npm - @varshylinc/team-management - Versions diffs - 0.1.0 - Mend

@varshylinc/team-management 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (203) hide show

package/.eslintrc.cjs +18 -0
package/CHANGELOG.md +159 -0
package/LICENSE +6 -0
package/README.md +97 -0
package/dist/index.d.ts +4 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +6 -0
package/dist/index.js.map +1 -0
package/dist/server/crypto.d.ts +6 -0
package/dist/server/crypto.d.ts.map +1 -0
package/dist/server/crypto.js +42 -0
package/dist/server/crypto.js.map +1 -0
package/dist/server/index.d.ts +34 -0
package/dist/server/index.d.ts.map +1 -0
package/dist/server/index.js +114 -0
package/dist/server/index.js.map +1 -0
package/dist/server/middleware/require-membership.d.ts +10 -0
package/dist/server/middleware/require-membership.d.ts.map +1 -0
package/dist/server/middleware/require-membership.js +33 -0
package/dist/server/middleware/require-membership.js.map +1 -0
package/dist/server/middleware/require-role.d.ts +4 -0
package/dist/server/middleware/require-role.d.ts.map +1 -0
package/dist/server/middleware/require-role.js +16 -0
package/dist/server/middleware/require-role.js.map +1 -0
package/dist/server/middleware/require-super-admin.d.ts +5 -0
package/dist/server/middleware/require-super-admin.d.ts.map +1 -0
package/dist/server/middleware/require-super-admin.js +27 -0
package/dist/server/middleware/require-super-admin.js.map +1 -0
package/dist/server/migrations/0001_create_tm_schema_migrations.sql +13 -0
package/dist/server/migrations/0002_create_tm_organizations.sql +14 -0
package/dist/server/migrations/0003_create_tm_memberships.sql +24 -0
package/dist/server/migrations/0004_create_tm_invitations.sql +22 -0
package/dist/server/migrations/0005_create_tm_audit_events.sql +17 -0
package/dist/server/migrations/0006_create_tm_email_change_requests.sql +13 -0
package/dist/server/migrations/0007_create_tm_ownership_transfers.sql +22 -0
package/dist/server/migrations/0008_create_tm_super_admins.sql +8 -0
package/dist/server/migrations/0009_create_tm_password_reset_requests.sql +9 -0
package/dist/server/migrations/0010_create_tm_shared_access.sql +8 -0
package/dist/server/migrations/0011_seed_super_admin.sql +15 -0
package/dist/server/migrations/0012_create_tm_user_locks.sql +7 -0
package/dist/server/routes/admin.routes.d.ts +5 -0
package/dist/server/routes/admin.routes.d.ts.map +1 -0
package/dist/server/routes/admin.routes.js +262 -0
package/dist/server/routes/admin.routes.js.map +1 -0
package/dist/server/routes/audit.routes.d.ts +5 -0
package/dist/server/routes/audit.routes.d.ts.map +1 -0
package/dist/server/routes/audit.routes.js +70 -0
package/dist/server/routes/audit.routes.js.map +1 -0
package/dist/server/routes/health.routes.d.ts +8 -0
package/dist/server/routes/health.routes.d.ts.map +1 -0
package/dist/server/routes/health.routes.js +39 -0
package/dist/server/routes/health.routes.js.map +1 -0
package/dist/server/routes/invitations.routes.d.ts +5 -0
package/dist/server/routes/invitations.routes.d.ts.map +1 -0
package/dist/server/routes/invitations.routes.js +232 -0
package/dist/server/routes/invitations.routes.js.map +1 -0
package/dist/server/routes/me.routes.d.ts +5 -0
package/dist/server/routes/me.routes.d.ts.map +1 -0
package/dist/server/routes/me.routes.js +188 -0
package/dist/server/routes/me.routes.js.map +1 -0
package/dist/server/routes/orgs.routes.d.ts +5 -0
package/dist/server/routes/orgs.routes.d.ts.map +1 -0
package/dist/server/routes/orgs.routes.js +371 -0
package/dist/server/routes/orgs.routes.js.map +1 -0
package/dist/server/routes/transfer.routes.d.ts +5 -0
package/dist/server/routes/transfer.routes.d.ts.map +1 -0
package/dist/server/routes/transfer.routes.js +108 -0
package/dist/server/routes/transfer.routes.js.map +1 -0
package/dist/server/services/audit.service.d.ts +20 -0
package/dist/server/services/audit.service.d.ts.map +1 -0
package/dist/server/services/audit.service.js +23 -0
package/dist/server/services/audit.service.js.map +1 -0
package/dist/server/services/email-change.service.d.ts +16 -0
package/dist/server/services/email-change.service.d.ts.map +1 -0
package/dist/server/services/email-change.service.js +107 -0
package/dist/server/services/email-change.service.js.map +1 -0
package/dist/server/services/invitations.service.d.ts +41 -0
package/dist/server/services/invitations.service.d.ts.map +1 -0
package/dist/server/services/invitations.service.js +214 -0
package/dist/server/services/invitations.service.js.map +1 -0
package/dist/server/services/memberships.service.d.ts +27 -0
package/dist/server/services/memberships.service.d.ts.map +1 -0
package/dist/server/services/memberships.service.js +69 -0
package/dist/server/services/memberships.service.js.map +1 -0
package/dist/server/services/organizations.service.d.ts +19 -0
package/dist/server/services/organizations.service.d.ts.map +1 -0
package/dist/server/services/organizations.service.js +61 -0
package/dist/server/services/organizations.service.js.map +1 -0
package/dist/server/services/ownership.service.d.ts +19 -0
package/dist/server/services/ownership.service.d.ts.map +1 -0
package/dist/server/services/ownership.service.js +102 -0
package/dist/server/services/ownership.service.js.map +1 -0
package/dist/server/services/password-reset.service.d.ts +12 -0
package/dist/server/services/password-reset.service.d.ts.map +1 -0
package/dist/server/services/password-reset.service.js +54 -0
package/dist/server/services/password-reset.service.js.map +1 -0
package/dist/server/services/super-admin.service.d.ts +59 -0
package/dist/server/services/super-admin.service.d.ts.map +1 -0
package/dist/server/services/super-admin.service.js +187 -0
package/dist/server/services/super-admin.service.js.map +1 -0
package/dist/server/types.d.ts +186 -0
package/dist/server/types.d.ts.map +1 -0
package/dist/server/types.js +6 -0
package/dist/server/types.js.map +1 -0
package/dist/shared/types.d.ts +23 -0
package/dist/shared/types.d.ts.map +1 -0
package/dist/shared/types.js +6 -0
package/dist/shared/types.js.map +1 -0
package/package.json +56 -0
package/src/client/api.ts +314 -0
package/src/client/components/AuditEventRow.tsx +59 -0
package/src/client/components/CascadePreview.tsx +36 -0
package/src/client/components/DangerZoneCard.tsx +103 -0
package/src/client/components/InvitationCodeDisplay.tsx +48 -0
package/src/client/components/InviteForm.tsx +77 -0
package/src/client/components/MemberRow.tsx +69 -0
package/src/client/components/PendingTransferBanner.tsx +98 -0
package/src/client/components/PlaceholderCard.tsx +26 -0
package/src/client/components/RoleBadge.tsx +26 -0
package/src/client/components/RoleSelect.tsx +35 -0
package/src/client/hooks/.gitkeep +0 -0
package/src/client/hooks/useCurrentMembership.ts +24 -0
package/src/client/hooks/useMembers.ts +24 -0
package/src/client/hooks/usePendingInvitations.ts +24 -0
package/src/client/hooks/usePendingTransfer.ts +27 -0
package/src/client/index.ts +80 -0
package/src/client/pages/AuditLogPage.tsx +164 -0
package/src/client/pages/EmailChangePage.tsx +144 -0
package/src/client/pages/InvitationAcceptPage.tsx +163 -0
package/src/client/pages/InvitationCodePage.tsx +108 -0
package/src/client/pages/MembersPage.tsx +290 -0
package/src/client/pages/OrgSettingsPage.tsx +185 -0
package/src/client/pages/OwnershipTransferPage.tsx +163 -0
package/src/client/pages/PasswordResetPage.tsx +104 -0
package/src/client/pages/PasswordResetRequestPage.tsx +71 -0
package/src/client/pages/PlaceholderPage.tsx +20 -0
package/src/client/pages/SuperAdminDashboard.tsx +401 -0
package/src/client/types.ts +78 -0
package/src/index.ts +24 -0
package/src/server/crypto.ts +47 -0
package/src/server/index.ts +167 -0
package/src/server/middleware/require-membership.ts +48 -0
package/src/server/middleware/require-role.ts +19 -0
package/src/server/middleware/require-super-admin.ts +32 -0
package/src/server/migrations/0001_create_tm_schema_migrations.sql +13 -0
package/src/server/migrations/0002_create_tm_organizations.sql +14 -0
package/src/server/migrations/0003_create_tm_memberships.sql +24 -0
package/src/server/migrations/0004_create_tm_invitations.sql +22 -0
package/src/server/migrations/0005_create_tm_audit_events.sql +17 -0
package/src/server/migrations/0006_create_tm_email_change_requests.sql +13 -0
package/src/server/migrations/0007_create_tm_ownership_transfers.sql +22 -0
package/src/server/migrations/0008_create_tm_super_admins.sql +8 -0
package/src/server/migrations/0009_create_tm_password_reset_requests.sql +9 -0
package/src/server/migrations/0010_create_tm_shared_access.sql +8 -0
package/src/server/migrations/0011_seed_super_admin.sql +15 -0
package/src/server/migrations/0012_create_tm_user_locks.sql +7 -0
package/src/server/routes/admin.routes.ts +208 -0
package/src/server/routes/audit.routes.ts +93 -0
package/src/server/routes/health.routes.ts +46 -0
package/src/server/routes/invitations.routes.ts +252 -0
package/src/server/routes/me.routes.ts +143 -0
package/src/server/routes/orgs.routes.ts +428 -0
package/src/server/routes/transfer.routes.ts +110 -0
package/src/server/services/.gitkeep +0 -0
package/src/server/services/audit.service.ts +49 -0
package/src/server/services/email-change.service.ts +178 -0
package/src/server/services/invitations.service.ts +316 -0
package/src/server/services/memberships.service.ts +129 -0
package/src/server/services/organizations.service.ts +110 -0
package/src/server/services/ownership.service.ts +170 -0
package/src/server/services/password-reset.service.ts +94 -0
package/src/server/services/super-admin.service.ts +321 -0
package/src/server/sql/.gitkeep +0 -0
package/src/server/types.ts +145 -0
package/src/shared/types.ts +24 -0
package/tests/integration/audit-fires.test.ts +288 -0
package/tests/integration/cascade-preview.test.ts +157 -0
package/tests/integration/email-change.test.ts +190 -0
package/tests/integration/feature-flags.test.ts +213 -0
package/tests/integration/invitations-code.test.ts +218 -0
package/tests/integration/invitations-expiry.test.ts +216 -0
package/tests/integration/invitations-resend.test.ts +241 -0
package/tests/integration/invitations-revoke.test.ts +226 -0
package/tests/integration/invitations-switch-org.test.ts +156 -0
package/tests/integration/invitations-token.test.ts +221 -0
package/tests/integration/migrations.test.ts +119 -0
package/tests/integration/only-owner-protections.test.ts +130 -0
package/tests/integration/org-lifecycle.test.ts +169 -0
package/tests/integration/ownership-transfer-cancel.test.ts +171 -0
package/tests/integration/ownership-transfer-expire.test.ts +171 -0
package/tests/integration/ownership-transfer-happy.test.ts +184 -0
package/tests/integration/ownership-transfer-locks.test.ts +146 -0
package/tests/integration/password-reset.test.ts +200 -0
package/tests/integration/super-admin-actions.test.ts +180 -0
package/tests/integration/super-admin-restrictions.test.ts +209 -0
package/tests/setup/global-setup.ts +20 -0
package/tests/unit/adapter-shape.test.ts +330 -0
package/tests/unit/role-permissions.test.ts +236 -0
package/tests/unit/validation.test.ts +304 -0
package/tsconfig.client.json +13 -0
package/tsconfig.json +12 -0
package/tsconfig.tsbuildinfo +1 -0
package/vitest.config.ts +13 -0

package/tests/unit/role-permissions.test.ts ADDED Viewed

@@ -0,0 +1,236 @@
+import { describe, it, expect } from 'vitest';
+import { roleAtLeast } from '../../src/server/types.js';
+import type { OrgRole } from '../../src/server/types.js';
+// ---------------------------------------------------------------------------
+// Permission matrix from spec
+//
+// ACTION                              | OWNER | ADMIN | MEMBER | VIEWER
+// ------------------------------------|-------|-------|--------|--------
+// View org info                       | ✓     | ✓     | ✓      | ✓
+// List members                        | ✓     | ✓     | ✓      | ✓
+// View audit log                      | ✓     | ✓     | ✗      | ✗
+// Edit org settings (name/slug)       | ✓     | ✓     | ✗      | ✗
+// Invite member                       | ✓     | ✓     | ✗      | ✗
+// Revoke pending invite               | ✓     | ✓     | ✗      | ✗
+// Change member role (not owner)      | ✓     | ✓     | ✗      | ✗
+// Change another admin's role         | ✓     | ✗     | ✗      | ✗
+// Remove member (not owner)           | ✓     | ✓     | ✗      | ✗
+// Remove an admin                     | ✓     | ✗     | ✗      | ✗
+// Initiate ownership transfer         | ✓     | ✗     | ✗      | ✗
+// Delete org                          | ✓     | ✗     | ✗      | ✗
+// Change own email                    | ✓     | ✓     | ✓      | ✓
+// Reset own password                  | ✓     | ✓     | ✓      | ✓
+// ---------------------------------------------------------------------------
+const ALL_ROLES: OrgRole[] = ['owner', 'admin', 'member', 'viewer'];
+// Helper: given a minimum role, returns whether each role in ALL_ROLES can perform the action.
+function canDo(minRole: OrgRole): Record<OrgRole, boolean> {
+  return {
+    owner: roleAtLeast('owner', minRole),
+    admin: roleAtLeast('admin', minRole),
+    member: roleAtLeast('member', minRole),
+    viewer: roleAtLeast('viewer', minRole),
+  };
+}
+// ---------------------------------------------------------------------------
+// View org info — minimum role: viewer (all roles allowed)
+// ---------------------------------------------------------------------------
+describe('View org info', () => {
+  const perms = canDo('viewer');
+  it('owner can view org info', () => expect(perms.owner).toBe(true));
+  it('admin can view org info', () => expect(perms.admin).toBe(true));
+  it('member can view org info', () => expect(perms.member).toBe(true));
+  it('viewer can view org info', () => expect(perms.viewer).toBe(true));
+});
+// ---------------------------------------------------------------------------
+// List members — minimum role: viewer (all roles allowed)
+// ---------------------------------------------------------------------------
+describe('List members', () => {
+  const perms = canDo('viewer');
+  it('owner can list members', () => expect(perms.owner).toBe(true));
+  it('admin can list members', () => expect(perms.admin).toBe(true));
+  it('member can list members', () => expect(perms.member).toBe(true));
+  it('viewer can list members', () => expect(perms.viewer).toBe(true));
+});
+// ---------------------------------------------------------------------------
+// View audit log — minimum role: admin
+// ---------------------------------------------------------------------------
+describe('View audit log', () => {
+  const perms = canDo('admin');
+  it('owner can view audit log', () => expect(perms.owner).toBe(true));
+  it('admin can view audit log', () => expect(perms.admin).toBe(true));
+  it('member cannot view audit log', () => expect(perms.member).toBe(false));
+  it('viewer cannot view audit log', () => expect(perms.viewer).toBe(false));
+});
+// ---------------------------------------------------------------------------
+// Edit org settings (name/slug) — minimum role: admin
+// ---------------------------------------------------------------------------
+describe('Edit org settings (name/slug)', () => {
+  const perms = canDo('admin');
+  it('owner can edit org settings', () => expect(perms.owner).toBe(true));
+  it('admin can edit org settings', () => expect(perms.admin).toBe(true));
+  it('member cannot edit org settings', () => expect(perms.member).toBe(false));
+  it('viewer cannot edit org settings', () => expect(perms.viewer).toBe(false));
+});
+// ---------------------------------------------------------------------------
+// Invite member — minimum role: admin
+// ---------------------------------------------------------------------------
+describe('Invite member', () => {
+  const perms = canDo('admin');
+  it('owner can invite member', () => expect(perms.owner).toBe(true));
+  it('admin can invite member', () => expect(perms.admin).toBe(true));
+  it('member cannot invite member', () => expect(perms.member).toBe(false));
+  it('viewer cannot invite member', () => expect(perms.viewer).toBe(false));
+});
+// ---------------------------------------------------------------------------
+// Revoke pending invite — minimum role: admin
+// ---------------------------------------------------------------------------
+describe('Revoke pending invite', () => {
+  const perms = canDo('admin');
+  it('owner can revoke pending invite', () => expect(perms.owner).toBe(true));
+  it('admin can revoke pending invite', () => expect(perms.admin).toBe(true));
+  it('member cannot revoke pending invite', () => expect(perms.member).toBe(false));
+  it('viewer cannot revoke pending invite', () => expect(perms.viewer).toBe(false));
+});
+// ---------------------------------------------------------------------------
+// Change member role (not owner) — minimum role: admin
+// ---------------------------------------------------------------------------
+describe('Change member role (not owner)', () => {
+  const perms = canDo('admin');
+  it('owner can change member role', () => expect(perms.owner).toBe(true));
+  it('admin can change member role', () => expect(perms.admin).toBe(true));
+  it('member cannot change member role', () => expect(perms.member).toBe(false));
+  it('viewer cannot change member role', () => expect(perms.viewer).toBe(false));
+});
+// ---------------------------------------------------------------------------
+// Change another admin's role — minimum role: owner
+// ---------------------------------------------------------------------------
+describe("Change another admin's role", () => {
+  const perms = canDo('owner');
+  it("owner can change another admin's role", () => expect(perms.owner).toBe(true));
+  it("admin cannot change another admin's role", () => expect(perms.admin).toBe(false));
+  it("member cannot change another admin's role", () => expect(perms.member).toBe(false));
+  it("viewer cannot change another admin's role", () => expect(perms.viewer).toBe(false));
+});
+// ---------------------------------------------------------------------------
+// Remove member (not owner) — minimum role: admin
+// ---------------------------------------------------------------------------
+describe('Remove member (not owner)', () => {
+  const perms = canDo('admin');
+  it('owner can remove member', () => expect(perms.owner).toBe(true));
+  it('admin can remove member', () => expect(perms.admin).toBe(true));
+  it('member cannot remove member', () => expect(perms.member).toBe(false));
+  it('viewer cannot remove member', () => expect(perms.viewer).toBe(false));
+});
+// ---------------------------------------------------------------------------
+// Remove an admin — minimum role: owner
+// ---------------------------------------------------------------------------
+describe('Remove an admin', () => {
+  const perms = canDo('owner');
+  it('owner can remove an admin', () => expect(perms.owner).toBe(true));
+  it('admin cannot remove an admin', () => expect(perms.admin).toBe(false));
+  it('member cannot remove an admin', () => expect(perms.member).toBe(false));
+  it('viewer cannot remove an admin', () => expect(perms.viewer).toBe(false));
+});
+// ---------------------------------------------------------------------------
+// Initiate ownership transfer — minimum role: owner
+// ---------------------------------------------------------------------------
+describe('Initiate ownership transfer', () => {
+  const perms = canDo('owner');
+  it('owner can initiate ownership transfer', () => expect(perms.owner).toBe(true));
+  it('admin cannot initiate ownership transfer', () => expect(perms.admin).toBe(false));
+  it('member cannot initiate ownership transfer', () => expect(perms.member).toBe(false));
+  it('viewer cannot initiate ownership transfer', () => expect(perms.viewer).toBe(false));
+});
+// ---------------------------------------------------------------------------
+// Delete org — minimum role: owner
+// ---------------------------------------------------------------------------
+describe('Delete org', () => {
+  const perms = canDo('owner');
+  it('owner can delete org', () => expect(perms.owner).toBe(true));
+  it('admin cannot delete org', () => expect(perms.admin).toBe(false));
+  it('member cannot delete org', () => expect(perms.member).toBe(false));
+  it('viewer cannot delete org', () => expect(perms.viewer).toBe(false));
+});
+// ---------------------------------------------------------------------------
+// Change own email — minimum role: viewer (all roles allowed)
+// ---------------------------------------------------------------------------
+describe('Change own email', () => {
+  const perms = canDo('viewer');
+  it('owner can change own email', () => expect(perms.owner).toBe(true));
+  it('admin can change own email', () => expect(perms.admin).toBe(true));
+  it('member can change own email', () => expect(perms.member).toBe(true));
+  it('viewer can change own email', () => expect(perms.viewer).toBe(true));
+});
+// ---------------------------------------------------------------------------
+// Reset own password — minimum role: viewer (all roles allowed)
+// ---------------------------------------------------------------------------
+describe('Reset own password', () => {
+  const perms = canDo('viewer');
+  it('owner can reset own password', () => expect(perms.owner).toBe(true));
+  it('admin can reset own password', () => expect(perms.admin).toBe(true));
+  it('member can reset own password', () => expect(perms.member).toBe(true));
+  it('viewer can reset own password', () => expect(perms.viewer).toBe(true));
+});
+// ---------------------------------------------------------------------------
+// Cross-cutting: exhaustive matrix spot-checks
+// ---------------------------------------------------------------------------
+describe('Full permission matrix — exhaustive spot-checks', () => {
+  it('owner has highest privilege (passes all checks)', () => {
+    for (const role of ALL_ROLES) {
+      expect(roleAtLeast('owner', role)).toBe(true);
+    }
+  });
+  it('viewer has lowest privilege (only passes viewer check)', () => {
+    expect(roleAtLeast('viewer', 'viewer')).toBe(true);
+    expect(roleAtLeast('viewer', 'member')).toBe(false);
+    expect(roleAtLeast('viewer', 'admin')).toBe(false);
+    expect(roleAtLeast('viewer', 'owner')).toBe(false);
+  });
+  it('admin passes admin and below, fails owner', () => {
+    expect(roleAtLeast('admin', 'viewer')).toBe(true);
+    expect(roleAtLeast('admin', 'member')).toBe(true);
+    expect(roleAtLeast('admin', 'admin')).toBe(true);
+    expect(roleAtLeast('admin', 'owner')).toBe(false);
+  });
+  it('member passes member and viewer, fails admin and owner', () => {
+    expect(roleAtLeast('member', 'viewer')).toBe(true);
+    expect(roleAtLeast('member', 'member')).toBe(true);
+    expect(roleAtLeast('member', 'admin')).toBe(false);
+    expect(roleAtLeast('member', 'owner')).toBe(false);
+  });
+});

package/tests/unit/validation.test.ts ADDED Viewed

@@ -0,0 +1,304 @@
+import { describe, it, expect } from 'vitest';
+// ---------------------------------------------------------------------------
+// Pure validation functions — no src imports needed.
+// These mirror the validation logic that the package enforces.
+// ---------------------------------------------------------------------------
+// Slug: lowercase alphanumeric + hyphens, 3-50 chars, no leading/trailing hyphens.
+function isValidSlug(slug: string): boolean {
+  if (slug.length < 3 || slug.length > 50) return false;
+  // Must start and end with alphanumeric, inner chars can include hyphens.
+  return /^[a-z0-9][a-z0-9-]*[a-z0-9]$|^[a-z0-9]{1}$/.test(slug) && slug.length >= 3;
+}
+// Email: basic RFC-ish check — local@domain.tld
+function isValidEmail(email: string): boolean {
+  if (!email) return false;
+  return /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email);
+}
+// OrgRole: exactly one of the four valid roles.
+function isValidOrgRole(role: string): boolean {
+  return ['owner', 'admin', 'member', 'viewer'].includes(role);
+}
+// Token: hex string, exactly 64 characters.
+function isValidToken(token: string): boolean {
+  return /^[0-9a-f]{64}$/.test(token);
+}
+// ---------------------------------------------------------------------------
+// Slug validation
+// ---------------------------------------------------------------------------
+describe('Slug validation', () => {
+  describe('valid slugs', () => {
+    it('"demo-co" is valid', () => {
+      expect(isValidSlug('demo-co')).toBe(true);
+    });
+    it('"acme" is valid', () => {
+      expect(isValidSlug('acme')).toBe(true);
+    });
+    it('"my-org-123" is valid', () => {
+      expect(isValidSlug('my-org-123')).toBe(true);
+    });
+    it('exactly 3 chars "abc" is valid (lower boundary)', () => {
+      expect(isValidSlug('abc')).toBe(true);
+    });
+    it('exactly 50 chars is valid (upper boundary)', () => {
+      const slug = 'a' + 'b'.repeat(48) + 'c'; // 50 chars
+      expect(slug.length).toBe(50);
+      expect(isValidSlug(slug)).toBe(true);
+    });
+    it('alphanumeric with numbers "org123" is valid', () => {
+      expect(isValidSlug('org123')).toBe(true);
+    });
+    it('multiple hyphens in middle "my-big-org-2024" is valid', () => {
+      expect(isValidSlug('my-big-org-2024')).toBe(true);
+    });
+  });
+  describe('invalid slugs', () => {
+    it('empty string is invalid', () => {
+      expect(isValidSlug('')).toBe(false);
+    });
+    it('single char "a" is invalid (too short)', () => {
+      expect(isValidSlug('a')).toBe(false);
+    });
+    it('two chars "ab" is invalid (too short)', () => {
+      expect(isValidSlug('ab')).toBe(false);
+    });
+    it('leading hyphen "-start" is invalid', () => {
+      expect(isValidSlug('-start')).toBe(false);
+    });
+    it('trailing hyphen "end-" is invalid', () => {
+      expect(isValidSlug('end-')).toBe(false);
+    });
+    it('spaces "with spaces" is invalid', () => {
+      expect(isValidSlug('with spaces')).toBe(false);
+    });
+    it('51 chars is invalid (too long)', () => {
+      const slug = 'a'.repeat(51);
+      expect(slug.length).toBe(51);
+      expect(isValidSlug(slug)).toBe(false);
+    });
+    it('uppercase letters "MyOrg" is invalid', () => {
+      expect(isValidSlug('MyOrg')).toBe(false);
+    });
+    it('underscores "my_org" are invalid', () => {
+      expect(isValidSlug('my_org')).toBe(false);
+    });
+    it('special chars "org@co" are invalid', () => {
+      expect(isValidSlug('org@co')).toBe(false);
+    });
+  });
+});
+// ---------------------------------------------------------------------------
+// Email validation
+// ---------------------------------------------------------------------------
+describe('Email validation', () => {
+  describe('valid emails', () => {
+    it('"user@example.com" is valid', () => {
+      expect(isValidEmail('user@example.com')).toBe(true);
+    });
+    it('"a+b@x.co" is valid', () => {
+      expect(isValidEmail('a+b@x.co')).toBe(true);
+    });
+    it('"firstname.lastname@domain.org" is valid', () => {
+      expect(isValidEmail('firstname.lastname@domain.org')).toBe(true);
+    });
+    it('"user123@sub.domain.com" is valid', () => {
+      expect(isValidEmail('user123@sub.domain.com')).toBe(true);
+    });
+  });
+  describe('invalid emails', () => {
+    it('"notanemail" is invalid (no @ or domain)', () => {
+      expect(isValidEmail('notanemail')).toBe(false);
+    });
+    it('"@domain.com" is invalid (no local part)', () => {
+      expect(isValidEmail('@domain.com')).toBe(false);
+    });
+    it('"user@" is invalid (no domain)', () => {
+      expect(isValidEmail('user@')).toBe(false);
+    });
+    it('empty string is invalid', () => {
+      expect(isValidEmail('')).toBe(false);
+    });
+    it('"user@domain" is invalid (no TLD)', () => {
+      expect(isValidEmail('user@domain')).toBe(false);
+    });
+    it('"user @example.com" is invalid (space in local part)', () => {
+      expect(isValidEmail('user @example.com')).toBe(false);
+    });
+  });
+});
+// ---------------------------------------------------------------------------
+// OrgRole enum validation
+// ---------------------------------------------------------------------------
+describe('OrgRole validation', () => {
+  describe('valid roles', () => {
+    it('"owner" is valid', () => {
+      expect(isValidOrgRole('owner')).toBe(true);
+    });
+    it('"admin" is valid', () => {
+      expect(isValidOrgRole('admin')).toBe(true);
+    });
+    it('"member" is valid', () => {
+      expect(isValidOrgRole('member')).toBe(true);
+    });
+    it('"viewer" is valid', () => {
+      expect(isValidOrgRole('viewer')).toBe(true);
+    });
+  });
+  describe('invalid roles', () => {
+    it('"superadmin" is invalid', () => {
+      expect(isValidOrgRole('superadmin')).toBe(false);
+    });
+    it('"Owner" is invalid (case-sensitive)', () => {
+      expect(isValidOrgRole('Owner')).toBe(false);
+    });
+    it('"ADMIN" is invalid (uppercase)', () => {
+      expect(isValidOrgRole('ADMIN')).toBe(false);
+    });
+    it('empty string is invalid', () => {
+      expect(isValidOrgRole('')).toBe(false);
+    });
+    it('"moderator" is invalid', () => {
+      expect(isValidOrgRole('moderator')).toBe(false);
+    });
+    it('"guest" is invalid', () => {
+      expect(isValidOrgRole('guest')).toBe(false);
+    });
+    it('"MEMBER" is invalid (uppercase)', () => {
+      expect(isValidOrgRole('MEMBER')).toBe(false);
+    });
+    it('"Viewer" is invalid (mixed case)', () => {
+      expect(isValidOrgRole('Viewer')).toBe(false);
+    });
+  });
+});
+// ---------------------------------------------------------------------------
+// Token format validation (hex, exactly 64 chars)
+// ---------------------------------------------------------------------------
+describe('Token format validation', () => {
+  describe('valid tokens', () => {
+    it('"a".repeat(64) is valid', () => {
+      const token = 'a'.repeat(64);
+      expect(token.length).toBe(64);
+      expect(isValidToken(token)).toBe(true);
+    });
+    it('"abc123".repeat(10) + "ab" (64 hex chars) is valid', () => {
+      // "abc123" * 10 = 60 chars + "ab" = 62? Let's compute correctly:
+      // "abc123".repeat(10) = 60 chars, need 4 more: "abcd" => 64 total
+      const token = 'abc123'.repeat(10) + 'abcd';
+      expect(token.length).toBe(64);
+      // all chars in 'abc123abcd' are hex (a,b,c,d,1,2,3)
+      expect(isValidToken(token)).toBe(true);
+    });
+    it('all-zeros token "0".repeat(64) is valid', () => {
+      const token = '0'.repeat(64);
+      expect(isValidToken(token)).toBe(true);
+    });
+    it('all-f token "f".repeat(64) is valid', () => {
+      const token = 'f'.repeat(64);
+      expect(isValidToken(token)).toBe(true);
+    });
+    it('mixed hex chars covering 0-9 and a-f is valid', () => {
+      // 64 chars using full hex alphabet
+      const token = '0123456789abcdef'.repeat(4);
+      expect(token.length).toBe(64);
+      expect(isValidToken(token)).toBe(true);
+    });
+  });
+  describe('invalid tokens', () => {
+    it('"short" is invalid (too few chars)', () => {
+      expect(isValidToken('short')).toBe(false);
+    });
+    it('"z".repeat(64) is invalid ("z" is not a hex digit)', () => {
+      const token = 'z'.repeat(64);
+      expect(token.length).toBe(64);
+      expect(isValidToken(token)).toBe(false);
+    });
+    it('empty string is invalid', () => {
+      expect(isValidToken('')).toBe(false);
+    });
+    it('63 hex chars is invalid (one too short)', () => {
+      const token = 'a'.repeat(63);
+      expect(token.length).toBe(63);
+      expect(isValidToken(token)).toBe(false);
+    });
+    it('65 hex chars is invalid (one too long)', () => {
+      const token = 'a'.repeat(65);
+      expect(token.length).toBe(65);
+      expect(isValidToken(token)).toBe(false);
+    });
+    it('uppercase hex "A".repeat(64) is invalid (must be lowercase)', () => {
+      const token = 'A'.repeat(64);
+      expect(isValidToken(token)).toBe(false);
+    });
+    it('token with hyphens is invalid', () => {
+      // UUID-style, 32 hex + 4 hyphens = not valid token
+      const token = 'a'.repeat(28) + '-' + 'b'.repeat(27) + '-' + 'cc';
+      expect(isValidToken(token)).toBe(false);
+    });
+    it('token with spaces is invalid', () => {
+      const token = 'a'.repeat(32) + ' ' + 'b'.repeat(31);
+      expect(isValidToken(token)).toBe(false);
+    });
+    it('"g".repeat(64) is invalid ("g" is not hex)', () => {
+      const token = 'g'.repeat(64);
+      expect(isValidToken(token)).toBe(false);
+    });
+  });
+});

package/tsconfig.client.json ADDED Viewed

@@ -0,0 +1,13 @@
+{
+  "extends": "../../tsconfig.base.json",
+  "compilerOptions": {
+    "target": "ES2020",
+    "lib": ["ES2020", "DOM", "DOM.Iterable"],
+    "module": "ESNext",
+    "moduleResolution": "Bundler",
+    "jsx": "react-jsx",
+    "noEmit": true
+  },
+  "include": ["src/client/**/*", "src/shared/**/*"],
+  "exclude": ["node_modules", "dist"]
+}

package/tsconfig.json ADDED Viewed

@@ -0,0 +1,12 @@
+{
+  "extends": "../../tsconfig.base.json",
+  "compilerOptions": {
+    "outDir": "./dist",
+    "rootDir": "./src",
+    "composite": true,
+    "module": "NodeNext",
+    "moduleResolution": "NodeNext"
+  },
+  "include": ["src/server/**/*", "src/shared/**/*", "src/index.ts"],
+  "exclude": ["node_modules", "dist", "tests", "src/client"]
+}