnE,CAAC;gBAAC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,kCAAkC,EAAE,CAAC,CAAC;YAAC,CAAC;QAC/E,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/server/routes/audit.routes.d.ts

@@ -0,0 +1,5 @@
+import { Router } from 'express';
+import type { Pool } from 'pg';
+import type { ServerModuleAdapter, TeamManagementFeatureFlags } from '../types.js';
+export declare function createAuditRouter(pool: Pool, adapter: ServerModuleAdapter, flags: TeamManagementFeatureFlags): Router;
+//# sourceMappingURL=audit.routes.d.ts.map

package/dist/server/routes/audit.routes.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit.routes.d.ts","sourceRoot":"","sources":["../../../src/server/routes/audit.routes.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AACjC,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,IAAI,CAAC;AAC/B,OAAO,KAAK,EAAE,mBAAmB,EAAE,0BAA0B,EAAE,MAAM,aAAa,CAAC;AAQnF,wBAAgB,iBAAiB,CAC/B,IAAI,EAAE,IAAI,EACV,OAAO,EAAE,mBAAmB,EAC5B,KAAK,EAAE,0BAA0B,GAChC,MAAM,CA8ER"}

package/dist/server/routes/audit.routes.js

@@ -0,0 +1,70 @@
+import { Router } from 'express';
+import { requireMembership } from '../middleware/require-membership.js';
+import { requireRole } from '../middleware/require-role.js';
+const SUPER_ADMIN_DISPLAY_NAME = 'Varshyl Support';
+const DEFAULT_PAGE_LIMIT = 50;
+const MAX_PAGE_LIMIT = 200;
+export function createAuditRouter(pool, adapter, flags) {
+    const router = Router({ mergeParams: true });
+    const authMiddleware = requireMembership(pool, adapter);
+    // GET /orgs/:orgId/audit — paginated audit log (admin+)
+    router.get('/:orgId/audit', authMiddleware, requireRole('admin'), async (req, res) => {
+        if (!flags.enableAuditLog) {
+            res.status(501).json({ error: 'Audit log is not enabled' });
+            return;
+        }
+        const { orgId } = req;
+        const page = Math.max(1, parseInt(req.query.page, 10) || 1);
+        const rawLimit = parseInt(req.query.limit, 10) || DEFAULT_PAGE_LIMIT;
+        const limit = Math.min(rawLimit, MAX_PAGE_LIMIT);
+        const offset = (page - 1) * limit;
+        const action = req.query.action;
+        try {
+            const params = [orgId, limit, offset];
+            let actionFilter = '';
+            if (action) {
+                params.push(action);
+                actionFilter = `AND ae.action = $${params.length}`;
+            }
+            const result = await pool.query(`SELECT ae.*, sa.user_id AS is_super_admin_actor
+         FROM tm_audit_events ae
+         LEFT JOIN tm_super_admins sa ON sa.user_id = ae.actor_user_id AND sa.revoked_at IS NULL
+         WHERE ae.org_id = $1
+         ${actionFilter}
+         ORDER BY ae.created_at DESC
+         LIMIT $2 OFFSET $3`, params);
+            const countResult = await pool.query(`SELECT COUNT(*) FROM tm_audit_events WHERE org_id = $1 ${action ? 'AND action = $2' : ''}`, action ? [orgId, action] : [orgId]);
+            const total = parseInt(countResult.rows[0].count, 10);
+            // Collect user IDs for enrichment (non-super-admin actors)
+            const userIds = [
+                ...new Set(result.rows
+                    .filter(r => r.actor_user_id && !r.is_super_admin_actor)
+                    .map(r => r.actor_user_id)),
+            ];
+            const users = userIds.length > 0 ? await adapter.getUsersByIds(userIds) : [];
+            const userMap = new Map(users.map(u => [u.id, u]));
+            const events = result.rows.map(row => {
+                const { is_super_admin_actor, ...event } = row;
+                const actorDisplay = is_super_admin_actor
+                    ? { id: row.actor_user_id, name: SUPER_ADMIN_DISPLAY_NAME, email: null }
+                    : userMap.get(row.actor_user_id) ?? { id: row.actor_user_id, name: null, email: null };
+                return { ...event, actor: actorDisplay };
+            });
+            res.json({
+                events,
+                pagination: {
+                    page,
+                    limit,
+                    total,
+                    totalPages: Math.ceil(total / limit),
+                },
+            });
+        }
+        catch (e) {
+            adapter.logger.error('[audit] GET /:orgId/audit', { error: e.message });
+            res.status(500).json({ error: 'Failed to fetch audit log' });
+        }
+    });
+    return router;
+}
+//# sourceMappingURL=audit.routes.js.map

package/dist/server/routes/audit.routes.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"audit.routes.js","sourceRoot":"","sources":["../../../src/server/routes/audit.routes.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AAGjC,OAAO,EAAE,iBAAiB,EAA6B,MAAM,qCAAqC,CAAC;AACnG,OAAO,EAAE,WAAW,EAAE,MAAM,+BAA+B,CAAC;AAE5D,MAAM,wBAAwB,GAAG,iBAAiB,CAAC;AACnD,MAAM,kBAAkB,GAAG,EAAE,CAAC;AAC9B,MAAM,cAAc,GAAG,GAAG,CAAC;AAE3B,MAAM,UAAU,iBAAiB,CAC/B,IAAU,EACV,OAA4B,EAC5B,KAAiC;IAEjC,MAAM,MAAM,GAAG,MAAM,CAAC,EAAE,WAAW,EAAE,IAAI,EAAE,CAAC,CAAC;IAC7C,MAAM,cAAc,GAAG,iBAAiB,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;IAExD,wDAAwD;IACxD,MAAM,CAAC,GAAG,CAAC,eAAe,EAAE,cAAc,EAAE,WAAW,CAAC,OAAO,CAAC,EAAE,KAAK,EAAE,GAAG,EAAE,GAAG,EAAE,EAAE;QACnF,IAAI,CAAC,KAAK,CAAC,cAAc,EAAE,CAAC;YAC1B,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,0BAA0B,EAAE,CAAC,CAAC;YAC5D,OAAO;QACT,CAAC;QAED,MAAM,EAAE,KAAK,EAAE,GAAG,GAA2B,CAAC;QAC9C,MAAM,IAAI,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,QAAQ,CAAC,GAAG,CAAC,KAAK,CAAC,IAAc,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC;QACtE,MAAM,QAAQ,GAAG,QAAQ,CAAC,GAAG,CAAC,KAAK,CAAC,KAAe,EAAE,EAAE,CAAC,IAAI,kBAAkB,CAAC;QAC/E,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,QAAQ,EAAE,cAAc,CAAC,CAAC;QACjD,MAAM,MAAM,GAAG,CAAC,IAAI,GAAG,CAAC,CAAC,GAAG,KAAK,CAAC;QAClC,MAAM,MAAM,GAAG,GAAG,CAAC,KAAK,CAAC,MAA4B,CAAC;QAEtD,IAAI,CAAC;YACH,MAAM,MAAM,GAAc,CAAC,KAAK,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC;YACjD,IAAI,YAAY,GAAG,EAAE,CAAC;YACtB,IAAI,MAAM,EAAE,CAAC;gBACX,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;gBACpB,YAAY,GAAG,oBAAoB,MAAM,CAAC,MAAM,EAAE,CAAC;YACrD,CAAC;YAED,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,KAAK,CAC7B;;;;WAIG,YAAY;;4BAEK,EACpB,MAAM,CACP,CAAC;YAEF,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,KAAK,CAClC,0DAA0D,MAAM,CAAC,CAAC,CAAC,iBAAiB,CAAC,CAAC,CAAC,EAAE,EAAE,EAC3F,MAAM,CAAC,CAAC,CAAC,CAAC,KAAK,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CACnC,CAAC;YACF,MAAM,KAAK,GAAG,QAAQ,CAAC,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC;YAEtD,2DAA2D;YAC3D,MAAM,OAAO,GAAG;gBACd,GAAG,IAAI,GAAG,CACR,MAAM,CAAC,IAAI;qBACR,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,aAAa,IAAI,CAAC,CAAC,CAAC,oBAAoB,CAAC;qBACvD,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,aAAuB,CAAC,CACvC;aACF,CAAC;YACF,MAAM,KAAK,GAAG,OAAO,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,MAAM,OAAO,CAAC,aAAa,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;YAC7E,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC;YAEnD,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE;gBACnC,MAAM,EAAE,oBAAoB,EAAE,GAAG,KAAK,EAAE,GAAG,GAAG,CAAC;gBAC/C,MAAM,YAAY,GAAG,oBAAoB;oBACvC,CAAC,CAAC,EAAE,EAAE,EAAE,GAAG,CAAC,aAAa,EAAE,IAAI,EAAE,wBAAwB,EAAE,KAAK,EAAE,IAAI,EAAE;oBACxE,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,aAAa,CAAC,IAAI,EAAE,EAAE,EAAE,GAAG,CAAC,aAAa,EAAE,IAAI,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,CAAC;gBACzF,OAAO,EAAE,GAAG,KAAK,EAAE,KAAK,EAAE,YAAY,EAAE,CAAC;YAC3C,CAAC,CAAC,CAAC;YAEH,GAAG,CAAC,IAAI,CAAC;gBACP,MAAM;gBACN,UAAU,EAAE;oBACV,IAAI;oBACJ,KAAK;oBACL,KAAK;oBACL,UAAU,EAAE,IAAI,CAAC,IAAI,CAAC,KAAK,GAAG,KAAK,CAAC;iBACrC;aACF,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,CAAC,EAAE,CAAC;YACX,OAAO,CAAC,MAAM,CAAC,KAAK,CAAC,2BAA2B,EAAE,EAAE,KAAK,EAAG,CAAW,CAAC,OAAO,EAAE,CAAC,CAAC;YACnF,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,2BAA2B,EAAE,CAAC,CAAC;QAC/D,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/server/routes/health.routes.d.ts

@@ -0,0 +1,8 @@
+import { Router } from 'express';
+import type { Pool } from 'pg';
+import type { TeamManagementConfig } from '../types.js';
+export declare function createHealthRouter(pool: Pool, config: TeamManagementConfig): {
+    router: Router;
+    handler: import('express').RequestHandler;
+};
+//# sourceMappingURL=health.routes.d.ts.map

package/dist/server/routes/health.routes.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"health.routes.d.ts","sourceRoot":"","sources":["../../../src/server/routes/health.routes.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,EAAE,MAAM,SAAS,CAAC;AACjC,OAAO,KAAK,EAAE,IAAI,EAAE,MAAM,IAAI,CAAC;AAC/B,OAAO,KAAK,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAC;AAIxD,wBAAgB,kBAAkB,CAChC,IAAI,EAAE,IAAI,EACV,MAAM,EAAE,oBAAoB,GAC3B;IAAE,MAAM,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,OAAO,SAAS,EAAE,cAAc,CAAA;CAAE,CAoC/D"}