npm - @varshylinc/team-management - Versions diffs - 0.1.0 - Mend

@varshylinc/team-management 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (203) hide show

package/.eslintrc.cjs +18 -0
package/CHANGELOG.md +159 -0
package/LICENSE +6 -0
package/README.md +97 -0
package/dist/index.d.ts +4 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +6 -0
package/dist/index.js.map +1 -0
package/dist/server/crypto.d.ts +6 -0
package/dist/server/crypto.d.ts.map +1 -0
package/dist/server/crypto.js +42 -0
package/dist/server/crypto.js.map +1 -0
package/dist/server/index.d.ts +34 -0
package/dist/server/index.d.ts.map +1 -0
package/dist/server/index.js +114 -0
package/dist/server/index.js.map +1 -0
package/dist/server/middleware/require-membership.d.ts +10 -0
package/dist/server/middleware/require-membership.d.ts.map +1 -0
package/dist/server/middleware/require-membership.js +33 -0
package/dist/server/middleware/require-membership.js.map +1 -0
package/dist/server/middleware/require-role.d.ts +4 -0
package/dist/server/middleware/require-role.d.ts.map +1 -0
package/dist/server/middleware/require-role.js +16 -0
package/dist/server/middleware/require-role.js.map +1 -0
package/dist/server/middleware/require-super-admin.d.ts +5 -0
package/dist/server/middleware/require-super-admin.d.ts.map +1 -0
package/dist/server/middleware/require-super-admin.js +27 -0
package/dist/server/middleware/require-super-admin.js.map +1 -0
package/dist/server/migrations/0001_create_tm_schema_migrations.sql +13 -0
package/dist/server/migrations/0002_create_tm_organizations.sql +14 -0
package/dist/server/migrations/0003_create_tm_memberships.sql +24 -0
package/dist/server/migrations/0004_create_tm_invitations.sql +22 -0
package/dist/server/migrations/0005_create_tm_audit_events.sql +17 -0
package/dist/server/migrations/0006_create_tm_email_change_requests.sql +13 -0
package/dist/server/migrations/0007_create_tm_ownership_transfers.sql +22 -0
package/dist/server/migrations/0008_create_tm_super_admins.sql +8 -0
package/dist/server/migrations/0009_create_tm_password_reset_requests.sql +9 -0
package/dist/server/migrations/0010_create_tm_shared_access.sql +8 -0
package/dist/server/migrations/0011_seed_super_admin.sql +15 -0
package/dist/server/migrations/0012_create_tm_user_locks.sql +7 -0
package/dist/server/routes/admin.routes.d.ts +5 -0
package/dist/server/routes/admin.routes.d.ts.map +1 -0
package/dist/server/routes/admin.routes.js +262 -0
package/dist/server/routes/admin.routes.js.map +1 -0
package/dist/server/routes/audit.routes.d.ts +5 -0
package/dist/server/routes/audit.routes.d.ts.map +1 -0
package/dist/server/routes/audit.routes.js +70 -0
package/dist/server/routes/audit.routes.js.map +1 -0
package/dist/server/routes/health.routes.d.ts +8 -0
package/dist/server/routes/health.routes.d.ts.map +1 -0
package/dist/server/routes/health.routes.js +39 -0
package/dist/server/routes/health.routes.js.map +1 -0
package/dist/server/routes/invitations.routes.d.ts +5 -0
package/dist/server/routes/invitations.routes.d.ts.map +1 -0
package/dist/server/routes/invitations.routes.js +232 -0
package/dist/server/routes/invitations.routes.js.map +1 -0
package/dist/server/routes/me.routes.d.ts +5 -0
package/dist/server/routes/me.routes.d.ts.map +1 -0
package/dist/server/routes/me.routes.js +188 -0
package/dist/server/routes/me.routes.js.map +1 -0
package/dist/server/routes/orgs.routes.d.ts +5 -0
package/dist/server/routes/orgs.routes.d.ts.map +1 -0
package/dist/server/routes/orgs.routes.js +371 -0
package/dist/server/routes/orgs.routes.js.map +1 -0
package/dist/server/routes/transfer.routes.d.ts +5 -0
package/dist/server/routes/transfer.routes.d.ts.map +1 -0
package/dist/server/routes/transfer.routes.js +108 -0
package/dist/server/routes/transfer.routes.js.map +1 -0
package/dist/server/services/audit.service.d.ts +20 -0
package/dist/server/services/audit.service.d.ts.map +1 -0
package/dist/server/services/audit.service.js +23 -0
package/dist/server/services/audit.service.js.map +1 -0
package/dist/server/services/email-change.service.d.ts +16 -0
package/dist/server/services/email-change.service.d.ts.map +1 -0
package/dist/server/services/email-change.service.js +107 -0
package/dist/server/services/email-change.service.js.map +1 -0
package/dist/server/services/invitations.service.d.ts +41 -0
package/dist/server/services/invitations.service.d.ts.map +1 -0
package/dist/server/services/invitations.service.js +214 -0
package/dist/server/services/invitations.service.js.map +1 -0
package/dist/server/services/memberships.service.d.ts +27 -0
package/dist/server/services/memberships.service.d.ts.map +1 -0
package/dist/server/services/memberships.service.js +69 -0
package/dist/server/services/memberships.service.js.map +1 -0
package/dist/server/services/organizations.service.d.ts +19 -0
package/dist/server/services/organizations.service.d.ts.map +1 -0
package/dist/server/services/organizations.service.js +61 -0
package/dist/server/services/organizations.service.js.map +1 -0
package/dist/server/services/ownership.service.d.ts +19 -0
package/dist/server/services/ownership.service.d.ts.map +1 -0
package/dist/server/services/ownership.service.js +102 -0
package/dist/server/services/ownership.service.js.map +1 -0
package/dist/server/services/password-reset.service.d.ts +12 -0
package/dist/server/services/password-reset.service.d.ts.map +1 -0
package/dist/server/services/password-reset.service.js +54 -0
package/dist/server/services/password-reset.service.js.map +1 -0
package/dist/server/services/super-admin.service.d.ts +59 -0
package/dist/server/services/super-admin.service.d.ts.map +1 -0
package/dist/server/services/super-admin.service.js +187 -0
package/dist/server/services/super-admin.service.js.map +1 -0
package/dist/server/types.d.ts +186 -0
package/dist/server/types.d.ts.map +1 -0
package/dist/server/types.js +6 -0
package/dist/server/types.js.map +1 -0
package/dist/shared/types.d.ts +23 -0
package/dist/shared/types.d.ts.map +1 -0
package/dist/shared/types.js +6 -0
package/dist/shared/types.js.map +1 -0
package/package.json +56 -0
package/src/client/api.ts +314 -0
package/src/client/components/AuditEventRow.tsx +59 -0
package/src/client/components/CascadePreview.tsx +36 -0
package/src/client/components/DangerZoneCard.tsx +103 -0
package/src/client/components/InvitationCodeDisplay.tsx +48 -0
package/src/client/components/InviteForm.tsx +77 -0
package/src/client/components/MemberRow.tsx +69 -0
package/src/client/components/PendingTransferBanner.tsx +98 -0
package/src/client/components/PlaceholderCard.tsx +26 -0
package/src/client/components/RoleBadge.tsx +26 -0
package/src/client/components/RoleSelect.tsx +35 -0
package/src/client/hooks/.gitkeep +0 -0
package/src/client/hooks/useCurrentMembership.ts +24 -0
package/src/client/hooks/useMembers.ts +24 -0
package/src/client/hooks/usePendingInvitations.ts +24 -0
package/src/client/hooks/usePendingTransfer.ts +27 -0
package/src/client/index.ts +80 -0
package/src/client/pages/AuditLogPage.tsx +164 -0
package/src/client/pages/EmailChangePage.tsx +144 -0
package/src/client/pages/InvitationAcceptPage.tsx +163 -0
package/src/client/pages/InvitationCodePage.tsx +108 -0
package/src/client/pages/MembersPage.tsx +290 -0
package/src/client/pages/OrgSettingsPage.tsx +185 -0
package/src/client/pages/OwnershipTransferPage.tsx +163 -0
package/src/client/pages/PasswordResetPage.tsx +104 -0
package/src/client/pages/PasswordResetRequestPage.tsx +71 -0
package/src/client/pages/PlaceholderPage.tsx +20 -0
package/src/client/pages/SuperAdminDashboard.tsx +401 -0
package/src/client/types.ts +78 -0
package/src/index.ts +24 -0
package/src/server/crypto.ts +47 -0
package/src/server/index.ts +167 -0
package/src/server/middleware/require-membership.ts +48 -0
package/src/server/middleware/require-role.ts +19 -0
package/src/server/middleware/require-super-admin.ts +32 -0
package/src/server/migrations/0001_create_tm_schema_migrations.sql +13 -0
package/src/server/migrations/0002_create_tm_organizations.sql +14 -0
package/src/server/migrations/0003_create_tm_memberships.sql +24 -0
package/src/server/migrations/0004_create_tm_invitations.sql +22 -0
package/src/server/migrations/0005_create_tm_audit_events.sql +17 -0
package/src/server/migrations/0006_create_tm_email_change_requests.sql +13 -0
package/src/server/migrations/0007_create_tm_ownership_transfers.sql +22 -0
package/src/server/migrations/0008_create_tm_super_admins.sql +8 -0
package/src/server/migrations/0009_create_tm_password_reset_requests.sql +9 -0
package/src/server/migrations/0010_create_tm_shared_access.sql +8 -0
package/src/server/migrations/0011_seed_super_admin.sql +15 -0
package/src/server/migrations/0012_create_tm_user_locks.sql +7 -0
package/src/server/routes/admin.routes.ts +208 -0
package/src/server/routes/audit.routes.ts +93 -0
package/src/server/routes/health.routes.ts +46 -0
package/src/server/routes/invitations.routes.ts +252 -0
package/src/server/routes/me.routes.ts +143 -0
package/src/server/routes/orgs.routes.ts +428 -0
package/src/server/routes/transfer.routes.ts +110 -0
package/src/server/services/.gitkeep +0 -0
package/src/server/services/audit.service.ts +49 -0
package/src/server/services/email-change.service.ts +178 -0
package/src/server/services/invitations.service.ts +316 -0
package/src/server/services/memberships.service.ts +129 -0
package/src/server/services/organizations.service.ts +110 -0
package/src/server/services/ownership.service.ts +170 -0
package/src/server/services/password-reset.service.ts +94 -0
package/src/server/services/super-admin.service.ts +321 -0
package/src/server/sql/.gitkeep +0 -0
package/src/server/types.ts +145 -0
package/src/shared/types.ts +24 -0
package/tests/integration/audit-fires.test.ts +288 -0
package/tests/integration/cascade-preview.test.ts +157 -0
package/tests/integration/email-change.test.ts +190 -0
package/tests/integration/feature-flags.test.ts +213 -0
package/tests/integration/invitations-code.test.ts +218 -0
package/tests/integration/invitations-expiry.test.ts +216 -0
package/tests/integration/invitations-resend.test.ts +241 -0
package/tests/integration/invitations-revoke.test.ts +226 -0
package/tests/integration/invitations-switch-org.test.ts +156 -0
package/tests/integration/invitations-token.test.ts +221 -0
package/tests/integration/migrations.test.ts +119 -0
package/tests/integration/only-owner-protections.test.ts +130 -0
package/tests/integration/org-lifecycle.test.ts +169 -0
package/tests/integration/ownership-transfer-cancel.test.ts +171 -0
package/tests/integration/ownership-transfer-expire.test.ts +171 -0
package/tests/integration/ownership-transfer-happy.test.ts +184 -0
package/tests/integration/ownership-transfer-locks.test.ts +146 -0
package/tests/integration/password-reset.test.ts +200 -0
package/tests/integration/super-admin-actions.test.ts +180 -0
package/tests/integration/super-admin-restrictions.test.ts +209 -0
package/tests/setup/global-setup.ts +20 -0
package/tests/unit/adapter-shape.test.ts +330 -0
package/tests/unit/role-permissions.test.ts +236 -0
package/tests/unit/validation.test.ts +304 -0
package/tsconfig.client.json +13 -0
package/tsconfig.json +12 -0
package/tsconfig.tsbuildinfo +1 -0
package/vitest.config.ts +13 -0

package/tests/integration/ownership-transfer-locks.test.ts ADDED Viewed

@@ -0,0 +1,146 @@
+import { describe, it, expect, beforeAll, afterAll, beforeEach } from 'vitest';
+import express from 'express';
+import request from 'supertest';
+import { Pool } from 'pg';
+import { createServerModule } from '../../src/server/index.js';
+import type { ServerModuleAdapter, OrgRole } from '../../src/server/types.js';
+const describeWithDb = process.env.DATABASE_URL ? describe : describe.skip;
+let currentUserId: number | null = null;
+let currentOrgId: number | null = null;
+const testAdapter: ServerModuleAdapter = {
+  getCurrentUserId: async () => currentUserId,
+  getOrganizationIdForUser: async () => currentOrgId,
+  isUserOrgAdmin: async (userId) => userId <= 2,
+  logger: { info: () => {}, warn: () => {}, error: () => {} },
+  getUserById: async (id) => ({ id, email: `u${id}@test.com`, name: `User${id}` }),
+  getUsersByIds: async (ids) => ids.map(id => ({ id, email: `u${id}@test.com`, name: `User${id}` })),
+  findUserByEmail: async (email) => {
+    const m = email.match(/^u(\d+)@test\.com$/);
+    return m ? { id: parseInt(m[1]), email } : null;
+  },
+  createUserFromInvite: async ({ email }: { email: string; orgId: number; role: OrgRole }) => ({ id: 99, email }),
+  setUserPassword: async () => {},
+  hashPassword: async (p) => `h:${p}`,
+  verifyPassword: async (p, h) => h === `h:${p}`,
+  invalidateAllUserSessions: async () => {},
+  sendInviteEmail: async () => {},
+  sendOwnershipTransferEmail: async () => {},
+  sendEmailChangeVerification: async () => {},
+  sendEmailChangeOldNotice: async () => {},
+  sendEmailChangedFinalNotice: async () => {},
+  sendPasswordResetEmail: async () => {},
+  sendOrgDeletionNotice: async () => {},
+  emitNotification: async () => {},
+};
+async function cleanAll(pool: Pool) {
+  await pool.query(`TRUNCATE tm_super_admins, tm_password_reset_requests,
+    tm_email_change_requests, tm_ownership_transfers, tm_audit_events,
+    tm_invitations, tm_memberships, tm_organizations RESTART IDENTITY CASCADE`);
+}
+async function seedOrg(pool: Pool, orgId = 1) {
+  await pool.query(`INSERT INTO tm_organizations (id, name, slug, owner_user_id, settings)
+    VALUES (${orgId}, 'Test Org ${orgId}', 'test-org-${orgId}', 1, '{}') ON CONFLICT DO NOTHING`);
+  await pool.query(`INSERT INTO tm_memberships (org_id, user_id, role) VALUES
+    (${orgId}, 1, 'owner'), (${orgId}, 2, 'admin'), (${orgId}, 3, 'member'), (${orgId}, 4, 'viewer')
+    ON CONFLICT DO NOTHING`);
+}
+describeWithDb('ownership transfer — locks', () => {
+  let pool: Pool;
+  let app: express.Express;
+  let pendingTransferId: number;
+  beforeAll(async () => {
+    pool = new Pool({ connectionString: process.env.DATABASE_URL });
+    const mod = createServerModule({ adapter: testAdapter, pool, features: {} });
+    app = express();
+    app.use(express.json());
+    app.use(mod.router);
+  });
+  afterAll(async () => {
+    await pool.end();
+  });
+  beforeEach(async () => {
+    await cleanAll(pool);
+    currentUserId = 1;
+    currentOrgId = 1;
+    await seedOrg(pool);
+    // Establish a pending transfer for all lock tests
+    const initRes = await request(app)
+      .post('/orgs/1/transfer')
+      .send({ toUserId: 2 });
+    expect(initRes.status).toBe(201);
+    pendingTransferId = initRes.body.transfer.id as number;
+  });
+  it('initiating another transfer while one is pending → 409 or 422', async () => {
+    currentUserId = 1;
+    const res = await request(app)
+      .post('/orgs/1/transfer')
+      .send({ toUserId: 3 });
+    expect([409, 422]).toContain(res.status);
+  });
+  it('deleting the org while transfer is pending → 409', async () => {
+    currentUserId = 1;
+    const res = await request(app)
+      .delete('/orgs/1')
+      .send({ confirmOrgName: 'Test Org 1' });
+    expect(res.status).toBe(409);
+  });
+  it('removing the transfer recipient while transfer is pending → 409', async () => {
+    currentUserId = 1;
+    const res = await request(app).delete('/orgs/1/members/2');
+    expect(res.status).toBe(409);
+  });
+  it('removing the transfer initiator (owner) while transfer is pending → 409 or 400', async () => {
+    // Switch to an admin trying to remove the owner — should be 409 or 400
+    currentUserId = 2;
+    const res = await request(app).delete('/orgs/1/members/1');
+    // Could be 400 (owner protection) or 409 (transfer lock) — both acceptable
+    expect([400, 403, 409]).toContain(res.status);
+  });
+  it('changing recipient role while transfer is pending → 409', async () => {
+    currentUserId = 1;
+    const res = await request(app)
+      .patch('/orgs/1/members/2')
+      .send({ role: 'member' });
+    expect(res.status).toBe(409);
+  });
+  it('after cancelling the transfer, org delete is no longer locked', async () => {
+    currentUserId = 1;
+    await request(app).delete('/orgs/1/transfer');
+    const deleteRes = await request(app)
+      .delete('/orgs/1')
+      .send({ confirmOrgName: 'Test Org 1' });
+    // Should no longer be 409 — either succeeds or fails for another reason
+    expect(deleteRes.status).not.toBe(409);
+  });
+  it('after cancelling the transfer, removing members is no longer locked', async () => {
+    currentUserId = 1;
+    await request(app).delete('/orgs/1/transfer');
+    const removeRes = await request(app).delete('/orgs/1/members/3');
+    expect(removeRes.status).not.toBe(409);
+  });
+});

package/tests/integration/password-reset.test.ts ADDED Viewed

@@ -0,0 +1,200 @@
+import { describe, it, expect, beforeAll, afterAll, beforeEach, vi } from 'vitest';
+import { createHash } from 'crypto';
+import express from 'express';
+import request from 'supertest';
+import { Pool } from 'pg';
+import { createServerModule } from '../../src/server/index.js';
+import type { ServerModuleAdapter, OrgRole } from '../../src/server/types.js';
+const describeWithDb = process.env.DATABASE_URL ? describe : describe.skip;
+function sha256(s: string): string {
+  return createHash('sha256').update(s).digest('hex');
+}
+function extractResetToken(spy: ReturnType<typeof vi.fn>): string {
+  const callArg = spy.mock.calls[0]?.[0] as { resetUrl?: string } | undefined;
+  const url = callArg?.resetUrl ?? '';
+  const qs = url.includes('?') ? url.split('?')[1] : '';
+  return new URLSearchParams(qs).get('token') ?? '';
+}
+let currentUserId: number | null = null;
+let currentOrgId: number | null = null;
+const sendPasswordResetEmail = vi.fn(async () => {});
+const testAdapter: ServerModuleAdapter = {
+  getCurrentUserId: async () => currentUserId,
+  getOrganizationIdForUser: async () => currentOrgId,
+  isUserOrgAdmin: async (userId) => userId <= 2,
+  logger: { info: () => {}, warn: () => {}, error: () => {} },
+  getUserById: async (id) => ({ id, email: `u${id}@test.com`, name: `User${id}` }),
+  getUsersByIds: async (ids) => ids.map(id => ({ id, email: `u${id}@test.com`, name: `User${id}` })),
+  findUserByEmail: async (email) => {
+    const m = email.match(/^u(\d+)@test\.com$/);
+    return m ? { id: parseInt(m[1]), email } : null;
+  },
+  createUserFromInvite: async ({ email }: { email: string; orgId: number; role: OrgRole }) => ({ id: 99, email }),
+  setUserPassword: vi.fn(async () => {}),
+  hashPassword: async (p) => `h:${p}`,
+  verifyPassword: async (p, h) => h === `h:${p}`,
+  invalidateAllUserSessions: async () => {},
+  sendInviteEmail: async () => {},
+  sendOwnershipTransferEmail: async () => {},
+  sendEmailChangeVerification: async () => {},
+  sendEmailChangeOldNotice: async () => {},
+  sendEmailChangedFinalNotice: async () => {},
+  sendPasswordResetEmail,
+  sendOrgDeletionNotice: async () => {},
+  emitNotification: async () => {},
+};
+async function cleanAll(pool: Pool) {
+  await pool.query(`TRUNCATE tm_super_admins, tm_password_reset_requests,
+    tm_email_change_requests, tm_ownership_transfers, tm_audit_events,
+    tm_invitations, tm_memberships, tm_organizations RESTART IDENTITY CASCADE`);
+}
+async function seedOrg(pool: Pool, orgId = 1) {
+  await pool.query(`INSERT INTO tm_organizations (id, name, slug, owner_user_id, settings)
+    VALUES (${orgId}, 'Test Org ${orgId}', 'test-org-${orgId}', 1, '{}') ON CONFLICT DO NOTHING`);
+  await pool.query(`INSERT INTO tm_memberships (org_id, user_id, role) VALUES
+    (${orgId}, 1, 'owner'), (${orgId}, 2, 'admin'), (${orgId}, 3, 'member'), (${orgId}, 4, 'viewer')
+    ON CONFLICT DO NOTHING`);
+}
+describeWithDb('password reset flow', () => {
+  let pool: Pool;
+  let app: express.Express;
+  beforeAll(async () => {
+    pool = new Pool({ connectionString: process.env.DATABASE_URL });
+    const mod = createServerModule({ adapter: testAdapter, pool, features: {} });
+    app = express();
+    app.use(express.json());
+    app.use(mod.router);
+  });
+  afterAll(async () => {
+    await pool.end();
+  });
+  beforeEach(async () => {
+    await cleanAll(pool);
+    sendPasswordResetEmail.mockClear();
+    (testAdapter.setUserPassword as ReturnType<typeof vi.fn>).mockClear?.();
+    currentUserId = null;
+    currentOrgId = null;
+    await seedOrg(pool);
+  });
+  it('POST /me/password-reset/request with existing email → 200', async () => {
+    const res = await request(app)
+      .post('/me/password-reset/request')
+      .send({ email: 'u1@test.com' });
+    expect(res.status).toBe(200);
+    expect(sendPasswordResetEmail).toHaveBeenCalledOnce();
+    const dbRow = await pool.query(
+      `SELECT * FROM tm_password_reset_requests WHERE user_id = 1 ORDER BY created_at DESC LIMIT 1`
+    );
+    expect(dbRow.rows.length).toBe(1);
+    // used_at is NULL when not yet used
+    expect(dbRow.rows[0].used_at).toBeNull();
+  });
+  it('POST /me/password-reset/request with unknown email → 200 (no user enumeration)', async () => {
+    const res = await request(app)
+      .post('/me/password-reset/request')
+      .send({ email: 'nonexistent@example.com' });
+    expect(res.status).toBe(200);
+    expect(sendPasswordResetEmail).not.toHaveBeenCalled();
+  });
+  it('POST /me/password-reset with valid token → 200 and password updated', async () => {
+    await request(app)
+      .post('/me/password-reset/request')
+      .send({ email: 'u1@test.com' });
+    // Extract plaintext token from the reset URL sent via mock
+    const token = extractResetToken(sendPasswordResetEmail);
+    expect(token).toBeTruthy();
+    // Confirm endpoint is POST /me/password-reset (not /confirm)
+    const confirmRes = await request(app)
+      .post('/me/password-reset')
+      .send({ token, newPassword: 'NewSecurePass123!' });
+    expect(confirmRes.status).toBe(200);
+    expect(testAdapter.setUserPassword).toHaveBeenCalledOnce();
+  });
+  it('POST /me/password-reset with used token → 422', async () => {
+    await request(app)
+      .post('/me/password-reset/request')
+      .send({ email: 'u1@test.com' });
+    const token = extractResetToken(sendPasswordResetEmail);
+    expect(token).toBeTruthy();
+    // Use it once
+    await request(app)
+      .post('/me/password-reset')
+      .send({ token, newPassword: 'FirstUse!' });
+    // Try to use again → 422 (Invalid or expired)
+    const res = await request(app)
+      .post('/me/password-reset')
+      .send({ token, newPassword: 'SecondUse!' });
+    expect(res.status).toBe(422);
+  });
+  it('POST /me/password-reset with expired token → 422', async () => {
+    // Request first to get a real token (captures from mock)
+    await request(app)
+      .post('/me/password-reset/request')
+      .send({ email: 'u1@test.com' });
+    const token = extractResetToken(sendPasswordResetEmail);
+    expect(token).toBeTruthy();
+    // Force-expire it in DB
+    await pool.query(
+      `UPDATE tm_password_reset_requests SET expires_at = NOW() - INTERVAL '3 hours' WHERE token_hash = $1`,
+      [sha256(token)]
+    );
+    const res = await request(app)
+      .post('/me/password-reset')
+      .send({ token, newPassword: 'DoesNotMatter!' });
+    expect(res.status).toBe(422);
+  });
+  it('rate limit: 4th password reset request → 200 but email suppressed (silent rate limit)', async () => {
+    const recent = new Date(Date.now() - 20 * 60 * 1000).toISOString();
+    const futureExpiry = new Date(Date.now() + 60 * 60 * 1000).toISOString();
+    // Insert 3 existing reset requests with token_hash
+    for (let i = 0; i < 3; i++) {
+      const fakeToken = `rate-tok-placeholder-${i}`;
+      await pool.query(
+        `INSERT INTO tm_password_reset_requests (user_id, token_hash, expires_at, created_at)
+         VALUES (1, $1, $2, $3)`,
+        [sha256(fakeToken), futureExpiry, recent]
+      );
+    }
+    const res = await request(app)
+      .post('/me/password-reset/request')
+      .send({ email: 'u1@test.com' });
+    // Service silently swallows rate limit (no 429) to prevent email enumeration
+    expect(res.status).toBe(200);
+    // But the email must NOT have been sent
+    expect(sendPasswordResetEmail).not.toHaveBeenCalled();
+  });
+});

package/tests/integration/super-admin-actions.test.ts ADDED Viewed

@@ -0,0 +1,180 @@
+import { describe, it, expect, beforeAll, afterAll, beforeEach, vi } from 'vitest';
+import express from 'express';
+import request from 'supertest';
+import { Pool } from 'pg';
+import { createServerModule } from '../../src/server/index.js';
+import type { ServerModuleAdapter, OrgRole } from '../../src/server/types.js';
+const describeWithDb = process.env.DATABASE_URL ? describe : describe.skip;
+let currentUserId: number | null = null;
+let currentOrgId: number | null = null;
+const sendPasswordResetEmail = vi.fn(async () => {});
+const testAdapter: ServerModuleAdapter = {
+  getCurrentUserId: async () => currentUserId,
+  getOrganizationIdForUser: async () => currentOrgId,
+  isUserOrgAdmin: async (userId) => userId <= 2,
+  logger: { info: () => {}, warn: () => {}, error: () => {} },
+  getUserById: async (id) => ({ id, email: `u${id}@test.com`, name: `User${id}` }),
+  getUsersByIds: async (ids) => ids.map(id => ({ id, email: `u${id}@test.com`, name: `User${id}` })),
+  findUserByEmail: async (email) => {
+    const m = email.match(/^u(\d+)@test\.com$/);
+    return m ? { id: parseInt(m[1]), email } : null;
+  },
+  createUserFromInvite: async ({ email }: { email: string; orgId: number; role: OrgRole }) => ({ id: 99, email }),
+  setUserPassword: async () => {},
+  hashPassword: async (p) => `h:${p}`,
+  verifyPassword: async (p, h) => h === `h:${p}`,
+  invalidateAllUserSessions: async () => {},
+  sendInviteEmail: async () => {},
+  sendOwnershipTransferEmail: async () => {},
+  sendEmailChangeVerification: async () => {},
+  sendEmailChangeOldNotice: async () => {},
+  sendEmailChangedFinalNotice: async () => {},
+  sendPasswordResetEmail,
+  sendOrgDeletionNotice: async () => {},
+  emitNotification: async () => {},
+};
+async function cleanAll(pool: Pool) {
+  await pool.query(`TRUNCATE tm_super_admins, tm_password_reset_requests,
+    tm_email_change_requests, tm_ownership_transfers, tm_audit_events,
+    tm_invitations, tm_memberships, tm_organizations RESTART IDENTITY CASCADE`);
+}
+async function seedOrg(pool: Pool, orgId = 1) {
+  await pool.query(`INSERT INTO tm_organizations (id, name, slug, owner_user_id, settings)
+    VALUES (${orgId}, 'Test Org ${orgId}', 'test-org-${orgId}', 1, '{}') ON CONFLICT DO NOTHING`);
+  await pool.query(`INSERT INTO tm_memberships (org_id, user_id, role) VALUES
+    (${orgId}, 1, 'owner'), (${orgId}, 2, 'admin'), (${orgId}, 3, 'member'), (${orgId}, 4, 'viewer')
+    ON CONFLICT DO NOTHING`);
+}
+describeWithDb('super admin', () => {
+  let pool: Pool;
+  let app: express.Express;
+  beforeAll(async () => {
+    pool = new Pool({ connectionString: process.env.DATABASE_URL });
+    // Enable super admin feature
+    const mod = createServerModule({
+      adapter: testAdapter,
+      pool,
+      features: { enableSuperAdmin: true },
+    });
+    app = express();
+    app.use(express.json());
+    app.use(mod.router);
+  });
+  afterAll(async () => {
+    await pool.end();
+  });
+  beforeEach(async () => {
+    await cleanAll(pool);
+    sendPasswordResetEmail.mockClear();
+    currentOrgId = 1;
+    await seedOrg(pool);
+    // Register user 1 as super admin
+    await pool.query(`INSERT INTO tm_super_admins (user_id) VALUES (1) ON CONFLICT DO NOTHING`);
+    currentUserId = 1;
+  });
+  it('GET /admin/orgs → 200 with list of orgs', async () => {
+    const res = await request(app).get('/admin/orgs');
+    expect(res.status).toBe(200);
+    // Route returns { orgs: [...] }
+    const orgs = res.body.orgs ?? res.body;
+    expect(Array.isArray(orgs)).toBe(true);
+    expect(orgs.length).toBeGreaterThanOrEqual(1);
+  });
+  it('POST /admin/orgs/:id/restore → 200 on a deleted org', async () => {
+    // Soft-delete the org
+    await pool.query(`UPDATE tm_organizations SET deleted_at = NOW() WHERE id = 1`);
+    const res = await request(app)
+      .post('/admin/orgs/1/restore')
+      .send({ reason: 'test restore' });
+    expect(res.status).toBe(200);
+    const row = await pool.query(`SELECT deleted_at FROM tm_organizations WHERE id = 1`);
+    expect(row.rows[0].deleted_at).toBeNull();
+  });
+  it('POST /admin/orgs/:id/appoint-owner → 200, audit event with actor_type=super_admin', async () => {
+    const res = await request(app)
+      .post('/admin/orgs/1/appoint-owner')
+      .send({ targetUserId: 2, reason: 'test' });
+    expect(res.status).toBe(200);
+    // Verify new owner in DB
+    const org = await pool.query(`SELECT owner_user_id FROM tm_organizations WHERE id = 1`);
+    expect(org.rows[0].owner_user_id).toBe(2);
+    // Reason is stored in audit reason column
+    const adminEvent = await pool.query(
+      `SELECT reason FROM tm_audit_events WHERE actor_type = 'super_admin' ORDER BY created_at DESC LIMIT 1`
+    );
+    if (adminEvent.rows.length > 0) {
+      expect(adminEvent.rows[0].reason).toContain('test');
+    }
+  });
+  it('POST /admin/users/:userId/lock → 200', async () => {
+    const res = await request(app)
+      .post('/admin/users/3/lock')
+      .send({ reason: 'spam' });
+    expect(res.status).toBe(200);
+  });
+  it('POST /admin/users/:userId/password-reset → 200 and calls sendPasswordResetEmail', async () => {
+    const res = await request(app)
+      .post('/admin/users/3/password-reset')
+      .send({ reason: 'support request' });
+    expect(res.status).toBe(200);
+    expect(sendPasswordResetEmail).toHaveBeenCalledOnce();
+  });
+  it('audit events from super-admin actions show actor_type = "super_admin"', async () => {
+    await request(app)
+      .post('/admin/orgs/1/appoint-owner')
+      .send({ targetUserId: 2, reason: 'audit test' });
+    const events = await pool.query(
+      `SELECT * FROM tm_audit_events WHERE actor_type = 'super_admin'`
+    );
+    expect(events.rows.length).toBeGreaterThanOrEqual(1);
+  });
+  it('non-super-admin accessing /admin/* → 403', async () => {
+    currentUserId = 2; // admin but not super-admin
+    const res = await request(app).get('/admin/orgs');
+    expect(res.status).toBe(403);
+  });
+  it('unauthenticated user accessing /admin/* → 401 or 403', async () => {
+    currentUserId = null;
+    const res = await request(app).get('/admin/orgs');
+    expect([401, 403]).toContain(res.status);
+  });
+  it('GET /admin/orgs includes soft-deleted orgs', async () => {
+    await pool.query(`UPDATE tm_organizations SET deleted_at = NOW() WHERE id = 1`);
+    const res = await request(app).get('/admin/orgs');
+    expect(res.status).toBe(200);
+    const orgs = (res.body.orgs ?? res.body) as Array<{ id: number }>;
+    const ids = orgs.map(o => o.id);
+    expect(ids).toContain(1);
+  });
+});